--- /dev/null
+From 3111491fca4f01764e0c158c5e0f7ced808eef51 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 11:59:32 -0800
+Subject: Input: aiptek - fix endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3111491fca4f01764e0c158c5e0f7ced808eef51 upstream.
+
+The driver was checking the number of endpoints of the first alternate
+setting instead of the current one, something which could lead to the
+driver binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/aiptek.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/tablet/aiptek.c
++++ b/drivers/input/tablet/aiptek.c
+@@ -1802,14 +1802,14 @@ aiptek_probe(struct usb_interface *intf,
+ input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+
+ /* Verify that a device really has an endpoint */
+- if (intf->altsetting[0].desc.bNumEndpoints < 1) {
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+ dev_err(&intf->dev,
+ "interface has %d endpoints, but must have minimum 1\n",
+- intf->altsetting[0].desc.bNumEndpoints);
++ intf->cur_altsetting->desc.bNumEndpoints);
+ err = -EINVAL;
+ goto fail3;
+ }
+- endpoint = &intf->altsetting[0].endpoint[0].desc;
++ endpoint = &intf->cur_altsetting->endpoint[0].desc;
+
+ /* Go set up our URB, which is called when the tablet receives
+ * input.
--- /dev/null
+From a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 12:00:18 -0800
+Subject: Input: gtco - fix endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream.
+
+The driver was checking the number of endpoints of the first alternate
+setting instead of the current one, something which could lead to the
+driver binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/gtco.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interfa
+ }
+
+ /* Sanity check that a device has an endpoint */
+- if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++ if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) {
+ dev_err(&usbinterface->dev,
+ "Invalid number of endpoints\n");
+ error = -EINVAL;
+ goto err_free_urb;
+ }
+
+- /*
+- * The endpoint is always altsetting 0, we know this since we know
+- * this device only has one interrupt endpoint
+- */
+- endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
+
+ /* Some debug */
+ dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting);
+@@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interfa
+ input_dev->dev.parent = &usbinterface->dev;
+
+ /* Setup the URB, it will be posted later on open of input device */
+- endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
+
+ usb_fill_int_urb(gtco->urbinfo,
+ udev,
--- /dev/null
+From bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 11:55:47 -0800
+Subject: Input: pegasus_notetaker - fix endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 upstream.
+
+The driver was checking the number of endpoints of the first alternate
+setting instead of the current one, something which could be used by a
+malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer
+dereference.
+
+Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Martin Kepplinger <martink@posteo.de>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-2-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/pegasus_notetaker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/tablet/pegasus_notetaker.c
++++ b/drivers/input/tablet/pegasus_notetaker.c
+@@ -275,7 +275,7 @@ static int pegasus_probe(struct usb_inte
+ return -ENODEV;
+
+ /* Sanity check that the device has an endpoint */
+- if (intf->altsetting[0].desc.bNumEndpoints < 1) {
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+ dev_err(&intf->dev, "Invalid number of endpoints\n");
+ return -EINVAL;
+ }
--- /dev/null
+From 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan@gerhold.net>
+Date: Fri, 17 Jan 2020 13:40:36 -0800
+Subject: Input: pm8xxx-vib - fix handling of separate enable register
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+commit 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 upstream.
+
+Setting the vibrator enable_mask is not implemented correctly:
+
+For regmap_update_bits(map, reg, mask, val) we give in either
+regs->enable_mask or 0 (= no-op) as mask and "val" as value.
+But "val" actually refers to the vibrator voltage control register,
+which has nothing to do with the enable_mask.
+
+So we usually end up doing nothing when we really wanted
+to enable the vibrator.
+
+We want to set or clear the enable_mask (to enable/disable the vibrator).
+Therefore, change the call to always modify the enable_mask
+and set the bits only if we want to enable the vibrator.
+
+Fixes: d4c7c5c96c92 ("Input: pm8xxx-vib - handle separate enable register")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200114183442.45720-1-stephan@gerhold.net
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/pm8xxx-vibrator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/pm8xxx-vibrator.c
++++ b/drivers/input/misc/pm8xxx-vibrator.c
+@@ -90,7 +90,7 @@ static int pm8xxx_vib_set(struct pm8xxx_
+
+ if (regs->enable_mask)
+ rc = regmap_update_bits(vib->regmap, regs->enable_addr,
+- on ? regs->enable_mask : 0, val);
++ regs->enable_mask, on ? ~0 : 0);
+
+ return rc;
+ }
--- /dev/null
+From 97e24b095348a15ec08c476423c3b3b939186ad7 Mon Sep 17 00:00:00 2001
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Fri, 10 Jan 2020 10:30:04 -0800
+Subject: Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+commit 97e24b095348a15ec08c476423c3b3b939186ad7 upstream.
+
+The driver misses a check for devm_thermal_zone_of_sensor_register().
+Add a check to fix it.
+
+Fixes: e28d0c9cd381 ("input: convert sun4i-ts to use devm_thermal_zone_of_sensor_register")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sun4i-ts.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sun4i-ts.c
++++ b/drivers/input/touchscreen/sun4i-ts.c
+@@ -237,6 +237,7 @@ static int sun4i_ts_probe(struct platfor
+ struct device *dev = &pdev->dev;
+ struct device_node *np = dev->of_node;
+ struct device *hwmon;
++ struct thermal_zone_device *thermal;
+ int error;
+ u32 reg;
+ bool ts_attached;
+@@ -355,7 +356,10 @@ static int sun4i_ts_probe(struct platfor
+ if (IS_ERR(hwmon))
+ return PTR_ERR(hwmon);
+
+- devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, &sun4i_ts_tz_ops);
++ thermal = devm_thermal_zone_of_sensor_register(ts->dev, 0, ts,
++ &sun4i_ts_tz_ops);
++ if (IS_ERR(thermal))
++ return PTR_ERR(thermal);
+
+ writel(TEMP_IRQ_EN(1), ts->base + TP_INT_FIFOC);
+
--- /dev/null
+From 6b32391ed675827f8425a414abbc6fbd54ea54fe Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 12:01:27 -0800
+Subject: Input: sur40 - fix interface sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6b32391ed675827f8425a414abbc6fbd54ea54fe upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -653,7 +653,7 @@ static int sur40_probe(struct usb_interf
+ int error;
+
+ /* Check if we really have the right interface. */
+- iface_desc = &interface->altsetting[0];
++ iface_desc = interface->cur_altsetting;
+ if (iface_desc->desc.bInterfaceClass != 0xFF)
+ return -ENODEV;
+
--- /dev/null
+From 63963d0f9d17be83d0e419e03282847ecc2c3715 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Wed, 15 Jan 2020 13:53:46 +0200
+Subject: mlxsw: switchx2: Do not modify cloned SKBs during xmit
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+commit 63963d0f9d17be83d0e419e03282847ecc2c3715 upstream.
+
+The driver needs to prepend a Tx header to each packet it is
+transmitting. The header includes information such as the egress port
+and traffic class.
+
+The addition of the header requires the driver to modify the SKB's
+header and therefore it must not be shared. Otherwise, we risk hitting
+various race conditions.
+
+For example, when a packet is flooded (cloned) by the bridge driver to
+two switch ports swp1 and swp2:
+
+t0 - mlxsw_sp_port_xmit() is called for swp1. Tx header is prepended with
+ swp1's port number
+t1 - mlxsw_sp_port_xmit() is called for swp2. Tx header is prepended with
+ swp2's port number, overwriting swp1's port number
+t2 - The device processes data buffer from t0. Packet is transmitted via
+ swp2
+t3 - The device processes data buffer from t1. Packet is transmitted via
+ swp2
+
+Usually, the device is fast enough and transmits the packet before its
+Tx header is overwritten, but this is not the case in emulated
+environments.
+
+Fix this by making sure the SKB's header is writable by calling
+skb_cow_head(). Since the function ensures we have headroom to push the
+Tx header, the check further in the function can be removed.
+
+v2:
+* Use skb_cow_head() instead of skb_unshare() as suggested by Jakub
+* Remove unnecessary check regarding headroom
+
+Fixes: 31557f0f9755 ("mlxsw: Introduce Mellanox SwitchX-2 ASIC support")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Shalom Toledo <shalomt@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlxsw/switchx2.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
+@@ -299,22 +299,17 @@ static netdev_tx_t mlxsw_sx_port_xmit(st
+ u64 len;
+ int err;
+
++ if (skb_cow_head(skb, MLXSW_TXHDR_LEN)) {
++ this_cpu_inc(mlxsw_sx_port->pcpu_stats->tx_dropped);
++ dev_kfree_skb_any(skb);
++ return NETDEV_TX_OK;
++ }
++
+ memset(skb->cb, 0, sizeof(struct mlxsw_skb_cb));
+
+ if (mlxsw_core_skb_transmit_busy(mlxsw_sx->core, &tx_info))
+ return NETDEV_TX_BUSY;
+
+- if (unlikely(skb_headroom(skb) < MLXSW_TXHDR_LEN)) {
+- struct sk_buff *skb_orig = skb;
+-
+- skb = skb_realloc_headroom(skb, MLXSW_TXHDR_LEN);
+- if (!skb) {
+- this_cpu_inc(mlxsw_sx_port->pcpu_stats->tx_dropped);
+- dev_kfree_skb_any(skb_orig);
+- return NETDEV_TX_OK;
+- }
+- dev_consume_skb_any(skb_orig);
+- }
+ mlxsw_sx_txhdr_construct(skb, &tx_info);
+ /* TX header is consumed by HW on the way so we shouldn't count its
+ * bytes as being sent.
--- /dev/null
+From db885e66d268884dc72967279b7e84f522556abc Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Fri, 10 Jan 2020 04:38:32 -0800
+Subject: net/tls: fix async operation
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+commit db885e66d268884dc72967279b7e84f522556abc upstream.
+
+Mallesham reports the TLS with async accelerator was broken by
+commit d10523d0b3d7 ("net/tls: free the record on encryption error")
+because encryption can return -EINPROGRESS in such setups, which
+should not be treated as an error.
+
+The error is also present in the BPF path (likely copied from there).
+
+Reported-by: Mallesham Jatharakonda <mallesham.jatharakonda@oneconvergence.com>
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tls/tls_sw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -793,7 +793,7 @@ static int bpf_exec_tx_verdict(struct sk
+ psock = sk_psock_get(sk);
+ if (!psock || !policy) {
+ err = tls_push_record(sk, flags, record_type);
+- if (err) {
++ if (err && err != -EINPROGRESS) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
+ }
+@@ -819,7 +819,7 @@ more_data:
+ switch (psock->eval) {
+ case __SK_PASS:
+ err = tls_push_record(sk, flags, record_type);
+- if (err < 0) {
++ if (err && err != -EINPROGRESS) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
+ goto out_err;
--- /dev/null
+From 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 18 Jan 2020 11:27:25 +0100
+Subject: netfilter: nft_osf: add missing check for DREG attribute
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365 upstream.
+
+syzbot reports just another NULL deref crash because of missing test
+for presence of the attribute.
+
+Reported-by: syzbot+cf23983d697c26c34f60@syzkaller.appspotmail.com
+Fixes: b96af92d6eaf9fadd ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_osf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nft_osf.c
++++ b/net/netfilter/nft_osf.c
+@@ -61,6 +61,9 @@ static int nft_osf_init(const struct nft
+ int err;
+ u8 ttl;
+
++ if (!tb[NFTA_OSF_DREG])
++ return -EINVAL;
++
+ if (tb[NFTA_OSF_TTL]) {
+ ttl = nla_get_u8(tb[NFTA_OSF_TTL]);
+ if (ttl > 2)
mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch
mmc-sdhci_am654-remove-inverted-write-protect-flag.patch
mmc-sdhci_am654-reset-command-and-data-line-after-tuning.patch
+mlxsw-switchx2-do-not-modify-cloned-skbs-during-xmit.patch
+net-tls-fix-async-operation.patch
+input-pm8xxx-vib-fix-handling-of-separate-enable-register.patch
+input-sur40-fix-interface-sanity-checks.patch
+input-gtco-fix-endpoint-sanity-check.patch
+input-aiptek-fix-endpoint-sanity-check.patch
+input-pegasus_notetaker-fix-endpoint-sanity-check.patch
+input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch
+netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
