From 5d01d096e542afe1536cf34bf0c1697b0ab463af Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 7 Aug 2020 16:03:36 +0200 Subject: [PATCH] 4.19-stable patches added patches: alsa-seq-oss-serialize-ioctls.patch binder-prevent-context-manager-from-incrementing-ref-0.patch bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch leds-88pm860x-fix-use-after-free-on-unbind.patch leds-da903x-fix-use-after-free-on-unbind.patch leds-lm3533-fix-use-after-free-on-unbind.patch leds-wm831x-status-fix-use-after-free-on-unbind.patch mtd-properly-check-all-write-ioctls-for-permissions.patch omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch usb-xhci-define-ids-for-various-asmedia-host-controllers.patch usb-xhci-fix-asmedia-asm1142-dma-addressing.patch vgacon-fix-for-missing-check-in-scrollback-handling.patch --- .../alsa-seq-oss-serialize-ioctls.patch | 51 ++++++++ ...text-manager-from-incrementing-ref-0.patch | 92 ++++++++++++++ ...d-in-hci_extended_inquiry_result_evt.patch | 39 ++++++ ...ounds-read-in-hci_inquiry_result_evt.patch | 31 +++++ ...-in-hci_inquiry_result_with_rssi_evt.patch | 50 ++++++++ ...8pm860x-fix-use-after-free-on-unbind.patch | 63 +++++++++ ...-da903x-fix-use-after-free-on-unbind.patch | 61 +++++++++ ...-lm3533-fix-use-after-free-on-unbind.patch | 66 ++++++++++ ...-status-fix-use-after-free-on-unbind.patch | 61 +++++++++ ...eck-all-write-ioctls-for-permissions.patch | 120 ++++++++++++++++++ ...ss-fix-max-fclk-divider-for-omap36xx.patch | 42 ++++++ ...untime_allow-for-all-hda-controllers.patch | 41 ++++++ queue-4.19/series | 17 +++ ...-lockdep-warning-for-write-operation.patch | 77 +++++++++++ ...eport-size-handling-for-some-devices.patch | 79 ++++++++++++ 
...for-various-asmedia-host-controllers.patch | 52 ++++++++ ...i-fix-asmedia-asm1142-dma-addressing.patch | 45 +++++++ ...missing-check-in-scrollback-handling.patch | 88 +++++++++++++ 18 files changed, 1075 insertions(+) create mode 100644 queue-4.19/alsa-seq-oss-serialize-ioctls.patch create mode 100644 queue-4.19/binder-prevent-context-manager-from-incrementing-ref-0.patch create mode 100644 queue-4.19/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch create mode 100644 queue-4.19/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch create mode 100644 queue-4.19/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch create mode 100644 queue-4.19/leds-88pm860x-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.19/leds-da903x-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.19/leds-lm3533-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.19/leds-wm831x-status-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.19/mtd-properly-check-all-write-ioctls-for-permissions.patch create mode 100644 queue-4.19/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch create mode 100644 queue-4.19/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch create mode 100644 queue-4.19/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch create mode 100644 queue-4.19/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch create mode 100644 queue-4.19/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch create mode 100644 queue-4.19/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch create mode 100644 queue-4.19/vgacon-fix-for-missing-check-in-scrollback-handling.patch diff --git a/queue-4.19/alsa-seq-oss-serialize-ioctls.patch b/queue-4.19/alsa-seq-oss-serialize-ioctls.patch new file mode 100644 index 00000000000..08c9b786f45 --- /dev/null +++ b/queue-4.19/alsa-seq-oss-serialize-ioctls.patch 
@@ -0,0 +1,51 @@ +From 80982c7e834e5d4e325b6ce33757012ecafdf0bb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 4 Aug 2020 20:58:15 +0200 +Subject: ALSA: seq: oss: Serialize ioctls + +From: Takashi Iwai + +commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. + +Some ioctls via OSS sequencer API may race and lead to UAF when the +port create and delete are performed concurrently, as spotted by a +couple of syzkaller cases. This patch is an attempt to address it by +serializing the ioctls with the existing register_mutex. + +Basically OSS sequencer API is an obsoleted interface and was designed +without much consideration of the concurrency. There are very few +applications with it, and the concurrent performance isn't asked, +hence this "big hammer" approach should be good enough. + +Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com +Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com +Suggested-by: Hillf Danton +Cc: +Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/oss/seq_oss.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -181,10 +181,16 @@ static long + odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + struct seq_oss_devinfo *dp; ++ long rc; ++ + dp = file->private_data; + if (snd_BUG_ON(!dp)) + return -ENXIO; +- return snd_seq_oss_ioctl(dp, cmd, arg); ++ ++ mutex_lock(®ister_mutex); ++ rc = snd_seq_oss_ioctl(dp, cmd, arg); ++ mutex_unlock(®ister_mutex); ++ return rc; + } + + #ifdef CONFIG_COMPAT diff --git a/queue-4.19/binder-prevent-context-manager-from-incrementing-ref-0.patch b/queue-4.19/binder-prevent-context-manager-from-incrementing-ref-0.patch new file mode 100644 index 00000000000..a170e9fe701 --- /dev/null +++ b/queue-4.19/binder-prevent-context-manager-from-incrementing-ref-0.patch 
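Review bot: The new lock/unlock pair around snd_seq_oss_ioctl() in odev_ioctl() carries no comment saying what it serializes against, so a later cleanup could drop it as a needless global lock; suggest `/* serialize against concurrent port create/delete (UAF otherwise) */` above the mutex_lock. The hunk ends at `#ifdef CONFIG_COMPAT`; if the compat handler that follows calls snd_seq_oss_ioctl() directly instead of going through odev_ioctl(), that path stays unserialized and deserves the same treatment — worth confirming outside the hunk. `mutex_lock(®ister_mutex)` as rendered here looks like `&register_mutex` mangled by entity decoding, not a defect in the patch.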
@@ -0,0 +1,92 @@ +From 4b836a1426cb0f1ef2a6e211d7e553221594f8fc Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 27 Jul 2020 14:04:24 +0200 +Subject: binder: Prevent context manager from incrementing ref 0 + +From: Jann Horn + +commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream. + +Binder is designed such that a binder_proc never has references to +itself. If this rule is violated, memory corruption can occur when a +process sends a transaction to itself; see e.g. +. + +There is a remaining edgecase through which such a transaction-to-self +can still occur from the context of a task with BINDER_SET_CONTEXT_MGR +access: + + - task A opens /dev/binder twice, creating binder_proc instances P1 + and P2 + - P1 becomes context manager + - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its + handle table + - P1 dies (by closing the /dev/binder fd and waiting a bit) + - P2 becomes context manager + - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its + handle table + [this triggers a warning: "binder: 1974:1974 tried to acquire + reference to desc 0, got 1 instead"] + - task B opens /dev/binder once, creating binder_proc instance P3 + - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way + transaction) + - P2 receives the handle and uses it to call P3 (two-way transaction) + - P3 calls P2 (via magic handle 0) (two-way transaction) + - P2 calls P2 (via handle 1) (two-way transaction) + +And then, if P2 does *NOT* accept the incoming transaction work, but +instead closes the binder fd, we get a crash. + +Solve it by preventing the context manager from using ACQUIRE on ref 0. +There shouldn't be any legitimate reason for the context manager to do +that. + +Additionally, print a warning if someone manages to find another way to +trigger a transaction-to-self bug in the future. 
+ +Cc: stable@vger.kernel.org +Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") +Acked-by: Todd Kjos +Signed-off-by: Jann Horn +Reviewed-by: Martijn Coenen +Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2862,6 +2862,12 @@ static void binder_transaction(struct bi + goto err_dead_binder; + } + e->to_node = target_node->debug_id; ++ if (WARN_ON(proc == target_proc)) { ++ return_error = BR_FAILED_REPLY; ++ return_error_param = -EINVAL; ++ return_error_line = __LINE__; ++ goto err_invalid_target_handle; ++ } + if (security_binder_transaction(proc->tsk, + target_proc->tsk) < 0) { + return_error = BR_FAILED_REPLY; +@@ -3366,10 +3372,17 @@ static int binder_thread_write(struct bi + struct binder_node *ctx_mgr_node; + mutex_lock(&context->context_mgr_node_lock); + ctx_mgr_node = context->binder_context_mgr_node; +- if (ctx_mgr_node) ++ if (ctx_mgr_node) { ++ if (ctx_mgr_node->proc == proc) { ++ binder_user_error("%d:%d context manager tried to acquire desc 0\n", ++ proc->pid, thread->pid); ++ mutex_unlock(&context->context_mgr_node_lock); ++ return -EINVAL; ++ } + ret = binder_inc_ref_for_node( + proc, ctx_mgr_node, + strong, NULL, &rdata); ++ } + mutex_unlock(&context->context_mgr_node_lock); + } + if (ret) diff --git a/queue-4.19/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch b/queue-4.19/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch new file mode 100644 index 00000000000..77c08da3fd5 --- /dev/null +++ b/queue-4.19/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch 
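Review bot: `WARN_ON(proc == target_proc)` in binder_transaction() fires on a condition that, by the commit's own account, unprivileged userspace has been able to reach; on kernels booted with panic_on_warn, any self-transaction path the second hunk does not close becomes a reboot rather than a failed reply, so `WARN_ON_ONCE` or a `binder_user_error()` line would be the safer choice. In the binder_thread_write() hunk the new error path unlocks and returns -EINVAL directly while the surrounding code funnels failures through `ret`; if the code after `if (ret)` already unlocks and reports, `ret = -EINVAL;` and falling through would match the local style, though the explicit unlock is correct as written. Both enclosing functions start and end outside the hunk.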
@@ -0,0 +1,39 @@
+From 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 Mon Sep 17 00:00:00 2001
+From: Peilin Ye
+Date: Fri, 10 Jul 2020 12:09:15 -0400
+Subject: Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
+
+From: Peilin Ye
+
+commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream.
+
+Check upon `num_rsp` is insufficient. A malformed event packet with a
+large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
+of bounds. Fix it.
+
+This patch fixes the following syzbot bug:
+
+ https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2
+
+Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Peilin Ye
+Acked-by: Greg Kroah-Hartman
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4151,7 +4151,7 @@ static void hci_extended_inquiry_result_
+
+ BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
+
+- if (!num_rsp)
++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
+ return;
+
+ if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
diff --git a/queue-4.19/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch b/queue-4.19/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
new file mode 100644
index 00000000000..61e22fc8f89
--- /dev/null
+++ b/queue-4.19/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
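Review bot: The new bound `skb->len < num_rsp * sizeof(*info) + 1` has no comment explaining the `+ 1` or why `skb->len` is the right limit, and the next reader will have to rederive it; suggest `/* one num_rsp byte followed by num_rsp fixed-size records must fit in the payload */` above the check. The same guard appears in the hci_inquiry_result_evt and hci_inquiry_result_with_rssi_evt patches that follow, where the with_rssi variant rightly re-checks per branch because `info` has a different size in each. A truncated event is dropped silently here; a debug line at the early return (BT_DBG is already used just above) would make malformed packets from a controller or fuzzer visible in logs. hci_extended_inquiry_result_evt() starts and ends outside the hunk.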
@@ -0,0 +1,31 @@
+From 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a Mon Sep 17 00:00:00 2001
+From: Peilin Ye
+Date: Fri, 10 Jul 2020 17:39:18 -0400
+Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
+
+From: Peilin Ye
+
+commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream.
+
+Check `num_rsp` before using it as for-loop counter.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Peilin Ye
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2360,7 +2360,7 @@ static void hci_inquiry_result_evt(struc
+
+ BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
+
+- if (!num_rsp)
++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
+ return;
+
+ if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
diff --git a/queue-4.19/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch b/queue-4.19/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
new file mode 100644
index 00000000000..281c19041ec
--- /dev/null
+++ b/queue-4.19/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
@@ -0,0 +1,50 @@ +From 629b49c848ee71244203934347bd7730b0ddee8d Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 17:45:26 -0400 +Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() + +From: Peilin Ye + +commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. + +Check `num_rsp` before using it as for-loop counter. Add `unlock` label. + +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3948,6 +3948,9 @@ static void hci_inquiry_result_with_rssi + struct inquiry_info_with_rssi_and_pscan_mode *info; + info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -3969,6 +3972,9 @@ static void hci_inquiry_result_with_rssi + } else { + struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -3989,6 +3995,7 @@ static void hci_inquiry_result_with_rssi + } + } + ++unlock: + hci_dev_unlock(hdev); + } + diff --git a/queue-4.19/leds-88pm860x-fix-use-after-free-on-unbind.patch b/queue-4.19/leds-88pm860x-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..0124847f19a --- /dev/null +++ b/queue-4.19/leds-88pm860x-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,63 @@ +From eca21c2d8655387823d695b26e6fe78cf3975c05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:45 +0200 +Subject: leds: 88pm860x: fix use-after-free on unbind + +From: Johan Hovold + +commit eca21c2d8655387823d695b26e6fe78cf3975c05 upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: 375446df95ee ("leds: 88pm860x: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-88pm860x.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-88pm860x.c ++++ b/drivers/leds/leds-88pm860x.c +@@ -207,21 +207,33 @@ static int pm860x_led_probe(struct platf + data->cdev.brightness_set_blocking = pm860x_led_set; + mutex_init(&data->lock); + +- ret = devm_led_classdev_register(chip->dev, &data->cdev); ++ ret = led_classdev_register(chip->dev, &data->cdev); + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); + return ret; + } + pm860x_led_set(&data->cdev, 0); ++ ++ platform_set_drvdata(pdev, data); ++ + return 0; + } + ++static int pm860x_led_remove(struct platform_device *pdev) ++{ ++ struct pm860x_led *data = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&data->cdev); ++ ++ return 0; ++} + + static struct platform_driver pm860x_led_driver = { + .driver = { + .name = "88pm860x-led", + }, + .probe = pm860x_led_probe, ++ .remove = pm860x_led_remove, + }; + + module_platform_driver(pm860x_led_driver); 
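Review bot: The switch from devm_led_classdev_register() to led_classdev_register() in pm860x_led_probe() is deliberate but nothing in the code says so, and a future "convert to devm" cleanup would reintroduce the use-after-free; suggest a comment above the call: `/* Registered under the parent (chip->dev): devres tied to it outlives this driver's unbind, so unregister explicitly in remove(). */`. The same comment belongs in the da903x, lm3533 and wm831x-status patches that follow. pm860x_led_probe() starts outside the hunk; the new pm860x_led_remove() is complete within it.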
diff --git a/queue-4.19/leds-da903x-fix-use-after-free-on-unbind.patch b/queue-4.19/leds-da903x-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..61ba84a2613 --- /dev/null +++ b/queue-4.19/leds-da903x-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,61 @@ +From 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:46 +0200 +Subject: leds: da903x: fix use-after-free on unbind + +From: Johan Hovold + +commit 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: eed16255d66b ("leds: da903x: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-da903x.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-da903x.c ++++ b/drivers/leds/leds-da903x.c +@@ -113,12 +113,23 @@ static int da903x_led_probe(struct platf + led->flags = pdata->flags; + led->master = pdev->dev.parent; + +- ret = devm_led_classdev_register(led->master, &led->cdev); ++ ret = led_classdev_register(led->master, &led->cdev); + if (ret) { + dev_err(&pdev->dev, "failed to register LED %d\n", id); + return ret; + } + ++ platform_set_drvdata(pdev, led); ++ ++ return 0; ++} ++ ++static int da903x_led_remove(struct platform_device *pdev) ++{ ++ struct da903x_led *led = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&led->cdev); ++ + return 0; + } + +@@ -127,6 +138,7 @@ static struct platform_driver da903x_led + .name = "da903x-led", + }, + .probe = da903x_led_probe, ++ .remove = da903x_led_remove, + }; + + module_platform_driver(da903x_led_driver); diff --git a/queue-4.19/leds-lm3533-fix-use-after-free-on-unbind.patch b/queue-4.19/leds-lm3533-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..84c4024a939 --- /dev/null 
+++ b/queue-4.19/leds-lm3533-fix-use-after-free-on-unbind.patch @@ -0,0 +1,66 @@ +From d584221e683bbd173738603b83a315f27d27d043 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:47 +0200 +Subject: leds: lm3533: fix use-after-free on unbind + +From: Johan Hovold + +commit d584221e683bbd173738603b83a315f27d27d043 upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-lm3533.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/leds/leds-lm3533.c ++++ b/drivers/leds/leds-lm3533.c +@@ -698,7 +698,7 @@ static int lm3533_led_probe(struct platf + + platform_set_drvdata(pdev, led); + +- ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev); ++ ret = led_classdev_register(pdev->dev.parent, &led->cdev); + if (ret) { + dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id); + return ret; +@@ -708,13 +708,18 @@ static int lm3533_led_probe(struct platf + + ret = lm3533_led_setup(led, pdata); + if (ret) +- return ret; ++ goto err_deregister; + + ret = lm3533_ctrlbank_enable(&led->cb); + if (ret) +- return ret; ++ goto err_deregister; + + return 0; ++ ++err_deregister: ++ led_classdev_unregister(&led->cdev); ++ ++ return ret; + } + + static int lm3533_led_remove(struct platform_device *pdev) +@@ -724,6 +729,7 @@ static int lm3533_led_remove(struct plat + dev_dbg(&pdev->dev, "%s\n", __func__); + + lm3533_ctrlbank_disable(&led->cb); ++ led_classdev_unregister(&led->cdev); + + return 0; + } 
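Review bot: In lm3533_led_remove() the class device is unregistered after lm3533_ctrlbank_disable(), so between the two calls sysfs brightness writes can still reach a driver whose control bank is already disabled; unless the hardware requires disabling first, moving `led_classdev_unregister(&led->cdev);` above the disable closes that window and mirrors the usual "remove the user-facing interface first" order. The new err_deregister path in lm3533_led_probe() covers both failure points visible in the hunk. Both functions start outside the hunk; only lm3533_led_remove() ends inside it.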
diff --git a/queue-4.19/leds-wm831x-status-fix-use-after-free-on-unbind.patch b/queue-4.19/leds-wm831x-status-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..f1cb7401649 --- /dev/null +++ b/queue-4.19/leds-wm831x-status-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,61 @@ +From 47a459ecc800a17109d0c496a4e21e478806ee40 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:49 +0200 +Subject: leds: wm831x-status: fix use-after-free on unbind + +From: Johan Hovold + +commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: 8d3b6a4001ce ("leds: wm831x-status: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-wm831x-status.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-wm831x-status.c ++++ b/drivers/leds/leds-wm831x-status.c +@@ -273,12 +273,23 @@ static int wm831x_status_probe(struct pl + drvdata->cdev.blink_set = wm831x_status_blink_set; + drvdata->cdev.groups = wm831x_status_groups; + +- ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev); ++ ret = led_classdev_register(wm831x->dev, &drvdata->cdev); + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); + return ret; + } + ++ platform_set_drvdata(pdev, drvdata); ++ ++ return 0; ++} ++ ++static int wm831x_status_remove(struct platform_device *pdev) ++{ ++ struct wm831x_status *drvdata = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&drvdata->cdev); ++ + return 0; + } + +@@ -287,6 +298,7 @@ static struct platform_driver wm831x_sta + .name = "wm831x-status", + }, + .probe = wm831x_status_probe, ++ .remove = wm831x_status_remove, + }; + + module_platform_driver(wm831x_status_driver); 
diff --git a/queue-4.19/mtd-properly-check-all-write-ioctls-for-permissions.patch b/queue-4.19/mtd-properly-check-all-write-ioctls-for-permissions.patch new file mode 100644 index 00000000000..b951911060e --- /dev/null +++ b/queue-4.19/mtd-properly-check-all-write-ioctls-for-permissions.patch 
@@ -0,0 +1,120 @@ +From f7e6b19bc76471ba03725fe58e0c218a3d6266c3 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 16 Jul 2020 13:53:46 +0200 +Subject: mtd: properly check all write ioctls for permissions + +From: Greg Kroah-Hartman + +commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream. + +When doing a "write" ioctl call, properly check that we have permissions +to do so before copying anything from userspace or anything else so we +can "fail fast". This includes also covering the MEMWRITE ioctl which +previously missed checking for this. + +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: Vignesh Raghavendra +Cc: stable +Signed-off-by: Greg Kroah-Hartman +[rw: Fixed locking issue] +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/mtdchar.c | 56 +++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 47 insertions(+), 9 deletions(-) + +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -368,9 +368,6 @@ static int mtdchar_writeoob(struct file + uint32_t retlen; + int ret = 0; + +- if (!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + if (length > 4096) + return -EINVAL; + +@@ -655,6 +652,48 @@ static int mtdchar_ioctl(struct file *fi + + pr_debug("MTD_ioctl\n"); + ++ /* ++ * Check the file mode to require "dangerous" commands to have write ++ * permissions. 
++ */ ++ switch (cmd) { ++ /* "safe" commands */ ++ case MEMGETREGIONCOUNT: ++ case MEMGETREGIONINFO: ++ case MEMGETINFO: ++ case MEMREADOOB: ++ case MEMREADOOB64: ++ case MEMLOCK: ++ case MEMUNLOCK: ++ case MEMISLOCKED: ++ case MEMGETOOBSEL: ++ case MEMGETBADBLOCK: ++ case MEMSETBADBLOCK: ++ case OTPSELECT: ++ case OTPGETREGIONCOUNT: ++ case OTPGETREGIONINFO: ++ case OTPLOCK: ++ case ECCGETLAYOUT: ++ case ECCGETSTATS: ++ case MTDFILEMODE: ++ case BLKPG: ++ case BLKRRPART: ++ break; ++ ++ /* "dangerous" commands */ ++ case MEMERASE: ++ case MEMERASE64: ++ case MEMWRITEOOB: ++ case MEMWRITEOOB64: ++ case MEMWRITE: ++ if (!(file->f_mode & FMODE_WRITE)) ++ return -EPERM; ++ break; ++ ++ default: ++ return -ENOTTY; ++ } ++ + switch (cmd) { + case MEMGETREGIONCOUNT: + if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int))) +@@ -702,9 +741,6 @@ static int mtdchar_ioctl(struct file *fi + { + struct erase_info *erase; + +- if(!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL); + if (!erase) + ret = -ENOMEM; +@@ -997,9 +1033,6 @@ static int mtdchar_ioctl(struct file *fi + ret = 0; + break; + } +- +- default: +- ret = -ENOTTY; + } + + return ret; +@@ -1043,6 +1076,11 @@ static long mtdchar_compat_ioctl(struct + struct mtd_oob_buf32 buf; + struct mtd_oob_buf32 __user *buf_user = argp; + ++ if (!(file->f_mode & FMODE_WRITE)) { ++ ret = -EPERM; ++ break; ++ } ++ + if (copy_from_user(&buf, argp, sizeof(buf))) + ret = -EFAULT; + else diff --git a/queue-4.19/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch b/queue-4.19/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch new file mode 100644 index 00000000000..695da807f6f --- /dev/null +++ b/queue-4.19/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch 
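Review bot: MEMSETBADBLOCK, MEMLOCK, MEMUNLOCK and BLKPG sit under the `/* "safe" commands */` label although each changes flash or partition state; if allowing them without FMODE_WRITE is intended to preserve prior behavior, the comment should say so (`/* state-changing, but historically allowed on read-only fds */`) so the list is not read as a security classification. The `default: return -ENOTTY;` in the new switch now rejects unknown commands before any copy_from_user, which is good, but it also means every command handled by the second switch must be listed in the first — a coupling worth one comment line. In mtdchar_compat_ioctl() only the shown case gains the check; since mtdchar_writeoob() lost its own FMODE_WRITE test, any other write-class command the compat path handles itself rather than forwarding to mtdchar_ioctl() would now be unchecked — worth confirming outside the hunk. mtdchar_ioctl() and mtdchar_compat_ioctl() both start and end outside the hunk.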
@@ -0,0 +1,42 @@
+From 254503a2b186caa668a188dbbd7ab0d25149c0a5 Mon Sep 17 00:00:00 2001
+From: Adam Ford
+Date: Tue, 30 Jun 2020 13:26:36 -0500
+Subject: omapfb: dss: Fix max fclk divider for omap36xx
+
+From: Adam Ford
+
+commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream.
+
+The drm/omap driver was fixed to correct an issue where using a
+divider of 32 breaks the DSS despite the TRM stating 32 is a valid
+number. Through experimentation, it appears that 31 works, and
+it is consistent with the value used by the drm/omap driver.
+
+This patch fixes the divider for fbdev driver instead of the drm.
+
+Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
+Cc: #4.5+
+Signed-off-by: Adam Ford
+Reviewed-by: Tomi Valkeinen
+Cc: Dave Airlie
+Cc: Rob Clark
+[b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)]
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Link: https://patchwork.freedesktop.org/patch/msgid/20200630182636.439015-1-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c
+@@ -844,7 +844,7 @@ static const struct dss_features omap34x
+ };
+
+ static const struct dss_features omap3630_dss_feats = {
+- .fck_div_max = 32,
++ .fck_div_max = 31,
+ .dss_fck_multiplier = 1,
+ .parent_clk_name = "dpll4_ck",
+ .dpi_select_source = &dss_dpi_select_source_omap2_omap3,
diff --git a/queue-4.19/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch b/queue-4.19/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
new file mode 100644
index 00000000000..dcb97f97d2d
--- /dev/null
+++ b/queue-4.19/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
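Review bot: `.fck_div_max = 31` replaces a value the TRM documents as valid with one found by experiment, and the table entry itself gives no hint of that; suggest `.fck_div_max = 31, /* TRM allows 32, but 32 breaks the DSS on omap36xx; matches drm/omap */` so the next person reconciling this table with the datasheet does not restore 32.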
@@ -0,0 +1,41 @@
+From 07c9983b567d0ef33aefc063299de95a987e12a8 Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Mon, 3 Aug 2020 14:46:38 +0800
+Subject: Revert "ALSA: hda: call runtime_allow() for all hda controllers"
+
+From: Hui Wang
+
+commit 07c9983b567d0ef33aefc063299de95a987e12a8 upstream.
+
+This reverts commit 9a6418487b56 ("ALSA: hda: call runtime_allow()
+for all hda controllers").
+
+The reverted patch already introduced some regressions on some
+machines:
+ - on gemini-lake machines, the error of "azx_get_response timeout"
+ happens in the hda driver.
+ - on the machines with alc662 codec, the audio jack detection doesn't
+ work anymore.
+
+Fixes: 9a6418487b56 ("ALSA: hda: call runtime_allow() for all hda controllers")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208511
+Cc:
+Signed-off-by: Hui Wang
+Link: https://lore.kernel.org/r/20200803064638.6139-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2478,7 +2478,6 @@ static int azx_probe_continue(struct azx
+
+ if (azx_has_pm_runtime(chip)) {
+ pm_runtime_use_autosuspend(&pci->dev);
+- pm_runtime_allow(&pci->dev);
+ pm_runtime_put_autosuspend(&pci->dev);
+ }
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 4c924ad1cfd..7866ad4670e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1 +1,18 @@
 usb-serial-qcserial-add-em7305-qdl-product-id.patch
+usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch
+usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
+usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
+revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
+alsa-seq-oss-serialize-ioctls.patch
+staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
+omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
+binder-prevent-context-manager-from-incrementing-ref-0.patch
+vgacon-fix-for-missing-check-in-scrollback-handling.patch
+mtd-properly-check-all-write-ioctls-for-permissions.patch
+leds-wm831x-status-fix-use-after-free-on-unbind.patch
+leds-da903x-fix-use-after-free-on-unbind.patch
+leds-lm3533-fix-use-after-free-on-unbind.patch
+leds-88pm860x-fix-use-after-free-on-unbind.patch
diff --git a/queue-4.19/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch b/queue-4.19/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
new file mode 100644
index 00000000000..01dcf9b87b5
--- /dev/null
+++ b/queue-4.19/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
@@ -0,0 +1,77 @@ +From 3e338d3c95c735dc3265a86016bb4c022ec7cadc Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Thu, 30 Jul 2020 12:26:32 -0700 +Subject: staging: android: ashmem: Fix lockdep warning for write operation + +From: Suren Baghdasaryan + +commit 3e338d3c95c735dc3265a86016bb4c022ec7cadc upstream. + +syzbot report [1] describes a deadlock when write operation against an +ashmem fd executed at the time when ashmem is shrinking its cache results +in the following lock sequence: + +Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(fs_reclaim); + lock(&sb->s_type->i_mutex_key#13); + lock(fs_reclaim); + lock(&sb->s_type->i_mutex_key#13); + +kswapd takes fs_reclaim and then inode_lock while generic_perform_write +takes inode_lock and then fs_reclaim. However ashmem does not support +writing into backing shmem with a write syscall. The only way to change +its content is to mmap it and operate on mapped memory. Therefore the race +that lockdep is warning about is not valid. Resolve this by introducing a +separate lockdep class for the backing shmem inodes. 
+ +[1]: https://lkml.kernel.org/lkml/0000000000000b5f9d059aa2037f@google.com/ + +Reported-by: syzbot+7a0d9d0b26efefe61780@syzkaller.appspotmail.com +Signed-off-by: Suren Baghdasaryan +Cc: stable +Reviewed-by: Joel Fernandes (Google) +Link: https://lore.kernel.org/r/20200730192632.3088194-1-surenb@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ashmem.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -95,6 +95,15 @@ static DEFINE_MUTEX(ashmem_mutex); + static struct kmem_cache *ashmem_area_cachep __read_mostly; + static struct kmem_cache *ashmem_range_cachep __read_mostly; + ++/* ++ * A separate lockdep class for the backing shmem inodes to resolve the lockdep ++ * warning about the race between kswapd taking fs_reclaim before inode_lock ++ * and write syscall taking inode_lock and then fs_reclaim. ++ * Note that such race is impossible because ashmem does not support write ++ * syscalls operating on the backing shmem. ++ */ ++static struct lock_class_key backing_shmem_inode_class; ++ + static inline unsigned long range_size(struct ashmem_range *range) + { + return range->pgend - range->pgstart + 1; +@@ -395,6 +404,7 @@ static int ashmem_mmap(struct file *file + if (!asma->file) { + char *name = ASHMEM_NAME_DEF; + struct file *vmfile; ++ struct inode *inode; + + if (asma->name[ASHMEM_NAME_PREFIX_LEN] != '\0') + name = asma->name; +@@ -406,6 +416,8 @@ static int ashmem_mmap(struct file *file + goto out; + } + vmfile->f_mode |= FMODE_LSEEK; ++ inode = file_inode(vmfile); ++ lockdep_set_class(&inode->i_rwsem, &backing_shmem_inode_class); + asma->file = vmfile; + /* + * override mmap operation of the vmfile so that it can't be diff --git a/queue-4.19/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch b/queue-4.19/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch new file mode 100644 index 00000000000..42374a8a444 
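Review bot: The new comment on backing_shmem_inode_class says the race is impossible because ashmem does not support write syscalls, but that holds only while `vmfile` stays internal and is never installed as a file descriptor; a separate lockdep class silences the report rather than preventing the deadlock, so the comment should name that invariant, e.g. `Valid only while vmfile is never exposed to userspace as an fd.` The `struct inode *inode` local in ashmem_mmap() is used once; `lockdep_set_class(&file_inode(vmfile)->i_rwsem, &backing_shmem_inode_class);` would avoid the extra declaration. ashmem_mmap() starts and ends outside the hunk.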
--- /dev/null +++ b/queue-4.19/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch 
@@ -0,0 +1,79 @@
+From 17a82716587e9d7c3b246a789add490b2b5dcab6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Sun, 26 Jul 2020 11:49:39 +0200
+Subject: USB: iowarrior: fix up report size handling for some devices
+
+From: Greg Kroah-Hartman
+
+commit 17a82716587e9d7c3b246a789add490b2b5dcab6 upstream.
+
+In previous patches that added support for new iowarrior devices, the
+handling of the report size was not done correct.
+
+Fix that up and update the copyright date for the driver
+
+Reworked from an original patch written by Christoph Jung.
+
+Fixes: bab5417f5f01 ("USB: misc: iowarrior: add support for the 100 device")
+Fixes: 5f6f8da2d7b5 ("USB: misc: iowarrior: add support for the 28 and 28L devices")
+Fixes: 461d8deb26a7 ("USB: misc: iowarrior: add support for 2 OEMed devices")
+Cc: stable
+Reported-by: Christoph Jung
+Link: https://lore.kernel.org/r/20200726094939.1268978-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 35 +++++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -2,8 +2,9 @@
+ /*
+ * Native support for the I/O-Warrior USB devices
+ *
+- * Copyright (c) 2003-2005 Code Mercenaries GmbH
+- * written by Christian Lucht
++ * Copyright (c) 2003-2005, 2020 Code Mercenaries GmbH
++ * written by Christian Lucht and
++ * Christoph Jung
+ *
+ * based on
+
+@@ -817,14 +818,28 @@ static int iowarrior_probe(struct usb_in
+
+ /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+- if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
+- ((dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56AM) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28L) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW100)))
+- /* IOWarrior56 has wMaxPacketSize different from report size */
+- dev->report_size = 7;
++
++ /*
++ * Some devices need the report size to be different than the
++ * endpoint size.
++ */
++ if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) {
++ switch (dev->product_id) {
++ case USB_DEVICE_ID_CODEMERCS_IOW56:
++ case USB_DEVICE_ID_CODEMERCS_IOW56AM:
++ dev->report_size = 7;
++ break;
++
++ case USB_DEVICE_ID_CODEMERCS_IOW28:
++ case USB_DEVICE_ID_CODEMERCS_IOW28L:
++ dev->report_size = 4;
++ break;
++
++ case USB_DEVICE_ID_CODEMERCS_IOW100:
++ dev->report_size = 13;
++ break;
++ }
++ }
+
+ /* create the urb and buffer for reading */
+ dev->int_in_urb = usb_alloc_urb(0, GFP_KERNEL);
diff --git a/queue-4.19/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch b/queue-4.19/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
new file mode 100644
index 00000000000..f6e723ffcbc
--- /dev/null
+++ b/queue-4.19/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
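Review bot: The new `switch (dev->product_id)` has no `default:` label, and the report sizes 7, 4 and 13 are bare literals, so a reader auditing a future product ID has nothing in the table to say where a size comes from or what happens when no case matches. Adding `default: break; /* report size stays at the endpoint's wMaxPacketSize */` (grounded by the `usb_endpoint_maxp()` assignment just above) and a one-line per-case comment naming the source of each size would make the table self-explanatory. The existing comment says `report_size` is consulted often by the driver, so its uses are presumably the transfer sizes, but those uses are outside the hunk. iowarrior_probe() starts before and ends after the hunk.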
@@ -0,0 +1,52 @@
+From 1841cb255da41e87bed9573915891d056f80e2e7 Mon Sep 17 00:00:00 2001
+From: Forest Crossman
+Date: Mon, 27 Jul 2020 23:24:07 -0500
+Subject: usb: xhci: define IDs for various ASMedia host controllers
+
+From: Forest Crossman
+
+commit 1841cb255da41e87bed9573915891d056f80e2e7 upstream.
+
+Not all ASMedia host controllers have a device ID that matches its part
+number. #define some of these IDs to make it clearer at a glance which
+chips require what quirks.
+
+Acked-by: Mathias Nyman
+Signed-off-by: Forest Crossman
+Link: https://lore.kernel.org/r/20200728042408.180529-2-cyrozap@gmail.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-pci.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -47,7 +47,9 @@
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
++#define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
++#define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142
+
+ static const char hcd_name[] = "xhci_hcd";
+
+@@ -226,13 +228,13 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == 0x1042)
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI)
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == 0x1142)
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == 0x2142)
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)
+ xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
+
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
diff --git a/queue-4.19/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch b/queue-4.19/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
new file mode 100644
index 00000000000..b199af9d5f6
--- /dev/null
+++ b/queue-4.19/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
@@ -0,0 +1,45 @@
+From ec37198acca7b4c17b96247697406e47aafe0605 Mon Sep 17 00:00:00 2001
+From: Forest Crossman
+Date: Mon, 27 Jul 2020 23:24:08 -0500
+Subject: usb: xhci: Fix ASMedia ASM1142 DMA addressing
+
+From: Forest Crossman
+
+commit ec37198acca7b4c17b96247697406e47aafe0605 upstream.
+
+I've confirmed that the ASMedia ASM1142 has the same problem as the
+ASM2142/ASM3142, in that it too reports that it supports 64-bit DMA
+addresses when in fact it does not. As with the ASM2142/ASM3142, this
+can cause problems on systems where the upper bits matter, and adding
+the XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue.
+
+Acked-by: Mathias Nyman
+Signed-off-by: Forest Crossman
+Cc: stable
+Link: https://lore.kernel.org/r/20200728042408.180529-3-cyrozap@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -49,6 +49,7 @@
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
+ #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
++#define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242
+ #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142
+
+ static const char hcd_name[] = "xhci_hcd";
+@@ -234,7 +235,8 @@ static void xhci_pci_quirks(struct devic
+ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)
++ (pdev->device == PCI_DEVICE_ID_ASMEDIA_1142_XHCI ||
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI))
+ xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
+
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
diff --git a/queue-4.19/vgacon-fix-for-missing-check-in-scrollback-handling.patch b/queue-4.19/vgacon-fix-for-missing-check-in-scrollback-handling.patch
new file mode 100644
index 00000000000..55a0ee9754e
--- /dev/null
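Review bot: The new define `PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242` sits directly under `PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142`, so the part number in one macro's name is the device ID in its neighbour's value, and nothing at the definition site says that this is intentional. The previous patch's commit message explains that ASMedia device IDs do not all match part numbers; a one-line comment above the ASMedia block, `/* ASMedia device IDs do not always match the part number (ASM1142 is 0x1242) */`, would keep a later reader from "correcting" the value. The widened XHCI_NO_64BIT_SUPPORT condition itself reads correctly. xhci_pci_quirks() starts before and ends after the hunk.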
+++ b/queue-4.19/vgacon-fix-for-missing-check-in-scrollback-handling.patch 
@@ -0,0 +1,88 @@
+From ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d Mon Sep 17 00:00:00 2001
+From: Yunhai Zhang
+Date: Tue, 28 Jul 2020 09:58:03 +0800
+Subject: vgacon: Fix for missing check in scrollback handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yunhai Zhang
+
+commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream.
+
+vgacon_scrollback_update() always leaves enbough room in the scrollback
+buffer for the next call, but if the console size changed that room
+might not actually be enough, and so we need to re-check.
+
+The check should be in the loop since vgacon_scrollback_cur->tail is
+updated in the loop and count may be more than 1 when triggered by CSI M,
+as Jiri's PoC:
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char** argv)
+{
+ int fd = open("/dev/tty1", O_RDWR);
+ unsigned short size[3] = {25, 200, 0};
+ ioctl(fd, 0x5609, size); // VT_RESIZE
+
+ write(fd, "\e[1;1H", 6);
+ for (int i = 0; i < 30; i++)
+ write(fd, "\e[10M", 5);
+}
+
+It leads to various crashes as vgacon_scrollback_update writes out of
+the buffer:
+ BUG: unable to handle page fault for address: ffffc900001752a0
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ RIP: 0010:mutex_unlock+0x13/0x30
+...
+ Call Trace:
+ n_tty_write+0x1a0/0x4d0
+ tty_write+0x1a0/0x2e0
+
+Or to KASAN reports:
+BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed
+
+This fixes CVE-2020-14331.
+
+Reported-by: 张云海
+Reported-by: Yang Yingliang
+Reported-by: Kyungtae Kim
+Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback)
+Cc: stable@vger.kernel.org
+Cc: linux-fbdev@vger.kernel.org
+Cc: Linus Torvalds
+Cc: Solar Designer
+Cc: "Srivatsa S. Bhat"
+Cc: Anthony Liguori
+Cc: Yang Yingliang
+Cc: Bartlomiej Zolnierkiewicz
+Cc: Jiri Slaby
+Signed-off-by: Yunhai Zhang
+Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/console/vgacon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -251,6 +251,10 @@ static void vgacon_scrollback_update(str
+ p = (void *) (c->vc_origin + t * c->vc_size_row);
+
+ while (count--) {
++ if ((vgacon_scrollback_cur->tail + c->vc_size_row) >
++ vgacon_scrollback_cur->size)
++ vgacon_scrollback_cur->tail = 0;
++
+ scr_memcpyw(vgacon_scrollback_cur->data +
+ vgacon_scrollback_cur->tail,
+ p, c->vc_size_row);
-- 
2.47.3
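Review bot: The added check inside `while (count--)` only wraps `tail` to 0 when `tail + c->vc_size_row` would run past `size`; if a single row can be wider than the whole scrollback buffer, the `scr_memcpyw()` that follows still writes `vc_size_row` bytes from offset 0 and overruns, so the relationship between `vc_size_row` and `vgacon_scrollback_cur->size` should be confirmed where the buffer is sized — that bound is not visible in this hunk and may well hold, but the new code does not document it. A short comment above the new `if`, such as `/* the console may have been resized since the last call, so re-check that a full row still fits before the copy */`, would tie the check to the reason given in the commit message and to the CVE it closes. The check also has no `unlikely()` hint like the surrounding fast-path code; that is a matter of taste only. vgacon_scrollback_update() starts before and ends after the hunk.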