From: Greg Kroah-Hartman Date: Mon, 3 Apr 2023 08:12:01 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.14.312~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08659a3a89e03d7963ecfb92a106038056d14b34;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch input-alps-fix-compatibility-with-funsigned-char.patch input-focaltech-use-explicitly-signed-char-type.patch input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch --- diff --git a/queue-5.4/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch b/queue-5.4/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch new file mode 100644 index 00000000000..97a51f75208 --- /dev/null +++ b/queue-5.4/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch @@ -0,0 +1,62 @@ +From 179a88a8558bbf42991d361595281f3e45d7edfc Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Wed, 29 Mar 2023 22:24:06 +0200 +Subject: cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL + +From: David Disseldorp + +commit 179a88a8558bbf42991d361595281f3e45d7edfc upstream. + +When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount +is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to +S_AUTOMOUNT and corresponding dentry flags is retained regardless of +CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in +VFS follow_automount() when traversing a DFS referral link: + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ... + Call Trace: + + __traverse_mounts+0xb5/0x220 + ? cifs_revalidate_mapping+0x65/0xc0 [cifs] + step_into+0x195/0x610 + ? lookup_fast+0xe2/0xf0 + path_lookupat+0x64/0x140 + filename_lookup+0xc2/0x140 + ? __create_object+0x299/0x380 + ? kmem_cache_alloc+0x119/0x220 + ? user_path_at_empty+0x31/0x50 + user_path_at_empty+0x31/0x50 + __x64_sys_chdir+0x2a/0xd0 + ? exit_to_user_mode_prepare+0xca/0x100 + do_syscall_64+0x42/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler +when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to +avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This +approach was chosen as it provides more control over the error path. + +Signed-off-by: David Disseldorp +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (SUSE) +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/cifs/cifsfs.h ++++ b/fs/cifs/cifsfs.h +@@ -125,7 +125,10 @@ extern const struct dentry_operations ci + #ifdef CONFIG_CIFS_DFS_UPCALL + extern struct vfsmount *cifs_dfs_d_automount(struct path *path); + #else +-#define cifs_dfs_d_automount NULL ++static inline struct vfsmount *cifs_dfs_d_automount(struct path *path) ++{ ++ return ERR_PTR(-EREMOTE); ++} + #endif + + /* Functions related to symlinks */ diff --git a/queue-5.4/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch b/queue-5.4/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch new file mode 100644 index 00000000000..5c091d9f64d --- /dev/null +++ b/queue-5.4/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch @@ -0,0 +1,40 @@ +From 09ba47b44d26b475bbdf9c80db9e0193d2b58956 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 29 Mar 2023 17:14:22 -0300 +Subject: cifs: prevent infinite recursion in CIFSGetDFSRefer() + +From: Paulo Alcantara + +commit 09ba47b44d26b475bbdf9c80db9e0193d2b58956 upstream. + +We can't call smb_init() in CIFSGetDFSRefer() as cifs_reconnect_tcon() +may end up calling CIFSGetDFSRefer() again to get new DFS referrals +and thus causing an infinite recursion. + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Ronnie Sahlberg +Cc: stable@vger.kernel.org # 6.2 +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifssmb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -4933,8 +4933,13 @@ CIFSGetDFSRefer(const unsigned int xid, + return -ENODEV; + + getDFSRetry: +- rc = smb_init(SMB_COM_TRANSACTION2, 15, ses->tcon_ipc, (void **) &pSMB, +- (void **) &pSMBr); ++ /* ++ * Use smb_init_no_reconnect() instead of smb_init() as ++ * CIFSGetDFSRefer() may be called from cifs_reconnect_tcon() and thus ++ * causing an infinite