1. 03 Mar, 2017 31 commits
    • Johan Hovold's avatar
      USB: serial: pl2303: fix NULL-deref at open · fb7a1121
      Johan Hovold authored
      [ Upstream commit 76ab439e ]
      
      Fix NULL-pointer dereference in open() should a type-0 or type-1 device
      lack the expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at pl2303_open+0x38/0xec [pl2303]
      
      Note that a missing interrupt-in endpoint would have caused open() to
      fail.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fb7a1121
    • Johan Hovold's avatar
      USB: serial: oti6858: fix NULL-deref at open · f61e65c8
      Johan Hovold authored
      [ Upstream commit 5afeef23 ]
      
      Fix NULL-pointer dereference in open() should the device lack the
      expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at oti6858_open+0x30/0x1d0 [oti6858]
      
      Note that a missing interrupt-in endpoint would have caused open() to
      fail.
      
      Fixes: 49cdee0e ("USB: oti6858 usb-serial driver (in Nokia CA-42
      cable)")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      f61e65c8
    • Johan Hovold's avatar
      USB: serial: omninet: fix NULL-derefs at open and disconnect · be501013
      Johan Hovold authored
      [ Upstream commit a5bc0194 ]
      
      Fix NULL-pointer dereferences at open() and disconnect() should the
      device lack the expected bulk-out endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 000000b4
      ...
      [c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
      [<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
      [<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
      [<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
      [<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000234
      ...
      [<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      be501013
    • Johan Hovold's avatar
      USB: serial: mos7840: fix NULL-deref at open · 98ca459c
      Johan Hovold authored
      [ Upstream commit 5c75633e ]
      
      Fix NULL-pointer dereference in open() should the device lack the
      expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at mos7840_open+0x88/0x8dc [mos7840]
      
      Note that we continue to treat the interrupt-in endpoint as optional for
      now.
      
      Fixes: 3f542974 ("USB: Moschip 7840 USB-Serial Driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      98ca459c
    • Johan Hovold's avatar
      USB: serial: mos7720: fix parallel probe · 019f8122
      Johan Hovold authored
      [ Upstream commit fde1faf8 ]
      
      A static usb-serial-driver structure that is used to initialise the
      interrupt URB was modified during probe depending on the currently
      probed device type, something which could break a parallel probe of a
      device of a different type.
      
      Fix this up by overriding the default completion callback for MCS7715
      devices in attach() instead. We may want to use two usb-serial driver
      instances for the two types later.
      
      Fixes: fb088e33 ("USB: serial: add support for serial port on the
      moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      019f8122
    • Johan Hovold's avatar
      USB: serial: mos7720: fix parport use-after-free on probe errors · e5324137
      Johan Hovold authored
      [ Upstream commit 75dd211e ]
      
      Do not submit the interrupt URB until after the parport has been
      successfully registered to avoid another use-after-free in the
      completion handler when accessing the freed parport private data in case
      of a racing completion.
      
      Fixes: b69578df ("USB: usbserial: mos7720: add support for parallel
      port on moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      e5324137
    • Johan Hovold's avatar
      USB: serial: mos7720: fix use-after-free on probe errors · 63009c59
      Johan Hovold authored
      [ Upstream commit 91a1ff4d ]
      
      The interrupt URB was submitted on probe but never stopped on probe
      errors. This can lead to use-after-free issues in the completion
      handler when accessing the freed usb-serial struct:
      
      Unable to handle kernel paging request at virtual address 6b6b6be7
      ...
      [<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
      [<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
      [<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)
      
      Fixes: b69578df ("USB: usbserial: mos7720: add support for parallel
      port on moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      63009c59
    • Johan Hovold's avatar
      USB: serial: mos7720: fix NULL-deref at open · 51ecc07f
      Johan Hovold authored
      [ Upstream commit b05aebc2 ]
      
      Fix NULL-pointer dereference at port open if a device lacks the expected
      bulk in and out endpoints.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      [<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
      [<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
      [<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
      [<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
      
      Fixes: 0f64478c ("USB: add USB serial mos7720 driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      51ecc07f
    • Johan Hovold's avatar
      USB: serial: kobil_sct: fix NULL-deref in write · d6e7aa70
      Johan Hovold authored
      [ Upstream commit 21ce5784 ]
      
      Fix NULL-pointer dereference in write() should the device lack the
      expected interrupt-out endpoint:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000054
      ...
      PC is at kobil_write+0x144/0x2a0 [kobil_sct]
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d6e7aa70
    • Johan Hovold's avatar
      USB: serial: keyspan_pda: verify endpoints at probe · 77c5492b
      Johan Hovold authored
      [ Upstream commit 5d9b0f85 ]
      
      Check for the expected endpoints in attach() and fail loudly if not
      present.
      
