From: Greg Kroah-Hartman Date: Sat, 27 Nov 2021 13:12:02 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.15.6~71 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a05f6eb3a6be3b195cea99b55103b90c8b6479ac;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-ctxfi-fix-out-of-range-access.patch binder-fix-test-regression-due-to-sender_euid-change.patch fuse-fix-page-stealing.patch hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch media-cec-copy-sequence-field-for-the-reply.patch staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch --- diff --git a/queue-4.14/alsa-ctxfi-fix-out-of-range-access.patch b/queue-4.14/alsa-ctxfi-fix-out-of-range-access.patch new file mode 100644 index 00000000000..c2af8599c2e --- /dev/null +++ b/queue-4.14/alsa-ctxfi-fix-out-of-range-access.patch @@ -0,0 +1,181 @@ +From 76c47183224c86e4011048b80f0e2d0d166f01c2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 18 Nov 2021 22:57:29 +0100 +Subject: ALSA: ctxfi: Fix out-of-range access + +From: Takashi Iwai + +commit 76c47183224c86e4011048b80f0e2d0d166f01c2 upstream. + +The master and next_conj of rcs_ops are used for iterating the +resource list entries, and currently those are supposed to return the +current value. The problem is that next_conf may go over the last +entry before the loop abort condition is evaluated, and it may return +the "current" value that is beyond the array size. It was caught +recently as a GPF, for example. + +Those return values are, however, never actually evaluated, hence +basically we don't have to consider the current value as the return at +all. By dropping those return values, the potential out-of-range +access above is also fixed automatically. + +This patch changes the return type of master and next_conj callbacks +to void and drop the superfluous code accordingly. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214985 +Cc: +Link: https://lore.kernel.org/r/20211118215729.26257-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ctxfi/ctamixer.c | 14 ++++++-------- + sound/pci/ctxfi/ctdaio.c | 16 ++++++++-------- + sound/pci/ctxfi/ctresource.c | 7 +++---- + sound/pci/ctxfi/ctresource.h | 4 ++-- + sound/pci/ctxfi/ctsrc.c | 7 +++---- + 5 files changed, 22 insertions(+), 26 deletions(-) + +--- a/sound/pci/ctxfi/ctamixer.c ++++ b/sound/pci/ctxfi/ctamixer.c +@@ -27,16 +27,15 @@ + + #define BLANK_SLOT 4094 + +-static int amixer_master(struct rsc *rsc) ++static void amixer_master(struct rsc *rsc) + { + rsc->conj = 0; +- return rsc->idx = container_of(rsc, struct amixer, rsc)->idx[0]; ++ rsc->idx = container_of(rsc, struct amixer, rsc)->idx[0]; + } + +-static int amixer_next_conj(struct rsc *rsc) ++static void amixer_next_conj(struct rsc *rsc) + { + rsc->conj++; +- return container_of(rsc, struct amixer, rsc)->idx[rsc->conj]; + } + + static int amixer_index(const struct rsc *rsc) +@@ -335,16 +334,15 @@ int amixer_mgr_destroy(struct amixer_mgr + + /* SUM resource management */ + +-static int sum_master(struct rsc *rsc) ++static void sum_master(struct rsc *rsc) + { + rsc->conj = 0; +- return rsc->idx = container_of(rsc, struct sum, rsc)->idx[0]; ++ rsc->idx = container_of(rsc, struct sum, rsc)->idx[0]; + } + +-static int sum_next_conj(struct rsc *rsc) ++static void sum_next_conj(struct rsc *rsc) + { + rsc->conj++; +- return container_of(rsc, struct sum, rsc)->idx[rsc->conj]; + } + + static int sum_index(const struct rsc *rsc) +--- a/sound/pci/ctxfi/ctdaio.c ++++ b/sound/pci/ctxfi/ctdaio.c +@@ -55,12 +55,12 @@ static struct daio_rsc_idx idx_20k2[NUM_ + [SPDIFIO] = {.left = 0x05, .right = 0x85}, + }; + +-static int daio_master(struct rsc *rsc) ++static void daio_master(struct rsc *rsc) + { + /* Actually, this is not the resource index of DAIO. + * For DAO, it is the input mapper index. And, for DAI, + * it is the output time-slot index. */ +- return rsc->conj = rsc->idx; ++ rsc->conj = rsc->idx; + } + + static int daio_index(const struct rsc *rsc) +@@ -68,19 +68,19 @@ static int daio_index(const struct rsc * + return rsc->conj; + } + +-static int daio_out_next_conj(struct rsc *rsc) ++static void daio_out_next_conj(struct rsc *rsc) + { +- return rsc->conj += 2; ++ rsc->conj += 2; + } + +-static int daio_in_next_conj_20k1(struct rsc *rsc) ++static void daio_in_next_conj_20k1(struct rsc *rsc) + { +- return rsc->conj += 0x200; ++ rsc->conj += 0x200; + } + +-static int daio_in_next_conj_20k2(struct rsc *rsc) ++static void daio_in_next_conj_20k2(struct rsc *rsc) + { +- return rsc->conj += 0x100; ++ rsc->conj += 0x100; + } + + static const struct rsc_ops daio_out_rsc_ops = { +--- a/sound/pci/ctxfi/ctresource.c ++++ b/sound/pci/ctxfi/ctresource.c +@@ -113,18 +113,17 @@ static int audio_ring_slot(const struct + return (rsc->conj << 4) + offset_in_audio_slot_block[rsc->type]; + } + +-static int rsc_next_conj(struct rsc *rsc) ++static void rsc_next_conj(struct rsc *rsc) + { + unsigned int i; + for (i = 0; (i < 8) && (!(rsc->msr & (0x1 << i))); ) + i++; + rsc->conj += (AUDIO_SLOT_BLOCK_NUM >> i); +- return rsc->conj; + } + +-static int rsc_master(struct rsc *rsc) ++static void rsc_master(struct rsc *rsc) + { +- return rsc->conj = rsc->idx; ++ rsc->conj = rsc->idx; + } + + static const struct rsc_ops rsc_generic_ops = { +--- a/sound/pci/ctxfi/ctresource.h ++++ b/sound/pci/ctxfi/ctresource.h +@@ -43,8 +43,8 @@ struct rsc { + }; + + struct rsc_ops { +- int (*master)(struct rsc *rsc); /* Move to master resource */ +- int (*next_conj)(struct rsc *rsc); /* Move to next conjugate resource */ ++ void (*master)(struct rsc *rsc); /* Move to master resource */ ++ void (*next_conj)(struct rsc *rsc); /* Move to next conjugate resource */ + int (*index)(const struct rsc *rsc); /* Return the index of resource */ + /* Return the output slot number */ + int (*output_slot)(const struct rsc *rsc); +--- a/sound/pci/ctxfi/ctsrc.c ++++ b/sound/pci/ctxfi/ctsrc.c +@@ -594,16 +594,15 @@ int src_mgr_destroy(struct src_mgr *src_ + + /* SRCIMP resource manager operations */ + +-static int srcimp_master(struct rsc *rsc) ++static void srcimp_master(struct rsc *rsc) + { + rsc->conj = 0; +- return rsc->idx = container_of(rsc, struct srcimp, rsc)->idx[0]; ++ rsc->idx = container_of(rsc, struct srcimp, rsc)->idx[0]; + } + +-static int srcimp_next_conj(struct rsc *rsc) ++static void srcimp_next_conj(struct rsc *rsc) + { + rsc->conj++; +- return container_of(rsc, struct srcimp, rsc)->idx[rsc->conj]; + } + + static int srcimp_index(const struct rsc *rsc) diff --git a/queue-4.14/binder-fix-test-regression-due-to-sender_euid-change.patch b/queue-4.14/binder-fix-test-regression-due-to-sender_euid-change.patch new file mode 100644 index 00000000000..160ba376eb9 --- /dev/null +++ b/queue-4.14/binder-fix-test-regression-due-to-sender_euid-change.patch @@ -0,0 +1,37 @@ +From c21a80ca0684ec2910344d72556c816cb8940c01 Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Fri, 12 Nov 2021 10:07:20 -0800 +Subject: binder: fix test regression due to sender_euid change + +From: Todd Kjos + +commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream. + +This is a partial revert of commit +29bc22ac5e5b ("binder: use euid from cred instead of using task"). +Setting sender_euid using proc->cred caused some Android system test +regressions that need further investigation. It is a partial +reversion because subsequent patches rely on proc->cred. + +Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task") +Cc: stable@vger.kernel.org # 4.4+ +Acked-by: Christian Brauner +Signed-off-by: Todd Kjos +Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66 +Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2894,7 +2894,7 @@ static void binder_transaction(struct bi + t->from = thread; + else + t->from = NULL; +- t->sender_euid = proc->cred->euid; ++ t->sender_euid = task_euid(proc->tsk); + t->to_proc = target_proc; + t->to_thread = target_thread; + t->code = tr->code; diff --git a/queue-4.14/fuse-fix-page-stealing.patch b/queue-4.14/fuse-fix-page-stealing.patch new file mode 100644 index 00000000000..86be6ca5343 --- /dev/null +++ b/queue-4.14/fuse-fix-page-stealing.patch @@ -0,0 +1,64 @@ +From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 2 Nov 2021 11:10:37 +0100 +Subject: fuse: fix page stealing + +From: Miklos Szeredi + +commit 712a951025c0667ff00b25afc360f74e639dfabe upstream. + +It is possible to trigger a crash by splicing anon pipe bufs to the fuse +device. + +The reason for this is that anon_pipe_buf_release() will reuse buf->page if +the refcount is 1, but that page might have already been stolen and its +flags modified (e.g. PG_lru added). + +This happens in the unlikely case of fuse_dev_splice_write() getting around +to calling pipe_buf_release() after a page has been stolen, added to the +page cache and removed from the page cache. + +Fix by calling pipe_buf_release() right after the page was inserted into +the page cache. In this case the page has an elevated refcount so any +release function will know that the page isn't reusable. + +Reported-by: Frank Dinoff +Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/ +Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device") +Cc: # v2.6.35 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dev.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -897,6 +897,12 @@ static int fuse_try_move_page(struct fus + goto out_put_old; + } + ++ /* ++ * Release while we have extra ref on stolen page. Otherwise ++ * anon_pipe_buf_release() might think the page can be reused. ++ */ ++ pipe_buf_release(cs->pipe, buf); ++ + get_page(newpage); + + if (!(buf->flags & PIPE_BUF_FLAG_LRU)) +@@ -2046,8 +2052,12 @@ static ssize_t fuse_dev_splice_write(str + + pipe_lock(pipe); + out_free: +- for (idx = 0; idx < nbuf; idx++) +- pipe_buf_release(pipe, &bufs[idx]); ++ for (idx = 0; idx < nbuf; idx++) { ++ struct pipe_buffer *buf = &bufs[idx]; ++ ++ if (buf->ops) ++ pipe_buf_release(pipe, buf); ++ } + pipe_unlock(pipe); + + kfree(bufs); diff --git a/queue-4.14/hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch b/queue-4.14/hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch new file mode 100644 index 00000000000..2179e814d3b --- /dev/null +++ b/queue-4.14/hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch @@ -0,0 +1,81 @@ +From 7fb0413baa7f8a04caef0c504df9af7e0623d296 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Mon, 8 Nov 2021 16:31:01 -0800 +Subject: HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts + +From: Jason Gerecke + +commit 7fb0413baa7f8a04caef0c504df9af7e0623d296 upstream. + +The HID descriptor of many of Wacom's touch input devices include a +"Confidence" usage that signals if a particular touch collection contains +useful data. The driver does not look at this flag, however, which causes +even invalid contacts to be reported to userspace. A lucky combination of +kernel event filtering and device behavior (specifically: contact ID 0 == +invalid, contact ID >0 == valid; and order all data so that all valid +contacts are reported before any invalid contacts) spare most devices from +any visibly-bad behavior. + +The DTH-2452 is one example of an unlucky device that misbehaves. It uses +ID 0 for both the first valid contact and all invalid contacts. Because +we report both the valid and invalid contacts, the kernel reports that +contact 0 first goes down (valid) and then goes up (invalid) in every +report. This causes ~100 clicks per second simply by touching the screen. + +This patch inroduces new `confidence` flag in our `hid_data` structure. +The value is initially set to `true` at the start of a report and can be +set to `false` if an invalid touch usage is seen. + +Link: https://github.com/linuxwacom/input-wacom/issues/270 +Fixes: f8b6a74719b5 ("HID: wacom: generic: Support multiple tools per report") +Signed-off-by: Jason Gerecke +Tested-by: Joshua Dickens +Cc: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 8 +++++++- + drivers/hid/wacom_wac.