3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 25 Mar 2014 21:18:48 +0000 (14:18 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 25 Mar 2014 21:18:48 +0000 (14:18 -0700)
added patches:
input-elantech-improve-clickpad-detection.patch
input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch
kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch
kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch
kvm-x86-handle-invalid-root_hpa-everywhere.patch

queue-3.10/input-elantech-improve-clickpad-detection.patch [new file with mode: 0644]
queue-3.10/input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch [new file with mode: 0644]
queue-3.10/kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch [new file with mode: 0644]
queue-3.10/kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch [new file with mode: 0644]
queue-3.10/kvm-x86-handle-invalid-root_hpa-everywhere.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/input-elantech-improve-clickpad-detection.patch b/queue-3.10/input-elantech-improve-clickpad-detection.patch
new file mode 100644 (file)
index 0000000..6ce87da
--- /dev/null
@@ -0,0 +1,111 @@
+From c15bdfd5b9831e4cab8cfc118243956e267dd30e Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 16 Dec 2013 07:09:25 -0800
+Subject: Input: elantech -  improve clickpad detection
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit c15bdfd5b9831e4cab8cfc118243956e267dd30e upstream.
+
+The current assumption in the elantech driver that hw version 3 touchpads
+are never clickpads and hw version 4 touchpads are always clickpads is
+wrong.
+
+There are several bug reports for this, ie:
+https://bugzilla.redhat.com/show_bug.cgi?id=1030802
+http://superuser.com/questions/619582/right-elantech-touchpad-button-not-working-in-linux
+
+I've spend a couple of hours wading through various bugzillas, launchpads
+and forum posts to create a list of fw-versions and capabilities for
+different laptop models to find a good method to differentiate between
+clickpads and versions with separate hardware buttons.
+
+Which shows that a device being a clickpad is reliable indicated by bit 12
+being set in the fw_version. I've included the gathered list inside the
+driver, so that we've this info at hand if we need to revisit this later.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c |   45 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 42 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -486,6 +486,7 @@ static void elantech_input_sync_v4(struc
+       unsigned char *packet = psmouse->packet;
+       input_report_key(dev, BTN_LEFT, packet[0] & 0x01);
++      input_report_key(dev, BTN_RIGHT, packet[0] & 0x02);
+       input_mt_report_pointer_emulation(dev, true);
+       input_sync(dev);
+ }
+@@ -954,6 +955,44 @@ static int elantech_get_resolution_v4(st
+ }
+ /*
++ * Advertise INPUT_PROP_BUTTONPAD for clickpads. The testing of bit 12 in
++ * fw_version for this is based on the following fw_version & caps table:
++ *
++ * Laptop-model:           fw_version:     caps:           buttons:
++ * Acer S3                 0x461f00        10, 13, 0e      clickpad
++ * Acer S7-392             0x581f01        50, 17, 0d      clickpad
++ * Acer V5-131             0x461f02        01, 16, 0c      clickpad
++ * Acer V5-551             0x461f00        ?               clickpad
++ * Asus K53SV              0x450f01        78, 15, 0c      2 hw buttons
++ * Asus G46VW              0x460f02        00, 18, 0c      2 hw buttons
++ * Asus G750JX             0x360f00        00, 16, 0c      2 hw buttons
++ * Asus UX31               0x361f00        20, 15, 0e      clickpad
++ * Asus UX32VD             0x361f02        00, 15, 0e      clickpad
++ * Avatar AVIU-145A2       0x361f00        ?               clickpad
++ * Gigabyte U2442          0x450f01        58, 17, 0c      2 hw buttons
++ * Lenovo L430             0x350f02        b9, 15, 0c      2 hw buttons (*)
++ * Samsung NF210           0x150b00        78, 14, 0a      2 hw buttons
++ * Samsung NP770Z5E        0x575f01        10, 15, 0f      clickpad
++ * Samsung NP700Z5B        0x361f06        21, 15, 0f      clickpad
++ * Samsung NP900X3E-A02    0x575f03        ?               clickpad
++ * Samsung NP-QX410        0x851b00        19, 14, 0c      clickpad
++ * Samsung RC512           0x450f00        08, 15, 0c      2 hw buttons
++ * Samsung RF710           0x450f00        ?               2 hw buttons
++ * System76 Pangolin       0x250f01        ?               2 hw buttons
++ * (*) + 3 trackpoint buttons
++ */
++static void elantech_set_buttonpad_prop(struct psmouse *psmouse)
++{
++      struct input_dev *dev = psmouse->dev;
++      struct elantech_data *etd = psmouse->private;
++
++      if (etd->fw_version & 0x001000) {
++              __set_bit(INPUT_PROP_BUTTONPAD, dev->propbit);
++              __clear_bit(BTN_RIGHT, dev->keybit);
++      }
++}
++
++/*
+  * Set the appropriate event bits for the input subsystem
+  */
+ static int elantech_set_input_params(struct psmouse *psmouse)
+@@ -996,6 +1035,8 @@ static int elantech_set_input_params(str
+               __set_bit(INPUT_PROP_SEMI_MT, dev->propbit);
+               /* fall through */
+       case 3:
++              if (etd->hw_version == 3)
++                      elantech_set_buttonpad_prop(psmouse);
+               input_set_abs_params(dev, ABS_X, x_min, x_max, 0, 0);
+               input_set_abs_params(dev, ABS_Y, y_min, y_max, 0, 0);
+               if (etd->reports_pressure) {
+@@ -1017,9 +1058,7 @@ static int elantech_set_input_params(str
+                        */
+                       psmouse_warn(psmouse, "couldn't query resolution data.\n");
+               }
+-              /* v4 is clickpad, with only one button. */
+-              __set_bit(INPUT_PROP_BUTTONPAD, dev->propbit);
+-              __clear_bit(BTN_RIGHT, dev->keybit);
++              elantech_set_buttonpad_prop(psmouse);
+               __set_bit(BTN_TOOL_QUADTAP, dev->keybit);
+               /* For X to recognize me as touchpad. */
+               input_set_abs_params(dev, ABS_X, x_min, x_max, 0, 0);
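Review bot: The clickpad test in elantech_set_buttonpad_prop, `if (etd->fw_version & 0x001000)`, uses a bare mask whose meaning (bit 12 of fw_version) is stated only in the table comment above the function. A named constant next to the driver's other definitions would tie the two together, for example `#define ETP_FW_CLICKPAD_MASK 0x001000` (name suggested here, not taken from the driver). The `if (etd->hw_version == 3)` guard under `case 3:` would also benefit from a one-line comment such as `/* case 2 falls through to here; only v3 hardware reports the clickpad bit */`, since the reason for re-testing the version inside its own case label is easy to miss. elantech_set_input_params starts and ends outside the hunks shown.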
diff --git a/queue-3.10/input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch b/queue-3.10/input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch
new file mode 100644 (file)
index 0000000..859279c
--- /dev/null
@@ -0,0 +1,55 @@
+From 1d0d6df02750b4a6f466768cbfbf860e24f4c8d4 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Mon, 25 Nov 2013 18:43:45 -0800
+Subject: Input: wacom - make sure touch_max is set for touch devices
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 1d0d6df02750b4a6f466768cbfbf860e24f4c8d4 upstream.
+
+Old single touch Tablet PCs do not have touch_max set at
+wacom_features. Since touch device at lease supports one
+finger, assign touch_max to 1 when touch usage is defined
+in its HID Descriptor and touch_max is not pre-defined.
+
+Tested-by: Jason Gerecke <killertofu@gmail.com>
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Reviewed-by: Chris Bagwell <chris@cnpbagwell.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/wacom_sys.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/tablet/wacom_sys.c
++++ b/drivers/input/tablet/wacom_sys.c
+@@ -339,7 +339,7 @@ static int wacom_parse_hid(struct usb_in
+       struct usb_device *dev = interface_to_usbdev(intf);
+       char limit = 0;
+       /* result has to be defined as int for some devices */
+-      int result = 0;
++      int result = 0, touch_max = 0;
+       int i = 0, usage = WCM_UNDEFINED, finger = 0, pen = 0;
+       unsigned char *report;
+@@ -386,7 +386,8 @@ static int wacom_parse_hid(struct usb_in
+                               if (usage == WCM_DESKTOP) {
+                                       if (finger) {
+                                               features->device_type = BTN_TOOL_FINGER;
+-
++                                              /* touch device at least supports one touch point */
++                                              touch_max = 1;
+                                               switch (features->type) {
+                                               case TABLETPC2FG:
+                                                       features->pktlen = WACOM_PKGLEN_TPC2FG;
+@@ -539,6 +540,8 @@ static int wacom_parse_hid(struct usb_in
+       }
+  out:
++      if (!features->touch_max && touch_max)
++              features->touch_max = touch_max;
+       result = 0;
+       kfree(report);
+       return result;
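Review bot: The fallback added after the `out:` label runs on every path that jumps to that label, including any early exits outside the visible context, and nothing in the hunk says this is intended. It looks harmless as written, because the local `touch_max` is only set to 1 once a finger usage has been parsed. A short comment would make the intent explicit, for example `/* default to one touch point when wacom_features did not predefine touch_max */`. wacom_parse_hid starts and ends outside the hunks shown.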
diff --git a/queue-3.10/kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch b/queue-3.10/kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch
new file mode 100644 (file)
index 0000000..c895645
--- /dev/null
@@ -0,0 +1,43 @@
+From 989c6b34f6a9480e397b170cc62237e89bf4fdb9 Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Thu, 19 Dec 2013 15:28:51 -0200
+Subject: KVM: MMU: handle invalid root_hpa at __direct_map
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+commit 989c6b34f6a9480e397b170cc62237e89bf4fdb9 upstream.
+
+It is possible for __direct_map to be called on invalid root_hpa
+(-1), two examples:
+
+1) try_async_pf -> can_do_async_pf
+    -> vmx_interrupt_allowed -> nested_vmx_vmexit
+2) vmx_handle_exit -> vmx_interrupt_allowed -> nested_vmx_vmexit
+
+Then to load_vmcs12_host_state and kvm_mmu_reset_context.
+
+Check for this possibility, let fault exception be regenerated.
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=924916
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2585,6 +2585,9 @@ static int __direct_map(struct kvm_vcpu
+       int emulate = 0;
+       gfn_t pseudo_gfn;
++      if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++              return 0;
++
+       for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) {
+               if (iterator.level == level) {
+                       mmu_set_spte(vcpu, iterator.sptep, ACC_ALL,
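Review bot: The new guard in __direct_map returns 0 with no comment, so a reader cannot tell from the code that 0 here means "do nothing and let the fault be regenerated" (the commit description's wording) rather than "mapping succeeded". I would put that reasoning at the check, e.g. `/* root was invalidated (root_hpa == -1); bail out so the fault is regenerated against a valid root */`. The return value is the initial value of `emulate`, so `return emulate;` would read more clearly if that is the intended meaning, but the function's return contract is outside the hunk and should be confirmed. __direct_map starts and ends outside the hunk.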
diff --git a/queue-3.10/kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch b/queue-3.10/kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch
new file mode 100644 (file)
index 0000000..940c137
--- /dev/null
@@ -0,0 +1,39 @@
+From 26a865f4aa8e66a6d94958de7656f7f1b03c6c56 Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 3 Jan 2014 17:00:51 -0200
+Subject: KVM: VMX: fix use after free of vmx->loaded_vmcs
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+commit 26a865f4aa8e66a6d94958de7656f7f1b03c6c56 upstream.
+
+After free_loaded_vmcs executes, the "loaded_vmcs" structure
+is kfreed, and now vmx->loaded_vmcs points to a kfreed area.
+Subsequent free_loaded_vmcs then attempts to manipulate
+vmx->loaded_vmcs.
+
+Switch the order to avoid the problem.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1047892
+
+Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7133,8 +7133,8 @@ static void vmx_free_vcpu(struct kvm_vcp
+       struct vcpu_vmx *vmx = to_vmx(vcpu);
+       free_vpid(vmx);
+-      free_nested(vmx);
+       free_loaded_vmcs(vmx->loaded_vmcs);
++      free_nested(vmx);
+       kfree(vmx->guest_msrs);
+       kvm_vcpu_uninit(vcpu);
+       kmem_cache_free(kvm_vcpu_cache, vmx);
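Review bot: This use-after-free fix in vmx_free_vcpu rests entirely on the order of two adjacent calls, and nothing in the new code records that constraint, so a later cleanup could reintroduce the bug by reordering them. A comment above the pair would pin it, e.g. `/* free_loaded_vmcs() must run before free_nested(): the latter may release the structure vmx->loaded_vmcs points to */`; the wording is inferred from the commit description, because the bodies of both helpers are outside the hunk. vmx->loaded_vmcs is also left pointing at released state afterwards, which is acceptable only because `vmx` itself is freed at the end of this function.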
diff --git a/queue-3.10/kvm-x86-handle-invalid-root_hpa-everywhere.patch b/queue-3.10/kvm-x86-handle-invalid-root_hpa-everywhere.patch
new file mode 100644 (file)
index 0000000..226a197
--- /dev/null
@@ -0,0 +1,77 @@
+From 37f6a4e237303549c8676dfe1fd1991ceab512eb Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 3 Jan 2014 17:09:32 -0200
+Subject: KVM: x86: handle invalid root_hpa everywhere
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+commit 37f6a4e237303549c8676dfe1fd1991ceab512eb upstream.
+
+Rom Freiman <rom@stratoscale.com> notes other code paths vulnerable to
+bug fixed by 989c6b34f6a9480e397b.
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c         |    9 +++++++++
+ arch/x86/kvm/paging_tmpl.h |    8 ++++++++
+ 2 files changed, 17 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2751,6 +2751,9 @@ static bool fast_page_fault(struct kvm_v
+       bool ret = false;
+       u64 spte = 0ull;
++      if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++              return false;
++
+       if (!page_fault_can_be_fast(vcpu, error_code))
+               return false;
+@@ -3142,6 +3145,9 @@ static u64 walk_shadow_page_get_mmio_spt
+       struct kvm_shadow_walk_iterator iterator;
+       u64 spte = 0ull;
++      if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++              return spte;
++
+       walk_shadow_page_lockless_begin(vcpu);
+       for_each_shadow_entry_lockless(vcpu, addr, iterator, spte)
+               if (!is_shadow_present_pte(spte))
+@@ -4332,6 +4338,9 @@ int kvm_mmu_get_spte_hierarchy(struct kv
+       u64 spte;
+       int nr_sptes = 0;
++      if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++              return nr_sptes;
++
+       walk_shadow_page_lockless_begin(vcpu);
+       for_each_shadow_entry_lockless(vcpu, addr, iterator, spte) {
+               sptes[iterator.level-1] = spte;
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -423,6 +423,9 @@ static int FNAME(fetch)(struct kvm_vcpu
+       if (FNAME(gpte_changed)(vcpu, gw, top_level))
+               goto out_gpte_changed;
++      if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++              goto out_gpte_changed;
++
+       for (shadow_walk_init(&it, vcpu, addr);
+            shadow_walk_okay(&it) && it.level > gw->level;
+            shadow_walk_next(&it)) {
+@@ -671,6 +674,11 @@ static void FNAME(invlpg)(struct kvm_vcp
+        */
+       mmu_topup_memory_caches(vcpu);
++      if (!VALID_PAGE(vcpu->arch.mmu.root_hpa)) {
++              WARN_ON(1);
++              return;
++      }
++
+       spin_lock(&vcpu->kvm->mmu_lock);
+       for_each_shadow_entry(vcpu, gva, iterator) {
+               level = iterator.level;
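Review bot: The five root_hpa guards added here disagree on reporting: FNAME(invlpg) uses an unconditional `WARN_ON(1)`, while fast_page_fault, walk_shadow_page_get_mmio_spte, kvm_mmu_get_spte_hierarchy and FNAME(fetch) return silently. If the invalid-root state can be reached repeatedly from guest activity (the earlier __direct_map fix describes call chains that suggest it can, but that is not shown for invlpg), an unbounded WARN floods the host log and is fatal on hosts that panic on warnings. A rate-limited form would be safer: `if (WARN_ON_ONCE(!VALID_PAGE(vcpu->arch.mmu.root_hpa))) return;`. In FNAME(fetch) the guard jumps to `out_gpte_changed`, a label whose name describes a different condition, so a comment such as `/* invalid root: treat like a changed gpte so the fault is retried */` would help. All five functions start and end outside the hunks shown.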
index 461312481fccae73fee6d27218206f51151067ab..029dbc32ee1e94ea55604c74f0957c4bb35f1b54 100644 (file)
@@ -13,3 +13,8 @@ p54-clamp-properly-instead-of-just-truncating.patch
 regulator-core-replace-direct-ops-disable-usage.patch
 arm-move-outer_cache-declaration-out-of-ifdef.patch
 arm-highbank-avoid-l2-cache-smc-calls-when-pl310-is-not.patch
+input-elantech-improve-clickpad-detection.patch
+kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch
+kvm-x86-handle-invalid-root_hpa-everywhere.patch
+kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch
+input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch