From: Greg Kroah-Hartman Date: Wed, 23 Dec 2020 14:17:19 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.10.3~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1ee8ea85807eaa952a54db28ba624dfc200f7675;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: hid-i2c-hid-add-vero-k147-to-descriptor-override.patch scsi-megaraid_sas-check-user-provided-offsets.patch serial_core-check-for-port-state-when-tty-is-in-error-state.patch
---
diff --git a/queue-5.4/hid-i2c-hid-add-vero-k147-to-descriptor-override.patch b/queue-5.4/hid-i2c-hid-add-vero-k147-to-descriptor-override.patch
new file mode 100644
index 00000000000..5a5db328135
--- /dev/null
+++ b/queue-5.4/hid-i2c-hid-add-vero-k147-to-descriptor-override.patch
@@ -0,0 +1,39 @@
+From c870d50ce387d84b6438211a7044c60afbd5d60a Mon Sep 17 00:00:00 2001
+From: Julian Sax
+Date: Thu, 26 Nov 2020 18:51:58 +0100
+Subject: HID: i2c-hid: add Vero K147 to descriptor override
+
+From: Julian Sax
+
+commit c870d50ce387d84b6438211a7044c60afbd5d60a upstream.
+
+This device uses the SIPODEV SP1064 touchpad, which does not
+supply descriptors, so it has to be added to the override list.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Julian Sax
+Reviewed-by: Hans de Goede
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+@@ -405,6 +405,14 @@ static const struct dmi_system_id i2c_hi
+ },
+ .driver_data = (void *)&sipodev_desc
+ },
++ {
++ .ident = "Vero K147",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VERO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "K147"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
+ { } /* Terminate list */
+ };
+
diff --git a/queue-5.4/scsi-megaraid_sas-check-user-provided-offsets.patch b/queue-5.4/scsi-megaraid_sas-check-user-provided-offsets.patch
new file mode 100644
index 00000000000..56c680b1518
--- /dev/null
+++ b/queue-5.4/scsi-megaraid_sas-check-user-provided-offsets.patch
@@ -0,0 +1,71 @@
+From 381d34e376e3d9d27730fda8a0e870600e6c8196 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 30 Oct 2020 17:44:20 +0100
+Subject: scsi: megaraid_sas: Check user-provided offsets
+
+From: Arnd Bergmann
+
+commit 381d34e376e3d9d27730fda8a0e870600e6c8196 upstream.
+
+It sounds unwise to let user space pass an unchecked 32-bit offset into a
+kernel structure in an ioctl. This is an unsigned variable, so checking the
+upper bound for the size of the structure it points into is sufficient to
+avoid data corruption, but as the pointer might also be unaligned, it has
+to be written carefully as well.
+
+While I stumbled over this problem by reading the code, I did not continue
+checking the function for further problems like it.
+
+Link: https://lore.kernel.org/r/20201030164450.1253641-2-arnd@kernel.org
+Fixes: c4a3e0a529ab ("[SCSI] MegaRAID SAS RAID: new driver")
+Cc: # v2.6.15+
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -8038,7 +8038,7 @@ megasas_mgmt_fw_ioctl(struct megasas_ins
+ int error = 0, i;
+ void *sense = NULL;
+ dma_addr_t sense_handle;
+- unsigned long *sense_ptr;
++ void *sense_ptr;
+ u32 opcode = 0;
+
+ memset(kbuff_arr, 0, sizeof(kbuff_arr));
+@@ -8160,6 +8160,13 @@ megasas_mgmt_fw_ioctl(struct megasas_ins
+ }
+
+ if (ioc->sense_len) {
++ /* make sure the pointer is part of the frame */
++ if (ioc->sense_off >
++ (sizeof(union megasas_frame) - sizeof(__le64))) {
++ error = -EINVAL;
++ goto out;
++ }
++
+ sense = dma_alloc_coherent(&instance->pdev->dev, ioc->sense_len,
+ &sense_handle, GFP_KERNEL);
+ if (!sense) {
+@@ -8167,12 +8174,11 @@ megasas_mgmt_fw_ioctl(struct megasas_ins
+ goto out;
+ }
+
+- sense_ptr =
+- (unsigned long *) ((unsigned long)cmd->frame + ioc->sense_off);
++ sense_ptr = (void *)cmd->frame + ioc->sense_off;
+ if (instance->consistent_mask_64bit)
+- *sense_ptr = cpu_to_le64(sense_handle);
++ put_unaligned_le64(sense_handle, sense_ptr);
+ else
+- *sense_ptr = cpu_to_le32(sense_handle);
++ put_unaligned_le32(sense_handle, sense_ptr);
+ }
+
+ /*
diff --git a/queue-5.4/serial_core-check-for-port-state-when-tty-is-in-error-state.patch b/queue-5.4/serial_core-check-for-port-state-when-tty-is-in-error-state.patch
new file mode 100644
index 00000000000..714cdc6fc33
--- /dev/null
+++ b/queue-5.4/serial_core-check-for-port-state-when-tty-is-in-error-state.patch
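Review bot: In the second megaraid_sas hunk, `ioc->sense_len` is just as user-supplied as the offset and reaches `dma_alloc_coherent()` in the same block with no upper bound visible in these hunks. If it is not validated earlier in `megasas_mgmt_fw_ioctl()`, a cap belongs next to the new `sense_off` check. The bound `sizeof(union megasas_frame) - sizeof(__le64)` is sized for the widest store but the comment does not say so; I would word it as `/* sense_off must leave room for the 64-bit sense address store inside the frame */` so the margin is not reduced later for the 32-bit path. The function starts and ends outside the hunks, so any later reuse of `ioc->sense_off` should be confirmed to sit behind this check.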
@@ -0,0 +1,47 @@
+From 2f70e49ed860020f5abae4f7015018ebc10e1f0e Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy
+Date: Thu, 3 Dec 2020 16:58:34 +1100
+Subject: serial_core: Check for port state when tty is in error state
+
+From: Alexey Kardashevskiy
+
+commit 2f70e49ed860020f5abae4f7015018ebc10e1f0e upstream.
+
+At the moment opening a serial device node (such as /dev/ttyS3)
+succeeds even if there is no actual serial device behind it.
+Reading/writing/ioctls fail as expected because the uart port is not
+initialized (the type is PORT_UNKNOWN) and the TTY_IO_ERROR error state
+bit is set fot the tty.
+
+However setting line discipline does not have these checks
+8250_port.c (8250 is the default choice made by univ8250_console_init()).
+As the result of PORT_UNKNOWN, uart_port::iobase is NULL which
+a platform translates onto some address accessing which produces a crash
+like below.
+
+This adds tty_port_initialized() to uart_set_ldisc() to prevent the crash.
+
+Found by syzkaller.
+
+Signed-off-by: Alexey Kardashevskiy
+Link: https://lore.kernel.org/r/20201203055834.45838-1-aik@ozlabs.ru
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/serial_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1465,6 +1465,10 @@ static void uart_set_ldisc(struct tty_st
+ {
+ struct uart_state *state = tty->driver_data;
+ struct uart_port *uport;
++ struct tty_port *port = &state->port;
++
++ if (!tty_port_initialized(port))
++ return;
+
+ mutex_lock(&state->port.mutex);
+ uport = uart_port_check(state);
diff --git a/queue-5.4/series b/queue-5.4/series
index a16b5e66234..a3a3c983118 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
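Review bot: The `tty_port_initialized(port)` test added to `uart_set_ldisc()` runs before `state->port.mutex` is taken, so it is a check-then-lock. If the port can be shut down concurrently, the flag may change before `uart_port_check(state)` runs. Unless callers already serialise this, consider taking the mutex first and testing inside it, e.g. `if (!tty_port_initialized(port)) goto out_unlock;` with a label placed before the existing unlock. A short comment such as `/* no initialised port behind this tty, nothing to configure */` would also explain the silent return. The function continues past the end of the hunk, so the unlock path is not visible here.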
@@ -61,3 +61,6 @@ coresight-tmc-etf-fix-null-ptr-dereference-in-tmc_enable_etf_sink_perf.patch
 coresight-tmc-etr-check-if-page-is-valid-before-dma_map_page.patch
 coresight-tmc-etr-fix-barrier-packet-insertion-for-perf-buffer.patch
 coresight-etb10-fix-possible-null-ptr-dereference-in-etb_enable_perf.patch
+scsi-megaraid_sas-check-user-provided-offsets.patch
+hid-i2c-hid-add-vero-k147-to-descriptor-override.patch
+serial_core-check-for-port-state-when-tty-is-in-error-state.patch