From: Greg Kroah-Hartman Date: Thu, 2 Oct 2014 19:56:03 +0000 (-0700) Subject: 3.16-stable patches X-Git-Tag: v3.16.4~75 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0617e0f49758bc4ebe11553286df1c9cc57867bf;p=thirdparty%2Fkernel%2Fstable-queue.git 3.16-stable patches added patches: hid-logitech-dj-prevent-false-errors-to-be-shown.patch hid-magicmouse-sanity-check-report-size-in-raw_event-callback.patch hid-picolcd-sanity-check-report-size-in-raw_event-callback.patch xattr-fix-check-for-simultaneous-glibc-header-inclusion.patch --- diff --git a/queue-3.16/hid-logitech-dj-prevent-false-errors-to-be-shown.patch b/queue-3.16/hid-logitech-dj-prevent-false-errors-to-be-shown.patch new file mode 100644 index 00000000000..1fa96b81d12 --- /dev/null +++ b/queue-3.16/hid-logitech-dj-prevent-false-errors-to-be-shown.patch @@ -0,0 +1,112 @@ +From 5abfe85c1d4694d5d4bbd13ecc166262b937adf0 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Fri, 22 Aug 2014 16:16:05 -0400 +Subject: HID: logitech-dj: prevent false errors to be shown + +From: Benjamin Tissoires + +commit 5abfe85c1d4694d5d4bbd13ecc166262b937adf0 upstream. + +Commit "HID: logitech: perform bounds checking on device_id early +enough" unfortunately leaks some errors to dmesg which are not real +ones: +- if the report is not a DJ one, then there is not point in checking + the device_id +- the receiver (index 0) can also receive some notifications which + can be safely ignored given the current implementation + +Move out the test regarding the report_id and also discards +printing errors when the receiver got notified. + +Fixes: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 + +Reported-and-tested-by: Markus Trippelsdorf +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-logitech-dj.c | 43 ++++++++++++++++++++++++------------------ + drivers/hid/hid-logitech-dj.h | 1 + 2 files changed, 26 insertions(+), 18 deletions(-) + +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -656,7 +656,6 @@ static int logi_dj_raw_event(struct hid_ + struct dj_receiver_dev *djrcv_dev = hid_get_drvdata(hdev); + struct dj_report *dj_report = (struct dj_report *) data; + unsigned long flags; +- bool report_processed = false; + + dbg_hid("%s, size:%d\n", __func__, size); + +@@ -683,34 +682,42 @@ static int logi_dj_raw_event(struct hid_ + * device (via hid_input_report() ) and return 1 so hid-core does not do + * anything else with it. + */ ++ ++ /* case 1) */ ++ if (data[0] != REPORT_ID_DJ_SHORT) ++ return false; ++ + if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || + (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { +- dev_err(&hdev->dev, "%s: invalid device index:%d\n", ++ /* ++ * Device index is wrong, bail out. ++ * This driver can ignore safely the receiver notifications, ++ * so ignore those reports too. ++ */ ++ if (dj_report->device_index != DJ_RECEIVER_INDEX) ++ dev_err(&hdev->dev, "%s: invalid device index:%d\n", + __func__, dj_report->device_index); + return false; + } + + spin_lock_irqsave(&djrcv_dev->lock, flags); +- if (dj_report->report_id == REPORT_ID_DJ_SHORT) { +- switch (dj_report->report_type) { +- case REPORT_TYPE_NOTIF_DEVICE_PAIRED: +- case REPORT_TYPE_NOTIF_DEVICE_UNPAIRED: +- logi_dj_recv_queue_notification(djrcv_dev, dj_report); +- break; +- case REPORT_TYPE_NOTIF_CONNECTION_STATUS: +- if (dj_report->report_params[CONNECTION_STATUS_PARAM_STATUS] == +- STATUS_LINKLOSS) { +- logi_dj_recv_forward_null_report(djrcv_dev, dj_report); +- } +- break; +- default: +- logi_dj_recv_forward_report(djrcv_dev, dj_report); ++ switch (dj_report->report_type) { ++ case REPORT_TYPE_NOTIF_DEVICE_PAIRED: ++ case REPORT_TYPE_NOTIF_DEVICE_UNPAIRED: ++ logi_dj_recv_queue_notification(djrcv_dev, dj_report); ++ break; ++ case REPORT_TYPE_NOTIF_CONNECTION_STATUS: ++ if (dj_report->report_params[CONNECTION_STATUS_PARAM_STATUS] == ++ STATUS_LINKLOSS) { ++ logi_dj_recv_forward_null_report(djrcv_dev, dj_report); + } +- report_processed = true; ++ break; ++ default: ++ logi_dj_recv_forward_report(djrcv_dev, dj_report); + } + spin_unlock_irqrestore(&djrcv_dev->lock, flags); + +- return report_processed; ++ return true; + } + + static int logi_dj_probe(struct hid_device *hdev, +--- a/drivers/hid/hid-logitech-dj.h ++++ b/drivers/hid/hid-logitech-dj.h +@@ -27,6 +27,7 @@ + + #define DJ_MAX_PAIRED_DEVICES 6 + #define DJ_MAX_NUMBER_NOTIFICATIONS 8 ++#define DJ_RECEIVER_INDEX 0 + #define DJ_DEVICE_INDEX_MIN 1 + #define DJ_DEVICE_INDEX_MAX 6 + diff --git a/queue-3.16/hid-magicmouse-sanity-check-report-size-in-raw_event-callback.patch b/queue-3.16/hid-magicmouse-sanity-check-report-size-in-raw_event-callback.patch new file mode 100644 index 00000000000..46597c11aae --- /dev/null +++ b/queue-3.16/hid-magicmouse-sanity-check-report-size-in-raw_event-callback.patch @@ -0,0 +1,47 @@ +From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Wed, 27 Aug 2014 09:12:24 +0200 +Subject: HID: magicmouse: sanity check report size in raw_event() callback + +From: Jiri Kosina + +commit c54def7bd64d7c0b6993336abcffb8444795bf38 upstream. + +The report passed to us from transport driver could potentially be +arbitrarily large, therefore we better sanity-check it so that +magicmouse_emit_touch() gets only valid values of raw_id. + +Reported-by: Steven Vittitoe +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-magicmouse.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/hid/hid-magicmouse.c ++++ b/drivers/hid/hid-magicmouse.c +@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct h + if (size < 4 || ((size - 4) % 9) != 0) + return 0; + npoints = (size - 4) / 9; ++ if (npoints > 15) { ++ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n", ++ size); ++ return 0; ++ } + msc->ntouches = 0; + for (ii = 0; ii < npoints; ii++) + magicmouse_emit_touch(msc, ii, data + ii * 9 + 4); +@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct h + if (size < 6 || ((size - 6) % 8) != 0) + return 0; + npoints = (size - 6) / 8; ++ if (npoints > 15) { ++ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n", ++ size); ++ return 0; ++ } + msc->ntouches = 0; + for (ii = 0; ii < npoints; ii++) + magicmouse_emit_touch(msc, ii, data + ii * 8 + 6); diff --git a/queue-3.16/hid-picolcd-sanity-check-report-size-in-raw_event-callback.patch b/queue-3.16/hid-picolcd-sanity-check-report-size-in-raw_event-callback.patch new file mode 100644 index 00000000000..8e336d3a8f0 --- /dev/null +++ b/queue-3.16/hid-picolcd-sanity-check-report-size-in-raw_event-callback.patch @@ -0,0 +1,37 @@ +From 844817e47eef14141cf59b8d5ac08dd11c0a9189 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Wed, 27 Aug 2014 09:13:15 +0200 +Subject: HID: picolcd: sanity check report size in raw_event() callback + +From: Jiri Kosina + +commit 844817e47eef14141cf59b8d5ac08dd11c0a9189 upstream. + +The report passed to us from transport driver could potentially be +arbitrarily large, therefore we better sanity-check it so that raw_data +that we hold in picolcd_pending structure are always kept within proper +bounds. + +Reported-by: Steven Vittitoe +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-picolcd_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hid/hid-picolcd_core.c ++++ b/drivers/hid/hid-picolcd_core.c +@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_ + if (!data) + return 1; + ++ if (size > 64) { ++ hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n", ++ size); ++ return 0; ++ } ++ + if (report->id == REPORT_KEY_STATE) { + if (data->input_keys) + ret = picolcd_raw_keypad(data, report, raw_data+1, size-1); diff --git a/queue-3.16/series b/queue-3.16/series index 342174ab707..1b709a47b7a 100644 --- a/queue-3.16/series +++ b/queue-3.16/series @@ -62,3 +62,7 @@ alsa-hda-fix-invalid-pin-powermap-without-jack-detection.patch alsa-hda-add-fixup-model-name-lookup-for-lemote-a1205.patch alsa-pcm-fix-fifo_size-frame-calculation.patch cfq-iosched-fix-wrong-children_weight-calculation.patch +hid-picolcd-sanity-check-report-size-in-raw_event-callback.patch +hid-magicmouse-sanity-check-report-size-in-raw_event-callback.patch +hid-logitech-dj-prevent-false-errors-to-be-shown.patch +xattr-fix-check-for-simultaneous-glibc-header-inclusion.patch diff --git a/queue-3.16/xattr-fix-check-for-simultaneous-glibc-header-inclusion.patch b/queue-3.16/xattr-fix-check-for-simultaneous-glibc-header-inclusion.patch new file mode 100644 index 00000000000..13f89b89ae5 --- /dev/null +++ b/queue-3.16/xattr-fix-check-for-simultaneous-glibc-header-inclusion.patch @@ -0,0 +1,50 @@ +From bfcfd44cce2774f19daeb59fb4e43fc9aa80e7b8 Mon Sep 17 00:00:00 2001 +From: Filipe Brandenburger +Date: Fri, 29 Aug 2014 15:18:51 -0700 +Subject: xattr: fix check for simultaneous glibc header inclusion + +From: Filipe Brandenburger + +commit bfcfd44cce2774f19daeb59fb4e43fc9aa80e7b8 upstream. + +The guard was introduced in commit ea1a8217b06b ("xattr: guard against +simultaneous glibc header inclusion") but it is using #ifdef to check +for a define that is either set to 1 or 0. Fix it to use #if instead. + +* Without this patch: + + $ { echo "#include "; echo "#include "; } | gcc -E -Iinclude/uapi - >/dev/null + include/uapi/linux/xattr.h:19:0: warning: "XATTR_CREATE" redefined [enabled by default] + #define XATTR_CREATE 0x1 /* set value, fail if attr already exists */ + ^ + /usr/include/x86_64-linux-gnu/sys/xattr.h:32:0: note: this is the location of the previous definition + #define XATTR_CREATE XATTR_CREATE + ^ + +* With this patch: + + $ { echo "#include "; echo "#include "; } | gcc -E -Iinclude/uapi - >/dev/null + (no warnings) + +Signed-off-by: Filipe Brandenburger +Acked-by: Serge E. Hallyn +Cc: Allan McRae +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/xattr.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/uapi/linux/xattr.h ++++ b/include/uapi/linux/xattr.h +@@ -13,7 +13,7 @@ + #ifndef _UAPI_LINUX_XATTR_H + #define _UAPI_LINUX_XATTR_H + +-#ifdef __UAPI_DEF_XATTR ++#if __UAPI_DEF_XATTR + #define __USE_KERNEL_XATTR_DEFS + + #define XATTR_CREATE 0x1 /* set value, fail if attr already exists */