From: Greg Kroah-Hartman Date: Mon, 3 Apr 2023 08:11:39 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.14.312~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=10e817e0ca9b7a2be883080c963a5bd7040b2fb7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch input-focaltech-use-explicitly-signed-char-type.patch --- diff --git a/queue-4.14/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch b/queue-4.14/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch new file mode 100644 index 00000000000..d9a2f8ee56c --- /dev/null +++ b/queue-4.14/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch @@ -0,0 +1,62 @@ +From 179a88a8558bbf42991d361595281f3e45d7edfc Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Wed, 29 Mar 2023 22:24:06 +0200 +Subject: cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL + +From: David Disseldorp + +commit 179a88a8558bbf42991d361595281f3e45d7edfc upstream. + +When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount +is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to +S_AUTOMOUNT and corresponding dentry flags is retained regardless of +CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in +VFS follow_automount() when traversing a DFS referral link: + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ... + Call Trace: + + __traverse_mounts+0xb5/0x220 + ? cifs_revalidate_mapping+0x65/0xc0 [cifs] + step_into+0x195/0x610 + ? lookup_fast+0xe2/0xf0 + path_lookupat+0x64/0x140 + filename_lookup+0xc2/0x140 + ? __create_object+0x299/0x380 + ? kmem_cache_alloc+0x119/0x220 + ? user_path_at_empty+0x31/0x50 + user_path_at_empty+0x31/0x50 + __x64_sys_chdir+0x2a/0xd0 + ? exit_to_user_mode_prepare+0xca/0x100 + do_syscall_64+0x42/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler +when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to +avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This +approach was chosen as it provides more control over the error path. + +Signed-off-by: David Disseldorp +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (SUSE) +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/cifs/cifsfs.h ++++ b/fs/cifs/cifsfs.h +@@ -122,7 +122,10 @@ extern const struct dentry_operations ci + #ifdef CONFIG_CIFS_DFS_UPCALL + extern struct vfsmount *cifs_dfs_d_automount(struct path *path); + #else +-#define cifs_dfs_d_automount NULL ++static inline struct vfsmount *cifs_dfs_d_automount(struct path *path) ++{ ++ return ERR_PTR(-EREMOTE); ++} + #endif + + /* Functions related to symlinks */ diff --git a/queue-4.14/input-focaltech-use-explicitly-signed-char-type.patch b/queue-4.14/input-focaltech-use-explicitly-signed-char-type.patch new file mode 100644 index 00000000000..46d2298c524 --- /dev/null +++ b/queue-4.14/input-focaltech-use-explicitly-signed-char-type.patch @@ -0,0 +1,50 @@ +From 8980f190947ba29f23110408e712444884b74251 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sun, 19 Mar 2023 21:36:36 -0700 +Subject: Input: focaltech - use explicitly signed char type + +From: Jason A. Donenfeld + +commit 8980f190947ba29f23110408e712444884b74251 upstream. + +The recent change of -funsigned-char causes additions of negative +numbers to become additions of large positive numbers, leading to wrong +calculations of mouse movement. Change these casts to be explicitly +signed, to take into account negative offsets. + +Fixes: 3bc753c06dd0 ("kbuild: treat char as always unsigned") +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Hans de Goede +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217211 +Link: https://lore.kernel.org/r/20230318133010.1285202-1-Jason@zx2c4.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/focaltech.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/mouse/focaltech.c ++++ b/drivers/input/mouse/focaltech.c +@@ -206,8 +206,8 @@ static void focaltech_process_rel_packet + state->pressed = packet[0] >> 7; + finger1 = ((packet[0] >> 4) & 0x7) - 1; + if (finger1 < FOC_MAX_FINGERS) { +- state->fingers[finger1].x += (char)packet[1]; +- state->fingers[finger1].y += (char)packet[2]; ++ state->fingers[finger1].x += (s8)packet[1]; ++ state->fingers[finger1].y += (s8)packet[2]; + } else { + psmouse_err(psmouse, "First finger in rel packet invalid: %d\n", + finger1); +@@ -222,8 +222,8 @@ static void focaltech_process_rel_packet + */ + finger2 = ((packet[3] >> 4) & 0x7) - 1; + if (finger2 < FOC_MAX_FINGERS) { +- state->fingers[finger2].x += (char)packet[4]; +- state->fingers[finger2].y += (char)packet[5]; ++ state->fingers[finger2].x += (s8)packet[4]; ++ state->fingers[finger2].y += (s8)packet[5]; + } + } + diff --git a/queue-4.14/series b/queue-4.14/series index f332a386d94..b18ae78fe46 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -52,3 +52,5 @@ fbdev-au1200fb-fix-potential-divide-by-zero.patch scsi-megaraid_sas-fix-crash-after-a-double-completio.patch can-bcm-bcm_tx_setup-fix-kmsan-uninit-value-in-vfs_w.patch i40e-fix-registers-dump-after-run-ethtool-adapter-se.patch +input-focaltech-use-explicitly-signed-char-type.patch +cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch