--- /dev/null
+From 22315a2296f4c251fa92aec45fbbae37e9301b6c Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 13 Apr 2021 17:08:04 -0700
+Subject: arm64: alternatives: Move length validation in alternative_{insn, endif}
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 22315a2296f4c251fa92aec45fbbae37e9301b6c upstream.
+
+After commit 2decad92f473 ("arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is
+set atomically"), LLVM's integrated assembler fails to build entry.S:
+
+<instantiation>:5:7: error: expected assembly-time absolute expression
+ .org . - (664b-663b) + (662b-661b)
+ ^
+<instantiation>:6:7: error: expected assembly-time absolute expression
+ .org . - (662b-661b) + (664b-663b)
+ ^
+
+The root cause is LLVM's assembler has a one-pass design, meaning it
+cannot figure out these instruction lengths when the .org directive is
+outside of the subsection that they are in, which was changed by the
+.arch_extension directive added in the above commit.
+
+Apply the same fix from commit 966a0acce2fc ("arm64/alternatives: move
+length validation inside the subsection") to the alternative_endif
+macro, shuffling the .org directives so that the length validation
+happen will always happen in the same subsections. alternative_insn has
+not shown any issue yet but it appears that it could have the same issue
+in the future so just preemptively change it.
+
+Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences")
+Cc: <stable@vger.kernel.org> # 5.8.x
+Link: https://github.com/ClangBuiltLinux/linux/issues/1347
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/r/20210414000803.662534-1-nathan@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/alternative-macros.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/alternative-macros.h
++++ b/arch/arm64/include/asm/alternative-macros.h
+@@ -97,9 +97,9 @@
+ .popsection
+ .subsection 1
+ 663: \insn2
+-664: .previous
+- .org . - (664b-663b) + (662b-661b)
++664: .org . - (664b-663b) + (662b-661b)
+ .org . - (662b-661b) + (664b-663b)
++ .previous
+ .endif
+ .endm
+
+@@ -169,11 +169,11 @@
+ */
+ .macro alternative_endif
+ 664:
++ .org . - (664b-663b) + (662b-661b)
++ .org . - (662b-661b) + (664b-663b)
+ .if .Lasm_alt_mode==0
+ .previous
+ .endif
+- .org . - (664b-663b) + (662b-661b)
+- .org . - (662b-661b) + (664b-663b)
+ .endm
+
+ /*
--- /dev/null
+From 185f2e5f51c2029efd9dd26cceb968a44fe053c6 Mon Sep 17 00:00:00 2001
+From: Peter Collingbourne <pcc@google.com>
+Date: Thu, 1 Apr 2021 09:51:10 -0700
+Subject: arm64: fix inline asm in load_unaligned_zeropad()
+
+From: Peter Collingbourne <pcc@google.com>
+
+commit 185f2e5f51c2029efd9dd26cceb968a44fe053c6 upstream.
+
+The inline asm's addr operand is marked as input-only, however in
+the case where an exception is taken it may be modified by the BIC
+instruction on the exception path. Fix the problem by using a temporary
+register as the destination register for the BIC instruction.
+
+Signed-off-by: Peter Collingbourne <pcc@google.com>
+Cc: stable@vger.kernel.org
+Link: https://linux-review.googlesource.com/id/I84538c8a2307d567b4f45bb20b715451005f9617
+Link: https://lore.kernel.org/r/20210401165110.3952103-1-pcc@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/word-at-a-time.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/include/asm/word-at-a-time.h
++++ b/arch/arm64/include/asm/word-at-a-time.h
+@@ -53,7 +53,7 @@ static inline unsigned long find_zero(un
+ */
+ static inline unsigned long load_unaligned_zeropad(const void *addr)
+ {
+- unsigned long ret, offset;
++ unsigned long ret, tmp;
+
+ /* Load word from unaligned pointer addr */
+ asm(
+@@ -61,9 +61,9 @@ static inline unsigned long load_unalign
+ "2:\n"
+ " .pushsection .fixup,\"ax\"\n"
+ " .align 2\n"
+- "3: and %1, %2, #0x7\n"
+- " bic %2, %2, #0x7\n"
+- " ldr %0, [%2]\n"
++ "3: bic %1, %2, #0x7\n"
++ " ldr %0, [%1]\n"
++ " and %1, %2, #0x7\n"
+ " lsl %1, %1, #0x3\n"
+ #ifndef __AARCH64EB__
+ " lsr %0, %0, %1\n"
+@@ -73,7 +73,7 @@ static inline unsigned long load_unalign
+ " b 2b\n"
+ " .popsection\n"
+ _ASM_EXTABLE(1b, 3b)
+- : "=&r" (ret), "=&r" (offset)
++ : "=&r" (ret), "=&r" (tmp)
+ : "r" (addr), "Q" (*(unsigned long *)addr));
+
+ return ret;
--- /dev/null
+From 2decad92f4731fac9755a083fcfefa66edb7d67d Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Fri, 9 Apr 2021 18:37:10 +0100
+Subject: arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 2decad92f4731fac9755a083fcfefa66edb7d67d upstream.
+
+The entry from EL0 code checks the TFSRE0_EL1 register for any
+asynchronous tag check faults in user space and sets the
+TIF_MTE_ASYNC_FAULT flag. This is not done atomically, potentially
+racing with another CPU calling set_tsk_thread_flag().
+
+Replace the non-atomic ORR+STR with an STSET instruction. While STSET
+requires ARMv8.1 and an assembler that understands LSE atomics, the MTE
+feature is part of ARMv8.5 and already requires an updated assembler.
+
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Fixes: 637ec831ea4f ("arm64: mte: Handle synchronous and asynchronous tag check faults")
+Cc: <stable@vger.kernel.org> # 5.10.x
+Reported-by: Will Deacon <will@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20210409173710.18582-1-catalin.marinas@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Kconfig | 6 +++++-
+ arch/arm64/kernel/entry.S | 10 ++++++----
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1399,10 +1399,13 @@ config ARM64_PAN
+ config AS_HAS_LDAPR
+ def_bool $(as-instr,.arch_extension rcpc)
+
++config AS_HAS_LSE_ATOMICS
++ def_bool $(as-instr,.arch_extension lse)
++
+ config ARM64_LSE_ATOMICS
+ bool
+ default ARM64_USE_LSE_ATOMICS
+- depends on $(as-instr,.arch_extension lse)
++ depends on AS_HAS_LSE_ATOMICS
+
+ config ARM64_USE_LSE_ATOMICS
+ bool "Atomic instructions"
+@@ -1659,6 +1662,7 @@ config ARM64_MTE
+ default y
+ depends on ARM64_AS_HAS_MTE && ARM64_TAGGED_ADDR_ABI
+ depends on AS_HAS_ARMV8_5
++ depends on AS_HAS_LSE_ATOMICS
+ # Required for tag checking in the uaccess routines
+ depends on ARM64_PAN
+ select ARCH_USES_HIGH_VMA_FLAGS
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -148,16 +148,18 @@ alternative_cb_end
+ .endm
+
+ /* Check for MTE asynchronous tag check faults */
+- .macro check_mte_async_tcf, flgs, tmp
++ .macro check_mte_async_tcf, tmp, ti_flags
+ #ifdef CONFIG_ARM64_MTE
++ .arch_extension lse
+ alternative_if_not ARM64_MTE
+ b 1f
+ alternative_else_nop_endif
+ mrs_s \tmp, SYS_TFSRE0_EL1
+ tbz \tmp, #SYS_TFSR_EL1_TF0_SHIFT, 1f
+ /* Asynchronous TCF occurred for TTBR0 access, set the TI flag */
+- orr \flgs, \flgs, #_TIF_MTE_ASYNC_FAULT
+- str \flgs, [tsk, #TSK_TI_FLAGS]
++ mov \tmp, #_TIF_MTE_ASYNC_FAULT
++ add \ti_flags, tsk, #TSK_TI_FLAGS
++ stset \tmp, [\ti_flags]
+ msr_s SYS_TFSRE0_EL1, xzr
+ 1:
+ #endif
+@@ -244,7 +246,7 @@ alternative_else_nop_endif
+ disable_step_tsk x19, x20
+
+ /* Check for asynchronous tag check faults in user space */
+- check_mte_async_tcf x19, x22
++ check_mte_async_tcf x22, x23
+ apply_ssbd 1, x22, x23
+
+ ptrauth_keys_install_kernel tsk, x20, x22, x23
--- /dev/null
+From 8ca7cab82bda4eb0b8064befeeeaa38106cac637 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@google.com>
+Date: Wed, 14 Apr 2021 08:28:28 -0700
+Subject: dm verity fec: fix misaligned RS roots IO
+
+From: Jaegeuk Kim <jaegeuk@google.com>
+
+commit 8ca7cab82bda4eb0b8064befeeeaa38106cac637 upstream.
+
+commit df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to
+block size") introduced the possibility for misaligned roots IO
+relative to the underlying device's logical block size. E.g. Android's
+default RS roots=2 results in dm_bufio->block_size=1024, which causes
+the following EIO if the logical block size of the device is 4096,
+given v->data_dev_block_bits=12:
+
+E sd 0 : 0:0:0: [sda] tag#30 request not aligned to the logical block size
+E blk_update_request: I/O error, dev sda, sector 10368424 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
+E device-mapper: verity-fec: 254:8: FEC 9244672: parity read failed (block 18056): -5
+
+Fix this by onlu using f->roots for dm_bufio blocksize IFF it is
+aligned to v->data_dev_block_bits.
+
+Fixes: df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-fec.c | 11 ++++++++---
+ drivers/md/dm-verity-fec.h | 1 +
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -65,7 +65,7 @@ static u8 *fec_read_parity(struct dm_ver
+ u8 *res;
+
+ position = (index + rsb) * v->fec->roots;
+- block = div64_u64_rem(position, v->fec->roots << SECTOR_SHIFT, &rem);
++ block = div64_u64_rem(position, v->fec->io_size, &rem);
+ *offset = (unsigned)rem;
+
+ res = dm_bufio_read(v->fec->bufio, block, buf);
+@@ -154,7 +154,7 @@ static int fec_decode_bufs(struct dm_ver
+
+ /* read the next block when we run out of parity bytes */
+ offset += v->fec->roots;
+- if (offset >= v->fec->roots << SECTOR_SHIFT) {
++ if (offset >= v->fec->io_size) {
+ dm_bufio_release(buf);
+
+ par = fec_read_parity(v, rsb, block_offset, &offset, &buf);
+@@ -742,8 +742,13 @@ int verity_fec_ctr(struct dm_verity *v)
+ return -E2BIG;
+ }
+
++ if ((f->roots << SECTOR_SHIFT) & ((1 << v->data_dev_block_bits) - 1))
++ f->io_size = 1 << v->data_dev_block_bits;
++ else
++ f->io_size = v->fec->roots << SECTOR_SHIFT;
++
+ f->bufio = dm_bufio_client_create(f->dev->bdev,
+- f->roots << SECTOR_SHIFT,
++ f->io_size,
+ 1, 0, NULL, NULL);
+ if (IS_ERR(f->bufio)) {
+ ti->error = "Cannot initialize FEC bufio client";
+--- a/drivers/md/dm-verity-fec.h
++++ b/drivers/md/dm-verity-fec.h
+@@ -36,6 +36,7 @@ struct dm_verity_fec {
+ struct dm_dev *dev; /* parity data device */
+ struct dm_bufio_client *data_bufio; /* for data dev access */
+ struct dm_bufio_client *bufio; /* for parity data access */
++ size_t io_size; /* IO size for roots */
+ sector_t start; /* parity data start in blocks */
+ sector_t blocks; /* number of blocks covered */
+ sector_t rounds; /* number of interleaving rounds */
--- /dev/null
+From bf52dc49ba0101f648b4c3ea26b812061406b0d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Sat, 27 Mar 2021 02:59:45 +0200
+Subject: drm/i915: Don't zero out the Y plane's watermarks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit bf52dc49ba0101f648b4c3ea26b812061406b0d4 upstream.
+
+Don't zero out the watermarks for the Y plane since we've already
+computed them when computing the UV plane's watermarks (since the
+UV plane always appears before ethe Y plane when iterating through
+the planes).
+
+This leads to allocating no DDB for the Y plane since .min_ddb_alloc
+also gets zeroed. And that of course leads to underruns when scanning
+out planar formats.
+
+Cc: stable@vger.kernel.org
+Cc: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Fixes: dbf71381d733 ("drm/i915: Nuke intel_atomic_crtc_state_for_each_plane_state() from skl+ wm code")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210327005945.4929-1-ville.syrjala@linux.intel.com
+Reviewed-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+(cherry picked from commit f99b805fb9413ff007ca0b6add871737664117dd)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/intel_pm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -5539,12 +5539,12 @@ static int icl_build_plane_wm(struct int
+ struct skl_plane_wm *wm = &crtc_state->wm.skl.raw.planes[plane_id];
+ int ret;
+
+- memset(wm, 0, sizeof(*wm));
+-
+ /* Watermarks calculated in master */
+ if (plane_state->planar_slave)
+ return 0;
+
++ memset(wm, 0, sizeof(*wm));
++
+ if (plane_state->planar_linked_plane) {
+ const struct drm_framebuffer *fb = plane_state->hw.fb;
+ enum plane_id y_plane_id = plane_state->planar_linked_plane->id;
--- /dev/null
+From 276559d8d02c2709281578976ca2f53bc62063d4 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Thu, 11 Mar 2021 11:30:09 -0800
+Subject: HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 276559d8d02c2709281578976ca2f53bc62063d4 upstream.
+
+Valid HID_GENERIC type of devices set EV_KEY and EV_ABS by wacom_map_usage.
+When *_input_capabilities are reached, those devices should already have
+their proper EV_* set. EV_KEY and EV_ABS only need to be set for
+non-HID_GENERIC type of devices in *_input_capabilities.
+
+Devices that don't support HID descitoprs will pass back to hid-input for
+registration without being accidentally rejected by the introduction of
+patch: "Input: refuse to register absolute devices without absinfo"
+
+Fixes: 6ecfe51b4082 ("Input: refuse to register absolute devices without absinfo")
+Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
+Reviewed-by: Jason Gerecke <Jason.Gerecke@wacom.com>
+Tested-by: Juan Garrido <Juan.Garrido@wacom.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -3574,8 +3574,6 @@ int wacom_setup_pen_input_capabilities(s
+ {
+ struct wacom_features *features = &wacom_wac->features;
+
+- input_dev->evbit[0] |= BIT_MASK(EV_KEY) | BIT_MASK(EV_ABS);
+-
+ if (!(features->device_type & WACOM_DEVICETYPE_PEN))
+ return -ENODEV;
+
+@@ -3590,6 +3588,7 @@ int wacom_setup_pen_input_capabilities(s
+ return 0;
+ }
+
++ input_dev->evbit[0] |= BIT_MASK(EV_KEY) | BIT_MASK(EV_ABS);
+ __set_bit(BTN_TOUCH, input_dev->keybit);
+ __set_bit(ABS_MISC, input_dev->absbit);
+
+@@ -3742,8 +3741,6 @@ int wacom_setup_touch_input_capabilities
+ {
+ struct wacom_features *features = &wacom_wac->features;
+
+- input_dev->evbit[0] |= BIT_MASK(EV_KEY) | BIT_MASK(EV_ABS);
+-
+ if (!(features->device_type & WACOM_DEVICETYPE_TOUCH))
+ return -ENODEV;
+
+@@ -3756,6 +3753,7 @@ int wacom_setup_touch_input_capabilities
+ /* setup has already been done */
+ return 0;
+
++ input_dev->evbit[0] |= BIT_MASK(EV_KEY) | BIT_MASK(EV_ABS);
+ __set_bit(BTN_TOUCH, input_dev->keybit);
+
+ if (features->touch_max == 1) {
--- /dev/null
+From daa58c8eec0a65ac8e2e77ff3ea8a233d8eec954 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 23 Mar 2021 09:56:34 -0700
+Subject: Input: i8042 - fix Pegatron C15B ID entry
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit daa58c8eec0a65ac8e2e77ff3ea8a233d8eec954 upstream.
+
+The Zenbook Flip entry that was added overwrites a previous one
+because of a typo:
+
+In file included from drivers/input/serio/i8042.h:23,
+ from drivers/input/serio/i8042.c:131:
+drivers/input/serio/i8042-x86ia64io.h:591:28: error: initialized field overwritten [-Werror=override-init]
+ 591 | .matches = {
+ | ^
+drivers/input/serio/i8042-x86ia64io.h:591:28: note: (near initialization for 'i8042_dmi_noselftest_table[0].matches')
+
+Add the missing separator between the two.
+
+Fixes: b5d6e7ab7fe7 ("Input: i8042 - add ASUS Zenbook Flip to noselftest list")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Marcos Paulo de Souza <mpdesouza@suse.com>
+Link: https://lore.kernel.org/r/20210323130623.2302402-1-arnd@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -588,6 +588,7 @@ static const struct dmi_system_id i8042_
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_CHASSIS_TYPE, "10"), /* Notebook */
+ },
++ }, {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_CHASSIS_TYPE, "31"), /* Convertible Notebook */
--- /dev/null
+From 30b3f68715595dee7fe4d9bd91a2252c3becdf0a Mon Sep 17 00:00:00 2001
+From: Caleb Connolly <caleb@connolly.tech>
+Date: Sun, 7 Mar 2021 15:12:22 -0800
+Subject: Input: s6sy761 - fix coordinate read bit shift
+
+From: Caleb Connolly <caleb@connolly.tech>
+
+commit 30b3f68715595dee7fe4d9bd91a2252c3becdf0a upstream.
+
+The touch coordinate register contains the following:
+
+ byte 3 byte 2 byte 1
++--------+--------+ +-----------------+ +-----------------+
+| | | | | | |
+| X[3:0] | Y[3:0] | | Y[11:4] | | X[11:4] |
+| | | | | | |
++--------+--------+ +-----------------+ +-----------------+
+
+Bytes 2 and 1 need to be shifted left by 4 bits, the least significant
+nibble of each is stored in byte 3. Currently they are only
+being shifted by 3 causing the reported coordinates to be incorrect.
+
+This matches downstream examples, and has been confirmed on my
+device (OnePlus 7 Pro).
+
+Fixes: 0145a7141e59 ("Input: add support for the Samsung S6SY761 touchscreen")
+Signed-off-by: Caleb Connolly <caleb@connolly.tech>
+Reviewed-by: Andi Shyti <andi@etezian.org>
+Link: https://lore.kernel.org/r/20210305185710.225168-1-caleb@connolly.tech
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/s6sy761.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/touchscreen/s6sy761.c
++++ b/drivers/input/touchscreen/s6sy761.c
+@@ -145,8 +145,8 @@ static void s6sy761_report_coordinates(s
+ u8 major = event[4];
+ u8 minor = event[5];
+ u8 z = event[6] & S6SY761_MASK_Z;
+- u16 x = (event[1] << 3) | ((event[3] & S6SY761_MASK_X) >> 4);
+- u16 y = (event[2] << 3) | (event[3] & S6SY761_MASK_Y);
++ u16 x = (event[1] << 4) | ((event[3] & S6SY761_MASK_X) >> 4);
++ u16 y = (event[2] << 4) | (event[3] & S6SY761_MASK_Y);
+
+ input_mt_slot(sdata->input, tid);
+
--- /dev/null
+From 0c93ac69407d63a85be0129aa55ffaec27ffebd3 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 17 Apr 2021 09:27:04 -0700
+Subject: readdir: make sure to verify directory entry for legacy interfaces too
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0c93ac69407d63a85be0129aa55ffaec27ffebd3 upstream.
+
+This does the directory entry name verification for the legacy
+"fillonedir" (and compat) interface that goes all the way back to the
+dark ages before we had a proper dirent, and the readdir() system call
+returned just a single entry at a time.
+
+Nobody should use this interface unless you still have binaries from
+1991, but let's do it right.
+
+This came up during discussions about unsafe_copy_to_user() and proper
+checking of all the inputs to it, as the networking layer is looking to
+use it in a few new places. So let's make sure the _old_ users do it
+all right and proper, before we add new ones.
+
+See also commit 8a23eb804ca4 ("Make filldir[64]() verify the directory
+entry filename is valid") which did the proper modern interfaces that
+people actually use. It had a note:
+
+ Note that I didn't bother adding the checks to any legacy interfaces
+ that nobody uses.
+
+which this now corrects. Note that we really don't care about POSIX and
+the presense of '/' in a directory entry, but verify_dirent_name() also
+ends up doing the proper name length verification which is what the
+input checking discussion was about.
+
+[ Another option would be to remove the support for this particular very
+ old interface: any binaries that use it are likely a.out binaries, and
+ they will no longer run anyway since we removed a.out binftm support
+ in commit eac616557050 ("x86: Deprecate a.out support").
+
+ But I'm not sure which came first: getdents() or ELF support, so let's
+ pretend somebody might still have a working binary that uses the
+ legacy readdir() case.. ]
+
+Link: https://lore.kernel.org/lkml/CAHk-=wjbvzCAhAtvG0d81W5o0-KT5PPTHhfJ5ieDFq+bGtgOYg@mail.gmail.com/
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/readdir.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/readdir.c
++++ b/fs/readdir.c
+@@ -150,6 +150,9 @@ static int fillonedir(struct dir_context
+
+ if (buf->result)
+ return -EINVAL;
++ buf->result = verify_dirent_name(name, namlen);
++ if (buf->result < 0)
++ return buf->result;
+ d_ino = ino;
+ if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
+ buf->result = -EOVERFLOW;
+@@ -405,6 +408,9 @@ static int compat_fillonedir(struct dir_
+
+ if (buf->result)
+ return -EINVAL;
++ buf->result = verify_dirent_name(name, namlen);
++ if (buf->result < 0)
++ return buf->result;
+ d_ino = ino;
+ if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
+ buf->result = -EOVERFLOW;
--- /dev/null
+From 199fc6b8dee7d6d50467a57e0dc7e3e1b7d59966 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Mon, 29 Mar 2021 11:13:07 +0800
+Subject: riscv: Fix spelling mistake "SPARSEMEM" to "SPARSMEM"
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+commit 199fc6b8dee7d6d50467a57e0dc7e3e1b7d59966 upstream.
+
+There is a spelling mistake when SPARSEMEM Kconfig copy.
+
+Fixes: a5406a7ff56e ("riscv: Correct SPARSEMEM configuration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/Kconfig
++++ b/arch/riscv/Kconfig
+@@ -147,7 +147,7 @@ config ARCH_FLATMEM_ENABLE
+ config ARCH_SPARSEMEM_ENABLE
+ def_bool y
+ depends on MMU
+- select SPARSEMEM_STATIC if 32BIT && SPARSMEM
++ select SPARSEMEM_STATIC if 32BIT && SPARSEMEM
+ select SPARSEMEM_VMEMMAP_ENABLE if 64BIT
+
+ config ARCH_SELECT_MEMORY_MODEL
virt_wifi-return-micros-for-bss-tsf-values.patch
lib-fix-kconfig-dependency-on-arch_want_frame_pointe.patch
net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
+input-s6sy761-fix-coordinate-read-bit-shift.patch
+input-i8042-fix-pegatron-c15b-id-entry.patch
+hid-wacom-set-ev_key-and-ev_abs-only-for-non-hid_generic-type-of-devices.patch
+dm-verity-fec-fix-misaligned-rs-roots-io.patch
+readdir-make-sure-to-verify-directory-entry-for-legacy-interfaces-too.patch
+drm-i915-don-t-zero-out-the-y-plane-s-watermarks.patch
+arm64-fix-inline-asm-in-load_unaligned_zeropad.patch
+arm64-mte-ensure-tif_mte_async_fault-is-set-atomically.patch
+arm64-alternatives-move-length-validation-in-alternative_-insn-endif.patch
+vfio-pci-add-missing-range-check-in-vfio_pci_mmap.patch
+riscv-fix-spelling-mistake-sparsemem-to-sparsmem.patch
--- /dev/null
+From 909290786ea335366e21d7f1ed5812b90f2f0a92 Mon Sep 17 00:00:00 2001
+From: "Christian A. Ehrhardt" <lk@c--e.de>
+Date: Mon, 12 Apr 2021 23:41:24 +0200
+Subject: vfio/pci: Add missing range check in vfio_pci_mmap
+
+From: Christian A. Ehrhardt <lk@c--e.de>
+
+commit 909290786ea335366e21d7f1ed5812b90f2f0a92 upstream.
+
+When mmaping an extra device region verify that the region index
+derived from the mmap offset is valid.
+
+Fixes: a15b1883fee1 ("vfio_pci: Allow mapping extra regions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
+Message-Id: <20210412214124.GA241759@lisa.in-ulm.de>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/pci/vfio_pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -1658,6 +1658,8 @@ static int vfio_pci_mmap(void *device_da
+
+ index = vma->vm_pgoff >> (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT);
+
++ if (index >= VFIO_PCI_NUM_REGIONS + vdev->num_regions)
++ return -EINVAL;
+ if (vma->vm_end < vma->vm_start)
+ return -EINVAL;
+ if ((vma->vm_flags & VM_SHARED) == 0)
+@@ -1666,7 +1668,7 @@ static int vfio_pci_mmap(void *device_da
+ int regnum = index - VFIO_PCI_NUM_REGIONS;
+ struct vfio_pci_region *region = vdev->region + regnum;
+
+- if (region && region->ops && region->ops->mmap &&
++ if (region->ops && region->ops->mmap &&
+ (region->flags & VFIO_REGION_INFO_FLAG_MMAP))
+ return region->ops->mmap(vdev, region, vma);
+ return -EINVAL;
projects / thirdparty / kernel / stable-queue.git / commitdiff
