patches!!!

5 files changed, 294 insertions, 0 deletions

diff --git a/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch b/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch
new file mode 100644
index 0000000..ff65400
--- /dev/null
+++ b/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch
@@ -0,0 +1,72 @@
+From 416dacb819f59180e4d86a5550052033ebb6d72c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 21 Aug 2019 13:27:12 -0400
+Subject: HID: hidraw: Fix invalid read in hidraw_ioctl
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 416dacb819f59180e4d86a5550052033ebb6d72c upstream.
+
+The syzbot fuzzer has reported a pair of problems in the
+hidraw_ioctl() function: slab-out-of-bounds read and use-after-free
+read.  An example of the first:
+
+BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
+Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833
+
+CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+  __dump_stack lib/dump_stack.c:77 [inline]
+  dump_stack+0xca/0x13e lib/dump_stack.c:113
+  print_address_description+0x6a/0x32c mm/kasan/report.c:351
+  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
+  kasan_report+0xe/0x12 mm/kasan/common.c:612
+  strlen+0x79/0x90 lib/string.c:525
+  strlen include/linux/string.h:281 [inline]
+  hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
+  vfs_ioctl fs/ioctl.c:46 [inline]
+  file_ioctl fs/ioctl.c:509 [inline]
+  do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
+  ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
+  __do_sys_ioctl fs/ioctl.c:720 [inline]
+  __se_sys_ioctl fs/ioctl.c:718 [inline]
+  __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
+  do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x459829
+Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
+48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
+RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4
+R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff
+
+The two problems have the same cause: hidraw_ioctl() fails to test
+whether the device has been removed.  This patch adds the missing test.
+
+Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hidraw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -383,7 +383,7 @@ static long hidraw_ioctl(struct file *fi
+ 
+ 	mutex_lock(&minors_lock);
+ 	dev = hidraw_table[minor];
+-	if (!dev) {
++	if (!dev || !dev->exist) {
+ 		ret = -ENODEV;
+ 		goto out;
+ 	}
diff --git a/hid-lg-make-transfer-buffers-dma-capable.patch b/hid-lg-make-transfer-buffers-dma-capable.patch
new file mode 100644
index 0000000..92fbba7
--- /dev/null
+++ b/hid-lg-make-transfer-buffers-dma-capable.patch
@@ -0,0 +1,56 @@
+From 061232f0d47fa10103f3efa3e890f002a930d902 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 21 Nov 2016 11:48:40 +0100
+Subject: HID: lg: make transfer buffers DMA capable
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 061232f0d47fa10103f3efa3e890f002a930d902 upstream.
+
+Kernel v4.9 strictly enforces DMA capable buffers, so we need to remove
+buffers allocated on the stack.
+
+[jkosina@suse.cz: fix up second usage of hid_hw_raw_request(), spotted by
+ 0day build bot]
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-lg.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-lg.c
++++ b/drivers/hid/hid-lg.c
+@@ -690,11 +690,16 @@ static int lg_probe(struct hid_device *h
+ 
+ 	/* Setup wireless link with Logitech Wii wheel */
+ 	if (hdev->product == USB_DEVICE_ID_LOGITECH_WII_WHEEL) {
+-		unsigned char buf[] = { 0x00, 0xAF,  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
++		const unsigned char cbuf[] = { 0x00, 0xAF,  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
++		u8 *buf = kmemdup(cbuf, sizeof(cbuf), GFP_KERNEL);
+ 
+-		ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(buf),
+-					HID_FEATURE_REPORT, HID_REQ_SET_REPORT);
++		if (!buf) {
++			ret = -ENOMEM;
++			goto err_free;
++		}
+ 
++		ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf),
++					HID_FEATURE_REPORT, HID_REQ_SET_REPORT);
+ 		if (ret >= 0) {
+ 			/* insert a little delay of 10 jiffies ~ 40ms */
+ 			wait_queue_head_t wait;
+@@ -705,9 +710,10 @@ static int lg_probe(struct hid_device *h
+ 			buf[1] = 0xB2;
+ 			get_random_bytes(&buf[2], 2);
+ 
+-			ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(buf),
++			ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf),
+ 					HID_FEATURE_REPORT, HID_REQ_SET_REPORT);
+ 		}
++		kfree(buf);
+ 	}
+ 
+ 	if (drv_data->quirks & LG_FF)
diff --git a/hid-prodikeys-fix-general-protection-fault-during-probe.patch b/hid-prodikeys-fix-general-protection-fault-during-probe.patch
new file mode 100644
index 0000000..e0ddc3c
--- /dev/null
+++ b/hid-prodikeys-fix-general-protection-fault-during-probe.patch
@@ -0,0 +1,76 @@
+From 98375b86c79137416e9fd354177b85e768c16e56 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 4 Sep 2019 11:54:20 -0400
+Subject: HID: prodikeys: Fix general protection fault during probe
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 98375b86c79137416e9fd354177b85e768c16e56 upstream.