recursion. ++ */ ++ rc = smb_init_no_reconnect(SMB_COM_TRANSACTION2, 15, ses->tcon_ipc, ++ (void **)&pSMB, (void **)&pSMBr); + if (rc) + return rc; + diff --git a/queue-5.4/input-alps-fix-compatibility-with-funsigned-char.patch b/queue-5.4/input-alps-fix-compatibility-with-funsigned-char.patch new file mode 100644 index 00000000000..ffd0054172a --- /dev/null +++ b/queue-5.4/input-alps-fix-compatibility-with-funsigned-char.patch @@ -0,0 +1,77 @@ +From 754ff5060daf5a1cf4474eff9b4edeb6c17ef7ab Mon Sep 17 00:00:00 2001 +From: msizanoen +Date: Sun, 19 Mar 2023 23:02:56 -0700 +Subject: Input: alps - fix compatibility with -funsigned-char + +From: msizanoen + +commit 754ff5060daf5a1cf4474eff9b4edeb6c17ef7ab upstream. + +The AlpsPS/2 code previously relied on the assumption that `char` is a +signed type, which was true on x86 platforms (the only place where this +driver is used) before kernel 6.2. However, on 6.2 and later, this +assumption is broken due to the introduction of -funsigned-char as a new +global compiler flag. + +Fix this by explicitly specifying the signedness of `char` when sign +extending the values received from the device. + +Fixes: f3f33c677699 ("Input: alps - Rushmore and v7 resolution support") +Signed-off-by: msizanoen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230320045228.182259-1-msizanoen@qtmlabs.xyz +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/alps.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -852,8 +852,8 @@ static void alps_process_packet_v6(struc + x = y = z = 0; + + /* Divide 4 since trackpoint's speed is too fast */ +- input_report_rel(dev2, REL_X, (char)x / 4); +- input_report_rel(dev2, REL_Y, -((char)y / 4)); ++ input_report_rel(dev2, REL_X, (s8)x / 4); ++ input_report_rel(dev2, REL_Y, -((s8)y / 4)); + + psmouse_report_standard_buttons(dev2, packet[3]); + +@@ -1104,8 +1104,8 @@ static void alps_process_trackstick_pack + ((packet[3] & 0x20) << 1); + z = (packet[5] & 0x3f) | ((packet[3] & 0x80) >> 1); + +- input_report_rel(dev2, REL_X, (char)x); +- input_report_rel(dev2, REL_Y, -((char)y)); ++ input_report_rel(dev2, REL_X, (s8)x); ++ input_report_rel(dev2, REL_Y, -((s8)y)); + input_report_abs(dev2, ABS_PRESSURE, z); + + psmouse_report_standard_buttons(dev2, packet[1]); +@@ -2294,20 +2294,20 @@ static int alps_get_v3_v7_resolution(str + if (reg < 0) + return reg; + +- x_pitch = (char)(reg << 4) >> 4; /* sign extend lower 4 bits */ ++ x_pitch = (s8)(reg << 4) >> 4; /* sign extend lower 4 bits */ + x_pitch = 50 + 2 * x_pitch; /* In 0.1 mm units */ + +- y_pitch = (char)reg >> 4; /* sign extend upper 4 bits */ ++ y_pitch = (s8)reg >> 4; /* sign extend upper 4 bits */ + y_pitch = 36 + 2 * y_pitch; /* In 0.1 mm units */ + + reg = alps_command_mode_read_reg(psmouse, reg_pitch + 1); + if (reg < 0) + return reg; + +- x_electrode = (char)(reg << 4) >> 4; /* sign extend lower 4 bits */ ++ x_electrode = (s8)(reg << 4) >> 4; /* sign extend lower 4 bits */ + x_electrode = 17 + x_electrode; + +- y_electrode = (char)reg >> 4; /* sign extend upper 4 bits */ ++ y_electrode = (s8)reg >> 4; /* sign extend upper 4 bits */ + y_electrode = 13 + y_electrode; + + x_phys = x_pitch * (x_electrode - 1); /* In 0.1 mm units */ diff --git a/queue-5.4/input-focaltech-use-explicitly-signed-char-type.patch b/queue-5.4/input-focaltech-use-explicitly-signed-char-type.patch new file mode 100644 index 00000000000..1ee4c59f373 --- /dev/null +++ b/queue-5.4/input-focaltech-use-explicitly-signed-char-type.patch @@ -0,0 +1,50 @@ +From 8980f190947ba29f23110408e712444884b74251 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sun, 19 Mar 2023 21:36:36 -0700 +Subject: Input: focaltech - use explicitly signed char type + +From: Jason A. Donenfeld + +commit 8980f190947ba29f23110408e712444884b74251 upstream. + +The recent change of -funsigned-char causes additions of negative +numbers to become additions of large positive numbers, leading to wrong +calculations of mouse movement. Change these casts to be explicitly +signed, to take into account negative offsets. + +Fixes: 3bc753c06dd0 ("kbuild: treat char as always unsigned") +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Hans de Goede +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217211 +Link: https://lore.kernel.org/r/20230318133010.1285202-1-Jason@zx2c4.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/focaltech.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/mouse/focaltech.c ++++ b/drivers/input/mouse/focaltech.c +@@ -202,8 +202,8 @@ static void focaltech_process_rel_packet + state->pressed = packet[0] >> 7; + finger1 = ((packet[0] >> 4) & 0x7) - 1; + if (finger1 < FOC_MAX_FINGERS) { +- state->fingers[finger1].x += (char)packet[1]; +- state->fingers[finger1].y += (char)packet[2]; ++ state->fingers[finger1].x += (s8)packet[1]; ++ state->fingers[finger1].y += (s8)packet[2]; + } else { + psmouse_err(psmouse, "First finger in rel packet invalid: %d\n", + finger1); +@@ -218,8 +218,8 @@ static void focaltech_process_rel_packet + */ + finger2 = ((packet[3] >> 4) & 0x7) - 1; + if (finger2 < FOC_MAX_FINGERS) { +- state->fingers[finger2].x += (char)packet[4]; +- state->fingers[finger2].y += (char)packet[5]; ++ state->fingers[finger2].x += (s8)packet[4]; ++ state->fingers[finger2].y += (s8)packet[5]; + } + } + diff --git a/queue-5.4/input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch b/queue-5.4/input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch new file mode 100644 index 00000000000..fde4e2746e4 --- /dev/null +++ b/queue-5.4/input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch @@ -0,0 +1,53 @@ +From 8a0432bab6ea3203d220785da7ab3c7677f70ecb Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 17 Mar 2023 03:13:12 -0700 +Subject: Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table + +From: Hans de Goede + +commit 8a0432bab6ea3203d220785da7ab3c7677f70ecb upstream. + +The Android Lenovo Yoga Book X90F / X90L uses the same goodix touchscreen +with 9 bytes touch reports for its touch keyboard as the already supported +Windows Lenovo Yoga Book X91F/L, add a DMI match for this to +the nine_bytes_report DMI table. + +When the quirk for the X91F/L was initially added it was written to +also apply to the X90F/L but this does not work because the Android +version of the Yoga Book uses completely different DMI strings. +Also adjust the X91F/L quirk to reflect that it only applies to +the X91F/L models. + +Signed-off-by: Hans de Goede +Reviewed-by: Bastien Nocera +Link: https://lore.kernel.org/r/20230315134442.71787-1-hdegoede@redhat.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/goodix.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -170,10 +170,18 @@ static const struct dmi_system_id rotate + static const struct dmi_system_id nine_bytes_report[] = { + #if defined(CONFIG_DMI) && defined(CONFIG_X86) + { +- .ident = "Lenovo YogaBook", +- /* YB1-X91L/F and YB1-X90L/F */ ++ /* Lenovo Yoga Book X90F / X90L */ + .matches = { +- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9") ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), ++ } ++ }, ++ { ++ /* Lenovo Yoga Book X91F / X91L */ ++ .matches = { ++ /* Non exact match to match F + L versions */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"), + } + }, + #endif diff --git a/queue-5.4/series b/queue-5.4/series index 13351d060d0..a783a574fc0 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -86,3 +86,8 @@ bnxt_en-fix-typo-in-pci-id-to-device-description-str.patch net-dsa-mv88e6xxx-enable-igmp-snooping-on-user-ports.patch net-mvneta-make-tx-buffer-array-agnostic.patch pinctrl-ocelot-fix-alt-mode-for-ocelot.patch +input-alps-fix-compatibility-with-funsigned-char.patch +input-focaltech-use-explicitly-signed-char-type.patch +cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch +cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch +input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch