From ebf01ab77c486be326a20c62b38db7ccb9932290 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 21 Mar 2022 10:15:23 +0100
Subject: [PATCH] 4.19-stable patches

added patches:
input-aiptek-properly-check-endpoint-type.patch
perf-symbols-fix-symbol-size-calculation-condition.patch
---
 ...-aiptek-properly-check-endpoint-type.patch | 63 ++++++++++++++++
 ...ix-symbol-size-calculation-condition.patch | 71 +++++++++++++++++++
 queue-4.19/series | 2 +
 3 files changed, 136 insertions(+)
 create mode 100644 queue-4.19/input-aiptek-properly-check-endpoint-type.patch
 create mode 100644 queue-4.19/perf-symbols-fix-symbol-size-calculation-condition.patch

diff --git a/queue-4.19/input-aiptek-properly-check-endpoint-type.patch b/queue-4.19/input-aiptek-properly-check-endpoint-type.patch
new file mode 100644
index 00000000000..1a73f35aa61
--- /dev/null
+++ b/queue-4.19/input-aiptek-properly-check-endpoint-type.patch
@@ -0,0 +1,63 @@
+From 5600f6986628dde8881734090588474f54a540a8 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Sun, 13 Mar 2022 22:56:32 -0700
+Subject: Input: aiptek - properly check endpoint type
+
+From: Pavel Skripkin
+
+commit 5600f6986628dde8881734090588474f54a540a8 upstream.
+
+Syzbot reported warning in usb_submit_urb() which is caused by wrong
+endpoint type. There was a check for the number of endpoints, but not
+for the type of endpoint.
+
+Fix it by replacing old desc.bNumEndpoints check with
+usb_find_common_endpoints() helper for finding endpoints
+
+Fail log:
+
+usb 5-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
+Modules linked in:
+CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+Workqueue: usb_hub_wq hub_event
+...
+Call Trace:
+
+ aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830
+ input_open_device+0x1bb/0x320 drivers/input/input.c:629
+ kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593
+
+Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints")
+Reported-and-tested-by: syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Link: https://lore.kernel.org/r/20220308194328.26220-1-paskripkin@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/tablet/aiptek.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/tablet/aiptek.c
++++ b/drivers/input/tablet/aiptek.c
+@@ -1814,15 +1814,13 @@ aiptek_probe(struct usb_interface *intf,
+ input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
+ input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+
+- /* Verify that a device really has an endpoint */
+- if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
++ err = usb_find_common_endpoints(intf->cur_altsetting,
++ NULL, NULL, &endpoint, NULL);
++ if (err) {
+ dev_err(&intf->dev,
+- "interface has %d endpoints, but must have minimum 1\n",
+- intf->cur_altsetting->desc.bNumEndpoints);
+- err = -EINVAL;
++ "interface has no int in endpoints, but must have minimum 1\n");
+ goto fail3;
+ }
+- endpoint = &intf->cur_altsetting->endpoint[0].desc;
+
+ /* Go set up our URB, which is called when the tablet receives
+ * input.
diff --git a/queue-4.19/perf-symbols-fix-symbol-size-calculation-condition.patch b/queue-4.19/perf-symbols-fix-symbol-size-calculation-condition.patch
new file mode 100644
index 00000000000..9d3baf35d31
--- /dev/null
+++ b/queue-4.19/perf-symbols-fix-symbol-size-calculation-condition.patch
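Review bot: In the inner aiptek.c hunk the success path now leaves `err` at 0, because `err = usb_find_common_endpoints(...)` replaces the old check that only wrote `err = -EINVAL;` on failure. aiptek_probe continues outside this hunk; if any later failure path there still does a bare `goto fail3` relying on the initial value of `err` (the path that gives up after trying every programmable delay looks like one, to be confirmed against the full function), probe would now return 0 after the fail labels have freed the URB and the device. A form that does not clobber `err` on success avoids that: `if (usb_find_common_endpoints(intf->cur_altsetting, NULL, NULL, &endpoint, NULL)) {` with `err = -EINVAL;` kept before `goto fail3;`. The new message `"interface has no int in endpoints, but must have minimum 1\n"` would also read better as `"interface has no interrupt-in endpoint\n"`.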
@@ -0,0 +1,71 @@
+From 3cf6a32f3f2a45944dd5be5c6ac4deb46bcd3bee Mon Sep 17 00:00:00 2001
+From: Michael Petlan
+Date: Thu, 17 Mar 2022 14:55:36 +0100
+Subject: perf symbols: Fix symbol size calculation condition
+
+From: Michael Petlan
+
+commit 3cf6a32f3f2a45944dd5be5c6ac4deb46bcd3bee upstream.
+
+Before this patch, the symbol end address fixup to be called, needed two
+conditions being met:
+
+ if (prev->end == prev->start && prev->end != curr->start)
+
+Where
+ "prev->end == prev->start" means that prev is zero-long
+ (and thus needs a fixup)
+and
+ "prev->end != curr->start" means that fixup hasn't been applied yet
+
+However, this logic is incorrect in the following situation:
+
+*curr = {rb_node = {__rb_parent_color = 278218928,
+ rb_right = 0x0, rb_left = 0x0},
+ start = 0xc000000000062354,
+ end = 0xc000000000062354, namelen = 40, type = 2 '\002',
+ binding = 0 '\000', idle = 0 '\000', ignore = 0 '\000',
+ inlined = 0 '\000', arch_sym = 0 '\000', annotate2 = false,
+ name = 0x1159739e "kprobe_optinsn_page\t[__builtin__kprobes]"}
+
+*prev = {rb_node = {__rb_parent_color = 278219041,
+ rb_right = 0x109548b0, rb_left = 0x109547c0},
+ start = 0xc000000000062354,
+ end = 0xc000000000062354, namelen = 12, type = 2 '\002',
+ binding = 1 '\001', idle = 0 '\000', ignore = 0 '\000',
+ inlined = 0 '\000', arch_sym = 0 '\000', annotate2 = false,
+ name = 0x1095486e "optinsn_slot"}
+
+In this case, prev->start == prev->end == curr->start == curr->end,
+thus the condition above thinks that "we need a fixup due to zero
+length of prev symbol, but it has been probably done, since the
+prev->end == curr->start", which is wrong.
+
+After the patch, the execution path proceeds to arch__symbols__fixup_end
+function which fixes up the size of prev symbol by adding page_size to
+its end offset.
+
+Fixes: 3b01a413c196c910 ("perf symbols: Improve kallsyms symbol end addr calculation")
+Signed-off-by: Michael Petlan
+Cc: Athira Jajeev
+Cc: Jiri Olsa
+Cc: Kajol Jain
+Cc: Madhavan Srinivasan
+Link: http://lore.kernel.org/lkml/20220317135536.805-1-mpetlan@redhat.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/symbol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -217,7 +217,7 @@ void symbols__fixup_end(struct rb_root *
+ prev = curr;
+ curr = rb_entry(nd, struct symbol, rb_node);
+
+- if (prev->end == prev->start && prev->end != curr->start)
++ if (prev->end == prev->start || prev->end != curr->start)
+ arch__symbols__fixup_end(prev, curr);
+ }
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 7b0a6c747c3..2c4a840dd06 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -53,3 +53,5 @@ net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch
 net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch
 usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch
 usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch
+input-aiptek-properly-check-endpoint-type.patch
+perf-symbols-fix-symbol-size-calculation-condition.patch
--
2.47.3
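Review bot: With `||` the inner symbol.c hunk now calls `arch__symbols__fixup_end(prev, curr)` for every consecutive pair whose addresses are not contiguous, not only when `prev` is zero-length, while the commit message justifies only the zero-length (kallsyms) case. If symbols__fixup_end is also run over symbols loaded from ELF that already carry a correct size, a `prev` followed by padding before `curr` would be "fixed up" too, and whether that overwrites its end depends on arch__symbols__fixup_end, which is outside the hunk; worth confirming against the callers before the backport. Whatever the answer, the intended rule deserves a comment at the condition, e.g. `/* kallsyms symbols carry no size (end == start); extend prev to the next symbol. This also applies to sized symbols with a gap before curr. */`. symbols__fixup_end starts and ends outside the hunk.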