--- /dev/null
+hid-core-correctly-handle-reportsize-being-zero.patch
+hid-core-sanitize-event-code-and-type-when-mapping-input.patch
+perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch
--- /dev/null
+hid-core-correctly-handle-reportsize-being-zero.patch
+hid-core-sanitize-event-code-and-type-when-mapping-input.patch
+perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch
--- /dev/null
+From bce1305c0ece3dc549663605e567655dd701752c Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Sat, 29 Aug 2020 12:26:01 +0100
+Subject: HID: core: Correctly handle ReportSize being zero
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit bce1305c0ece3dc549663605e567655dd701752c upstream.
+
+It appears that a ReportSize value of zero is legal, even if a bit
+non-sensical. Most of the HID code seems to handle that gracefully,
+except when computing the total size in bytes. When fed as input to
+memset, this leads to some funky outcomes.
+
+Detect the corner case and correctly compute the size.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1368,6 +1368,17 @@ static void hid_output_field(const struc
+ }
+
+ /*
++ * Compute the size of a report.
++ */
++static size_t hid_compute_report_size(struct hid_report *report)
++{
++ if (report->size)
++ return ((report->size - 1) >> 3) + 1;
++
++ return 0;
++}
++
++/*
+ * Create a report. 'data' has to be allocated using
+ * hid_alloc_report_buf() so that it has proper size.
+ */
+@@ -1379,7 +1390,7 @@ void hid_output_report(struct hid_report
+ if (report->id > 0)
+ *data++ = report->id;
+
+- memset(data, 0, ((report->size - 1) >> 3) + 1);
++ memset(data, 0, hid_compute_report_size(report));
+ for (n = 0; n < report->maxfield; n++)
+ hid_output_field(report->device, report->field[n], data);
+ }
+@@ -1506,7 +1517,7 @@ int hid_report_raw_event(struct hid_devi
+ csize--;
+ }
+
+- rsize = ((report->size - 1) >> 3) + 1;
++ rsize = hid_compute_report_size(report);
+
+ if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
+ rsize = HID_MAX_BUFFER_SIZE - 1;
--- /dev/null
+From 35556bed836f8dc07ac55f69c8d17dce3e7f0e25 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 1 Sep 2020 10:52:33 +0100
+Subject: HID: core: Sanitize event code and type when mapping input
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 35556bed836f8dc07ac55f69c8d17dce3e7f0e25 upstream.
+
+When calling into hid_map_usage(), the passed event code is
+blindly stored as is, even if it doesn't fit in the associated bitmap.
+
+This event code can come from a variety of sources, including devices
+masquerading as input devices, only a bit more "programmable".
+
+Instead of taking the event code at face value, check that it actually
+fits the corresponding bitmap, and if it doesn't:
+- spit out a warning so that we know which device is acting up
+- NULLify the bitmap pointer so that we catch unexpected uses
+
+Code paths that can make use of untrusted inputs can now check
+that the mapping was indeed correct and bail out if not.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 4 ++++
+ drivers/hid/hid-multitouch.c | 2 ++
+ include/linux/hid.h | 42 +++++++++++++++++++++++++++++-------------
+ 3 files changed, 35 insertions(+), 13 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -994,6 +994,10 @@ static void hidinput_configure_usage(str
+ }
+
+ mapped:
++ /* Mapping failed, bail out */
++ if (!bit)
++ return;
++
+ if (device->driver->input_mapped &&
+ device->driver->input_mapped(device, hidinput, field, usage,
+ &bit, &max) < 0) {
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -569,6 +569,8 @@ static int mt_touch_input_mapping(struct
+ case HID_UP_BUTTON:
+ code = BTN_MOUSE + ((usage->hid - 1) & HID_USAGE);
+ hid_map_usage(hi, usage, bit, max, EV_KEY, code);
++ if (!*bit)
++ return -1;
+ input_set_capability(hi->input, EV_KEY, code);
+ return 1;
+
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -866,34 +866,49 @@ static inline void hid_device_io_stop(st
+ * @max: maximal valid usage->code to consider later (out parameter)
+ * @type: input event type (EV_KEY, EV_REL, ...)
+ * @c: code which corresponds to this usage and type
++ *
++ * The value pointed to by @bit will be set to NULL if either @type is
++ * an unhandled event type, or if @c is out of range for @type. This
++ * can be used as an error condition.
