--- /dev/null
+From 4cc8d6505ab82db3357613d36e6c58a297f57f7c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 4 Dec 2019 15:48:24 +0100
+Subject: ALSA: pcm: oss: Avoid potential buffer overflows
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.
+
+syzkaller reported an invalid access in PCM OSS read, and this seems
+to be an overflow of the internal buffer allocated for a plugin.
+Since the rate plugin adjusts its transfer size dynamically, the
+calculation for the chained plugin might be bigger than the given
+buffer size in some extreme cases, which lead to such an buffer
+overflow as caught by KASAN.
+
+Fix it by limiting the max transfer size properly by checking against
+the destination size in each plugin transfer callback.
+
+Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/linear.c | 2 ++
+ sound/core/oss/mulaw.c | 2 ++
+ sound/core/oss/route.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+--- a/sound/core/oss/linear.c
++++ b/sound/core/oss/linear.c
+@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer
+ }
+ }
+ #endif
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+ convert(plugin, src_channels, dst_channels, frames);
+ return frames;
+ }
+--- a/sound/core/oss/mulaw.c
++++ b/sound/core/oss/mulaw.c
+@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer(
+ }
+ }
+ #endif
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+ data = (struct mulaw_priv *)plugin->extra_data;
+ data->func(plugin, src_channels, dst_channels, frames);
+ return frames;
+--- a/sound/core/oss/route.c
++++ b/sound/core/oss/route.c
+@@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer(
+ return -ENXIO;
+ if (frames == 0)
+ return 0;
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+
+ nsrcs = plugin->src_format.channels;
+ ndsts = plugin->dst_format.channels;
--- /dev/null
+From 2fe6899e36aa174abefd017887f9cfe0cb60c43a Mon Sep 17 00:00:00 2001
+From: Mike Leach <mike.leach@linaro.org>
+Date: Mon, 4 Nov 2019 11:12:42 -0700
+Subject: coresight: etm4x: Fix input validation for sysfs.
+
+From: Mike Leach <mike.leach@linaro.org>
+
+commit 2fe6899e36aa174abefd017887f9cfe0cb60c43a upstream.
+
+A number of issues are fixed relating to sysfs input validation:-
+
+1) bb_ctrl_store() - incorrect compare of bit select field to absolute
+value. Reworked per ETMv4 specification.
+2) seq_event_store() - incorrect mask value - register has two
+event values.
+3) cyc_threshold_store() - must mask with max before checking min
+otherwise wrapped values can set illegal value below min.
+4) res_ctrl_store() - update to mask off all res0 bits.
+
+Reviewed-by: Leo Yan <leo.yan@linaro.org>
+Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Mike Leach <mike.leach@linaro.org>
+Fixes: a77de2637c9eb ("coresight: etm4x: moving sysFS entries to a dedicated file")
+Cc: stable <stable@vger.kernel.org> # 4.9+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20191104181251.26732-6-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 21 ++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
+@@ -667,10 +667,13 @@ static ssize_t cyc_threshold_store(struc
+
+ if (kstrtoul(buf, 16, &val))
+ return -EINVAL;
++
++ /* mask off max threshold before checking min value */
++ val &= ETM_CYC_THRESHOLD_MASK;
+ if (val < drvdata->ccitmin)
+ return -EINVAL;
+
+- config->ccctlr = val & ETM_CYC_THRESHOLD_MASK;
++ config->ccctlr = val;
+ return size;
+ }
+ static DEVICE_ATTR_RW(cyc_threshold);
+@@ -701,14 +704,16 @@ static ssize_t bb_ctrl_store(struct devi
+ return -EINVAL;
+ if (!drvdata->nr_addr_cmp)
+ return -EINVAL;
++
+ /*
+- * Bit[7:0] selects which address range comparator is used for
+- * branch broadcast control.
++ * Bit[8] controls include(1) / exclude(0), bits[0-7] select
++ * individual range comparators. If include then at least 1
++ * range must be selected.
+ */
+- if (BMVAL(val, 0, 7) > drvdata->nr_addr_cmp)
++ if ((val & BIT(8)) && (BMVAL(val, 0, 7) == 0))
+ return -EINVAL;
+
+- config->bb_ctrl = val;
++ config->bb_ctrl = val & GENMASK(8, 0);
+ return size;
+ }
+ static DEVICE_ATTR_RW(bb_ctrl);
+@@ -1341,8 +1346,8 @@ static ssize_t seq_event_store(struct de
+
+ spin_lock(&drvdata->spinlock);
+ idx = config->seq_idx;
+- /* RST, bits[7:0] */
+- config->seq_ctrl[idx] = val & 0xFF;
++ /* Seq control has two masks B[15:8] F[7:0] */
++ config->seq_ctrl[idx] = val & 0xFFFF;
+ spin_unlock(&drvdata->spinlock);
+ return size;
+ }
+@@ -1597,7 +1602,7 @@ static ssize_t res_ctrl_store(struct dev
+ if (idx % 2 != 0)
+ /* PAIRINV, bit[21] */
+ val &= ~BIT(21);
+- config->res_ctrl[idx] = val;
++ config->res_ctrl[idx] = val & GENMASK(21, 0);
+ spin_unlock(&drvdata->spinlock);
+ return size;
+ }
--- /dev/null
+From df5b5e555b356662a5e4a23c6774fdfce8547d54 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 2 Dec 2019 09:36:15 -0800
+Subject: Input: goodix - add upside-down quirk for Teclast X89 tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit df5b5e555b356662a5e4a23c6774fdfce8547d54 upstream.
+
+The touchscreen on the Teclast X89 is mounted upside down in relation to
+the display orientation (the touchscreen itself is mounted upright, but the
+display is mounted upside-down). Add a quirk for this so that we send
+coordinates which match the display orientation.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Bastien Nocera <hadess@hadess.net>
+Link: https://lore.kernel.org/r/20191202085636.6650-1-hdegoede@redhat.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/goodix.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/goodix.c
++++ b/drivers/input/touchscreen/goodix.c
+@@ -90,6 +90,15 @@ static const unsigned long goodix_irq_fl
+ static const struct dmi_system_id rotated_screen[] = {
+ #if defined(CONFIG_DMI) && defined(CONFIG_X86)
+ {
++ .ident = "Teclast X89",
++ .matches = {
++ /* tPAD is too generic, also match on bios date */
++ DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"),
++ DMI_MATCH(DMI_BOARD_NAME, "tPAD"),
++ DMI_MATCH(DMI_BIOS_DATE, "12/19/2014"),
++ },
++ },
++ {
+ .ident = "WinBook TW100",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "WinBook"),
sched-fair-scale-bandwidth-quota-and-period-without-losing-quota-period-ratio-precision.patch
fuse-verify-nlink.patch
fuse-verify-attributes.patch
+alsa-pcm-oss-avoid-potential-buffer-overflows.patch
+input-goodix-add-upside-down-quirk-for-teclast-x89-tablet.patch
+coresight-etm4x-fix-input-validation-for-sysfs.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
