From 430b4d6ba4b233848c45d630b50942cecb41749f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 13 Oct 2022 19:18:16 +0200 Subject: [PATCH] 5.19-stable patches added patches: input-xpad-add-supported-devices-as-contributed-on-github.patch input-xpad-fix-wireless-360-controller-breaking-after-suspend.patch mctp-prevent-double-key-removal-and-unref.patch misc-pci_endpoint_test-aggregate-params-checking-for-xfer.patch misc-pci_endpoint_test-fix-pci_endpoint_test_-copy-write-read-panic.patch --- ...ted-devices-as-contributed-on-github.patch | 104 ++++++++++++++++++ ...60-controller-breaking-after-suspend.patch | 39 +++++++ ...prevent-double-key-removal-and-unref.patch | 93 ++++++++++++++++ ...t-aggregate-params-checking-for-xfer.patch | 82 ++++++++++++++ ...endpoint_test_-copy-write-read-panic.patch | 77 +++++++++++++ queue-5.19/series | 5 + 6 files changed, 400 insertions(+) create mode 100644 queue-5.19/input-xpad-add-supported-devices-as-contributed-on-github.patch create mode 100644 queue-5.19/input-xpad-fix-wireless-360-controller-breaking-after-suspend.patch create mode 100644 queue-5.19/mctp-prevent-double-key-removal-and-unref.patch create mode 100644 queue-5.19/misc-pci_endpoint_test-aggregate-params-checking-for-xfer.patch create mode 100644 queue-5.19/misc-pci_endpoint_test-fix-pci_endpoint_test_-copy-write-read-panic.patch diff --git a/queue-5.19/input-xpad-add-supported-devices-as-contributed-on-github.patch b/queue-5.19/input-xpad-add-supported-devices-as-contributed-on-github.patch new file mode 100644 index 00000000000..5db32a0ecc4 --- /dev/null +++ b/queue-5.19/input-xpad-add-supported-devices-as-contributed-on-github.patch @@ -0,0 +1,104 @@ +From b382c5e37344883dc97525d05f1f6b788f549985 Mon Sep 17 00:00:00 2001 +From: Pavel Rojtberg +Date: Thu, 18 Aug 2022 17:44:08 +0200 +Subject: Input: xpad - add supported devices as contributed on github + +From: Pavel Rojtberg + +commit b382c5e37344883dc97525d05f1f6b788f549985 upstream. + +This is based on multiple commits at https://github.com/paroj/xpad + +Cc: stable@vger.kernel.org +Signed-off-by: Jasper Poppe +Signed-off-by: Jeremy Palmer +Signed-off-by: Ruineka +Signed-off-by: Cleber de Mattos Casali +Signed-off-by: Kyle Gospodnetich +Signed-off-by: Pavel Rojtberg +Link: https://lore.kernel.org/r/20220818154411.510308-2-rojtberg@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -113,6 +113,8 @@ static const struct xpad_device { + u8 xtype; + } xpad_device[] = { + { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 }, ++ { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 }, ++ { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 }, + { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX }, +@@ -244,6 +246,7 @@ static const struct xpad_device { + { 0x0f0d, 0x0063, "Hori Real Arcade Pro Hayabusa (USA) Xbox One", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, + { 0x0f0d, 0x0067, "HORIPAD ONE", 0, XTYPE_XBOXONE }, + { 0x0f0d, 0x0078, "Hori Real Arcade Pro V Kai Xbox One", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, ++ { 0x0f0d, 0x00c5, "Hori Fighting Commander ONE", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, + { 0x0f30, 0x010b, "Philips Recoil", 0, XTYPE_XBOX }, + { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX }, + { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX }, +@@ -260,6 +263,7 @@ static const struct xpad_device { + { 0x1430, 0x8888, "TX6500+ Dance Pad (first generation)", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX }, + { 0x1430, 0xf801, "RedOctane Controller", 0, XTYPE_XBOX360 }, + { 0x146b, 0x0601, "BigBen Interactive XBOX 360 Controller", 0, XTYPE_XBOX360 }, ++ { 0x146b, 0x0604, "Bigben Interactive DAIJA Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x1532, 0x0037, "Razer Sabertooth", 0, XTYPE_XBOX360 }, + { 0x1532, 0x0a00, "Razer Atrox Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, + { 0x1532, 0x0a03, "Razer Wildcat", 0, XTYPE_XBOXONE }, +@@ -325,6 +329,7 @@ static const struct xpad_device { + { 0x24c6, 0x5502, "Hori Fighting Stick VX Alt", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x24c6, 0x5503, "Hori Fighting Edge", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x24c6, 0x5506, "Hori SOULCALIBUR V Stick", 0, XTYPE_XBOX360 }, ++ { 0x24c6, 0x5510, "Hori Fighting Commander ONE (Xbox 360/PC Mode)", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x24c6, 0x550d, "Hori GEM Xbox controller", 0, XTYPE_XBOX360 }, + { 0x24c6, 0x550e, "Hori Real Arcade Pro V Kai 360", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x24c6, 0x551a, "PowerA FUSION Pro Controller", 0, XTYPE_XBOXONE }, +@@ -334,6 +339,14 @@ static const struct xpad_device { + { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX360 }, + { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 }, + { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 }, ++ { 0x2563, 0x058d, "OneXPlayer Gamepad", 0, XTYPE_XBOX360 }, ++ { 0x2dc8, 0x2000, "8BitDo Pro 2 Wired Controller fox Xbox", 0, XTYPE_XBOXONE }, ++ { 0x31e3, 0x1100, "Wooting One", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1200, "Wooting Two", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1210, "Wooting Lekker", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1220, "Wooting Two HE", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1300, "Wooting 60HE (AVR)", 0, XTYPE_XBOX360 }, ++ { 0x31e3, 0x1310, "Wooting 60HE (ARM)", 0, XTYPE_XBOX360 }, + { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 }, + { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX }, + { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX }, +@@ -419,6 +432,7 @@ static const signed short xpad_abs_trigg + static const struct usb_device_id xpad_table[] = { + { USB_INTERFACE_INFO('X', 'B', 0) }, /* X-Box USB-IF not approved class */ + XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 Controller */ ++ XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */ + XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster X-Box 360 controllers */ + XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */ + XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */ +@@ -429,6 +443,7 @@ static const struct usb_device_id xpad_t + { USB_DEVICE(0x0738, 0x4540) }, /* Mad Catz Beat Pad */ + XPAD_XBOXONE_VENDOR(0x0738), /* Mad Catz FightStick TE 2 */ + XPAD_XBOX360_VENDOR(0x07ff), /* Mad Catz GamePad */ ++ XPAD_XBOX360_VENDOR(0x0c12), /* Zeroplus X-Box 360 controllers */ + XPAD_XBOX360_VENDOR(0x0e6f), /* 0x0e6f X-Box 360 controllers */ + XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */ + XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */ +@@ -450,8 +465,12 @@ static const struct usb_device_id xpad_t + XPAD_XBOXONE_VENDOR(0x20d6), /* PowerA Controllers */ + XPAD_XBOX360_VENDOR(0x24c6), /* PowerA Controllers */ + XPAD_XBOXONE_VENDOR(0x24c6), /* PowerA Controllers */ ++ XPAD_XBOX360_VENDOR(0x2563), /* OneXPlayer Gamepad */ ++ XPAD_XBOX360_VENDOR(0x260d), /* Dareu H101 */ ++ XPAD_XBOXONE_VENDOR(0x2dc8), /* 8BitDo Pro 2 Wired Controller for Xbox */ + XPAD_XBOXONE_VENDOR(0x2e24), /* Hyperkin Duke X-Box One pad */ + XPAD_XBOX360_VENDOR(0x2f24), /* GameSir Controllers */ ++ XPAD_XBOX360_VENDOR(0x31e3), /* Wooting Keyboards */ + XPAD_XBOX360_VENDOR(0x3285), /* Nacon GC-100 */ + { } + }; diff --git a/queue-5.19/input-xpad-fix-wireless-360-controller-breaking-after-suspend.patch b/queue-5.19/input-xpad-fix-wireless-360-controller-breaking-after-suspend.patch new file mode 100644 index 00000000000..8b913ea42af --- /dev/null +++ b/queue-5.19/input-xpad-fix-wireless-360-controller-breaking-after-suspend.patch @@ -0,0 +1,39 @@ +From a17b9841152e7f4621619902b347e2cc39c32996 Mon Sep 17 00:00:00 2001 +From: Cameron Gutman +Date: Thu, 18 Aug 2022 17:44:09 +0200 +Subject: Input: xpad - fix wireless 360 controller breaking after suspend + +From: Cameron Gutman + +commit a17b9841152e7f4621619902b347e2cc39c32996 upstream. + +Suspending and resuming the system can sometimes cause the out +URB to get hung after a reset_resume. This causes LED setting +and force feedback to break on resume. To avoid this, just drop +the reset_resume callback so the USB core rebinds xpad to the +wireless pads on resume if a reset happened. + +A nice side effect of this change is the LED ring on wireless +controllers is now set correctly on system resume. + +Cc: stable@vger.kernel.org +Fixes: 4220f7db1e42 ("Input: xpad - workaround dead irq_out after suspend/ resume") +Signed-off-by: Cameron Gutman +Signed-off-by: Pavel Rojtberg +Link: https://lore.kernel.org/r/20220818154411.510308-3-rojtberg@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -1991,7 +1991,6 @@ static struct usb_driver xpad_driver = { + .disconnect = xpad_disconnect, + .suspend = xpad_suspend, + .resume = xpad_resume, +- .reset_resume = xpad_resume, + .id_table = xpad_table, + }; + diff --git a/queue-5.19/mctp-prevent-double-key-removal-and-unref.patch b/queue-5.19/mctp-prevent-double-key-removal-and-unref.patch new file mode 100644 index 00000000000..ace9b64e16b --- /dev/null +++ b/queue-5.19/mctp-prevent-double-key-removal-and-unref.patch @@ -0,0 +1,93 @@ +From 3a732b46736cd8a29092e4b0b1a9ba83e672bf89 Mon Sep 17 00:00:00 2001 +From: Jeremy Kerr +Date: Wed, 12 Oct 2022 10:08:51 +0800 +Subject: mctp: prevent double key removal and unref + +From: Jeremy Kerr + +commit 3a732b46736cd8a29092e4b0b1a9ba83e672bf89 upstream. + +Currently, we have a bug where a simultaneous DROPTAG ioctl and socket +close may race, as we attempt to remove a key from lists twice, and +perform an unref for each removal operation. This may result in a uaf +when we attempt the second unref. + +This change fixes the race by making __mctp_key_remove tolerant to being +called on a key that has already been removed from the socket/net lists, +and only performs the unref when we do the actual remove. We also need +to hold the list lock on the ioctl cleanup path. + +This fix is based on a bug report and comprehensive analysis from +butt3rflyh4ck , found via syzkaller. + +Cc: stable@vger.kernel.org +Fixes: 63ed1aab3d40 ("mctp: Add SIOCMCTP{ALLOC,DROP}TAG ioctls for tag control") +Reported-by: butt3rflyh4ck +Signed-off-by: Jeremy Kerr +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mctp/af_mctp.c | 23 ++++++++++++++++------- + net/mctp/route.c | 10 +++++----- + 2 files changed, 21 insertions(+), 12 deletions(-) + +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -295,11 +295,12 @@ __must_hold(&net->mctp.keys_lock) + mctp_dev_release_key(key->dev, key); + spin_unlock_irqrestore(&key->lock, flags); + +- hlist_del(&key->hlist); +- hlist_del(&key->sklist); +- +- /* unref for the lists */ +- mctp_key_unref(key); ++ if (!hlist_unhashed(&key->hlist)) { ++ hlist_del_init(&key->hlist); ++ hlist_del_init(&key->sklist); ++ /* unref for the lists */ ++ mctp_key_unref(key); ++ } + + kfree_skb(skb); + } +@@ -373,9 +374,17 @@ static int mctp_ioctl_alloctag(struct mc + + ctl.tag = tag | MCTP_TAG_OWNER | MCTP_TAG_PREALLOC; + if (copy_to_user((void __user *)arg, &ctl, sizeof(ctl))) { +- spin_lock_irqsave(&key->lock, flags); +- __mctp_key_remove(key, net, flags, MCTP_TRACE_KEY_DROPPED); ++ unsigned long fl2; ++ /* Unwind our key allocation: the keys list lock needs to be ++ * taken before the individual key locks, and we need a valid ++ * flags value (fl2) to pass to __mctp_key_remove, hence the ++ * second spin_lock_irqsave() rather than a plain spin_lock(). ++ */ ++ spin_lock_irqsave(&net->mctp.keys_lock, flags); ++ spin_lock_irqsave(&key->lock, fl2); ++ __mctp_key_remove(key, net, fl2, MCTP_TRACE_KEY_DROPPED); + mctp_key_unref(key); ++ spin_unlock_irqrestore(&net->mctp.keys_lock, flags); + return -EFAULT; + } + +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -228,12 +228,12 @@ __releases(&key->lock) + + if (!key->manual_alloc) { + spin_lock_irqsave(&net->mctp.keys_lock, flags); +- hlist_del(&key->hlist); +- hlist_del(&key->sklist); ++ if (!hlist_unhashed(&key->hlist)) { ++ hlist_del_init(&key->hlist); ++ hlist_del_init(&key->sklist); ++ mctp_key_unref(key); ++ } + spin_unlock_irqrestore(&net->mctp.keys_lock, flags); +- +- /* unref for the lists */ +- mctp_key_unref(key); + } + + /* and one for the local reference */ diff --git a/queue-5.19/misc-pci_endpoint_test-aggregate-params-checking-for-xfer.patch b/queue-5.19/misc-pci_endpoint_test-aggregate-params-checking-for-xfer.patch new file mode 100644 index 00000000000..70c8b946d3f --- /dev/null +++ b/queue-5.19/misc-pci_endpoint_test-aggregate-params-checking-for-xfer.patch @@ -0,0 +1,82 @@ +From 3e42deaac06567c7e86d287c305ccda24db4ae3d Mon Sep 17 00:00:00 2001 +From: Shunsuke Mie +Date: Wed, 7 Sep 2022 11:00:59 +0900 +Subject: misc: pci_endpoint_test: Aggregate params checking for xfer + +From: Shunsuke Mie + +commit 3e42deaac06567c7e86d287c305ccda24db4ae3d upstream. + +Each transfer test functions have same parameter checking code. This patch +unites those to an introduced function. + +Signed-off-by: Shunsuke Mie +Cc: stable +Link: https://lore.kernel.org/r/20220907020100.122588-1-mie@igel.co.jp +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/pci_endpoint_test.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +--- a/drivers/misc/pci_endpoint_test.c ++++ b/drivers/misc/pci_endpoint_test.c +@@ -332,6 +332,17 @@ static bool pci_endpoint_test_msi_irq(st + return false; + } + ++static int pci_endpoint_test_validate_xfer_params(struct device *dev, ++ struct pci_endpoint_test_xfer_param *param, size_t alignment) ++{ ++ if (param->size > SIZE_MAX - alignment) { ++ dev_dbg(dev, "Maximum transfer data size exceeded\n"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static bool pci_endpoint_test_copy(struct pci_endpoint_test *test, + unsigned long arg) + { +@@ -363,9 +374,11 @@ static bool pci_endpoint_test_copy(struc + return false; + } + ++ err = pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); ++ if (err) ++ return false; ++ + size = param.size; +- if (size > SIZE_MAX - alignment) +- goto err; + + use_dma = !!(param.flags & PCITEST_FLAGS_USE_DMA); + if (use_dma) +@@ -497,9 +510,11 @@ static bool pci_endpoint_test_write(stru + return false; + } + ++ err = pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); ++ if (err) ++ return false; ++ + size = param.size; +- if (size > SIZE_MAX - alignment) +- goto err; + + use_dma = !!(param.flags & PCITEST_FLAGS_USE_DMA); + if (use_dma) +@@ -595,9 +610,11 @@ static bool pci_endpoint_test_read(struc + return false; + } + ++ err = pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); ++ if (err) ++ return false; ++ + size = param.size; +- if (size > SIZE_MAX - alignment) +- goto err; + + use_dma = !!(param.flags & PCITEST_FLAGS_USE_DMA); + if (use_dma) diff --git a/queue-5.19/misc-pci_endpoint_test-fix-pci_endpoint_test_-copy-write-read-panic.patch b/queue-5.19/misc-pci_endpoint_test-fix-pci_endpoint_test_-copy-write-read-panic.patch new file mode 100644 index 00000000000..70f7f888c2c --- /dev/null +++ b/queue-5.19/misc-pci_endpoint_test-fix-pci_endpoint_test_-copy-write-read-panic.patch @@ -0,0 +1,77 @@ +From 8e30538eca016de8e252bef174beadecd64239f0 Mon Sep 17 00:00:00 2001 +From: Shunsuke Mie +Date: Wed, 7 Sep 2022 11:01:00 +0900 +Subject: misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic + +From: Shunsuke Mie + +commit 8e30538eca016de8e252bef174beadecd64239f0 upstream. + +The dma_map_single() doesn't permit zero length mapping. It causes a follow +panic. + +A panic was reported on arm64: + +[ 60.137988] ------------[ cut here ]------------ +[ 60.142630] kernel BUG at kernel/dma/swiotlb.c:624! +[ 60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +[ 60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l +2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2_v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_asyn +c videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy_rcar_gen3_usb3 usb_dmac display_connector pwm_bl +[ 60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+ #237 +[ 60.193387] Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) +[ 60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590 +[ 60.213149] lr : swiotlb_map+0x88/0x1f0 +[ 60.216982] sp : ffff80000a883bc0 +[ 60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 0000000000000000 +[ 60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1f77c0 +[ 60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a000000 +[ 60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 0000000000000000 +[ 60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7b9180 +[ 60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 0000000000000000 +[ 60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 +[ 60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 0000000000000000 +[ 60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 0000000000000001 +[ 60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 0000000040000010 +[ 60.291658] Call trace: +[ 60.294100] swiotlb_tbl_map_single+0x2c0/0x590 +[ 60.298629] swiotlb_map+0x88/0x1f0 +[ 60.302115] dma_map_page_attrs+0x188/0x230 +[ 60.306299] pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test] +[ 60.312660] __arm64_sys_ioctl+0xa8/0xf0 +[ 60.316583] invoke_syscall+0x44/0x108 +[ 60.320334] el0_svc_common.constprop.0+0xcc/0xf0 +[ 60.325038] do_el0_svc+0x2c/0xb8 +[ 60.328351] el0_svc+0x2c/0x88 +[ 60.331406] el0t_64_sync_handler+0xb8/0xc0 +[ 60.335587] el0t_64_sync+0x18c/0x190 +[ 60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000) +[ 60.345344] ---[ end trace 0000000000000000 ]--- + +To fix it, this patch adds a checking the payload length if it is zero. + +Fixes: 343dc693f7b7 ("misc: pci_endpoint_test: Prevent some integer overflows") +Cc: stable +Signed-off-by: Shunsuke Mie +Link: https://lore.kernel.org/r/20220907020100.122588-2-mie@igel.co.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/pci_endpoint_test.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/misc/pci_endpoint_test.c ++++ b/drivers/misc/pci_endpoint_test.c +@@ -335,6 +335,11 @@ static bool pci_endpoint_test_msi_irq(st + static int pci_endpoint_test_validate_xfer_params(struct device *dev, + struct pci_endpoint_test_xfer_param *param, size_t alignment) + { ++ if (!param->size) { ++ dev_dbg(dev, "Data size is zero\n"); ++ return -EINVAL; ++ } ++ + if (param->size > SIZE_MAX - alignment) { + dev_dbg(dev, "Maximum transfer data size exceeded\n"); + return -EINVAL; diff --git a/queue-5.19/series b/queue-5.19/series index 0dfbf32947c..d2a80453ce8 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -26,3 +26,8 @@ wifi-cfg80211-avoid-nontransmitted-bss-list-corruption.patch wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-rate.patch wifi-mac80211-fix-crash-in-beacon-protection-for-p2p-device.patch wifi-cfg80211-update-hidden-bsses-to-avoid-warn_on.patch +mctp-prevent-double-key-removal-and-unref.patch +input-xpad-add-supported-devices-as-contributed-on-github.patch +input-xpad-fix-wireless-360-controller-breaking-after-suspend.patch +misc-pci_endpoint_test-aggregate-params-checking-for-xfer.patch +misc-pci_endpoint_test-fix-pci_endpoint_test_-copy-write-read-panic.patch -- 2.47.3