--- /dev/null
+From c2d22806aecb24e2de55c30a06e5d6eb297d161d Mon Sep 17 00:00:00 2001
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+Date: Sun, 25 Jun 2023 00:16:49 +0800
+Subject: fbdev: fix potential OOB read in fast_imageblit()
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+commit c2d22806aecb24e2de55c30a06e5d6eb297d161d upstream.
+
+There is a potential OOB read at fast_imageblit, for
+"colortab[(*src >> 4)]" can become a negative value due to
+"const char *s = image->data, *src".
+This change makes sure the index for colortab always positive
+or zero.
+
+Similar commit:
+https://patchwork.kernel.org/patch/11746067
+
+Potential bug report:
+https://groups.google.com/g/syzkaller-bugs/c/9ubBXKeKXf4/m/k-QXy4UgAAAJ
+
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/sysimgblt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/sysimgblt.c
++++ b/drivers/video/fbdev/core/sysimgblt.c
+@@ -189,7 +189,7 @@ static void fast_imageblit(const struct
+ u32 fgx = fgcolor, bgx = bgcolor, bpp = p->var.bits_per_pixel;
+ u32 ppw = 32/bpp, spitch = (image->width + 7)/8;
+ u32 bit_mask, eorx, shift;
+- const char *s = image->data, *src;
++ const u8 *s = image->data, *src;
+ u32 *dst;
+ const u32 *tab;
+ size_t tablen;
--- /dev/null
+From 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b Mon Sep 17 00:00:00 2001
+From: Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
+Date: Wed, 21 Jun 2023 13:17:43 +0200
+Subject: HID: hidraw: fix data race on device refcount
+
+From: Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
+
+commit 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b upstream.
+
+The hidraw_open() function increments the hidraw device reference
+counter. The counter has no dedicated synchronization mechanism,
+resulting in a potential data race when concurrently opening a device.
+
+The race is a regression introduced by commit 8590222e4b02 ("HID:
+hidraw: Replace hidraw device table mutex with a rwsem"). While
+minors_rwsem is intended to protect the hidraw_table itself, by instead
+acquiring the lock for writing, the reference counter is also protected.
+This is symmetrical to hidraw_release().
+
+Link: https://github.com/systemd/systemd/issues/27947
+Fixes: 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
+Link: https://lore.kernel.org/r/20230621-hidraw-race-v1-1-a58e6ac69bab@yubico.com
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hidraw.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -272,7 +272,12 @@ static int hidraw_open(struct inode *ino
+ goto out;
+ }
+
+- down_read(&minors_rwsem);
++ /*
++ * Technically not writing to the hidraw_table but a write lock is
++ * required to protect the device refcount. This is symmetrical to
++ * hidraw_release().
++ */
++ down_write(&minors_rwsem);
+ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
+ err = -ENODEV;
+ goto out_unlock;
+@@ -301,7 +306,7 @@ static int hidraw_open(struct inode *ino
+ spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
+ file->private_data = list;
+ out_unlock:
+- up_read(&minors_rwsem);
++ up_write(&minors_rwsem);
+ out:
+ if (err < 0)
+ kfree(list);
--- /dev/null
+From 5fe251112646d8626818ea90f7af325bab243efa Mon Sep 17 00:00:00 2001
+From: Mike Hommey <mh@glandium.org>
+Date: Sun, 18 Jun 2023 08:09:57 +0900
+Subject: HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651.
+
+From: Mike Hommey <mh@glandium.org>
+
+commit 5fe251112646d8626818ea90f7af325bab243efa upstream.
+
+commit 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if
+not necessary") put restarting communication behind that flag, and this
+was apparently necessary on the T651, but the flag was not set for it.
+
+Fixes: 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if not necessary")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Hommey <mh@glandium.org>
+Link: https://lore.kernel.org/r/20230617230957.6mx73th4blv7owqk@glandium.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -4348,7 +4348,7 @@ static const struct hid_device_id hidpp_
+ { /* wireless touchpad T651 */
+ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH,
+ USB_DEVICE_ID_LOGITECH_T651),
+- .driver_data = HIDPP_QUIRK_CLASS_WTP },
++ .driver_data = HIDPP_QUIRK_CLASS_WTP | HIDPP_QUIRK_DELAYED_INIT },
+ { /* Mouse Logitech Anywhere MX */
+ LDJ_DEVICE(0x1017), .driver_data = HIDPP_QUIRK_HI_RES_SCROLL_1P0 },
+ { /* Mouse logitech M560 */
--- /dev/null
+From 9a6c0e28e215535b2938c61ded54603b4e5814c5 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Thu, 8 Jun 2023 14:38:28 -0700
+Subject: HID: wacom: Use ktime_t rather than int when dealing with timestamps
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+commit 9a6c0e28e215535b2938c61ded54603b4e5814c5 upstream.
+
+Code which interacts with timestamps needs to use the ktime_t type
+returned by functions like ktime_get. The int type does not offer
+enough space to store these values, and attempting to use it is a
+recipe for problems. In this particular case, overflows would occur
+when calculating/storing timestamps leading to incorrect values being
+reported to userspace. In some cases these bad timestamps cause input
+handling in userspace to appear hung.
+
+Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/901
+Fixes: 17d793f3ed53 ("HID: wacom: insert timestamp to packed Bluetooth (BT) events")
+CC: stable@vger.kernel.org
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20230608213828.2108-1-jason.gerecke@wacom.com
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c | 6 +++---
+ drivers/hid/wacom_wac.h | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1309,7 +1309,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ struct input_dev *pen_input = wacom->pen_input;
+ unsigned char *data = wacom->data;
+ int number_of_valid_frames = 0;
+- int time_interval = 15000000;
++ ktime_t time_interval = 15000000;
+ ktime_t time_packet_received = ktime_get();
+ int i;
+
+@@ -1343,7 +1343,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ if (number_of_valid_frames) {
+ if (wacom->hid_data.time_delayed)
+ time_interval = ktime_get() - wacom->hid_data.time_delayed;
+- time_interval /= number_of_valid_frames;
++ time_interval = div_u64(time_interval, number_of_valid_frames);
+ wacom->hid_data.time_delayed = time_packet_received;
+ }
+
+@@ -1354,7 +1354,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ bool range = frame[0] & 0x20;
+ bool invert = frame[0] & 0x10;
+ int frames_number_reversed = number_of_valid_frames - i - 1;
+- int event_timestamp = time_packet_received - frames_number_reversed * time_interval;
++ ktime_t event_timestamp = time_packet_received - frames_number_reversed * time_interval;
+
+ if (!valid)
+ continue;
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -324,7 +324,7 @@ struct hid_data {
+ int ps_connected;
+ bool pad_input_event_flag;
+ unsigned short sequence_number;
+- int time_delayed;
++ ktime_t time_delayed;
+ };
+
+ struct wacom_remote_data {
if (!vma_permits_fault(vma, fault_flags))
--- a/mm/memory.c
+++ b/mm/memory.c
-@@ -5352,7 +5352,7 @@ struct vm_area_struct *lock_mm_and_find_
+@@ -5364,7 +5364,7 @@ struct vm_area_struct *lock_mm_and_find_
goto fail;
}
goto fail;
success:
-@@ -5636,6 +5636,14 @@ int __access_remote_vm(struct mm_struct
+@@ -5648,6 +5648,14 @@ int __access_remote_vm(struct mm_struct
if (mmap_read_lock_killable(mm))
return 0;
endmenu
--- a/mm/memory.c
+++ b/mm/memory.c
-@@ -5246,6 +5246,127 @@ vm_fault_t handle_mm_fault(struct vm_are
+@@ -5258,6 +5258,127 @@ vm_fault_t handle_mm_fault(struct vm_are
}
EXPORT_SYMBOL_GPL(handle_mm_fault);
int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr,
--- a/mm/memory.c
+++ b/mm/memory.c
-@@ -5352,7 +5352,7 @@ struct vm_area_struct *lock_mm_and_find_
+@@ -5364,7 +5364,7 @@ struct vm_area_struct *lock_mm_and_find_
goto fail;
}
--- a/mm/memory.c
+++ b/mm/memory.c
-@@ -5263,8 +5263,7 @@ static inline bool get_mmap_lock_careful
+@@ -5275,8 +5275,7 @@ static inline bool get_mmap_lock_careful
return false;
}
}
static inline bool mmap_upgrade_trylock(struct mm_struct *mm)
-@@ -5288,8 +5287,7 @@ static inline bool upgrade_mmap_lock_car
+@@ -5300,8 +5299,7 @@ static inline bool upgrade_mmap_lock_car
if (!search_exception_tables(ip))
return false;
}
mm-make-find_extend_vma-fail-if-write-lock-not-held.patch
execve-expand-new-process-stack-manually-ahead-of-time.patch
mm-always-expand-the-stack-with-the-mmap-write-lock-held.patch
+fbdev-fix-potential-oob-read-in-fast_imageblit.patch
+hid-hidraw-fix-data-race-on-device-refcount.patch
+hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
+hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
