From: Greg Kroah-Hartman Date: Fri, 16 Oct 2020 07:50:35 +0000 (+0200) Subject: 5.9-stable patches X-Git-Tag: v5.9.1~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=684e462ef66cadde54442a60ef22471e5df156c3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.9-stable patches added patches: media-usbtv-fix-refcounting-mixup.patch reiserfs-fix-oops-during-mount.patch reiserfs-initialize-inode-keys-properly.patch revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch staging-comedi-check-validity-of-wmaxpacketsize-of-usb-endpoints-found.patch usb-serial-ftdi_sio-add-support-for-freecalypso-jtag-uart-adapters.patch usb-serial-option-add-cellient-mpl200-card.patch usb-serial-option-add-telit-ft980-ks-composition.patch usb-serial-pl2303-add-device-id-for-hp-gc-device.patch vt_ioctl-make-vt_resizex-behave-like-vt_resize.patch --- diff --git a/queue-5.9/media-usbtv-fix-refcounting-mixup.patch b/queue-5.9/media-usbtv-fix-refcounting-mixup.patch new file mode 100644 index 00000000000..9c282192ba1 --- /dev/null +++ b/queue-5.9/media-usbtv-fix-refcounting-mixup.patch @@ -0,0 +1,39 @@ +From bf65f8aabdb37bc1a785884374e919477fe13e10 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 24 Sep 2020 11:14:10 +0200 +Subject: media: usbtv: Fix refcounting mixup + +From: Oliver Neukum + +commit bf65f8aabdb37bc1a785884374e919477fe13e10 upstream. + +The premature free in the error path is blocked by V4L +refcounting, not USB refcounting. Thanks to +Ben Hutchings for review. + +[v2] corrected attributions + +Signed-off-by: Oliver Neukum +Fixes: 50e704453553 ("media: usbtv: prevent double free in error case") +CC: stable@vger.kernel.org +Reported-by: Ben Hutchings +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/usbtv/usbtv-core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/usbtv/usbtv-core.c ++++ b/drivers/media/usb/usbtv/usbtv-core.c +@@ -113,7 +113,8 @@ static int usbtv_probe(struct usb_interf + + usbtv_audio_fail: + /* we must not free at this point */ +- usb_get_dev(usbtv->udev); ++ v4l2_device_get(&usbtv->v4l2_dev); ++ /* this will undo the v4l2_device_get() */ + usbtv_video_free(usbtv); + + usbtv_video_fail: diff --git a/queue-5.9/reiserfs-fix-oops-during-mount.patch b/queue-5.9/reiserfs-fix-oops-during-mount.patch new file mode 100644 index 00000000000..9229ba2e03a --- /dev/null +++ b/queue-5.9/reiserfs-fix-oops-during-mount.patch @@ -0,0 +1,55 @@ +From c2bb80b8bdd04dfe32364b78b61b6a47f717af52 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 30 Sep 2020 17:08:20 +0200 +Subject: reiserfs: Fix oops during mount + +From: Jan Kara + +commit c2bb80b8bdd04dfe32364b78b61b6a47f717af52 upstream. + +With suitably crafted reiserfs image and mount command reiserfs will +crash when trying to verify that XATTR_ROOT directory can be looked up +in / as that recurses back to xattr code like: + + xattr_lookup+0x24/0x280 fs/reiserfs/xattr.c:395 + reiserfs_xattr_get+0x89/0x540 fs/reiserfs/xattr.c:677 + reiserfs_get_acl+0x63/0x690 fs/reiserfs/xattr_acl.c:209 + get_acl+0x152/0x2e0 fs/posix_acl.c:141 + check_acl fs/namei.c:277 [inline] + acl_permission_check fs/namei.c:309 [inline] + generic_permission+0x2ba/0x550 fs/namei.c:353 + do_inode_permission fs/namei.c:398 [inline] + inode_permission+0x234/0x4a0 fs/namei.c:463 + lookup_one_len+0xa6/0x200 fs/namei.c:2557 + reiserfs_lookup_privroot+0x85/0x1e0 fs/reiserfs/xattr.c:972 + reiserfs_fill_super+0x2b51/0x3240 fs/reiserfs/super.c:2176 + mount_bdev+0x24f/0x360 fs/super.c:1417 + +Fix the problem by bailing from reiserfs_xattr_get() when xattrs are not +yet initialized. + +CC: stable@vger.kernel.org +Reported-by: syzbot+9b33c9b118d77ff59b6f@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/xattr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/reiserfs/xattr.c ++++ b/fs/reiserfs/xattr.c +@@ -674,6 +674,13 @@ reiserfs_xattr_get(struct inode *inode, + if (get_inode_sd_version(inode) == STAT_DATA_V1) + return -EOPNOTSUPP; + ++ /* ++ * priv_root needn't be initialized during mount so allow initial ++ * lookups to succeed. ++ */ ++ if (!REISERFS_SB(inode->i_sb)->priv_root) ++ return 0; ++ + dentry = xattr_lookup(inode, name, XATTR_REPLACE); + if (IS_ERR(dentry)) { + err = PTR_ERR(dentry); diff --git a/queue-5.9/reiserfs-initialize-inode-keys-properly.patch b/queue-5.9/reiserfs-initialize-inode-keys-properly.patch new file mode 100644 index 00000000000..6eac520ad03 --- /dev/null +++ b/queue-5.9/reiserfs-initialize-inode-keys-properly.patch @@ -0,0 +1,37 @@ +From 4443390e08d34d5771ab444f601cf71b3c9634a4 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 21 Sep 2020 15:08:50 +0200 +Subject: reiserfs: Initialize inode keys properly + +From: Jan Kara + +commit 4443390e08d34d5771ab444f601cf71b3c9634a4 upstream. + +reiserfs_read_locked_inode() didn't initialize key length properly. Use +_make_cpu_key() macro for key initialization so that all key member are +properly initialized. + +CC: stable@vger.kernel.org +Reported-by: syzbot+d94d02749498bb7bab4b@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/inode.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/fs/reiserfs/inode.c ++++ b/fs/reiserfs/inode.c +@@ -1551,11 +1551,7 @@ void reiserfs_read_locked_inode(struct i + * set version 1, version 2 could be used too, because stat data + * key is the same in both versions + */ +- key.version = KEY_FORMAT_3_5; +- key.on_disk_key.k_dir_id = dirino; +- key.on_disk_key.k_objectid = inode->i_ino; +- key.on_disk_key.k_offset = 0; +- key.on_disk_key.k_type = 0; ++ _make_cpu_key(&key, KEY_FORMAT_3_5, dirino, inode->i_ino, 0, 0, 3); + + /* look for the object's stat data */ + retval = search_item(inode->i_sb, &key, &path_to_sd); diff --git a/queue-5.9/revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch b/queue-5.9/revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch new file mode 100644 index 00000000000..e5293fdfbde --- /dev/null +++ b/queue-5.9/revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch @@ -0,0 +1,54 @@ +From 2456c290a7889be492cb96092b62d16c11176f72 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 30 Jul 2020 11:02:30 -0400 +Subject: Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs handlers" + +From: Alex Deucher + +commit 2456c290a7889be492cb96092b62d16c11176f72 upstream. + +This regressed some working configurations so revert it. Will +fix this properly for 5.9 and backport then. + +This reverts commit 38e0c89a19fd13f28d2b4721035160a3e66e270b. + +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c +@@ -796,7 +796,8 @@ static ssize_t amdgpu_set_pp_od_clk_volt + tmp_str++; + while (isspace(*++tmp_str)); + +- while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { ++ while (tmp_str[0]) { ++ sub_str = strsep(&tmp_str, delimiter); + ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); + if (ret) + return -EINVAL; +@@ -1066,7 +1067,8 @@ static ssize_t amdgpu_read_mask(const ch + memcpy(buf_cpy, buf, bytes); + buf_cpy[bytes] = '\0'; + tmp = buf_cpy; +- while ((sub_str = strsep(&tmp, delimiter)) != NULL) { ++ while (tmp[0]) { ++ sub_str = strsep(&tmp, delimiter); + if (strlen(sub_str)) { + ret = kstrtol(sub_str, 0, &level); + if (ret) +@@ -1695,7 +1697,8 @@ static ssize_t amdgpu_set_pp_power_profi + i++; + memcpy(buf_cpy, buf, count-i); + tmp_str = buf_cpy; +- while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { ++ while (tmp_str[0]) { ++ sub_str = strsep(&tmp_str, delimiter); + ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); + if (ret) + return -EINVAL; diff --git a/queue-5.9/series b/queue-5.9/series index a65f1aa58f1..752cdef8d2f 100644 --- a/queue-5.9/series +++ b/queue-5.9/series @@ -1,3 +1,13 @@ bluetooth-a2mp-fix-not-initializing-all-members.patch bluetooth-l2cap-fix-calling-sk_filter-on-non-socket-based-channel.patch bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch +media-usbtv-fix-refcounting-mixup.patch +usb-serial-option-add-cellient-mpl200-card.patch +usb-serial-option-add-telit-ft980-ks-composition.patch +staging-comedi-check-validity-of-wmaxpacketsize-of-usb-endpoints-found.patch +usb-serial-pl2303-add-device-id-for-hp-gc-device.patch +usb-serial-ftdi_sio-add-support-for-freecalypso-jtag-uart-adapters.patch +vt_ioctl-make-vt_resizex-behave-like-vt_resize.patch +reiserfs-initialize-inode-keys-properly.patch +reiserfs-fix-oops-during-mount.patch +revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch diff --git a/queue-5.9/staging-comedi-check-validity-of-wmaxpacketsize-of-usb-endpoints-found.patch b/queue-5.9/staging-comedi-check-validity-of-wmaxpacketsize-of-usb-endpoints-found.patch new file mode 100644 index 00000000000..4767a383e8e --- /dev/null +++ b/queue-5.9/staging-comedi-check-validity-of-wmaxpacketsize-of-usb-endpoints-found.patch @@ -0,0 +1,41 @@ +From e1f13c879a7c21bd207dc6242455e8e3a1e88b40 Mon Sep 17 00:00:00 2001 +From: Anant Thazhemadam +Date: Sat, 10 Oct 2020 13:59:32 +0530 +Subject: staging: comedi: check validity of wMaxPacketSize of usb endpoints found + +From: Anant Thazhemadam + +commit e1f13c879a7c21bd207dc6242455e8e3a1e88b40 upstream. + +While finding usb endpoints in vmk80xx_find_usb_endpoints(), check if +wMaxPacketSize = 0 for the endpoints found. + +Some devices have isochronous endpoints that have wMaxPacketSize = 0 +(as required by the USB-2 spec). +However, since this doesn't apply here, wMaxPacketSize = 0 can be +considered to be invalid. + +Reported-by: syzbot+009f546aa1370056b1c2@syzkaller.appspotmail.com +Tested-by: syzbot+009f546aa1370056b1c2@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Cc: stable +Link: https://lore.kernel.org/r/20201010082933.5417-1-anant.thazhemadam@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/vmk80xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -667,6 +667,9 @@ static int vmk80xx_find_usb_endpoints(st + if (!devpriv->ep_rx || !devpriv->ep_tx) + return -ENODEV; + ++ if (!usb_endpoint_maxp(devpriv->ep_rx) || !usb_endpoint_maxp(devpriv->ep_tx)) ++ return -EINVAL; ++ + return 0; + } + diff --git a/queue-5.9/usb-serial-ftdi_sio-add-support-for-freecalypso-jtag-uart-adapters.patch b/queue-5.9/usb-serial-ftdi_sio-add-support-for-freecalypso-jtag-uart-adapters.patch new file mode 100644 index 00000000000..66c8fc824a6 --- /dev/null +++ b/queue-5.9/usb-serial-ftdi_sio-add-support-for-freecalypso-jtag-uart-adapters.patch @@ -0,0 +1,73 @@ +From 6cf87e5edd9944e1d3b6efd966ea401effc304ee Mon Sep 17 00:00:00 2001 +From: "Mychaela N. Falconia" +Date: Wed, 16 Sep 2020 01:56:29 +0000 +Subject: USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters + +From: Mychaela N. Falconia + +commit 6cf87e5edd9944e1d3b6efd966ea401effc304ee upstream. + +There exist many FT2232-based JTAG+UART adapter designs in which +FT2232 Channel A is used for JTAG and Channel B is used for UART. +The best way to handle them in Linux is to have the ftdi_sio driver +create a ttyUSB device only for Channel B and not for Channel A: +a ttyUSB device for Channel A would be bogus and will disappear as +soon as the user runs OpenOCD or other applications that access +Channel A for JTAG from userspace, causing undesirable noise for +users. The ftdi_sio driver already has a dedicated quirk for such +JTAG+UART FT2232 adapters, and it requires assigning custom USB IDs +to such adapters and adding these IDs to the driver with the +ftdi_jtag_quirk applied. + +Boutique hardware manufacturer Falconia Partners LLC has created a +couple of JTAG+UART adapter designs (one buffered, one unbuffered) +as part of FreeCalypso project, and this hardware is specifically made +to be used with Linux hosts, with the intent that Channel A will be +accessed only from userspace via appropriate applications, and that +Channel B will be supported by the ftdi_sio kernel driver, presenting +a standard ttyUSB device to userspace. Toward this end the hardware +manufacturer will be programming FT2232 EEPROMs with custom USB IDs, +specifically with the intent that these IDs will be recognized by +the ftdi_sio driver with the ftdi_jtag_quirk applied. + +Signed-off-by: Mychaela N. Falconia +[johan: insert in PID order and drop unused define] +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 5 +++++ + drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++ + 2 files changed, 12 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1037,6 +1037,11 @@ static const struct usb_device_id id_tab + /* U-Blox devices */ + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) }, + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) }, ++ /* FreeCalypso USB adapters */ ++ { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { } /* Terminating entry */ + }; + +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -39,6 +39,13 @@ + + #define FTDI_LUMEL_PD12_PID 0x6002 + ++/* ++ * Custom USB adapters made by Falconia Partners LLC ++ * for FreeCalypso project, ID codes allocated to Falconia by FTDI. ++ */ ++#define FTDI_FALCONIA_JTAG_BUF_PID 0x7150 ++#define FTDI_FALCONIA_JTAG_UNBUF_PID 0x7151 ++ + /* Sienna Serial Interface by Secyourit GmbH */ + #define FTDI_SIENNA_PID 0x8348 + diff --git a/queue-5.9/usb-serial-option-add-cellient-mpl200-card.patch b/queue-5.9/usb-serial-option-add-cellient-mpl200-card.patch new file mode 100644 index 00000000000..0f58dd5e100 --- /dev/null +++ b/queue-5.9/usb-serial-option-add-cellient-mpl200-card.patch @@ -0,0 +1,40 @@ +From 3e765cab8abe7f84cb80d4a7a973fc97d5742647 Mon Sep 17 00:00:00 2001 +From: Wilken Gottwalt +Date: Sat, 3 Oct 2020 11:40:29 +0200 +Subject: USB: serial: option: add Cellient MPL200 card + +From: Wilken Gottwalt + +commit 3e765cab8abe7f84cb80d4a7a973fc97d5742647 upstream. + +Add usb ids of the Cellient MPL200 card. + +Signed-off-by: Wilken Gottwalt +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/3db5418fe9e516f4b290736c5a199c9796025e3c.1601715478.git.wilken.gottwalt@mailbox.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -528,6 +528,7 @@ static void option_instat_callback(struc + /* Cellient products */ + #define CELLIENT_VENDOR_ID 0x2692 + #define CELLIENT_PRODUCT_MEN200 0x9005 ++#define CELLIENT_PRODUCT_MPL200 0x9025 + + /* Hyundai Petatel Inc. products */ + #define PETATEL_VENDOR_ID 0x1ff4 +@@ -1982,6 +1983,8 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x02, 0x01) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x00, 0x00) }, + { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) }, ++ { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MPL200), ++ .driver_info = RSVD(1) | RSVD(4) }, + { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) }, + { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) }, + { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) }, /* TP-Link LTE Module */ diff --git a/queue-5.9/usb-serial-option-add-telit-ft980-ks-composition.patch b/queue-5.9/usb-serial-option-add-telit-ft980-ks-composition.patch new file mode 100644 index 00000000000..e423ac5c79e --- /dev/null +++ b/queue-5.9/usb-serial-option-add-telit-ft980-ks-composition.patch @@ -0,0 +1,37 @@ +From 924a9213358fb92fa3c3225d6d042aa058167405 Mon Sep 17 00:00:00 2001 +From: Leonid Bloch +Date: Sun, 4 Oct 2020 18:58:13 +0300 +Subject: USB: serial: option: Add Telit FT980-KS composition + +From: Leonid Bloch + +commit 924a9213358fb92fa3c3225d6d042aa058167405 upstream. + +This commit adds the following Telit FT980-KS composition: + +0x1054: rndis, diag, adb, nmea, modem, modem, aux + +AT commands can be sent to /dev/ttyUSB2. + +Signed-off-by: Leonid Bloch +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/ce86bc05-f4e2-b199-0cdc-792715e3f275@asocscloud.com +Link: https://lore.kernel.org/r/20201004155813.2342-1-lb.workbox@gmail.com +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1187,6 +1187,8 @@ static const struct usb_device_id option + .driver_info = NCTRL(2) | RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1053, 0xff), /* Telit FN980 (ECM) */ + .driver_info = NCTRL(0) | RSVD(1) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1054, 0xff), /* Telit FT980-KS */ ++ .driver_info = NCTRL(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), diff --git a/queue-5.9/usb-serial-pl2303-add-device-id-for-hp-gc-device.patch b/queue-5.9/usb-serial-pl2303-add-device-id-for-hp-gc-device.patch new file mode 100644 index 00000000000..74b34669ca9 --- /dev/null +++ b/queue-5.9/usb-serial-pl2303-add-device-id-for-hp-gc-device.patch @@ -0,0 +1,41 @@ +From 031f9664f8f9356cee662335bc56c93d16e75665 Mon Sep 17 00:00:00 2001 +From: Scott Chen +Date: Thu, 24 Sep 2020 14:27:45 +0800 +Subject: USB: serial: pl2303: add device-id for HP GC device + +From: Scott Chen + +commit 031f9664f8f9356cee662335bc56c93d16e75665 upstream. + +This is adds a device id for HP LD381 which is a pl2303GC-base device. + +Signed-off-by: Scott Chen +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/pl2303.c | 1 + + drivers/usb/serial/pl2303.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -100,6 +100,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LD381_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD381GC_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) }, +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -127,6 +127,7 @@ + + /* Hewlett-Packard POS Pole Displays */ + #define HP_VENDOR_ID 0x03f0 ++#define HP_LD381GC_PRODUCT_ID 0x0183 + #define HP_LM920_PRODUCT_ID 0x026b + #define HP_TD620_PRODUCT_ID 0x0956 + #define HP_LD960_PRODUCT_ID 0x0b39 diff --git a/queue-5.9/vt_ioctl-make-vt_resizex-behave-like-vt_resize.patch b/queue-5.9/vt_ioctl-make-vt_resizex-behave-like-vt_resize.patch new file mode 100644 index 00000000000..008f22b4df4 --- /dev/null +++ b/queue-5.9/vt_ioctl-make-vt_resizex-behave-like-vt_resize.patch @@ -0,0 +1,115 @@ +From 988d0763361bb65690d60e2bc53a6b72777040c3 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sun, 27 Sep 2020 20:46:30 +0900 +Subject: vt_ioctl: make VT_RESIZEX behave like VT_RESIZE + +From: Tetsuo Handa + +commit 988d0763361bb65690d60e2bc53a6b72777040c3 upstream. + +syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for +vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than +actual font height calculated by con_font_set() from ioctl(PIO_FONT). +Since fbcon_set_font() from con_font_set() allocates minimal amount of +memory based on actual font height calculated by con_font_set(), +use of vt_resizex() can cause UAF/OOB read for font data. + +VT_RESIZEX was introduced in Linux 1.3.3, but it is unclear that what +comes to the "+ more" part, and I couldn't find a user of VT_RESIZEX. + + #define VT_RESIZE 0x5609 /* set kernel's idea of screensize */ + #define VT_RESIZEX 0x560A /* set kernel's idea of screensize + more */ + +So far we are not aware of syzbot reports caused by setting non-zero value +to v_vlin parameter. But given that it is possible that nobody is using +VT_RESIZEX, we can try removing support for v_clin and v_vlin parameters. + +Therefore, this patch effectively makes VT_RESIZEX behave like VT_RESIZE, +with emitting a message if somebody is still using v_clin and/or v_vlin +parameters. + +[1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837 +[2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3 + +Reported-by: syzbot +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Cc: stable +Link: https://lore.kernel.org/r/4933b81b-9b1a-355b-df0e-9b31e8280ab9@i-love.sakura.ne.jp +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt_ioctl.c | 57 ++++++++-------------------------------------- + 1 file changed, 10 insertions(+), 47 deletions(-) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -773,58 +773,21 @@ static int vt_resizex(struct vc_data *vc + if (copy_from_user(&v, cs, sizeof(struct vt_consize))) + return -EFAULT; + +- /* FIXME: Should check the copies properly */ +- if (!v.v_vlin) +- v.v_vlin = vc->vc_scan_lines; +- +- if (v.v_clin) { +- int rows = v.v_vlin / v.v_clin; +- if (v.v_rows != rows) { +- if (v.v_rows) /* Parameters don't add up */ +- return -EINVAL; +- v.v_rows = rows; +- } +- } +- +- if (v.v_vcol && v.v_ccol) { +- int cols = v.v_vcol / v.v_ccol; +- if (v.v_cols != cols) { +- if (v.v_cols) +- return -EINVAL; +- v.v_cols = cols; +- } +- } +- +- if (v.v_clin > 32) +- return -EINVAL; ++ if (v.v_vlin) ++ pr_info_once("\"struct vt_consize\"->v_vlin is ignored. Please report if you need this.\n"); ++ if (v.v_clin) ++ pr_info_once("\"struct vt_consize\"->v_clin is ignored. Please report if you need this.\n"); + ++ console_lock(); + for (i = 0; i < MAX_NR_CONSOLES; i++) { +- struct vc_data *vcp; +- +- if (!vc_cons[i].d) +- continue; +- console_lock(); +- vcp = vc_cons[i].d; +- if (vcp) { +- int ret; +- int save_scan_lines = vcp->vc_scan_lines; +- int save_font_height = vcp->vc_font.height; ++ vc = vc_cons[i].d; + +- if (v.v_vlin) +- vcp->vc_scan_lines = v.v_vlin; +- if (v.v_clin) +- vcp->vc_font.height = v.v_clin; +- vcp->vc_resize_user = 1; +- ret = vc_resize(vcp, v.v_cols, v.v_rows); +- if (ret) { +- vcp->vc_scan_lines = save_scan_lines; +- vcp->vc_font.height = save_font_height; +- console_unlock(); +- return ret; +- } ++ if (vc) { ++ vc->vc_resize_user = 1; ++ vc_resize(vc, v.v_cols, v.v_rows); + } +- console_unlock(); + } ++ console_unlock(); + + return 0; + }