From: Greg Kroah-Hartman
Date: Mon, 20 Mar 2023 14:20:31 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.14.311~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4cac278bcc8fdf571b6213bede3b5fb0ea756ce4;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches
added patches:
hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch
hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch
---
diff --git a/queue-5.4/hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch b/queue-5.4/hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch
new file mode 100644
index 00000000000..f5125f8b026
--- /dev/null
+++ b/queue-5.4/hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch
@@ -0,0 +1,110 @@
+From stable-owner@vger.kernel.org Mon Mar 20 14:06:54 2023
+From: Lee Jones
+Date: Mon, 20 Mar 2023 13:06:31 +0000
+Subject: HID: core: Provide new max_buffer_size attribute to over-ride the default
+To: lee@kernel.org
+Cc: stable@vger.kernel.org, Jiri Kosina , Greg Kroah-Hartman
+Message-ID: <20230320130632.2770364-1-lee@kernel.org>
+
+From: Lee Jones
+
+commit b1a37ed00d7908a991c1d0f18a8cba3c2aa99bdc upstream.
+
+Presently, when a report is processed, its proposed size, provided by
+the user of the API (as Report Size * Report Count) is compared against
+the subsystem default HID_MAX_BUFFER_SIZE (16k). However, some
+low-level HID drivers allocate a reduced amount of memory to their
+buffers (e.g. UHID only allocates UHID_DATA_MAX (4k) buffers), rending
+this check inadequate in some cases.
+
+In these circumstances, if the received report ends up being smaller
+than the proposed report size, the remainder of the buffer is zeroed.
+That is, the space between sizeof(csize) (size of the current report)
+and the rsize (size proposed i.e. Report Size * Report Count), which can
+be handled up to HID_MAX_BUFFER_SIZE (16k). Meaning that memset()
+shoots straight past the end of the buffer boundary and starts zeroing
+out in-use values, often resulting in calamity.
+
+This patch introduces a new variable into 'struct hid_ll_driver' where
+individual low-level drivers can over-ride the default maximum value of
+HID_MAX_BUFFER_SIZE (16k) with something more sympathetic to the
+interface.
+
+Signed-off-by: Lee Jones
+Signed-off-by: Jiri Kosina
+[Lee: Backported to v5.10.y]
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-core.c | 18 +++++++++++++-----
+ include/linux/hid.h | 3 +++
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -258,6 +258,7 @@ static int hid_add_field(struct hid_pars
+ {
+ struct hid_report *report;
+ struct hid_field *field;
++ unsigned int max_buffer_size = HID_MAX_BUFFER_SIZE;
+ unsigned int usages;
+ unsigned int offset;
+ unsigned int i;
+@@ -288,8 +289,11 @@ static int hid_add_field(struct hid_pars
+ offset = report->size;
+ report->size += parser->global.report_size * parser->global.report_count;
+
++ if (parser->device->ll_driver->max_buffer_size)
++ max_buffer_size = parser->device->ll_driver->max_buffer_size;
++
+ /* Total size check: Allow for possible report index byte */
+- if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
++ if (report->size > (max_buffer_size - 1) << 3) {
+ hid_err(parser->device, "report is too long\n");
+ return -1;
+ }
+@@ -1745,6 +1749,7 @@ int hid_report_raw_event(struct hid_devi
+ struct hid_report_enum *report_enum = hid->report_enum + type;
+ struct hid_report *report;
+ struct hid_driver *hdrv;
++ int max_buffer_size = HID_MAX_BUFFER_SIZE;
+ unsigned int a;
+ u32 rsize, csize = size;
+ u8 *cdata = data;
+@@ -1761,10 +1766,13 @@ int hid_report_raw_event(struct hid_devi
+
+ rsize = hid_compute_report_size(report);
+
+- if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
+- rsize = HID_MAX_BUFFER_SIZE - 1;
+- else if (rsize > HID_MAX_BUFFER_SIZE)
+- rsize = HID_MAX_BUFFER_SIZE;
++ if (hid->ll_driver->max_buffer_size)
++ max_buffer_size = hid->ll_driver->max_buffer_size;
++
++ if (report_enum->numbered && rsize >= max_buffer_size)
++ rsize = max_buffer_size - 1;
++ else if (rsize > max_buffer_size)
++ rsize = max_buffer_size;
+
+ if (csize < rsize) {
+ dbg_hid("report %d is too short, (%d < %d)\n", report->id,
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -796,6 +796,7 @@ struct hid_driver {
+ * @raw_request: send raw report request to device (e.g. feature report)
+ * @output_report: send output report to device
+ * @idle: send idle request to device
++ * @max_buffer_size: over-ride maximum data buffer size (default: HID_MAX_BUFFER_SIZE)
+ */
+ struct hid_ll_driver {
+ int (*start)(struct hid_device *hdev);
+@@ -820,6 +821,8 @@ struct hid_ll_driver {
+ int (*output_report) (struct hid_device *hdev, __u8 *buf, size_t len);
+
+ int (*idle)(struct hid_device *hdev, int report, int idle, int reqtype);
++
++ unsigned int max_buffer_size;
+ };
+
+ extern struct hid_ll_driver i2c_hid_ll_driver;
diff --git a/queue-5.4/hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch b/queue-5.4/hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch
new file mode 100644
index 00000000000..3ef4104700b
--- /dev/null
+++ b/queue-5.4/hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch
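Review bot: In the hid_report_raw_event part of the hid-core patch the new local is declared `int max_buffer_size`, while the `hid_ll_driver` field, the matching local in hid_add_field and `rsize` (u32) are all unsigned; `unsigned int max_buffer_size = HID_MAX_BUFFER_SIZE;` would keep the clamp free of mixed-sign comparisons. Both functions also take any non-zero driver value as-is, so a value above HID_MAX_BUFFER_SIZE would widen the limit rather than narrow it; whether any core buffer is still sized from the default is not visible here, so either cap the override or state the constraint. The `@max_buffer_size` kernel-doc line could say that 0 selects the default and that the value must not exceed the smallest buffer the driver hands to the core, since the zero-fill described in the commit message relies on it. Both function bodies start and end outside their hunks.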
@@ -0,0 +1,35 @@
+From stable-owner@vger.kernel.org Mon Mar 20 14:06:53 2023
+From: Lee Jones
+Date: Mon, 20 Mar 2023 13:06:32 +0000
+Subject: HID: uhid: Over-ride the default maximum data buffer value with our own
+To: lee@kernel.org
+Cc: stable@vger.kernel.org, Jiri Kosina , Greg Kroah-Hartman
+Message-ID: <20230320130632.2770364-2-lee@kernel.org>
+
+From: Lee Jones
+
+commit 1c5d4221240a233df2440fe75c881465cdf8da07 upstream.
+
+The default maximum data buffer size for this interface is UHID_DATA_MAX
+(4k). When data buffers are being processed, ensure this value is used
+when ensuring the sanity, rather than a value between the user provided
+value and HID_MAX_BUFFER_SIZE (16k).
+
+Signed-off-by: Lee Jones
+Signed-off-by: Jiri Kosina
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/uhid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -395,6 +395,7 @@ struct hid_ll_driver uhid_hid_driver = {
+ .parse = uhid_hid_parse,
+ .raw_request = uhid_hid_raw_request,
+ .output_report = uhid_hid_output_report,
++ .max_buffer_size = UHID_DATA_MAX,
+ };
+ EXPORT_SYMBOL_GPL(uhid_hid_driver);
+
diff --git a/queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch b/queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
deleted file mode 100644
index b6bb8d75e6d..00000000000
--- a/queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From pchelkin@ispras.ru Mon Mar 20 14:30:30 2023
-From: Fedor Pchelkin
-Date: Thu, 16 Mar 2023 21:56:16 +0300
-Subject: io_uring: avoid null-ptr-deref in io_arm_poll_handler
-To: Jens Axboe , Greg Kroah-Hartman , stable@vger.kernel.org
-Cc: Fedor Pchelkin , linux-kernel@vger.kernel.org, Alexey Khoroshilov , lvc-project@linuxtesting.org
-Message-ID: <20230316185616.271024-1-pchelkin@ispras.ru>
-
-From: Fedor Pchelkin
-
-No upstream commit exists for this commit.
-
-The issue was introduced with backporting upstream commit c16bda37594f
-("io_uring/poll: allow some retries for poll triggering spuriously").
-
-Memory allocation can possibly fail causing invalid pointer be
-dereferenced just before comparing it to NULL value.
-
-Move the pointer check in proper place (upstream has the similar location
-of the check). In case the request has REQ_F_POLLED flag up, apoll can't
-be NULL so no need to check there.
-
-Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
-
-Signed-off-by: Fedor Pchelkin
-Signed-off-by: Greg Kroah-Hartman
----
- io_uring/io_uring.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
-index 445afda927f4..fd799567fc23 100644
---- a/io_uring/io_uring.c
-+++ b/io_uring/io_uring.c
-@@ -5792,10 +5792,10 @@ static int io_arm_poll_handler(struct io_kiocb *req)
- }
- } else {
- apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
-+ if (unlikely(!apoll))
-+ return IO_APOLL_ABORTED;
- apoll->poll.retries = APOLL_MAX_RETRY;
- }
-- if (unlikely(!apoll))
-- return IO_APOLL_ABORTED;
- apoll->double_poll = NULL;
- req->apoll = apoll;
- req->flags |= REQ_F_POLLED;
---
-2.34.1
-
diff --git a/queue-5.4/series b/queue-5.4/series
index 2162ed5b336..94e204a35b4 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -56,4 +56,5 @@ drm-i915-don-t-use-stolen-memory-for-ring-buffers-with-llc.patch
 serial-8250_em-fix-uart-port-type.patch
 s390-ipl-add-missing-intersection-check-to-ipl_report-handling.patch
 pci-unify-delay-handling-for-reset-and-resume.patch
-io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
+hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch
+hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch