diff options
| -rw-r--r-- | 0001-Revert-zram-convert-remaining-CLASS_ATTR-to-CLASS_AT.patch | 30 | ||||
| -rw-r--r-- | 0001-USB-iowarrior-fix-up-report-size-handling-for-some-d.patch | 73 | ||||
| -rw-r--r-- | 0001-mtd-properly-check-all-write-ioctls-for-permissions.patch | 110 | ||||
| -rw-r--r-- | series | 3 |
4 files changed, 185 insertions, 31 deletions
diff --git a/0001-Revert-zram-convert-remaining-CLASS_ATTR-to-CLASS_AT.patch b/0001-Revert-zram-convert-remaining-CLASS_ATTR-to-CLASS_AT.patch deleted file mode 100644 index 585456a140ae54..00000000000000 --- a/0001-Revert-zram-convert-remaining-CLASS_ATTR-to-CLASS_AT.patch +++ /dev/null @@ -1,30 +0,0 @@ -From dc2440d69ee81aff9c56ec8ded0fd37b7b344130 Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Date: Wed, 17 Jun 2020 12:28:23 +0200 -Subject: [PATCH] Revert "zram: convert remaining CLASS_ATTR() to - CLASS_ATTR_RO()" - -Turns out that the permissions for 0400 really are what we want here, -otherwise any user can write to this file. - -Reported-by: Wade Mealing <wmealing@redhat.com> -Cc: stable <stable@vger.kernel.org> -Fixes: f40609d1591f ("zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()") -Link: https://bugzilla.redhat.com/show_bug.cgi?id=1847832 -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/block/zram/zram_drv.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/block/zram/zram_drv.c -+++ b/drivers/block/zram/zram_drv.c -@@ -2021,7 +2021,8 @@ static ssize_t hot_add_show(struct class - return ret; - return scnprintf(buf, PAGE_SIZE, "%d\n", ret); - } --static CLASS_ATTR_RO(hot_add); -+static struct class_attribute class_attr_hot_add = -+ __ATTR(hot_add, 0400, hot_add_show, NULL); - - static ssize_t hot_remove_store(struct class *class, - struct class_attribute *attr, diff --git a/0001-USB-iowarrior-fix-up-report-size-handling-for-some-d.patch b/0001-USB-iowarrior-fix-up-report-size-handling-for-some-d.patch new file mode 100644 index 00000000000000..0a030978716d4f --- /dev/null +++ b/0001-USB-iowarrior-fix-up-report-size-handling-for-some-d.patch @@ -0,0 +1,73 @@ +From 9f2f3f81bd9e9d4bd12202b765e1dbd964b4bbac Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Sun, 26 Jul 2020 11:45:33 +0200 +Subject: [PATCH] USB: iowarrior: fix up report size handling for some devices + +In previous patches that added support for new iowarrior devices, the +handling of the report size was not done correct. + +Fix that up and update the copyright date for the driver + +Reworked from an original patch written by Christoph Jung. + +Fixes: bab5417f5f01 ("USB: misc: iowarrior: add support for the 100 device") +Fixes: 5f6f8da2d7b5 ("USB: misc: iowarrior: add support for the 28 and 28L devices") +Fixes: 461d8deb26a7 ("USB: misc: iowarrior: add support for 2 OEMed devices") +Cc: stable <stable@kernel.org> +Reported-by: Christoph Jung <jung@codemercs.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/misc/iowarrior.c | 35 +++++++++++++++++++++++++---------- + 1 file changed, 25 insertions(+), 10 deletions(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -2,8 +2,9 @@ + /* + * Native support for the I/O-Warrior USB devices + * +- * Copyright (c) 2003-2005 Code Mercenaries GmbH +- * written by Christian Lucht <lucht@codemercs.com> ++ * Copyright (c) 2003-2005, 2020 Code Mercenaries GmbH ++ * written by Christian Lucht <lucht@codemercs.com> and ++ * Christoph Jung <jung@codemercs.com> + * + * based on + +@@ -802,14 +803,28 @@ static int iowarrior_probe(struct usb_in + + /* we have to check the report_size often, so remember it in the endianness suitable for our machine */ + dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); +- if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) && +- ((dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) || +- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56AM) || +- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28) || +- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28L) || +- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW100))) +- /* IOWarrior56 has wMaxPacketSize different from report size */ +- dev->report_size = 7; ++ ++ /* ++ * Some devices need the report size to be different than the ++ * endpoint size. ++ */ ++ if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) { ++ switch (dev->product_id) { ++ case USB_DEVICE_ID_CODEMERCS_IOW56: ++ case USB_DEVICE_ID_CODEMERCS_IOW56AM: ++ dev->report_size = 7; ++ break; ++ ++ case USB_DEVICE_ID_CODEMERCS_IOW28: ++ case USB_DEVICE_ID_CODEMERCS_IOW28L: ++ dev->report_size = 4; ++ break; ++ ++ case USB_DEVICE_ID_CODEMERCS_IOW100: ++ dev->report_size = 13; ++ break; ++ } ++ } + + /* create the urb and buffer for reading */ + dev->int_in_urb = usb_alloc_urb(0, GFP_KERNEL); diff --git a/0001-mtd-properly-check-all-write-ioctls-for-permissions.patch b/0001-mtd-properly-check-all-write-ioctls-for-permissions.patch new file mode 100644 index 00000000000000..66b766d88c3527 --- /dev/null +++ b/0001-mtd-properly-check-all-write-ioctls-for-permissions.patch @@ -0,0 +1,110 @@ +From 02c6bc84e034fc1930dd3e57c933ea22351e9f85 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Sat, 11 Jul 2020 08:51:20 +0200 +Subject: [PATCH 1/2] mtd: properly check all write ioctls for permissions + +When doing a "write" ioctl call, properly check that we have permissions +to do so before copying anything from userspace or anything else so we +can "fail fast". This includes also covering the MEMWRITE ioctl which +previously missed checking for this. + +Cc: Miquel Raynal <miquel.raynal@bootlin.com> +Cc: Richard Weinberger <richard@nod.at> +Cc: Vignesh Raghavendra <vigneshr@ti.com> +Cc: stable <stable@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/mtd/mtdchar.c | 54 +++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 45 insertions(+), 9 deletions(-) + +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -355,9 +355,6 @@ static int mtdchar_writeoob(struct file + uint32_t retlen; + int ret = 0; + +- if (!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + if (length > 4096) + return -EINVAL; + +@@ -643,6 +640,48 @@ static int mtdchar_ioctl(struct file *fi + + pr_debug("MTD_ioctl\n"); + ++ /* ++ * Check the file mode to require "dangerous" commands to have write ++ * permissions. ++ */ ++ switch (cmd) { ++ /* "safe" commands */ ++ case MEMGETREGIONCOUNT: ++ case MEMGETREGIONINFO: ++ case MEMGETINFO: ++ case MEMREADOOB: ++ case MEMREADOOB64: ++ case MEMLOCK: ++ case MEMUNLOCK: ++ case MEMISLOCKED: ++ case MEMGETOOBSEL: ++ case MEMGETBADBLOCK: ++ case MEMSETBADBLOCK: ++ case OTPSELECT: ++ case OTPGETREGIONCOUNT: ++ case OTPGETREGIONINFO: ++ case OTPLOCK: ++ case ECCGETLAYOUT: ++ case ECCGETSTATS: ++ case MTDFILEMODE: ++ case BLKPG: ++ case BLKRRPART: ++ break; ++ ++ /* "dangerous" commands */ ++ case MEMERASE: ++ case MEMERASE64: ++ case MEMWRITEOOB: ++ case MEMWRITEOOB64: ++ case MEMWRITE: ++ if (!(file->f_mode & FMODE_WRITE)) ++ return -EPERM; ++ break; ++ ++ default: ++ return -ENOTTY; ++ } ++ + switch (cmd) { + case MEMGETREGIONCOUNT: + if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int))) +@@ -690,9 +729,6 @@ static int mtdchar_ioctl(struct file *fi + { + struct erase_info *erase; + +- if(!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL); + if (!erase) + ret = -ENOMEM; +@@ -985,9 +1021,6 @@ static int mtdchar_ioctl(struct file *fi + ret = 0; + break; + } +- +- default: +- ret = -ENOTTY; + } + + return ret; +@@ -1031,6 +1064,9 @@ static long mtdchar_compat_ioctl(struct + struct mtd_oob_buf32 buf; + struct mtd_oob_buf32 __user *buf_user = argp; + ++ if (!(file->f_mode & FMODE_WRITE)) ++ return -EPERM; ++ + if (copy_from_user(&buf, argp, sizeof(buf))) + ret = -EFAULT; + else @@ -1,5 +1,6 @@ # -0001-Revert-zram-convert-remaining-CLASS_ATTR-to-CLASS_AT.patch +0001-mtd-properly-check-all-write-ioctls-for-permissions.patch +0001-USB-iowarrior-fix-up-report-size-handling-for-some-d.patch 0001-readfile-implement-readfile-syscall.patch 0002-arch-wire-up-the-readfile-syscall.patch 0003-selftests-add-readfile-2-selftests.patch |