5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Mar 2023 14:20:31 +0000 (15:20 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Mar 2023 14:20:31 +0000 (15:20 +0100)
added patches:
hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch
hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch

queue-5.4/hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch [new file with mode: 0644]
queue-5.4/hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch [new file with mode: 0644]
queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch [deleted file]
queue-5.4/series

diff --git a/queue-5.4/hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch b/queue-5.4/hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch
new file mode 100644 (file)
index 0000000..f5125f8
--- /dev/null
@@ -0,0 +1,110 @@
+From stable-owner@vger.kernel.org Mon Mar 20 14:06:54 2023
+From: Lee Jones <lee@kernel.org>
+Date: Mon, 20 Mar 2023 13:06:31 +0000
+Subject: HID: core: Provide new max_buffer_size attribute to over-ride the default
+To: lee@kernel.org
+Cc: stable@vger.kernel.org, Jiri Kosina <jkosina@suse.cz>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Message-ID: <20230320130632.2770364-1-lee@kernel.org>
+
+From: Lee Jones <lee@kernel.org>
+
+commit b1a37ed00d7908a991c1d0f18a8cba3c2aa99bdc upstream.
+
+Presently, when a report is processed, its proposed size, provided by
+the user of the API (as Report Size * Report Count) is compared against
+the subsystem default HID_MAX_BUFFER_SIZE (16k).  However, some
+low-level HID drivers allocate a reduced amount of memory to their
+buffers (e.g. UHID only allocates UHID_DATA_MAX (4k) buffers), rending
+this check inadequate in some cases.
+
+In these circumstances, if the received report ends up being smaller
+than the proposed report size, the remainder of the buffer is zeroed.
+That is, the space between sizeof(csize) (size of the current report)
+and the rsize (size proposed i.e. Report Size * Report Count), which can
+be handled up to HID_MAX_BUFFER_SIZE (16k).  Meaning that memset()
+shoots straight past the end of the buffer boundary and starts zeroing
+out in-use values, often resulting in calamity.
+
+This patch introduces a new variable into 'struct hid_ll_driver' where
+individual low-level drivers can over-ride the default maximum value of
+HID_MAX_BUFFER_SIZE (16k) with something more sympathetic to the
+interface.
+
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+[Lee: Backported to v5.10.y]
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c |   18 +++++++++++++-----
+ include/linux/hid.h    |    3 +++
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -258,6 +258,7 @@ static int hid_add_field(struct hid_pars
+ {
+       struct hid_report *report;
+       struct hid_field *field;
++      unsigned int max_buffer_size = HID_MAX_BUFFER_SIZE;
+       unsigned int usages;
+       unsigned int offset;
+       unsigned int i;
+@@ -288,8 +289,11 @@ static int hid_add_field(struct hid_pars
+       offset = report->size;
+       report->size += parser->global.report_size * parser->global.report_count;
++      if (parser->device->ll_driver->max_buffer_size)
++              max_buffer_size = parser->device->ll_driver->max_buffer_size;
++
+       /* Total size check: Allow for possible report index byte */
+-      if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
++      if (report->size > (max_buffer_size - 1) << 3) {
+               hid_err(parser->device, "report is too long\n");
+               return -1;
+       }
+@@ -1745,6 +1749,7 @@ int hid_report_raw_event(struct hid_devi
+       struct hid_report_enum *report_enum = hid->report_enum + type;
+       struct hid_report *report;
+       struct hid_driver *hdrv;
++      int max_buffer_size = HID_MAX_BUFFER_SIZE;
+       unsigned int a;
+       u32 rsize, csize = size;
+       u8 *cdata = data;
+@@ -1761,10 +1766,13 @@ int hid_report_raw_event(struct hid_devi
+       rsize = hid_compute_report_size(report);
+-      if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
+-              rsize = HID_MAX_BUFFER_SIZE - 1;
+-      else if (rsize > HID_MAX_BUFFER_SIZE)
+-              rsize = HID_MAX_BUFFER_SIZE;
++      if (hid->ll_driver->max_buffer_size)
++              max_buffer_size = hid->ll_driver->max_buffer_size;
++
++      if (report_enum->numbered && rsize >= max_buffer_size)
++              rsize = max_buffer_size - 1;
++      else if (rsize > max_buffer_size)
++              rsize = max_buffer_size;
+       if (csize < rsize) {
+               dbg_hid("report %d is too short, (%d < %d)\n", report->id,
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -796,6 +796,7 @@ struct hid_driver {
+  * @raw_request: send raw report request to device (e.g. feature report)
+  * @output_report: send output report to device
+  * @idle: send idle request to device
++ * @max_buffer_size: over-ride maximum data buffer size (default: HID_MAX_BUFFER_SIZE)
+  */
+ struct hid_ll_driver {
+       int (*start)(struct hid_device *hdev);
+@@ -820,6 +821,8 @@ struct hid_ll_driver {
+       int (*output_report) (struct hid_device *hdev, __u8 *buf, size_t len);
+       int (*idle)(struct hid_device *hdev, int report, int idle, int reqtype);
++
++      unsigned int max_buffer_size;
+ };
+ extern struct hid_ll_driver i2c_hid_ll_driver;
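Review bot: In the hid_report_raw_event() hunk the new local is declared `int max_buffer_size`, while the hid_add_field() hunk and the new `struct hid_ll_driver` member both use `unsigned int`, and the value is compared against the `u32 rsize`. The comparison is performed as unsigned, so it behaves for sane values, but a driver-supplied value above INT_MAX would be stored as a negative int; `unsigned int max_buffer_size = HID_MAX_BUFFER_SIZE;` keeps the three sites consistent. Neither site bounds the driver value from above, so a low-level driver could raise the limit past HID_MAX_BUFFER_SIZE, and `(max_buffer_size - 1) << 3` in hid_add_field() could wrap for very large values. If the field is only meant to lower the limit (not visible from these hunks), clamp it, e.g. `max_buffer_size = min_t(unsigned int, hid->ll_driver->max_buffer_size, HID_MAX_BUFFER_SIZE);`. Both functions start and end outside the quoted hunks, so the buffer sizes actually allocated downstream are not visible here.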
diff --git a/queue-5.4/hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch b/queue-5.4/hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch
new file mode 100644 (file)
index 0000000..3ef4104
--- /dev/null
@@ -0,0 +1,35 @@
+From stable-owner@vger.kernel.org Mon Mar 20 14:06:53 2023
+From: Lee Jones <lee@kernel.org>
+Date: Mon, 20 Mar 2023 13:06:32 +0000
+Subject: HID: uhid: Over-ride the default maximum data buffer value with our own
+To: lee@kernel.org
+Cc: stable@vger.kernel.org, Jiri Kosina <jkosina@suse.cz>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Message-ID: <20230320130632.2770364-2-lee@kernel.org>
+
+From: Lee Jones <lee@kernel.org>
+
+commit 1c5d4221240a233df2440fe75c881465cdf8da07 upstream.
+
+The default maximum data buffer size for this interface is UHID_DATA_MAX
+(4k).  When data buffers are being processed, ensure this value is used
+when ensuring the sanity, rather than a value between the user provided
+value and HID_MAX_BUFFER_SIZE (16k).
+
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/uhid.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -395,6 +395,7 @@ struct hid_ll_driver uhid_hid_driver = {
+       .parse = uhid_hid_parse,
+       .raw_request = uhid_hid_raw_request,
+       .output_report = uhid_hid_output_report,
++      .max_buffer_size = UHID_DATA_MAX,
+ };
+ EXPORT_SYMBOL_GPL(uhid_hid_driver);
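Review bot: The new `.max_buffer_size = UHID_DATA_MAX,` initializer carries no comment explaining that it is a memory-safety bound rather than a tuning knob. The commit message explains that hid-core otherwise clamps report sizes against HID_MAX_BUFFER_SIZE (16k) while uhid buffers are only UHID_DATA_MAX (4k), and that reasoning is worth keeping next to the code so the line is not dropped in a later cleanup. I would add `/* uhid buffers hold UHID_DATA_MAX bytes; cap hid-core's report size checks to match */` above it. The initializer begins outside the hunk, and this line depends on the `max_buffer_size` member added by the preceding hid-core patch, so the two must be applied in the order listed in the series file.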
diff --git a/queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch b/queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
deleted file mode 100644 (file)
index b6bb8d7..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-From pchelkin@ispras.ru  Mon Mar 20 14:30:30 2023
-From: Fedor Pchelkin <pchelkin@ispras.ru>
-Date: Thu, 16 Mar 2023 21:56:16 +0300
-Subject: io_uring: avoid null-ptr-deref in io_arm_poll_handler
-To: Jens Axboe <axboe@kernel.dk>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
-Cc: Fedor Pchelkin <pchelkin@ispras.ru>, linux-kernel@vger.kernel.org, Alexey Khoroshilov <khoroshilov@ispras.ru>, lvc-project@linuxtesting.org
-Message-ID: <20230316185616.271024-1-pchelkin@ispras.ru>
-
-From: Fedor Pchelkin <pchelkin@ispras.ru>
-
-No upstream commit exists for this commit.
-
-The issue was introduced with backporting upstream commit c16bda37594f
-("io_uring/poll: allow some retries for poll triggering spuriously").
-
-Memory allocation can possibly fail causing invalid pointer be
-dereferenced just before comparing it to NULL value.
-
-Move the pointer check in proper place (upstream has the similar location
-of the check). In case the request has REQ_F_POLLED flag up, apoll can't
-be NULL so no need to check there.
-
-Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
-
-Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- io_uring/io_uring.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
-index 445afda927f4..fd799567fc23 100644
---- a/io_uring/io_uring.c
-+++ b/io_uring/io_uring.c
-@@ -5792,10 +5792,10 @@ static int io_arm_poll_handler(struct io_kiocb *req)
-               }
-       } else {
-               apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
-+              if (unlikely(!apoll))
-+                      return IO_APOLL_ABORTED;
-               apoll->poll.retries = APOLL_MAX_RETRY;
-       }
--      if (unlikely(!apoll))
--              return IO_APOLL_ABORTED;
-       apoll->double_poll = NULL;
-       req->apoll = apoll;
-       req->flags |= REQ_F_POLLED;
--- 
-2.34.1
-
index 2162ed5b336fa2cbe12862d93b17aeda566a4248..94e204a35b4f03df28a8763eef18c6d8b6416fc9 100644 (file)
@@ -56,4 +56,5 @@ drm-i915-don-t-use-stolen-memory-for-ring-buffers-with-llc.patch
 serial-8250_em-fix-uart-port-type.patch
 s390-ipl-add-missing-intersection-check-to-ipl_report-handling.patch
 pci-unify-delay-handling-for-reset-and-resume.patch
-io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
+hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch
+hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch