authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-23 14:11:20 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-23 14:11:20 +0200
commit87e6ef12a4195a4ed08169adc96486ab26e258f3 (patch)
treedc5d571410caefb229c38bcc516d0ec0e0581c07
parent9e7c44d8cc47a45cca718bf6add5acefea9d546b (diff)
downloadstable-queue-87e6ef12a4195a4ed08169adc96486ab26e258f3.tar.gz
5.4-stable patches
added patches: binder-check-offset-alignment-in-binder_get_object.patch comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
-rw-r--r--queue-5.4/binder-check-offset-alignment-in-binder_get_object.patch46
-rw-r--r--queue-5.4/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch98
-rw-r--r--queue-5.4/series2
3 files changed, 146 insertions, 0 deletions
diff --git a/queue-5.4/binder-check-offset-alignment-in-binder_get_object.patch b/queue-5.4/binder-check-offset-alignment-in-binder_get_object.patch
new file mode 100644
index 0000000000..5816a2eecf
--- /dev/null
+++ b/queue-5.4/binder-check-offset-alignment-in-binder_get_object.patch
@@ -0,0 +1,46 @@
+From aaef73821a3b0194a01bd23ca77774f704a04d40 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Sat, 30 Mar 2024 19:01:14 +0000
+Subject: binder: check offset alignment in binder_get_object()
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit aaef73821a3b0194a01bd23ca77774f704a04d40 upstream.
+
+Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
+txn") introduced changes to how binder objects are copied. In doing so,
+it unintentionally removed an offset alignment check done through calls
+to binder_alloc_copy_from_buffer() -> check_buffer().
+
+These calls were replaced in binder_get_object() with copy_from_user(),
+so now an explicit offset alignment check is needed here. This avoids
+later complications when unwinding the objects gets harder.
+
+It is worth noting this check existed prior to commit 7a67a39320df
+("binder: add function to copy binder object from buffer"), likely
+removed due to redundancy at the time.
+
+Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
+Cc: stable@vger.kernel.org
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Acked-by: Todd Kjos <tkjos@google.com>
+Link: https://lore.kernel.org/r/20240330190115.1877819-1-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2047,8 +2047,10 @@ static size_t binder_get_object(struct b
+ size_t object_size = 0;
+
+ read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
+- if (offset > buffer->data_size || read_size < sizeof(*hdr))
++ if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
++ !IS_ALIGNED(offset, sizeof(u32)))
+ return 0;
++
+ if (u) {
+ if (copy_from_user(object, u + offset, read_size))
+ return 0;
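Review bot: The new alignment clause at lines 63-64 carries no comment saying why u32 alignment is required, and the patch description itself notes this same check was dropped once before as apparently redundant, so an inline why-comment is worth adding to stop that happening a third time, e.g. `/* Objects must be u32-aligned: an unaligned offset cannot be unwound safely later (see 6d98eb95b450). */` placed above the `if`. Note also that `read_size` is derived from `buffer->data_size - offset` one line before `offset > buffer->data_size` is tested; on size_t the subtraction wraps rather than traps and the following check rejects that case, so the ordering is correct, but a short comment on that line would spare the next reader the same analysis. binder_get_object() begins and ends outside the hunk.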
diff --git a/queue-5.4/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch b/queue-5.4/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
new file mode 100644
index 0000000000..b6d74efedc
--- /dev/null
+++ b/queue-5.4/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
@@ -0,0 +1,98 @@
+From d1718530e3f640b7d5f0050e725216eab57a85d8 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Mon, 8 Apr 2024 10:16:33 -0700
+Subject: comedi: vmk80xx: fix incomplete endpoint checking
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit d1718530e3f640b7d5f0050e725216eab57a85d8 upstream.
+
+While vmk80xx does have endpoint checking implemented, some things
+can fall through the cracks. Depending on the hardware model,
+URBs can have either bulk or interrupt type, and current version
+of vmk80xx_find_usb_endpoints() function does not take that fully
+into account. While this warning does not seem to be too harmful,
+at the very least it will crash systems with 'panic_on_warn' set on
+them.
+
+Fix the issue found by Syzkaller [1] by somewhat simplifying the
+endpoint checking process with usb_find_common_endpoints() and
+ensuring that only expected endpoint types are present.
+
+This patch has not been tested on real hardware.
+
+[1] Syzkaller report:
+usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
+...
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
+ vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]
+ vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818
+ comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067
+ usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
+...
+
+Similar issue also found by Syzkaller:
+Link: https://syzkaller.appspot.com/bug?extid=5205eb2f17de3e01946e
+
+Reported-and-tested-by: syzbot+5f29dc6a889fc42bd896@syzkaller.appspotmail.com
+Cc: stable <stable@kernel.org>
+Fixes: 49253d542cc0 ("staging: comedi: vmk80xx: factor out usb endpoint detection")
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://lore.kernel.org/r/20240408171633.31649-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/vmk80xx.c | 35 ++++++++++---------------------
+ 1 file changed, 12 insertions(+), 23 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -642,33 +642,22 @@ static int vmk80xx_find_usb_endpoints(st
+ struct vmk80xx_private *devpriv = dev->private;
+ struct usb_interface *intf = comedi_to_usb_interface(dev);
+ struct usb_host_interface *iface_desc = intf->cur_altsetting;
+- struct usb_endpoint_descriptor *ep_desc;
+- int i;
++ struct usb_endpoint_descriptor *ep_rx_desc, *ep_tx_desc;
++ int ret;
+
+- if (iface_desc->desc.bNumEndpoints != 2)
+- return -ENODEV;
+-
+- for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
+- ep_desc = &iface_desc->endpoint[i].desc;
+-
+- if (usb_endpoint_is_int_in(ep_desc) ||
+- usb_endpoint_is_bulk_in(ep_desc)) {
+- if (!devpriv->ep_rx)
+- devpriv->ep_rx = ep_desc;
+- continue;
+- }
++ if (devpriv->model == VMK8061_MODEL)
++ ret = usb_find_common_endpoints(iface_desc, &ep_rx_desc,
++ &ep_tx_desc, NULL, NULL);
++ else
++ ret = usb_find_common_endpoints(iface_desc, NULL, NULL,
++ &ep_rx_desc, &ep_tx_desc);
+
+- if (usb_endpoint_is_int_out(ep_desc) ||
+- usb_endpoint_is_bulk_out(ep_desc)) {
+- if (!devpriv->ep_tx)
+- devpriv->ep_tx = ep_desc;
+- continue;
+- }
+- }
+-
+- if (!devpriv->ep_rx || !devpriv->ep_tx)
++ if (ret)
+ return -ENODEV;
+
++ devpriv->ep_rx = ep_rx_desc;
++ devpriv->ep_tx = ep_tx_desc;
++
+ if (!usb_endpoint_maxp(devpriv->ep_rx) || !usb_endpoint_maxp(devpriv->ep_tx))
+ return -EINVAL;
+
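Review bot: The rewritten lookup drops the old `bNumEndpoints != 2` guard (removed lines 137-138), so an interface that exposes additional endpoints is now accepted as long as usb_find_common_endpoints() finds one IN and one OUT of the expected type; that is presumably the intent, but nothing in the new code records the relaxation. The model-to-transfer-type mapping at lines 149-154 also deserves a comment, since only the commit message explains that the endpoint type must match the pipe type the driver later submits URBs on (the quoted syzkaller trace shows usb_submit_urb() warning on the mismatch); something like `/* VMK8061 uses bulk endpoints, other models interrupt ones; the type must match the pipe used for URB submission or usb_submit_urb() warns. */` above the `if`. Collapsing any non-zero `ret` to -ENODEV at lines 165-166 matches the original failure value, so callers see no change. vmk80xx_find_usb_endpoints() begins and ends outside the hunk.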
diff --git a/queue-5.4/series b/queue-5.4/series
index 8596d3d13c..9e9fc83f12 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -33,3 +33,5 @@ clk-print-an-info-line-before-disabling-unused-clock.patch
clk-initialize-struct-clk_core-kref-earlier.patch
clk-get-runtime-pm-before-walking-tree-during-disabl.patch
x86-cpufeatures-fix-dependencies-for-gfni-vaes-and-v.patch
+binder-check-offset-alignment-in-binder_get_object.patch
+comedi-vmk80xx-fix-incomplete-endpoint-checking.patch