      Note that failing to do this appears to be benign since da280e34
      ("USB: keyspan_pda: clean up write-urb busy handling") which prevents a
      NULL-pointer dereference in write() by never marking a non-existent
      write-urb as free.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>	# < v3.3
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      77c5492b
    • Johan Hovold's avatar
      USB: serial: iuu_phoenix: fix NULL-deref at open · 276aae5b
      Johan Hovold authored
      [ Upstream commit 90507d54 ]
      
      Fix NULL-pointer dereference at open should the device lack a bulk-in or
      bulk-out endpoint:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at iuu_open+0x78/0x59c [iuu_phoenix]
      
      Fixes: 07c3b1a1 ("USB: remove broken usb-serial num_endpoints
      check")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      276aae5b
    • Johan Hovold's avatar
      USB: serial: io_ti: fix NULL-deref at open · fe436258
      Johan Hovold authored
      [ Upstream commit a323fefc ]
      
      Fix NULL-pointer dereference when clearing halt at open should a
      malicious device lack the expected endpoints when in download mode.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      [<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
      [<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
      [<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
      [<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fe436258
    • Johan Hovold's avatar
      USB: serial: io_edgeport: fix NULL-deref at open · 611bc0f4
      Johan Hovold authored
      [ Upstream commit 0dd40842 ]
      
      Fix NULL-pointer dereference when initialising URBs at open should a
      non-EPIC device lack a bulk-in or interrupt-in endpoint.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000028
      ...
      PC is at edge_open+0x24c/0x3e8 [io_edgeport]
      
      Note that the EPIC-device probe path has the required sanity checks so
      this makes those checks partially redundant.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      611bc0f4
    • Johan Hovold's avatar
      USB: serial: garmin_gps: fix memory leak on failed URB submit · 63d2b066
      Johan Hovold authored
      [ Upstream commit c4ac4496 ]
      
      Make sure to free the URB transfer buffer in case submission fails (e.g.
      due to a disconnect).
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      63d2b066
    • Johan Hovold's avatar
      USB: serial: cyberjack: fix NULL-deref at open · 028643e8
      Johan Hovold authored
      [ Upstream commit 3dca0111 ]
      
      Fix NULL-pointer dereference when clearing halt at open should the device
      lack a bulk-out endpoint.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at cyberjack_open+0x40/0x9c [cyberjack]
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      028643e8
    • Wan Ahmad Zainie's avatar
      usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake · 8e77b808
      Wan Ahmad Zainie authored
      [ Upstream commit 6c97cfc1 ]
      
      Intel Apollo Lake also requires XHCI_PME_STUCK_QUIRK.
      Adding its PCI ID to quirk.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarWan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      8e77b808
    • Lu Baolu's avatar
      usb: xhci: hold lock over xhci_abort_cmd_ring() · 18ee1064
      Lu Baolu authored
      [ Upstream commit 4dea7077 ]
      
      In command timer function, xhci_handle_command_timeout(), xhci->lock
      is unlocked before call into xhci_abort_cmd_ring(). This might cause
      race between the timer function and the event handler.
      
      The xhci_abort_cmd_ring() function sets the CMD_RING_ABORT bit in the
      command register and polling it until the setting takes effect. A stop
      command ring event might be handled between writing the abort bit and
      polling for it. The event handler will restart the command ring, which
      causes the failure of polling, and we ever believed that we failed to
      stop it.
      
      As a bonus, this also fixes some issues of calling functions without
      locking in xhci_handle_command_timeout().
      
      Cc: <stable@vger.kernel.org> # 3.7+
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      18ee1064
    • Mathias Nyman's avatar
      xhci: Handle command completion and timeout race · af7f5bf2
      Mathias Nyman authored
      [ Upstream commit a5a1b951 ]
      
      If we get a command completion event at the same time as the command
      timeout work starts on another cpu we might end up aborting the wrong
      command.
      
      If the command completion takes the xhci lock before the timeout work, it
      will handle the command, pick the next command, mark it as current_cmd, and
      re-queue the timeout work. When the timeout work finally gets the lock
      It will start aborting the wrong command.
      
      This case can be resolved by checking if the timeout work is pending inside
      the timeout function itself. A new timeout work can only be pending if the
      command completed and a new command was queued.
      
      If there are no more commands pending then command completion will set
      the current_cmd to NULL, which is already handled in the timeout work.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarBaolin Wang <baolin.wang@linaro.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      af7f5bf2
    • Baolin Wang's avatar
      usb: host: xhci: Fix possible wild pointer when handling abort command · adae8711
      Baolin Wang authored
      [ Upstream commit 2a7cfdf3 ]
      
      When current command was supposed to be aborted, host will free the command
      in handle_cmd_completion() function. But it might be still referenced by
      xhci->current_cmd, which need to set NULL.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarBaolin Wang <baolin.wang@linaro.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      adae8711
    • Lu Baolu's avatar
      usb: xhci: fix possible wild pointer · 073dd4e9
      Lu Baolu authored
      [ Upstream commit 2b985467 ]
      
      handle_cmd_completion() frees a command structure which might be still
      referenced by xhci->current_cmd.
      This might cause problem when xhci->current_cmd is accessed after that.
      
      A real-life case could be like this. The host takes a very long time to
      respond to a command, and the command timer is fired at the same time
      when the command completion event arrives. The command completion
      handler frees xhci->current_cmd before the timer function can grab
      xhci->lock. Afterward, timer function grabs the lock and go ahead with
      checking and setting members of xhci->current_cmd.
      
      Cc: <stable@vger.kernel.org> # v3.16+
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      073dd4e9
    • Mathias Nyman's avatar
      xhci: free xhci virtual devices with leaf nodes first · 4b6ac340
      Mathias Nyman authored
      [ Upstream commit ee8665e2 ]
      
      the tt_info provided by a HS hub might be in use to by a child device
      Make sure we free the devices in the correct order.
      
      This is needed in special cases such as when xhci controller is
      reset when resuming from hibernate, and all virt_devices are freed.
      
      Also free the virt_devices starting from max slot_id as children
      more commonly have higher slot_id than parent.
      
      CC: <stable@vger.kernel.org>
      Reported-by: default avatarGuenter Roeck <groeck@chromium.org>
      Tested-by: default avatarGuenter Roeck <groeck@chromium.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      4b6ac340
    • Bartosz Golaszewski's avatar
      ARM: davinci: da850: don't add emac clock to lookup table twice · 3e88ba68
      Bartosz Golaszewski authored
      [ Upstream commit ef37427a ]
      
      Similarly to the aemif clock - this screws up the linked list of clock
      children. Create a separate clock for mdio inheriting the rate from
      emac_clk.
      
      Cc: <stable@vger.kernel.org> # 3.12.x-
      Signed-off-by: default avatarBartosz Golaszewski <bgolaszewski@baylibre.com>
      [nsekhar@ti.com: add a comment over mdio_clk to explaing its existence +
      		 commit headline updates]
      Signed-off-by: default avatarSekhar Nori <nsekhar@ti.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      3e88ba68
    • Alan Stern's avatar
      USB: gadgetfs: fix checks of wTotalLength in config descriptors · 4848f01b
      Alan Stern authored
      [ Upstream commit 1c069b05 ]
      
      Andrey Konovalov's fuzz testing of gadgetfs showed that we should
      improve the driver's checks for valid configuration descriptors passed
      in by the user.  In particular, the driver needs to verify that the
      wTotalLength value in the descriptor is not too short (smaller
      than USB_DT_CONFIG_SIZE).  And the check for whether wTotalLength is
      too large has to be changed, because the driver assumes there is
      always enough room remaining in the buffer to hold a device descriptor
      (at least USB_DT_DEVICE_SIZE bytes).
      
      This patch adds the additional check and fixes the existing check.  It
      may do a little more than strictly necessary, but one extra check
      won't hurt.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: Andrey Konovalov <andreyknvl@google.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      4848f01b
    • Alan Stern's avatar
      USB: gadgetfs: fix use-after-free bug · fdd21c63
      Alan Stern authored
      [ Upstream commit add333a8 ]
      
      Andrey Konovalov reports that fuzz testing with syzkaller causes a
      KASAN use-after-free bug report in gadgetfs:
      
      BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
      Read of size 2 by task syz-executor0/22994
      CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
       ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
       ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
      Call Trace:
       <IRQ> [  201.343209]  [<     inline     >] __dump_stack lib/dump_stack.c:15
       <IRQ> [  201.343209]  [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
       [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
       [<     inline     >] print_address_description mm/kasan/report.c:197
       [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
       [<     inline     >] kasan_report mm/kasan/report.c:306
       [<ffffffff817e562a>] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
       [<     inline     >] config_buf drivers/usb/gadget/legacy/inode.c:1298
       [<ffffffff8322c8fa>] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
       [<ffffffff830fdcd0>] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
       [<ffffffff814807c1>] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
       [<     inline     >] expire_timers kernel/time/timer.c:1348
       [<ffffffff81482de6>] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
       [<ffffffff814832c1>] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
       [<ffffffff84f4af8b>] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284
      
      The cause of the bug is subtle.  The dev_config() routine gets called
      twice by the fuzzer.  The first time, the user data contains both a
      full-speed configuration descriptor and a high-speed config
      descriptor, causing dev->hs_config to be set.  But it also contains an
      invalid device descriptor, so the buffer containing the descriptors is
      deallocated and dev_config() returns an error.
      
      The second time dev_config() is called, the user data contains only a
      full-speed config descriptor.  But dev->hs_config still has the stale
      pointer remaining from the first call, causing the routine to think
      that there is a valid high-speed config.  Later on, when the driver
      dereferences the stale pointer to copy that descriptor, we get a
      use-after-free access.
      
      The fix is simple: Clear dev->hs_config if the passed-in data does not
      contain a high-speed config descriptor.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      fdd21c63
    • Alan Stern's avatar
      USB: gadgetfs: fix unbounded memory allocation bug · 6cd527a3
      Alan Stern authored
      [ Upstream commit faab5098 ]
      
      Andrey Konovalov reports that fuzz testing with syzkaller causes a
      KASAN warning in gadgetfs:
      
      BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
      Write of size 65537 by task syz-executor0/6356
      CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
       ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
       ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
      Call Trace:
       [<     inline     >] __dump_stack lib/dump_stack.c:15
       [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
       [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
       [<     inline     >] print_address_description mm/kasan/report.c:197
       [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
       [<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
       [<     inline     >] check_memory_region_inline mm/kasan/kasan.c:308
       [<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
       [<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
       [<     inline     >] copy_from_user arch/x86/include/asm/uaccess.h:689
       [<     inline     >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
       [<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
       [<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
       [<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
       [<     inline     >] SYSC_write fs/read_write.c:607
       [<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
       [<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      Indeed, there is a comment saying that the value of len is restricted
      to a 16-bit integer, but the code doesn't actually do this.
      
      This patch fixes the warning.  It replaces the comment with a
      computation that forces the amount of data copied from the user in
      ep0_write() to be no larger than the wLength size for the control
      transfer, which is a 16-bit quantity.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6cd527a3
    • Greg Kroah-Hartman's avatar
      usb: gadgetfs: restrict upper bound on device configuration size · 709c4986
      Greg Kroah-Hartman authored
      [ Upstream commit 0994b0a2 ]
      
      Andrey Konovalov reported that we were not properly checking the upper
      limit before of a device configuration size before calling
      memdup_user(), which could cause some problems.
      
      So set the upper limit to PAGE_SIZE * 4, which should be good enough for
      all devices.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      709c4986
    • Alan Stern's avatar
      USB: dummy-hcd: fix bug in stop_activity (handle ep0) · dde808bf
      Alan Stern authored
      [ Upstream commit bcdbeb84 ]
      
      The stop_activity() routine in dummy-hcd is supposed to unlink all
      active requests for every endpoint, among other things.  But it
      doesn't handle ep0.  As a result, fuzz testing can generate a WARNING
      like the following:
      
      WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
      Modules linked in:
      CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
       ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
       ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
      Call Trace:
       [<     inline     >] __dump_stack lib/dump_stack.c:15
       [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
       [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
       [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
       [<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
       [<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
       [<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
       [<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
       [<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357
      
      This patch fixes the problem by iterating over all the endpoints in
      the driver's ep array instead of iterating over the gadget's ep_list,
      which explicitly leaves out ep0.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      dde808bf
    • Krzysztof Opasiak's avatar
      usb: gadget: composite: Test get_alt() presence instead of set_alt() · 6c0b4029
      Krzysztof Opasiak authored
      [ Upstream commit 7e4da3fc ]
      
      By convention (according to doc) if function does not provide
      get_alt() callback composite framework should assume that it has only
      altsetting 0 and should respond with error if host tries to set
      other one.
      
      After commit dd4dff8b ("USB: composite: Fix bug: should test
      set_alt function pointer before use it")
      we started checking set_alt() callback instead of get_alt().
      This check is useless as we check if set_alt() is set inside
      usb_add_function() and fail if it's NULL.
      
      Let's fix this check and move comment about why we check the get
      method instead of set a little bit closer to prevent future false
      fixes.
      
      Fixes: dd4dff8b ("USB: composite: Fix bug: should test set_alt function pointer before use it")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarKrzysztof Opasiak <k.opasiak@samsung.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6c0b4029
    • Felipe Balbi's avatar
      usb: dwc3: gadget: always unmap EP0 requests · df6a1fb2
      Felipe Balbi authored
      [ Upstream commit d6214592 ]
      
      commit 0416e494 ("usb: dwc3: ep0: correct cache
      sync issue in case of ep0_bounced") introduced a bug
      where we would leak DMA resources which would cause
      us to starve the system of them resulting in failing
      DMA transfers.
      
      Fix the bug by making sure that we always unmap EP0
      requests since those are *always* mapped.
      
      Fixes: 0416e494 ("usb: dwc3: ep0: correct cache
      	sync issue in case of ep0_bounced")
      Cc: <stable@vger.kernel.org>
      Tested-by: default avatarTomasz Medrek <tomaszx.medrek@intel.com>
      Reported-by: default avatarJanusz Dziedzic <januszx.dziedzic@linux.intel.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      df6a1fb2
    • Hauke Mehrtens's avatar
      mtd: nand: xway: disable module support · d4000ff4
      Hauke Mehrtens authored
      [ Upstream commit 73529c87 ]
      
      The xway_nand driver accesses the ltq_ebu_membase symbol which is not
      exported. This also should not get exported and we should handle the
      EBU interface in a better way later. This quick fix just deactivated
      support for building as module.
      
      Fixes: 99f2b107 ("mtd: lantiq: Add NAND support on Lantiq XWAY SoC.")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d4000ff4
    • Eric W. Biederman's avatar
      ptrace: Capture the ptracer's creds not PT_PTRACE_CAP · 6d237451
      Eric W. Biederman authored
      [ Upstream commit 64b875f7 ]
      
      When the flag PT_PTRACE_CAP was added the PTRACE_TRACEME path was
      overlooked.  This can result in incorrect behavior when an application
      like strace traces an exec of a setuid executable.
      
      Further PT_PTRACE_CAP does not have enough information for making good
      security decisions as it does not report which user namespace the
      capability is in.  This has already allowed one mistake through
      insufficient granulariy.
      
      I found this issue when I was testing another corner case of exec and
      discovered that I could not get strace to set PT_PTRACE_CAP even when
      running strace as root with a full set of caps.
      
      This change fixes the above issue with strace allowing stracing as
      root a setuid executable without disabling setuid.  More fundamentaly
      this change allows what is allowable at all times, by using the correct
      information in it's decision.
      
      Cc: stable@vger.kernel.org
      Fixes: 4214e42f96d4 ("v2.4.9.11 -> v2.4.9.12")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6d237451
  2. 18 Jan, 2017 1 commit
  3. 13 Jan, 2017 8 commits