From: Greg Kroah-Hartman Date: Thu, 29 Jun 2023 18:20:53 +0000 (+0200) Subject: 6.3-stable patches X-Git-Tag: v6.4.1~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=64f06d83c9ca2e6b4b9998701d173ccd2819ccbf;p=thirdparty%2Fkernel%2Fstable-queue.git 6.3-stable patches added patches: fbdev-fix-potential-oob-read-in-fast_imageblit.patch hid-hidraw-fix-data-race-on-device-refcount.patch hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch --- diff --git a/queue-6.3/fbdev-fix-potential-oob-read-in-fast_imageblit.patch b/queue-6.3/fbdev-fix-potential-oob-read-in-fast_imageblit.patch new file mode 100644 index 00000000000..3aa7ad4005d --- /dev/null +++ b/queue-6.3/fbdev-fix-potential-oob-read-in-fast_imageblit.patch @@ -0,0 +1,40 @@ +From c2d22806aecb24e2de55c30a06e5d6eb297d161d Mon Sep 17 00:00:00 2001 +From: Zhang Shurong +Date: Sun, 25 Jun 2023 00:16:49 +0800 +Subject: fbdev: fix potential OOB read in fast_imageblit() + +From: Zhang Shurong + +commit c2d22806aecb24e2de55c30a06e5d6eb297d161d upstream. + +There is a potential OOB read at fast_imageblit, for +"colortab[(*src >> 4)]" can become a negative value due to +"const char *s = image->data, *src". +This change makes sure the index for colortab always positive +or zero. + +Similar commit: +https://patchwork.kernel.org/patch/11746067 + +Potential bug report: +https://groups.google.com/g/syzkaller-bugs/c/9ubBXKeKXf4/m/k-QXy4UgAAAJ + +Signed-off-by: Zhang Shurong +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/sysimgblt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/core/sysimgblt.c ++++ b/drivers/video/fbdev/core/sysimgblt.c +@@ -189,7 +189,7 @@ static void fast_imageblit(const struct + u32 fgx = fgcolor, bgx = bgcolor, bpp = p->var.bits_per_pixel; + u32 ppw = 32/bpp, spitch = (image->width + 7)/8; + u32 bit_mask, eorx, shift; +- const char *s = image->data, *src; ++ const u8 *s = image->data, *src; + u32 *dst; + const u32 *tab; + size_t tablen; diff --git a/queue-6.3/hid-hidraw-fix-data-race-on-device-refcount.patch b/queue-6.3/hid-hidraw-fix-data-race-on-device-refcount.patch new file mode 100644 index 00000000000..415b0bf5644 --- /dev/null +++ b/queue-6.3/hid-hidraw-fix-data-race-on-device-refcount.patch @@ -0,0 +1,55 @@ +From 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b Mon Sep 17 00:00:00 2001 +From: Ludvig Michaelsson +Date: Wed, 21 Jun 2023 13:17:43 +0200 +Subject: HID: hidraw: fix data race on device refcount + +From: Ludvig Michaelsson + +commit 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b upstream. + +The hidraw_open() function increments the hidraw device reference +counter. The counter has no dedicated synchronization mechanism, +resulting in a potential data race when concurrently opening a device. + +The race is a regression introduced by commit 8590222e4b02 ("HID: +hidraw: Replace hidraw device table mutex with a rwsem"). While +minors_rwsem is intended to protect the hidraw_table itself, by instead +acquiring the lock for writing, the reference counter is also protected. +This is symmetrical to hidraw_release(). + +Link: https://github.com/systemd/systemd/issues/27947 +Fixes: 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem") +Cc: stable@vger.kernel.org +Signed-off-by: Ludvig Michaelsson +Link: https://lore.kernel.org/r/20230621-hidraw-race-v1-1-a58e6ac69bab@yubico.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hidraw.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -272,7 +272,12 @@ static int hidraw_open(struct inode *ino + goto out; + } + +- down_read(&minors_rwsem); ++ /* ++ * Technically not writing to the hidraw_table but a write lock is ++ * required to protect the device refcount. This is symmetrical to ++ * hidraw_release(). ++ */ ++ down_write(&minors_rwsem); + if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { + err = -ENODEV; + goto out_unlock; +@@ -301,7 +306,7 @@ static int hidraw_open(struct inode *ino + spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags); + file->private_data = list; + out_unlock: +- up_read(&minors_rwsem); ++ up_write(&minors_rwsem); + out: + if (err < 0) + kfree(list); diff --git a/queue-6.3/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch b/queue-6.3/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch new file mode 100644 index 00000000000..b3be96b888b --- /dev/null +++ b/queue-6.3/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch @@ -0,0 +1,34 @@ +From 5fe251112646d8626818ea90f7af325bab243efa Mon Sep 17 00:00:00 2001 +From: Mike Hommey +Date: Sun, 18 Jun 2023 08:09:57 +0900 +Subject: HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651. + +From: Mike Hommey + +commit 5fe251112646d8626818ea90f7af325bab243efa upstream. + +commit 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if +not necessary") put restarting communication behind that flag, and this +was apparently necessary on the T651, but the flag was not set for it. + +Fixes: 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if not necessary") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Hommey +Link: https://lore.kernel.org/r/20230617230957.6mx73th4blv7owqk@glandium.org +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-logitech-hidpp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -4364,7 +4364,7 @@ static const struct hid_device_id hidpp_ + { /* wireless touchpad T651 */ + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, + USB_DEVICE_ID_LOGITECH_T651), +- .driver_data = HIDPP_QUIRK_CLASS_WTP }, ++ .driver_data = HIDPP_QUIRK_CLASS_WTP | HIDPP_QUIRK_DELAYED_INIT }, + { /* Mouse Logitech Anywhere MX */ + LDJ_DEVICE(0x1017), .driver_data = HIDPP_QUIRK_HI_RES_SCROLL_1P0 }, + { /* Mouse logitech M560 */ diff --git a/queue-6.3/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch b/queue-6.3/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch new file mode 100644 index 00000000000..4ffd6d218c8 --- /dev/null +++ b/queue-6.3/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch @@ -0,0 +1,70 @@ +From 9a6c0e28e215535b2938c61ded54603b4e5814c5 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 8 Jun 2023 14:38:28 -0700 +Subject: HID: wacom: Use ktime_t rather than int when dealing with timestamps + +From: Jason Gerecke + +commit 9a6c0e28e215535b2938c61ded54603b4e5814c5 upstream. + +Code which interacts with timestamps needs to use the ktime_t type +returned by functions like ktime_get. The int type does not offer +enough space to store these values, and attempting to use it is a +recipe for problems. In this particular case, overflows would occur +when calculating/storing timestamps leading to incorrect values being +reported to userspace. In some cases these bad timestamps cause input +handling in userspace to appear hung. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/901 +Fixes: 17d793f3ed53 ("HID: wacom: insert timestamp to packed Bluetooth (BT) events") +CC: stable@vger.kernel.org +Signed-off-by: Jason Gerecke +Reviewed-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20230608213828.2108-1-jason.gerecke@wacom.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 6 +++--- + drivers/hid/wacom_wac.h | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1309,7 +1309,7 @@ static void wacom_intuos_pro2_bt_pen(str + struct input_dev *pen_input = wacom->pen_input; + unsigned char *data = wacom->data; + int number_of_valid_frames = 0; +- int time_interval = 15000000; ++ ktime_t time_interval = 15000000; + ktime_t time_packet_received = ktime_get(); + int i; + +@@ -1343,7 +1343,7 @@ static void wacom_intuos_pro2_bt_pen(str + if (number_of_valid_frames) { + if (wacom->hid_data.time_delayed) + time_interval = ktime_get() - wacom->hid_data.time_delayed; +- time_interval /= number_of_valid_frames; ++ time_interval = div_u64(time_interval, number_of_valid_frames); + wacom->hid_data.time_delayed = time_packet_received; + } + +@@ -1354,7 +1354,7 @@ static void wacom_intuos_pro2_bt_pen(str + bool range = frame[0] & 0x20; + bool invert = frame[0] & 0x10; + int frames_number_reversed = number_of_valid_frames - i - 1; +- int event_timestamp = time_packet_received - frames_number_reversed * time_interval; ++ ktime_t event_timestamp = time_packet_received - frames_number_reversed * time_interval; + + if (!valid) + continue; +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -324,7 +324,7 @@ struct hid_data { + int ps_connected; + bool pad_input_event_flag; + unsigned short sequence_number; +- int time_delayed; ++ ktime_t time_delayed; + }; + + struct wacom_remote_data { diff --git a/queue-6.3/series b/queue-6.3/series index fcec13792a1..1f679d4077f 100644 --- a/queue-6.3/series +++ b/queue-6.3/series @@ -23,3 +23,7 @@ mm-make-find_extend_vma-fail-if-write-lock-not-held.patch execve-expand-new-process-stack-manually-ahead-of-time.patch mm-always-expand-the-stack-with-the-mmap-write-lock-held.patch gup-add-warning-if-some-caller-would-seem-to-want-stack-expansion.patch +fbdev-fix-potential-oob-read-in-fast_imageblit.patch +hid-hidraw-fix-data-race-on-device-refcount.patch +hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch +hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch