Talos™ II Linux sources for OpenPOWER https://git.raptorcs.com/git/talos-op-linux/atom?h=master 2019-09-06T13:55:40+00:00 2019-09-06T13:55:40+00:00 Dan Elkouby streetwalkermc@gmail.com 2019-09-06T11:06:44+00:00 urn:sha1:8bb3537095f107ed55ad51f6241165b397aaafac hidp_send_message was changed to return non-zero values on success, which some other bits did not expect. This caused spurious errors to be propagated through the stack, breaking some drivers, such as hid-sony for the Dualshock 4 in Bluetooth mode. As pointed out by Dan Carpenter, hid-microsoft directly relied on that assumption as well. Fixes: 48d9cc9d85dd ("Bluetooth: hidp: Let hidp_send_message return number of queued bytes") Signed-off-by: Dan Elkouby <streetwalkermc@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2019-08-12T16:23:50+00:00 Fabian Henneke fabian.henneke@gmail.com 2019-07-15T17:40:56+00:00 urn:sha1:48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 Let hidp_send_message return the number of successfully queued bytes instead of an unconditional 0. With the return value fixed to 0, other drivers relying on hidp, such as hidraw, can not return meaningful values from their respective implementations of write(). In particular, with the current behavior, a hidraw device's write() will have different return values depending on whether the device is connected via USB or Bluetooth, which makes it harder to abstract away the transport layer. Signed-off-by: Fabian Henneke <fabian.henneke@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2019-07-06T11:07:41+00:00 Dan Carpenter dan.carpenter@oracle.com 2019-05-16T18:24:00+00:00 urn:sha1:dcae9052ebb0c5b2614de620323d615fcbfda7f8 This change is similar to commit a1616a5ac99e ("Bluetooth: hidp: fix buffer overflow") but for the compat ioctl. We take a string from the user and forgot to ensure that it's NUL terminated. I have also changed the strncpy() in to strscpy() in hidp_setup_hid(). The difference is the strncpy() doesn't necessarily NUL terminate the destination string. Either change would fix the problem but it's nice to take a belt and suspenders approach and do both. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2019-05-21T08:50:46+00:00 Thomas Gleixner tglx@linutronix.de 2019-05-19T12:07:45+00:00 urn:sha1:ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1 Add SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any form These files fall under the project license, GPL v2 only. The resulting SPDX license identifier is: GPL-2.0-only Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-04-23T17:04:38+00:00 Young Xiao YangX92@hotmail.com 2019-04-12T07:24:30+00:00 urn:sha1:a1616a5ac99ede5d605047a9012481ce7ff18b16 Struct ca is copied from userspace. It is not checked whether the "name" field is NULL terminated, which allows local users to obtain potentially sensitive information from kernel stack memory, via a HIDPCONNADD command. This vulnerability is similar to CVE-2011-1079. Signed-off-by: Young Xiao <YangX92@hotmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org 2018-10-25T19:48:22+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-10-25T19:48:22+00:00 urn:sha1:ba7d4f36a2ec7d6f8d9e5c6cabbc57469dd4dc22 Pull compat_ioctl fixes from Al Viro: "A bunch of compat_ioctl fixes, mostly in bluetooth. Hopefully, most of fs/compat_ioctl.c will get killed off over the next few cycles; between this, tty series already merged and Arnd's work this cycle ought to take a good chunk out of the damn thing..." * 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: hidp: fix compat_ioctl hidp: constify hidp_connection_add() cmtp: fix compat_ioctl bnep: fix compat_ioctl compat_ioctl: trim the pointless includes 2018-09-27T09:59:58+00:00 Andrea Parri andrea.parri@amarulasolutions.com 2018-08-14T18:41:06+00:00 urn:sha1:5aac49378742a52bbe8af3d25bc51b487be7b17f The barriers are unneeded; wait_woken() and woken_wake_function() already provide us with the required synchronization: remove them and document that we're relying on the (implicit) synchronization provided by wait_woken() and woken_wake_function(). Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com> Reviewed-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2018-09-10T16:41:07+00:00 Al Viro viro@zeniv.linux.org.uk 2018-08-17T01:55:55+00:00 urn:sha1:702ec3072ae61cdf018725b353ff043e196548a6 1) no point putting it into fs/compat_ioctl.c when you handle it in your ->compat_ioctl() anyway. 2) HIDPCONNADD is *not* COMPATIBLE_IOCTL() stuff at all - it does layout massage (pointer-chasing there) 3) use compat_ptr() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2018-09-10T16:41:07+00:00 Al Viro viro@zeniv.linux.org.uk 2018-08-17T01:44:35+00:00 urn:sha1:535221481a8ed131e75c7f04c22298411b5abe32 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2018-08-01T07:12:35+00:00 Mark Salyzyn salyzyn@android.com 2018-07-31T22:02:13+00:00 urn:sha1:7992c18810e568b95c869b227137a2215702a805 CVE-2018-9363 The buffer length is unsigned at all layers, but gets cast to int and checked in hidp_process_report and can lead to a buffer overflow. Switch len parameter to unsigned int to resolve issue. This affects 3.18 and newer kernels. Signed-off-by: Mark Salyzyn <salyzyn@android.com> Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Kees Cook <keescook@chromium.org> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: linux-bluetooth@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: security@kernel.org Cc: kernel-team@android.com Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>