From: Greg Kroah-Hartman Date: Wed, 22 Dec 2021 12:51:16 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.4.297~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a47aa1ad0fb413cf176499d530e06cdfbf347d0d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: hid-holtek-fix-mouse-probing.patch hid-potential-dereference-of-null-pointer.patch nfsd-fix-readdir-buffer-overflow.patch pm-sleep-fix-error-handling-in-dpm_prepare.patch selftests-kvm-fix-non-x86-compiling.patch
---
diff --git a/queue-5.15/hid-holtek-fix-mouse-probing.patch b/queue-5.15/hid-holtek-fix-mouse-probing.patch
new file mode 100644
index 00000000000..7b62087018c
--- /dev/null
+++ b/queue-5.15/hid-holtek-fix-mouse-probing.patch
@@ -0,0 +1,49 @@
+From 93a2207c254ca102ebbdae47b00f19bbfbfa7ecd Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires
+Date: Mon, 20 Dec 2021 10:51:20 +0100
+Subject: HID: holtek: fix mouse probing
+
+From: Benjamin Tissoires
+
+commit 93a2207c254ca102ebbdae47b00f19bbfbfa7ecd upstream.
+
+An overlook from the previous commit: we don't even parse or start the
+device, meaning that the device is not presented to user space.
+
+Fixes: 93020953d0fa ("HID: check for valid USB device for many HID drivers")
+Cc: stable@vger.kernel.org
+Link: https://bugs.archlinux.org/task/73048
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215341
+Link: https://lore.kernel.org/r/e4efbf13-bd8d-0370-629b-6c80c0044b15@leemhuis.info/
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-holtek-mouse.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/hid/hid-holtek-mouse.c
++++ b/drivers/hid/hid-holtek-mouse.c
+@@ -65,8 +65,23 @@ static __u8 *holtek_mouse_report_fixup(s
+ static int holtek_mouse_probe(struct hid_device *hdev,
+ const struct hid_device_id *id)
+ {
++ int ret;
++
+ if (!hid_is_usb(hdev))
+ return -EINVAL;
++
++ ret = hid_parse(hdev);
++ if (ret) {
++ hid_err(hdev, "hid parse failed: %d\n", ret);
++ return ret;
++ }
++
++ ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
++ if (ret) {
++ hid_err(hdev, "hw start failed: %d\n", ret);
++ return ret;
++ }
++
+ return 0;
+ }
+
diff --git a/queue-5.15/hid-potential-dereference-of-null-pointer.patch b/queue-5.15/hid-potential-dereference-of-null-pointer.patch
new file mode 100644
index 00000000000..19c3c165c4b
--- /dev/null
+++ b/queue-5.15/hid-potential-dereference-of-null-pointer.patch
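Review bot: The `hid_is_usb()` guard at the top of `holtek_mouse_probe()` carries no comment saying that it has to stay ahead of the newly added `hid_parse()` and `hid_hw_start()` calls. The Fixes: tag names the commit that introduced USB-device validation for HID drivers, so the ordering looks deliberate: a device that is not USB-attached should be rejected before any descriptor parsing runs, presumably because the report fixup named in the hunk header relies on a USB parent, though its body is outside this hunk. I would add `/* Must run before hid_parse(): only USB-attached devices are valid for this driver. */` above the check so a later cleanup does not reorder it. The two error returns need no unwinding as written, since nothing has been started when either of them is taken.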
@@ -0,0 +1,35 @@
+From 13251ce1dd9bb525da2becb9b26fdfb94ca58659 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang
+Date: Wed, 15 Dec 2021 16:36:05 +0800
+Subject: HID: potential dereference of null pointer
+
+From: Jiasheng Jiang
+
+commit 13251ce1dd9bb525da2becb9b26fdfb94ca58659 upstream.
+
+The return value of devm_kzalloc() needs to be checked.
+To avoid hdev->dev->driver_data to be null in case of the failure of
+alloc.
+
+Fixes: 14c9c014babe ("HID: add vivaldi HID driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Benjamin Tissoires
+Link: https://lore.kernel.org/r/20211215083605.117638-1-jiasheng@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-vivaldi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-vivaldi.c
++++ b/drivers/hid/hid-vivaldi.c
+@@ -57,6 +57,9 @@ static int vivaldi_probe(struct hid_devi
+ int ret;
+
+ drvdata = devm_kzalloc(&hdev->dev, sizeof(*drvdata), GFP_KERNEL);
++ if (!drvdata)
++ return -ENOMEM;
++
+ hid_set_drvdata(hdev, drvdata);
+
+ ret = hid_parse(hdev);
diff --git a/queue-5.15/nfsd-fix-readdir-buffer-overflow.patch b/queue-5.15/nfsd-fix-readdir-buffer-overflow.patch
new file mode 100644
index 00000000000..d732698a0b2
--- /dev/null
+++ b/queue-5.15/nfsd-fix-readdir-buffer-overflow.patch
@@ -0,0 +1,105 @@
+From 53b1119a6e5028b125f431a0116ba73510d82a72 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Thu, 16 Dec 2021 11:12:11 -0500
+Subject: NFSD: Fix READDIR buffer overflow
+
+From: Chuck Lever
+
+commit 53b1119a6e5028b125f431a0116ba73510d82a72 upstream.
+
+If a client sends a READDIR count argument that is too small (say,
+zero), then the buffer size calculation in the new init_dirlist
+helper functions results in an underflow, allowing the XDR stream
+functions to write beyond the actual buffer.
+
+This calculation has always been suspect. NFSD has never sanity-
+checked the READDIR count argument, but the old entry encoders
+managed the problem correctly.
+
+With the commits below, entry encoding changed, exposing the
+underflow to the pointer arithmetic in xdr_reserve_space().
+
+Modern NFS clients attempt to retrieve as much data as possible
+for each READDIR request. Also, we have no unit tests that
+exercise the behavior of READDIR at the lower bound of @count
+values. Thus this case was missed during testing.
+
+Reported-by: Anatoly Trosinenko
+Fixes: f5dcccd647da ("NFSD: Update the NFSv2 READDIR entry encoder to use struct xdr_stream")
+Fixes: 7f87fc2d34d4 ("NFSD: Update NFSv3 READDIR entry encoders to use struct xdr_stream")
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs3proc.c | 11 ++++-------
+ fs/nfsd/nfsproc.c | 8 ++++----
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+--- a/fs/nfsd/nfs3proc.c
++++ b/fs/nfsd/nfs3proc.c
+@@ -439,22 +439,19 @@ nfsd3_proc_link(struct svc_rqst *rqstp)
+
+ static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp,
+ struct nfsd3_readdirres *resp,
+- int count)
++ u32 count)
+ {
+ struct xdr_buf *buf = &resp->dirlist;
+ struct xdr_stream *xdr = &resp->xdr;
+
+- count = min_t(u32, count, svc_max_payload(rqstp));
++ count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
+
+ memset(buf, 0, sizeof(*buf));
+
+ /* Reserve room for the NULL ptr & eof flag (-2 words) */
+ buf->buflen = count - XDR_UNIT * 2;
+ buf->pages = rqstp->rq_next_page;
+- while (count > 0) {
+- rqstp->rq_next_page++;
+- count -= PAGE_SIZE;
+- }
++ rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
+
+ /* This is xdr_init_encode(), but it assumes that
+ * the head kvec has already been consumed. */
+@@ -463,7 +460,7 @@ static void nfsd3_init_dirlist_pages(str
+ xdr->page_ptr = buf->pages;
+ xdr->iov = NULL;
+ xdr->p = page_address(*buf->pages);
+- xdr->end = xdr->p + (PAGE_SIZE >> 2);
++ xdr->end = (void *)xdr->p + min_t(u32, buf->buflen, PAGE_SIZE);
+ xdr->rqst = NULL;
+ }
+
+--- a/fs/nfsd/nfsproc.c
++++ b/fs/nfsd/nfsproc.c
+@@ -557,17 +557,17 @@ nfsd_proc_rmdir(struct svc_rqst *rqstp)
+
+ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
+ struct nfsd_readdirres *resp,
+- int count)
++ u32 count)
+ {
+ struct xdr_buf *buf = &resp->dirlist;
+ struct xdr_stream *xdr = &resp->xdr;
+
+- count = min_t(u32, count, PAGE_SIZE);
++ count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
+
+ memset(buf, 0, sizeof(*buf));
+
+ /* Reserve room for the NULL ptr & eof flag (-2 words) */
+- buf->buflen = count - sizeof(__be32) * 2;
++ buf->buflen = count - XDR_UNIT * 2;
+ buf->pages = rqstp->rq_next_page;
+ rqstp->rq_next_page++;
+
+@@ -578,7 +578,7 @@ static void nfsd_init_dirlist_pages(stru
+ xdr->page_ptr = buf->pages;
+ xdr->iov = NULL;
+ xdr->p = page_address(*buf->pages);
+- xdr->end = xdr->p + (PAGE_SIZE >> 2);
++ xdr->end = (void *)xdr->p + min_t(u32, buf->buflen, PAGE_SIZE);
+ xdr->rqst = NULL;
+ }
+
diff --git a/queue-5.15/pm-sleep-fix-error-handling-in-dpm_prepare.patch b/queue-5.15/pm-sleep-fix-error-handling-in-dpm_prepare.patch
new file mode 100644
index 00000000000..001e483d109
--- /dev/null
+++ b/queue-5.15/pm-sleep-fix-error-handling-in-dpm_prepare.patch
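Review bot: In the fs/nfsd/nfsproc.c part, the upper bound on `count` moves from `PAGE_SIZE` to `svc_max_payload(rqstp)`, yet the function still sets aside exactly one page with `rqstp->rq_next_page++`, so `buf->buflen` can now describe more space than was reserved. `xdr->end` is capped at `PAGE_SIZE` for the first page, but `buflen` is the overall limit of the stream, so as far as these lines show a client-supplied count above one page leaves the encoder bounded by a length larger than the backing storage. The NFSv3 function in the same patch avoids this by advancing `rq_next_page` by the page count derived from `buflen`. For NFSv2 I would keep the previous ceiling, `count = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE);`. A few lines of `nfsd_init_dirlist_pages()` fall between the two nfsproc.c hunks and are not visible here, so confirm nothing there limits the length before relying on this reading.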
@@ -0,0 +1,42 @@
+From 544e737dea5ad1a457f25dbddf68761ff25e028b Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Thu, 16 Dec 2021 20:30:18 +0100
+Subject: PM: sleep: Fix error handling in dpm_prepare()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafael J. Wysocki
+
+commit 544e737dea5ad1a457f25dbddf68761ff25e028b upstream.
+
+Commit 2aa36604e824 ("PM: sleep: Avoid calling put_device() under
+dpm_list_mtx") forgot to update the while () loop termination
+condition to also break the loop if error is nonzero, which
+causes the loop to become infinite if device_prepare() returns
+an error for one device.
+
+Add the missing !error check.
+
+Fixes: 2aa36604e824 ("PM: sleep: Avoid calling put_device() under dpm_list_mtx")
+Signed-off-by: Rafael J. Wysocki
+Reported-by: Thomas Hellström
+Reviewed-by: Thomas Hellström
+Reviewed-by: Ulf Hansson
+Cc: All applicable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/power/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1906,7 +1906,7 @@ int dpm_prepare(pm_message_t state)
+ device_block_probing();
+
+ mutex_lock(&dpm_list_mtx);
+- while (!list_empty(&dpm_list)) {
++ while (!list_empty(&dpm_list) && !error) {
+ struct device *dev = to_device(dpm_list.next);
+
+ get_device(dev);
diff --git a/queue-5.15/selftests-kvm-fix-non-x86-compiling.patch b/queue-5.15/selftests-kvm-fix-non-x86-compiling.patch
new file mode 100644
index 00000000000..e0133e800f5
--- /dev/null
+++ b/queue-5.15/selftests-kvm-fix-non-x86-compiling.patch
@@ -0,0 +1,76 @@
+From 577e022b7b41854911dcfb03678d8d2b930e8a3f Mon Sep 17 00:00:00 2001
+From: Andrew Jones
+Date: Tue, 14 Dec 2021 16:18:42 +0100
+Subject: selftests: KVM: Fix non-x86 compiling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrew Jones
+
+commit 577e022b7b41854911dcfb03678d8d2b930e8a3f upstream.
+
+Attempting to compile on a non-x86 architecture fails with
+
+include/kvm_util.h: In function ‘vm_compute_max_gfn’:
+include/kvm_util.h:79:21: error: dereferencing pointer to incomplete type ‘struct kvm_vm’
+ return ((1ULL << vm->pa_bits) >> vm->page_shift) - 1;
+ ^~
+
+This is because the declaration of struct kvm_vm is in
+lib/kvm_util_internal.h as an effort to make it private to
+the test lib code. We can still provide arch specific functions,
+though, by making the generic function symbols weak. Do that to
+fix the compile error.
+
+Fixes: c8cc43c1eae2 ("selftests: KVM: avoid failures due to reserved HyperTransport region")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Jones
+Message-Id: <20211214151842.848314-1-drjones@redhat.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/kvm/include/kvm_util.h | 10 +---------
+ tools/testing/selftests/kvm/lib/kvm_util.c | 5 +++++
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/tools/testing/selftests/kvm/include/kvm_util.h
++++ b/tools/testing/selftests/kvm/include/kvm_util.h
+@@ -69,15 +69,6 @@ enum vm_guest_mode {
+
+ #endif
+
+-#if defined(__x86_64__)
+-unsigned long vm_compute_max_gfn(struct kvm_vm *vm);
+-#else
+-static inline unsigned long vm_compute_max_gfn(struct kvm_vm *vm)
+-{
+- return ((1ULL << vm->pa_bits) >> vm->page_shift) - 1;
+-}
+-#endif
+-
+ #define MIN_PAGE_SIZE (1U << MIN_PAGE_SHIFT)
+ #define PTES_PER_MIN_PAGE ptes_per_page(MIN_PAGE_SIZE)
+
+@@ -318,6 +309,7 @@ bool vm_is_unrestricted_guest(struct kvm
+
+ unsigned int vm_get_page_size(struct kvm_vm *vm);
+ unsigned int vm_get_page_shift(struct kvm_vm *vm);
++unsigned long vm_compute_max_gfn(struct kvm_vm *vm);
+ uint64_t vm_get_max_gfn(struct kvm_vm *vm);
+ int vm_get_fd(struct kvm_vm *vm);
+
+--- a/tools/testing/selftests/kvm/lib/kvm_util.c
++++ b/tools/testing/selftests/kvm/lib/kvm_util.c
+@@ -2282,6 +2282,11 @@ unsigned int vm_get_page_shift(struct kv
+ return vm->page_shift;
+ }
+
++unsigned long __attribute__((weak)) vm_compute_max_gfn(struct kvm_vm *vm)
++{
++ return ((1ULL << vm->pa_bits) >> vm->page_shift) - 1;
++}
++
+ uint64_t vm_get_max_gfn(struct kvm_vm *vm)
+ {
+ return vm->max_gfn;
diff --git a/queue-5.15/series b/queue-5.15/series
index 960b737c2d0..1a0882ddafb 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -3,3 +3,8 @@ net-usb-lan78xx-add-allied-telesis-at29m2-af.patch
 ext4-prevent-partial-update-of-the-extent-blocks.patch
 ext4-check-for-out-of-order-index-extents-in-ext4_valid_extent_entries.patch
 ext4-check-for-inconsistent-extents-between-index-and-leaf-block.patch
+selftests-kvm-fix-non-x86-compiling.patch
+hid-holtek-fix-mouse-probing.patch
+hid-potential-dereference-of-null-pointer.patch
+nfsd-fix-readdir-buffer-overflow.patch
+pm-sleep-fix-error-handling-in-dpm_prepare.patch