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2433,6 +2433,9 @@ static void wacom_wac_finger_event(struc + struct wacom_features *features = &wacom->wacom_wac.features; + + switch (equivalent_usage) { ++ case HID_DG_CONFIDENCE: ++ wacom_wac->hid_data.confidence = value; ++ break; + case HID_GD_X: + wacom_wac->hid_data.x = value; + break; +@@ -2463,7 +2466,8 @@ static void wacom_wac_finger_event(struc + + + if (usage->usage_index + 1 == field->report_count) { +- if (equivalent_usage == wacom_wac->hid_data.last_slot_field) ++ if (equivalent_usage == wacom_wac->hid_data.last_slot_field && ++ wacom_wac->hid_data.confidence) + wacom_wac_finger_slot(wacom_wac, wacom_wac->touch_input); + } + } +@@ -2476,6 +2480,8 @@ static void wacom_wac_finger_pre_report( + struct hid_data* hid_data = &wacom_wac->hid_data; + int i; + ++ hid_data->confidence = true; ++ + for (i = 0; i < report->maxfield; i++) { + struct hid_field *field = report->field[i]; + int j; +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -293,6 +293,7 @@ struct hid_data { + bool inrange_state; + bool invert_state; + bool tipswitch; ++ bool confidence; + int x; + int y; + int pressure; diff --git a/queue-4.14/media-cec-copy-sequence-field-for-the-reply.patch b/queue-4.14/media-cec-copy-sequence-field-for-the-reply.patch new file mode 100644 index 00000000000..a82d5552479 --- /dev/null +++ b/queue-4.14/media-cec-copy-sequence-field-for-the-reply.patch @@ -0,0 +1,34 @@ +From 13cbaa4c2b7bf9f8285e1164d005dbf08244ecd5 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 2 Nov 2021 12:24:26 +0000 +Subject: media: cec: copy sequence field for the reply + +From: Hans Verkuil + +commit 13cbaa4c2b7bf9f8285e1164d005dbf08244ecd5 upstream. + +When the reply for a non-blocking transmit arrives, the sequence +field for that reply was never filled in, so userspace would have no +way of associating the reply to the original transmit. + +Copy the sequence field to ensure that this is now possible. + +Signed-off-by: Hans Verkuil +Fixes: 0dbacebede1e ([media] cec: move the CEC framework out of staging and to media) +Cc: +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/cec-adap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -1135,6 +1135,7 @@ void cec_received_msg_ts(struct cec_adap + if (abort) + dst->rx_status |= CEC_RX_STATUS_FEATURE_ABORT; + msg->flags = dst->flags; ++ msg->sequence = dst->sequence; + /* Remove it from the wait_queue */ + list_del_init(&data->list); + diff --git a/queue-4.14/series b/queue-4.14/series index 016deee7627..30b324497b6 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -2,3 +2,9 @@ usb-serial-option-add-telit-le910s1-0x9200-composition.patch usb-serial-option-add-fibocom-fm101-gl-variants.patch usb-hub-fix-usb-enumeration-issue-due-to-address0-race.patch usb-hub-fix-locking-issues-with-address0_mutex.patch +binder-fix-test-regression-due-to-sender_euid-change.patch +alsa-ctxfi-fix-out-of-range-access.patch +media-cec-copy-sequence-field-for-the-reply.patch +hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch +staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch +fuse-fix-page-stealing.patch diff --git a/queue-4.14/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch b/queue-4.14/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch new file mode 100644 index 00000000000..c250151e69a --- /dev/null +++ b/queue-4.14/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch @@ -0,0 +1,39 @@ +From b535917c51acc97fb0761b1edec85f1f3d02bda4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 17 Nov 2021 10:20:16 +0300 +Subject: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() + +From: Dan Carpenter + +commit b535917c51acc97fb0761b1edec85f1f3d02bda4 upstream. + +The free_rtllib() function frees the "dev" pointer so there is use +after free on the next line. Re-arrange things to avoid that. + +Fixes: 66898177e7e5 ("staging: rtl8192e: Fix unload/reload problem") +Cc: stable +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211117072016.GA5237@kili +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c ++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +@@ -2582,13 +2582,14 @@ static void _rtl92e_pci_disconnect(struc + free_irq(dev->irq, dev); + priv->irq = 0; + } +- free_rtllib(dev); + + if (dev->mem_start != 0) { + iounmap((void __iomem *)dev->mem_start); + release_mem_region(pci_resource_start(pdev, 1), + pci_resource_len(pdev, 1)); + } ++ ++ free_rtllib(dev); + } else { + priv = rtllib_priv(dev); + }