From: Greg Kroah-Hartman
Date: Thu, 29 Jun 2023 18:21:12 +0000 (+0200)
Subject: 6.4-stable patches
X-Git-Tag: v6.4.1~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee1f4853c8373eb516772891fc05559d9228bde8;p=thirdparty%2Fkernel%2Fstable-queue.git
6.4-stable patches
added patches:
fbdev-fix-potential-oob-read-in-fast_imageblit.patch
hid-hidraw-fix-data-race-on-device-refcount.patch
hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch
hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
mm-khugepaged-fix-regression-in-collapse_file.patch
---
diff --git a/queue-6.4/fbdev-fix-potential-oob-read-in-fast_imageblit.patch b/queue-6.4/fbdev-fix-potential-oob-read-in-fast_imageblit.patch
new file mode 100644
index 00000000000..3aa7ad4005d
--- /dev/null
+++ b/queue-6.4/fbdev-fix-potential-oob-read-in-fast_imageblit.patch
@@ -0,0 +1,40 @@
+From c2d22806aecb24e2de55c30a06e5d6eb297d161d Mon Sep 17 00:00:00 2001
+From: Zhang Shurong
+Date: Sun, 25 Jun 2023 00:16:49 +0800
+Subject: fbdev: fix potential OOB read in fast_imageblit()
+
+From: Zhang Shurong
+
+commit c2d22806aecb24e2de55c30a06e5d6eb297d161d upstream.
+
+There is a potential OOB read at fast_imageblit, for
+"colortab[(*src >> 4)]" can become a negative value due to
+"const char *s = image->data, *src".
+This change makes sure the index for colortab always positive
+or zero.
+
+Similar commit:
+https://patchwork.kernel.org/patch/11746067
+
+Potential bug report:
+https://groups.google.com/g/syzkaller-bugs/c/9ubBXKeKXf4/m/k-QXy4UgAAAJ
+
+Signed-off-by: Zhang Shurong
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/sysimgblt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/sysimgblt.c
++++ b/drivers/video/fbdev/core/sysimgblt.c
+@@ -189,7 +189,7 @@ static void fast_imageblit(const struct
+ u32 fgx = fgcolor, bgx = bgcolor, bpp = p->var.bits_per_pixel;
+ u32 ppw = 32/bpp, spitch = (image->width + 7)/8;
+ u32 bit_mask, eorx, shift;
+- const char *s = image->data, *src;
++ const u8 *s = image->data, *src;
+ u32 *dst;
+ const u32 *tab;
+ size_t tablen;
diff --git a/queue-6.4/hid-hidraw-fix-data-race-on-device-refcount.patch b/queue-6.4/hid-hidraw-fix-data-race-on-device-refcount.patch
new file mode 100644
index 00000000000..415b0bf5644
--- /dev/null
+++ b/queue-6.4/hid-hidraw-fix-data-race-on-device-refcount.patch
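Review bot: The retyped declaration `const u8 *s = image->data, *src;` in fast_imageblit() gives no hint of why the element type matters, so a later cleanup back to `char` would silently bring back the negative table index described in the commit message on any build where plain `char` is signed. A short comment on that line would pin it, e.g. `/* u8, not char: bytes >= 0x80 must not sign-extend before indexing the colour table */`. The indexing expression and the rest of the function are outside this hunk, so it is worth confirming that no other read of `image->data` in this file still goes through a plain `char` pointer. If this tree is already built with `-funsigned-char` (mainline has done so since around 6.2, as far as I recall), the change is mostly a type-clarity fix here and matters more for older backports.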
@@ -0,0 +1,55 @@
+From 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b Mon Sep 17 00:00:00 2001
+From: Ludvig Michaelsson
+Date: Wed, 21 Jun 2023 13:17:43 +0200
+Subject: HID: hidraw: fix data race on device refcount
+
+From: Ludvig Michaelsson
+
+commit 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b upstream.
+
+The hidraw_open() function increments the hidraw device reference
+counter. The counter has no dedicated synchronization mechanism,
+resulting in a potential data race when concurrently opening a device.
+
+The race is a regression introduced by commit 8590222e4b02 ("HID:
+hidraw: Replace hidraw device table mutex with a rwsem"). While
+minors_rwsem is intended to protect the hidraw_table itself, by instead
+acquiring the lock for writing, the reference counter is also protected.
+This is symmetrical to hidraw_release().
+
+Link: https://github.com/systemd/systemd/issues/27947
+Fixes: 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ludvig Michaelsson
+Link: https://lore.kernel.org/r/20230621-hidraw-race-v1-1-a58e6ac69bab@yubico.com
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hidraw.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -272,7 +272,12 @@ static int hidraw_open(struct inode *ino
+ goto out;
+ }
+
+- down_read(&minors_rwsem);
++ /*
++ * Technically not writing to the hidraw_table but a write lock is
++ * required to protect the device refcount. This is symmetrical to
++ * hidraw_release().
++ */
++ down_write(&minors_rwsem);
+ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
+ err = -ENODEV;
+ goto out_unlock;
+@@ -301,7 +306,7 @@ static int hidraw_open(struct inode *ino
+ spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
+ file->private_data = list;
+ out_unlock:
+- up_read(&minors_rwsem);
++ up_write(&minors_rwsem);
+ out:
+ if (err < 0)
+ kfree(list);
diff --git a/queue-6.4/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch b/queue-6.4/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch
new file mode 100644
index 00000000000..d3f8ec2960c
--- /dev/null
+++ b/queue-6.4/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch
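Review bot: The rule that the device refcount is guarded by holding `minors_rwsem` for writing is recorded only in the comment above `down_write(&minors_rwsem);` in hidraw_open(), so any other path that touches the counter under `down_read()` would reintroduce the race without tripping anything. I would state the locking rule once at the counter's declaration (not visible in this patch), for example `/* protected by minors_rwsem held for writing */`, and consider `lockdep_assert_held_write(&minors_rwsem);` in any helper that modifies it. The write lock also appears to serialize every open across all hidraw minors, which looks acceptable for an open path but deserves a word in the new comment. hidraw_open() starts and ends outside both inner hunks.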
@@ -0,0 +1,34 @@
+From 5fe251112646d8626818ea90f7af325bab243efa Mon Sep 17 00:00:00 2001
+From: Mike Hommey
+Date: Sun, 18 Jun 2023 08:09:57 +0900
+Subject: HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651.
+
+From: Mike Hommey
+
+commit 5fe251112646d8626818ea90f7af325bab243efa upstream.
+
+commit 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if
+not necessary") put restarting communication behind that flag, and this
+was apparently necessary on the T651, but the flag was not set for it.
+
+Fixes: 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if not necessary")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Hommey
+Link: https://lore.kernel.org/r/20230617230957.6mx73th4blv7owqk@glandium.org
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-logitech-hidpp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -4553,7 +4553,7 @@ static const struct hid_device_id hidpp_
+ { /* wireless touchpad T651 */
+ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH,
+ USB_DEVICE_ID_LOGITECH_T651),
+- .driver_data = HIDPP_QUIRK_CLASS_WTP },
++ .driver_data = HIDPP_QUIRK_CLASS_WTP | HIDPP_QUIRK_DELAYED_INIT },
+ { /* Mouse Logitech Anywhere MX */
+ LDJ_DEVICE(0x1017), .driver_data = HIDPP_QUIRK_HI_RES_SCROLL_1P0 },
+ { /* Mouse logitech M560 */
diff --git a/queue-6.4/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch b/queue-6.4/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
new file mode 100644
index 00000000000..74cd9fcb329
--- /dev/null
+++ b/queue-6.4/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
@@ -0,0 +1,70 @@
+From 9a6c0e28e215535b2938c61ded54603b4e5814c5 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke
+Date: Thu, 8 Jun 2023 14:38:28 -0700
+Subject: HID: wacom: Use ktime_t rather than int when dealing with timestamps
+
+From: Jason Gerecke
+
+commit 9a6c0e28e215535b2938c61ded54603b4e5814c5 upstream.
+
+Code which interacts with timestamps needs to use the ktime_t type
+returned by functions like ktime_get. The int type does not offer
+enough space to store these values, and attempting to use it is a
+recipe for problems. In this particular case, overflows would occur
+when calculating/storing timestamps leading to incorrect values being
+reported to userspace. In some cases these bad timestamps cause input
+handling in userspace to appear hung.
+
+Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/901
+Fixes: 17d793f3ed53 ("HID: wacom: insert timestamp to packed Bluetooth (BT) events")
+CC: stable@vger.kernel.org
+Signed-off-by: Jason Gerecke
+Reviewed-by: Benjamin Tissoires
+Link: https://lore.kernel.org/r/20230608213828.2108-1-jason.gerecke@wacom.com
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/wacom_wac.c | 6 +++---
+ drivers/hid/wacom_wac.h | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1314,7 +1314,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ struct input_dev *pen_input = wacom->pen_input;
+ unsigned char *data = wacom->data;
+ int number_of_valid_frames = 0;
+- int time_interval = 15000000;
++ ktime_t time_interval = 15000000;
+ ktime_t time_packet_received = ktime_get();
+ int i;
+
+@@ -1348,7 +1348,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ if (number_of_valid_frames) {
+ if (wacom->hid_data.time_delayed)
+ time_interval = ktime_get() - wacom->hid_data.time_delayed;
+- time_interval /= number_of_valid_frames;
++ time_interval = div_u64(time_interval, number_of_valid_frames);
+ wacom->hid_data.time_delayed = time_packet_received;
+ }
+
+@@ -1359,7 +1359,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ bool range = frame[0] & 0x20;
+ bool invert = frame[0] & 0x10;
+ int frames_number_reversed = number_of_valid_frames - i - 1;
+- int event_timestamp = time_packet_received - frames_number_reversed * time_interval;
++ ktime_t event_timestamp = time_packet_received - frames_number_reversed * time_interval;
+
+ if (!valid)
+ continue;
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -324,7 +324,7 @@ struct hid_data {
+ int ps_connected;
+ bool pad_input_event_flag;
+ unsigned short sequence_number;
+- int time_delayed;
++ ktime_t time_delayed;
+ };
+
+ struct wacom_remote_data {
diff --git a/queue-6.4/mm-khugepaged-fix-regression-in-collapse_file.patch b/queue-6.4/mm-khugepaged-fix-regression-in-collapse_file.patch
new file mode 100644
index 00000000000..72e2a9eed83
--- /dev/null
+++ b/queue-6.4/mm-khugepaged-fix-regression-in-collapse_file.patch
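Review bot: `time_interval = div_u64(time_interval, number_of_valid_frames);` in wacom_intuos_pro2_bt_pen() hands a signed `ktime_t` and an `int` to a helper whose dividend is unsigned 64-bit and whose divisor is unsigned 32-bit, so if `ktime_get() - wacom->hid_data.time_delayed` ever came out negative it would become a very large interval rather than being noticed. That should not happen with a monotonic clock, but the ktime helpers state the intent and keep the signedness: `time_interval = ktime_divns(time_interval, number_of_valid_frames);`, with `ktime_sub()` for the subtraction on the line above. The initial `15000000` would also read better as `15 * NSEC_PER_MSEC`. The consumer of `event_timestamp` lies outside the third inner hunk, so whether it accepts the full 64-bit value cannot be checked from here.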
@@ -0,0 +1,78 @@
+From e8c716bc6812202ccf4ce0f0bad3428b794fb39c Mon Sep 17 00:00:00 2001
+From: Hugh Dickins
+Date: Wed, 28 Jun 2023 21:31:35 -0700
+Subject: mm/khugepaged: fix regression in collapse_file()
+
+From: Hugh Dickins
+
+commit e8c716bc6812202ccf4ce0f0bad3428b794fb39c upstream.
+
+There is no xas_pause(&xas) in collapse_file()'s main loop, at the points
+where it does xas_unlock_irq(&xas) and then continues.
+
+That would explain why, once two weeks ago and twice yesterday, I have
+hit the VM_BUG_ON_PAGE(page != xas_load(&xas), page) since "mm/khugepaged:
+fix iteration in collapse_file" removed the xas_set(&xas, index) just
+before it: xas.xa_node could be left pointing to a stale node, if there
+was concurrent activity on the file which transformed its xarray.
+
+I tried inserting xas_pause()s, but then even bootup crashed on that
+VM_BUG_ON_PAGE(): there appears to be a subtle "nextness" implicit in
+xas_pause().
+
+xas_next() and xas_pause() are good for use in simple loops, but not in
+this one: xas_set() worked well until now, so use xas_set(&xas, index)
+explicitly at the head of the loop; and change that VM_BUG_ON_PAGE() not
+to need its own xas_set(), and not to interfere with the xa_state (which
+would probably stop the crashes from xas_pause(), but I trust that less).
+
+The user-visible effects of this bug (if VM_BUG_ONs are configured out)
+would be data loss and data leak - potentially - though in practice I
+expect it is more likely that a subsequent check (e.g. on mapping or on
+nr_none) would notice an inconsistency, and just abandon the collapse.
+
+Link: https://lore.kernel.org/linux-mm/f18e4b64-3f88-a8ab-56cc-d1f5f9c58d4@google.com/
+Fixes: c8a8f3b4a95a ("mm/khugepaged: fix iteration in collapse_file")
+Signed-off-by: Hugh Dickins
+Cc: stable@kernel.org
+Cc: Andrew Morton
+Cc: Matthew Wilcox
+Cc: David Stevens
+Cc: Peter Xu
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/khugepaged.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1918,9 +1918,9 @@ static int collapse_file(struct mm_struc
+ }
+ } while (1);
+
+- xas_set(&xas, start);
+ for (index = start; index < end; index++) {
+- page = xas_next(&xas);
++ xas_set(&xas, index);
++ page = xas_load(&xas);
+
+ VM_BUG_ON(index != xas.xa_index);
+ if (is_shmem) {
+@@ -1935,7 +1935,6 @@ static int collapse_file(struct mm_struc
+ result = SCAN_TRUNCATED;
+ goto xa_locked;
+ }
+- xas_set(&xas, index + 1);
+ }
+ if (!shmem_charge(mapping->host, 1)) {
+ result = SCAN_FAIL;
+@@ -2071,7 +2070,7 @@ static int collapse_file(struct mm_struc
+
+ xas_lock_irq(&xas);
+
+- VM_BUG_ON_PAGE(page != xas_load(&xas), page);
++ VM_BUG_ON_PAGE(page != xa_load(xas.xa, index), page);
+
+ /*
+ * We control three references to the page:
diff --git a/queue-6.4/series b/queue-6.4/series
index bbaeef50df2..81633d5c8ee 100644
--- a/queue-6.4/series
+++ b/queue-6.4/series
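Review bot: With `xas_set(&xas, index);` now at the head of the loop in collapse_file(), the `VM_BUG_ON(index != xas.xa_index);` two lines below looks true by construction, assuming xas_load() leaves xa_index untouched, so it no longer checks anything and could be dropped. The reason for re-seating the cursor on every iteration lives only in the commit message; a comment at the loop head would keep someone from switching back to xas_next(), e.g. `/* the xarray lock may be dropped below, so xas.xa_node can go stale: restart the walk at index */`. The remaining consistency check, `VM_BUG_ON_PAGE(page != xa_load(xas.xa, index), page);`, compiles away when VM_BUG_ONs are configured out, which is the configuration the commit message ties to possible data loss and data leak, so it is worth confirming that the later checks it mentions do cover that case. All three inner hunks are excerpts of collapse_file(), whose body extends beyond them.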
@@ -19,4 +19,9 @@ powerpc-mm-convert-coprocessor-fault-to-lock_mm_and_find_vma.patch
 mm-make-find_extend_vma-fail-if-write-lock-not-held.patch
 execve-expand-new-process-stack-manually-ahead-of-time.patch
 mm-always-expand-the-stack-with-the-mmap-write-lock-held.patch
+hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
 gup-add-warning-if-some-caller-would-seem-to-want-stack-expansion.patch
+mm-khugepaged-fix-regression-in-collapse_file.patch
+fbdev-fix-potential-oob-read-in-fast_imageblit.patch
+hid-hidraw-fix-data-race-on-device-refcount.patch
+hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch