1. 17 Jul, 2018 9 commits
    • Johan Hovold's avatar
      USB: serial: mos7840: fix status-register error handling · dd1496f3
      Johan Hovold authored
      commit 794744ab upstream.
      
      Add missing transfer-length sanity check to the status-register
      completion handler to avoid leaking bits of uninitialised slab data to
      user space.
      
      Fixes: 3f542974 ("USB: Moschip 7840 USB-Serial Driver")
      Cc: stable <stable@vger.kernel.org>     # 2.6.19
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd1496f3
    • Jann Horn's avatar
      USB: yurex: fix out-of-bounds uaccess in read handler · 2638a67a
      Jann Horn authored
      commit f1e255d6 upstream.
      
      In general, accessing userspace memory beyond the length of the supplied
      buffer in VFS read/write handlers can lead to both kernel memory corruption
      (via kernel_read()/kernel_write(), which can e.g. be triggered via
      sys_splice()) and privilege escalation inside userspace.
      
      Fix it by using simple_read_from_buffer() instead of custom logic.
      
      Fixes: 6bc235a2 ("USB: add driver for Meywa-Denki & Kayac YUREX")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2638a67a
    • Johan Hovold's avatar
      USB: serial: keyspan_pda: fix modem-status error handling · 5736d7c2
      Johan Hovold authored
      commit 01b3cdfc upstream.
      
      Fix broken modem-status error handling which could lead to bits of slab
      data leaking to user space.
      
      Fixes: 3b36a8fd ("usb: fix uninitialized variable warning in keyspan_pda")
      Cc: stable <stable@vger.kernel.org>     # 2.6.27
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5736d7c2
    • Olli Salonen's avatar
      USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick · 5bbc3938
      Olli Salonen authored
      commit 367b160f upstream.
      
      There are two versions of the Qivicon Zigbee stick in circulation. This
      adds the second USB ID to the cp210x driver.
      Signed-off-by: default avatarOlli Salonen <olli.salonen@iki.fi>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5bbc3938
    • Dan Carpenter's avatar
      USB: serial: ch341: fix type promotion bug in ch341_control_in() · a82597e9
      Dan Carpenter authored
      commit e33eab9d upstream.
      
      The "r" variable is an int and "bufsize" is an unsigned int so the
      comparison is type promoted to unsigned.  If usb_control_msg() returns a
      negative that is treated as a high positive value and the error handling
      doesn't work.
      
      Fixes: 2d5a9c72 ("USB: serial: ch341: fix control-message error handling")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a82597e9
    • Hans de Goede's avatar
      ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS · 54b59436
      Hans de Goede authored
      commit 240630e6 upstream.
      
      There have been several reports of LPM related hard freezes about once
      a day on multiple Lenovo 50 series models. Strange enough these reports
      where not disk model specific as LPM issues usually are and some users
      with the exact same disk + laptop where seeing them while other users
      where not seeing these issues.
      
      It turns out that enabling LPM triggers a firmware bug somewhere, which
      has been fixed in later BIOS versions.
      
      This commit adds a new ahci_broken_lpm() function and a new ATA_FLAG_NO_LPM
      for dealing with this.
      
      The ahci_broken_lpm() function contains DMI match info for the 4 models
      which are known to be affected by this and the DMI BIOS date field for
      known good BIOS versions. If the BIOS date is older then the one in the
      table LPM will be disabled and a warning will be printed.
      
      Note the BIOS dates are for known good versions, some older versions may
      work too, but we don't know for sure, the table is using dates from BIOS
      versions for which users have confirmed that upgrading to that version
      makes the problem go away.
      
      Unfortunately I've been unable to get hold of the reporter who reported
      that BIOS version 2.35 fixed the problems on the W541 for him. I've been
      able to verify the DMI_SYS_VENDOR and DMI_PRODUCT_VERSION from an older
      dmidecode, but I don't know the exact BIOS date as reported in the DMI.
      Lenovo keeps a changelog with dates in their release notes, but the
      dates there are the release dates not the build dates which are in DMI.
      So I've chosen to set the date to which we compare to one day past the
      release date of the 2.34 BIOS. I plan to fix this with a follow up
      commit once I've the necessary info.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54b59436
    • Nadav Amit's avatar
      vmw_balloon: fix inflation with batching · f0a1bf29
      Nadav Amit authored
      commit 90d72ce0 upstream.
      
      Embarrassingly, the recent fix introduced worse problem than it solved,
      causing the balloon not to inflate. The VM informed the hypervisor that
      the pages for lock/unlock are sitting in the wrong address, as it used
      the page that is used the uninitialized page variable.
      
      Fixes: b23220fe ("vmw_balloon: fixing double free when batching mode is off")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarXavier Deguillard <xdeguillard@vmware.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0a1bf29
    • Jann Horn's avatar
      ibmasm: don't write out of bounds in read handler · ba20e67a
      Jann Horn authored
      commit a0341fc1 upstream.
      
      This read handler had a lot of custom logic and wrote outside the bounds of
      the provided buffer. This could lead to kernel and userspace memory
      corruption. Just use simple_read_from_buffer() with a stack buffer.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba20e67a
    • Paul Burton's avatar
      MIPS: Fix ioremap() RAM check · bc20ab94
      Paul Burton authored
      commit 523402fa upstream.
      
      We currently attempt to check whether a physical address range provided
      to __ioremap() may be in use by the page allocator by examining the
      value of PageReserved for each page in the region - lowmem pages not
      marked reserved are presumed to be in use by the page allocator, and
      requests to ioremap them fail.
      
      The way we check this has been broken since commit 92923ca3 ("mm:
      meminit: only set page reserved in the memblock region"), because
      memblock will typically not have any knowledge of non-RAM pages and
      therefore those pages will not have the PageReserved flag set. Thus when
      we attempt to ioremap a region outside of RAM we incorrectly fail
      believing that the region is RAM that may be in use.
      
      In most cases ioremap() on MIPS will take a fast-path to use the
      unmapped kseg1 or xkphys virtual address spaces and never hit this path,
      so the only way to hit it is for a MIPS32 system to attempt to ioremap()
      an address range in lowmem with flags other than _CACHE_UNCACHED.
      Perhaps the most straightforward way to do this is using
      ioremap_uncached_accelerated(), which is how the problem was discovered.
      
      Fix this by making use of walk_system_ram_range() to test the address
      range provided to __ioremap() against only RAM pages, rather than all
      lowmem pages. This means that if we have a lowmem I/O region, which is
      very common for MIPS systems, we're free to ioremap() address ranges
      within it. A nice bonus is that the test is no longer limited to lowmem.
      
      The approach here matches the way x86 performed the same test after
      commit c81c8a1e ("x86, ioremap: Speed up check for RAM pages") until
      x86 moved towards a slightly more complicated check using walk_mem_res()
      for unrelated reasons with commit 0e4c12b4 ("x86/mm, resource: Use
      PAGE_KERNEL protection for ioremap of memory pages").
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Reported-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Tested-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Fixes: 92923ca3 ("mm: meminit: only set page reserved in the memblock region")
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.2+
      Patchwork: https://patchwork.linux-mips.org/patch/19786/Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc20ab94
  2. 11 Jul, 2018 31 commits