diff options
author | Jan200101 <sentrycraft123@gmail.com> | 2021-02-01 21:28:08 +0100 |
---|---|---|
committer | Jan200101 <sentrycraft123@gmail.com> | 2021-02-01 21:28:08 +0100 |
commit | 45bd8dcae3d4e0815984b76827b87fa6bcd0d1dc (patch) | |
tree | 7523e6cee96caa519d6716f6b92d64522417dce1 /SOURCES | |
parent | f3175a4c2f4867c0e82cea444031a1dfcb5a7509 (diff) | |
download | kernel-fsync-45bd8dcae3d4e0815984b76827b87fa6bcd0d1dc.tar.gz kernel-fsync-45bd8dcae3d4e0815984b76827b87fa6bcd0d1dc.zip |
kernel 5.10.11
Diffstat (limited to 'SOURCES')
-rw-r--r-- | SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch | 85 | ||||
-rw-r--r-- | SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch | 58 |
2 files changed, 143 insertions, 0 deletions
diff --git a/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch b/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch new file mode 100644 index 0000000..d76b648 --- /dev/null +++ b/SOURCES/hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch @@ -0,0 +1,85 @@ +From MAILER-DAEMON Wed Jan 27 14:42:50 2021 +From: Jason Gerecke <killertofu@gmail.com> +To: linux-input@vger.kernel.org, Jiri Kosina <jikos@kernel.org>, Benjamin Tissoires <benjamin.tissoires@redhat.com> +Cc: Jason Gerecke <jason.gerecke@wacom.com>, stable@vger.kernel.org, Ping Cheng <ping.cheng@wacom.com> +Subject: [PATCH] HID: wacom: Correct NULL dereference on AES pen proximity +Date: Thu, 21 Jan 2021 10:46:49 -0800 +Message-Id: <20210121184649.157189-1-jason.gerecke@wacom.com> +List-ID: <linux-input.vger.kernel.org> +X-Mailing-List: linux-input@vger.kernel.org +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +The recent commit to fix a memory leak introduced an inadvertant NULL +pointer dereference. The `wacom_wac->pen_fifo` variable was never +intialized, resuling in a crash whenever functions tried to use it. +Since the FIFO is only used by AES pens (to buffer events from pen +proximity until the hardware reports the pen serial number) this would +have been easily overlooked without testing an AES device. + +This patch converts `wacom_wac->pen_fifo` over to a pointer (since the +call to `devres_alloc` allocates memory for us) and ensures that we assign +it to point to the allocated and initalized `pen_fifo` before the function +returns. + +Fixes: 37309f47e2f5 ("HID: wacom: Fix memory leakage caused by kfifo_alloc") +Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com> +Tested-by: Ping Cheng <ping.cheng@wacom.com> +CC: stable@vger.kernel.org # v4.19+ +Link: https://github.com/linuxwacom/input-wacom/issues/230 +--- + drivers/hid/wacom_sys.c | 7 ++++--- + drivers/hid/wacom_wac.h | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c +index e8acd235db2a..aa9e48876ced 100644 +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -147,9 +147,9 @@ static int wacom_wac_pen_serial_enforce(struct hid_device *hdev, + } + + if (flush) +- wacom_wac_queue_flush(hdev, &wacom_wac->pen_fifo); ++ wacom_wac_queue_flush(hdev, wacom_wac->pen_fifo); + else if (insert) +- wacom_wac_queue_insert(hdev, &wacom_wac->pen_fifo, ++ wacom_wac_queue_insert(hdev, wacom_wac->pen_fifo, + raw_data, report_size); + + return insert && !flush; +@@ -1280,7 +1280,7 @@ static void wacom_devm_kfifo_release(struct device *dev, void *res) + static int wacom_devm_kfifo_alloc(struct wacom *wacom) + { + struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct kfifo_rec_ptr_2 *pen_fifo = &wacom_wac->pen_fifo; ++ struct kfifo_rec_ptr_2 *pen_fifo; + int error; + + pen_fifo = devres_alloc(wacom_devm_kfifo_release, +@@ -1297,6 +1297,7 @@ static int wacom_devm_kfifo_alloc(struct wacom *wacom) + } + + devres_add(&wacom->hdev->dev, pen_fifo); ++ wacom_wac->pen_fifo = pen_fifo; + + return 0; + } +diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h +index da612b6e9c77..195910dd2154 100644 +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -342,7 +342,7 @@ struct wacom_wac { + struct input_dev *pen_input; + struct input_dev *touch_input; + struct input_dev *pad_input; +- struct kfifo_rec_ptr_2 pen_fifo; ++ struct kfifo_rec_ptr_2 *pen_fifo; + int pid; + int num_contacts_left; + u8 bt_features; +-- +2.30.0 + + diff --git a/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch b/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch new file mode 100644 index 0000000..413868b --- /dev/null +++ b/SOURCES/media-pwc-fix-the-urb-buffer-allocation.patch @@ -0,0 +1,58 @@ +From MAILER-DAEMON Wed Jan 27 14:16:57 2021 +From: Takashi Iwai <tiwai@suse.de> +To: Hans Verkuil <hverkuil@xs4all.nl> +Cc: Mauro Carvalho Chehab <mchehab@kernel.org>, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org +Subject: [PATCH] media: pwc: Fix the URB buffer allocation +Date: Thu, 21 Jan 2021 21:28:55 +0100 +Message-Id: <20210121202855.17400-1-tiwai@suse.de> +List-ID: <linux-media.vger.kernel.org> +X-Mailing-List: linux-media@vger.kernel.org +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +The URB buffer allocation of pwc driver involves with the +dma_map_single(), and it needs to pass the right device. Currently it +passes usb_device.dev, but it's no real device that manages the DMA. +Since the passed device has no DMA mask set up, now the pwc driver +hits the WARN_ON_ONCE() check in dma_map_page_attrs() (that was +introduced in 5.10), resulting in an error at URB allocations. +Eventually this ended up with the black output. + +This patch fixes the bug by passing the proper device, the bus +controller, to make the URB allocation and map working again. + +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Reviewed-by: Robert Foss <robert.foss@linaro.org> +Cc: <stable@vger.kernel.org> +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1181133 +--- + drivers/media/usb/pwc/pwc-if.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c +index 61869636ec61..d771160bb168 100644 +--- a/drivers/media/usb/pwc/pwc-if.c ++++ b/drivers/media/usb/pwc/pwc-if.c +@@ -461,7 +461,7 @@ static int pwc_isoc_init(struct pwc_device *pdev) + urb->pipe = usb_rcvisocpipe(udev, pdev->vendpoint); + urb->transfer_flags = URB_ISO_ASAP | URB_NO_TRANSFER_DMA_MAP; + urb->transfer_buffer_length = ISO_BUFFER_SIZE; +- urb->transfer_buffer = pwc_alloc_urb_buffer(&udev->dev, ++ urb->transfer_buffer = pwc_alloc_urb_buffer(udev->bus->controller, + urb->transfer_buffer_length, + &urb->transfer_dma); + if (urb->transfer_buffer == NULL) { +@@ -524,7 +524,7 @@ static void pwc_iso_free(struct pwc_device *pdev) + if (urb) { + PWC_DEBUG_MEMORY("Freeing URB\n"); + if (urb->transfer_buffer) +- pwc_free_urb_buffer(&urb->dev->dev, ++ pwc_free_urb_buffer(urb->dev->bus->controller, + urb->transfer_buffer_length, + urb->transfer_buffer, + urb->transfer_dma); +-- +2.26.2 + + |