From: Greg Kroah-Hartman Date: Mon, 9 Dec 2019 12:34:43 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v5.4.3~56 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e470e19a94769d92944e849eb6e517591243dda;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-pcm-oss-avoid-potential-buffer-overflows.patch coresight-etm4x-fix-input-validation-for-sysfs.patch input-goodix-add-upside-down-quirk-for-teclast-x89-tablet.patch
---
diff --git a/queue-4.9/alsa-pcm-oss-avoid-potential-buffer-overflows.patch b/queue-4.9/alsa-pcm-oss-avoid-potential-buffer-overflows.patch
new file mode 100644
index 00000000000..2156367ac72
--- /dev/null
+++ b/queue-4.9/alsa-pcm-oss-avoid-potential-buffer-overflows.patch
@@ -0,0 +1,64 @@
+From 4cc8d6505ab82db3357613d36e6c58a297f57f7c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 4 Dec 2019 15:48:24 +0100
+Subject: ALSA: pcm: oss: Avoid potential buffer overflows
+
+From: Takashi Iwai
+
+commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.
+
+syzkaller reported an invalid access in PCM OSS read, and this seems
+to be an overflow of the internal buffer allocated for a plugin.
+Since the rate plugin adjusts its transfer size dynamically, the
+calculation for the chained plugin might be bigger than the given
+buffer size in some extreme cases, which lead to such an buffer
+overflow as caught by KASAN.
+
+Fix it by limiting the max transfer size properly by checking against
+the destination size in each plugin transfer callback.
+
+Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
+Cc:
+Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/oss/linear.c | 2 ++
+ sound/core/oss/mulaw.c | 2 ++
+ sound/core/oss/route.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+--- a/sound/core/oss/linear.c
++++ b/sound/core/oss/linear.c
+@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer
+ }
+ }
+ #endif
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+ convert(plugin, src_channels, dst_channels, frames);
+ return frames;
+ }
+--- a/sound/core/oss/mulaw.c
++++ b/sound/core/oss/mulaw.c
+@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer(
+ }
+ }
+ #endif
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+ data = (struct mulaw_priv *)plugin->extra_data;
+ data->func(plugin, src_channels, dst_channels, frames);
+ return frames;
+--- a/sound/core/oss/route.c
++++ b/sound/core/oss/route.c
+@@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer(
+ return -ENXIO;
+ if (frames == 0)
+ return 0;
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+
+ nsrcs = plugin->src_format.channels;
+ ndsts = plugin->dst_format.channels;
diff --git a/queue-4.9/coresight-etm4x-fix-input-validation-for-sysfs.patch b/queue-4.9/coresight-etm4x-fix-input-validation-for-sysfs.patch
new file mode 100644
index 00000000000..b144e50a4f0
--- /dev/null
+++ b/queue-4.9/coresight-etm4x-fix-input-validation-for-sysfs.patch
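Review bot: In the route.c hunk the new clamp sits after the `if (frames == 0) return 0;` early return, so a destination whose `dst_channels[0].frames` is 0 passes that guard with `frames` clamped to 0 and falls through to the channel setup below; placing the two added lines before the zero check would keep the early return effective. The same clamp in linear.c and mulaw.c bounds the transfer only by channel 0's `frames`, which presumably assumes every destination channel has the same capacity, and a one-line comment such as `/* never convert more frames than the destination buffer holds */` above each clamp would record why it is there. The clamp also shortens the transfer silently, so the fix is only complete if callers honour the returned frame count, which these hunks do not show. All three function bodies start outside the hunks.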
@@ -0,0 +1,90 @@
+From 2fe6899e36aa174abefd017887f9cfe0cb60c43a Mon Sep 17 00:00:00 2001
+From: Mike Leach
+Date: Mon, 4 Nov 2019 11:12:42 -0700
+Subject: coresight: etm4x: Fix input validation for sysfs.
+
+From: Mike Leach
+
+commit 2fe6899e36aa174abefd017887f9cfe0cb60c43a upstream.
+
+A number of issues are fixed relating to sysfs input validation:-
+
+1) bb_ctrl_store() - incorrect compare of bit select field to absolute
+value. Reworked per ETMv4 specification.
+2) seq_event_store() - incorrect mask value - register has two
+event values.
+3) cyc_threshold_store() - must mask with max before checking min
+otherwise wrapped values can set illegal value below min.
+4) res_ctrl_store() - update to mask off all res0 bits.
+
+Reviewed-by: Leo Yan
+Reviewed-by: Mathieu Poirier
+Signed-off-by: Mike Leach
+Fixes: a77de2637c9eb ("coresight: etm4x: moving sysFS entries to a dedicated file")
+Cc: stable # 4.9+
+Signed-off-by: Mathieu Poirier
+Link: https://lore.kernel.org/r/20191104181251.26732-6-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 21 ++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
+@@ -667,10 +667,13 @@ static ssize_t cyc_threshold_store(struc
+
+ if (kstrtoul(buf, 16, &val))
+ return -EINVAL;
++
++ /* mask off max threshold before checking min value */
++ val &= ETM_CYC_THRESHOLD_MASK;
+ if (val < drvdata->ccitmin)
+ return -EINVAL;
+
+- config->ccctlr = val & ETM_CYC_THRESHOLD_MASK;
++ config->ccctlr = val;
+ return size;
+ }
+ static DEVICE_ATTR_RW(cyc_threshold);
+@@ -701,14 +704,16 @@ static ssize_t bb_ctrl_store(struct devi
+ return -EINVAL;
+ if (!drvdata->nr_addr_cmp)
+ return -EINVAL;
++
+ /*
+- * Bit[7:0] selects which address range comparator is used for
+- * branch broadcast control.
++ * Bit[8] controls include(1) / exclude(0), bits[0-7] select
++ * individual range comparators. If include then at least 1
++ * range must be selected.
+ */
+- if (BMVAL(val, 0, 7) > drvdata->nr_addr_cmp)
++ if ((val & BIT(8)) && (BMVAL(val, 0, 7) == 0))
+ return -EINVAL;
+
+- config->bb_ctrl = val;
++ config->bb_ctrl = val & GENMASK(8, 0);
+ return size;
+ }
+ static DEVICE_ATTR_RW(bb_ctrl);
+@@ -1341,8 +1346,8 @@ static ssize_t seq_event_store(struct de
+
+ spin_lock(&drvdata->spinlock);
+ idx = config->seq_idx;
+- /* RST, bits[7:0] */
+- config->seq_ctrl[idx] = val & 0xFF;
++ /* Seq control has two masks B[15:8] F[7:0] */
++ config->seq_ctrl[idx] = val & 0xFFFF;
+ spin_unlock(&drvdata->spinlock);
+ return size;
+ }
+@@ -1597,7 +1602,7 @@ static ssize_t res_ctrl_store(struct dev
+ if (idx % 2 != 0)
+ /* PAIRINV, bit[21] */
+ val &= ~BIT(21);
+- config->res_ctrl[idx] = val;
++ config->res_ctrl[idx] = val & GENMASK(21, 0);
+ spin_unlock(&drvdata->spinlock);
+ return size;
+ }
diff --git a/queue-4.9/input-goodix-add-upside-down-quirk-for-teclast-x89-tablet.patch b/queue-4.9/input-goodix-add-upside-down-quirk-for-teclast-x89-tablet.patch
new file mode 100644
index 00000000000..18dc25e64df
--- /dev/null
+++ b/queue-4.9/input-goodix-add-upside-down-quirk-for-teclast-x89-tablet.patch
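Review bot: In the bb_ctrl_store() hunk the old upper-bound test against `drvdata->nr_addr_cmp` is removed with nothing in its place, so a sysfs write can select range comparators in bits[7:0] that the hardware may not implement; only the include-with-empty-selection case is rejected. If `nr_addr_cmp` counts the implemented range comparators (to be confirmed against the driver), a check such as `if (BMVAL(val, 0, 7) & ~GENMASK(drvdata->nr_addr_cmp - 1, 0)) return -EINVAL;` would keep the selection within what exists, and the preceding `!drvdata->nr_addr_cmp` test already rules out a zero count. Separately, cyc_threshold_store() now masks `val` before the minimum check, so an over-range value is truncated rather than rejected, and the new comment could say that this is intended. The function bodies start outside the hunks.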
@@ -0,0 +1,43 @@
+From df5b5e555b356662a5e4a23c6774fdfce8547d54 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 2 Dec 2019 09:36:15 -0800
+Subject: Input: goodix - add upside-down quirk for Teclast X89 tablet
+
+From: Hans de Goede
+
+commit df5b5e555b356662a5e4a23c6774fdfce8547d54 upstream.
+
+The touchscreen on the Teclast X89 is mounted upside down in relation to
+the display orientation (the touchscreen itself is mounted upright, but the
+display is mounted upside-down). Add a quirk for this so that we send
+coordinates which match the display orientation.
+
+Signed-off-by: Hans de Goede
+Reviewed-by: Bastien Nocera
+Link: https://lore.kernel.org/r/20191202085636.6650-1-hdegoede@redhat.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/touchscreen/goodix.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/goodix.c
++++ b/drivers/input/touchscreen/goodix.c
+@@ -90,6 +90,15 @@ static const unsigned long goodix_irq_fl
+ static const struct dmi_system_id rotated_screen[] = {
+ #if defined(CONFIG_DMI) && defined(CONFIG_X86)
+ {
++ .ident = "Teclast X89",
++ .matches = {
++ /* tPAD is too generic, also match on bios date */
++ DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"),
++ DMI_MATCH(DMI_BOARD_NAME, "tPAD"),
++ DMI_MATCH(DMI_BIOS_DATE, "12/19/2014"),
++ },
++ },
++ {
+ .ident = "WinBook TW100",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "WinBook"),
diff --git a/queue-4.9/series b/queue-4.9/series
index 3434e18b77c..8d4226a12e1 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -73,3 +73,6 @@ arm-dts-sunxi-fix-pmu-compatible-strings.patch
 sched-fair-scale-bandwidth-quota-and-period-without-losing-quota-period-ratio-precision.patch
 fuse-verify-nlink.patch
 fuse-verify-attributes.patch
+alsa-pcm-oss-avoid-potential-buffer-overflows.patch
+input-goodix-add-upside-down-quirk-for-teclast-x89-tablet.patch
+coresight-etm4x-fix-input-validation-for-sysfs.patch