+ */
+ static inline void hid_map_usage(struct hid_input *hidinput,
+ struct hid_usage *usage, unsigned long **bit, int *max,
+- __u8 type, __u16 c)
++ __u8 type, unsigned int c)
+ {
+ struct input_dev *input = hidinput->input;
+-
+- usage->type = type;
+- usage->code = c;
++ unsigned long *bmap = NULL;
++ unsigned int limit = 0;
+
+ switch (type) {
+ case EV_ABS:
+- *bit = input->absbit;
+- *max = ABS_MAX;
++ bmap = input->absbit;
++ limit = ABS_MAX;
+ break;
+ case EV_REL:
+- *bit = input->relbit;
+- *max = REL_MAX;
++ bmap = input->relbit;
++ limit = REL_MAX;
+ break;
+ case EV_KEY:
+- *bit = input->keybit;
+- *max = KEY_MAX;
++ bmap = input->keybit;
++ limit = KEY_MAX;
+ break;
+ case EV_LED:
+- *bit = input->ledbit;
+- *max = LED_MAX;
++ bmap = input->ledbit;
++ limit = LED_MAX;
+ break;
+ }
++
++ if (unlikely(c > limit || !bmap)) {
++ pr_warn_ratelimited("%s: Invalid code %d type %d\n",
++ input->name, c, type);
++ *bit = NULL;
++ return;
++ }
++
++ usage->type = type;
++ usage->code = c;
++ *max = limit;
++ *bit = bmap;
+ }
+
+ /**
+@@ -907,7 +922,8 @@ static inline void hid_map_usage_clear(s
+ __u8 type, __u16 c)
+ {
+ hid_map_usage(hidinput, usage, bit, max, type, c);
+- clear_bit(c, *bit);
++ if (*bit)
++ clear_bit(usage->code, *bit);
+ }
+
+ /**
--- /dev/null
+From e48a73a312ebf19cc3d72aa74985db25c30757c1 Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Tue, 1 Sep 2020 16:58:53 -0500
+Subject: perf record/stat: Explicitly call out event modifiers in the documentation
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit e48a73a312ebf19cc3d72aa74985db25c30757c1 upstream.
+
+Event modifiers are not mentioned in the perf record or perf stat
+manpages. Add them to orient new users more effectively by pointing
+them to the perf list manpage for details.
+
+Fixes: 2055fdaf8703 ("perf list: Document precise event sampling for AMD IBS")
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Paul Clarke <pc@us.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Tony Jones <tonyj@suse.de>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20200901215853.276234-1-kim.phillips@amd.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/Documentation/perf-record.txt | 4 ++++
+ tools/perf/Documentation/perf-stat.txt | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/tools/perf/Documentation/perf-record.txt
++++ b/tools/perf/Documentation/perf-record.txt
+@@ -33,6 +33,10 @@ OPTIONS
+ - a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a
+ hexadecimal event descriptor.
+
++ - a symbolic or raw PMU event followed by an optional colon
++ and a list of event modifiers, e.g., cpu-cycles:p. See the
++ linkperf:perf-list[1] man page for details on event modifiers.
++
+ - a symbolically formed PMU event like 'pmu/param1=0x3,param2/' where
+ 'param1', 'param2', etc are defined as formats for the PMU in
+ /sys/bus/event_sources/devices/<pmu>/format/*.
+--- a/tools/perf/Documentation/perf-stat.txt
++++ b/tools/perf/Documentation/perf-stat.txt
+@@ -32,6 +32,10 @@ OPTIONS
+ - a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a
+ hexadecimal event descriptor.
+
++ - a symbolic or raw PMU event followed by an optional colon
++ and a list of event modifiers, e.g., cpu-cycles:p. See the
++ linkperf:perf-list[1] man page for details on event modifiers.
++
+ - a symbolically formed event like 'pmu/param1=0x3,param2/' where
+ param1 and param2 are defined as formats for the PMU in
+ /sys/bus/event_sources/devices/<pmu>/format/*
--- /dev/null
+hid-core-correctly-handle-reportsize-being-zero.patch
+hid-core-sanitize-event-code-and-type-when-mapping-input.patch
+perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch
--- /dev/null
+hid-core-correctly-handle-reportsize-being-zero.patch
+hid-core-sanitize-event-code-and-type-when-mapping-input.patch
+perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch
--- /dev/null
+hid-core-correctly-handle-reportsize-being-zero.patch
+hid-core-sanitize-event-code-and-type-when-mapping-input.patch
+perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch
--- /dev/null
+hid-core-correctly-handle-reportsize-being-zero.patch
+hid-core-sanitize-event-code-and-type-when-mapping-input.patch
+netfilter-nft_set_rbtree-handle-outcomes-of-tree-rotations-in-overlap-detection.patch
+mm-fix-pin-vs.-gup-mismatch-with-gate-pages.patch
+selftests-x86-test_vsyscall-improve-the-process_vm_readv-test.patch
+perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
