From: Greg Kroah-Hartman Date: Thu, 1 Sep 2022 18:49:20 +0000 (+0200) Subject: 5.19-stable patches X-Git-Tag: v4.9.327~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0988c592ae91e8b32eff56a30d5a8f2f9ae33ff2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.19-stable patches added patches: alsa-usb-audio-add-quirk-for-lh-labs-geek-out-hd-audio-1v5.patch hid-add-apple-touchbar-on-t2-macs-in-hid_have_special_driver-list.patch hid-add-lenovo-yoga-c630-battery-quirk.patch hid-amd_sfh-add-a-dmi-quirk-entry-for-chromebooks.patch hid-asus-rog-nkey-ignore-portion-of-0x5a-report.patch hid-input-fix-uclogic-tablets.patch hid-intel-ish-hid-ipc-add-meteor-lake-pci-device-id.patch hid-nintendo-fix-rumble-worker-null-pointer-deref.patch hid-thrustmaster-add-sparco-wheel-and-fix-array-length.patch mm-rmap-fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch --- diff --git a/queue-5.19/alsa-usb-audio-add-quirk-for-lh-labs-geek-out-hd-audio-1v5.patch b/queue-5.19/alsa-usb-audio-add-quirk-for-lh-labs-geek-out-hd-audio-1v5.patch new file mode 100644 index 00000000000..e0e514d607a --- /dev/null +++ b/queue-5.19/alsa-usb-audio-add-quirk-for-lh-labs-geek-out-hd-audio-1v5.patch @@ -0,0 +1,35 @@ +From 5f3d9e8161bb8cb23ab3b4678cd13f6e90a06186 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 28 Aug 2022 09:41:43 +0200 +Subject: ALSA: usb-audio: Add quirk for LH Labs Geek Out HD Audio 1V5 + +From: Takashi Iwai + +commit 5f3d9e8161bb8cb23ab3b4678cd13f6e90a06186 upstream. + +The USB DAC from LH Labs (2522:0007) seems requiring the same quirk as +Sony Walkman to set up the interface like UAC1; otherwise it gets the +constant errors "usb_set_interface failed (-71)". This patch adds a +quirk entry for addressing the buggy behavior. + +Reported-by: Lennert Van Alboom +Cc: +Link: https://lore.kernel.org/r/T3VPXtCc4uFws9Gfh2RjX6OdwM1RqfC6VqQr--_LMDyB2x5N3p9_q6AtPna17IXhHwBtcJVdXuS80ZZSCMjh_BafIbnzJPhbrkmhmWS6DlI=@vanalboom.org +Link: https://lore.kernel.org/r/20220828074143.14736-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1903,6 +1903,8 @@ static const struct usb_audio_quirk_flag + QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER), + DEVICE_FLG(0x21b4, 0x0081, /* AudioQuest DragonFly */ + QUIRK_FLAG_GET_SAMPLE_RATE), ++ DEVICE_FLG(0x2522, 0x0007, /* LH Labs Geek Out HD Audio 1V5 */ ++ QUIRK_FLAG_SET_IFACE_FIRST), + DEVICE_FLG(0x2708, 0x0002, /* Audient iD14 */ + QUIRK_FLAG_IGNORE_CTL_ERROR), + DEVICE_FLG(0x2912, 0x30c8, /* Audioengine D1 */ diff --git a/queue-5.19/hid-add-apple-touchbar-on-t2-macs-in-hid_have_special_driver-list.patch b/queue-5.19/hid-add-apple-touchbar-on-t2-macs-in-hid_have_special_driver-list.patch new file mode 100644 index 00000000000..bbd6d8c1971 --- /dev/null +++ b/queue-5.19/hid-add-apple-touchbar-on-t2-macs-in-hid_have_special_driver-list.patch @@ -0,0 +1,59 @@ +From 750ec977288d96e9a11424e3507ede097af732c4 Mon Sep 17 00:00:00 2001 +From: Aditya Garg +Date: Sun, 21 Aug 2022 08:04:45 +0000 +Subject: HID: Add Apple Touchbar on T2 Macs in hid_have_special_driver list + +From: Aditya Garg + +commit 750ec977288d96e9a11424e3507ede097af732c4 upstream. + +The touchbar on Apple T2 Macs has 2 modes, one that shows the function +keys and other that shows the media controls. The user can use the fn +key on his keyboard to switch between the 2 modes. + +On Linux, if people were using an external keyboard or mouse, the +touchbar failed to change modes on pressing the fn key with the following +in dmesg :- + +[ 10.661445] apple-ib-als 0003:05AC:8262.0001: : USB HID v1.01 Device [Apple Inc. Ambient Light Sensor] on usb-bce-vhci-3/input0 +[ 11.830992] apple-ib-touchbar 0003:05AC:8302.0007: input: USB HID v1.01 Keyboard [Apple Inc. Touch Bar Display] on usb-bce-vhci-6/input0 +[ 12.139407] apple-ib-touchbar 0003:05AC:8102.0008: : USB HID v1.01 Device [Apple Inc. Touch Bar Backlight] on usb-bce-vhci-7/input0 +[ 12.211824] apple-ib-touchbar 0003:05AC:8102.0009: : USB HID v1.01 Device [Apple Inc. Touch Bar Backlight] on usb-bce-vhci-7/input1 +[ 14.219759] apple-ib-touchbar 0003:05AC:8302.0007: tb: Failed to set touch bar mode to 2 (-110) +[ 24.395670] apple-ib-touchbar 0003:05AC:8302.0007: tb: Failed to set touch bar mode to 2 (-110) +[ 34.635791] apple-ib-touchbar 0003:05AC:8302.0007: tb: Failed to set touch bar mode to 2 (-110) +[ 269.579233] apple-ib-touchbar 0003:05AC:8302.0007: tb: Failed to set touch bar mode to 1 (-110) + +Add the USB IDs of the touchbar found in T2 Macs to HID have special +driver list to fix the issue. + +Signed-off-by: Aditya Garg +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 2 ++ + drivers/hid/hid-quirks.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -185,6 +185,8 @@ + #define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_2021 0x029c + #define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_FINGERPRINT_2021 0x029a + #define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_2021 0x029f ++#define USB_DEVICE_ID_APPLE_TOUCHBAR_BACKLIGHT 0x8102 ++#define USB_DEVICE_ID_APPLE_TOUCHBAR_DISPLAY 0x8302 + + #define USB_VENDOR_ID_ASUS 0x0486 + #define USB_DEVICE_ID_ASUS_T91MT 0x0185 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -314,6 +314,8 @@ static const struct hid_device_id hid_ha + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY) }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_2021) }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_FINGERPRINT_2021) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_TOUCHBAR_BACKLIGHT) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_TOUCHBAR_DISPLAY) }, + #endif + #if IS_ENABLED(CONFIG_HID_APPLEIR) + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_IRCONTROL) }, diff --git a/queue-5.19/hid-add-lenovo-yoga-c630-battery-quirk.patch b/queue-5.19/hid-add-lenovo-yoga-c630-battery-quirk.patch new file mode 100644 index 00000000000..22fedb72c51 --- /dev/null +++ b/queue-5.19/hid-add-lenovo-yoga-c630-battery-quirk.patch @@ -0,0 +1,45 @@ +From 3a47fa7b14c7d9613909a844aba27f99d3c58634 Mon Sep 17 00:00:00 2001 +From: Steev Klimaszewski +Date: Thu, 18 Aug 2022 21:39:24 -0500 +Subject: HID: add Lenovo Yoga C630 battery quirk + +From: Steev Klimaszewski + +commit 3a47fa7b14c7d9613909a844aba27f99d3c58634 upstream. + +Similar to the Surface Go devices, the Elantech touchscreen/digitizer in +the Lenovo Yoga C630 mistakenly reports the battery of the stylus, and +always reports an empty battery. + +Apply the HID_BATTERY_QUIRK_IGNORE quirk to ignore this battery and +prevent the erroneous low battery warnings. + +Signed-off-by: Steev Klimaszewski +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-input.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -414,6 +414,7 @@ + #define USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN 0x2706 + #define I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN 0x261A + #define I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN 0x2A1C ++#define I2C_DEVICE_ID_LENOVO_YOGA_C630_TOUCHSCREEN 0x279F + + #define USB_VENDOR_ID_ELECOM 0x056e + #define USB_DEVICE_ID_ELECOM_BM084 0x0061 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -383,6 +383,8 @@ static const struct hid_device_id hid_ba + HID_BATTERY_QUIRK_IGNORE }, + { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN), + HID_BATTERY_QUIRK_IGNORE }, ++ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_LENOVO_YOGA_C630_TOUCHSCREEN), ++ HID_BATTERY_QUIRK_IGNORE }, + {} + }; + diff --git a/queue-5.19/hid-amd_sfh-add-a-dmi-quirk-entry-for-chromebooks.patch b/queue-5.19/hid-amd_sfh-add-a-dmi-quirk-entry-for-chromebooks.patch new file mode 100644 index 00000000000..f208b7ecffa --- /dev/null +++ b/queue-5.19/hid-amd_sfh-add-a-dmi-quirk-entry-for-chromebooks.patch @@ -0,0 +1,57 @@ +From adada3f4930ac084740ea340bd8e94028eba4f22 Mon Sep 17 00:00:00 2001 +From: Akihiko Odaki +Date: Tue, 16 Aug 2022 19:21:20 +0900 +Subject: HID: AMD_SFH: Add a DMI quirk entry for Chromebooks + +From: Akihiko Odaki + +commit adada3f4930ac084740ea340bd8e94028eba4f22 upstream. + +Google Chromebooks use Chrome OS Embedded Controller Sensor Hub instead +of Sensor Hub Fusion and leaves MP2 uninitialized, which disables all +functionalities, even including the registers necessary for feature +detections. + +The behavior was observed with Lenovo ThinkPad C13 Yoga. + +Signed-off-by: Akihiko Odaki +Suggested-by: Mario Limonciello +Acked-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c ++++ b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c +@@ -285,11 +285,29 @@ static int amd_sfh_irq_init(struct amd_m + return 0; + } + ++static const struct dmi_system_id dmi_nodevs[] = { ++ { ++ /* ++ * Google Chromebooks use Chrome OS Embedded Controller Sensor ++ * Hub instead of Sensor Hub Fusion and leaves MP2 ++ * uninitialized, which disables all functionalities, even ++ * including the registers necessary for feature detections. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Google"), ++ }, ++ }, ++ { } ++}; ++ + static int amd_mp2_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { + struct amd_mp2_dev *privdata; + int rc; + ++ if (dmi_first_match(dmi_nodevs)) ++ return -ENODEV; ++ + privdata = devm_kzalloc(&pdev->dev, sizeof(*privdata), GFP_KERNEL); + if (!privdata) + return -ENOMEM; diff --git a/queue-5.19/hid-asus-rog-nkey-ignore-portion-of-0x5a-report.patch b/queue-5.19/hid-asus-rog-nkey-ignore-portion-of-0x5a-report.patch new file mode 100644 index 00000000000..87914954e92 --- /dev/null +++ b/queue-5.19/hid-asus-rog-nkey-ignore-portion-of-0x5a-report.patch @@ -0,0 +1,40 @@ +From 1c0cc9d11c665020cbeb80e660fb8929164407f4 Mon Sep 17 00:00:00 2001 +From: Josh Kilmer +Date: Thu, 28 Jul 2022 12:51:11 -0500 +Subject: HID: asus: ROG NKey: Ignore portion of 0x5a report + +From: Josh Kilmer + +commit 1c0cc9d11c665020cbeb80e660fb8929164407f4 upstream. + +On an Asus G513QY, of the 5 bytes in a 0x5a report, only the first byte +is a meaningful keycode. The other bytes are zeroed out or hold garbage +from the last packet sent to the keyboard. + +This patch fixes up the report descriptor for this event so that the +general hid code will only process 1 byte for keycodes, avoiding +spurious key events and unmapped Asus vendor usagepage code warnings. + +Signed-off-by: Josh Kilmer +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-asus.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/hid/hid-asus.c ++++ b/drivers/hid/hid-asus.c +@@ -1212,6 +1212,13 @@ static __u8 *asus_report_fixup(struct hi + rdesc = new_rdesc; + } + ++ if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && ++ *rsize == 331 && rdesc[190] == 0x85 && rdesc[191] == 0x5a && ++ rdesc[204] == 0x95 && rdesc[205] == 0x05) { ++ hid_info(hdev, "Fixing up Asus N-KEY keyb report descriptor\n"); ++ rdesc[205] = 0x01; ++ } ++ + return rdesc; + } + diff --git a/queue-5.19/hid-input-fix-uclogic-tablets.patch b/queue-5.19/hid-input-fix-uclogic-tablets.patch new file mode 100644 index 00000000000..2a449622dc9 --- /dev/null +++ b/queue-5.19/hid-input-fix-uclogic-tablets.patch @@ -0,0 +1,43 @@ +From 8db8be9cfc89935c97d791c7e6264e710a7e8a56 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Mon, 22 Aug 2022 08:22:47 +0200 +Subject: HID: input: fix uclogic tablets + +From: Benjamin Tissoires + +commit 8db8be9cfc89935c97d791c7e6264e710a7e8a56 upstream. + +commit 87562fcd1342 ("HID: input: remove the need for HID_QUIRK_INVERT") +made the assumption that it was the only one handling tablets and thus +kept an internal state regarding the tool. + +Turns out that the uclogic driver has a timer to release the in range +bit, effectively making hid-input ignoring all in range information +after the very first one. + +Fix that by having a more rationale approach which consists in forwarding +every event and let the input stack filter out the duplicates. + +Reported-by: Stefan Hansson +Fixes: 87562fcd1342 ("HID: input: remove the need for HID_QUIRK_INVERT") +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-input.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1532,7 +1532,10 @@ void hidinput_hid_event(struct hid_devic + * assume ours + */ + if (!report->tool) +- hid_report_set_tool(report, input, usage->code); ++ report->tool = usage->code; ++ ++ /* drivers may have changed the value behind our back, resend it */ ++ hid_report_set_tool(report, input, report->tool); + } else { + hid_report_release_tool(report, input, usage->code); + } diff --git a/queue-5.19/hid-intel-ish-hid-ipc-add-meteor-lake-pci-device-id.patch b/queue-5.19/hid-intel-ish-hid-ipc-add-meteor-lake-pci-device-id.patch new file mode 100644 index 00000000000..4727e184d0f --- /dev/null +++ b/queue-5.19/hid-intel-ish-hid-ipc-add-meteor-lake-pci-device-id.patch @@ -0,0 +1,40 @@ +From 467249a7dff68451868ca79696aef69764193a8a Mon Sep 17 00:00:00 2001 +From: Even Xu +Date: Tue, 23 Aug 2022 09:10:59 +0800 +Subject: HID: intel-ish-hid: ipc: Add Meteor Lake PCI device ID + +From: Even Xu + +commit 467249a7dff68451868ca79696aef69764193a8a upstream. + +Add device ID of Meteor Lake P into ishtp support list. + +Signed-off-by: Even Xu +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/intel-ish-hid/ipc/hw-ish.h | 1 + + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/intel-ish-hid/ipc/hw-ish.h ++++ b/drivers/hid/intel-ish-hid/ipc/hw-ish.h +@@ -32,6 +32,7 @@ + #define ADL_P_DEVICE_ID 0x51FC + #define ADL_N_DEVICE_ID 0x54FC + #define RPL_S_DEVICE_ID 0x7A78 ++#define MTL_P_DEVICE_ID 0x7E45 + + #define REVISION_ID_CHT_A0 0x6 + #define REVISION_ID_CHT_Ax_SI 0x0 +--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c ++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +@@ -43,6 +43,7 @@ static const struct pci_device_id ish_pc + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, ADL_P_DEVICE_ID)}, + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, ADL_N_DEVICE_ID)}, + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, RPL_S_DEVICE_ID)}, ++ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, MTL_P_DEVICE_ID)}, + {0, } + }; + MODULE_DEVICE_TABLE(pci, ish_pci_tbl); diff --git a/queue-5.19/hid-nintendo-fix-rumble-worker-null-pointer-deref.patch b/queue-5.19/hid-nintendo-fix-rumble-worker-null-pointer-deref.patch new file mode 100644 index 00000000000..f7637465c55 --- /dev/null +++ b/queue-5.19/hid-nintendo-fix-rumble-worker-null-pointer-deref.patch @@ -0,0 +1,51 @@ +From 1ff89e06c2e5fab30274e4b02360d4241d6e605e Mon Sep 17 00:00:00 2001 +From: "Daniel J. Ogorchock" +Date: Wed, 13 Jul 2022 16:20:59 -0400 +Subject: HID: nintendo: fix rumble worker null pointer deref + +From: Daniel J. Ogorchock + +commit 1ff89e06c2e5fab30274e4b02360d4241d6e605e upstream. + +We can dereference a null pointer trying to queue work to a destroyed +workqueue. + +If the device is disconnected, nintendo_hid_remove is called, in which +the rumble_queue is destroyed. Avoid using that queue to defer rumble +work once the controller state is set to JOYCON_CTLR_STATE_REMOVED. + +This eliminates the null pointer dereference. + +Signed-off-by: Daniel J. Ogorchock +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-nintendo.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-nintendo.c ++++ b/drivers/hid/hid-nintendo.c +@@ -1222,6 +1222,7 @@ static void joycon_parse_report(struct j + + spin_lock_irqsave(&ctlr->lock, flags); + if (IS_ENABLED(CONFIG_NINTENDO_FF) && rep->vibrator_report && ++ ctlr->ctlr_state != JOYCON_CTLR_STATE_REMOVED && + (msecs - ctlr->rumble_msecs) >= JC_RUMBLE_PERIOD_MS && + (ctlr->rumble_queue_head != ctlr->rumble_queue_tail || + ctlr->rumble_zero_countdown > 0)) { +@@ -1546,12 +1547,13 @@ static int joycon_set_rumble(struct joyc + ctlr->rumble_queue_head = 0; + memcpy(ctlr->rumble_data[ctlr->rumble_queue_head], data, + JC_RUMBLE_DATA_SIZE); +- spin_unlock_irqrestore(&ctlr->lock, flags); + + /* don't wait for the periodic send (reduces latency) */ +- if (schedule_now) ++ if (schedule_now && ctlr->ctlr_state != JOYCON_CTLR_STATE_REMOVED) + queue_work(ctlr->rumble_queue, &ctlr->rumble_worker); + ++ spin_unlock_irqrestore(&ctlr->lock, flags); ++ + return 0; + } + diff --git a/queue-5.19/hid-thrustmaster-add-sparco-wheel-and-fix-array-length.patch b/queue-5.19/hid-thrustmaster-add-sparco-wheel-and-fix-array-length.patch new file mode 100644 index 00000000000..062d38e2ca0 --- /dev/null +++ b/queue-5.19/hid-thrustmaster-add-sparco-wheel-and-fix-array-length.patch @@ -0,0 +1,40 @@ +From d9a17651f3749e69890db57ca66e677dfee70829 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michael=20H=C3=BCbner?= +Date: Fri, 5 Aug 2022 10:05:23 +0200 +Subject: HID: thrustmaster: Add sparco wheel and fix array length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Hübner + +commit d9a17651f3749e69890db57ca66e677dfee70829 upstream. + +Add device id for the Sparco R383 Mod wheel. + +Fix wheel info array length to match actual wheel count present in the array. + +Signed-off-by: Michael Hübner +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-thrustmaster.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-thrustmaster.c ++++ b/drivers/hid/hid-thrustmaster.c +@@ -67,12 +67,13 @@ static const struct tm_wheel_info tm_whe + {0x0200, 0x0005, "Thrustmaster T300RS (Missing Attachment)"}, + {0x0206, 0x0005, "Thrustmaster T300RS"}, + {0x0209, 0x0005, "Thrustmaster T300RS (Open Wheel Attachment)"}, ++ {0x020a, 0x0005, "Thrustmaster T300RS (Sparco R383 Mod)"}, + {0x0204, 0x0005, "Thrustmaster T300 Ferrari Alcantara Edition"}, + {0x0002, 0x0002, "Thrustmaster T500RS"} + //{0x0407, 0x0001, "Thrustmaster TMX"} + }; + +-static const uint8_t tm_wheels_infos_length = 4; ++static const uint8_t tm_wheels_infos_length = 7; + + /* + * This structs contains (in little endian) the response data diff --git a/queue-5.19/mm-rmap-fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch b/queue-5.19/mm-rmap-fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch new file mode 100644 index 00000000000..a246c8083d1 --- /dev/null +++ b/queue-5.19/mm-rmap-fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch @@ -0,0 +1,167 @@ +From 2555283eb40df89945557273121e9393ef9b542b Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 31 Aug 2022 19:06:00 +0200 +Subject: mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse + +From: Jann Horn + +commit 2555283eb40df89945557273121e9393ef9b542b upstream. + +anon_vma->degree tracks the combined number of child anon_vmas and VMAs +that use the anon_vma as their ->anon_vma. + +anon_vma_clone() then assumes that for any anon_vma attached to +src->anon_vma_chain other than src->anon_vma, it is impossible for it to +be a leaf node of the VMA tree, meaning that for such VMAs ->degree is +elevated by 1 because of a child anon_vma, meaning that if ->degree +equals 1 there are no VMAs that use the anon_vma as their ->anon_vma. + +This assumption is wrong because the ->degree optimization leads to leaf +nodes being abandoned on anon_vma_clone() - an existing anon_vma is +reused and no new parent-child relationship is created. So it is +possible to reuse an anon_vma for one VMA while it is still tied to +another VMA. + +This is an issue because is_mergeable_anon_vma() and its callers assume +that if two VMAs have the same ->anon_vma, the list of anon_vmas +attached to the VMAs is guaranteed to be the same. When this assumption +is violated, vma_merge() can merge pages into a VMA that is not attached +to the corresponding anon_vma, leading to dangling page->mapping +pointers that will be dereferenced during rmap walks. + +Fix it by separately tracking the number of child anon_vmas and the +number of VMAs using the anon_vma as their ->anon_vma. + +Fixes: 7a3ef208e662 ("mm: prevent endless growth of anon_vma hierarchy") +Cc: stable@kernel.org +Acked-by: Michal Hocko +Acked-by: Vlastimil Babka +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/rmap.h | 7 +++++-- + mm/rmap.c | 29 ++++++++++++++++------------- + 2 files changed, 21 insertions(+), 15 deletions(-) + +--- a/include/linux/rmap.h ++++ b/include/linux/rmap.h +@@ -41,12 +41,15 @@ struct anon_vma { + atomic_t refcount; + + /* +- * Count of child anon_vmas and VMAs which points to this anon_vma. ++ * Count of child anon_vmas. Equals to the count of all anon_vmas that ++ * have ->parent pointing to this one, including itself. + * + * This counter is used for making decision about reusing anon_vma + * instead of forking new one. See comments in function anon_vma_clone. + */ +- unsigned degree; ++ unsigned long num_children; ++ /* Count of VMAs whose ->anon_vma pointer points to this object. */ ++ unsigned long num_active_vmas; + + struct anon_vma *parent; /* Parent of this anon_vma */ + +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -93,7 +93,8 @@ static inline struct anon_vma *anon_vma_ + anon_vma = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL); + if (anon_vma) { + atomic_set(&anon_vma->refcount, 1); +- anon_vma->degree = 1; /* Reference for first vma */ ++ anon_vma->num_children = 0; ++ anon_vma->num_active_vmas = 0; + anon_vma->parent = anon_vma; + /* + * Initialise the anon_vma root to point to itself. If called +@@ -201,6 +202,7 @@ int __anon_vma_prepare(struct vm_area_st + anon_vma = anon_vma_alloc(); + if (unlikely(!anon_vma)) + goto out_enomem_free_avc; ++ anon_vma->num_children++; /* self-parent link for new