From: Greg Kroah-Hartman Date: Fri, 7 Aug 2020 14:04:09 +0000 (+0200) Subject: 5.7-stable patches X-Git-Tag: v4.19.139~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9818ac955d607bbb7820aa372419514eba6969a7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.7-stable patches added patches: alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch alsa-seq-oss-serialize-ioctls.patch binder-prevent-context-manager-from-incrementing-ref-0.patch bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch gpio-max77620-fix-missing-release-of-interrupt.patch leds-88pm860x-fix-use-after-free-on-unbind.patch leds-da903x-fix-use-after-free-on-unbind.patch leds-lm3533-fix-use-after-free-on-unbind.patch leds-lm36274-fix-use-after-free-on-unbind.patch leds-wm831x-status-fix-use-after-free-on-unbind.patch lkdtm-heap-avoid-edge-and-middle-of-slabs.patch mtd-properly-check-all-write-ioctls-for-permissions.patch omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch scripts-add-dummy-report-mode-to-add_namespace.cocci.patch smack-fix-use-after-free-in-smk_write_relabel_self.patch staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch staging-rtl8712-handle-firmware-load-failure.patch usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch usb-xhci-define-ids-for-various-asmedia-host-controllers.patch usb-xhci-fix-asmedia-asm1142-dma-addressing.patch vgacon-fix-for-missing-check-in-scrollback-handling.patch --- 
diff --git a/queue-5.7/alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch b/queue-5.7/alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch new file mode 100644 index 00000000000..850aab54027 --- /dev/null +++ b/queue-5.7/alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch @@ -0,0 +1,31 @@ +From cc5edb1bd3f7bfe450f767b12423f6673822427b Mon Sep 17 00:00:00 2001 +From: Connor McAdams +Date: Sun, 2 Aug 2020 20:29:26 -0400 +Subject: ALSA: hda/ca0132 - Add new quirk ID for Recon3D. + +From: Connor McAdams + +commit cc5edb1bd3f7bfe450f767b12423f6673822427b upstream. + +Add a new quirk ID for the Recon3D, as tested by me. + +Signed-off-by: Connor McAdams +Cc: +Link: https://lore.kernel.org/r/20200803002928.8638-2-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1182,6 +1182,7 @@ static const struct snd_pci_quirk ca0132 + SND_PCI_QUIRK(0x1458, 0xA036, "Gigabyte GA-Z170X-Gaming 7", QUIRK_R3DI), + SND_PCI_QUIRK(0x3842, 0x1038, "EVGA X99 Classified", QUIRK_R3DI), + SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D), ++ SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D), + SND_PCI_QUIRK(0x1102, 0x0051, "Sound Blaster AE-5", QUIRK_AE5), + {} + }; diff --git a/queue-5.7/alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch b/queue-5.7/alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch new file mode 100644 index 00000000000..18613f41d6c --- /dev/null +++ b/queue-5.7/alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch 
@@ -0,0 +1,51 @@ +From 7fe3530427e52dd53cd7366914864e29215180a4 Mon Sep 17 00:00:00 2001 +From: Connor McAdams +Date: Sun, 2 Aug 2020 20:29:27 -0400 +Subject: ALSA: hda/ca0132 - Fix AE-5 microphone selection commands. + +From: Connor McAdams + +commit 7fe3530427e52dd53cd7366914864e29215180a4 upstream. + +The ca0113 command had the wrong group_id, 0x48 when it should've been +0x30. The front microphone selection should now work. + +Signed-off-by: Connor McAdams +Cc: +Link: https://lore.kernel.org/r/20200803002928.8638-3-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4672,7 +4672,7 @@ static int ca0132_alt_select_in(struct h + tmp = FLOAT_ONE; + break; + case QUIRK_AE5: +- ca0113_mmio_command_set(codec, 0x48, 0x28, 0x00); ++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00); + tmp = FLOAT_THREE; + break; + default: +@@ -4718,7 +4718,7 @@ static int ca0132_alt_select_in(struct h + r3di_gpio_mic_set(codec, R3DI_REAR_MIC); + break; + case QUIRK_AE5: +- ca0113_mmio_command_set(codec, 0x48, 0x28, 0x00); ++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00); + break; + default: + break; +@@ -4757,7 +4757,7 @@ static int ca0132_alt_select_in(struct h + tmp = FLOAT_ONE; + break; + case QUIRK_AE5: +- ca0113_mmio_command_set(codec, 0x48, 0x28, 0x3f); ++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x3f); + tmp = FLOAT_THREE; + break; + default: diff --git a/queue-5.7/alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch b/queue-5.7/alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch new file mode 100644 index 00000000000..6124618e206 --- /dev/null +++ b/queue-5.7/alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch 
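Review bot: The group id `0x30` handed to `ca0113_mmio_command_set()` in the three `QUIRK_AE5` arms of `ca0132_alt_select_in()` stays a bare literal at every call site, which is how the 0x48/0x30 mismatch this patch corrects could happen in the first place and how it can recur the next time one arm is edited alone. A named constant beside the other ca0113 command ids, e.g. `#define CA0113_AE5_MIC_SEL_GROUP 0x30 /* AE-5 microphone selection group */`, used in all three calls would keep them in step; the `0x28` register and the `0x00`/`0x3f` values are likewise unnamed, so the same treatment there is worth considering. The commit message only tells us that `0x30` is the group that makes front-mic selection work, so any longer description of what `0x28` and the two values mean would have to be confirmed against the hardware notes. `ca0132_alt_select_in()` begins and ends outside the hunk.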
@@ -0,0 +1,37 @@ +From a00dc409de455b64e6cb2f6d40cdb8237cdb2e83 Mon Sep 17 00:00:00 2001 +From: Connor McAdams +Date: Sun, 2 Aug 2020 20:29:25 -0400 +Subject: ALSA: hda/ca0132 - Fix ZxR Headphone gain control get value. + +From: Connor McAdams + +commit a00dc409de455b64e6cb2f6d40cdb8237cdb2e83 upstream. + +When the ZxR headphone gain control was added, the ca0132_switch_get +function was not updated, which meant that the changes to the control +state were not saved when entering/exiting alsamixer. + +Signed-off-by: Connor McAdams +Cc: +Link: https://lore.kernel.org/r/20200803002928.8638-1-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -5749,6 +5749,11 @@ static int ca0132_switch_get(struct snd_ + return 0; + } + ++ if (nid == ZXR_HEADPHONE_GAIN) { ++ *valp = spec->zxr_gain_set; ++ return 0; ++ } ++ + return 0; + } + diff --git a/queue-5.7/alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch b/queue-5.7/alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch new file mode 100644 index 00000000000..bc9a4a92619 --- /dev/null +++ b/queue-5.7/alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch 
@@ -0,0 +1,184 @@ +From f1ec5be17b9aafbc5f573da023850566b43d8e5e Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Sun, 2 Aug 2020 17:26:40 +0800 +Subject: ALSA: hda/realtek: Add alc269/alc662 pin-tables for Loongson-3 laptops + +From: Huacai Chen + +commit f1ec5be17b9aafbc5f573da023850566b43d8e5e upstream. + +There are several Loongson-3 based laptops produced by CZC or Lemote, +they use alc269/alc662 codecs and need specific pin-tables, this patch +add their pin-tables. + +Signed-off-by: Huacai Chen +Cc: +Link: https://lore.kernel.org/r/1596360400-32425-1-git-send-email-chenhc@lemote.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 114 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 114 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6131,6 +6131,11 @@ enum { + ALC289_FIXUP_ASUS_GA502, + ALC256_FIXUP_ACER_MIC_NO_PRESENCE, + ALC285_FIXUP_HP_GPIO_AMP_INIT, ++ ALC269_FIXUP_CZC_B20, ++ ALC269_FIXUP_CZC_TMI, ++ ALC269_FIXUP_CZC_L101, ++ ALC269_FIXUP_LEMOTE_A1802, ++ ALC269_FIXUP_LEMOTE_A190X, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -7369,6 +7374,89 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC285_FIXUP_HP_GPIO_LED + }, ++ [ALC269_FIXUP_CZC_B20] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x12, 0x411111f0 }, ++ { 0x14, 0x90170110 }, /* speaker */ ++ { 0x15, 0x032f1020 }, /* HP out */ ++ { 0x17, 0x411111f0 }, ++ { 0x18, 0x03ab1040 }, /* mic */ ++ { 0x19, 0xb7a7013f }, ++ { 0x1a, 0x0181305f }, ++ { 0x1b, 0x411111f0 }, ++ { 0x1d, 0x411111f0 }, ++ { 0x1e, 0x411111f0 }, ++ { } ++ }, ++ .chain_id = ALC269_FIXUP_DMIC, ++ }, ++ [ALC269_FIXUP_CZC_TMI] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x12, 0x4000c000 }, ++ { 0x14, 0x90170110 }, /* speaker */ ++ { 0x15, 0x0421401f }, /* HP out */ ++ { 0x17, 0x411111f0 }, ++ { 0x18, 
0x04a19020 }, /* mic */ ++ { 0x19, 0x411111f0 }, ++ { 0x1a, 0x411111f0 }, ++ { 0x1b, 0x411111f0 }, ++ { 0x1d, 0x40448505 }, ++ { 0x1e, 0x411111f0 }, ++ { 0x20, 0x8000ffff }, ++ { } ++ }, ++ .chain_id = ALC269_FIXUP_DMIC, ++ }, ++ [ALC269_FIXUP_CZC_L101] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x12, 0x40000000 }, ++ { 0x14, 0x01014010 }, /* speaker */ ++ { 0x15, 0x411111f0 }, /* HP out */ ++ { 0x16, 0x411111f0 }, ++ { 0x18, 0x01a19020 }, /* mic */ ++ { 0x19, 0x02a19021 }, ++ { 0x1a, 0x0181302f }, ++ { 0x1b, 0x0221401f }, ++ { 0x1c, 0x411111f0 }, ++ { 0x1d, 0x4044c601 }, ++ { 0x1e, 0x411111f0 }, ++ { } ++ }, ++ .chain_id = ALC269_FIXUP_DMIC, ++ }, ++ [ALC269_FIXUP_LEMOTE_A1802] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x12, 0x40000000 }, ++ { 0x14, 0x90170110 }, /* speaker */ ++ { 0x17, 0x411111f0 }, ++ { 0x18, 0x03a19040 }, /* mic1 */ ++ { 0x19, 0x90a70130 }, /* mic2 */ ++ { 0x1a, 0x411111f0 }, ++ { 0x1b, 0x411111f0 }, ++ { 0x1d, 0x40489d2d }, ++ { 0x1e, 0x411111f0 }, ++ { 0x20, 0x0003ffff }, ++ { 0x21, 0x03214020 }, ++ { } ++ }, ++ .chain_id = ALC269_FIXUP_DMIC, ++ }, ++ [ALC269_FIXUP_LEMOTE_A190X] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x14, 0x99130110 }, /* speaker */ ++ { 0x15, 0x0121401f }, /* HP out */ ++ { 0x18, 0x01a19c20 }, /* rear mic */ ++ { 0x19, 0x99a3092f }, /* front mic */ ++ { 0x1b, 0x0201401f }, /* front lineout */ ++ { } ++ }, ++ .chain_id = ALC269_FIXUP_DMIC, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -7658,9 +7746,14 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), + SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS), ++ SND_PCI_QUIRK(0x1b35, 0x1235, "CZC B20", ALC269_FIXUP_CZC_B20), ++ SND_PCI_QUIRK(0x1b35, 0x1236, "CZC TMI", 
ALC269_FIXUP_CZC_TMI), ++ SND_PCI_QUIRK(0x1b35, 0x1237, "CZC L101", ALC269_FIXUP_CZC_L101), + SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */ + SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x10ec, 0x118c, "Medion EE4254 MD62100", ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802), ++ SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X), + + #if 0 + /* Below is a quirk table taken from the old code. +@@ -8916,6 +9009,7 @@ enum { + ALC662_FIXUP_LED_GPIO1, + ALC662_FIXUP_IDEAPAD, + ALC272_FIXUP_MARIO, ++ ALC662_FIXUP_CZC_ET26, + ALC662_FIXUP_CZC_P10T, + ALC662_FIXUP_SKU_IGNORE, + ALC662_FIXUP_HP_RP5800, +@@ -8985,6 +9079,25 @@ static const struct hda_fixup alc662_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc272_fixup_mario, + }, ++ [ALC662_FIXUP_CZC_ET26] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ {0x12, 0x403cc000}, ++ {0x14, 0x90170110}, /* speaker */ ++ {0x15, 0x411111f0}, ++ {0x16, 0x411111f0}, ++ {0x18, 0x01a19030}, /* mic */ ++ {0x19, 0x90a7013f}, /* int-mic */ ++ {0x1a, 0x01014020}, ++ {0x1b, 0x0121401f}, ++ {0x1c, 0x411111f0}, ++ {0x1d, 0x411111f0}, ++ {0x1e, 0x40478e35}, ++ {} ++ }, ++ .chained = true, ++ .chain_id = ALC662_FIXUP_SKU_IGNORE ++ }, + [ALC662_FIXUP_CZC_P10T] = { + .type = HDA_FIXUP_VERBS, + .v.verbs = (const struct hda_verb[]) { +@@ -9368,6 +9481,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1849, 0x5892, "ASRock B150M", ALC892_FIXUP_ASROCK_MOBO), + SND_PCI_QUIRK(0x19da, 0xa130, "Zotac Z68", ALC662_FIXUP_ZOTAC_Z68), + SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON), ++ SND_PCI_QUIRK(0x1b35, 0x1234, "CZC ET26", ALC662_FIXUP_CZC_ET26), + SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T), + SND_PCI_QUIRK(0x1025, 0x0566, "Acer Aspire Ethos 8951G", 
ALC669_FIXUP_ACER_ASPIRE_ETHOS), + diff --git a/queue-5.7/alsa-seq-oss-serialize-ioctls.patch b/queue-5.7/alsa-seq-oss-serialize-ioctls.patch new file mode 100644 index 00000000000..ec2b76a4bcc --- /dev/null +++ b/queue-5.7/alsa-seq-oss-serialize-ioctls.patch @@ -0,0 +1,51 @@ +From 80982c7e834e5d4e325b6ce33757012ecafdf0bb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 4 Aug 2020 20:58:15 +0200 +Subject: ALSA: seq: oss: Serialize ioctls + +From: Takashi Iwai + +commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. + +Some ioctls via OSS sequencer API may race and lead to UAF when the +port create and delete are performed concurrently, as spotted by a +couple of syzkaller cases. This patch is an attempt to address it by +serializing the ioctls with the existing register_mutex. + +Basically OSS sequencer API is an obsoleted interface and was designed +without much consideration of the concurrency. There are very few +applications with it, and the concurrent performance isn't asked, +hence this "big hammer" approach should be good enough. + +Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com +Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com +Suggested-by: Hillf Danton +Cc: +Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/oss/seq_oss.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -168,10 +168,16 @@ static long + odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + struct seq_oss_devinfo *dp; ++ long rc; ++ + dp = file->private_data; + if (snd_BUG_ON(!dp)) + return -ENXIO; +- return snd_seq_oss_ioctl(dp, cmd, arg); ++ ++ mutex_lock(®ister_mutex); ++ rc = snd_seq_oss_ioctl(dp, cmd, arg); ++ mutex_unlock(®ister_mutex); ++ return rc; + } + + #ifdef CONFIG_COMPAT 
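Review bot: The new `mutex_lock(&register_mutex)` / `mutex_unlock()` pair in `odev_ioctl()` reuses a lock whose name describes device registration, and nothing at the call site says it is now also the serializer for every OSS sequencer ioctl; a one-line comment above the lock, e.g. `/* serialize all OSS seq ioctls: concurrent port create/delete otherwise races (UAF, syzbot) */`, would stop a later cleanup from narrowing the critical section again. The hunk ends at `#ifdef CONFIG_COMPAT`, so it is not visible here whether the compat ioctl handler routes through `odev_ioctl()`; if it calls `snd_seq_oss_ioctl()` directly it needs the same lock, otherwise the race is still open on compat tasks. Note also that `®ister_mutex` in this rendering is almost certainly `&register_mutex` mangled by HTML-entity decoding of `&reg`, not what the patch contains.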
diff --git a/queue-5.7/binder-prevent-context-manager-from-incrementing-ref-0.patch b/queue-5.7/binder-prevent-context-manager-from-incrementing-ref-0.patch new file mode 100644 index 00000000000..91fef8a4aab --- /dev/null +++ b/queue-5.7/binder-prevent-context-manager-from-incrementing-ref-0.patch 
@@ -0,0 +1,92 @@ +From 4b836a1426cb0f1ef2a6e211d7e553221594f8fc Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 27 Jul 2020 14:04:24 +0200 +Subject: binder: Prevent context manager from incrementing ref 0 + +From: Jann Horn + +commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream. + +Binder is designed such that a binder_proc never has references to +itself. If this rule is violated, memory corruption can occur when a +process sends a transaction to itself; see e.g. +. + +There is a remaining edgecase through which such a transaction-to-self +can still occur from the context of a task with BINDER_SET_CONTEXT_MGR +access: + + - task A opens /dev/binder twice, creating binder_proc instances P1 + and P2 + - P1 becomes context manager + - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its + handle table + - P1 dies (by closing the /dev/binder fd and waiting a bit) + - P2 becomes context manager + - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its + handle table + [this triggers a warning: "binder: 1974:1974 tried to acquire + reference to desc 0, got 1 instead"] + - task B opens /dev/binder once, creating binder_proc instance P3 + - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way + transaction) + - P2 receives the handle and uses it to call P3 (two-way transaction) + - P3 calls P2 (via magic handle 0) (two-way transaction) + - P2 calls P2 (via handle 1) (two-way transaction) + +And then, if P2 does *NOT* accept the incoming transaction work, but +instead closes the binder fd, we get a crash. + +Solve it by preventing the context manager from using ACQUIRE on ref 0. +There shouldn't be any legitimate reason for the context manager to do +that. + +Additionally, print a warning if someone manages to find another way to +trigger a transaction-to-self bug in the future. 
+ +Cc: stable@vger.kernel.org +Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") +Acked-by: Todd Kjos +Signed-off-by: Jann Horn +Reviewed-by: Martijn Coenen +Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2982,6 +2982,12 @@ static void binder_transaction(struct bi + goto err_dead_binder; + } + e->to_node = target_node->debug_id; ++ if (WARN_ON(proc == target_proc)) { ++ return_error = BR_FAILED_REPLY; ++ return_error_param = -EINVAL; ++ return_error_line = __LINE__; ++ goto err_invalid_target_handle; ++ } + if (security_binder_transaction(proc->tsk, + target_proc->tsk) < 0) { + return_error = BR_FAILED_REPLY; +@@ -3635,10 +3641,17 @@ static int binder_thread_write(struct bi + struct binder_node *ctx_mgr_node; + mutex_lock(&context->context_mgr_node_lock); + ctx_mgr_node = context->binder_context_mgr_node; +- if (ctx_mgr_node) ++ if (ctx_mgr_node) { ++ if (ctx_mgr_node->proc == proc) { ++ binder_user_error("%d:%d context manager tried to acquire desc 0\n", ++ proc->pid, thread->pid); ++ mutex_unlock(&context->context_mgr_node_lock); ++ return -EINVAL; ++ } + ret = binder_inc_ref_for_node( + proc, ctx_mgr_node, + strong, NULL, &rdata); ++ } + mutex_unlock(&context->context_mgr_node_lock); + } + if (ret) diff --git a/queue-5.7/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch b/queue-5.7/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch new file mode 100644 index 00000000000..dba18645f3c --- /dev/null +++ b/queue-5.7/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch 
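Review bot: The new `WARN_ON(proc == target_proc)` in `binder_transaction()` fires on a state that unprivileged or context-manager userspace reaches by construction (the commit message spells out the steps), so on a kernel booted with `panic_on_warn` — the norm for syzkaller and some Android debug builds — any transaction-to-self that slips past the desc-0 check becomes a reboot rather than a refused reply. The commit explicitly wants a tripwire for future bypasses; if that trade-off is intended, the rate-limited `binder_user_error()` helper the same patch already uses for the desc-0 case in `binder_thread_write()` gives the same signal without the panic-on-warn blast radius, e.g. `binder_user_error("%d:%d transaction to self (target_node %d)\n", proc->pid, thread->pid, target_node->debug_id);`. A short comment at the check, e.g. `/* a binder_proc must never hold a ref to itself; the desc-0 check in binder_thread_write() should make this unreachable */`, would explain why `BR_FAILED_REPLY`/`-EINVAL` is returned here rather than treating it as a normal target-handle failure. Both `binder_transaction()` and `binder_thread_write()` begin and end outside the hunk.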
@@ -0,0 +1,39 @@ +From 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 12:09:15 -0400 +Subject: Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() + +From: Peilin Ye + +commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream. + +Check upon `num_rsp` is insufficient. A malformed event packet with a +large `num_rsp` number makes hci_extended_inquiry_result_evt() go out +of bounds. Fix it. + +This patch fixes the following syzbot bug: + + https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2 + +Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Acked-by: Greg Kroah-Hartman +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4346,7 +4346,7 @@ static void hci_extended_inquiry_result_ + + BT_DBG("%s num_rsp %d", hdev->name, num_rsp); + +- if (!num_rsp) ++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) + return; + + if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) diff --git a/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch b/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch new file mode 100644 index 00000000000..68f7bd783bc --- /dev/null +++ b/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch 
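Review bot: The new bound `skb->len < num_rsp * sizeof(*info) + 1` protects the loop below it, but `num_rsp` has already been read from `skb->data` above the hunk (the `BT_DBG` prints it), so an event with `skb->len == 0` still dereferences one byte before any length check runs; unless the event dispatcher guarantees a minimum payload for this opcode — nothing in the hunk shows that — a leading `if (!skb->len) return;` or a minimum-length check in the prologue would close that read as well. The `+ 1` is the `num_rsp` byte and deserves saying so, since the same expression now appears in three handlers: `/* one num_rsp byte, then num_rsp fixed-size entries */`. The type of `num_rsp` is not visible here; if it is a `__u8` the multiplication cannot overflow, but if it is an `int` read from the packet the product is still bounded by 255 entries, so either way the check is sound. `hci_extended_inquiry_result_evt()` starts and ends outside the hunk.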
@@ -0,0 +1,31 @@ +From 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 17:39:18 -0400 +Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() + +From: Peilin Ye + +commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream. + +Check `num_rsp` before using it as for-loop counter. + +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2487,7 +2487,7 @@ static void hci_inquiry_result_evt(struc + + BT_DBG("%s num_rsp %d", hdev->name, num_rsp); + +- if (!num_rsp) ++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) + return; + + if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) diff --git a/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch b/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch new file mode 100644 index 00000000000..3eb1628f090 --- /dev/null +++ b/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch 
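Review bot: The check `skb->len < num_rsp * sizeof(*info) + 1` added to `hci_inquiry_result_evt()` is the third textual copy of the same length test in `hci_event.c` (the extended and RSSI inquiry handlers carry identical ones), and three hand-written copies of an `off-by-one`-prone expression tend to drift; a small helper such as `static bool hci_inquiry_rsp_fits(const struct sk_buff *skb, unsigned int num_rsp, size_t entry) { return skb->len >= num_rsp * entry + 1; }` would let each handler read `if (!num_rsp || !hci_inquiry_rsp_fits(skb, num_rsp, sizeof(*info))) return;`. The correctness of `sizeof(*info)` depends on `info` being declared as a pointer to the fixed-size `struct inquiry_info` that the loop below walks with `info++`; that declaration is above the hunk, so a reader cannot confirm it from here. The function begins and ends outside the hunk.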
@@ -0,0 +1,50 @@ +From 629b49c848ee71244203934347bd7730b0ddee8d Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 17:45:26 -0400 +Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() + +From: Peilin Ye + +commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. + +Check `num_rsp` before using it as for-loop counter. Add `unlock` label. + +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4143,6 +4143,9 @@ static void hci_inquiry_result_with_rssi + struct inquiry_info_with_rssi_and_pscan_mode *info; + info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -4164,6 +4167,9 @@ static void hci_inquiry_result_with_rssi + } else { + struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -4184,6 +4190,7 @@ static void hci_inquiry_result_with_rssi + } + } + ++unlock: + hci_dev_unlock(hdev); + } + diff --git a/queue-5.7/gpio-max77620-fix-missing-release-of-interrupt.patch b/queue-5.7/gpio-max77620-fix-missing-release-of-interrupt.patch new file mode 100644 index 00000000000..a1fa3c275ab --- /dev/null +++ b/queue-5.7/gpio-max77620-fix-missing-release-of-interrupt.patch 
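Review bot: The two new `goto unlock` checks sit inside the branch that has already picked `inquiry_info_with_rssi_and_pscan_mode` versus `inquiry_info_with_rssi`, and the selection condition is above the hunk; if it is derived from `skb->len` and `num_rsp` (as the struct-size dispatch suggests, but which is not visible here), a truncated or odd-sized event will land in one of the two branches and only this new check rejects it, so the placement is load-bearing and should say so: `/* malformed lengths can land in either branch; reject before walking info[] */`. The checks run with `hci_dev_lock(hdev)` held, hence the new `unlock` label; hoisting them above the lock would only be possible if the struct selection moved too, so the current shape is reasonable. The `+ 1` accounts for the leading `num_rsp` byte; a comment noting that keeps it consistent with the sibling handlers. `hci_inquiry_result_with_rssi_evt()` begins and ends outside the hunk.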
@@ -0,0 +1,39 @@ +From 2a5e6f7eede8cd1c4bac0b8ec6491cec4e75c99a Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 9 Jul 2020 20:11:59 +0300 +Subject: gpio: max77620: Fix missing release of interrupt + +From: Dmitry Osipenko + +commit 2a5e6f7eede8cd1c4bac0b8ec6491cec4e75c99a upstream. + +The requested interrupt is never released by the driver. Fix this by +using the resource-managed variant of request_threaded_irq(). + +Fixes: ab3dd9cc24d4 ("gpio: max77620: Fix interrupt handling") +Signed-off-by: Dmitry Osipenko +Reviewed-by: Andy Shevchenko +Acked-by: Laxman Dewangan +Cc: # 5.5+ +Link: https://lore.kernel.org/r/20200709171203.12950-3-digetx@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-max77620.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpio-max77620.c ++++ b/drivers/gpio/gpio-max77620.c +@@ -305,8 +305,9 @@ static int max77620_gpio_probe(struct pl + gpiochip_irqchip_add_nested(&mgpio->gpio_chip, &max77620_gpio_irqchip, + 0, handle_edge_irq, IRQ_TYPE_NONE); + +- ret = request_threaded_irq(gpio_irq, NULL, max77620_gpio_irqhandler, +- IRQF_ONESHOT, "max77620-gpio", mgpio); ++ ret = devm_request_threaded_irq(&pdev->dev, gpio_irq, NULL, ++ max77620_gpio_irqhandler, IRQF_ONESHOT, ++ "max77620-gpio", mgpio); + if (ret < 0) { + dev_err(&pdev->dev, "failed to request IRQ: %d\n", ret); + return ret; diff --git a/queue-5.7/leds-88pm860x-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-88pm860x-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..dc6cf06da76 --- /dev/null +++ b/queue-5.7/leds-88pm860x-fix-use-after-free-on-unbind.patch 
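Review bot: Switching to `devm_request_threaded_irq()` ties the IRQ to `pdev` devres, which is released after `remove()` and in reverse registration order, so whether `max77620_gpio_irqhandler()` can still run against a torn-down `mgpio->gpio_chip` depends on how the chip itself was added — if a devm gpiochip registration precedes this request (reverse order frees the IRQ first) the sequence is safe, whereas a non-devm `gpiochip_add_data()` with an explicit unregister in remove, or a devm registration placed after this point, would remove the chip while the handler is still live. The chip registration is above the hunk and not visible here, so that ordering should be confirmed rather than assumed. A comment at the request site recording the dependency, e.g. `/* devm: must come after the devm gpiochip registration so the IRQ is freed first on unbind */`, protects the ordering against future reshuffling. `max77620_gpio_probe()` begins and ends outside the hunk.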
@@ -0,0 +1,63 @@ +From eca21c2d8655387823d695b26e6fe78cf3975c05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:45 +0200 +Subject: leds: 88pm860x: fix use-after-free on unbind + +From: Johan Hovold + +commit eca21c2d8655387823d695b26e6fe78cf3975c05 upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: 375446df95ee ("leds: 88pm860x: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-88pm860x.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-88pm860x.c ++++ b/drivers/leds/leds-88pm860x.c +@@ -203,21 +203,33 @@ static int pm860x_led_probe(struct platf + data->cdev.brightness_set_blocking = pm860x_led_set; + mutex_init(&data->lock); + +- ret = devm_led_classdev_register(chip->dev, &data->cdev); ++ ret = led_classdev_register(chip->dev, &data->cdev); + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); + return ret; + } + pm860x_led_set(&data->cdev, 0); ++ ++ platform_set_drvdata(pdev, data); ++ + return 0; + } + ++static int pm860x_led_remove(struct platform_device *pdev) ++{ ++ struct pm860x_led *data = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&data->cdev); ++ ++ return 0; ++} + + static struct platform_driver pm860x_led_driver = { + .driver = { + .name = "88pm860x-led", + }, + .probe = pm860x_led_probe, ++ .remove = pm860x_led_remove, + }; + + module_platform_driver(pm860x_led_driver); 
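Review bot: `pm860x_led_probe()` now calls `led_classdev_register(chip->dev, &data->cdev)` with the MFD parent rather than `&pdev->dev`, and nothing in the code records why devres must not be used here — the `Fixes:` commit was exactly a mechanical `devm_` conversion, and the next coccinelle-driven cleanup would reintroduce the use-after-free. A comment at the call, e.g. `/* Parent is the MFD device (chip->dev), not pdev: devres tied to pdev would not unregister the cdev on unbind, so it is paired with pm860x_led_remove(). */`, makes the constraint visible where it matters. The new `platform_set_drvdata(pdev, data)` is set after the initial `pm860x_led_set(&data->cdev, 0)` and only on the success path, which is fine because `pm860x_led_remove()` can only run after probe succeeded. The start of probe is outside the hunk.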
diff --git a/queue-5.7/leds-da903x-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-da903x-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..438661be369 --- /dev/null +++ b/queue-5.7/leds-da903x-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,61 @@ +From 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:46 +0200 +Subject: leds: da903x: fix use-after-free on unbind + +From: Johan Hovold + +commit 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: eed16255d66b ("leds: da903x: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-da903x.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-da903x.c ++++ b/drivers/leds/leds-da903x.c +@@ -110,12 +110,23 @@ static int da903x_led_probe(struct platf + led->flags = pdata->flags; + led->master = pdev->dev.parent; + +- ret = devm_led_classdev_register(led->master, &led->cdev); ++ ret = led_classdev_register(led->master, &led->cdev); + if (ret) { + dev_err(&pdev->dev, "failed to register LED %d\n", id); + return ret; + } + ++ platform_set_drvdata(pdev, led); ++ ++ return 0; ++} ++ ++static int da903x_led_remove(struct platform_device *pdev) ++{ ++ struct da903x_led *led = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&led->cdev); ++ + return 0; + } + +@@ -124,6 +135,7 @@ static struct platform_driver da903x_led + .name = "da903x-led", + }, + .probe = da903x_led_probe, ++ .remove = da903x_led_remove, + }; + + module_platform_driver(da903x_led_driver); diff --git a/queue-5.7/leds-lm3533-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-lm3533-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..4d82e6cdce0 --- /dev/null 
+++ b/queue-5.7/leds-lm3533-fix-use-after-free-on-unbind.patch @@ -0,0 +1,66 @@ +From d584221e683bbd173738603b83a315f27d27d043 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:47 +0200 +Subject: leds: lm3533: fix use-after-free on unbind + +From: Johan Hovold + +commit d584221e683bbd173738603b83a315f27d27d043 upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-lm3533.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/leds/leds-lm3533.c ++++ b/drivers/leds/leds-lm3533.c +@@ -694,7 +694,7 @@ static int lm3533_led_probe(struct platf + + platform_set_drvdata(pdev, led); + +- ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev); ++ ret = led_classdev_register(pdev->dev.parent, &led->cdev); + if (ret) { + dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id); + return ret; +@@ -704,13 +704,18 @@ static int lm3533_led_probe(struct platf + + ret = lm3533_led_setup(led, pdata); + if (ret) +- return ret; ++ goto err_deregister; + + ret = lm3533_ctrlbank_enable(&led->cb); + if (ret) +- return ret; ++ goto err_deregister; + + return 0; ++ ++err_deregister: ++ led_classdev_unregister(&led->cdev); ++ ++ return ret; + } + + static int lm3533_led_remove(struct platform_device *pdev) +@@ -720,6 +725,7 @@ static int lm3533_led_remove(struct plat + dev_dbg(&pdev->dev, "%s\n", __func__); + + lm3533_ctrlbank_disable(&led->cb); ++ led_classdev_unregister(&led->cdev); + + return 0; + } 
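Review bot: In `lm3533_led_remove()` the teardown order is `lm3533_ctrlbank_disable(&led->cb)` followed by the new `led_classdev_unregister(&led->cdev)`, so for that window the class device is still visible and a brightness write can hit a control bank that has already been disabled; the usual rule is to mirror probe in reverse, `led_classdev_unregister(&led->cdev); lm3533_ctrlbank_disable(&led->cb);`. The same asymmetry exists in `lm3533_led_probe()`, which registers the cdev before `lm3533_led_setup()` and `lm3533_ctrlbank_enable()` and therefore needs the new `err_deregister` label; if neither setup step requires the cdev to be registered first (the head of probe is above the hunk, so this cannot be confirmed here), registering last would remove both the pre-setup exposure and the extra error path. The `goto err_deregister` paths themselves look correct since `led_classdev_unregister()` is the only resource acquired before them in the visible code.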
diff --git a/queue-5.7/leds-lm36274-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-lm36274-fix-use-after-free-on-unbind.patch
new file mode 100644
index 00000000000..e3aba818932
--- /dev/null
+++ b/queue-5.7/leds-lm36274-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,64 @@
+From a0972fff09479dd09b731360a3a0b09e4fb4d415 Mon Sep 17 00:00:00 2001
+From: Johan Hovold 
+Date: Mon, 1 Jun 2020 15:39:48 +0200
+Subject: leds: lm36274: fix use-after-free on unbind
+
+From: Johan Hovold 
+
+commit a0972fff09479dd09b731360a3a0b09e4fb4d415 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot use devres so that
+deregistration ends up being tied to the parent device, something which
+leads to use-after-free on driver unbind when the class device is
+released while still being registered.
+
+Fixes: 11e1bbc116a7 ("leds: lm36274: Introduce the TI LM36274 LED driver")
+Cc: stable # 5.3
+Cc: Dan Murphy 
+Signed-off-by: Johan Hovold 
+Signed-off-by: Pavel Machek 
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/leds/leds-lm36274.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/leds/leds-lm36274.c
++++ b/drivers/leds/leds-lm36274.c
+@@ -133,7 +133,7 @@ static int lm36274_probe(struct platform
+ lm36274_data->pdev = pdev;
+ lm36274_data->dev = lmu->dev;
+ lm36274_data->regmap = lmu->regmap;
+- dev_set_drvdata(&pdev->dev, lm36274_data);
++ platform_set_drvdata(pdev, lm36274_data);
+ 
+ ret = lm36274_parse_dt(lm36274_data);
+ if (ret) {
+@@ -147,8 +147,16 @@ static int lm36274_probe(struct platform
+ return ret;
+ }
+ 
+- return devm_led_classdev_register(lm36274_data->dev,
+- &lm36274_data->led_dev);
++ return led_classdev_register(lm36274_data->dev, &lm36274_data->led_dev);
++}
++
++static int lm36274_remove(struct platform_device *pdev)
++{
++ struct lm36274 *lm36274_data = platform_get_drvdata(pdev);
++
++ led_classdev_unregister(&lm36274_data->led_dev);
++
++ return 0;
+ }
+ 
+ static const struct of_device_id of_lm36274_leds_match[] = {
+@@ -159,6 +167,7 @@ MODULE_DEVICE_TABLE(of, of_lm36274_leds_
+ 
+ static struct platform_driver lm36274_driver = {
+ .probe = lm36274_probe,
++ .remove = lm36274_remove,
+ .driver = {
+ .name = "lm36274-leds",
+ },
diff --git a/queue-5.7/leds-wm831x-status-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-wm831x-status-fix-use-after-free-on-unbind.patch
new file mode 100644
index 00000000000..e68516181f7
--- /dev/null
+++ b/queue-5.7/leds-wm831x-status-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,61 @@
+From 47a459ecc800a17109d0c496a4e21e478806ee40 Mon Sep 17 00:00:00 2001
+From: Johan Hovold 
+Date: Mon, 1 Jun 2020 15:39:49 +0200
+Subject: leds: wm831x-status: fix use-after-free on unbind
+
+From: Johan Hovold 
+
+commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: 8d3b6a4001ce ("leds: wm831x-status: Use devm_led_classdev_register")
+Cc: stable # 4.6
+Cc: Amitoj Kaur Chawla 
+Signed-off-by: Johan Hovold 
+Signed-off-by: Pavel Machek 
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/leds/leds-wm831x-status.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-wm831x-status.c
++++ b/drivers/leds/leds-wm831x-status.c
+@@ -269,12 +269,23 @@ static int wm831x_status_probe(struct pl
+ drvdata->cdev.blink_set = wm831x_status_blink_set;
+ drvdata->cdev.groups = wm831x_status_groups;
+ 
+- ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev);
++ ret = led_classdev_register(wm831x->dev, &drvdata->cdev);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register LED: %d\n", ret);
+ return ret;
+ }
+ 
++ platform_set_drvdata(pdev, drvdata);
++
++ return 0;
++}
++
++static int wm831x_status_remove(struct platform_device *pdev)
++{
++ struct wm831x_status *drvdata = platform_get_drvdata(pdev);
++
++ led_classdev_unregister(&drvdata->cdev);
++
+ return 0;
+ }
+ 
+@@ -283,6 +294,7 @@ static struct platform_driver wm831x_sta
+ .name = "wm831x-status",
+ },
+ .probe = wm831x_status_probe,
++ .remove = wm831x_status_remove,
+ };
+ 
+ module_platform_driver(wm831x_status_driver);
diff --git a/queue-5.7/lkdtm-heap-avoid-edge-and-middle-of-slabs.patch b/queue-5.7/lkdtm-heap-avoid-edge-and-middle-of-slabs.patch
new file mode 100644
index 00000000000..64373e6c150
--- /dev/null
+++ b/queue-5.7/lkdtm-heap-avoid-edge-and-middle-of-slabs.patch
@@ -0,0 +1,42 @@
+From e12145cf1c3a8077e6d9f575711e38dd7d8a3ebc Mon Sep 17 00:00:00 2001
+From: Kees Cook 
+Date: Thu, 25 Jun 2020 13:37:02 -0700
+Subject: lkdtm/heap: Avoid edge and middle of slabs
+
+From: Kees Cook 
+
+commit e12145cf1c3a8077e6d9f575711e38dd7d8a3ebc upstream.
+
+Har har, after I moved the slab freelist pointer into the middle of the
+slab, now it looks like the contents are getting poisoned. Adjust the
+test to avoid the freelist pointer again.
+
+Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook 
+Link: https://lore.kernel.org/r/20200625203704.317097-3-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/misc/lkdtm/heap.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/lkdtm/heap.c
++++ b/drivers/misc/lkdtm/heap.c
+@@ -58,11 +58,12 @@ void lkdtm_READ_AFTER_FREE(void)
+ int *base, *val, saw;
+ size_t len = 1024;
+ /*
+- * The slub allocator uses the first word to store the free
+- * pointer in some configurations. Use the middle of the
+- * allocation to avoid running into the freelist
++ * The slub allocator will use the either the first word or
++ * the middle of the allocation to store the free pointer,
++ * depending on configurations. Store in the second word to
++ * avoid running into the freelist.
+ */
+- size_t offset = (len / sizeof(*base)) / 2;
++ size_t offset = sizeof(*base);
+ 
+ base = kmalloc(len, GFP_KERNEL);
+ if (!base) {
diff --git a/queue-5.7/mtd-properly-check-all-write-ioctls-for-permissions.patch b/queue-5.7/mtd-properly-check-all-write-ioctls-for-permissions.patch
new file mode 100644
index 00000000000..a01dced3b6d
--- /dev/null
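Review bot: The new `size_t offset = sizeof(*base);` does not match the comment above it, which says the store goes into the second word. The replaced expression `(len / sizeof(*base)) / 2` was an element count, so if `offset` still indexes `base` (its use is outside the hunk), `sizeof(*base)` selects `base[4]`, the fifth `int`, not the second word. That still lands away from both the first word and the middle of the 1024-byte object, so the test's intent holds, but either write `size_t offset = 1;` or change the comment to say the store goes a few words in. Checking how `offset` is used in the rest of lkdtm_READ_AFTER_FREE, which continues past the hunk, would settle which of the two to fix.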
+++ b/queue-5.7/mtd-properly-check-all-write-ioctls-for-permissions.patch
@@ -0,0 +1,120 @@
+From f7e6b19bc76471ba03725fe58e0c218a3d6266c3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman 
+Date: Thu, 16 Jul 2020 13:53:46 +0200
+Subject: mtd: properly check all write ioctls for permissions
+
+From: Greg Kroah-Hartman 
+
+commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream.
+
+When doing a "write" ioctl call, properly check that we have permissions
+to do so before copying anything from userspace or anything else so we
+can "fail fast". This includes also covering the MEMWRITE ioctl which
+previously missed checking for this.
+
+Cc: Miquel Raynal 
+Cc: Richard Weinberger 
+Cc: Vignesh Raghavendra 
+Cc: stable 
+Signed-off-by: Greg Kroah-Hartman 
+[rw: Fixed locking issue]
+Signed-off-by: Richard Weinberger 
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/mtd/mtdchar.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 47 insertions(+), 9 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -355,9 +355,6 @@ static int mtdchar_writeoob(struct file
+ uint32_t retlen;
+ int ret = 0;
+ 
+- if (!(file->f_mode & FMODE_WRITE))
+- return -EPERM;
+-
+ if (length > 4096)
+ return -EINVAL;
+ 
+@@ -643,6 +640,48 @@ static int mtdchar_ioctl(struct file *fi
+ 
+ pr_debug("MTD_ioctl\n");
+ 
++ /*
++ * Check the file mode to require "dangerous" commands to have write
++ * permissions.
++ */
++ switch (cmd) {
++ /* "safe" commands */
++ case MEMGETREGIONCOUNT:
++ case MEMGETREGIONINFO:
++ case MEMGETINFO:
++ case MEMREADOOB:
++ case MEMREADOOB64:
++ case MEMLOCK:
++ case MEMUNLOCK:
++ case MEMISLOCKED:
++ case MEMGETOOBSEL:
++ case MEMGETBADBLOCK:
++ case MEMSETBADBLOCK:
++ case OTPSELECT:
++ case OTPGETREGIONCOUNT:
++ case OTPGETREGIONINFO:
++ case OTPLOCK:
++ case ECCGETLAYOUT:
++ case ECCGETSTATS:
++ case MTDFILEMODE:
++ case BLKPG:
++ case BLKRRPART:
++ break;
++
++ /* "dangerous" commands */
++ case MEMERASE:
++ case MEMERASE64:
++ case MEMWRITEOOB:
++ case MEMWRITEOOB64:
++ case MEMWRITE:
++ if (!(file->f_mode & FMODE_WRITE))
++ return -EPERM;
++ break;
++
++ default:
++ return -ENOTTY;
++ }
++
+ switch (cmd) {
+ case MEMGETREGIONCOUNT:
+ if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int)))
+@@ -690,9 +729,6 @@ static int mtdchar_ioctl(struct file *fi
+ {
+ struct erase_info *erase;
+ 
+- if(!(file->f_mode & FMODE_WRITE))
+- return -EPERM;
+-
+ erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL);
+ if (!erase)
+ ret = -ENOMEM;
+@@ -985,9 +1021,6 @@ static int mtdchar_ioctl(struct file *fi
+ ret = 0;
+ break;
+ }
+-
+- default:
+- ret = -ENOTTY;
+ }
+ 
+ return ret;
+@@ -1031,6 +1064,11 @@ static long mtdchar_compat_ioctl(struct
+ struct mtd_oob_buf32 buf;
+ struct mtd_oob_buf32 __user *buf_user = argp;
+ 
++ if (!(file->f_mode & FMODE_WRITE)) {
++ ret = -EPERM;
++ break;
++ }
++
+ if (copy_from_user(&buf, argp, sizeof(buf)))
+ ret = -EFAULT;
+ else
diff --git a/queue-5.7/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch b/queue-5.7/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
new file mode 100644
index 00000000000..26a09cd5647
--- /dev/null
+++ b/queue-5.7/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
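Review bot: The "safe" group of the new permission switch in mtdchar_ioctl lists `MEMLOCK`, `MEMUNLOCK`, `MEMSETBADBLOCK` and `OTPLOCK`, all of which change device state (lock or unlock erase regions, mark a block bad, lock an OTP region), so they still run on a descriptor opened read-only; it seems worth confirming whether they belong with the `FMODE_WRITE`-gated "dangerous" cases instead. Separately, because `default: ret = -ENOTTY` was removed from the dispatch switch further down, any command added later only to that second switch is now rejected by the first one, which a comment should make explicit: `/* Every command handled by the switch below must also be listed here; anything else is rejected with -ENOTTY before any copy_from_user(). */`. Both switches are in mtdchar_ioctl, whose start and end lie outside the hunk.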
@@ -0,0 +1,42 @@
+From 254503a2b186caa668a188dbbd7ab0d25149c0a5 Mon Sep 17 00:00:00 2001
+From: Adam Ford 
+Date: Tue, 30 Jun 2020 13:26:36 -0500
+Subject: omapfb: dss: Fix max fclk divider for omap36xx
+
+From: Adam Ford 
+
+commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream.
+
+The drm/omap driver was fixed to correct an issue where using a
+divider of 32 breaks the DSS despite the TRM stating 32 is a valid
+number. Through experimentation, it appears that 31 works, and
+it is consistent with the value used by the drm/omap driver.
+
+This patch fixes the divider for fbdev driver instead of the drm.
+
+Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
+Cc: #4.5+
+Signed-off-by: Adam Ford 
+Reviewed-by: Tomi Valkeinen 
+Cc: Dave Airlie 
+Cc: Rob Clark 
+[b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)]
+Signed-off-by: Bartlomiej Zolnierkiewicz 
+Link: https://patchwork.freedesktop.org/patch/msgid/20200630182636.439015-1-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c
+@@ -833,7 +833,7 @@ static const struct dss_features omap34x
+ };
+ 
+ static const struct dss_features omap3630_dss_feats = {
+- .fck_div_max = 32,
++ .fck_div_max = 31,
+ .dss_fck_multiplier = 1,
+ .parent_clk_name = "dpll4_ck",
+ .dpi_select_source = &dss_dpi_select_source_omap2_omap3,
diff --git a/queue-5.7/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch b/queue-5.7/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
new file mode 100644
index 00000000000..92d041d58df
--- /dev/null
+++ b/queue-5.7/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
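Review bot: `.fck_div_max = 31` now disagrees with the documented hardware limit and nothing in the source records why, so a reader comparing the table with the TRM would be tempted to "fix" it back to 32. Carry the commit message's reasoning into the code with a comment on the changed line: `/* TRM says 32, but a divider of 32 breaks the DSS; 31 is what drm/omap uses */`.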
@@ -0,0 +1,41 @@
+From 07c9983b567d0ef33aefc063299de95a987e12a8 Mon Sep 17 00:00:00 2001
+From: Hui Wang 
+Date: Mon, 3 Aug 2020 14:46:38 +0800
+Subject: Revert "ALSA: hda: call runtime_allow() for all hda controllers"
+
+From: Hui Wang 
+
+commit 07c9983b567d0ef33aefc063299de95a987e12a8 upstream.
+
+This reverts commit 9a6418487b56 ("ALSA: hda: call runtime_allow()
+for all hda controllers").
+
+The reverted patch already introduced some regressions on some
+machines:
+ - on gemini-lake machines, the error of "azx_get_response timeout"
+ happens in the hda driver.
+ - on the machines with alc662 codec, the audio jack detection doesn't
+ work anymore.
+
+Fixes: 9a6418487b56 ("ALSA: hda: call runtime_allow() for all hda controllers")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208511
+Cc: 
+Signed-off-by: Hui Wang 
+Link: https://lore.kernel.org/r/20200803064638.6139-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai 
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ sound/pci/hda/hda_intel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2354,7 +2354,6 @@ static int azx_probe_continue(struct azx
+ 
+ if (azx_has_pm_runtime(chip)) {
+ pm_runtime_use_autosuspend(&pci->dev);
+- pm_runtime_allow(&pci->dev);
+ pm_runtime_put_autosuspend(&pci->dev);
+ }
+ 
diff --git a/queue-5.7/scripts-add-dummy-report-mode-to-add_namespace.cocci.patch b/queue-5.7/scripts-add-dummy-report-mode-to-add_namespace.cocci.patch
new file mode 100644
index 00000000000..e94c8d752b7
--- /dev/null
+++ b/queue-5.7/scripts-add-dummy-report-mode-to-add_namespace.cocci.patch
@@ -0,0 +1,80 @@
+From 55c7549819e438f40a3ef1d8ac5c38b73390bcb7 Mon Sep 17 00:00:00 2001
+From: Matthias Maennich 
+Date: Thu, 4 Jun 2020 18:41:45 +0200
+Subject: scripts: add dummy report mode to add_namespace.cocci
+
+From: Matthias Maennich 
+
+commit 55c7549819e438f40a3ef1d8ac5c38b73390bcb7 upstream.
+
+When running `make coccicheck` in report mode using the
+add_namespace.cocci file, it will fail for files that contain
+MODULE_LICENSE. Those match the replacement precondition, but spatch
+errors out as virtual.ns is not set.
+
+In order to fix that, add the virtual rule nsdeps and only do search and
+replace if that rule has been explicitly requested.
+
+In order to make spatch happy in report mode, we also need a dummy rule,
+as otherwise it errors out with "No rules apply". Using a script:python
+rule appears unrelated and odd, but this is the shortest I could come up
+with.
+
+Adjust scripts/nsdeps accordingly to set the nsdeps rule when run trough
+`make nsdeps`.
+
+Suggested-by: Julia Lawall 
+Fixes: c7c4e29fb5a4 ("scripts: add_namespace: Fix coccicheck failed")
+Cc: YueHaibing 
+Cc: jeyu@kernel.org
+Cc: cocci@systeme.lip6.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthias Maennich 
+Reported-by: Shuah Khan 
+Acked-by: Julia Lawall 
+Link: https://lore.kernel.org/r/20200604164145.173925-1-maennich@google.com
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ scripts/coccinelle/misc/add_namespace.cocci | 8 +++++++-
+ scripts/nsdeps | 2 +-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/scripts/coccinelle/misc/add_namespace.cocci
++++ b/scripts/coccinelle/misc/add_namespace.cocci
+@@ -6,6 +6,7 @@
+ /// add a missing namespace tag to a module source file.
+ ///
+ 
++virtual nsdeps
+ virtual report
+ 
+ @has_ns_import@
+@@ -16,10 +17,15 @@ MODULE_IMPORT_NS(ns);
+ 
+ // Add missing imports, but only adjacent to a MODULE_LICENSE statement.
+ // That ensures we are adding it only to the main module source file.
+-@do_import depends on !has_ns_import@
++@do_import depends on !has_ns_import && nsdeps@
+ declarer name MODULE_LICENSE;
+ expression license;
+ identifier virtual.ns;
+ @@
+ MODULE_LICENSE(license);
+ + MODULE_IMPORT_NS(ns);
++
++// Dummy rule for report mode that would otherwise be empty and make spatch
++// fail ("No rules apply.")
++@script:python depends on report@
++@@
+--- a/scripts/nsdeps
++++ b/scripts/nsdeps
+@@ -29,7 +29,7 @@ fi
+ 
+ generate_deps_for_ns() {
+ $SPATCH --very-quiet --in-place --sp-file \
+- $srctree/scripts/coccinelle/misc/add_namespace.cocci -D ns=$1 $2
++ $srctree/scripts/coccinelle/misc/add_namespace.cocci -D nsdeps -D ns=$1 $2
+ }
+ 
+ generate_deps() {
diff --git a/queue-5.7/series b/queue-5.7/series
index 0b374630dff..bd1591a07fe 100644
--- a/queue-5.7/series
+++ b/queue-5.7/series
@@ -1,2 +1,30 @@
 scsi-ufs-fix-and-simplify-setup_xfer_req-variant-operation.patch
 usb-serial-qcserial-add-em7305-qdl-product-id.patch
+usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch
+usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
+usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
+revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
+alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch
+alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch
+alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch
+alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch
+alsa-seq-oss-serialize-ioctls.patch
+staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
+staging-rtl8712-handle-firmware-load-failure.patch
+staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
+omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
+binder-prevent-context-manager-from-incrementing-ref-0.patch
+smack-fix-use-after-free-in-smk_write_relabel_self.patch
+scripts-add-dummy-report-mode-to-add_namespace.cocci.patch
+lkdtm-heap-avoid-edge-and-middle-of-slabs.patch
+vgacon-fix-for-missing-check-in-scrollback-handling.patch
+mtd-properly-check-all-write-ioctls-for-permissions.patch
+leds-wm831x-status-fix-use-after-free-on-unbind.patch
+leds-lm36274-fix-use-after-free-on-unbind.patch
+leds-da903x-fix-use-after-free-on-unbind.patch
+leds-lm3533-fix-use-after-free-on-unbind.patch
+leds-88pm860x-fix-use-after-free-on-unbind.patch
+gpio-max77620-fix-missing-release-of-interrupt.patch
diff --git a/queue-5.7/smack-fix-use-after-free-in-smk_write_relabel_self.patch b/queue-5.7/smack-fix-use-after-free-in-smk_write_relabel_self.patch
new file mode 100644
index 00000000000..87285058cf2
--- /dev/null
+++ b/queue-5.7/smack-fix-use-after-free-in-smk_write_relabel_self.patch
@@ -0,0 +1,79 @@
+From beb4ee6770a89646659e6a2178538d2b13e2654e Mon Sep 17 00:00:00 2001
+From: Eric Biggers 
+Date: Wed, 8 Jul 2020 13:15:20 -0700
+Subject: Smack: fix use-after-free in smk_write_relabel_self()
+
+From: Eric Biggers 
+
+commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream.
+
+smk_write_relabel_self() frees memory from the task's credentials with
+no locking, which can easily cause a use-after-free because multiple
+tasks can share the same credentials structure.
+
+Fix this by using prepare_creds() and commit_creds() to correctly modify
+the task's credentials.
+
+Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
+
+ #include 
+ #include 
+ #include 
+
+ static void *thrproc(void *arg)
+ {
+ int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
+ for (;;) write(fd, "foo", 3);
+ }
+
+ int main()
+ {
+ pthread_t t;
+ pthread_create(&t, NULL, thrproc, NULL);
+ thrproc(NULL);
+ }
+
+Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com
+Fixes: 38416e53936e ("Smack: limited capability for changing process label")
+Cc: # v4.4+
+Signed-off-by: Eric Biggers 
+Signed-off-by: Casey Schaufler 
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ security/smack/smackfs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -2720,7 +2720,6 @@ static int smk_open_relabel_self(struct
+ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_smack *tsp = smack_cred(current_cred());
+ char *data;
+ int rc;
+ LIST_HEAD(list_tmp);
+@@ -2745,11 +2744,21 @@ static ssize_t smk_write_relabel_self(st
+ kfree(data);
+ 
+ if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
++ struct cred *new;
++ struct task_smack *tsp;
++
++ new = prepare_creds();
++ if (!new) {
++ rc = -ENOMEM;
++ goto out;
++ }
++ tsp = smack_cred(new);
+ smk_destroy_label_list(&tsp->smk_relabel);
+ list_splice(&list_tmp, &tsp->smk_relabel);
++ commit_creds(new);
+ return count;
+ }
+-
++out:
+ smk_destroy_label_list(&list_tmp);
+ return rc;
+ }
diff --git a/queue-5.7/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch b/queue-5.7/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
new file mode 100644
index 00000000000..62522eeac50
--- /dev/null
+++ b/queue-5.7/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
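Review bot: The reason for the `prepare_creds()`/`commit_creds()` pair lives only in the commit message; the new block in smk_write_relabel_self gives no hint that `current_cred()` may be shared between tasks, which is exactly the property the old in-place `smack_cred(current_cred())` edit violated. A comment above `new = prepare_creds();` would keep the next reader from reintroducing it: `/* The cred struct may be shared with other tasks; modify a private copy and commit it atomically instead of editing current_cred() in place. */`. The `out:` label also replaces what used to be a blank line, so a blank line before it would match the kernel's usual layout. The function body between the two hunks is outside the view.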
@@ -0,0 +1,77 @@
+From 3e338d3c95c735dc3265a86016bb4c022ec7cadc Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan 
+Date: Thu, 30 Jul 2020 12:26:32 -0700
+Subject: staging: android: ashmem: Fix lockdep warning for write operation
+
+From: Suren Baghdasaryan 
+
+commit 3e338d3c95c735dc3265a86016bb4c022ec7cadc upstream.
+
+syzbot report [1] describes a deadlock when write operation against an
+ashmem fd executed at the time when ashmem is shrinking its cache results
+in the following lock sequence:
+
+Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(fs_reclaim);
+ lock(&sb->s_type->i_mutex_key#13);
+ lock(fs_reclaim);
+ lock(&sb->s_type->i_mutex_key#13);
+
+kswapd takes fs_reclaim and then inode_lock while generic_perform_write
+takes inode_lock and then fs_reclaim. However ashmem does not support
+writing into backing shmem with a write syscall. The only way to change
+its content is to mmap it and operate on mapped memory. Therefore the race
+that lockdep is warning about is not valid. Resolve this by introducing a
+separate lockdep class for the backing shmem inodes.
+
+[1]: https://lkml.kernel.org/lkml/0000000000000b5f9d059aa2037f@google.com/
+
+Reported-by: syzbot+7a0d9d0b26efefe61780@syzkaller.appspotmail.com
+Signed-off-by: Suren Baghdasaryan 
+Cc: stable 
+Reviewed-by: Joel Fernandes (Google) 
+Link: https://lore.kernel.org/r/20200730192632.3088194-1-surenb@google.com
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/staging/android/ashmem.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -95,6 +95,15 @@ static DEFINE_MUTEX(ashmem_mutex);
+ static struct kmem_cache *ashmem_area_cachep __read_mostly;
+ static struct kmem_cache *ashmem_range_cachep __read_mostly;
+ 
++/*
++ * A separate lockdep class for the backing shmem inodes to resolve the lockdep
++ * warning about the race between kswapd taking fs_reclaim before inode_lock
++ * and write syscall taking inode_lock and then fs_reclaim.
++ * Note that such race is impossible because ashmem does not support write
++ * syscalls operating on the backing shmem.
++ */
++static struct lock_class_key backing_shmem_inode_class;
++
+ static inline unsigned long range_size(struct ashmem_range *range)
+ {
+ return range->pgend - range->pgstart + 1;
+@@ -396,6 +405,7 @@ static int ashmem_mmap(struct file *file
+ if (!asma->file) {
+ char *name = ASHMEM_NAME_DEF;
+ struct file *vmfile;
++ struct inode *inode;
+ 
+ if (asma->name[ASHMEM_NAME_PREFIX_LEN] != '\0')
+ name = asma->name;
+@@ -407,6 +417,8 @@ static int ashmem_mmap(struct file *file
+ goto out;
+ }
+ vmfile->f_mode |= FMODE_LSEEK;
++ inode = file_inode(vmfile);
++ lockdep_set_class(&inode->i_rwsem, &backing_shmem_inode_class);
+ asma->file = vmfile;
+ /*
+ * override mmap operation of the vmfile so that it can't be
diff --git a/queue-5.7/staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch b/queue-5.7/staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch
new file mode 100644
index 00000000000..f278e9c6023
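Review bot: The class assigned by `lockdep_set_class(&inode->i_rwsem, &backing_shmem_inode_class)` silences the report only because ashmem never routes a write() to the backing shmem file; that invariant is asserted in the new comment but nothing in this hunk enforces it, so a later change adding a write path would quietly turn the annotation into a hidden real deadlock. A short cross-reference at the ashmem file_operations table (outside the hunk), e.g. `/* no .write: see backing_shmem_inode_class */`, would tie the two together so the lockdep class gets revisited with any such change. The remainder of ashmem_mmap, including where vmfile is created, is outside the hunk.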
--- /dev/null
+++ b/queue-5.7/staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch
@@ -0,0 +1,41 @@
+From 11536442a3b4e1de6890ea5e805908debb74f94a Mon Sep 17 00:00:00 2001
+From: Dinghao Liu 
+Date: Tue, 28 Jul 2020 15:21:51 +0800
+Subject: Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode
+
+From: Dinghao Liu 
+
+commit 11536442a3b4e1de6890ea5e805908debb74f94a upstream.
+
+The variable authmode can be uninitialized. The danger would be if
+it equals to _WPA_IE_ID_ (0xdd) or _WPA2_IE_ID_ (0x33). We can avoid
+this by setting it to zero instead. This is the approach that was
+used in the rtl8723bs driver.
+
+Fixes: 7b464c9fa5cc ("staging: r8188eu: Add files for new driver - part 4")
+Co-developed-by: Dan Carpenter 
+Signed-off-by: Dan Carpenter 
+Signed-off-by: Dinghao Liu 
+Cc: stable 
+Link: https://lore.kernel.org/r/20200728072153.9202-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/staging/rtl8188eu/core/rtw_mlme.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_mlme.c
++++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c
+@@ -1729,9 +1729,11 @@ int rtw_restruct_sec_ie(struct adapter *
+ if ((ndisauthmode == Ndis802_11AuthModeWPA) ||
+ (ndisauthmode == Ndis802_11AuthModeWPAPSK))
+ authmode = _WPA_IE_ID_;
+- if ((ndisauthmode == Ndis802_11AuthModeWPA2) ||
++ else if ((ndisauthmode == Ndis802_11AuthModeWPA2) ||
+ (ndisauthmode == Ndis802_11AuthModeWPA2PSK))
+ authmode = _WPA2_IE_ID_;
++ else
++ authmode = 0x0;
+ 
+ if (check_fwstate(pmlmepriv, WIFI_UNDER_WPS)) {
+ memcpy(out_ie + ielength, psecuritypriv->wps_ie, psecuritypriv->wps_ie_len);
diff --git a/queue-5.7/staging-rtl8712-handle-firmware-load-failure.patch b/queue-5.7/staging-rtl8712-handle-firmware-load-failure.patch
new file mode 100644
index 00000000000..4d0fbedf9d7
--- /dev/null
+++ b/queue-5.7/staging-rtl8712-handle-firmware-load-failure.patch
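Review bot: The `else authmode = 0x0;` branch closes the uninitialised read, but a hex literal here reads like a flag or mask value when it is simply "no IE"; `authmode = 0;` says the same thing more plainly. Initialising `authmode` at its declaration (above the hunk) would also cover any future branch without relying on this if/else chain staying exhaustive. The enclosing rtw_restruct_sec_ie begins before the hunk and continues after it.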
@@ -0,0 +1,80 @@
+From b4383c971bc5263efe2b0915ba67ebf2bf3f1ee5 Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev 
+Date: Thu, 16 Jul 2020 08:13:26 -0700
+Subject: staging: rtl8712: handle firmware load failure
+
+From: Rustam Kovhaev 
+
+commit b4383c971bc5263efe2b0915ba67ebf2bf3f1ee5 upstream.
+
+when firmware fails to load we should not call unregister_netdev()
+this patch fixes a race condition between rtl871x_load_fw_cb() and
+r871xu_dev_remove() and fixes the bug reported by syzbot
+
+Reported-by: syzbot+80899a8a8efe8968cde7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=80899a8a8efe8968cde7
+Signed-off-by: Rustam Kovhaev 
+Cc: stable 
+Link: https://lore.kernel.org/r/20200716151324.1036204-1-rkovhaev@gmail.com
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/staging/rtl8712/hal_init.c | 3 ++-
+ drivers/staging/rtl8712/usb_intf.c | 11 ++++++++---
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/rtl8712/hal_init.c
++++ b/drivers/staging/rtl8712/hal_init.c
+@@ -33,7 +33,6 @@ static void rtl871x_load_fw_cb(const str
+ {
+ struct _adapter *adapter = context;
+ 
+- complete(&adapter->rtl8712_fw_ready);
+ if (!firmware) {
+ struct usb_device *udev = adapter->dvobjpriv.pusbdev;
+ struct usb_interface *usb_intf = adapter->pusb_intf;
+@@ -41,11 +40,13 @@ static void rtl871x_load_fw_cb(const str
+ dev_err(&udev->dev, "r8712u: Firmware request failed\n");
+ usb_put_dev(udev);
+ usb_set_intfdata(usb_intf, NULL);
++ complete(&adapter->rtl8712_fw_ready);
+ return;
+ }
+ adapter->fw = firmware;
+ /* firmware available - start netdev */
+ register_netdev(adapter->pnetdev);
++ complete(&adapter->rtl8712_fw_ready);
+ }
+ 
+ static const char firmware_file[] = "rtlwifi/rtl8712u.bin";
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -595,13 +595,17 @@ static void r871xu_dev_remove(struct usb
+ if (pnetdev) {
+ struct _adapter *padapter = netdev_priv(pnetdev);
+ 
+- usb_set_intfdata(pusb_intf, NULL);
+- release_firmware(padapter->fw);
+ /* never exit with a firmware callback pending */
+ wait_for_completion(&padapter->rtl8712_fw_ready);
++ pnetdev = usb_get_intfdata(pusb_intf);
++ usb_set_intfdata(pusb_intf, NULL);
++ if (!pnetdev)
++ goto firmware_load_fail;
++ release_firmware(padapter->fw);
+ if (drvpriv.drv_registered)
+ padapter->surprise_removed = true;
+- unregister_netdev(pnetdev); /* will call netdev_close() */
++ if (pnetdev->reg_state != NETREG_UNINITIALIZED)
++ unregister_netdev(pnetdev); /* will call netdev_close() */
+ flush_scheduled_work();
+ udelay(1);
+ /* Stop driver mlme relation timer */
+@@ -614,6 +618,7 @@ static void r871xu_dev_remove(struct usb
+ */
+ usb_put_dev(udev);
+ }
++firmware_load_fail:
+ /* If we didn't unplug usb dongle and remove/insert module, driver
+ * fails on sitesurvey for the first time when device is up.
+ * Reset usb port for sitesurvey fail issue.
diff --git a/queue-5.7/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch b/queue-5.7/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch
new file mode 100644
index 00000000000..16456320c70
--- /dev/null
+++ b/queue-5.7/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch
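Review bot: In r871xu_dev_remove, `pnetdev` is reassigned from `usb_get_intfdata(pusb_intf)` after the wait, so the same variable first means "the netdev looked up at entry" and then "did the firmware callback leave the interface data in place"; without a comment the `if (!pnetdev) goto firmware_load_fail;` is hard to follow, and `padapter` still points at the original netdev's private data on that path. The other half of the protocol is visible in the hal_init.c hunk, where the failure path calls `usb_put_dev()` and `usb_set_intfdata(usb_intf, NULL)` before completing, which is also why the `usb_put_dev(udev)` later in this block must be skipped on that path. Suggest `/* rtl871x_load_fw_cb() clears the intfdata and drops the udev reference when the firmware request failed */` above the reassignment, and preferably a separate local instead of reusing `pnetdev`. The function starts before the hunk and continues past it.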
@@ -0,0 +1,79 @@
+From 17a82716587e9d7c3b246a789add490b2b5dcab6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman 
+Date: Sun, 26 Jul 2020 11:49:39 +0200
+Subject: USB: iowarrior: fix up report size handling for some devices
+
+From: Greg Kroah-Hartman 
+
+commit 17a82716587e9d7c3b246a789add490b2b5dcab6 upstream.
+
+In previous patches that added support for new iowarrior devices, the
+handling of the report size was not done correct.
+
+Fix that up and update the copyright date for the driver
+
+Reworked from an original patch written by Christoph Jung.
+
+Fixes: bab5417f5f01 ("USB: misc: iowarrior: add support for the 100 device")
+Fixes: 5f6f8da2d7b5 ("USB: misc: iowarrior: add support for the 28 and 28L devices")
+Fixes: 461d8deb26a7 ("USB: misc: iowarrior: add support for 2 OEMed devices")
+Cc: stable 
+Reported-by: Christoph Jung 
+Link: https://lore.kernel.org/r/20200726094939.1268978-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman 
+
+---
+ drivers/usb/misc/iowarrior.c | 35 +++++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -2,8 +2,9 @@
+ /*
+ * Native support for the I/O-Warrior USB devices
+ *
+- * Copyright (c) 2003-2005 Code Mercenaries GmbH
+- * written by Christian Lucht 
++ * Copyright (c) 2003-2005, 2020 Code Mercenaries GmbH
++ * written by Christian Lucht and
++ * Christoph Jung 
+ *
+ * based on
+ 
+@@ -802,14 +803,28 @@ static int iowarrior_probe(struct usb_in
+ 
+ /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+- if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
+- ((dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56AM) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28L) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW100)))
+- /* IOWarrior56 has wMaxPacketSize different from report size */
+- dev->report_size = 7;
++
++ /*
++ * Some devices need the report size to be different than the
++ * endpoint size.
++ */
++ if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) {
++ switch (dev->product_id) {
++ case USB_DEVICE_ID_CODEMERCS_IOW56:
++ case USB_DEVICE_ID_CODEMERCS_IOW56AM:
++ dev->report_size = 7;
++ break;
++
++ case USB_DEVICE_ID_CODEMERCS_IOW28:
++ case USB_DEVICE_ID_CODEMERCS_IOW28L:
++ dev->report_size = 4;
++ break;
++
++ case USB_DEVICE_ID_CODEMERCS_IOW100:
++ dev->report_size = 13;
++ break;
++ }
++ }
+ 
+ /* create the urb and buffer for reading */
+ dev->int_in_urb = usb_alloc_urb(0, GFP_KERNEL);
diff --git a/queue-5.7/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch b/queue-5.7/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
new file mode 100644
index 00000000000..9d39865181d
--- /dev/null
+++ b/queue-5.7/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
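Review bot: The new `switch (dev->product_id)` in iowarrior_probe has no `default:` case, so a reader has to work out for themselves that every other product keeps the endpoint size assigned just above it; `default: /* report size equals wMaxPacketSize */ break;` would state that explicitly and also keeps the switch clean under -Wswitch-default where it is enabled. The function continues outside the hunk.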
@@ -0,0 +1,52 @@ +From 1841cb255da41e87bed9573915891d056f80e2e7 Mon Sep 17 00:00:00 2001 +From: Forest Crossman +Date: Mon, 27 Jul 2020 23:24:07 -0500 +Subject: usb: xhci: define IDs for various ASMedia host controllers + +From: Forest Crossman + +commit 1841cb255da41e87bed9573915891d056f80e2e7 upstream. + +Not all ASMedia host controllers have a device ID that matches its part +number. #define some of these IDs to make it clearer at a glance which +chips require what quirks. + +Acked-by: Mathias Nyman +Signed-off-by: Forest Crossman +Link: https://lore.kernel.org/r/20200728042408.180529-2-cyrozap@gmail.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-pci.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -56,7 +56,9 @@ + #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba + #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb + #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc ++#define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042 + #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 ++#define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142 + + static const char hcd_name[] = "xhci_hcd"; + +@@ -250,13 +252,13 @@ static void xhci_pci_quirks(struct devic + xhci->quirks |= XHCI_LPM_SUPPORT; + + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && +- pdev->device == 0x1042) ++ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI) + xhci->quirks |= XHCI_BROKEN_STREAMS; + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && +- pdev->device == 0x1142) ++ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && +- pdev->device == 0x2142) ++ pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI) + xhci->quirks |= XHCI_NO_64BIT_SUPPORT; + + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && 
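Review bot: The new `PCI_DEVICE_ID_ASMEDIA_*` defines carry no comment even though the commit message's whole point is that the device ID does not match the part number (`PCI_DEVICE_ID_ASMEDIA_1042A_XHCI` is 0x1142); a one-line comment above the group, `/* ASMedia device IDs do not always match the part number; the macro name is the part, the value is the ID */`, would stop the next reader from "correcting" the values. As a point of style, the three `if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && pdev->device == ...)` tests in xhci_pci_quirks repeat the vendor check on every line; nesting them under a single vendor test, or a `switch (pdev->device)`, would make the per-chip quirk list easier to extend. xhci_pci_quirks continues past this hunk.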
diff --git a/queue-5.7/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch b/queue-5.7/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
new file mode 100644
index 00000000000..5cb52bf2136
--- /dev/null
+++ b/queue-5.7/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
@@ -0,0 +1,45 @@ +From ec37198acca7b4c17b96247697406e47aafe0605 Mon Sep 17 00:00:00 2001 +From: Forest Crossman +Date: Mon, 27 Jul 2020 23:24:08 -0500 +Subject: usb: xhci: Fix ASMedia ASM1142 DMA addressing + +From: Forest Crossman + +commit ec37198acca7b4c17b96247697406e47aafe0605 upstream. + +I've confirmed that the ASMedia ASM1142 has the same problem as the +ASM2142/ASM3142, in that it too reports that it supports 64-bit DMA +addresses when in fact it does not. As with the ASM2142/ASM3142, this +can cause problems on systems where the upper bits matter, and adding +the XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue. + +Acked-by: Mathias Nyman +Signed-off-by: Forest Crossman +Cc: stable +Link: https://lore.kernel.org/r/20200728042408.180529-3-cyrozap@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -58,6 +58,7 @@ + #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc + #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042 + #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 ++#define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242 + #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142 + + static const char hcd_name[] = "xhci_hcd"; +@@ -258,7 +259,8 @@ static void xhci_pci_quirks(struct devic + pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && +- pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI) ++ (pdev->device == PCI_DEVICE_ID_ASMEDIA_1142_XHCI || ++ pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)) + xhci->quirks |= XHCI_NO_64BIT_SUPPORT; + + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && diff --git a/queue-5.7/vgacon-fix-for-missing-check-in-scrollback-handling.patch b/queue-5.7/vgacon-fix-for-missing-check-in-scrollback-handling.patch new file mode 100644 index 00000000000..55a0ee9754e --- /dev/null 
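Review bot: The widened condition `(pdev->device == PCI_DEVICE_ID_ASMEDIA_1142_XHCI || pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)` sets `XHCI_NO_64BIT_SUPPORT` without saying why in the code; the reason lives only in the commit message. A comment above the `if`, `/* ASM1142 and ASM2142/ASM3142 report 64-bit DMA support they do not actually have; force 32-bit addressing */`, documents the hardware defect at the point of use, which matters because, per the commit message, a missing quirk here causes problems on systems where the upper address bits matter rather than a clean failure. The new define `PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242` is another name/ID mismatch and deserves the same comment treatment as its neighbours. xhci_pci_quirks continues past this hunk.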
+++ b/queue-5.7/vgacon-fix-for-missing-check-in-scrollback-handling.patch 
@@ -0,0 +1,88 @@ +From ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d Mon Sep 17 00:00:00 2001 +From: Yunhai Zhang +Date: Tue, 28 Jul 2020 09:58:03 +0800 +Subject: vgacon: Fix for missing check in scrollback handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunhai Zhang + +commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream. + +vgacon_scrollback_update() always leaves enbough room in the scrollback +buffer for the next call, but if the console size changed that room +might not actually be enough, and so we need to re-check. + +The check should be in the loop since vgacon_scrollback_cur->tail is +updated in the loop and count may be more than 1 when triggered by CSI M, +as Jiri's PoC: +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char** argv) +{ + int fd = open("/dev/tty1", O_RDWR); + unsigned short size[3] = {25, 200, 0}; + ioctl(fd, 0x5609, size); // VT_RESIZE + + write(fd, "\e[1;1H", 6); + for (int i = 0; i < 30; i++) + write(fd, "\e[10M", 5); +} + +It leads to various crashes as vgacon_scrollback_update writes out of +the buffer: + BUG: unable to handle page fault for address: ffffc900001752a0 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + RIP: 0010:mutex_unlock+0x13/0x30 +... + Call Trace: + n_tty_write+0x1a0/0x4d0 + tty_write+0x1a0/0x2e0 + +Or to KASAN reports: +BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed + +This fixes CVE-2020-14331. + +Reported-by: 张云海 +Reported-by: Yang Yingliang +Reported-by: Kyungtae Kim +Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback) +Cc: stable@vger.kernel.org +Cc: linux-fbdev@vger.kernel.org +Cc: Linus Torvalds +Cc: Solar Designer +Cc: "Srivatsa S. 
Bhat" +Cc: Anthony Liguori +Cc: Yang Yingliang +Cc: Bartlomiej Zolnierkiewicz +Cc: Jiri Slaby +Signed-off-by: Yunhai Zhang +Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/vgacon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -251,6 +251,10 @@ static void vgacon_scrollback_update(str + p = (void *) (c->vc_origin + t * c->vc_size_row); + + while (count--) { ++ if ((vgacon_scrollback_cur->tail + c->vc_size_row) > ++ vgacon_scrollback_cur->size) ++ vgacon_scrollback_cur->tail = 0; ++ + scr_memcpyw(vgacon_scrollback_cur->data + + vgacon_scrollback_cur->tail, + p, c->vc_size_row);
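Review bot: The added wrap check only guards against `tail + vc_size_row` exceeding `size`; if the scrollback buffer can ever be smaller than one row, resetting `tail = 0` still leaves the following `scr_memcpyw(..., p, c->vc_size_row)` writing past the end, so it is worth confirming (outside this hunk) that the allocation is always at least `vc_size_row` bytes, or rejecting the update before the loop with `if (c->vc_size_row > vgacon_scrollback_cur->size) return;`. The check also has no comment explaining why it sits inside the loop instead of relying on the room left by the previous call; `/* the console may have been resized since the previous call, so re-check that a full row fits before each copy (CVE-2020-14331) */` captures the reasoning given in the commit message. The loop body and `vgacon_scrollback_update` continue past this hunk, so the tail update that presumably follows the copy was not visible here.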