FAILED: patch "[PATCH] ALSA: usb-audio: Fix a DMA to stack memory bug" failed to apply to 5.15-stable tree
The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f7d306b47a24367302bd4fe846854e07752ffcd9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024121040-distant-throng-b534@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From f7d306b47a24367302bd4fe846854e07752ffcd9 Mon Sep 17 00:00:00 2001 From: Dan Carpenter dan.carpenter@linaro.org Date: Mon, 2 Dec 2024 15:57:54 +0300 Subject: [PATCH] ALSA: usb-audio: Fix a DMA to stack memory bug
The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead.
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") Cc: stable@kernel.org Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index 8bc959b60be3..7c9d352864da 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -555,7 +555,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; int err;
if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || @@ -566,15 +566,19 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 0x10, 0x43, 0x0001, 0x000a, NULL, 0); if (err < 0) dev_dbg(&dev->dev, "error sending boot message: %d\n", err); + + new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); err = usb_reset_configuration(dev); if (err < 0) dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); @@ -906,7 +910,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; int err; u8 bootresponse[0x12]; int fwsize; @@ -941,15 +945,19 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
dev_dbg(&dev->dev, "device initialised!\n");
+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
err = usb_reset_configuration(dev); if (err < 0) @@ -1259,7 +1267,7 @@ static void mbox3_setup_defaults(struct usb_device *dev) static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; int err; int descriptor_size;
@@ -1272,15 +1280,19 @@ static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
dev_dbg(&dev->dev, "MBOX3: device initialised!\n");
+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
err = usb_reset_configuration(dev); if (err < 0)
From: Dan Carpenter dan.carpenter@linaro.org
The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead.
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") Cc: stable@kernel.org Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) [Benoît: there is no mbox3 suppport and no __free macro in 5.15] Signed-off-by: Benoît Sevens bsevens@google.com --- sound/usb/quirks.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index 9d98a0e6a9f4..4c28a27aafdf 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -591,7 +591,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; int err;
if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || @@ -602,15 +602,19 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 0x10, 0x43, 0x0001, 0x000a, NULL, 0); if (err < 0) dev_dbg(&dev->dev, "error sending boot message: %d\n", err); + + new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); err = usb_reset_configuration(dev); if (err < 0) dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); @@ -942,7 +946,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; int err; u8 bootresponse[0x12]; int fwsize; @@ -977,15 +981,19 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
dev_dbg(&dev->dev, "device initialised!\n");
+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
err = usb_reset_configuration(dev); if (err < 0)
On Tue, 17 Dec 2024 at 13:39, Benoît Sevens bsevens@google.com wrote:
From: Dan Carpenter dan.carpenter@linaro.org
The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead.
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") Cc: stable@kernel.org Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) [Benoît: there is no mbox3 suppport and no __free macro in 5.15] Signed-off-by: Benoît Sevens bsevens@google.com
sound/usb/quirks.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index 9d98a0e6a9f4..4c28a27aafdf 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -591,7 +591,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) { struct usb_host_config *config = dev->actconfig;
struct usb_device_descriptor new_device_descriptor;
struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; int err; if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||@@ -602,15 +602,19 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 0x10, 0x43, 0x0001, 0x000a, NULL, 0); if (err < 0) dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);if (!new_device_descriptor)return -ENOMEM; err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
&new_device_descriptor, sizeof(new_device_descriptor));
new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
new_device_descriptor.bNumConfigurations);
new_device_descriptor->bNumConfigurations); else
memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); err = usb_reset_configuration(dev); if (err < 0) dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);@@ -942,7 +946,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig;
struct usb_device_descriptor new_device_descriptor;
struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; int err; u8 bootresponse[0x12]; int fwsize;@@ -977,15 +981,19 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
dev_dbg(&dev->dev, "device initialised!\n");
new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);if (!new_device_descriptor)return -ENOMEM;err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
&new_device_descriptor, sizeof(new_device_descriptor));
new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
new_device_descriptor.bNumConfigurations);
new_device_descriptor->bNumConfigurations); else
memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); err = usb_reset_configuration(dev); if (err < 0)-- 2.47.1.613.gc27f4b7a9f-goog
Please disregard, this does not build. I will submit a working patch.