root */ + allocated = anon_vma; + } + +@@ -210,8 +212,7 @@ int __anon_vma_prepare(struct vm_area_st + if (likely(!vma->anon_vma)) { + vma->anon_vma = anon_vma; + anon_vma_chain_link(vma, avc, anon_vma); +- /* vma reference or self-parent link for new root */ +- anon_vma->degree++; ++ anon_vma->num_active_vmas++; + allocated = NULL; + avc = NULL; + } +@@ -296,19 +297,19 @@ int anon_vma_clone(struct vm_area_struct + anon_vma_chain_link(dst, avc, anon_vma); + + /* +- * Reuse existing anon_vma if its degree lower than two, +- * that means it has no vma and only one anon_vma child. ++ * Reuse existing anon_vma if it has no vma and only one ++ * anon_vma child. + * +- * Do not choose parent anon_vma, otherwise first child +- * will always reuse it. Root anon_vma is never reused: ++ * Root anon_vma is never reused: + * it has self-parent reference and at least one child. + */ + if (!dst->anon_vma && src->anon_vma && +- anon_vma != src->anon_vma && anon_vma->degree < 2) ++ anon_vma->num_children < 2 && ++ anon_vma->num_active_vmas == 0) + dst->anon_vma = anon_vma; + } + if (dst->anon_vma) +- dst->anon_vma->degree++; ++ dst->anon_vma->num_active_vmas++; + unlock_anon_vma_root(root); + return 0; + +@@ -358,6 +359,7 @@ int anon_vma_fork(struct vm_area_struct + anon_vma = anon_vma_alloc(); + if (!anon_vma) + goto out_error; ++ anon_vma->num_active_vmas++; + avc = anon_vma_chain_alloc(GFP_KERNEL); + if (!avc) + goto out_error_free_anon_vma; +@@ -378,7 +380,7 @@ int anon_vma_fork(struct vm_area_struct + vma->anon_vma = anon_vma; + anon_vma_lock_write(anon_vma); + anon_vma_chain_link(vma, avc, anon_vma); +- anon_vma->parent->degree++; ++ anon_vma->parent->num_children++; + anon_vma_unlock_write(anon_vma); + + return 0; +@@ -410,7 +412,7 @@ void unlink_anon_vmas(struct vm_area_str + * to free them outside the lock. + */ + if (RB_EMPTY_ROOT(&anon_vma->rb_root.rb_root)) { +- anon_vma->parent->degree--; ++ anon_vma->parent->num_children--; + continue; + } + +@@ -418,7 +420,7 @@ void unlink_anon_vmas(struct vm_area_str + anon_vma_chain_free(avc); + } + if (vma->anon_vma) { +- vma->anon_vma->degree--; ++ vma->anon_vma->num_active_vmas--; + + /* + * vma would still be needed after unlink, and anon_vma will be prepared +@@ -436,7 +438,8 @@ void unlink_anon_vmas(struct vm_area_str + list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) { + struct anon_vma *anon_vma = avc->anon_vma; + +- VM_WARN_ON(anon_vma->degree); ++ VM_WARN_ON(anon_vma->num_children); ++ VM_WARN_ON(anon_vma->num_active_vmas); + put_anon_vma(anon_vma); + + list_del(&avc->same_vma); diff --git a/queue-5.19/series b/queue-5.19/series index 96b00d8dd7e..6c1a9960531 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -15,3 +15,13 @@ net-fix-refcount-bug-in-sk_psock_get-2.patch fbdev-fb_pm2fb-avoid-potential-divide-by-zero-error.patch ftrace-fix-null-pointer-dereference-in-is_ftrace_trampoline-when-ftrace-is-dead.patch bpf-don-t-redirect-packets-with-invalid-pkt_len.patch +mm-rmap-fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch +alsa-usb-audio-add-quirk-for-lh-labs-geek-out-hd-audio-1v5.patch +hid-input-fix-uclogic-tablets.patch +hid-add-lenovo-yoga-c630-battery-quirk.patch +hid-amd_sfh-add-a-dmi-quirk-entry-for-chromebooks.patch +hid-add-apple-touchbar-on-t2-macs-in-hid_have_special_driver-list.patch +hid-asus-rog-nkey-ignore-portion-of-0x5a-report.patch +hid-nintendo-fix-rumble-worker-null-pointer-deref.patch +hid-thrustmaster-add-sparco-wheel-and-fix-array-length.patch +hid-intel-ish-hid-ipc-add-meteor-lake-pci-device-id.patch