diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-09-24 09:28:51 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-09-24 09:28:51 +0200 |
commit | e4bf226d5b809f2bcb99ac7a46275463d4ceedbf (patch) | |
tree | 84271f5a941c195cc0ba46eaa300b6dae6efb9ee | |
parent | 22f8d670782494f884692314acfcd0cd0ca244e1 (diff) | |
download | queue-3.18-e4bf226d5b809f2bcb99ac7a46275463d4ceedbf.tar.gz |
patches!!!
-rw-r--r-- | hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch | 72 | ||||
-rw-r--r-- | hid-lg-make-transfer-buffers-dma-capable.patch | 56 | ||||
-rw-r--r-- | hid-prodikeys-fix-general-protection-fault-during-probe.patch | 76 | ||||
-rw-r--r-- | mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch | 86 | ||||
-rw-r--r-- | series | 4 |
5 files changed, 294 insertions, 0 deletions
diff --git a/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch b/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch new file mode 100644 index 0000000..ff65400 --- /dev/null +++ b/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch @@ -0,0 +1,72 @@ +From 416dacb819f59180e4d86a5550052033ebb6d72c Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Wed, 21 Aug 2019 13:27:12 -0400 +Subject: HID: hidraw: Fix invalid read in hidraw_ioctl + +From: Alan Stern <stern@rowland.harvard.edu> + +commit 416dacb819f59180e4d86a5550052033ebb6d72c upstream. + +The syzbot fuzzer has reported a pair of problems in the +hidraw_ioctl() function: slab-out-of-bounds read and use-after-free +read. An example of the first: + +BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525 +Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833 + +CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xca/0x13e lib/dump_stack.c:113 + print_address_description+0x6a/0x32c mm/kasan/report.c:351 + __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482 + kasan_report+0xe/0x12 mm/kasan/common.c:612 + strlen+0x79/0x90 lib/string.c:525 + strlen include/linux/string.h:281 [inline] + hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:509 [inline] + do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696 + ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713 + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl fs/ioctl.c:718 [inline] + __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718 + do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x459829 +Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 +48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff +ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829 +RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004 +RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4 +R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff + +The two problems have the same cause: hidraw_ioctl() fails to test +whether the device has been removed. This patch adds the missing test. + +Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +CC: <stable@vger.kernel.org> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/hid/hidraw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -383,7 +383,7 @@ static long hidraw_ioctl(struct file *fi + + mutex_lock(&minors_lock); + dev = hidraw_table[minor]; +- if (!dev) { ++ if (!dev || !dev->exist) { + ret = -ENODEV; + goto out; + } diff --git a/hid-lg-make-transfer-buffers-dma-capable.patch b/hid-lg-make-transfer-buffers-dma-capable.patch new file mode 100644 index 0000000..92fbba7 --- /dev/null +++ b/hid-lg-make-transfer-buffers-dma-capable.patch @@ -0,0 +1,56 @@ +From 061232f0d47fa10103f3efa3e890f002a930d902 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Date: Mon, 21 Nov 2016 11:48:40 +0100 +Subject: HID: lg: make transfer buffers DMA capable + +From: Benjamin Tissoires <benjamin.tissoires@redhat.com> + +commit 061232f0d47fa10103f3efa3e890f002a930d902 upstream. + +Kernel v4.9 strictly enforces DMA capable buffers, so we need to remove +buffers allocated on the stack. + +[jkosina@suse.cz: fix up second usage of hid_hw_raw_request(), spotted by + 0day build bot] +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/hid/hid-lg.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/hid/hid-lg.c ++++ b/drivers/hid/hid-lg.c +@@ -690,11 +690,16 @@ static int lg_probe(struct hid_device *h + + /* Setup wireless link with Logitech Wii wheel */ + if (hdev->product == USB_DEVICE_ID_LOGITECH_WII_WHEEL) { +- unsigned char buf[] = { 0x00, 0xAF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; ++ const unsigned char cbuf[] = { 0x00, 0xAF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; ++ u8 *buf = kmemdup(cbuf, sizeof(cbuf), GFP_KERNEL); + +- ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(buf), +- HID_FEATURE_REPORT, HID_REQ_SET_REPORT); ++ if (!buf) { ++ ret = -ENOMEM; ++ goto err_free; ++ } + ++ ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf), ++ HID_FEATURE_REPORT, HID_REQ_SET_REPORT); + if (ret >= 0) { + /* insert a little delay of 10 jiffies ~ 40ms */ + wait_queue_head_t wait; +@@ -705,9 +710,10 @@ static int lg_probe(struct hid_device *h + buf[1] = 0xB2; + get_random_bytes(&buf[2], 2); + +- ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(buf), ++ ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf), + HID_FEATURE_REPORT, HID_REQ_SET_REPORT); + } ++ kfree(buf); + } + + if (drv_data->quirks & LG_FF) diff --git a/hid-prodikeys-fix-general-protection-fault-during-probe.patch b/hid-prodikeys-fix-general-protection-fault-during-probe.patch new file mode 100644 index 0000000..e0ddc3c --- /dev/null +++ b/hid-prodikeys-fix-general-protection-fault-during-probe.patch @@ -0,0 +1,76 @@ +From 98375b86c79137416e9fd354177b85e768c16e56 Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Wed, 4 Sep 2019 11:54:20 -0400 +Subject: HID: prodikeys: Fix general protection fault during probe + +From: Alan Stern <stern@rowland.harvard.edu> + +commit 98375b86c79137416e9fd354177b85e768c16e56 upstream. + +The syzbot fuzzer provoked a general protection fault in the +hid-prodikeys driver: + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc5+ #28 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +RIP: 0010:pcmidi_submit_output_report drivers/hid/hid-prodikeys.c:300 [inline] +RIP: 0010:pcmidi_set_operational drivers/hid/hid-prodikeys.c:558 [inline] +RIP: 0010:pcmidi_snd_initialise drivers/hid/hid-prodikeys.c:686 [inline] +RIP: 0010:pk_probe+0xb51/0xfd0 drivers/hid/hid-prodikeys.c:836 +Code: 0f 85 50 04 00 00 48 8b 04 24 4c 89 7d 10 48 8b 58 08 e8 b2 53 e4 fc +48 8b 54 24 20 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f +85 13 04 00 00 48 ba 00 00 00 00 00 fc ff df 49 8b + +The problem is caused by the fact that pcmidi_get_output_report() will +return an error if the HID device doesn't provide the right sort of +output report, but pcmidi_set_operational() doesn't bother to check +the return code and assumes the function call always succeeds. + +This patch adds the missing check and aborts the probe operation if +necessary. + +Reported-and-tested-by: syzbot+1088533649dafa1c9004@syzkaller.appspotmail.com +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +CC: <stable@vger.kernel.org> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/hid/hid-prodikeys.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-prodikeys.c ++++ b/drivers/hid/hid-prodikeys.c +@@ -557,10 +557,14 @@ static void pcmidi_setup_extra_keys( + + static int pcmidi_set_operational(struct pcmidi_snd *pm) + { ++ int rc; ++ + if (pm->ifnum != 1) + return 0; /* only set up ONCE for interace 1 */ + +- pcmidi_get_output_report(pm); ++ rc = pcmidi_get_output_report(pm); ++ if (rc < 0) ++ return rc; + pcmidi_submit_output_report(pm, 0xc1); + return 0; + } +@@ -689,7 +693,11 @@ static int pcmidi_snd_initialise(struct + spin_lock_init(&pm->rawmidi_in_lock); + + init_sustain_timers(pm); +- pcmidi_set_operational(pm); ++ err = pcmidi_set_operational(pm); ++ if (err < 0) { ++ pk_error("failed to find output report\n"); ++ goto fail_register; ++ } + + /* register it */ + err = snd_card_register(card); diff --git a/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch b/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch new file mode 100644 index 0000000..b0a2767 --- /dev/null +++ b/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch @@ -0,0 +1,86 @@ +From 37c673ade35c707d50583b5b25091ff8ebdeafd7 Mon Sep 17 00:00:00 2001 +From: Tokunori Ikegami <ikegami.t@gmail.com> +Date: Tue, 6 Aug 2019 04:03:18 +0900 +Subject: mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() + +From: Tokunori Ikegami <ikegami.t@gmail.com> + +commit 37c673ade35c707d50583b5b25091ff8ebdeafd7 upstream. + +As reported by the OpenWRT team, write requests sometimes fail on some +platforms. +Currently to check the state chip_ready() is used correctly as described by +the flash memory S29GL256P11TFI01 datasheet. +Also chip_good() is used to check if the write is succeeded and it was +implemented by the commit fb4a90bfcd6d8 ("[MTD] CFI-0002 - Improve error +checking"). +But actually the write failure is caused on some platforms and also it can +be fixed by using chip_good() to check the state and retry instead. +Also it seems that it is caused after repeated about 1,000 times to retry +the write one word with the reset command. +By using chip_good() to check the state to be done it can be reduced the +retry with reset. +It is depended on the actual flash chip behavior so the root cause is +unknown. + +Cc: Chris Packham <chris.packham@alliedtelesis.co.nz> +Cc: Joakim Tjernlund <Joakim.Tjernlund@infinera.com> +Cc: linux-mtd@lists.infradead.org +Cc: stable@vger.kernel.org +Reported-by: Fabio Bettoni <fbettoni@gmail.com> +Signed-off-by: Felix Fietkau <nbd@nbd.name> +Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> +Signed-off-by: Tokunori Ikegami <ikegami.t@gmail.com> +[vigneshr@ti.com: Fix a checkpatch warning] +Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -1626,29 +1626,35 @@ static int __xipram do_write_oneword(str + continue; + } + +- if (time_after(jiffies, timeo) && !chip_ready(map, adr)){ ++ /* ++ * We check "time_after" and "!chip_good" before checking ++ * "chip_good" to avoid the failure due to scheduling. ++ */ ++ if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) { + xip_enable(map, chip, adr); + printk(KERN_WARNING "MTD %s(): software timeout\n", __func__); + xip_disable(map, chip, adr); ++ ret = -EIO; + break; + } + +- if (chip_ready(map, adr)) ++ if (chip_good(map, adr, datum)) + break; + + /* Latency issues. Drop the lock, wait a while and retry */ + UDELAY(map, chip, adr, 1); + } ++ + /* Did we succeed? */ +- if (!chip_good(map, adr, datum)) { ++ if (ret) { + /* reset on all failures. */ + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- if (++retry_cnt <= MAX_RETRIES) ++ if (++retry_cnt <= MAX_RETRIES) { ++ ret = 0; + goto retry; +- +- ret = -EIO; ++ } + } + xip_enable(map, chip, adr); + op_done: @@ -0,0 +1,4 @@ +hid-prodikeys-fix-general-protection-fault-during-probe.patch +hid-lg-make-transfer-buffers-dma-capable.patch +hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch +mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch |