summaryrefslogtreecommitdiff
path: root/SOURCES
diff options
context:
space:
mode:
authorJan200101 <sentrycraft123@gmail.com>2021-02-01 21:28:08 +0100
committerJan200101 <sentrycraft123@gmail.com>2021-02-01 21:28:08 +0100
commit45bd8dcae3d4e0815984b76827b87fa6bcd0d1dc (patch)
tree7523e6cee96caa519d6716f6b92d64522417dce1 /SOURCES
parentf3175a4c2f4867c0e82cea444031a1dfcb5a7509 (diff)
downloadkernel-fsync-45bd8dcae3d4e0815984b76827b87fa6bcd0d1dc.tar.gz
kernel-fsync-45bd8dcae3d4e0815984b76827b87fa6bcd0d1dc.zip
kernel 5.10.11
Diffstat (limited to 'SOURCES')
-rw-r--r--SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch85
-rw-r--r--SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch58
2 files changed, 143 insertions, 0 deletions
diff --git a/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch b/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch
new file mode 100644
index 0000000..d76b648
--- /dev/null
+++ b/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch
@@ -0,0 +1,85 @@
+From MAILER-DAEMON Wed Jan 27 14:42:50 2021
+From: Jason Gerecke <killertofu@gmail.com>
+To: linux-input@vger.kernel.org, Jiri Kosina <jikos@kernel.org>, Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: Jason Gerecke <jason.gerecke@wacom.com>, stable@vger.kernel.org, Ping Cheng <ping.cheng@wacom.com>
+Subject: [PATCH] HID: wacom: Correct NULL dereference on AES pen proximity
+Date: Thu, 21 Jan 2021 10:46:49 -0800
+Message-Id: <20210121184649.157189-1-jason.gerecke@wacom.com>
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The recent commit to fix a memory leak introduced an inadvertant NULL
+pointer dereference. The `wacom_wac->pen_fifo` variable was never
+intialized, resuling in a crash whenever functions tried to use it.
+Since the FIFO is only used by AES pens (to buffer events from pen
+proximity until the hardware reports the pen serial number) this would
+have been easily overlooked without testing an AES device.
+
+This patch converts `wacom_wac->pen_fifo` over to a pointer (since the
+call to `devres_alloc` allocates memory for us) and ensures that we assign
+it to point to the allocated and initalized `pen_fifo` before the function
+returns.
+
+Fixes: 37309f47e2f5 ("HID: wacom: Fix memory leakage caused by kfifo_alloc")
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Ping Cheng <ping.cheng@wacom.com>
+CC: stable@vger.kernel.org # v4.19+
+Link: https://github.com/linuxwacom/input-wacom/issues/230
+---
+ drivers/hid/wacom_sys.c | 7 ++++---
+ drivers/hid/wacom_wac.h | 2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
+index e8acd235db2a..aa9e48876ced 100644
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -147,9 +147,9 @@ static int wacom_wac_pen_serial_enforce(struct hid_device *hdev,
+ }
+
+ if (flush)
+- wacom_wac_queue_flush(hdev, &wacom_wac->pen_fifo);
++ wacom_wac_queue_flush(hdev, wacom_wac->pen_fifo);
+ else if (insert)
+- wacom_wac_queue_insert(hdev, &wacom_wac->pen_fifo,
++ wacom_wac_queue_insert(hdev, wacom_wac->pen_fifo,
+ raw_data, report_size);
+
+ return insert && !flush;
+@@ -1280,7 +1280,7 @@ static void wacom_devm_kfifo_release(struct device *dev, void *res)
+ static int wacom_devm_kfifo_alloc(struct wacom *wacom)
+ {
+ struct wacom_wac *wacom_wac = &wacom->wacom_wac;
+- struct kfifo_rec_ptr_2 *pen_fifo = &wacom_wac->pen_fifo;
++ struct kfifo_rec_ptr_2 *pen_fifo;
+ int error;
+
+ pen_fifo = devres_alloc(wacom_devm_kfifo_release,
+@@ -1297,6 +1297,7 @@ static int wacom_devm_kfifo_alloc(struct wacom *wacom)
+ }
+
+ devres_add(&wacom->hdev->dev, pen_fifo);
++ wacom_wac->pen_fifo = pen_fifo;
+
+ return 0;
+ }
+diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h
+index da612b6e9c77..195910dd2154 100644
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -342,7 +342,7 @@ struct wacom_wac {
+ struct input_dev *pen_input;
+ struct input_dev *touch_input;
+ struct input_dev *pad_input;
+- struct kfifo_rec_ptr_2 pen_fifo;
++ struct kfifo_rec_ptr_2 *pen_fifo;
+ int pid;
+ int num_contacts_left;
+ u8 bt_features;
+--
+2.30.0
+
+
diff --git a/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch b/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch
new file mode 100644
index 0000000..413868b
--- /dev/null
+++ b/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch
@@ -0,0 +1,58 @@
+From MAILER-DAEMON Wed Jan 27 14:16:57 2021
+From: Takashi Iwai <tiwai@suse.de>
+To: Hans Verkuil <hverkuil@xs4all.nl>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
+Subject: [PATCH] media: pwc: Fix the URB buffer allocation
+Date: Thu, 21 Jan 2021 21:28:55 +0100
+Message-Id: <20210121202855.17400-1-tiwai@suse.de>
+List-ID: <linux-media.vger.kernel.org>
+X-Mailing-List: linux-media@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The URB buffer allocation of pwc driver involves with the
+dma_map_single(), and it needs to pass the right device. Currently it
+passes usb_device.dev, but it's no real device that manages the DMA.
+Since the passed device has no DMA mask set up, now the pwc driver
+hits the WARN_ON_ONCE() check in dma_map_page_attrs() (that was
+introduced in 5.10), resulting in an error at URB allocations.
+Eventually this ended up with the black output.
+
+This patch fixes the bug by passing the proper device, the bus
+controller, to make the URB allocation and map working again.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Cc: <stable@vger.kernel.org>
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1181133
+---
+ drivers/media/usb/pwc/pwc-if.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c
+index 61869636ec61..d771160bb168 100644
+--- a/drivers/media/usb/pwc/pwc-if.c
++++ b/drivers/media/usb/pwc/pwc-if.c
+@@ -461,7 +461,7 @@ static int pwc_isoc_init(struct pwc_device *pdev)
+ urb->pipe = usb_rcvisocpipe(udev, pdev->vendpoint);
+ urb->transfer_flags = URB_ISO_ASAP | URB_NO_TRANSFER_DMA_MAP;
+ urb->transfer_buffer_length = ISO_BUFFER_SIZE;
+- urb->transfer_buffer = pwc_alloc_urb_buffer(&udev->dev,
++ urb->transfer_buffer = pwc_alloc_urb_buffer(udev->bus->controller,
+ urb->transfer_buffer_length,
+ &urb->transfer_dma);
+ if (urb->transfer_buffer == NULL) {
+@@ -524,7 +524,7 @@ static void pwc_iso_free(struct pwc_device *pdev)
+ if (urb) {
+ PWC_DEBUG_MEMORY("Freeing URB\n");
+ if (urb->transfer_buffer)
+- pwc_free_urb_buffer(&urb->dev->dev,
++ pwc_free_urb_buffer(urb->dev->bus->controller,
+ urb->transfer_buffer_length,
+ urb->transfer_buffer,
+ urb->transfer_dma);
+--
+2.26.2
+
+