October 2018 - Linux-stable-mirror

[PATCH v2] HID: hiddev: fix potential Spectre v1

by Breno Leitao

uref->usage_index can be indirectly controlled by userspace, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This field is used as an array index by the hiddev_ioctl_usage() function, when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or HIDIOCSUSAGES. For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to field->maxusage and then used as an index to dereference field->usage array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where uref->usage_index is checked against an array maximum value and then it is used as an index in an array. This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the traditional Spectre V1 first load: copy_from_user(uref, user_arg, sizeof(*uref)) if (uref->usage_index >= field->maxusage) goto inval; i = field->usage[uref->usage_index].collection_index; return i; This patch fixes this by sanitizing field uref->usage_index before using it to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load. Signed-off-by: Breno Leitao <leitao(a)debian.org> Cc: <stable(a)vger.kernel.org> -- v2: Contemplate cmd == HIDIOC{G,S}USAGES case diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c index 23872d08308c..a746017fac17 100644 --- a/drivers/hid/usbhid/hiddev.c +++ b/drivers/hid/usbhid/hiddev.c @@ -512,14 +512,24 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, if (cmd == HIDIOCGCOLLECTIONINDEX) { if (uref->usage_index >= field->maxusage) goto inval; + uref->usage_index = + array_index_nospec(uref->usage_index, + field->maxusage); } else if (uref->usage_index >= field->report_count) goto inval; } - if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && - (uref_multi->num_values > HID_MAX_MULTI_USAGES || - uref->usage_index + uref_multi->num_values > field->report_count)) - goto inval; + if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) { + if (uref_multi->num_values > HID_MAX_MULTI_USAGES || + uref->usage_index + uref_multi->num_values > + field->report_count) + goto inval; + + uref->usage_index = + array_index_nospec(uref->usage_index, + field->report_count - + uref_multi->num_values); + } switch (cmd) { case HIDIOCGUSAGE: -- 2.17.1

6 years, 2 months

2
1
0 0

for your photos 15

by Katie

We are a team of 12 image editors and we are here to edit your photos. We mainly provide images cut out and images clipping path, masking. Such as for ecommerce photos, and it is also for beauty portraits and skin images We provide test editing if you send us 1 or 2 photos. Thanks, Katie

6 years, 2 months

1
0
0 0

[PATCH AUTOSEL 4.14 01/15] ARM: dts: imx53-qsb: disable 1.2GHz OPP

by Sasha Levin

From: Sascha Hauer <s.hauer(a)pengutronix.de> [ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ] The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the 1.2GHz OPP. This makes the board work again with configs that have cpufreq enabled like imx_v6_v7_defconfig on which the board stopped working with the addition of cpufreq-dt support. Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support") Signed-off-by: Sascha Hauer <s.hauer(a)pengutronix.de> Signed-off-by: Shawn Guo <shawnguo(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi index 683dcbe27cbd..8c11190c5218 100644 --- a/arch/arm/boot/dts/imx53-qsb-common.dtsi +++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi @@ -130,6 +130,17 @@ }; }; +&cpu0 { + /* CPU rated to 1GHz, not 1.2GHz as per the default settings */ + operating-points = < + /* kHz uV */ + 166666 850000 + 400000 900000 + 800000 1050000 + 1000000 1200000 + >; +}; + &esdhc1 { pinctrl-names = "default"; pinctrl-0 = <&pinctrl_esdhc1>; -- 2.17.1

6 years, 2 months

4
21
0 0

[PATCH AUTOSEL 3.18 01/98] dm thin: restore requested 'error_if_no_space' setting on OODS to WRITE transition

by Sasha Levin

From: Mike Snitzer <snitzer(a)redhat.com> [ Upstream commit 172c238612ebf81cabccc86b788c9209af591f61 ] A thin-pool that is in out-of-data-space (OODS) mode may transition back to write mode -- without the admin adding more space to the thin-pool -- if/when blocks are released (either by deleting thin devices or discarding provisioned blocks). But as part of the thin-pool's earlier transition to out-of-data-space mode the thin-pool may have set the 'error_if_no_space' flag to true if the no_space_timeout expires without more space having been made available. That implementation detail, of changing the pool's error_if_no_space setting, needs to be reset back to the default that the user specified when the thin-pool's table was loaded. Otherwise we'll drop the user requested behaviour on the floor when this out-of-data-space to write mode transition occurs. Reported-by: Vivek Goyal <vgoyal(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)redhat.com> Acked-by: Joe Thornber <ejt(a)redhat.com> Fixes: 2c43fd26e4 ("dm thin: fix missing out-of-data-space to write mode transition if blocks are released") Cc: stable(a)vger.kernel.org Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/md/dm-thin.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c index 68c7102a64c8..936c57b57539 100644 --- a/drivers/md/dm-thin.c +++ b/drivers/md/dm-thin.c @@ -1909,6 +1909,7 @@ static void set_pool_mode(struct pool *pool, enum pool_mode new_mode) case PM_WRITE: if (old_mode != new_mode) notify_of_pool_mode_change(pool, "write"); + pool->pf.error_if_no_space = pt->requested_pf.error_if_no_space; dm_pool_metadata_read_write(pool->pmd); pool->process_bio = process_bio; pool->process_discard = process_discard; -- 2.17.1

6 years, 2 months

6
106
0 0

[PATCH AUTOSEL 4.4 01/65] KEYS: put keyring if install_session_keyring_to_cred() fails

by Sasha Levin

From: Eric Biggers <ebiggers(a)google.com> [ Upstream commit d636bd9f12a66ea3775c9fabbf3f8e118253467a ] In join_session_keyring(), if install_session_keyring_to_cred() were to fail, we would leak the keyring reference, just like in the bug fixed by commit 23567fd052a9 ("KEYS: Fix keyring ref leak in join_session_keyring()"). Fortunately this cannot happen currently, but we really should be more careful. Do this by adding and using a new error label at which the keyring reference is dropped. Signed-off-by: Eric Biggers <ebiggers(a)google.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Signed-off-by: James Morris <james.l.morris(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/keys/process_keys.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index ac1d5b2b1626..a7095372701e 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c @@ -808,15 +808,14 @@ long join_session_keyring(const char *name) ret = PTR_ERR(keyring); goto error2; } else if (keyring == new->session_keyring) { - key_put(keyring); ret = 0; - goto error2; + goto error3; } /* we've got a keyring - now to install it */ ret = install_session_keyring_to_cred(new, keyring); if (ret < 0) - goto error2; + goto error3; commit_creds(new); mutex_unlock(&key_session_mutex); @@ -826,6 +825,8 @@ long join_session_keyring(const char *name) okay: return ret; +error3: + key_put(keyring); error2: mutex_unlock(&key_session_mutex); error: -- 2.17.1

6 years, 2 months

3
69
0 0

[PATCH v2 2/2] drm/i915/hdmi: Reorder structure to match specification

by clinton.a.taylor＠intel.com

From: Clint Taylor <clinton.a.taylor(a)intel.com> reorder structure of 297, 594 N values to group Audio Sample Frequencies together to make updating from HDMI specification easier. V2: Match patch 1/2 version Cc: Jani Nikula <jani.nikula(a)linux.intel.com> Cc: stable(a)vger.kernel.org Signed-off-by: Clint Taylor <clinton.a.taylor(a)intel.com> --- drivers/gpu/drm/i915/intel_audio.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/i915/intel_audio.c b/drivers/gpu/drm/i915/intel_audio.c index ee3ca2d..47caecb 100644 --- a/drivers/gpu/drm/i915/intel_audio.c +++ b/drivers/gpu/drm/i915/intel_audio.c @@ -153,32 +153,32 @@ struct dp_aud_n_m { int n; int cts; } hdmi_aud_ncts[] = { - { 44100, TMDS_296M, 4459, 234375 }, - { 44100, TMDS_297M, 4704, 247500 }, - { 48000, TMDS_296M, 5824, 281250 }, - { 48000, TMDS_297M, 5120, 247500 }, { 32000, TMDS_296M, 5824, 421875 }, { 32000, TMDS_297M, 3072, 222750 }, + { 44100, TMDS_296M, 4459, 234375 }, + { 44100, TMDS_297M, 4704, 247500 }, { 88200, TMDS_296M, 8918, 234375 }, { 88200, TMDS_297M, 9408, 247500 }, - { 96000, TMDS_296M, 11648, 281250 }, - { 96000, TMDS_297M, 10240, 247500 }, { 176400, TMDS_296M, 17836, 234375 }, { 176400, TMDS_297M, 18816, 247500 }, + { 48000, TMDS_296M, 5824, 281250 }, + { 48000, TMDS_297M, 5120, 247500 }, + { 96000, TMDS_296M, 11648, 281250 }, + { 96000, TMDS_297M, 10240, 247500 }, { 192000, TMDS_296M, 23296, 281250 }, { 192000, TMDS_297M, 20480, 247500 }, - { 44100, TMDS_593M, 8918, 937500 }, - { 44100, TMDS_594M, 9408, 990000 }, - { 48000, TMDS_593M, 5824, 562500 }, - { 48000, TMDS_594M, 6144, 594000 }, { 32000, TMDS_593M, 5824, 843750 }, { 32000, TMDS_594M, 3072, 445500 }, + { 44100, TMDS_593M, 8918, 937500 }, + { 44100, TMDS_594M, 9408, 990000 }, { 88200, TMDS_593M, 17836, 937500 }, { 88200, TMDS_594M, 18816, 990000 }, - { 96000, TMDS_593M, 11648, 562500 }, - { 96000, TMDS_594M, 12288, 594000 }, { 176400, TMDS_593M, 35672, 937500 }, { 176400, TMDS_594M, 37632, 990000 }, + { 48000, TMDS_593M, 5824, 562500 }, + { 48000, TMDS_594M, 6144, 594000 }, + { 96000, TMDS_593M, 11648, 562500 }, + { 96000, TMDS_594M, 12288, 594000 }, { 192000, TMDS_593M, 23296, 562500 }, { 192000, TMDS_594M, 24576, 594000 }, }; -- 1.9.1

6 years, 2 months

2
1
0 0

stable@vger.kernel.org RE:For Your Urgent Perusal

by Mr Steven Walter

Dear stable(a)vger.kernel.org , I am sorry for invading your privacy because we do not know each other but I am contacting you because of my late client who died without a will. This is to notify you that your are the beneficiary to the bequest of the sum of £10,500,000.00 GBP in the intent of my deceased client. If you accept please forward your full names, current address and your direct cell for the court documentations and so that we can obtain the probate division of court papers required for you to claim the funds from the holding bank. Thanks, Steven Walter Disclaimer: Adobe® reserves the rights to protect sensitive documents against fraudsters and spyware. Adobe® secured files are encrypted with the receivers' email and can only be viewed by the recipient. For more details visit http://www.adobe.com/legal/terms.html for details.

6 years, 2 months

1
0
0 0

stable@vger.kernel.org RE:For Your Urgent Perusal

by Mr Steven Walter

Dear stable(a)vger.kernel.org , I am sorry for invading your privacy because we do not know each other but I am contacting you because of my late client who died without a will. This is to notify you that your are the beneficiary to the bequest of the sum of £10,500,000.00 GBP in the intent of my deceased client. If you accept please forward your full names, current address and your direct cell for the court documentations and so that we can obtain the probate division of court papers required for you to claim the funds from the holding bank. Thanks, Steven Walter Disclaimer: Adobe® reserves the rights to protect sensitive documents against fraudsters and spyware. Adobe® secured files are encrypted with the receivers' email and can only be viewed by the recipient. For more details visit http://www.adobe.com/legal/terms.html for details.

6 years, 2 months

1
0
0 0

[PATCH v2 1/2] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values

by clinton.a.taylor＠intel.com

From: Clint Taylor <clinton.a.taylor(a)intel.com> HDMI 2.0 594Mhz modes were incorrectly selecting 25.200Mhz Automatic N value mode instead of HDMI specification values. V2: Fix 88.2 Hz N value Cc: Jani Nikula <jani.nikula(a)linux.intel.com> Cc: stable(a)vger.kernel.org Signed-off-by: Clint Taylor <clinton.a.taylor(a)intel.com> --- drivers/gpu/drm/i915/intel_audio.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/gpu/drm/i915/intel_audio.c b/drivers/gpu/drm/i915/intel_audio.c index 769f3f5..ee3ca2d 100644 --- a/drivers/gpu/drm/i915/intel_audio.c +++ b/drivers/gpu/drm/i915/intel_audio.c @@ -144,6 +144,9 @@ struct dp_aud_n_m { /* HDMI N/CTS table */ #define TMDS_297M 297000 #define TMDS_296M 296703 +#define TMDS_594M 594000 +#define TMDS_593M 593407 + static const struct { int sample_rate; int clock; @@ -164,6 +167,20 @@ struct dp_aud_n_m { { 176400, TMDS_297M, 18816, 247500 }, { 192000, TMDS_296M, 23296, 281250 }, { 192000, TMDS_297M, 20480, 247500 }, + { 44100, TMDS_593M, 8918, 937500 }, + { 44100, TMDS_594M, 9408, 990000 }, + { 48000, TMDS_593M, 5824, 562500 }, + { 48000, TMDS_594M, 6144, 594000 }, + { 32000, TMDS_593M, 5824, 843750 }, + { 32000, TMDS_594M, 3072, 445500 }, + { 88200, TMDS_593M, 17836, 937500 }, + { 88200, TMDS_594M, 18816, 990000 }, + { 96000, TMDS_593M, 11648, 562500 }, + { 96000, TMDS_594M, 12288, 594000 }, + { 176400, TMDS_593M, 35672, 937500 }, + { 176400, TMDS_594M, 37632, 990000 }, + { 192000, TMDS_593M, 23296, 562500 }, + { 192000, TMDS_594M, 24576, 594000 }, }; /* get AUD_CONFIG_PIXEL_CLOCK_HDMI_* value for mode */ -- 1.9.1

6 years, 2 months

2
1
0 0

stable@vger.kernel.org RE:For Your Urgent Perusal

by Mr Steven Walter

Dear stable(a)vger.kernel.org , I am sorry for invading your privacy because we do not know each other but I am contacting you because of my late client who died without a will. This is to notify you that your are the beneficiary to the bequest of the sum of £10,500,000.00 GBP in the intent of my deceased client. If you accept please forward your full names, current address and your direct cell for the court documentations and so that we can obtain the probate division of court papers required for you to claim the funds from the holding bank. Thanks, Steven Walter Disclaimer: Adobe® reserves the rights to protect sensitive documents against fraudsters and spyware. Adobe® secured files are encrypted with the receivers' email and can only be viewed by the recipient. For more details visit http://www.adobe.com/legal/terms.html for details.

6 years, 2 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2018