From: Greg Kroah-Hartman Date: Wed, 28 Jan 2015 00:16:40 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.67~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f21cd6cc1f7f342cc628912f57ef9210b767d89;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: input-evdev-fix-eviocg-type-ioctl.patch
---
diff --git a/queue-3.14/input-evdev-fix-eviocg-type-ioctl.patch b/queue-3.14/input-evdev-fix-eviocg-type-ioctl.patch
new file mode 100644
index 00000000000..3ee80b73f32
--- /dev/null
+++ b/queue-3.14/input-evdev-fix-eviocg-type-ioctl.patch
@@ -0,0 +1,63 @@
+From 7c4f56070fde2367766fa1fb04852599b5e1ad35 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 6 Oct 2014 10:55:49 -0700
+Subject: Input: evdev - fix EVIOCG{type} ioctl
+
+From: Dmitry Torokhov
+
+commit 7c4f56070fde2367766fa1fb04852599b5e1ad35 upstream.
+
+The 'max' size passed into the function is measured in number of bits
+(KEY_MAX, LED_MAX, etc) so we need to convert it accordingly before trying
+to copy the data out, otherwise we will try copying too much and end up
+with up with a page fault.
+
+Reported-by: Pavel Machek
+Reviewed-by: Pavel Machek
+Reviewed-by: David Herrmann
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/evdev.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/input/evdev.c
++++ b/drivers/input/evdev.c
+@@ -757,20 +757,23 @@ static int evdev_handle_set_keycode_v2(s
+ */
+ static int evdev_handle_get_val(struct evdev_client *client,
+ struct input_dev *dev, unsigned int type,
+- unsigned long *bits, unsigned int max,
+- unsigned int size, void __user *p, int compat)
++ unsigned long *bits, unsigned int maxbit,
++ unsigned int maxlen, void __user *p,
++ int compat)
+ {
+ int ret;
+ unsigned long *mem;
++ size_t len;
+
+- mem = kmalloc(sizeof(unsigned long) * max, GFP_KERNEL);
++ len = BITS_TO_LONGS(maxbit) * sizeof(unsigned long);
++ mem = kmalloc(len, GFP_KERNEL);
+ if (!mem)
+ return -ENOMEM;
+
+ spin_lock_irq(&dev->event_lock);
+ spin_lock(&client->buffer_lock);
+
+- memcpy(mem, bits, sizeof(unsigned long) * max);
++ memcpy(mem, bits, len);
+
+ spin_unlock(&dev->event_lock);
+
+@@ -778,7 +781,7 @@ static int evdev_handle_get_val(struct e
+
+ spin_unlock_irq(&client->buffer_lock);
+
+- ret = bits_to_user(mem, max, size, p, compat);
++ ret = bits_to_user(mem, maxbit, maxlen, p, compat);
+ if (ret < 0)
+ evdev_queue_syn_dropped(client);
+
diff --git a/queue-3.14/series b/queue-3.14/series
index b54978531fc..7d86f7952ea 100644
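Review bot: The bits-versus-bytes contract this fix depends on is carried only by the new parameter names in the `evdev_handle_get_val()` signature of the queued evdev.c patch, so a later caller could reintroduce the same over-read of `bits`. The comment block that closes just above the signature (its text is outside the hunk) should state the units, for example `@maxbit: highest bit number in @bits (KEY_MAX, LED_MAX, ...), not a byte or long count`; `maxlen` looks like the user buffer length in bytes, which should be confirmed against `bits_to_user()` and documented the same way. The description says callers pass KEY_MAX-style values, so `len = BITS_TO_LONGS(maxbit) * sizeof(unsigned long)` covers the whole source bitmap only while none of those constants is an exact multiple of BITS_PER_LONG; if one ever were, the copy would come up one long short rather than overrun, which deserves a one-line comment at the `len` computation. The function starts above and ends below the two inner hunks, and its callers are not visible here.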
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -39,3 +39,4 @@ crypto-include-crypto-module-prefix-in-template.patch
 crypto-add-missing-crypto-module-aliases.patch
 arc-delete-stale-barrier.h.patch
 arc-fix-build-breakage-for-config_arc_dw2_unwind.patch
+input-evdev-fix-eviocg-type-ioctl.patch