Intel OpenBMC Linux kernel source tree (mirror) https://git.radix-linux.su/BMC/Intel-BMC/linux.git/atom?h=dev-5.14-intel 2021-10-07T05:53:19+00:00 2021-10-07T05:53:19+00:00 Basavaraj Natikar Basavaraj.Natikar@amd.com 2021-09-23T12:29:27+00:00 urn:sha1:81971ea5ec5c37509cc2a2f520ba4127e973fb41 commit 88a04049c08cd62e698bc1b1af2d09574b9e0aee upstream. The cl_data field of a privdata must be allocated and updated before using in amd_sfh_hid_client_init() function. Hence handling NULL pointer cl_data accordingly. Fixes: d46ef750ed58 ("HID: amd_sfh: Fix potential NULL pointer dereference") Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-10-07T05:53:19+00:00 Anirudh Rayabharam mail@anirudhrb.com 2021-06-23T18:40:29+00:00 urn:sha1:2b704864c92dcec2b295f276fcfbfb81d9831f81 commit f7744fa16b96da57187dc8e5634152d3b63d72de upstream. Free the unsent raw_report buffers when the device is removed. Fixes a memory leak reported by syzbot at: https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47 Reported-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com Tested-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-10-07T05:53:18+00:00 F.A.Sulaiman asha.16@itfac.mrt.ac.lk 2021-08-24T15:07:30+00:00 urn:sha1:708107b80aa616976d1c5fa60ac0c1390749db5e commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream. Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. The problem is the driver assumes the device must have an input report but some malicious devices violate this assumption. So this patch checks hid_device's input is non empty before it's been used. Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk> Reviewed-by: Pavel Skripkin <paskripkin@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-10-07T05:53:18+00:00 Andrej Shadura andrew.shadura@collabora.co.uk 2021-09-16T16:33:11+00:00 urn:sha1:aa3a4f5913a97adf14ade542e937b42377909c05 commit 22d65765f211cc83186fd8b87521159f354c0da9 upstream. Since the actual_length calculation is performed unsigned, packets shorter than 7 bytes (e.g. packets without data or otherwise truncated) or non-received packets ("zero" bytes) can cause buffer overflow. Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437 Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG") Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-10-07T05:53:04+00:00 Evgeny Novikov novikov@ispras.ru 2021-06-01T16:38:01+00:00 urn:sha1:283e4bee701dfcd409dd293f19a268bb2bc8ff38 [ Upstream commit d46ef750ed58cbeeba2d9a55c99231c30a172764 ] devm_add_action_or_reset() can suddenly invoke amd_mp2_pci_remove() at registration that will cause NULL pointer dereference since corresponding data is not initialized yet. The patch moves initialization of data before devm_add_action_or_reset(). Found by Linux Driver Verification project (linuxtesting.org). [jkosina@suse.cz: rebase] Signed-off-by: Evgeny Novikov <novikov@ispras.ru> Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-09-18T11:43:31+00:00 Lukas Bulwahn lukas.bulwahn@gmail.com 2021-08-10T10:21:48+00:00 urn:sha1:94cf0f3b3a9fdc1873c06ac177665ba5f80feb98 [ Upstream commit 462ba66198a4a8ea996028915af10a698086e302 ] Commit c49c33637802 ("HID: support for initialization of some Thrustmaster wheels") messed up the Makefile and quirks during the refactoring of this commit. Luckily, ./scripts/checkkconfigsymbols.py warns on non-existing configs: HID_TMINIT Referencing files: drivers/hid/Makefile, drivers/hid/hid-quirks.c Following the discussion (see Link), CONFIG_HID_THRUSTMASTER is the intended config for CONFIG_HID_TMINIT and the file hid-tminit.c was actually added as hid-thrustmaster.c. So, clean up Makefile and adapt quirks to that refactoring. Fixes: c49c33637802 ("HID: support for initialization of some Thrustmaster wheels") Link: https://lore.kernel.org/linux-input/CAKXUXMx6dByO03f3dX0X5zjvQp0j2AhJBg0vQFDmhZUhtKxRxw@mail.gmail.com/ Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-09-18T11:43:31+00:00 Jim Broadus jbroadus@gmail.com 2021-08-09T06:55:05+00:00 urn:sha1:e36c92fa9482ebf2c1bed3065cf8e1ae107a125e [ Upstream commit 786537063bbfb3a7ebc6fc21b2baf37fb91df401 ] A quirk was recently added for Elan devices that has same device match as an entry earlier in the list. The i2c_hid_lookup_quirk function will always return the last match in the list, so the new entry shadows the old entry. The quirk in the previous entry, I2C_HID_QUIRK_BOGUS_IRQ, silenced a flood of messages which have reappeared in the 5.13 kernel. This change moves the two quirk flags into the same entry. Fixes: ca66a6770bd9 (HID: i2c-hid: Skip ELAN power-on command after reset) Signed-off-by: Jim Broadus <jbroadus@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-09-18T11:43:31+00:00 Basavaraj Natikar Basavaraj.Natikar@amd.com 2021-08-02T14:03:37+00:00 urn:sha1:dbd53e75f3a42a4e37ddbbfbc5458b7b827e5966 [ Upstream commit 3978f54817559b28535c58a00d3d31bbd5d0b65a ] Existing amd-sfh driver is programming the MP2 firmware period field in units of jiffies, but the MP2 firmware expects in milliseconds unit. Changing it to milliseconds. Fixes: 4b2c53d93a4b ("SFH:Transport Driver to add support of AMD Sensor Fusion Hub (SFH)") Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com> Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-09-18T11:43:26+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2021-06-29T18:25:50+00:00 urn:sha1:73d06a2836f834b8ae64a30796a372dbbd111e5c [ Upstream commit f4abaa9eebde334045ed6ac4e564d050f1df3013 ] The power supply states of discharging, charging, full, etc, represent state of charging, not the capacity level of the battery (for which we have a separate property). Current HID usage tables to not allow for expressing charging state of the batteries found in generic styli, so we should simply assume that the battery is discharging even if current capacity is at 100% when battery strength reporting is done via HID interface. In fact, we were doing just that before commit 581c4484769e. This change helps UIs to not mis-represent fully charged batteries in styli as being charging/topping-off. Fixes: 581c4484769e ("HID: input: map digitizer battery usage") Reported-by: Kenneth Albanowski <kenalba@google.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-09-08T06:52:40+00:00 Alan Stern stern@rowland.harvard.edu 2021-09-01T16:36:00+00:00 urn:sha1:9260f15e0ad0a8140b2b43b2c02d0cc1296a05d9 commit 0a824efdb724e07574bafcd2c2486b2a3de35ff6 upstream. Syzbot found a warning caused by hid_submit_ctrl() submitting a control request to transfer a 0-length input report: usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType a1 (The warning message is a little difficult to understand. It means that the control request claims to be for an IN transfer but this contradicts the USB spec, which requires 0-length control transfers always to be in the OUT direction.) Now, a zero-length report isn't good for anything and there's no reason for a device to have one, but the fuzzer likes to pick out these weird edge cases. In the future, perhaps we will decide to reject 0-length reports at probe time. For now, the simplest approach for avoiding these warnings is to pretend that the report actually has length 1. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+9b57a46bf1801ce2a2ca@syzkaller.appspotmail.com Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name> Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>