[ Sasha's backport helper bot ]
Hi,
Found matching upstream commit: f7d306b47a24367302bd4fe846854e07752ffcd9
WARNING: Author mismatch between patch and found commit: Backport author: "=?UTF-8?q?Beno=C3=AEt=20Sevens?=" bsevens@google.com Commit author: Dan Carpenter dan.carpenter@linaro.org
Status in newer kernel trees: 6.12.y | Present (different SHA1: 7f1292f8d4d6) 6.6.y | Not found 6.1.y | Not found 5.15.y | Not found
Note: The patch differs from the upstream commit: --- 1: f7d306b47a24 ! 1: c80406b311f1 ALSA: usb-audio: Fix a DMA to stack memory bug @@ Commit message Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de + (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) + [Benoît: there is no mbox3 suppport and no __free macro in 5.15] + Signed-off-by: Benoît Sevens bsevens@google.com
## sound/usb/quirks.c ## @@ sound/usb/quirks.c: int snd_usb_create_quirk(struct snd_usb_audio *chip, @@ sound/usb/quirks.c: static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
err = usb_reset_configuration(dev); if (err < 0) -@@ sound/usb/quirks.c: static void mbox3_setup_defaults(struct usb_device *dev) - static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) - { - struct usb_host_config *config = dev->actconfig; -- struct usb_device_descriptor new_device_descriptor; -+ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; - int err; - int descriptor_size; - -@@ sound/usb/quirks.c: static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) - - dev_dbg(&dev->dev, "MBOX3: device initialised!\n"); - -+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); -+ if (!new_device_descriptor) -+ return -ENOMEM; -+ - err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, -- &new_device_descriptor, sizeof(new_device_descriptor)); -+ new_device_descriptor, sizeof(*new_device_descriptor)); - if (err < 0) - dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err); -- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) -+ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) - dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n", -- new_device_descriptor.bNumConfigurations); -+ new_device_descriptor->bNumConfigurations); - else -- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); -+ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); - - err = usb_reset_configuration(dev); - if (err < 0) ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.15.y | Success | Failed |
Build Errors: Build error for stable/linux-5.15.y: sound/usb/quirks.c: In function 'snd_usb_extigy_boot_quirk': sound/usb/quirks.c:594:61: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__free' 594 | struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; | ^~~~~~ sound/usb/quirks.c:594:61: error: implicit declaration of function '__free'; did you mean 'kvfree'? [-Werror=implicit-function-declaration] 594 | struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; | ^~~~~~ | kvfree sound/usb/quirks.c:594:75: error: lvalue required as left operand of assignment 594 | struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; | ^ sound/usb/quirks.c:595:9: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement] 595 | int err; | ^~~ sound/usb/quirks.c:606:17: error: 'new_device_descriptor' undeclared (first use in this function); did you mean 'usb_device_descriptor'? 606 | new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); | ^~~~~~~~~~~~~~~~~~~~~ | usb_device_descriptor sound/usb/quirks.c:606:17: note: each undeclared identifier is reported only once for each function it appears in sound/usb/quirks.c: In function 'snd_usb_mbox2_boot_quirk': sound/usb/quirks.c:949:61: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__free' 949 | struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; | ^~~~~~ sound/usb/quirks.c:949:75: error: lvalue required as left operand of assignment 949 | struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; | ^ sound/usb/quirks.c:950:9: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement] 950 | int err; | ^~~ sound/usb/quirks.c:984:9: error: 'new_device_descriptor' undeclared (first use in this function); did you mean 'usb_device_descriptor'? 984 | new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); | ^~~~~~~~~~~~~~~~~~~~~ | usb_device_descriptor cc1: some warnings being treated as errors make[2]: *** [scripts/Makefile.build:289: sound/usb/quirks.o] Error 1 make[2]: Target '__build' not remade because of errors. make[1]: *** [scripts/Makefile.build:552: sound/usb] Error 2 make[1]: Target '__build' not remade because of errors. make: *** [Makefile:1906: sound] Error 2 make: Target '__all' not remade because of errors.
From: Dan Carpenter dan.carpenter@linaro.org
The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead.
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") Cc: stable@kernel.org Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) [Benoît: there is no mbox3 suppport and no __free macro in 5.15] Signed-off-by: Benoît Sevens bsevens@google.com --- sound/usb/quirks.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index 9d98a0e6a9f4..9f182c448d04 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -591,7 +591,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor = NULL; int err;
if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || @@ -602,15 +602,20 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 0x10, 0x43, 0x0001, 0x000a, NULL, 0); if (err < 0) dev_dbg(&dev->dev, "error sending boot message: %d\n", err); + + new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); + kfree(new_device_descriptor); err = usb_reset_configuration(dev); if (err < 0) dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); @@ -942,7 +947,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor = NULL; int err; u8 bootresponse[0x12]; int fwsize; @@ -977,15 +982,21 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
dev_dbg(&dev->dev, "device initialised!\n");
+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); + + kfree(new_device_descriptor);
err = usb_reset_configuration(dev); if (err < 0)
On Tue, Dec 17, 2024 at 12:43:18PM +0000, Benoît Sevens wrote:
From: Dan Carpenter dan.carpenter@linaro.org
The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead.
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") Cc: stable@kernel.org Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) [Benoît: there is no mbox3 suppport and no __free macro in 5.15] Signed-off-by: Benoît Sevens bsevens@google.com
sound/usb/quirks.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-)
I see 2 versions of this, which one is correct?
When sending new versions, always properly version them. I'll delete this and wait for a proper v2.
thanks,
greg k-h
[ Sasha's backport helper bot ]
Hi,
Found matching upstream commit: f7d306b47a24367302bd4fe846854e07752ffcd9
WARNING: Author mismatch between patch and found commit: Backport author: "=?UTF-8?q?Beno=C3=AEt=20Sevens?=" bsevens@google.com Commit author: Dan Carpenter dan.carpenter@linaro.org
Status in newer kernel trees: 6.12.y | Present (different SHA1: 7f1292f8d4d6) 6.6.y | Not found 6.1.y | Not found 5.15.y | Not found
Note: The patch differs from the upstream commit: --- 1: f7d306b47a24 ! 1: ad2d0ea6f907 ALSA: usb-audio: Fix a DMA to stack memory bug @@ Commit message Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de + (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) + [Benoît: there is no mbox3 suppport and no __free macro in 5.15] + Signed-off-by: Benoît Sevens bsevens@google.com
## sound/usb/quirks.c ## @@ sound/usb/quirks.c: int snd_usb_create_quirk(struct snd_usb_audio *chip, @@ sound/usb/quirks.c: int snd_usb_create_quirk(struct snd_usb_audio *chip, { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; -+ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; ++ struct usb_device_descriptor *new_device_descriptor = NULL; int err;
if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || @@ sound/usb/quirks.c: static int snd_usb_extigy_boot_quirk(struct usb_device *dev, else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); ++ kfree(new_device_descriptor); err = usb_reset_configuration(dev); if (err < 0) dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); @@ sound/usb/quirks.c: static void mbox2_setup_48_24_magic(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; -+ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; ++ struct usb_device_descriptor *new_device_descriptor = NULL; int err; u8 bootresponse[0x12]; int fwsize; @@ sound/usb/quirks.c: static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); - - err = usb_reset_configuration(dev); - if (err < 0) -@@ sound/usb/quirks.c: static void mbox3_setup_defaults(struct usb_device *dev) - static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) - { - struct usb_host_config *config = dev->actconfig; -- struct usb_device_descriptor new_device_descriptor; -+ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; - int err; - int descriptor_size; - -@@ sound/usb/quirks.c: static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) - - dev_dbg(&dev->dev, "MBOX3: device initialised!\n"); - -+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); -+ if (!new_device_descriptor) -+ return -ENOMEM; + - err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, -- &new_device_descriptor, sizeof(new_device_descriptor)); -+ new_device_descriptor, sizeof(*new_device_descriptor)); - if (err < 0) - dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err); -- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) -+ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) - dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n", -- new_device_descriptor.bNumConfigurations); -+ new_device_descriptor->bNumConfigurations); - else -- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); -+ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); ++ kfree(new_device_descriptor);
err = usb_reset_configuration(dev); if (err < 0) ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.15.y | Success | Success |
From: Dan Carpenter dan.carpenter@linaro.org
The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead.
