From a3b93ab4449781deb3ffc2abe907cd6266886d98 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 7 Aug 2020 16:03:06 +0200 Subject: [PATCH] 4.9-stable patches added patches: alsa-seq-oss-serialize-ioctls.patch bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch leds-88pm860x-fix-use-after-free-on-unbind.patch leds-da903x-fix-use-after-free-on-unbind.patch leds-lm3533-fix-use-after-free-on-unbind.patch leds-wm831x-status-fix-use-after-free-on-unbind.patch mtd-properly-check-all-write-ioctls-for-permissions.patch net-mlx5e-don-t-support-phys-switch-id-if-not-in-switchdev-mode.patch omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch vgacon-fix-for-missing-check-in-scrollback-handling.patch --- queue-4.9/alsa-seq-oss-serialize-ioctls.patch | 51 ++++++++ ...d-in-hci_extended_inquiry_result_evt.patch | 39 ++++++ ...ounds-read-in-hci_inquiry_result_evt.patch | 31 +++++ ...-in-hci_inquiry_result_with_rssi_evt.patch | 50 ++++++++ ...8pm860x-fix-use-after-free-on-unbind.patch | 63 +++++++++ ...-da903x-fix-use-after-free-on-unbind.patch | 61 +++++++++ ...-lm3533-fix-use-after-free-on-unbind.patch | 66 ++++++++++ ...-status-fix-use-after-free-on-unbind.patch | 61 +++++++++ ...eck-all-write-ioctls-for-permissions.patch | 120 ++++++++++++++++++ ...s-switch-id-if-not-in-switchdev-mode.patch | 40 ++++++ ...ss-fix-max-fclk-divider-for-omap36xx.patch | 42 ++++++ queue-4.9/series | 12 ++ ...missing-check-in-scrollback-handling.patch | 89 +++++++++++++ 13 files changed, 725 insertions(+) create mode 100644 queue-4.9/alsa-seq-oss-serialize-ioctls.patch create mode 100644 queue-4.9/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch create mode 100644 queue-4.9/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch create mode 100644 queue-4.9/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch create mode 
100644 queue-4.9/leds-88pm860x-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.9/leds-da903x-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.9/leds-lm3533-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.9/leds-wm831x-status-fix-use-after-free-on-unbind.patch create mode 100644 queue-4.9/mtd-properly-check-all-write-ioctls-for-permissions.patch create mode 100644 queue-4.9/net-mlx5e-don-t-support-phys-switch-id-if-not-in-switchdev-mode.patch create mode 100644 queue-4.9/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch create mode 100644 queue-4.9/vgacon-fix-for-missing-check-in-scrollback-handling.patch diff --git a/queue-4.9/alsa-seq-oss-serialize-ioctls.patch b/queue-4.9/alsa-seq-oss-serialize-ioctls.patch new file mode 100644 index 00000000000..08c9b786f45 --- /dev/null +++ b/queue-4.9/alsa-seq-oss-serialize-ioctls.patch 
@@ -0,0 +1,51 @@ +From 80982c7e834e5d4e325b6ce33757012ecafdf0bb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 4 Aug 2020 20:58:15 +0200 +Subject: ALSA: seq: oss: Serialize ioctls + +From: Takashi Iwai + +commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. + +Some ioctls via OSS sequencer API may race and lead to UAF when the +port create and delete are performed concurrently, as spotted by a +couple of syzkaller cases. This patch is an attempt to address it by +serializing the ioctls with the existing register_mutex. + +Basically OSS sequencer API is an obsoleted interface and was designed +without much consideration of the concurrency. There are very few +applications with it, and the concurrent performance isn't asked, +hence this "big hammer" approach should be good enough. + +Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com +Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com +Suggested-by: Hillf Danton +Cc: +Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/oss/seq_oss.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -181,10 +181,16 @@ static long + odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + struct seq_oss_devinfo *dp; ++ long rc; ++ + dp = file->private_data; + if (snd_BUG_ON(!dp)) + return -ENXIO; +- return snd_seq_oss_ioctl(dp, cmd, arg); ++ ++ mutex_lock(®ister_mutex); ++ rc = snd_seq_oss_ioctl(dp, cmd, arg); ++ mutex_unlock(®ister_mutex); ++ return rc; + } + + #ifdef CONFIG_COMPAT diff --git a/queue-4.9/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch b/queue-4.9/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch new file mode 100644 index 00000000000..b853b207add --- /dev/null 
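Review bot: The new mutex_lock()/mutex_unlock() pair around snd_seq_oss_ioctl() in odev_ioctl() carries no comment saying what it protects; the port create/delete race is named only in the commit message, so a later reader seeing register_mutex taken on every ioctl may be tempted to drop it. Suggest `/* register_mutex serializes ioctls against concurrent port create/delete (UAF otherwise) */` above the lock. The hunk ends at `#ifdef CONFIG_COMPAT`; if the compat entry point does not forward to odev_ioctl(), it needs the same serialization, which should be confirmed in the unpatched file.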
+++ b/queue-4.9/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch @@ -0,0 +1,39 @@ +From 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 12:09:15 -0400 +Subject: Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() + +From: Peilin Ye + +commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream. + +Check upon `num_rsp` is insufficient. A malformed event packet with a +large `num_rsp` number makes hci_extended_inquiry_result_evt() go out +of bounds. Fix it. + +This patch fixes the following syzbot bug: + + https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2 + +Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Acked-by: Greg Kroah-Hartman +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3826,7 +3826,7 @@ static void hci_extended_inquiry_result_ + + BT_DBG("%s num_rsp %d", hdev->name, num_rsp); + +- if (!num_rsp) ++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) + return; + + if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) diff --git a/queue-4.9/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch b/queue-4.9/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch new file mode 100644 index 00000000000..c052648f35c --- /dev/null +++ b/queue-4.9/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch 
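Review bot: The added bound `skb->len < num_rsp * sizeof(*info) + 1` depends on `info` pointing at `skb->data + 1` and on num_rsp occupying exactly one leading byte, neither of which is visible in this hunk (hci_extended_inquiry_result_evt() starts outside it); the same check recurs in the hci_inquiry_result_evt and hci_inquiry_result_with_rssi_evt hunks. A short comment such as `/* 1 byte num_rsp followed by num_rsp entries of *info */` would tie the `+ 1` to the event layout. The multiplication cannot overflow only if num_rsp is a narrow type (presumably u8, read from the event); confirm against its declaration.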
@@ -0,0 +1,31 @@ +From 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 17:39:18 -0400 +Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() + +From: Peilin Ye + +commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream. + +Check `num_rsp` before using it as for-loop counter. + +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2094,7 +2094,7 @@ static void hci_inquiry_result_evt(struc + + BT_DBG("%s num_rsp %d", hdev->name, num_rsp); + +- if (!num_rsp) ++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) + return; + + if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) diff --git a/queue-4.9/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch b/queue-4.9/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch new file mode 100644 index 00000000000..299abeff401 --- /dev/null +++ b/queue-4.9/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch 
@@ -0,0 +1,50 @@ +From 629b49c848ee71244203934347bd7730b0ddee8d Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 17:45:26 -0400 +Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() + +From: Peilin Ye + +commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. + +Check `num_rsp` before using it as for-loop counter. Add `unlock` label. + +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3623,6 +3623,9 @@ static void hci_inquiry_result_with_rssi + struct inquiry_info_with_rssi_and_pscan_mode *info; + info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -3644,6 +3647,9 @@ static void hci_inquiry_result_with_rssi + } else { + struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -3664,6 +3670,7 @@ static void hci_inquiry_result_with_rssi + } + } + ++unlock: + hci_dev_unlock(hdev); + } + diff --git a/queue-4.9/leds-88pm860x-fix-use-after-free-on-unbind.patch b/queue-4.9/leds-88pm860x-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..0124847f19a --- /dev/null +++ b/queue-4.9/leds-88pm860x-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,63 @@ +From eca21c2d8655387823d695b26e6fe78cf3975c05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:45 +0200 +Subject: leds: 88pm860x: fix use-after-free on unbind + +From: Johan Hovold + +commit eca21c2d8655387823d695b26e6fe78cf3975c05 upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: 375446df95ee ("leds: 88pm860x: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-88pm860x.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-88pm860x.c ++++ b/drivers/leds/leds-88pm860x.c +@@ -207,21 +207,33 @@ static int pm860x_led_probe(struct platf + data->cdev.brightness_set_blocking = pm860x_led_set; + mutex_init(&data->lock); + +- ret = devm_led_classdev_register(chip->dev, &data->cdev); ++ ret = led_classdev_register(chip->dev, &data->cdev); + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); + return ret; + } + pm860x_led_set(&data->cdev, 0); ++ ++ platform_set_drvdata(pdev, data); ++ + return 0; + } + ++static int pm860x_led_remove(struct platform_device *pdev) ++{ ++ struct pm860x_led *data = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&data->cdev); ++ ++ return 0; ++} + + static struct platform_driver pm860x_led_driver = { + .driver = { + .name = "88pm860x-led", + }, + .probe = pm860x_led_probe, ++ .remove = pm860x_led_remove, + }; + + module_platform_driver(pm860x_led_driver); 
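Review bot: The reason devm cannot manage this class device — it is registered under the parent `chip->dev`, so devres would keep it registered past this driver's unbind while its backing data is freed — lives only in the commit message, and the Fixes: line shows a devm conversion already introduced this use-after-free once. Suggest a comment above `led_classdev_register(chip->dev, &data->cdev)` such as `/* Registered under the parent MFD device, not &pdev->dev: do not convert to devm; paired with led_classdev_unregister() in pm860x_led_remove() */`. The da903x, lm3533 and wm831x-status hunks repeat the pattern and would benefit from the same comment. pm860x_led_probe() begins outside the hunk.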
diff --git a/queue-4.9/leds-da903x-fix-use-after-free-on-unbind.patch b/queue-4.9/leds-da903x-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..61ba84a2613 --- /dev/null +++ b/queue-4.9/leds-da903x-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,61 @@ +From 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:46 +0200 +Subject: leds: da903x: fix use-after-free on unbind + +From: Johan Hovold + +commit 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: eed16255d66b ("leds: da903x: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-da903x.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-da903x.c ++++ b/drivers/leds/leds-da903x.c +@@ -113,12 +113,23 @@ static int da903x_led_probe(struct platf + led->flags = pdata->flags; + led->master = pdev->dev.parent; + +- ret = devm_led_classdev_register(led->master, &led->cdev); ++ ret = led_classdev_register(led->master, &led->cdev); + if (ret) { + dev_err(&pdev->dev, "failed to register LED %d\n", id); + return ret; + } + ++ platform_set_drvdata(pdev, led); ++ ++ return 0; ++} ++ ++static int da903x_led_remove(struct platform_device *pdev) ++{ ++ struct da903x_led *led = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&led->cdev); ++ + return 0; + } + +@@ -127,6 +138,7 @@ static struct platform_driver da903x_led + .name = "da903x-led", + }, + .probe = da903x_led_probe, ++ .remove = da903x_led_remove, + }; + + module_platform_driver(da903x_led_driver); diff --git a/queue-4.9/leds-lm3533-fix-use-after-free-on-unbind.patch b/queue-4.9/leds-lm3533-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..84c4024a939 --- /dev/null 
+++ b/queue-4.9/leds-lm3533-fix-use-after-free-on-unbind.patch @@ -0,0 +1,66 @@ +From d584221e683bbd173738603b83a315f27d27d043 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:47 +0200 +Subject: leds: lm3533: fix use-after-free on unbind + +From: Johan Hovold + +commit d584221e683bbd173738603b83a315f27d27d043 upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-lm3533.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/leds/leds-lm3533.c ++++ b/drivers/leds/leds-lm3533.c +@@ -698,7 +698,7 @@ static int lm3533_led_probe(struct platf + + platform_set_drvdata(pdev, led); + +- ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev); ++ ret = led_classdev_register(pdev->dev.parent, &led->cdev); + if (ret) { + dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id); + return ret; +@@ -708,13 +708,18 @@ static int lm3533_led_probe(struct platf + + ret = lm3533_led_setup(led, pdata); + if (ret) +- return ret; ++ goto err_deregister; + + ret = lm3533_ctrlbank_enable(&led->cb); + if (ret) +- return ret; ++ goto err_deregister; + + return 0; ++ ++err_deregister: ++ led_classdev_unregister(&led->cdev); ++ ++ return ret; + } + + static int lm3533_led_remove(struct platform_device *pdev) +@@ -724,6 +729,7 @@ static int lm3533_led_remove(struct plat + dev_dbg(&pdev->dev, "%s\n", __func__); + + lm3533_ctrlbank_disable(&led->cb); ++ led_classdev_unregister(&led->cdev); + + return 0; + } 
diff --git a/queue-4.9/leds-wm831x-status-fix-use-after-free-on-unbind.patch b/queue-4.9/leds-wm831x-status-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..62df0284613 --- /dev/null +++ b/queue-4.9/leds-wm831x-status-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,61 @@ +From 47a459ecc800a17109d0c496a4e21e478806ee40 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jun 2020 15:39:49 +0200 +Subject: leds: wm831x-status: fix use-after-free on unbind + +From: Johan Hovold + +commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream. + +Several MFD child drivers register their class devices directly under +the parent device. This means you cannot blindly do devres conversions +so that deregistration ends up being tied to the parent device, +something which leads to use-after-free on driver unbind when the class +device is released while still being registered. + +Fixes: 8d3b6a4001ce ("leds: wm831x-status: Use devm_led_classdev_register") +Cc: stable # 4.6 +Cc: Amitoj Kaur Chawla +Signed-off-by: Johan Hovold +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-wm831x-status.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-wm831x-status.c ++++ b/drivers/leds/leds-wm831x-status.c +@@ -283,12 +283,23 @@ static int wm831x_status_probe(struct pl + drvdata->cdev.blink_set = wm831x_status_blink_set; + drvdata->cdev.groups = wm831x_status_groups; + +- ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev); ++ ret = led_classdev_register(wm831x->dev, &drvdata->cdev); + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); + return ret; + } + ++ platform_set_drvdata(pdev, drvdata); ++ ++ return 0; ++} ++ ++static int wm831x_status_remove(struct platform_device *pdev) ++{ ++ struct wm831x_status *drvdata = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&drvdata->cdev); ++ + return 0; + } + +@@ -297,6 +308,7 @@ static struct platform_driver wm831x_sta + .name = "wm831x-status", + }, + .probe = wm831x_status_probe, ++ .remove = wm831x_status_remove, + }; + + module_platform_driver(wm831x_status_driver); 
diff --git a/queue-4.9/mtd-properly-check-all-write-ioctls-for-permissions.patch b/queue-4.9/mtd-properly-check-all-write-ioctls-for-permissions.patch new file mode 100644 index 00000000000..79462e83c66 --- /dev/null +++ b/queue-4.9/mtd-properly-check-all-write-ioctls-for-permissions.patch 
@@ -0,0 +1,120 @@ +From f7e6b19bc76471ba03725fe58e0c218a3d6266c3 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 16 Jul 2020 13:53:46 +0200 +Subject: mtd: properly check all write ioctls for permissions + +From: Greg Kroah-Hartman + +commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream. + +When doing a "write" ioctl call, properly check that we have permissions +to do so before copying anything from userspace or anything else so we +can "fail fast". This includes also covering the MEMWRITE ioctl which +previously missed checking for this. + +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: Vignesh Raghavendra +Cc: stable +Signed-off-by: Greg Kroah-Hartman +[rw: Fixed locking issue] +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/mtdchar.c | 56 +++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 47 insertions(+), 9 deletions(-) + +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -372,9 +372,6 @@ static int mtdchar_writeoob(struct file + uint32_t retlen; + int ret = 0; + +- if (!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + if (length > 4096) + return -EINVAL; + +@@ -681,6 +678,48 @@ static int mtdchar_ioctl(struct file *fi + return -EFAULT; + } + ++ /* ++ * Check the file mode to require "dangerous" commands to have write ++ * permissions. 
++ */ ++ switch (cmd) { ++ /* "safe" commands */ ++ case MEMGETREGIONCOUNT: ++ case MEMGETREGIONINFO: ++ case MEMGETINFO: ++ case MEMREADOOB: ++ case MEMREADOOB64: ++ case MEMLOCK: ++ case MEMUNLOCK: ++ case MEMISLOCKED: ++ case MEMGETOOBSEL: ++ case MEMGETBADBLOCK: ++ case MEMSETBADBLOCK: ++ case OTPSELECT: ++ case OTPGETREGIONCOUNT: ++ case OTPGETREGIONINFO: ++ case OTPLOCK: ++ case ECCGETLAYOUT: ++ case ECCGETSTATS: ++ case MTDFILEMODE: ++ case BLKPG: ++ case BLKRRPART: ++ break; ++ ++ /* "dangerous" commands */ ++ case MEMERASE: ++ case MEMERASE64: ++ case MEMWRITEOOB: ++ case MEMWRITEOOB64: ++ case MEMWRITE: ++ if (!(file->f_mode & FMODE_WRITE)) ++ return -EPERM; ++ break; ++ ++ default: ++ return -ENOTTY; ++ } ++ + switch (cmd) { + case MEMGETREGIONCOUNT: + if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int))) +@@ -728,9 +767,6 @@ static int mtdchar_ioctl(struct file *fi + { + struct erase_info *erase; + +- if(!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL); + if (!erase) + ret = -ENOMEM; +@@ -1051,9 +1087,6 @@ static int mtdchar_ioctl(struct file *fi + ret = 0; + break; + } +- +- default: +- ret = -ENOTTY; + } + + return ret; +@@ -1097,6 +1130,11 @@ static long mtdchar_compat_ioctl(struct + struct mtd_oob_buf32 buf; + struct mtd_oob_buf32 __user *buf_user = argp; + ++ if (!(file->f_mode & FMODE_WRITE)) { ++ ret = -EPERM; ++ break; ++ } ++ + if (copy_from_user(&buf, argp, sizeof(buf))) + ret = -EFAULT; + else diff --git a/queue-4.9/net-mlx5e-don-t-support-phys-switch-id-if-not-in-switchdev-mode.patch b/queue-4.9/net-mlx5e-don-t-support-phys-switch-id-if-not-in-switchdev-mode.patch new file mode 100644 index 00000000000..527881fddcb --- /dev/null +++ b/queue-4.9/net-mlx5e-don-t-support-phys-switch-id-if-not-in-switchdev-mode.patch 
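Review bot: The "safe" list in the new permission switch still admits MEMLOCK, MEMUNLOCK, MEMSETBADBLOCK and OTPLOCK, which change device state (lock bits, bad-block markers, OTP region lock) and therefore remain reachable from a read-only open; if the intent stated in the new comment is to hold, move `case MEMLOCK:`, `case MEMUNLOCK:`, `case MEMSETBADBLOCK:` and `case OTPLOCK:` into the FMODE_WRITE group. The new `default: return -ENOTTY;` also means any command handled by the second switch but absent from the first is now rejected, so the two lists must stay in sync; a comment such as `/* Every cmd handled below must be listed here; unlisted commands return -ENOTTY */` would make that explicit. mtdchar_ioctl() starts and ends outside the hunk.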
@@ -0,0 +1,40 @@ +From saeedm@mellanox.com Fri Aug 7 15:12:01 2020 +From: Saeed Mahameed +Date: Thu, 6 Aug 2020 19:05:42 -0700 +Subject: net/mlx5e: Don't support phys switch id if not in switchdev mode +To: Greg Kroah-Hartman , linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org, netdev@vger.kernel.org, Roi Dayan , Saeed Mahameed +Message-ID: <20200807020542.636290-1-saeedm@mellanox.com> + + +From: Roi Dayan + +Support for phys switch id ndo added for representors and if +we do not have representors there is no need to support it. +Since each port return different switch id supporting this +block support for creating bond over PFs and attaching to bridge +in legacy mode. + +This bug doesn't exist upstream as the code got refactored and the +netdev api is totally different. + +Fixes: cb67b832921c ("net/mlx5e: Introduce SRIOV VF representors") +Signed-off-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -139,7 +139,7 @@ int mlx5e_attr_get(struct net_device *de + struct mlx5_eswitch_rep *rep = priv->ppriv; + struct mlx5_eswitch *esw = priv->mdev->priv.eswitch; + +- if (esw->mode == SRIOV_NONE) ++ if (esw->mode != SRIOV_OFFLOADS) + return -EOPNOTSUPP; + + switch (attr->id) { diff --git a/queue-4.9/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch b/queue-4.9/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch new file mode 100644 index 00000000000..287c73c44d0 --- /dev/null +++ b/queue-4.9/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch 
@@ -0,0 +1,42 @@ +From 254503a2b186caa668a188dbbd7ab0d25149c0a5 Mon Sep 17 00:00:00 2001 +From: Adam Ford +Date: Tue, 30 Jun 2020 13:26:36 -0500 +Subject: omapfb: dss: Fix max fclk divider for omap36xx + +From: Adam Ford + +commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream. + +The drm/omap driver was fixed to correct an issue where using a +divider of 32 breaks the DSS despite the TRM stating 32 is a valid +number. Through experimentation, it appears that 31 works, and +it is consistent with the value used by the drm/omap driver. + +This patch fixes the divider for fbdev driver instead of the drm. + +Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") +Cc: #4.5+ +Signed-off-by: Adam Ford +Reviewed-by: Tomi Valkeinen +Cc: Dave Airlie +Cc: Rob Clark +[b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)] +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200630182636.439015-1-aford173@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +@@ -843,7 +843,7 @@ static const struct dss_features omap34x + }; + + static const struct dss_features omap3630_dss_feats = { +- .fck_div_max = 32, ++ .fck_div_max = 31, + .dss_fck_multiplier = 1, + .parent_clk_name = "dpll4_ck", + .dpi_select_source = &dss_dpi_select_source_omap2_omap3, diff --git a/queue-4.9/series b/queue-4.9/series index 707f13f2066..f439c5c8fcb 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
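Review bot: `.fck_div_max = 31` now disagrees with the value of 32 that the commit message says the TRM documents for omap36xx, and nothing at the use site records why, so the next person checking against the datasheet may "fix" it back. Suggest `.fck_div_max = 31, /* TRM allows 32, but a divider of 32 breaks DSS; 31 matches drm/omap */`.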
@@ -49,3 +49,15 @@ random32-remove-net_rand_state-from-the-latent-entropy-gcc-plugin.patch
 random32-move-the-pseudo-random-32-bit-definitions-to-prandom.h.patch
 ext4-fix-direct-i-o-read-error.patch
 usb-serial-qcserial-add-em7305-qdl-product-id.patch
+net-mlx5e-don-t-support-phys-switch-id-if-not-in-switchdev-mode.patch
+alsa-seq-oss-serialize-ioctls.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
+omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
+vgacon-fix-for-missing-check-in-scrollback-handling.patch
+mtd-properly-check-all-write-ioctls-for-permissions.patch
+leds-wm831x-status-fix-use-after-free-on-unbind.patch
+leds-da903x-fix-use-after-free-on-unbind.patch
+leds-lm3533-fix-use-after-free-on-unbind.patch
+leds-88pm860x-fix-use-after-free-on-unbind.patch
diff --git a/queue-4.9/vgacon-fix-for-missing-check-in-scrollback-handling.patch b/queue-4.9/vgacon-fix-for-missing-check-in-scrollback-handling.patch
new file mode 100644
index 00000000000..08c84ff8123
--- /dev/null
+++ b/queue-4.9/vgacon-fix-for-missing-check-in-scrollback-handling.patch
@@ -0,0 +1,89 @@ +From ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d Mon Sep 17 00:00:00 2001 +From: Yunhai Zhang +Date: Tue, 28 Jul 2020 09:58:03 +0800 +Subject: vgacon: Fix for missing check in scrollback handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunhai Zhang + +commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream. + +vgacon_scrollback_update() always leaves enbough room in the scrollback +buffer for the next call, but if the console size changed that room +might not actually be enough, and so we need to re-check. + +The check should be in the loop since vgacon_scrollback_cur->tail is +updated in the loop and count may be more than 1 when triggered by CSI M, +as Jiri's PoC: +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char** argv) +{ + int fd = open("/dev/tty1", O_RDWR); + unsigned short size[3] = {25, 200, 0}; + ioctl(fd, 0x5609, size); // VT_RESIZE + + write(fd, "\e[1;1H", 6); + for (int i = 0; i < 30; i++) + write(fd, "\e[10M", 5); +} + +It leads to various crashes as vgacon_scrollback_update writes out of +the buffer: + BUG: unable to handle page fault for address: ffffc900001752a0 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + RIP: 0010:mutex_unlock+0x13/0x30 +... + Call Trace: + n_tty_write+0x1a0/0x4d0 + tty_write+0x1a0/0x2e0 + +Or to KASAN reports: +BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed + +This fixes CVE-2020-14331. + +Reported-by: 张云海 +Reported-by: Yang Yingliang +Reported-by: Kyungtae Kim +Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback) +Cc: stable@vger.kernel.org +Cc: linux-fbdev@vger.kernel.org +Cc: Linus Torvalds +Cc: Solar Designer +Cc: "Srivatsa S. 
Bhat" +Cc: Anthony Liguori +Cc: Yang Yingliang +Cc: Bartlomiej Zolnierkiewicz +Cc: Jiri Slaby +Signed-off-by: Yunhai Zhang +Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/vgacon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -219,6 +219,10 @@ static void vgacon_scrollback_update(str + p = (void *) (c->vc_origin + t * c->vc_size_row); + + while (count--) { ++ if ((vgacon_scrollback_tail + c->vc_size_row) > ++ vgacon_scrollback_size) ++ vgacon_scrollback_tail = 0; ++ + scr_memcpyw(vgacon_scrollback + vgacon_scrollback_tail, + p, c->vc_size_row); + vgacon_scrollback_cnt++; -- 2.47.3
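Review bot: The added wrap check resets `vgacon_scrollback_tail` to 0 when one more row would not fit, but it does not by itself guarantee that a single row fits: if `c->vc_size_row` could ever exceed `vgacon_scrollback_size`, the scr_memcpyw() on the next line still writes past the buffer from offset 0. Whether the allocation path bounds the row size against the buffer is outside this hunk (vgacon_scrollback_update() begins and ends outside it), so that should be confirmed. Consider a comment above the new check, `/* the console may have been resized since the last call; re-check room per row */`, so the reason for checking inside the loop rather than once is not lost.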