Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.9.y 2023-11-22T12:02:53Z 2023-11-22T12:02:53Z Kees Cook keescook@chromium.org 2023-11-16T19:14:52Z urn:sha1:2d1803ada2e021b9333b8a784c55fe828ab2b985 strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated[1]. Additionally, it returns the size of the source string, not the resulting size of the destination string. In an effort to remove strlcpy() completely[2], replace strlcpy() here with strscpy(). In the unlikely (impossible?) case where opts->id was larger than PAGE_SIZE, this will now correctly report truncation errors. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1] Link: https://github.com/KSPP/linux/issues/89 [2] Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Will McVicker <willmcvicker@google.com> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Cc: Peter Chen <peter.chen@nxp.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Zhang Qilong <zhangqilong3@huawei.com> Cc: Linyu Yuan <quic_linyyuan@quicinc.com> Cc: John Keeping <john@keeping.me.uk> Cc: Azeem Shaikh <azeemshaikh38@gmail.com> Cc: linux-usb@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20231116191452.work.902-kees@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-10-02T16:48:52Z Kees Cook keescook@chromium.org 2023-09-15T19:59:39Z urn:sha1:182717026e2c8e6cc3b5757f601c3fee15f64ecb Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct f_midi. Additionally, since the element count member must be set before accessing the annotated flexible array member, move its initialization earlier. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: John Keeping <john@keeping.me.uk> Cc: Peter Chen <peter.chen@nxp.com> Cc: Hulk Robot <hulkci@huawei.com> Cc: Allen Pais <allen.lkml@gmail.com> Cc: Will McVicker <willmcvicker@google.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Zhang Qilong <zhangqilong3@huawei.com> Cc: linux-usb@vger.kernel.org Reviewed-by: "Gustavo A. R. Silva" <gustavoars@kernel.org> Link: https://lore.kernel.org/r/20230915195938.never.611-kees@kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> 2023-08-22T12:48:33Z Linyu Yuan quic_linyyuan@quicinc.com 2023-08-03T09:10:50Z urn:sha1:46decc82ffd54212cc2c600031daec6e835a6503 Take f_midi_bind() for example, when composite layer call it, it will allocate hs descriptor by calling gadget_is_dualspeed() API to check gadget max support speed capability, but most other gadget function didn't do like this. To follow other function drivers, it is safe to remove the check which mean support all possible link speed by default in function driver. Similar change apply to midi2 and uvc. Also in midi and midi2, as there is no descriptor difference between super speed and super speed plus, follow other gadget function drivers, do not allocate descriptor for super speed plus, composite layer will handle it properly. Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com> Link: https://lore.kernel.org/r/20230803091053.9714-5-quic_linyyuan@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-11-17T13:40:43Z John Keeping john@metanate.com 2021-10-29T13:41:14Z urn:sha1:d429976170a5699ef2cc03e3e3abfc06098754cc Unlike the other integral options supported by the MIDI gadget, index is a signed integer and defaults to -1, which means "choose any sound card index". The generic store routine parses input into a u32 which fails to properly read -1 if an attempt is made to set the value to the default. Add a new macro block for signed values to fix this, and use the correct format string for unsigned values. Signed-off-by: John Keeping <john@metanate.com> Link: https://lore.kernel.org/r/20211029134115.351008-1-john@metanate.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-12T11:52:28Z Davidlohr Bueso dave@stgolabs.net 2021-01-11T04:28:55Z urn:sha1:8653d71ce3763aedcf3d2331f59beda3fecd79e4 Currently a tasklet is used to transmit input substream buffer data. However, tasklets have long been deprecated as being too heavy on the system by running in irq context - and this is not a performance critical path. If a higher priority process wants to run, it must wait for the tasklet to finish before doing so. Deferring work to a workqueue and executing in process context should be fine considering the callback already does f_midi_do_transmit() under the transmit_lock and thus changes in semantics are ok regarding concurrency - tasklets being serialized against itself. Cc: Takashi Iwai <tiwai@suse.de> Reviewed-by: Takashi Iwai <tiwai@suse.de> Acked-by: Felipe Balbi <balbi@kernel.org> Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Link: https://lore.kernel.org/r/20210111042855.73289-1-dave@stgolabs.net Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-12-10T15:12:23Z Will McVicker willmcvicker@google.com 2020-11-27T14:05:57Z urn:sha1:457a902ba1a73b7720666b21ca038cd19764db18 Needed for SuperSpeed Plus support for f_midi. This allows the gadget to work properly without crashing at SuperSpeed rates. Cc: Felipe Balbi <balbi@kernel.org> Cc: stable <stable@vger.kernel.org> Signed-off-by: Will McVicker <willmcvicker@google.com> Reviewed-by: Peter Chen <peter.chen@nxp.com> Link: https://lore.kernel.org/r/20201127140559.381351-4-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-11-20T15:32:42Z Zhang Qilong zhangqilong3@huawei.com 2020-11-17T02:16:28Z urn:sha1:e7694cb6998379341fd9bf3bd62b48c4e6a79385 In the error path, if midi is not null, we should free the midi->id if necessary to prevent memleak. Fixes: b85e9de9e818d ("usb: gadget: f_midi: convert to new function interface with backward compatibility") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com> Link: https://lore.kernel.org/r/20201117021629.1470544-2-zhangqilong3@huawei.com Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-08-18T11:00:01Z Allen Pais allen.lkml@gmail.com 2020-08-17T09:02:06Z urn:sha1:6148c10f6b62a6df782d26522921f70cc8bf1d7f In preparation for unconditionally passing the struct tasklet_struct pointer to all tasklet callbacks, switch to using the new tasklet_setup() and from_tasklet() to pass the tasklet pointer explicitly. Signed-off-by: Romain Perier <romain.perier@gmail.com> Signed-off-by: Allen Pais <allen.lkml@gmail.com> Link: https://lore.kernel.org/r/20200817090209.26351-5-allen.cryptic@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-06-07T00:27:14Z Linus Torvalds torvalds@linux-foundation.org 2018-06-07T00:27:14Z urn:sha1:285767604576148fc1be7fcd112e4a90eb0d6ad2 Pull overflow updates from Kees Cook: "This adds the new overflow checking helpers and adds them to the 2-factor argument allocators. And this adds the saturating size helpers and does a treewide replacement for the struct_size() usage. Additionally this adds the overflow testing modules to make sure everything works. I'm still working on the treewide replacements for allocators with "simple" multiplied arguments: *alloc(a * b, ...) -> *alloc_array(a, b, ...) and *zalloc(a * b, ...) -> *calloc(a, b, ...) as well as the more complex cases, but that's separable from this portion of the series. I expect to have the rest sent before -rc1 closes; there are a lot of messy cases to clean up. Summary: - Introduce arithmetic overflow test helper functions (Rasmus) - Use overflow helpers in 2-factor allocators (Kees, Rasmus) - Introduce overflow test module (Rasmus, Kees) - Introduce saturating size helper functions (Matthew, Kees) - Treewide use of struct_size() for allocators (Kees)" * tag 'overflow-v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: treewide: Use struct_size() for devm_kmalloc() and friends treewide: Use struct_size() for vmalloc()-family treewide: Use struct_size() for kmalloc()-family device: Use overflow helpers for devm_kmalloc() mm: Use overflow helpers in kvmalloc() mm: Use overflow helpers in kmalloc_array*() test_overflow: Add memory allocation overflow tests overflow.h: Add allocation size calculation helpers test_overflow: Report test failures test_overflow: macrofy some more, do more tests for free lib: add runtime test of check_*_overflow functions compiler.h: enable builtin overflow checkers and add fallback code 2018-06-06T18:15:43Z Kees Cook keescook@chromium.org 2018-05-08T20:45:50Z urn:sha1:acafe7e30216166a17e6e226aadc3ecb63993242 One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with memory for some number of elements for that array. For example: struct foo { int stuff; void *entry[]; }; instance = kmalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL); Instead of leaving these open-coded and prone to type mistakes, we can now use the new struct_size() helper: instance = kmalloc(struct_size(instance, entry, count), GFP_KERNEL); This patch makes the changes for kmalloc()-family (and kvmalloc()-family) uses. It was done via automatic conversion with manual review for the "CHECKME" non-standard cases noted below, using the following Coccinelle script: // pkey_cache = kmalloc(sizeof *pkey_cache + tprops->pkey_tbl_len * // sizeof *pkey_cache->table, GFP_KERNEL); @@ identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc"; expression GFP; identifier VAR, ELEMENT; expression COUNT; @@ - alloc(sizeof(*VAR) + COUNT * sizeof(*VAR->ELEMENT), GFP) + alloc(struct_size(VAR, ELEMENT, COUNT), GFP) // mr = kzalloc(sizeof(*mr) + m * sizeof(mr->map[0]), GFP_KERNEL); @@ identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc"; expression GFP; identifier VAR, ELEMENT; expression COUNT; @@ - alloc(sizeof(*VAR) + COUNT * sizeof(VAR->ELEMENT[0]), GFP) + alloc(struct_size(VAR, ELEMENT, COUNT), GFP) // Same pattern, but can't trivially locate the trailing element name, // or variable name. @@ identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc"; expression GFP; expression SOMETHING, COUNT, ELEMENT; @@ - alloc(sizeof(SOMETHING) + COUNT * sizeof(ELEMENT), GFP) + alloc(CHECKME_struct_size(&SOMETHING, ELEMENT, COUNT), GFP) Signed-off-by: Kees Cook <keescook@chromium.org>