From b01f49678c717e25a1249c3a0c8351835d30e289 Mon Sep 17 00:00:00 2001
From: android-t1
Date: Fri, 6 May 2022 11:09:36 +0800
Subject: [PATCH 1/3] Integrate security patch 2022-05-05-CVE-2021-22600
Change-Id: I679a8ffe4f012a0167935b6db9f5555bad9dcd5c
---
 net/packet/af_packet.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index fe39290bc276..90f870bdf432 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4437,9 +4437,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 }
 out_free_pg_vec:
- bitmap_free(rx_owner_map);
- if (pg_vec)
+ if (pg_vec) {
+ bitmap_free(rx_owner_map);
 free_pg_vec(pg_vec, order, req->tp_block_nr);
+ }
 out:
 return err;
 }
-- 
GitLab
From 7d88aea860ea6d6552422522b1041f6ffabf2d24 Mon Sep 17 00:00:00 2001
From: android-t1
Date: Fri, 6 May 2022 11:10:10 +0800
Subject: [PATCH 2/3] Integrate security patch 2022-05-05-CVE-2022-20008
Change-Id: I4759515cb2ab63895d2c5a826f052725342cbc02
---
 drivers/mmc/core/block.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
index bcb83a1ca9e9..6b2f231c1ead 100644
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
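Review bot: In net/packet/af_packet.c, the `out_free_pg_vec:` path now frees `rx_owner_map` only inside `if (pg_vec)`, but nothing in the code says why the two are tied together, so a later cleanup could easily hoist `bitmap_free()` back out of the guard. A comment above the `if` would keep the invariant visible, for example `/* rx_owner_map is only valid together with pg_vec; freeing it when pg_vec is NULL risks a double free */`. That wording is inferred from the CVE named in the subject and from the shape of the change. The rest of packet_set_ring(), including where the two pointers are assigned, lies outside the hunk and should be checked before the comment is committed.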
@@ -1718,31 +1718,31 @@ static void mmc_blk_read_single(struct mmc_queue *mq, struct request *req)
 struct mmc_card *card = mq->card;
 struct mmc_host *host = card->host;
 blk_status_t error = BLK_STS_OK;
- int retries = 0;
 do {
 u32 status;
 int err;
+ int retries = 0;
- mmc_blk_rw_rq_prep(mqrq, card, 1, mq);
+ while (retries++ <= MMC_READ_SINGLE_RETRIES) {
+ mmc_blk_rw_rq_prep(mqrq, card, 1, mq);
- mmc_wait_for_req(host, mrq);
+ mmc_wait_for_req(host, mrq);
 err = mmc_send_status(card, &status);
- if (err)
- goto error_exit;
-
- if (!mmc_host_is_spi(host) &&
- !mmc_blk_in_tran_state(status)) {
- err = mmc_blk_fix_state(card, req);
 if (err)
 goto error_exit;
- }
- if (mrq->cmd->error && retries++ < MMC_READ_SINGLE_RETRIES)
- continue;
+ if (!mmc_host_is_spi(host) &&
+ !mmc_blk_in_tran_state(status)) {
+ err = mmc_blk_fix_state(card, req);
+ if (err)
+ goto error_exit;
+ }
- retries = 0;
+ if (!mrq->cmd->error)
+ break;
+ }
 if (mrq->cmd->error || mrq->data->error ||
-- 
GitLab
From bcdf0c02164460ee3ba6329a1e1789390d98c077 Mon Sep 17 00:00:00 2001
From: android-t1
Date: Fri, 6 May 2022 11:10:47 +0800
Subject: [PATCH 3/3] Integrate security patch 2022-05-05-CVE-2022-20009
Change-Id: Ic6c9ab45bd42d190ef38d791e5fca664ab02f49e
---
 drivers/usb/gadget/composite.c | 3 +++
 drivers/usb/gadget/function/rndis.c | 9 ++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 25fd3acbecee..905252a7cf5f 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2062,6 +2062,9 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
 if (w_index != 0x5 || (w_value >> 8))
 break;
 interface = w_value & 0xFF;
+ if (interface >= MAX_CONFIG_INTERFACES ||
+ !os_desc_cfg->interface[interface])
+ break;
 buf[6] = w_index;
 count = count_ext_prop(os_desc_cfg, interface);
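Review bot: The retry bound `while (retries++ <= MMC_READ_SINGLE_RETRIES)` in mmc_blk_read_single() is easy to miscount, because the post-increment sits inside a `<=` test; it yields MMC_READ_SINGLE_RETRIES + 1 attempts per sector. Writing it as `for (retries = 0; retries <= MMC_READ_SINGLE_RETRIES; retries++) {` keeps the same count and states it directly. The loop would also benefit from a comment such as `/* retry in place: 'continue' would evaluate the outer loop condition and move on without a successful read */`. That reasoning is inferred, since the `do` loop's condition and the rest of the function lie outside the hunk.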
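Review bot: The new check in composite_setup() has no comment saying that `interface` is the low byte of the host-supplied wValue, which is why it can reach 255 while the array is presumably sized by MAX_CONFIG_INTERFACES. I would add `/* interface comes from the host (wValue & 0xFF): reject indexes past the table or with no function bound */` above the `if`. The rejected request leaves through a bare `break`, and what the host then sees is decided by code outside the hunk. It is worth confirming that this path ends in a stall rather than a success reply.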
diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
index f1d3113698b8..006aa43eb4a9 100644
--- a/drivers/usb/gadget/function/rndis.c
+++ b/drivers/usb/gadget/function/rndis.c
@@ -633,14 +633,17 @@ static int rndis_set_response(struct rndis_params *params,
 rndis_set_cmplt_type *resp;
 rndis_resp_t *r;
+ BufLength = le32_to_cpu(buf->InformationBufferLength);
+ BufOffset = le32_to_cpu(buf->InformationBufferOffset);
+ if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
+ (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
+ return -EINVAL;
+
 r = rndis_add_response(params, sizeof(rndis_set_cmplt_type));
 if (!r)
 return -ENOMEM;
 resp = (rndis_set_cmplt_type *)r->buf;
- BufLength = le32_to_cpu(buf->InformationBufferLength);
- BufOffset = le32_to_cpu(buf->InformationBufferOffset);
-
 #ifdef VERBOSE_DEBUG
 pr_debug("%s: Length: %d\n", __func__, BufLength);
 pr_debug("%s: Offset: %d\n", __func__, BufOffset);
-- 
GitLab
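Review bot: The offset test `(BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)` in rndis_set_response() can be defeated by wraparound. If BufOffset is a 32-bit unsigned value (its declaration is outside the hunk, but it is filled from `le32_to_cpu()`), an offset within 8 of the type's maximum wraps to a small number and passes. Bounding the offset before the addition closes that, by adding `(BufOffset > RNDIS_MAX_TOTAL_SIZE) ||` as a condition ahead of the `+ 8` test. Length and offset are also each compared only with the constant, not with the size of the message actually received, so the code after the hunk or the caller still has to keep `BufOffset + 8 + BufLength` inside the buffer.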