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") Cc: stable@kernel.org Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) [Benoît: there is no mbox3 suppport and no __free macro in 5.15] Signed-off-by: Benoît Sevens bsevens@google.com --- Changes: - v2: Remove usage of __free macro which is not yet available in 5.15
sound/usb/quirks.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index 9d98a0e6a9f4..9f182c448d04 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -591,7 +591,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor = NULL; int err;
if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || @@ -602,15 +602,20 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac 0x10, 0x43, 0x0001, 0x000a, NULL, 0); if (err < 0) dev_dbg(&dev->dev, "error sending boot message: %d\n", err); + + new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); + kfree(new_device_descriptor); err = usb_reset_configuration(dev); if (err < 0) dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); @@ -942,7 +947,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev) static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; + struct usb_device_descriptor *new_device_descriptor = NULL; int err; u8 bootresponse[0x12]; int fwsize; @@ -977,15 +982,21 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
dev_dbg(&dev->dev, "device initialised!\n");
+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); + if (!new_device_descriptor) + return -ENOMEM; + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &new_device_descriptor, sizeof(new_device_descriptor)); + new_device_descriptor, sizeof(*new_device_descriptor)); if (err < 0) dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); - if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) + if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", - new_device_descriptor.bNumConfigurations); + new_device_descriptor->bNumConfigurations); else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); + + kfree(new_device_descriptor);
err = usb_reset_configuration(dev); if (err < 0)
[ Sasha's backport helper bot ]
Hi,
Found matching upstream commit: f7d306b47a24367302bd4fe846854e07752ffcd9
WARNING: Author mismatch between patch and found commit: Backport author: "=?UTF-8?q?Beno=C3=AEt=20Sevens?=" bsevens@google.com Commit author: Dan Carpenter dan.carpenter@linaro.org
Status in newer kernel trees: 6.12.y | Present (different SHA1: 7f1292f8d4d6) 6.6.y | Not found 6.1.y | Not found 5.15.y | Not found
Note: The patch differs from the upstream commit: --- 1: f7d306b47a24 ! 1: 483c2942243f ALSA: usb-audio: Fix a DMA to stack memory bug @@ Commit message Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mounta... Signed-off-by: Takashi Iwai tiwai@suse.de + (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) + [Benoît: there is no mbox3 suppport and no __free macro in 5.15] + Signed-off-by: Benoît Sevens bsevens@google.com
## sound/usb/quirks.c ## @@ sound/usb/quirks.c: int snd_usb_create_quirk(struct snd_usb_audio *chip, @@ sound/usb/quirks.c: int snd_usb_create_quirk(struct snd_usb_audio *chip, { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; -+ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; ++ struct usb_device_descriptor *new_device_descriptor = NULL; int err;
if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || @@ sound/usb/quirks.c: static int snd_usb_extigy_boot_quirk(struct usb_device *dev, else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); ++ kfree(new_device_descriptor); err = usb_reset_configuration(dev); if (err < 0) dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); @@ sound/usb/quirks.c: static void mbox2_setup_48_24_magic(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig; - struct usb_device_descriptor new_device_descriptor; -+ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; ++ struct usb_device_descriptor *new_device_descriptor = NULL; int err; u8 bootresponse[0x12]; int fwsize; @@ sound/usb/quirks.c: static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) else - memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); - - err = usb_reset_configuration(dev); - if (err < 0) -@@ sound/usb/quirks.c: static void mbox3_setup_defaults(struct usb_device *dev) - static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) - { - struct usb_host_config *config = dev->actconfig; -- struct usb_device_descriptor new_device_descriptor; -+ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; - int err; - int descriptor_size; - -@@ sound/usb/quirks.c: static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) - - dev_dbg(&dev->dev, "MBOX3: device initialised!\n"); - -+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); -+ if (!new_device_descriptor) -+ return -ENOMEM; + - err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, -- &new_device_descriptor, sizeof(new_device_descriptor)); -+ new_device_descriptor, sizeof(*new_device_descriptor)); - if (err < 0) - dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err); -- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) -+ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) - dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n", -- new_device_descriptor.bNumConfigurations); -+ new_device_descriptor->bNumConfigurations); - else -- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); -+ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); ++ kfree(new_device_descriptor);
err = usb_reset_configuration(dev); if (err < 0) ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.15.y | Success | Success |
linux-stable-mirror@lists.linaro.org
-
Benoît Sevens -
Greg KH -
gregkh@linuxfoundation.org
-
Sasha Levin