- High resolution mode for Dell canvas support, from Benjamin Tissoires
- A lot of improvements to pen handling in the Wacom driver, from Jason Gerecke
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
- usbhid: conversion to timer_setup() and from_timer() from Kees Cook
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
- cp2112: GPIO error handling and Kconfig fixes from Sébastien Szymanski
- i2c-hid: fixup / quirk for Apollo-Lake based laptops, from Hans de Goede
- Input/Core: add eraser tool support, from Ping Cheng
- small assorted code fixes
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
- SHANWAN PS3 rumble fix from Bastien Nocera
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
- make sure that we forward MSC_TIMESTAMP in accordance to the specification,
from Nicolas Boichat
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
- small code fixes for Logitech driver from Colin Ian King
|
|
- trivial printk() line termination fix for HyperV
|
|
- Asus laptop fixes (fn keys, backlight), from Mustafa Kuscu and
Maxime Bellengé
|
|
- New ALPS touchpad (T4, found currently on HP EliteBook 1000, Zbook Studio
and HP Elite book x360) support from Masaki Ota
|
|
- Wacom: recognize PEN application collection properly, from Jason Gerecke
- RMI: avoid confusion caused by RMI functions being by mistake called on
non-RMI devices, from Andrew Duggan
- small device-ID-specific quirks/fixes
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
When everything goes smoothly, ret is set to 0 which makes the function
return an EIO error.
Fixes: 8e9faa15469e ("HID: cp2112: fix gpio-callback error handling")
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The Dell Canvas exports 2 collections for the Pen part. The only
difference between the 2 is that the default one has half the resolution
of the second one.
The Windows driver switches the tablet into the second mode, so we should
behave the same.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The Wacom Pro Pen 3D includes a third barrel switch which is intended to
be particularly useful in applications where one frequently uses pan, zoom,
and rotate to navigate around a scene or model. The pen is compatible with
the MobileStudio Pro, 2nd-gen Intuos Pro, and Cintiq Pro. When the third
button is pressed, these devices set both the HID_DG_BARRELSWITCH and
HID_DG_BARRELSWITCH2 usages since their HID descriptors do not include a
usage specific to the button.
Rather than send both BTN_STYLUS and BTN_STYLUS2 when the third button is
pressed, userspace (libinput) has requested that we detect this condition
and report a newly-defined BTN_STYLUS3 event instead. We could define a
quirk specific to devices compatible with the Pro Pen 3D, but the likelihood
of seeing both barrel switch bits set with other pens/devices is low enough
to not worry about (pens mechanically prevent accidental activation of
multiple switches).
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The SHANWAN PS3 clone joypad will start its rumble motors as soon as
it is plugged in via USB. As the additional USB interrupt does nothing on
the original PS3 Sixaxis joypads, and makes a number of other
clone joypads actually start sending data, disable that call for
the SHANWAN so the rumble motors aren't started on plug.
Signed-off-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Several cheap Apollo Lake based laptops / 2-in-1s use an i2c-hid mt
touchpad which is advertised by the DSDT with an ACPI HID of "SYNA3602",
this touchpad can be found on e.g. the Cube Thinker and the EZBook 3 Pro.
On my "T-bao Tbook air" the i2c-hid driver fails to bind to this touchpad:
"i2c_hid i2c-SYNA3602:00: failed to reset device.".
After some debugging it seems that this touchpad simply never sends
an interrupt after a reset as expected by the i2c hid driver. This commit
adds a quirk for this device, making i2c_hid_command sleep 100ms after
a reset instead of waiting for an irq, fixing i2c-hid failing to bind to
this touchpad.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
On laptops such as Asus GL553VD, setting keyboard backlight levels
does not work. This change enables F3/F4 keys to set backlight levels
(from 0 to 3, total 4 levels) on such laptops.
It is intended only to the following device: 0x0b05 1854:
P: Vendor=0b05 ProdID=1854 Rev=03.02
S: Manufacturer=ITE Tech. Inc.
S: Product=ITE Device(8910)
[jkosina@suse.cz: massage changelog a little bit]
Signed-off-by: Mustafa C Kuscu <mustafakuscu@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Otherwise, with HIDRAW=n, the probe function crashes because of null
dereference of hdev->hidraw.
Cc: stable@vger.kernel.org
Fixes: 42cb6b35b9e6 ("HID: cp2112: use proper hidraw name with minor number")
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Add ID 044f:b605 ThrustMaster, Inc. force feedback Racing Wheel
Signed-off-by: Viktor Chapliev <viktor-tch@yandex.ru>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The pointer value is being assigned a value and this is never read, and later
on it is being assigned a new value. Thus the first assignment is redundant
and can be removed and hence also the variables report and report_list. Cleans
up the clang warning: Value stored to 'value' during its initialization is
never read
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The WACOM_PEN_FIELD macro is used to determine if a given HID field should be
associated with pen input. This field includes several known collection types
that Wacom pen data is contained in, but the WACOM_HID_WD_PEN application
collection type is notably missing. This can result in fields within this
kind of collection being completely ignored by the `wacom_usage_mapping`
function, preventing the later '*_event' functions from being notified about
changes to their value.
Fixes: c9c095874a ("HID: wacom: generic: Support and use 'Custom HID' mode and usages")
Fixes: ac2423c975 ("HID: wacom: generic: add vendor defined touch")
Cc: stable@vger.kernel.org
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The hid-rmi driver may handle non rmi devices on composite USB devices.
Callbacks need to make sure that the current device is a RMI device before
calling RMI specific functions. Most callbacks already have this check, but
this patch adds checks to the remaining callbacks.
Reported-by: Hendrik Langer <hendrik.langer@gmx.de>
Tested-by: Hendrik Langer <hendrik.langer@gmx.de>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The GamepadBlock game controller adapter needs HID_QUIRK_MULTI_INPUT
to split it up into two input devices. Without this quirk the
adapter is falsely recognized as only one device and mixes up the
inputs of the two connected controllers.
Signed-off-by: Florian Mueller <contact@petrockblock.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Add new U1 device Product ID. This device is used on HP Elite book x360 series.
[jkosina@suse.cz: update changelog]
Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
- Define T4 device specification value for support T4 device.
- Create "t4_contact_data" and "t4_input_report" structure for decoding and
storing T4-specific data
- Create "t4_calc_check_sum()" function for calculating checksum value to send
to the device. T4 needs to send this value when reading or writing device
address value.
- Create "t4_read_write_register()" function for reading and writing device
address value.
- Create "t4_raw_event()" function for decoding XYZ, palm and button data.
- Replace "MAX_TOUCHES" fixed variable to "max_fingers" variable.
- Add T4 device product ID. (0x120C)
T4 device is used on HP EliteBook 1000 series and Zbook Studio
[jkosina@suse.cz: rewrite changelog]
Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Move dev_ctrl, dev_type, sen_line_num_x, sen_line_num_y, pitch_x, pitch_y,
resolution, btn_info from u1_dev structure to "u1_init()", because these
variables are only used in there.
[jkosina@suse.cz: rewrite changelog]
Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Create x_min, y_min and max_fingers variables to set the correct XY minimum
value and the maximum number of fingers on each device.
[jkosina@suse.cz: update shortlog]
Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Create 'static int u1_init()' and factor out U1 device initialization code from
main initialization and introduce per-device 'has_sp' flag.
[jkosina@suse.cz: rewrite changelog]
Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Delete "struct u1_dev devInfo" structure, because u1_dev structure is already
declared as "struct u1_dev *data".
[jkosina@suse.cz: rewrite changelog]
Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:
- fix for potential out-of-bounds memory access (found by fuzzing,
likely requires specially crafted device to trigger) by Jaejoong Kim
- two new device IDs for elecom driver from Alex Manoussakis
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: hid-elecom: extend to fix descriptor for HUGE trackball
HID: usbhid: fix out-of-bounds bug
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"It's been a busy week for defending the attacks from fuzzer people.
This contains various USB-audio driver fixes and sequencer core fixes
spotted by syzkaller and other fuzzer, as well as one quirk for a
Plantronics USB audio device"
* tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: caiaq: Fix stray URB at probe error path
ALSA: seq: Fix use-after-free at creating a port
ALSA: usb-audio: Kill stray URB at exiting
ALSA: line6: Fix leftover URB at error-path during probe
ALSA: line6: Fix NULL dereference at podhd_disconnect()
ALSA: line6: Fix missing initialization before error path
ALSA: seq: Fix copy_from_user() call inside lock
ALSA: usb-audio: Add sample rate quirk for Plantronics P610
|
|
Merge waitid() fix from Kees Cook.
I'd have hoped that the unsafe_{get|put}_user() naming would have
avoided these kinds of stupid bugs, but no such luck.
* waitid-fix:
waitid(): Add missing access_ok() checks
|
|
Pull rpmsg fixes from Bjorn Andersson:
"This corrects two mistakes in the Qualcomm GLINK SMEM driver"
* tag 'rpmsg-v4.14-fixes' of git://github.com/andersson/remoteproc:
rpmsg: glink: Fix memory leak in qcom_glink_alloc_intent()
rpmsg: glink: Unlock on error in qcom_glink_request_intent()
|
|
Pull remoteproc fixes from Bjorn Andersson:
"This fixes a couple of issues in the imx_rproc driver and corrects the
Kconfig dependencies of the Qualcomm remoteproc drivers"
* tag 'rproc-v4.14-fixes' of git://github.com/andersson/remoteproc:
remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init()
remoteproc: qcom: fix RPMSG_QCOM_GLINK_SMEM dependencies
remoteproc: imx_rproc: fix a couple off by one bugs
|
|
In case of error, the function devm_ioremap() returns NULL pointer
not ERR_PTR(). The IS_ERR() test in the return value check should
be replaced with NULL test.
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
|
|
Commit 77469c3f570 prevented setting the page as uptodate when we wrote
the right amount of data, fix that.
Fixes: 77469c3f570 ("9p: saner ->write_end() on failing copy into non-uptodate page")
Reviewed-by: Jan Kara <jack@suse.com>
Signed-off-by: Alexander Levin <alexander.levin@verizon.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Here are some smallish GPIO fixes for v4.14. Like with pin control:
some build/Kconfig noise and one serious bug in a specific driver.
- Three Kconfig/build warning fixes
- A fix for lost edge IRQs in the OMAP driver"
* tag 'gpio-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: omap: Fix lost edge interrupts
gpio: omap: omap_gpio_show_rev is not __init
gpio: acpi: work around false-positive -Wstring-overflow warning
gpio: thunderx: select IRQ_DOMAIN_HIERARCHY instead of depends on
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
"Two small things and a slightly larger thing in the Intel Cherryview.
- Fix two build problems
- Fix a regression on the Intel Cherryview interrupt path"
* tag 'pinctrl-v4.14-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
pinctrl: cherryview: fix issues caused by dynamic gpio irqs mapping
pinctrl/amd: Fix build dependency on pinmux code
pinctrl: bcm2835: fix build warning in bcm2835_gpio_irq_handle_bank
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro:
"Fairly old DIO bug caught by Andreas (3.10+) and several slightly
younger blk_rq_map_user_iov() bugs, both on map and copy codepaths
(Vitaly and me)"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
bio_copy_user_iov(): don't ignore ->iov_offset
more bio_map_user_iov() leak fixes
fix unbalanced page refcounting in bio_map_user_iov
direct-io: Prevent NULL pointer access in submit_page_section
|
|
caiaq driver doesn't kill the URB properly at its error path during
the probe, which may lead to a use-after-free error later. This patch
addresses it.
Reported-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
In addition to DEFT, Elecom introduced a larger trackball called HUGE, in
both wired (M-HT1URBK) and wireless (M-HT1DRBK) versions. It has the same
buttons and behavior as the DEFT. This patch adds the two relevant USB IDs
to enable operation of the three Fn buttons on the top of the device.
Cc: Diego Elio Petteno <flameeyes@flameeyes.eu>
Signed-off-by: Alex Manoussakis <amanou@gnu.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The hid descriptor identifies the length and type of subordinate
descriptors for a device. If the received hid descriptor is smaller than
the size of the struct hid_descriptor, it is possible to cause
out-of-bounds.
In addition, if bNumDescriptors of the hid descriptor have an incorrect
value, this can also cause out-of-bounds while approaching hdesc->desc[n].
So check the size of hid descriptor and bNumDescriptors.
BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
4.14.0-rc1-42251-gebb2c2437d80 #169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x22f/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Cc: stable@vger.kernel.org
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
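The two checks described in the usbhid commit message above (descriptor size and bNumDescriptors), shown as a user-space sketch. This is an added example, not the kernel patch itself: the function name, return codes and sample byte arrays are constructed for illustration, and only the descriptor layout (6 fixed bytes followed by 3-byte class descriptor entries) follows the USB HID descriptor format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HID_DT_REPORT      0x22 /* class descriptor type: report descriptor */
#define HID_DESC_FIXED_LEN 6    /* bLength .. bNumDescriptors */
#define HID_CLASS_DESC_LEN 3    /* bDescriptorType + wDescriptorLength (LE) */
#define HID_DESC_MIN_LEN   (HID_DESC_FIXED_LEN + HID_CLASS_DESC_LEN)

/* Hypothetical return codes for this example. */
enum { PARSE_OK = 0, PARSE_TOO_SHORT = -1, PARSE_NO_REPORT = -2 };

/*
 * Find the report descriptor length advertised by a device-supplied HID
 * descriptor. Every field is untrusted: bLength is checked against both the
 * minimum structure size and the bytes actually received, and
 * bNumDescriptors is clamped to the number of entries that fit in bLength.
 */
int hid_report_desc_len(const uint8_t *buf, size_t buf_len, uint16_t *rsize)
{
    if (buf_len < HID_DESC_MIN_LEN)
        return PARSE_TOO_SHORT;

    uint8_t blength = buf[0];
    if (blength < HID_DESC_MIN_LEN || blength > buf_len)
        return PARSE_TOO_SHORT;

    size_t claimed = buf[5]; /* bNumDescriptors as sent by the device */
    size_t fit = (size_t)(blength - HID_DESC_FIXED_LEN) / HID_CLASS_DESC_LEN;
    size_t n = claimed < fit ? claimed : fit;

    for (size_t i = 0; i < n; i++) {
        const uint8_t *d = buf + HID_DESC_FIXED_LEN + i * HID_CLASS_DESC_LEN;
        if (d[0] == HID_DT_REPORT) {
            *rsize = (uint16_t)(d[1] | (d[2] << 8));
            return PARSE_OK;
        }
    }
    return PARSE_NO_REPORT;
}

/* Constructed sample descriptors (not captured from real devices). */
static const uint8_t sample_valid[] = {      /* one report entry, 0x0034 */
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x34, 0x00 };
static const uint8_t sample_short[] = {      /* smaller than the structure */
    0x06, 0x21, 0x11, 0x01, 0x00, 0x01 };
static const uint8_t sample_overclaim[] = {  /* claims 255 entries, has 1 */
    0x09, 0x21, 0x11, 0x01, 0x00, 0xff, 0x23, 0x10, 0x00 };
static const uint8_t sample_two[] = {        /* physical, then report 0x0140 */
    0x0c, 0x21, 0x11, 0x01, 0x00, 0x02, 0x23, 0x10, 0x00, 0x22, 0x40, 0x01 };

int main(void)
{
    uint16_t r = 0;
    int rc;

    rc = hid_report_desc_len(sample_valid, sizeof sample_valid, &r);
    printf("valid:     rc=%d rsize=%u\n", rc, (unsigned)r);
    rc = hid_report_desc_len(sample_short, sizeof sample_short, &r);
    printf("short:     rc=%d\n", rc);
    rc = hid_report_desc_len(sample_overclaim, sizeof sample_overclaim, &r);
    printf("overclaim: rc=%d\n", rc);
    rc = hid_report_desc_len(sample_two, sizeof sample_two, &r);
    printf("two:       rc=%d rsize=%u\n", rc, (unsigned)r);
    return 0;
}
```

Without the clamp, the overclaiming sample would make the loop read entries far past the 9 bytes received, which is the kind of read KASAN reports in the trace above.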
|
|
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
(introduced by 686fef928bba ("timer: Prepare to change timer callback
argument type")) to pass the timer pointer explicitly. Adds pointer back to
hid_device for multitouch.
[jkosina@suse.cz: extend changelog a little bit as asked for by Benjamin]
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-input@vger.kernel.org
Cc: linux-usb@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
range"
This reverts commit 3e70969e44ee52d72053145dab2cbad74109c685.
This commit causes a few problems for userspace. The most noteworthy are
problems related to the distinguishing of different pens and pointer jumps
when entering proximity. Userspace is written with the expectation that a
pen will provide its tool ID and serial number (if available) in the very
first in-prox report. By sending BTN_TOOL_PEN when the tablet starts
communicating rather than waiting until a tool ID/serial number is
available, userspace ends up treating all pens as being the same and
lacking a serial number. Similarly, userspace assumes that the first
report will contain X/Y data, but by marking the pen as being in-prox
without an X/Y coordinate, userspace ends up warping the pen to the last-
known X/Y location. As of commit 5b40104edfb0 ("HID: wacom: generic: Reset
events back to zero when pen leaves") this means warping to (0,0).
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:
BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
___slab_alloc+0x425/0x460
__slab_alloc+0x20/0x40
kmem_cache_alloc_trace+0x150/0x190
snd_seq_create_port+0x94/0x9b0 [snd_seq]
snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
__slab_free+0x204/0x310
kfree+0x15f/0x180
port_delete+0x136/0x1a0 [snd_seq]
snd_seq_delete_port+0x235/0x350 [snd_seq]
snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
Call Trace:
[<ffffffff81b03781>] dump_stack+0x63/0x82
[<ffffffff81531b3b>] print_trailer+0xfb/0x160
[<ffffffff81536db4>] object_err+0x34/0x40
[<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
[<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
[<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
[<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
[<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
[<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
[<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
[<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
.....
We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use. Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.
This fix covers CVE-2017-15265.
Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Since "block: support large requests in blk_rq_map_user_iov" we
started to call it with partially drained iter; that works fine
on the write side, but reads create a copy of iter for completion
time. And that needs to take the possibility of ->iov_iter != 0
into account...
Cc: stable@vger.kernel.org #v4.5+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
we need to take care of failure exit as well - pages already
in bio should be dropped by analogue of bio_unmap_pages(),
since their refcounts had been bumped only once per reference
in bio.
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
IO vector has small consecutive buffers belonging to the same page.
bio_add_pc_page merges them into one, but the page reference is never
dropped.
Cc: stable@vger.kernel.org
Signed-off-by: Vitaly Mayatskikh <v.mayatskih@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
In the code added to function submit_page_section by commit b1058b981,
sdio->bio can currently be NULL when calling dio_bio_submit. This then
leads to a NULL pointer access in dio_bio_submit, so check for a NULL
bio in submit_page_section before trying to submit it instead.
Fixes xfstest generic/250 on gfs2.
Cc: stable@vger.kernel.org # v3.10+
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull seccomp fixlet from Kees Cook:
"Minor seccomp fix for v4.14-rc5. I debated sending this at all for
v4.14, but since it fixes a minor issue in the prior fix, which also
went to -stable, it seemed better to just get all of it cleaned up
right now.
- fix missed "static" to avoid Sparse warning (Colin King)"
* tag 'seccomp-v4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
seccomp: make function __get_seccomp_filter static
|