--- /dev/null
+From c2d22806aecb24e2de55c30a06e5d6eb297d161d Mon Sep 17 00:00:00 2001
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+Date: Sun, 25 Jun 2023 00:16:49 +0800
+Subject: fbdev: fix potential OOB read in fast_imageblit()
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+commit c2d22806aecb24e2de55c30a06e5d6eb297d161d upstream.
+
+There is a potential OOB read at fast_imageblit, for
+"colortab[(*src >> 4)]" can become a negative value due to
+"const char *s = image->data, *src".
+This change makes sure the index for colortab always positive
+or zero.
+
+Similar commit:
+https://patchwork.kernel.org/patch/11746067
+
+Potential bug report:
+https://groups.google.com/g/syzkaller-bugs/c/9ubBXKeKXf4/m/k-QXy4UgAAAJ
+
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/sysimgblt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/sysimgblt.c
++++ b/drivers/video/fbdev/core/sysimgblt.c
+@@ -189,7 +189,7 @@ static void fast_imageblit(const struct
+ u32 fgx = fgcolor, bgx = bgcolor, bpp = p->var.bits_per_pixel;
+ u32 ppw = 32/bpp, spitch = (image->width + 7)/8;
+ u32 bit_mask, eorx, shift;
+- const char *s = image->data, *src;
++ const u8 *s = image->data, *src;
+ u32 *dst;
+ const u32 *tab;
+ size_t tablen;
--- /dev/null
+From 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b Mon Sep 17 00:00:00 2001
+From: Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
+Date: Wed, 21 Jun 2023 13:17:43 +0200
+Subject: HID: hidraw: fix data race on device refcount
+
+From: Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
+
+commit 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b upstream.
+
+The hidraw_open() function increments the hidraw device reference
+counter. The counter has no dedicated synchronization mechanism,
+resulting in a potential data race when concurrently opening a device.
+
+The race is a regression introduced by commit 8590222e4b02 ("HID:
+hidraw: Replace hidraw device table mutex with a rwsem"). While
+minors_rwsem is intended to protect the hidraw_table itself, by instead
+acquiring the lock for writing, the reference counter is also protected.
+This is symmetrical to hidraw_release().
+
+Link: https://github.com/systemd/systemd/issues/27947
+Fixes: 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ludvig Michaelsson <ludvig.michaelsson@yubico.com>
+Link: https://lore.kernel.org/r/20230621-hidraw-race-v1-1-a58e6ac69bab@yubico.com
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hidraw.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -272,7 +272,12 @@ static int hidraw_open(struct inode *ino
+ goto out;
+ }
+
+- down_read(&minors_rwsem);
++ /*
++ * Technically not writing to the hidraw_table but a write lock is
++ * required to protect the device refcount. This is symmetrical to
++ * hidraw_release().
++ */
++ down_write(&minors_rwsem);
+ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
+ err = -ENODEV;
+ goto out_unlock;
+@@ -301,7 +306,7 @@ static int hidraw_open(struct inode *ino
+ spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
+ file->private_data = list;
+ out_unlock:
+- up_read(&minors_rwsem);
++ up_write(&minors_rwsem);
+ out:
+ if (err < 0)
+ kfree(list);
--- /dev/null
+From 5fe251112646d8626818ea90f7af325bab243efa Mon Sep 17 00:00:00 2001
+From: Mike Hommey <mh@glandium.org>
+Date: Sun, 18 Jun 2023 08:09:57 +0900
+Subject: HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651.
+
+From: Mike Hommey <mh@glandium.org>
+
+commit 5fe251112646d8626818ea90f7af325bab243efa upstream.
+
+commit 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if
+not necessary") put restarting communication behind that flag, and this
+was apparently necessary on the T651, but the flag was not set for it.
+
+Fixes: 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if not necessary")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Hommey <mh@glandium.org>
+Link: https://lore.kernel.org/r/20230617230957.6mx73th4blv7owqk@glandium.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -4553,7 +4553,7 @@ static const struct hid_device_id hidpp_
+ { /* wireless touchpad T651 */
+ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH,
+ USB_DEVICE_ID_LOGITECH_T651),
+- .driver_data = HIDPP_QUIRK_CLASS_WTP },
++ .driver_data = HIDPP_QUIRK_CLASS_WTP | HIDPP_QUIRK_DELAYED_INIT },
+ { /* Mouse Logitech Anywhere MX */
+ LDJ_DEVICE(0x1017), .driver_data = HIDPP_QUIRK_HI_RES_SCROLL_1P0 },
+ { /* Mouse logitech M560 */
--- /dev/null
+From 9a6c0e28e215535b2938c61ded54603b4e5814c5 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Thu, 8 Jun 2023 14:38:28 -0700
+Subject: HID: wacom: Use ktime_t rather than int when dealing with timestamps
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+commit 9a6c0e28e215535b2938c61ded54603b4e5814c5 upstream.
+
+Code which interacts with timestamps needs to use the ktime_t type
+returned by functions like ktime_get. The int type does not offer
+enough space to store these values, and attempting to use it is a
+recipe for problems. In this particular case, overflows would occur
+when calculating/storing timestamps leading to incorrect values being
+reported to userspace. In some cases these bad timestamps cause input
+handling in userspace to appear hung.
+
+Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/901
+Fixes: 17d793f3ed53 ("HID: wacom: insert timestamp to packed Bluetooth (BT) events")
+CC: stable@vger.kernel.org
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20230608213828.2108-1-jason.gerecke@wacom.com
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c | 6 +++---
+ drivers/hid/wacom_wac.h | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1314,7 +1314,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ struct input_dev *pen_input = wacom->pen_input;
+ unsigned char *data = wacom->data;
+ int number_of_valid_frames = 0;
+- int time_interval = 15000000;
++ ktime_t time_interval = 15000000;
+ ktime_t time_packet_received = ktime_get();
+ int i;
+
+@@ -1348,7 +1348,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ if (number_of_valid_frames) {
+ if (wacom->hid_data.time_delayed)
+ time_interval = ktime_get() - wacom->hid_data.time_delayed;
+- time_interval /= number_of_valid_frames;
++ time_interval = div_u64(time_interval, number_of_valid_frames);
+ wacom->hid_data.time_delayed = time_packet_received;
+ }
+
+@@ -1359,7 +1359,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ bool range = frame[0] & 0x20;
+ bool invert = frame[0] & 0x10;
+ int frames_number_reversed = number_of_valid_frames - i - 1;
+- int event_timestamp = time_packet_received - frames_number_reversed * time_interval;
++ ktime_t event_timestamp = time_packet_received - frames_number_reversed * time_interval;
+
+ if (!valid)
+ continue;
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -324,7 +324,7 @@ struct hid_data {
+ int ps_connected;
+ bool pad_input_event_flag;
+ unsigned short sequence_number;
+- int time_delayed;
++ ktime_t time_delayed;
+ };
+
+ struct wacom_remote_data {
--- /dev/null
+From e8c716bc6812202ccf4ce0f0bad3428b794fb39c Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Wed, 28 Jun 2023 21:31:35 -0700
+Subject: mm/khugepaged: fix regression in collapse_file()
+
+From: Hugh Dickins <hughd@google.com>
+
+commit e8c716bc6812202ccf4ce0f0bad3428b794fb39c upstream.
+
+There is no xas_pause(&xas) in collapse_file()'s main loop, at the points
+where it does xas_unlock_irq(&xas) and then continues.
+
+That would explain why, once two weeks ago and twice yesterday, I have
+hit the VM_BUG_ON_PAGE(page != xas_load(&xas), page) since "mm/khugepaged:
+fix iteration in collapse_file" removed the xas_set(&xas, index) just
+before it: xas.xa_node could be left pointing to a stale node, if there
+was concurrent activity on the file which transformed its xarray.
+
+I tried inserting xas_pause()s, but then even bootup crashed on that
+VM_BUG_ON_PAGE(): there appears to be a subtle "nextness" implicit in
+xas_pause().
+
+xas_next() and xas_pause() are good for use in simple loops, but not in
+this one: xas_set() worked well until now, so use xas_set(&xas, index)
+explicitly at the head of the loop; and change that VM_BUG_ON_PAGE() not
+to need its own xas_set(), and not to interfere with the xa_state (which
+would probably stop the crashes from xas_pause(), but I trust that less).
+
+The user-visible effects of this bug (if VM_BUG_ONs are configured out)
+would be data loss and data leak - potentially - though in practice I
+expect it is more likely that a subsequent check (e.g. on mapping or on
+nr_none) would notice an inconsistency, and just abandon the collapse.
+
+Link: https://lore.kernel.org/linux-mm/f18e4b64-3f88-a8ab-56cc-d1f5f9c58d4@google.com/
+Fixes: c8a8f3b4a95a ("mm/khugepaged: fix iteration in collapse_file")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Cc: stable@kernel.org
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: David Stevens <stevensd@chromium.org>
+Cc: Peter Xu <peterx@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/khugepaged.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1918,9 +1918,9 @@ static int collapse_file(struct mm_struc
+ }
+ } while (1);
+
+- xas_set(&xas, start);
+ for (index = start; index < end; index++) {
+- page = xas_next(&xas);
++ xas_set(&xas, index);
++ page = xas_load(&xas);
+
+ VM_BUG_ON(index != xas.xa_index);
+ if (is_shmem) {
+@@ -1935,7 +1935,6 @@ static int collapse_file(struct mm_struc
+ result = SCAN_TRUNCATED;
+ goto xa_locked;
+ }
+- xas_set(&xas, index + 1);
+ }
+ if (!shmem_charge(mapping->host, 1)) {
+ result = SCAN_FAIL;
+@@ -2071,7 +2070,7 @@ static int collapse_file(struct mm_struc
+
+ xas_lock_irq(&xas);
+
+- VM_BUG_ON_PAGE(page != xas_load(&xas), page);
++ VM_BUG_ON_PAGE(page != xa_load(xas.xa, index), page);
+
+ /*
+ * We control three references to the page:
mm-make-find_extend_vma-fail-if-write-lock-not-held.patch
execve-expand-new-process-stack-manually-ahead-of-time.patch
mm-always-expand-the-stack-with-the-mmap-write-lock-held.patch
+hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
gup-add-warning-if-some-caller-would-seem-to-want-stack-expansion.patch
+mm-khugepaged-fix-regression-in-collapse_file.patch
+fbdev-fix-potential-oob-read-in-fast_imageblit.patch
+hid-hidraw-fix-data-race-on-device-refcount.patch
+hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