+
+The syzbot fuzzer provoked a general protection fault in the
+hid-prodikeys driver:
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN
+CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc5+ #28
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+RIP: 0010:pcmidi_submit_output_report drivers/hid/hid-prodikeys.c:300  [inline]
+RIP: 0010:pcmidi_set_operational drivers/hid/hid-prodikeys.c:558 [inline]
+RIP: 0010:pcmidi_snd_initialise drivers/hid/hid-prodikeys.c:686 [inline]
+RIP: 0010:pk_probe+0xb51/0xfd0 drivers/hid/hid-prodikeys.c:836
+Code: 0f 85 50 04 00 00 48 8b 04 24 4c 89 7d 10 48 8b 58 08 e8 b2 53 e4 fc
+48 8b 54 24 20 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f
+85 13 04 00 00 48 ba 00 00 00 00 00 fc ff df 49 8b
+
+The problem is caused by the fact that pcmidi_get_output_report() will
+return an error if the HID device doesn't provide the right sort of
+output report, but pcmidi_set_operational() doesn't bother to check
+the return code and assumes the function call always succeeds.
+
+This patch adds the missing check and aborts the probe operation if
+necessary.
+
+Reported-and-tested-by: syzbot+1088533649dafa1c9004@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-prodikeys.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-prodikeys.c
++++ b/drivers/hid/hid-prodikeys.c
+@@ -557,10 +557,14 @@ static void pcmidi_setup_extra_keys(
+ 
+ static int pcmidi_set_operational(struct pcmidi_snd *pm)
+ {
++	int rc;
++
+ 	if (pm->ifnum != 1)
+ 		return 0; /* only set up ONCE for interace 1 */
+ 
+-	pcmidi_get_output_report(pm);
++	rc = pcmidi_get_output_report(pm);
++	if (rc < 0)
++		return rc;
+ 	pcmidi_submit_output_report(pm, 0xc1);
+ 	return 0;
+ }
+@@ -689,7 +693,11 @@ static int pcmidi_snd_initialise(struct
+ 	spin_lock_init(&pm->rawmidi_in_lock);
+ 
+ 	init_sustain_timers(pm);
+-	pcmidi_set_operational(pm);
++	err = pcmidi_set_operational(pm);
++	if (err < 0) {
++		pk_error("failed to find output report\n");
++		goto fail_register;
++	}
+ 
+ 	/* register it */
+ 	err = snd_card_register(card);
diff --git a/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch b/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch
new file mode 100644
index 0000000..b0a2767
--- /dev/null
+++ b/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch
@@ -0,0 +1,86 @@
+From 37c673ade35c707d50583b5b25091ff8ebdeafd7 Mon Sep 17 00:00:00 2001
+From: Tokunori Ikegami <ikegami.t@gmail.com>
+Date: Tue, 6 Aug 2019 04:03:18 +0900
+Subject: mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword()
+
+From: Tokunori Ikegami <ikegami.t@gmail.com>
+
+commit 37c673ade35c707d50583b5b25091ff8ebdeafd7 upstream.
+
+As reported by the OpenWRT team, write requests sometimes fail on some
+platforms.
+Currently to check the state chip_ready() is used correctly as described by
+the flash memory S29GL256P11TFI01 datasheet.
+Also chip_good() is used to check if the write is succeeded and it was
+implemented by the commit fb4a90bfcd6d8 ("[MTD] CFI-0002 - Improve error
+checking").
+But actually the write failure is caused on some platforms and also it can
+be fixed by using chip_good() to check the state and retry instead.
+Also it seems that it is caused after repeated about 1,000 times to retry
+the write one word with the reset command.
+By using chip_good() to check the state to be done it can be reduced the
+retry with reset.
+It is depended on the actual flash chip behavior so the root cause is
+unknown.
+
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Cc: linux-mtd@lists.infradead.org
+Cc: stable@vger.kernel.org
+Reported-by: Fabio Bettoni <fbettoni@gmail.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Tokunori Ikegami <ikegami.t@gmail.com>
+[vigneshr@ti.com: Fix a checkpatch warning]
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -1626,29 +1626,35 @@ static int __xipram do_write_oneword(str
+ 			continue;
+ 		}
+ 
+-		if (time_after(jiffies, timeo) && !chip_ready(map, adr)){
++		/*
++		 * We check "time_after" and "!chip_good" before checking
++		 * "chip_good" to avoid the failure due to scheduling.
++		 */
++		if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) {
+ 			xip_enable(map, chip, adr);
+ 			printk(KERN_WARNING "MTD %s(): software timeout\n", __func__);
+ 			xip_disable(map, chip, adr);
++			ret = -EIO;
+ 			break;
+ 		}
+ 
+-		if (chip_ready(map, adr))
++		if (chip_good(map, adr, datum))
+ 			break;
+ 
+ 		/* Latency issues. Drop the lock, wait a while and retry */
+ 		UDELAY(map, chip, adr, 1);
+ 	}
++
+ 	/* Did we succeed? */
+-	if (!chip_good(map, adr, datum)) {
++	if (ret) {
+ 		/* reset on all failures. */
+ 		map_write( map, CMD(0xF0), chip->start );
+ 		/* FIXME - should have reset delay before continuing */
+ 
+-		if (++retry_cnt <= MAX_RETRIES)
++		if (++retry_cnt <= MAX_RETRIES) {
++			ret = 0;
+ 			goto retry;
+-
+-		ret = -EIO;
++		}
+ 	}
+ 	xip_enable(map, chip, adr);
+  op_done:
diff --git a/series b/series
index e69de29..cb34f98 100644
--- a/series
+++ b/series
@@ -0,0 +1,4 @@
+hid-prodikeys-fix-general-protection-fault-during-probe.patch
+hid-lg-make-transfer-buffers-dma-capable.patch
+hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch
+mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch