From 45bd8dcae3d4e0815984b76827b87fa6bcd0d1dc Mon Sep 17 00:00:00 2001 From: Jan200101 Date: Mon, 1 Feb 2021 21:28:08 +0100 Subject: kernel 5.10.11 --- ...ect-null-dereference-on-aes-pen-proximity.patch | 85 ++++++++++++++++++++++ .../media-pwc-fix-the-urb-buffer-allocation.patch | 58 +++++++++++++++ SPECS/kernel.spec | 17 ++++- 3 files changed, 157 insertions(+), 3 deletions(-) create mode 100644 SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch create mode 100644 SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch diff --git a/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch b/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch new file mode 100644 index 0000000..d76b648 --- /dev/null +++ b/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch @@ -0,0 +1,85 @@ +From MAILER-DAEMON Wed Jan 27 14:42:50 2021 +From: Jason Gerecke +To: linux-input@vger.kernel.org, Jiri Kosina , Benjamin Tissoires +Cc: Jason Gerecke , stable@vger.kernel.org, Ping Cheng +Subject: [PATCH] HID: wacom: Correct NULL dereference on AES pen proximity +Date: Thu, 21 Jan 2021 10:46:49 -0800 +Message-Id: <20210121184649.157189-1-jason.gerecke@wacom.com> +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +The recent commit to fix a memory leak introduced an inadvertant NULL +pointer dereference. The `wacom_wac->pen_fifo` variable was never +intialized, resuling in a crash whenever functions tried to use it. +Since the FIFO is only used by AES pens (to buffer events from pen +proximity until the hardware reports the pen serial number) this would +have been easily overlooked without testing an AES device. + +This patch converts `wacom_wac->pen_fifo` over to a pointer (since the +call to `devres_alloc` allocates memory for us) and ensures that we assign +it to point to the allocated and initalized `pen_fifo` before the function +returns. + +Fixes: 37309f47e2f5 ("HID: wacom: Fix memory leakage caused by kfifo_alloc") +Signed-off-by: Jason Gerecke +Tested-by: Ping Cheng +CC: stable@vger.kernel.org # v4.19+ +Link: https://github.com/linuxwacom/input-wacom/issues/230 +--- + drivers/hid/wacom_sys.c | 7 ++++--- + drivers/hid/wacom_wac.h | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c +index e8acd235db2a..aa9e48876ced 100644 +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -147,9 +147,9 @@ static int wacom_wac_pen_serial_enforce(struct hid_device *hdev, + } + + if (flush) +- wacom_wac_queue_flush(hdev, &wacom_wac->pen_fifo); ++ wacom_wac_queue_flush(hdev, wacom_wac->pen_fifo); + else if (insert) +- wacom_wac_queue_insert(hdev, &wacom_wac->pen_fifo, ++ wacom_wac_queue_insert(hdev, wacom_wac->pen_fifo, + raw_data, report_size); + + return insert && !flush; +@@ -1280,7 +1280,7 @@ static void wacom_devm_kfifo_release(struct device *dev, void *res) + static int wacom_devm_kfifo_alloc(struct wacom *wacom) + { + struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct kfifo_rec_ptr_2 *pen_fifo = &wacom_wac->pen_fifo; ++ struct kfifo_rec_ptr_2 *pen_fifo; + int error; + + pen_fifo = devres_alloc(wacom_devm_kfifo_release, +@@ -1297,6 +1297,7 @@ static int wacom_devm_kfifo_alloc(struct wacom *wacom) + } + + devres_add(&wacom->hdev->dev, pen_fifo); ++ wacom_wac->pen_fifo = pen_fifo; + + return 0; + } +diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h +index da612b6e9c77..195910dd2154 100644 +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -342,7 +342,7 @@ struct wacom_wac { + struct input_dev *pen_input; + struct input_dev *touch_input; + struct input_dev *pad_input; +- struct kfifo_rec_ptr_2 pen_fifo; ++ struct kfifo_rec_ptr_2 *pen_fifo; + int pid; + int num_contacts_left; + u8 bt_features; +-- +2.30.0 + + diff --git a/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch b/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch new file mode 100644 index 0000000..413868b --- /dev/null +++ b/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch @@ -0,0 +1,58 @@ +From MAILER-DAEMON Wed Jan 27 14:16:57 2021 +From: Takashi Iwai +To: Hans Verkuil +Cc: Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org +Subject: [PATCH] media: pwc: Fix the URB buffer allocation +Date: Thu, 21 Jan 2021 21:28:55 +0100 +Message-Id: <20210121202855.17400-1-tiwai@suse.de> +List-ID: +X-Mailing-List: linux-media@vger.kernel.org +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +The URB buffer allocation of pwc driver involves with the +dma_map_single(), and it needs to pass the right device. Currently it +passes usb_device.dev, but it's no real device that manages the DMA. +Since the passed device has no DMA mask set up, now the pwc driver +hits the WARN_ON_ONCE() check in dma_map_page_attrs() (that was +introduced in 5.10), resulting in an error at URB allocations. +Eventually this ended up with the black output. + +This patch fixes the bug by passing the proper device, the bus +controller, to make the URB allocation and map working again. + +Signed-off-by: Takashi Iwai +Reviewed-by: Robert Foss +Cc: +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1181133 +--- + drivers/media/usb/pwc/pwc-if.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c +index 61869636ec61..d771160bb168 100644 +--- a/drivers/media/usb/pwc/pwc-if.c ++++ b/drivers/media/usb/pwc/pwc-if.c +@@ -461,7 +461,7 @@ static int pwc_isoc_init(struct pwc_device *pdev) + urb->pipe = usb_rcvisocpipe(udev, pdev->vendpoint); + urb->transfer_flags = URB_ISO_ASAP | URB_NO_TRANSFER_DMA_MAP; + urb->transfer_buffer_length = ISO_BUFFER_SIZE; +- urb->transfer_buffer = pwc_alloc_urb_buffer(&udev->dev, ++ urb->transfer_buffer = pwc_alloc_urb_buffer(udev->bus->controller, + urb->transfer_buffer_length, + &urb->transfer_dma); + if (urb->transfer_buffer == NULL) { +@@ -524,7 +524,7 @@ static void pwc_iso_free(struct pwc_device *pdev) + if (urb) { + PWC_DEBUG_MEMORY("Freeing URB\n"); + if (urb->transfer_buffer) +- pwc_free_urb_buffer(&urb->dev->dev, ++ pwc_free_urb_buffer(urb->dev->bus->controller, + urb->transfer_buffer_length, + urb->transfer_buffer, + urb->transfer_dma); +-- +2.26.2 + + diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 11d30be..852d914 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -94,7 +94,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 11 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -852,6 +852,12 @@ Patch104: 0001-brcm-rpi4-fix-usb-numeration.patch # Nouveau mDP detection fix Patch107: 0001-drm-nouveau-kms-handle-mDP-connectors.patch +# rhbz 1918778 +Patch108: media-pwc-fix-the-urb-buffer-allocation.patch + +#rhbz 1918486 +Patch109: hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch + # linux-fsync patches Patch200: zen.patch Patch201: futex2.patch @@ -2969,8 +2975,13 @@ fi # # %changelog -* Tue Jan 26 2021 Jan Drögehoff - 5.10.10-201.fsync -- Linux v5.10.10 futex2 zen +* Mon Feb 01 2021 Jan Drögehoff - 5.10.11-201.fsync +- Linux v5.10.11 futex2 zen + +* Wed Jan 27 08:07:48 CST 2021 Justin M. Forbes - 5.10.11-200 +- Linux v5.10.11 +- Fix URB buffer allocation of pwc driver (rhbz 1918778) +- Fix wacom touchscreens (rhbz 1918486) * Sun Jan 24 11:28:41 CST 2021 Justin M. Forbes - 5.10.10-200 - Linux v5.10.10 -- cgit v1.2.3