From: Greg Kroah-Hartman Date: Mon, 3 Apr 2023 08:11:50 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.14.312~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7139df71bc70450fb9501f4819ad64b80047003;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch input-alps-fix-compatibility-with-funsigned-char.patch input-focaltech-use-explicitly-signed-char-type.patch
---
diff --git a/queue-4.19/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch b/queue-4.19/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch
new file mode 100644
index 00000000000..ce39685c916
--- /dev/null
+++ b/queue-4.19/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch
@@ -0,0 +1,62 @@
+From 179a88a8558bbf42991d361595281f3e45d7edfc Mon Sep 17 00:00:00 2001
+From: David Disseldorp
+Date: Wed, 29 Mar 2023 22:24:06 +0200
+Subject: cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
+
+From: David Disseldorp
+
+commit 179a88a8558bbf42991d361595281f3e45d7edfc upstream.
+
+When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount
+is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to
+S_AUTOMOUNT and corresponding dentry flags is retained regardless of
+CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in
+VFS follow_automount() when traversing a DFS referral link:
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ ...
+ Call Trace:
+
+ __traverse_mounts+0xb5/0x220
+ ? cifs_revalidate_mapping+0x65/0xc0 [cifs]
+ step_into+0x195/0x610
+ ? lookup_fast+0xe2/0xf0
+ path_lookupat+0x64/0x140
+ filename_lookup+0xc2/0x140
+ ? __create_object+0x299/0x380
+ ? kmem_cache_alloc+0x119/0x220
+ ? user_path_at_empty+0x31/0x50
+ user_path_at_empty+0x31/0x50
+ __x64_sys_chdir+0x2a/0xd0
+ ? exit_to_user_mode_prepare+0xca/0x100
+ do_syscall_64+0x42/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler
+when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to
+avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This
+approach was chosen as it provides more control over the error path.
+
+Signed-off-by: David Disseldorp
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (SUSE)
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/cifsfs.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/cifsfs.h
++++ b/fs/cifs/cifsfs.h
+@@ -121,7 +121,10 @@ extern const struct dentry_operations ci
+ #ifdef CONFIG_CIFS_DFS_UPCALL
+ extern struct vfsmount *cifs_dfs_d_automount(struct path *path);
+ #else
+-#define cifs_dfs_d_automount NULL
++static inline struct vfsmount *cifs_dfs_d_automount(struct path *path)
++{
++ return ERR_PTR(-EREMOTE);
++}
+ #endif
+
+ /* Functions related to symlinks */
diff --git a/queue-4.19/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch b/queue-4.19/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch
new file mode 100644
index 00000000000..b296d6064d6
--- /dev/null
+++ b/queue-4.19/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch
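Review bot: The new `cifs_dfs_d_automount()` stub in fs/cifs/cifsfs.h has no comment saying why a real function is needed where `NULL` used to be, so a later cleanup could plausibly turn it back into a macro and bring back the NULL call described in the commit message. I would add above it: `/* DFS referrals are still flagged S_AUTOMOUNT without CONFIG_CIFS_DFS_UPCALL, so d_automount must be callable; fail the traversal with -EREMOTE. */`. Referral attributes presumably originate from the server's responses (inferred from the commit text, not visible in the hunk), which makes this a path worth marking as reachable from remote input. The stub uses `ERR_PTR()`, so it is also worth confirming that every includer of cifsfs.h already has `<linux/err.h>` in scope; the include list is outside the hunk.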
@@ -0,0 +1,40 @@
+From 09ba47b44d26b475bbdf9c80db9e0193d2b58956 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Wed, 29 Mar 2023 17:14:22 -0300
+Subject: cifs: prevent infinite recursion in CIFSGetDFSRefer()
+
+From: Paulo Alcantara
+
+commit 09ba47b44d26b475bbdf9c80db9e0193d2b58956 upstream.
+
+We can't call smb_init() in CIFSGetDFSRefer() as cifs_reconnect_tcon()
+may end up calling CIFSGetDFSRefer() again to get new DFS referrals
+and thus causing an infinite recursion.
+
+Signed-off-by: Paulo Alcantara (SUSE)
+Reviewed-by: Ronnie Sahlberg
+Cc: stable@vger.kernel.org # 6.2
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/cifssmb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -4895,8 +4895,13 @@ CIFSGetDFSRefer(const unsigned int xid,
+ return -ENODEV;
+
+ getDFSRetry:
+- rc = smb_init(SMB_COM_TRANSACTION2, 15, ses->tcon_ipc, (void **) &pSMB,
+- (void **) &pSMBr);
++ /*
++ * Use smb_init_no_reconnect() instead of smb_init() as
++ * CIFSGetDFSRefer() may be called from cifs_reconnect_tcon() and thus
++ * causing an infinite recursion.
++ */
++ rc = smb_init_no_reconnect(SMB_COM_TRANSACTION2, 15, ses->tcon_ipc,
++ (void **)&pSMB, (void **)&pSMBr);
+ if (rc)
+ return rc;
+
diff --git a/queue-4.19/input-alps-fix-compatibility-with-funsigned-char.patch b/queue-4.19/input-alps-fix-compatibility-with-funsigned-char.patch
new file mode 100644
index 00000000000..7162e4db0b1
--- /dev/null
+++ b/queue-4.19/input-alps-fix-compatibility-with-funsigned-char.patch
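Review bot: The comment added above the `smb_init_no_reconnect()` call in CIFSGetDFSRefer() says why reconnect is skipped but its last clause does not parse, and it does not say what happens under `getDFSRetry:` when the IPC tcon really does need reconnecting. Suggested wording: `/* smb_init() may reconnect, and cifs_reconnect_tcon() may call back into CIFSGetDFSRefer(); use the no-reconnect variant to break that cycle. */`, plus one sentence on the expected return code for a stale session once that is confirmed. The trailer marks the fix `# 6.2` while this is the 4.19 queue, so it is worth checking that the recursive call path exists in this tree. The function starts and ends outside the hunk.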
@@ -0,0 +1,77 @@
+From 754ff5060daf5a1cf4474eff9b4edeb6c17ef7ab Mon Sep 17 00:00:00 2001
+From: msizanoen
+Date: Sun, 19 Mar 2023 23:02:56 -0700
+Subject: Input: alps - fix compatibility with -funsigned-char
+
+From: msizanoen
+
+commit 754ff5060daf5a1cf4474eff9b4edeb6c17ef7ab upstream.
+
+The AlpsPS/2 code previously relied on the assumption that `char` is a
+signed type, which was true on x86 platforms (the only place where this
+driver is used) before kernel 6.2. However, on 6.2 and later, this
+assumption is broken due to the introduction of -funsigned-char as a new
+global compiler flag.
+
+Fix this by explicitly specifying the signedness of `char` when sign
+extending the values received from the device.
+
+Fixes: f3f33c677699 ("Input: alps - Rushmore and v7 resolution support")
+Signed-off-by: msizanoen
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230320045228.182259-1-msizanoen@qtmlabs.xyz
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/mouse/alps.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -855,8 +855,8 @@ static void alps_process_packet_v6(struc
+ x = y = z = 0;
+
+ /* Divide 4 since trackpoint's speed is too fast */
+- input_report_rel(dev2, REL_X, (char)x / 4);
+- input_report_rel(dev2, REL_Y, -((char)y / 4));
++ input_report_rel(dev2, REL_X, (s8)x / 4);
++ input_report_rel(dev2, REL_Y, -((s8)y / 4));
+
+ psmouse_report_standard_buttons(dev2, packet[3]);
+
+@@ -1107,8 +1107,8 @@ static void alps_process_trackstick_pack
+ ((packet[3] & 0x20) << 1);
+ z = (packet[5] & 0x3f) | ((packet[3] & 0x80) >> 1);
+
+- input_report_rel(dev2, REL_X, (char)x);
+- input_report_rel(dev2, REL_Y, -((char)y));
++ input_report_rel(dev2, REL_X, (s8)x);
++ input_report_rel(dev2, REL_Y, -((s8)y));
+ input_report_abs(dev2, ABS_PRESSURE, z);
+
+ psmouse_report_standard_buttons(dev2, packet[1]);
+@@ -2297,20 +2297,20 @@ static int alps_get_v3_v7_resolution(str
+ if (reg < 0)
+ return reg;
+
+- x_pitch = (char)(reg << 4) >> 4; /* sign extend lower 4 bits */
++ x_pitch = (s8)(reg << 4) >> 4; /* sign extend lower 4 bits */
+ x_pitch = 50 + 2 * x_pitch; /* In 0.1 mm units */
+
+- y_pitch = (char)reg >> 4; /* sign extend upper 4 bits */
++ y_pitch = (s8)reg >> 4; /* sign extend upper 4 bits */
+ y_pitch = 36 + 2 * y_pitch; /* In 0.1 mm units */
+
+ reg = alps_command_mode_read_reg(psmouse, reg_pitch + 1);
+ if (reg < 0)
+ return reg;
+
+- x_electrode = (char)(reg << 4) >> 4; /* sign extend lower 4 bits */
++ x_electrode = (s8)(reg << 4) >> 4; /* sign extend lower 4 bits */
+ x_electrode = 17 + x_electrode;
+
+- y_electrode = (char)reg >> 4; /* sign extend upper 4 bits */
++ y_electrode = (s8)reg >> 4; /* sign extend upper 4 bits */
+ y_electrode = 13 + y_electrode;
+
+ x_phys = x_pitch * (x_electrode - 1); /* In 0.1 mm units */
diff --git a/queue-4.19/input-focaltech-use-explicitly-signed-char-type.patch b/queue-4.19/input-focaltech-use-explicitly-signed-char-type.patch
new file mode 100644
index 00000000000..46d2298c524
--- /dev/null
+++ b/queue-4.19/input-focaltech-use-explicitly-signed-char-type.patch
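Review bot: In alps_get_v3_v7_resolution() the nibble sign extension is still spelled as cast-and-shift, e.g. `x_pitch = (s8)(reg << 4) >> 4;`, which leans on the narrowing conversion to `s8` and on an arithmetic right shift of a negative value, both implementation-defined in C. The kernel's bitops helper states the intent directly and does not depend on a char-sized type: `x_pitch = sign_extend32(reg, 3);` and `y_pitch = sign_extend32(reg >> 4, 3);`, and likewise for `x_electrode` and `y_electrode`. The plain `(s8)x` and `(s8)y` casts in the two packet handlers of the earlier hunks are fine as written. All three functions extend beyond the hunks shown.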
@@ -0,0 +1,50 @@
+From 8980f190947ba29f23110408e712444884b74251 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Sun, 19 Mar 2023 21:36:36 -0700
+Subject: Input: focaltech - use explicitly signed char type
+
+From: Jason A. Donenfeld
+
+commit 8980f190947ba29f23110408e712444884b74251 upstream.
+
+The recent change of -funsigned-char causes additions of negative
+numbers to become additions of large positive numbers, leading to wrong
+calculations of mouse movement. Change these casts to be explicitly
+signed, to take into account negative offsets.
+
+Fixes: 3bc753c06dd0 ("kbuild: treat char as always unsigned")
+Signed-off-by: Jason A. Donenfeld
+Reviewed-by: Hans de Goede
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217211
+Link: https://lore.kernel.org/r/20230318133010.1285202-1-Jason@zx2c4.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/mouse/focaltech.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/mouse/focaltech.c
++++ b/drivers/input/mouse/focaltech.c
+@@ -206,8 +206,8 @@ static void focaltech_process_rel_packet
+ state->pressed = packet[0] >> 7;
+ finger1 = ((packet[0] >> 4) & 0x7) - 1;
+ if (finger1 < FOC_MAX_FINGERS) {
+- state->fingers[finger1].x += (char)packet[1];
+- state->fingers[finger1].y += (char)packet[2];
++ state->fingers[finger1].x += (s8)packet[1];
++ state->fingers[finger1].y += (s8)packet[2];
+ } else {
+ psmouse_err(psmouse, "First finger in rel packet invalid: %d\n",
+ finger1);
+@@ -222,8 +222,8 @@ static void focaltech_process_rel_packet
+ */
+ finger2 = ((packet[3] >> 4) & 0x7) - 1;
+ if (finger2 < FOC_MAX_FINGERS) {
+- state->fingers[finger2].x += (char)packet[4];
+- state->fingers[finger2].y += (char)packet[5];
++ state->fingers[finger2].x += (s8)packet[4];
++ state->fingers[finger2].y += (s8)packet[5];
+ }
+ }
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 6d3da2155a8..68811760df8 100644
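Review bot: The bound check `if (finger1 < FOC_MAX_FINGERS)` in focaltech_process_rel_packet() guards only the upper end, while `finger1` is computed as `((packet[0] >> 4) & 0x7) - 1` from device-supplied bytes and becomes -1 when that field is 0. The declarations are outside the hunk; if `finger1` and `finger2` are signed (the `%d` in the error message suggests they are), -1 passes the check and the accumulation writes to `state->fingers[-1]`, which this commit leaves unchanged. Consider `if (finger1 >= 0 && finger1 < FOC_MAX_FINGERS) {` and the same guard for `finger2`, or declare both as `unsigned int` and print with `%u`.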
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -66,3 +66,7 @@ can-bcm-bcm_tx_setup-fix-kmsan-uninit-value-in-vfs_w.patch
 i40e-fix-registers-dump-after-run-ethtool-adapter-se.patch
 net-dsa-mv88e6xxx-enable-igmp-snooping-on-user-ports.patch
 net-mvneta-make-tx-buffer-array-agnostic.patch
+input-alps-fix-compatibility-with-funsigned-char.patch
+input-focaltech-use-explicitly-signed-char-type.patch
+cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch
+cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch