From 1321ea4b22c542546b78cc317c65b2fb6295ab33 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 27 Jan 2020 17:45:54 +0100 Subject: [PATCH] 4.19-stable patches added patches: input-aiptek-fix-endpoint-sanity-check.patch input-gtco-fix-endpoint-sanity-check.patch input-pegasus_notetaker-fix-endpoint-sanity-check.patch input-pm8xxx-vib-fix-handling-of-separate-enable-register.patch input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch input-sur40-fix-interface-sanity-checks.patch netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch --- ...put-aiptek-fix-endpoint-sanity-check.patch | 47 +++++++++++++++ ...input-gtco-fix-endpoint-sanity-check.patch | 59 +++++++++++++++++++ ..._notetaker-fix-endpoint-sanity-check.patch | 37 ++++++++++++ ...handling-of-separate-enable-register.patch | 44 ++++++++++++++ ...devm_thermal_zone_of_sensor_register.patch | 43 ++++++++++++++ ...ut-sur40-fix-interface-sanity-checks.patch | 37 ++++++++++++ ...add-missing-check-for-dreg-attribute.patch | 34 +++++++++++ queue-4.19/series | 7 +++ 8 files changed, 308 insertions(+) create mode 100644 queue-4.19/input-aiptek-fix-endpoint-sanity-check.patch create mode 100644 queue-4.19/input-gtco-fix-endpoint-sanity-check.patch create mode 100644 queue-4.19/input-pegasus_notetaker-fix-endpoint-sanity-check.patch create mode 100644 queue-4.19/input-pm8xxx-vib-fix-handling-of-separate-enable-register.patch create mode 100644 queue-4.19/input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch create mode 100644 queue-4.19/input-sur40-fix-interface-sanity-checks.patch create mode 100644 queue-4.19/netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch diff --git a/queue-4.19/input-aiptek-fix-endpoint-sanity-check.patch b/queue-4.19/input-aiptek-fix-endpoint-sanity-check.patch new file mode 100644 index 00000000000..787fdfac5f3 --- /dev/null +++ b/queue-4.19/input-aiptek-fix-endpoint-sanity-check.patch @@ -0,0 +1,47 @@ +From 3111491fca4f01764e0c158c5e0f7ced808eef51 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 11:59:32 -0800 +Subject: Input: aiptek - fix endpoint sanity check + +From: Johan Hovold + +commit 3111491fca4f01764e0c158c5e0f7ced808eef51 upstream. + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could lead to the +driver binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/aiptek.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/input/tablet/aiptek.c ++++ b/drivers/input/tablet/aiptek.c +@@ -1815,14 +1815,14 @@ aiptek_probe(struct usb_interface *intf, + input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); + + /* Verify that a device really has an endpoint */ +- if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&intf->dev, + "interface has %d endpoints, but must have minimum 1\n", +- intf->altsetting[0].desc.bNumEndpoints); ++ intf->cur_altsetting->desc.bNumEndpoints); + err = -EINVAL; + goto fail3; + } +- endpoint = &intf->altsetting[0].endpoint[0].desc; ++ endpoint = &intf->cur_altsetting->endpoint[0].desc; + + /* Go set up our URB, which is called when the tablet receives + * input. diff --git a/queue-4.19/input-gtco-fix-endpoint-sanity-check.patch b/queue-4.19/input-gtco-fix-endpoint-sanity-check.patch new file mode 100644 index 00000000000..7215eb72621 --- /dev/null +++ b/queue-4.19/input-gtco-fix-endpoint-sanity-check.patch @@ -0,0 +1,59 @@ +From a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 12:00:18 -0800 +Subject: Input: gtco - fix endpoint sanity check + +From: Johan Hovold + +commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream. + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could lead to the +driver binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/gtco.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interfa + } + + /* Sanity check that a device has an endpoint */ +- if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&usbinterface->dev, + "Invalid number of endpoints\n"); + error = -EINVAL; + goto err_free_urb; + } + +- /* +- * The endpoint is always altsetting 0, we know this since we know +- * this device only has one interrupt endpoint +- */ +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc; ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; + + /* Some debug */ + dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting); +@@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interfa + input_dev->dev.parent = &usbinterface->dev; + + /* Setup the URB, it will be posted later on open of input device */ +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc; ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; + + usb_fill_int_urb(gtco->urbinfo, + udev, diff --git a/queue-4.19/input-pegasus_notetaker-fix-endpoint-sanity-check.patch b/queue-4.19/input-pegasus_notetaker-fix-endpoint-sanity-check.patch new file mode 100644 index 00000000000..55a488dcb7b --- /dev/null +++ b/queue-4.19/input-pegasus_notetaker-fix-endpoint-sanity-check.patch @@ -0,0 +1,37 @@ +From bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 11:55:47 -0800 +Subject: Input: pegasus_notetaker - fix endpoint sanity check + +From: Johan Hovold + +commit bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 upstream. + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could be used by a +malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer +dereference. + +Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") +Signed-off-by: Johan Hovold +Acked-by: Martin Kepplinger +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-2-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/pegasus_notetaker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/tablet/pegasus_notetaker.c ++++ b/drivers/input/tablet/pegasus_notetaker.c +@@ -274,7 +274,7 @@ static int pegasus_probe(struct usb_inte + return -ENODEV; + + /* Sanity check that the device has an endpoint */ +- if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&intf->dev, "Invalid number of endpoints\n"); + return -EINVAL; + } diff --git a/queue-4.19/input-pm8xxx-vib-fix-handling-of-separate-enable-register.patch b/queue-4.19/input-pm8xxx-vib-fix-handling-of-separate-enable-register.patch new file mode 100644 index 00000000000..95da84b81c8 --- /dev/null +++ b/queue-4.19/input-pm8xxx-vib-fix-handling-of-separate-enable-register.patch @@ -0,0 +1,44 @@ +From 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Fri, 17 Jan 2020 13:40:36 -0800 +Subject: Input: pm8xxx-vib - fix handling of separate enable register + +From: Stephan Gerhold + +commit 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 upstream. + +Setting the vibrator enable_mask is not implemented correctly: + +For regmap_update_bits(map, reg, mask, val) we give in either +regs->enable_mask or 0 (= no-op) as mask and "val" as value. +But "val" actually refers to the vibrator voltage control register, +which has nothing to do with the enable_mask. + +So we usually end up doing nothing when we really wanted +to enable the vibrator. + +We want to set or clear the enable_mask (to enable/disable the vibrator). +Therefore, change the call to always modify the enable_mask +and set the bits only if we want to enable the vibrator. + +Fixes: d4c7c5c96c92 ("Input: pm8xxx-vib - handle separate enable register") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200114183442.45720-1-stephan@gerhold.net +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/pm8xxx-vibrator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/misc/pm8xxx-vibrator.c ++++ b/drivers/input/misc/pm8xxx-vibrator.c +@@ -98,7 +98,7 @@ static int pm8xxx_vib_set(struct pm8xxx_ + + if (regs->enable_mask) + rc = regmap_update_bits(vib->regmap, regs->enable_addr, +- on ? regs->enable_mask : 0, val); ++ regs->enable_mask, on ? ~0 : 0); + + return rc; + } diff --git a/queue-4.19/input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch b/queue-4.19/input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch new file mode 100644 index 00000000000..dc1960e6dfe --- /dev/null +++ b/queue-4.19/input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch @@ -0,0 +1,43 @@ +From 97e24b095348a15ec08c476423c3b3b939186ad7 Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan +Date: Fri, 10 Jan 2020 10:30:04 -0800 +Subject: Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register + +From: Chuhong Yuan + +commit 97e24b095348a15ec08c476423c3b3b939186ad7 upstream. + +The driver misses a check for devm_thermal_zone_of_sensor_register(). +Add a check to fix it. + +Fixes: e28d0c9cd381 ("input: convert sun4i-ts to use devm_thermal_zone_of_sensor_register") +Signed-off-by: Chuhong Yuan +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/sun4i-ts.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/sun4i-ts.c ++++ b/drivers/input/touchscreen/sun4i-ts.c +@@ -246,6 +246,7 @@ static int sun4i_ts_probe(struct platfor + struct device *dev = &pdev->dev; + struct device_node *np = dev->of_node; + struct device *hwmon; ++ struct thermal_zone_device *thermal; + int error; + u32 reg; + bool ts_attached; +@@ -365,7 +366,10 @@ static int sun4i_ts_probe(struct platfor + if (IS_ERR(hwmon)) + return PTR_ERR(hwmon); + +- devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, &sun4i_ts_tz_ops); ++ thermal = devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, ++ &sun4i_ts_tz_ops); ++ if (IS_ERR(thermal)) ++ return PTR_ERR(thermal); + + writel(TEMP_IRQ_EN(1), ts->base + TP_INT_FIFOC); + diff --git a/queue-4.19/input-sur40-fix-interface-sanity-checks.patch b/queue-4.19/input-sur40-fix-interface-sanity-checks.patch new file mode 100644 index 00000000000..58cb5c2b8d4 --- /dev/null +++ b/queue-4.19/input-sur40-fix-interface-sanity-checks.patch @@ -0,0 +1,37 @@ +From 6b32391ed675827f8425a414abbc6fbd54ea54fe Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Jan 2020 12:01:27 -0800 +Subject: Input: sur40 - fix interface sanity checks + +From: Johan Hovold + +commit 6b32391ed675827f8425a414abbc6fbd54ea54fe upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)") +Signed-off-by: Johan Hovold +Acked-by: Vladis Dronov +Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/sur40.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/sur40.c ++++ b/drivers/input/touchscreen/sur40.c +@@ -657,7 +657,7 @@ static int sur40_probe(struct usb_interf + int error; + + /* Check if we really have the right interface. */ +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bInterfaceClass != 0xFF) + return -ENODEV; + diff --git a/queue-4.19/netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch b/queue-4.19/netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch new file mode 100644 index 00000000000..57abc784a76 --- /dev/null +++ b/queue-4.19/netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch @@ -0,0 +1,34 @@ +From 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sat, 18 Jan 2020 11:27:25 +0100 +Subject: netfilter: nft_osf: add missing check for DREG attribute + +From: Florian Westphal + +commit 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365 upstream. + +syzbot reports just another NULL deref crash because of missing test +for presence of the attribute. + +Reported-by: syzbot+cf23983d697c26c34f60@syzkaller.appspotmail.com +Fixes: b96af92d6eaf9fadd ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_osf.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nft_osf.c ++++ b/net/netfilter/nft_osf.c +@@ -47,6 +47,9 @@ static int nft_osf_init(const struct nft + struct nft_osf *priv = nft_expr_priv(expr); + int err; + ++ if (!tb[NFTA_OSF_DREG]) ++ return -EINVAL; ++ + priv->dreg = nft_parse_register(tb[NFTA_OSF_DREG]); + err = nft_validate_register_store(ctx, priv->dreg, NULL, + NFT_DATA_VALUE, NFT_OSF_MAXGENRELEN); diff --git a/queue-4.19/series b/queue-4.19/series index 4156865cfbd..d58e205ddbc 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -26,3 +26,10 @@ arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch mmc-tegra-fix-sdr50-tuning-override.patch mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch documentation-document-arm64-kpti-control.patch +input-pm8xxx-vib-fix-handling-of-separate-enable-register.patch +input-sur40-fix-interface-sanity-checks.patch +input-gtco-fix-endpoint-sanity-check.patch +input-aiptek-fix-endpoint-sanity-check.patch +input-pegasus_notetaker-fix-endpoint-sanity-check.patch +input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch +netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch -- 2.47.3