6.1-stable patches

added patches:
	gcc-disable-warray-bounds-for-gcc-13-too.patch
	input-pegasus-notetaker-check-pipe-type-when-probing.patch

diff --git a/queue-6.1/gcc-disable-warray-bounds-for-gcc-13-too.patch b/queue-6.1/gcc-disable-warray-bounds-for-gcc-13-too.patch
new file mode 100644 (file)
index 0000000..b21cf59
--- /dev/null
+++ b/queue-6.1/gcc-disable-warray-bounds-for-gcc-13-too.patch
@@ -0,0 +1,63 @@
+From 0da6e5fd6c3726723e275603426e09178940dace Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 23 Apr 2023 09:56:20 -0700
+Subject: gcc: disable '-Warray-bounds' for gcc-13 too
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0da6e5fd6c3726723e275603426e09178940dace upstream.
+
+We started disabling '-Warray-bounds' for gcc-12 originally on s390,
+because it resulted in some warnings that weren't realistically fixable
+(commit 8b202ee21839: "s390: disable -Warray-bounds").
+
+That s390-specific issue was then found to be less common elsewhere, but
+generic (see f0be87c42cbd: "gcc-12: disable '-Warray-bounds' universally
+for now"), and then later expanded the version check was expanded to
+gcc-11 (5a41237ad1d4: "gcc: disable -Warray-bounds for gcc-11 too").
+
+And it turns out that I was much too optimistic in thinking that it's
+all going to go away, and here we are with gcc-13 showing all the same
+issues.  So instead of expanding this one version at a time, let's just
+disable it for gcc-11+, and put an end limit to it only when we actually
+find a solution.
+
+Yes, I'm sure some of this is because the kernel just does odd things
+(like our "container_of()" use, but also knowingly playing games with
+things like linker tables and array layouts).
+
+And yes, some of the warnings are likely signs of real bugs, but when
+there are hundreds of false positives, that doesn't really help.
+
+Oh well.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig |   10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -892,18 +892,14 @@ config CC_IMPLICIT_FALLTHROUGH
+       default "-Wimplicit-fallthrough=5" if CC_IS_GCC && $(cc-option,-Wimplicit-fallthrough=5)
+       default "-Wimplicit-fallthrough" if CC_IS_CLANG && $(cc-option,-Wunreachable-code-fallthrough)
+ 
+-# Currently, disable gcc-11,12 array-bounds globally.
+-# We may want to target only particular configurations some day.
++# Currently, disable gcc-11+ array-bounds globally.
++# It's still broken in gcc-13, so no upper bound yet.
+ config GCC11_NO_ARRAY_BOUNDS
+       def_bool y
+ 
+-config GCC12_NO_ARRAY_BOUNDS
+-      def_bool y
+-
+ config CC_NO_ARRAY_BOUNDS
+       bool
+-      default y if CC_IS_GCC && GCC_VERSION >= 110000 && GCC_VERSION < 120000 && GCC11_NO_ARRAY_BOUNDS
+-      default y if CC_IS_GCC && GCC_VERSION >= 120000 && GCC_VERSION < 130000 && GCC12_NO_ARRAY_BOUNDS
++      default y if CC_IS_GCC && GCC_VERSION >= 110000 && GCC11_NO_ARRAY_BOUNDS
+ 
+ #
+ # For architectures that know their GCC __int128 support is sound

diff --git a/queue-6.1/input-pegasus-notetaker-check-pipe-type-when-probing.patch b/queue-6.1/input-pegasus-notetaker-check-pipe-type-when-probing.patch
new file mode 100644 (file)
index 0000000..a942ca6
--- /dev/null
+++ b/queue-6.1/input-pegasus-notetaker-check-pipe-type-when-probing.patch
@@ -0,0 +1,41 @@
+From b3d80fd27a3c2d8715a40cbf876139b56195f162 Mon Sep 17 00:00:00 2001
+From: Soumya Negi <soumya.negi97@gmail.com>
+Date: Sun, 9 Apr 2023 19:12:04 -0700
+Subject: Input: pegasus-notetaker - check pipe type when probing
+
+From: Soumya Negi <soumya.negi97@gmail.com>
+
+commit b3d80fd27a3c2d8715a40cbf876139b56195f162 upstream.
+
+Fix WARNING in pegasus_open/usb_submit_urb
+Syzbot bug: https://syzkaller.appspot.com/bug?id=bbc107584dcf3262253ce93183e51f3612aaeb13
+
+Warning raised because pegasus_driver submits transfer request for
+bogus URB (pipe type does not match endpoint type). Add sanity check at
+probe time for pipe value extracted from endpoint descriptor. Probe
+will fail if sanity check fails.
+
+Reported-and-tested-by: syzbot+04ee0cb4caccaed12d78@syzkaller.appspotmail.com
+Signed-off-by: Soumya Negi <soumya.negi97@gmail.com>
+Link: https://lore.kernel.org/r/20230404074145.11523-1-soumya.negi97@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/tablet/pegasus_notetaker.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/input/tablet/pegasus_notetaker.c
++++ b/drivers/input/tablet/pegasus_notetaker.c
+@@ -296,6 +296,12 @@ static int pegasus_probe(struct usb_inte
+       pegasus->intf = intf;
+ 
+       pipe = usb_rcvintpipe(dev, endpoint->bEndpointAddress);
++      /* Sanity check that pipe's type matches endpoint's type */
++      if (usb_pipe_type_check(dev, pipe)) {
++              error = -EINVAL;
++              goto err_free_mem;
++      }
++
+       pegasus->data_len = usb_maxpacket(dev, pipe);
+ 
+       pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL,

diff --git a/queue-6.1/series b/queue-6.1/series
index 5427ce7a373c8486ae3db53ff3d7ed55520d3d8f..95f9b63e126c58bf3530b863f717540704ceca3b 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -87,3 +87,5 @@ purgatory-fix-disabling-debug-info.patch
 inet6-remove-inet6_destroy_sock-in-sk-sk_prot-destroy.patch
 dccp-call-inet6_destroy_sock-via-sk-sk_destruct.patch
 sctp-call-inet6_destroy_sock-via-sk-sk_destruct.patch
+gcc-disable-warray-bounds-for-gcc-13-too.patch
+input-pegasus-notetaker-check-pipe-type-when-probing.patch