diff --git a/blacklist.conf b/blacklist.conf
index dfe3e6f..6d8caba 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -2195,3 +2195,6 @@ e75130f20b1f48e04ccc806aea01f0a361f9cb6b # requires 10f78fd0dabbc3856ddd67b09a46
 10f78fd0dabbc3856ddd67b09a46abdedb045913 # fix for e75130f20b1f48e04ccc806aea01f0a361f9cb6b
 7dee93a9a8808b3d8595e1cc79ccb8b1a7bc7a77 # introduces boot_mem_top, 4.12 code uses boot_memory_size indiscriminately
 bec53196adf4791d466adf0e339b61186c7b5283 # relies on boot_mem_top, 4.12 code uses boot_memory_size indiscriminately
+b38cd3b42fba66cc538edb9cf77e07881f43f8e2 # misattributed. Bug introduced in 4a56f891efceee88d422af2e99d00c8321c671c1, which we don't have
+3ad02c27d89d72b3b49ac51899144b7d0942f05f # cleanup breaking kABI
+218848835699879ed6260ec49bbb22e9e7839017 # cleanup breaking kABI
diff --git a/patches.suse/Bluetooth-hci_qca-Use-del_timer_sync-before-freeing.patch b/patches.suse/Bluetooth-hci_qca-Use-del_timer_sync-before-freeing.patch
new file mode 100644
index 0000000..e366ff7
--- /dev/null
+++ b/patches.suse/Bluetooth-hci_qca-Use-del_timer_sync-before-freeing.patch
@@ -0,0 +1,43 @@
+From 72ef98445aca568a81c2da050532500a8345ad3a Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Tue, 5 Apr 2022 10:02:00 -0400
+Subject: [PATCH] Bluetooth: hci_qca: Use del_timer_sync() before freeing
+Git-commit: 72ef98445aca568a81c2da050532500a8345ad3a
+References: git-fixes
+Patch-mainline: v5.19-rc1
+
+While looking at a crash report on a timer list being corrupted, which
+usually happens when a timer is freed while still active. This is
+commonly triggered by code calling del_timer() instead of
+del_timer_sync() just before freeing.
+
+One possible culprit is the hci_qca driver, which does exactly that.
+
+Eric mentioned that wake_retrans_timer could be rearmed via the work
+queue, so also move the destruction of the work queue before
+del_timer_sync().
+
+Cc: Eric Dumazet
+Cc: stable@vger.kernel.org
+Fixes: 0ff252c1976da ("Bluetooth: hciuart: Add support QCA chipset for UART")
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Oliver Neukum
+---
+ drivers/bluetooth/hci_qca.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -524,9 +524,9 @@ static int qca_close(struct hci_uart *hu
+ 
+ skb_queue_purge(&qca->tx_wait_q);
+ skb_queue_purge(&qca->txq);
+- del_timer(&qca->tx_idle_timer);
+- del_timer(&qca->wake_retrans_timer);
+ destroy_workqueue(qca->workqueue);
++ del_timer_sync(&qca->tx_idle_timer);
++ del_timer_sync(&qca->wake_retrans_timer);
+ qca->hu = NULL;
+ 
+ kfree_skb(qca->rx_skb);
diff --git a/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch b/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch
new file mode 100644
index 0000000..d981451
--- /dev/null
+++ b/patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch
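Review bot: The reordered teardown in qca_close() still leaves a window between destroy_workqueue() and the two del_timer_sync() calls: if either timer callback queues work on qca->workqueue (the callbacks are not in this hunk, so this needs confirming against the 4.12 hci_qca.c), a timer that expires in that window would touch an already-destroyed workqueue. The upstream order is deliberate because work on that queue can re-arm wake_retrans_timer, so the backport should record that trade-off rather than leave it implicit, e.g. `/* workqueue first: its work can re-arm wake_retrans_timer; timer callbacks must not queue work here */` above the destroy_workqueue() line. qca_close() starts and ends outside the hunk. Separately, this patch file omits the `diff --git`/`index` lines and the trailing `-- ` signature that the other three patch files in this commit carry, which is harmless for applying but inconsistent within the series.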
@@ -0,0 +1,54 @@
+From 8dbdcc7269a83305ee9d677b75064d3530a48ee2 Mon Sep 17 00:00:00 2001
+From: Zhou Qingyang
+Date: Tue, 30 Nov 2021 16:38:05 +0100
+Subject: [PATCH] media: dib8000: Fix a memleak in dib8000_init()
+Git-commit: 8dbdcc7269a83305ee9d677b75064d3530a48ee2
+References: git-fixes
+Patch-mainline: v5.17-rc1
+
+In dib8000_init(), the variable fe is not freed or passed out on the
+failure of dib8000_identify(&state->i2c), which could lead to a memleak.
+
+Fix this bug by adding a kfree of fe in the error path.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_DVB_DIB8000=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: 77e2c0f5d471 ("V4L/DVB (12900): DiB8000: added support for DiBcom ISDB-T/ISDB-Tsb demodulator DiB8000")
+Signed-off-by: Zhou Qingyang
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Oliver Neukum
+---
+ drivers/media/dvb-frontends/dib8000.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
+index bb02354a48b8..d67f2dd997d0 100644
+--- a/drivers/media/dvb-frontends/dib8000.c
++++ b/drivers/media/dvb-frontends/dib8000.c
+@@ -4473,8 +4473,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad
+ 
+ state->timf_default = cfg->pll->timf;
+ 
+- if (dib8000_identify(&state->i2c) == 0)
++ if (dib8000_identify(&state->i2c) == 0) {
++ kfree(fe);
+ goto error;
++ }
+ 
+ dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr);
+ 
+-- 
+2.35.3
+
diff --git a/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch b/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch
new file mode 100644
index 0000000..f249807
--- /dev/null
+++ b/patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch
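Review bot: The kfree(fe) is added on the dib8000_identify() failure path only, so any other `goto error` reached after fe has been allocated would still leak it; the rest of dib8000_init() and the `error:` label are outside this hunk, so this cannot be judged from the patch alone. Before taking it into the 4.12 tree it is worth checking what `error:` frees in that tree: if it releases only `state`, freeing at the label covers every path at once, e.g. `error:` / `kfree(fe);` / `kfree(state);` with fe initialised to NULL at declaration so an early jump stays safe. The upstream message itself says the bug came from a static analyzer and was not triggered, so confirming the control flow matches this tree's dib8000_init() is the main backport risk.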
@@ -0,0 +1,64 @@
+From 0407c49ebe330333478440157c640fffd986f41b Mon Sep 17 00:00:00 2001
+From: Zhou Qingyang
+Date: Tue, 30 Nov 2021 17:34:44 +0100
+Subject: [PATCH] media: saa7146: mxb: Fix a NULL pointer dereference in
+ mxb_attach()
+Git-commit: 0407c49ebe330333478440157c640fffd986f41b
+References: git-fixes
+Patch-mainline: v5.17-rc1
+
+In mxb_attach(dev, info), saa7146_vv_init() is called to allocate a
+new memory for dev->vv_data. saa7146_vv_release() will be called on
+failure of mxb_probe(dev). There is a dereference of dev->vv_data
+in saa7146_vv_release(), which could lead to a NULL pointer dereference
+on failure of saa7146_vv_init().
+
+Fix this bug by adding a check of saa7146_vv_init().
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_VIDEO_MXB=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: 03b1930efd3c ("V4L/DVB: saa7146: fix regression of the av7110/budget-av driver")
+Signed-off-by: Zhou Qingyang
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Oliver Neukum
+---
+ drivers/media/pci/saa7146/mxb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c
+index 73fc901ecf3d..bf0b9b0914cd 100644
+--- a/drivers/media/pci/saa7146/mxb.c
++++ b/drivers/media/pci/saa7146/mxb.c
+@@ -683,10 +683,16 @@ static struct saa7146_ext_vv vv_data;
+ static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
+ {
+ struct mxb *mxb;
++ int ret;
+ 
+ DEB_EE("dev:%p\n", dev);
+ 
+- saa7146_vv_init(dev, &vv_data);
++ ret = saa7146_vv_init(dev, &vv_data);
++ if (ret) {
++ ERR("Error in saa7146_vv_init()");
++ return ret;
++ }
++
+ if (mxb_probe(dev)) {
+ saa7146_vv_release(dev);
+ return -1;
+-- 
+2.35.3
+
diff --git a/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch b/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch
new file mode 100644
index 0000000..3c3c2c8
--- /dev/null
+++ b/patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch
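Review bot: The new error message `ERR("Error in saa7146_vv_init()");` has no trailing newline, while the DEB_EE() call two lines above ends its format with `\n`; if ERR() in this tree expands to pr_err() without appending one (to be confirmed in the saa7146 headers of the 4.12 tree), the next kernel log line is glued onto this message, so `ERR("Error in saa7146_vv_init()\n");` is the safer form. Returning ret straight away is correct at this point because nothing has been set up yet for mxb_attach() to undo; the remainder of the function is outside the hunk.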
@@ -0,0 +1,47 @@
+From 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 26 Oct 2021 11:55:11 +0200
+Subject: [PATCH] media: uvcvideo: fix division by zero at stream start
+Git-commit: 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df
+References: git-fixes
+Patch-mainline: v5.17-rc1
+
+Add the missing bulk-endpoint max-packet sanity check to
+uvc_video_start_transfer() to avoid division by zero in
+uvc_alloc_urb_buffers() in case a malicious device has broken
+descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Cc: stable@vger.kernel.org # 2.6.26
+Signed-off-by: Johan Hovold
+Reviewed-by: Kieran Bingham
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Oliver Neukum
+---
+ drivers/media/usb/uvc/uvc_video.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index 9f37eaf28ce7..1b4cc934109e 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1963,6 +1963,10 @@ static int uvc_video_start_transfer(struct uvc_streaming *stream,
+ if (ep == NULL)
+ return -EIO;
+ 
++ /* Reject broken descriptors. */
++ if (usb_endpoint_maxp(&ep->desc) == 0)
++ return -EIO;
++
+ ret = uvc_init_video_bulk(stream, ep, gfp_flags);
+ }
+ 
+-- 
+2.35.3
+
diff --git a/series.conf b/series.conf
index 01306cd..02eec76 100644
--- a/series.conf
+++ b/series.conf
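Review bot: The added usb_endpoint_maxp() guard covers only the bulk branch visible in the hunk; the isochronous branch of uvc_video_start_transfer() is outside the hunk, and since the commit message places the division in uvc_alloc_urb_buffers(), which serves both transfer types, the backport should confirm that the 4.12 isochronous path already rejects a zero wMaxPacketSize before the buffer sizing (upstream's message says only the bulk check was missing, but that is a statement about the mainline tree, not this one). The comment `/* Reject broken descriptors. */` would be more useful to the next reader if it named the consequence, e.g. `/* Reject broken descriptors: a zero max packet size would divide by zero in uvc_alloc_urb_buffers(). */`. Failing with -EIO before any buffer arithmetic is the right place to stop, as the descriptor values come from the device and are untrusted.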
@@ -61073,6 +61073,9 @@
 patches.suse/media-stk1160-fix-control-message-timeouts.patch
 patches.suse/media-dmxdev-fix-UAF-when-dvb_register_device-fails.patch
 patches.suse/media-dib0700-fix-undefined-behavior-in-tuner-shutdo.patch
+ patches.suse/media-uvcvideo-fix-division-by-zero-at-stream-start.patch
+ patches.suse/media-dib8000-Fix-a-memleak-in-dib8000_init.patch
+ patches.suse/media-saa7146-mxb-Fix-a-NULL-pointer-dereference-in-.patch
 patches.suse/Bluetooth-bfusb-fix-division-by-zero-in-send-path.patch
 patches.suse/msft-hv-2486-net-mana-Add-XDP-support.patch
 patches.suse/ibmvnic-Update-driver-return-codes.patch
@@ -61474,6 +61477,7 @@
 patches.suse/ext4-avoid-cycles-in-directory-h-tree.patch
 patches.suse/ext4-fix-bug_on-in-__es_tree_search.patch
 patches.suse/iomap-iomap_write_failed-fix.patch
+ patches.suse/Bluetooth-hci_qca-Use-del_timer_sync-before-freeing.patch
 patches.suse/scsi-qla2xxx-Remove-free_sg-command-flag.patch
 patches.suse/scsi-ufs-qcom-Fix-ufs_qcom_resume.patch
 patches.suse/scsi-qla2xxx-Remove-unneeded-flush_workqueue.patch