From: Greg Kroah-Hartman Date: Fri, 4 Sep 2020 09:11:38 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.4.63~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34ab3e02c5848c202b69d22821ed655879ce92ca;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: hid-core-correctly-handle-reportsize-being-zero.patch hid-core-sanitize-event-code-and-type-when-mapping-input.patch perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch --- diff --git a/queue-4.9/hid-core-correctly-handle-reportsize-being-zero.patch b/queue-4.9/hid-core-correctly-handle-reportsize-being-zero.patch new file mode 100644 index 00000000000..fd133b28167 --- /dev/null +++ b/queue-4.9/hid-core-correctly-handle-reportsize-being-zero.patch @@ -0,0 +1,63 @@ +From bce1305c0ece3dc549663605e567655dd701752c Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Sat, 29 Aug 2020 12:26:01 +0100 +Subject: HID: core: Correctly handle ReportSize being zero + +From: Marc Zyngier + +commit bce1305c0ece3dc549663605e567655dd701752c upstream. + +It appears that a ReportSize value of zero is legal, even if a bit +non-sensical. Most of the HID code seems to handle that gracefully, +except when computing the total size in bytes. When fed as input to +memset, this leads to some funky outcomes. + +Detect the corner case and correctly compute the size. + +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1407,6 +1407,17 @@ static void hid_output_field(const struc + } + + /* ++ * Compute the size of a report. ++ */ ++static size_t hid_compute_report_size(struct hid_report *report) ++{ ++ if (report->size) ++ return ((report->size - 1) >> 3) + 1; ++ ++ return 0; ++} ++ ++/* + * Create a report. 'data' has to be allocated using + * hid_alloc_report_buf() so that it has proper size. + */ +@@ -1418,7 +1429,7 @@ void hid_output_report(struct hid_report + if (report->id > 0) + *data++ = report->id; + +- memset(data, 0, ((report->size - 1) >> 3) + 1); ++ memset(data, 0, hid_compute_report_size(report)); + for (n = 0; n < report->maxfield; n++) + hid_output_field(report->device, report->field[n], data); + } +@@ -1545,7 +1556,7 @@ int hid_report_raw_event(struct hid_devi + csize--; + } + +- rsize = ((report->size - 1) >> 3) + 1; ++ rsize = hid_compute_report_size(report); + + if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) + rsize = HID_MAX_BUFFER_SIZE - 1; diff --git a/queue-4.9/hid-core-sanitize-event-code-and-type-when-mapping-input.patch b/queue-4.9/hid-core-sanitize-event-code-and-type-when-mapping-input.patch new file mode 100644 index 00000000000..101aa62e6df --- /dev/null +++ b/queue-4.9/hid-core-sanitize-event-code-and-type-when-mapping-input.patch @@ -0,0 +1,132 @@ +From 35556bed836f8dc07ac55f69c8d17dce3e7f0e25 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 1 Sep 2020 10:52:33 +0100 +Subject: HID: core: Sanitize event code and type when mapping input + +From: Marc Zyngier + +commit 35556bed836f8dc07ac55f69c8d17dce3e7f0e25 upstream. + +When calling into hid_map_usage(), the passed event code is +blindly stored as is, even if it doesn't fit in the associated bitmap. + +This event code can come from a variety of sources, including devices +masquerading as input devices, only a bit more "programmable". + +Instead of taking the event code at face value, check that it actually +fits the corresponding bitmap, and if it doesn't: +- spit out a warning so that we know which device is acting up +- NULLify the bitmap pointer so that we catch unexpected uses + +Code paths that can make use of untrusted inputs can now check +that the mapping was indeed correct and bail out if not. + +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-input.c | 4 ++++ + drivers/hid/hid-multitouch.c | 2 ++ + include/linux/hid.h | 42 +++++++++++++++++++++++++++++------------- + 3 files changed, 35 insertions(+), 13 deletions(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1026,6 +1026,10 @@ static void hidinput_configure_usage(str + } + + mapped: ++ /* Mapping failed, bail out */ ++ if (!bit) ++ return; ++ + if (device->driver->input_mapped && + device->driver->input_mapped(device, hidinput, field, usage, + &bit, &max) < 0) { +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -567,6 +567,8 @@ static int mt_touch_input_mapping(struct + case HID_UP_BUTTON: + code = BTN_MOUSE + ((usage->hid - 1) & HID_USAGE); + hid_map_usage(hi, usage, bit, max, EV_KEY, code); ++ if (!*bit) ++ return -1; + input_set_capability(hi->input, EV_KEY, code); + return 1; + +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -874,34 +874,49 @@ static inline void hid_device_io_stop(st + * @max: maximal valid usage->code to consider later (out parameter) + * @type: input event type (EV_KEY, EV_REL, ...) + * @c: code which corresponds to this usage and type ++ * ++ * The value pointed to by @bit will be set to NULL if either @type is ++ * an unhandled event type, or if @c is out of range for @type. This ++ * can be used as an error condition. + */ + static inline void hid_map_usage(struct hid_input *hidinput, + struct hid_usage *usage, unsigned long **bit, int *max, +- __u8 type, __u16 c) ++ __u8 type, unsigned int c) + { + struct input_dev *input = hidinput->input; +- +- usage->type = type; +- usage->code = c; ++ unsigned long *bmap = NULL; ++ unsigned int limit = 0; + + switch (type) { + case EV_ABS: +- *bit = input->absbit; +- *max = ABS_MAX; ++ bmap = input->absbit; ++ limit = ABS_MAX; + break; + case EV_REL: +- *bit = input->relbit; +- *max = REL_MAX; ++ bmap = input->relbit; ++ limit = REL_MAX; + break; + case EV_KEY: +- *bit = input->keybit; +- *max = KEY_MAX; ++ bmap = input->keybit; ++ limit = KEY_MAX; + break; + case EV_LED: +- *bit = input->ledbit; +- *max = LED_MAX; ++ bmap = input->ledbit; ++ limit = LED_MAX; + break; + } ++ ++ if (unlikely(c > limit || !bmap)) { ++ pr_warn_ratelimited("%s: Invalid code %d type %d\n", ++ input->name, c, type); ++ *bit = NULL; ++ return; ++ } ++ ++ usage->type = type; ++ usage->code = c; ++ *max = limit; ++ *bit = bmap; + } + + /** +@@ -915,7 +930,8 @@ static inline void hid_map_usage_clear(s + __u8 type, __u16 c) + { + hid_map_usage(hidinput, usage, bit, max, type, c); +- clear_bit(c, *bit); ++ if (*bit) ++ clear_bit(usage->code, *bit); + } + + /** diff --git a/queue-4.9/perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch b/queue-4.9/perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch new file mode 100644 index 00000000000..1c0392482dc --- /dev/null +++ b/queue-4.9/perf-record-stat-explicitly-call-out-event-modifiers-in-the-documentation.patch @@ -0,0 +1,63 @@ +From e48a73a312ebf19cc3d72aa74985db25c30757c1 Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Tue, 1 Sep 2020 16:58:53 -0500 +Subject: perf record/stat: Explicitly call out event modifiers in the documentation + +From: Kim Phillips + +commit e48a73a312ebf19cc3d72aa74985db25c30757c1 upstream. + +Event modifiers are not mentioned in the perf record or perf stat +manpages. Add them to orient new users more effectively by pointing +them to the perf list manpage for details. + +Fixes: 2055fdaf8703 ("perf list: Document precise event sampling for AMD IBS") +Signed-off-by: Kim Phillips +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Ian Rogers +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Paul Clarke +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Tony Jones +Cc: stable@vger.kernel.org +Link: http://lore.kernel.org/lkml/20200901215853.276234-1-kim.phillips@amd.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/Documentation/perf-record.txt | 4 ++++ + tools/perf/Documentation/perf-stat.txt | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/tools/perf/Documentation/perf-record.txt ++++ b/tools/perf/Documentation/perf-record.txt +@@ -33,6 +33,10 @@ OPTIONS + - a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a + hexadecimal event descriptor. + ++ - a symbolic or raw PMU event followed by an optional colon ++ and a list of event modifiers, e.g., cpu-cycles:p. See the ++ linkperf:perf-list[1] man page for details on event modifiers. ++ + - a symbolically formed PMU event like 'pmu/param1=0x3,param2/' where + 'param1', 'param2', etc are defined as formats for the PMU in + /sys/bus/event_source/devices//format/*. +--- a/tools/perf/Documentation/perf-stat.txt ++++ b/tools/perf/Documentation/perf-stat.txt +@@ -39,6 +39,10 @@ report:: + - a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a + hexadecimal event descriptor. + ++ - a symbolic or raw PMU event followed by an optional colon ++ and a list of event modifiers, e.g., cpu-cycles:p. See the ++ linkperf:perf-list[1] man page for details on event modifiers. ++ + - a symbolically formed event like 'pmu/param1=0x3,param2/' where + param1 and param2 are defined as formats for the PMU in + /sys/bus/event_sources/devices//format/*