From: Greg Kroah-Hartman
Date: Tue, 25 Mar 2014 21:18:48 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.4.85~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1299a60342160beff47c8a5e1aa309cb3a4f6e1e;p=thirdparty%2Fkernel%2Fstable-queue.git
3.10-stable patches
added patches:
input-elantech-improve-clickpad-detection.patch
input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch
kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch
kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch
kvm-x86-handle-invalid-root_hpa-everywhere.patch
---
diff --git a/queue-3.10/input-elantech-improve-clickpad-detection.patch b/queue-3.10/input-elantech-improve-clickpad-detection.patch
new file mode 100644
index 00000000000..6ce87da9996
--- /dev/null
+++ b/queue-3.10/input-elantech-improve-clickpad-detection.patch
@@ -0,0 +1,111 @@
+From c15bdfd5b9831e4cab8cfc118243956e267dd30e Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 16 Dec 2013 07:09:25 -0800
+Subject: Input: elantech - improve clickpad detection
+
+From: Hans de Goede
+
+commit c15bdfd5b9831e4cab8cfc118243956e267dd30e upstream.
+
+The current assumption in the elantech driver that hw version 3 touchpads
+are never clickpads and hw version 4 touchpads are always clickpads is
+wrong.
+
+There are several bug reports for this, ie:
+https://bugzilla.redhat.com/show_bug.cgi?id=1030802
+http://superuser.com/questions/619582/right-elantech-touchpad-button-not-working-in-linux
+
+I've spend a couple of hours wading through various bugzillas, launchpads
+and forum posts to create a list of fw-versions and capabilities for
+different laptop models to find a good method to differentiate between
+clickpads and versions with separate hardware buttons.
+
+Which shows that a device being a clickpad is reliable indicated by bit 12
+being set in the fw_version. I've included the gathered list inside the
+driver, so that we've this info at hand if we need to revisit this later.
+
+Signed-off-by: Hans de Goede
+Reviewed-by: Benjamin Tissoires
+Signed-off-by: Dmitry Torokhov
+Cc: Josh Boyer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/elantech.c | 45 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 42 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -486,6 +486,7 @@ static void elantech_input_sync_v4(struc
+ unsigned char *packet = psmouse->packet;
+
+ input_report_key(dev, BTN_LEFT, packet[0] & 0x01);
++ input_report_key(dev, BTN_RIGHT, packet[0] & 0x02);
+ input_mt_report_pointer_emulation(dev, true);
+ input_sync(dev);
+ }
+@@ -954,6 +955,44 @@ static int elantech_get_resolution_v4(st
+ }
+
+ /*
++ * Advertise INPUT_PROP_BUTTONPAD for clickpads. The testing of bit 12 in
++ * fw_version for this is based on the following fw_version & caps table:
++ *
++ * Laptop-model: fw_version: caps: buttons:
++ * Acer S3 0x461f00 10, 13, 0e clickpad
++ * Acer S7-392 0x581f01 50, 17, 0d clickpad
++ * Acer V5-131 0x461f02 01, 16, 0c clickpad
++ * Acer V5-551 0x461f00 ? clickpad
++ * Asus K53SV 0x450f01 78, 15, 0c 2 hw buttons
++ * Asus G46VW 0x460f02 00, 18, 0c 2 hw buttons
++ * Asus G750JX 0x360f00 00, 16, 0c 2 hw buttons
++ * Asus UX31 0x361f00 20, 15, 0e clickpad
++ * Asus UX32VD 0x361f02 00, 15, 0e clickpad
++ * Avatar AVIU-145A2 0x361f00 ? clickpad
++ * Gigabyte U2442 0x450f01 58, 17, 0c 2 hw buttons
++ * Lenovo L430 0x350f02 b9, 15, 0c 2 hw buttons (*)
++ * Samsung NF210 0x150b00 78, 14, 0a 2 hw buttons
++ * Samsung NP770Z5E 0x575f01 10, 15, 0f clickpad
++ * Samsung NP700Z5B 0x361f06 21, 15, 0f clickpad
++ * Samsung NP900X3E-A02 0x575f03 ? clickpad
++ * Samsung NP-QX410 0x851b00 19, 14, 0c clickpad
++ * Samsung RC512 0x450f00 08, 15, 0c 2 hw buttons
++ * Samsung RF710 0x450f00 ? 2 hw buttons
++ * System76 Pangolin 0x250f01 ? 2 hw buttons
++ * (*) + 3 trackpoint buttons
++ */
++static void elantech_set_buttonpad_prop(struct psmouse *psmouse)
++{
++ struct input_dev *dev = psmouse->dev;
++ struct elantech_data *etd = psmouse->private;
++
++ if (etd->fw_version & 0x001000) {
++ __set_bit(INPUT_PROP_BUTTONPAD, dev->propbit);
++ __clear_bit(BTN_RIGHT, dev->keybit);
++ }
++}
++
++/*
+ * Set the appropriate event bits for the input subsystem
+ */
+ static int elantech_set_input_params(struct psmouse *psmouse)
+@@ -996,6 +1035,8 @@ static int elantech_set_input_params(str
+ __set_bit(INPUT_PROP_SEMI_MT, dev->propbit);
+ /* fall through */
+ case 3:
++ if (etd->hw_version == 3)
++ elantech_set_buttonpad_prop(psmouse);
+ input_set_abs_params(dev, ABS_X, x_min, x_max, 0, 0);
+ input_set_abs_params(dev, ABS_Y, y_min, y_max, 0, 0);
+ if (etd->reports_pressure) {
+@@ -1017,9 +1058,7 @@ static int elantech_set_input_params(str
+ */
+ psmouse_warn(psmouse, "couldn't query resolution data.\n");
+ }
+- /* v4 is clickpad, with only one button. */
+- __set_bit(INPUT_PROP_BUTTONPAD, dev->propbit);
+- __clear_bit(BTN_RIGHT, dev->keybit);
++ elantech_set_buttonpad_prop(psmouse);
+ __set_bit(BTN_TOOL_QUADTAP, dev->keybit);
+ /* For X to recognize me as touchpad. */
+ input_set_abs_params(dev, ABS_X, x_min, x_max, 0, 0);
diff --git a/queue-3.10/input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch b/queue-3.10/input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch
new file mode 100644
index 00000000000..859279c04f2
--- /dev/null
+++ b/queue-3.10/input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch
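Review bot: The clickpad test in `elantech_set_buttonpad_prop()` is written as the bare mask `0x001000`, while the comment above it and the commit message both call it "bit 12" of fw_version; a named constant or a trailing comment such as `/* bit 12: clickpad, see table above */` on the `if` line would tie the two together. Separately, the line added to elantech_input_sync_v4, `input_report_key(dev, BTN_RIGHT, packet[0] & 0x02);`, now runs for every v4 device, including clickpads for which this same patch clears BTN_RIGHT from `dev->keybit`. Presumably the input core discards the event for such devices, but a one-line comment saying so would save the next reader from checking. Both functions start outside the hunks shown.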
@@ -0,0 +1,55 @@
+From 1d0d6df02750b4a6f466768cbfbf860e24f4c8d4 Mon Sep 17 00:00:00 2001
+From: Ping Cheng
+Date: Mon, 25 Nov 2013 18:43:45 -0800
+Subject: Input: wacom - make sure touch_max is set for touch devices
+
+From: Ping Cheng
+
+commit 1d0d6df02750b4a6f466768cbfbf860e24f4c8d4 upstream.
+
+Old single touch Tablet PCs do not have touch_max set at
+wacom_features. Since touch device at lease supports one
+finger, assign touch_max to 1 when touch usage is defined
+in its HID Descriptor and touch_max is not pre-defined.
+
+Tested-by: Jason Gerecke
+Signed-off-by: Ping Cheng
+Reviewed-by: Chris Bagwell
+Signed-off-by: Dmitry Torokhov
+Cc: Josh Boyer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/tablet/wacom_sys.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/tablet/wacom_sys.c
++++ b/drivers/input/tablet/wacom_sys.c
+@@ -339,7 +339,7 @@ static int wacom_parse_hid(struct usb_in
+ struct usb_device *dev = interface_to_usbdev(intf);
+ char limit = 0;
+ /* result has to be defined as int for some devices */
+- int result = 0;
++ int result = 0, touch_max = 0;
+ int i = 0, usage = WCM_UNDEFINED, finger = 0, pen = 0;
+ unsigned char *report;
+
+@@ -386,7 +386,8 @@ static int wacom_parse_hid(struct usb_in
+ if (usage == WCM_DESKTOP) {
+ if (finger) {
+ features->device_type = BTN_TOOL_FINGER;
+-
++ /* touch device at least supports one touch point */
++ touch_max = 1;
+ switch (features->type) {
+ case TABLETPC2FG:
+ features->pktlen = WACOM_PKGLEN_TPC2FG;
+@@ -539,6 +540,8 @@ static int wacom_parse_hid(struct usb_in
+ }
+
+ out:
++ if (!features->touch_max && touch_max)
++ features->touch_max = touch_max;
+ result = 0;
+ kfree(report);
+ return result;
diff --git a/queue-3.10/kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch b/queue-3.10/kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch
new file mode 100644
index 00000000000..c8956454d9e
--- /dev/null
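Review bot: In wacom_parse_hid the new local is declared as `int result = 0, touch_max = 0;` directly under the existing comment "result has to be defined as int for some devices", so that comment now reads as if it also explained `touch_max`. Declaring it on its own line with its own comment, e.g. `int touch_max = 0; /* fallback when features->touch_max is not preset */`, keeps the two apart. The fallback assignment sits under the shared `out:` label, so it also runs on any early `goto out` path. That looks harmless because `touch_max` is still 0 there, but the function body between the hunks is not visible here, so it is worth confirming.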
+++ b/queue-3.10/kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch
@@ -0,0 +1,43 @@
+From 989c6b34f6a9480e397b170cc62237e89bf4fdb9 Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti
+Date: Thu, 19 Dec 2013 15:28:51 -0200
+Subject: KVM: MMU: handle invalid root_hpa at __direct_map
+
+From: Marcelo Tosatti
+
+commit 989c6b34f6a9480e397b170cc62237e89bf4fdb9 upstream.
+
+It is possible for __direct_map to be called on invalid root_hpa
+(-1), two examples:
+
+1) try_async_pf -> can_do_async_pf
+ -> vmx_interrupt_allowed -> nested_vmx_vmexit
+2) vmx_handle_exit -> vmx_interrupt_allowed -> nested_vmx_vmexit
+
+Then to load_vmcs12_host_state and kvm_mmu_reset_context.
+
+Check for this possibility, let fault exception be regenerated.
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=924916
+
+Signed-off-by: Marcelo Tosatti
+Signed-off-by: Paolo Bonzini
+Cc: Josh Boyer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/mmu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2585,6 +2585,9 @@ static int __direct_map(struct kvm_vcpu
+ int emulate = 0;
+ gfn_t pseudo_gfn;
+
++ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++ return 0;
++
+ for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) {
+ if (iterator.level == level) {
+ mmu_set_spte(vcpu, iterator.sptep, ACC_ALL,
diff --git a/queue-3.10/kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch b/queue-3.10/kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch
new file mode 100644
index 00000000000..940c13728b1
--- /dev/null
+++ b/queue-3.10/kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch
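Review bot: The new early `return 0;` in __direct_map leaves before the `for_each_shadow_entry` loop, so anything the loop body normally consumes on behalf of the caller is skipped on this path. The `mmu_set_spte(...)` call is cut off by the hunk and the rest of the function is outside it, so it is not visible here whether that call is what releases the page reference taken for the fault; if it is, this path would leave the reference held. The later FNAME(fetch) fix in this same series exits through its existing `out_gpte_changed` label rather than returning directly, which suggests checking that the two paths agree. Independently, the check deserves a comment, for example `/* root may have been invalidated by an MMU context reset; return 0 so the guest re-faults */`, since a bare `return 0` on an invalid root reads like a success.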
@@ -0,0 +1,39 @@
+From 26a865f4aa8e66a6d94958de7656f7f1b03c6c56 Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti
+Date: Fri, 3 Jan 2014 17:00:51 -0200
+Subject: KVM: VMX: fix use after free of vmx->loaded_vmcs
+
+From: Marcelo Tosatti
+
+commit 26a865f4aa8e66a6d94958de7656f7f1b03c6c56 upstream.
+
+After free_loaded_vmcs executes, the "loaded_vmcs" structure
+is kfreed, and now vmx->loaded_vmcs points to a kfreed area.
+Subsequent free_loaded_vmcs then attempts to manipulate
+vmx->loaded_vmcs.
+
+Switch the order to avoid the problem.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1047892
+
+Reviewed-by: Jan Kiszka
+Signed-off-by: Marcelo Tosatti
+Cc: Josh Boyer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7133,8 +7133,8 @@ static void vmx_free_vcpu(struct kvm_vcp
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ free_vpid(vmx);
+- free_nested(vmx);
+ free_loaded_vmcs(vmx->loaded_vmcs);
++ free_nested(vmx);
+ kfree(vmx->guest_msrs);
+ kvm_vcpu_uninit(vcpu);
+ kmem_cache_free(kvm_vcpu_cache, vmx);
diff --git a/queue-3.10/kvm-x86-handle-invalid-root_hpa-everywhere.patch b/queue-3.10/kvm-x86-handle-invalid-root_hpa-everywhere.patch
new file mode 100644
index 00000000000..226a197d18c
--- /dev/null
+++ b/queue-3.10/kvm-x86-handle-invalid-root_hpa-everywhere.patch
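Review bot: The fix in vmx_free_vcpu rests entirely on the order of two adjacent calls, and nothing on the new lines records that `free_loaded_vmcs(vmx->loaded_vmcs)` has to run before `free_nested(vmx)`. A later tidy-up that regroups the teardown calls could silently reintroduce the use after free described in the commit message. I would add a comment above the pair, e.g. `/* Order matters: release vmx->loaded_vmcs before free_nested(), which frees memory it may point into. */`, with the wording checked against free_nested(), whose body is not part of this hunk. `vmx->loaded_vmcs` is also left holding a stale pointer after the call. That is bounded here because `kmem_cache_free(kvm_vcpu_cache, vmx)` follows within the hunk, but it is another reason to state the ordering explicitly.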
@@ -0,0 +1,77 @@
+From 37f6a4e237303549c8676dfe1fd1991ceab512eb Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti
+Date: Fri, 3 Jan 2014 17:09:32 -0200
+Subject: KVM: x86: handle invalid root_hpa everywhere
+
+From: Marcelo Tosatti
+
+commit 37f6a4e237303549c8676dfe1fd1991ceab512eb upstream.
+
+Rom Freiman notes other code paths vulnerable to
+bug fixed by 989c6b34f6a9480e397b.
+
+Signed-off-by: Marcelo Tosatti
+Cc: Josh Boyer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/mmu.c | 9 +++++++++
+ arch/x86/kvm/paging_tmpl.h | 8 ++++++++
+ 2 files changed, 17 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2751,6 +2751,9 @@ static bool fast_page_fault(struct kvm_v
+ bool ret = false;
+ u64 spte = 0ull;
+
++ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++ return false;
++
+ if (!page_fault_can_be_fast(vcpu, error_code))
+ return false;
+
+@@ -3142,6 +3145,9 @@ static u64 walk_shadow_page_get_mmio_spt
+ struct kvm_shadow_walk_iterator iterator;
+ u64 spte = 0ull;
+
++ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++ return spte;
++
+ walk_shadow_page_lockless_begin(vcpu);
+ for_each_shadow_entry_lockless(vcpu, addr, iterator, spte)
+ if (!is_shadow_present_pte(spte))
+@@ -4332,6 +4338,9 @@ int kvm_mmu_get_spte_hierarchy(struct kv
+ u64 spte;
+ int nr_sptes = 0;
+
++ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++ return nr_sptes;
++
+ walk_shadow_page_lockless_begin(vcpu);
+ for_each_shadow_entry_lockless(vcpu, addr, iterator, spte) {
+ sptes[iterator.level-1] = spte;
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -423,6 +423,9 @@ static int FNAME(fetch)(struct kvm_vcpu
+ if (FNAME(gpte_changed)(vcpu, gw, top_level))
+ goto out_gpte_changed;
+
++ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
++ goto out_gpte_changed;
++
+ for (shadow_walk_init(&it, vcpu, addr);
+ shadow_walk_okay(&it) && it.level > gw->level;
+ shadow_walk_next(&it)) {
+@@ -671,6 +674,11 @@ static void FNAME(invlpg)(struct kvm_vcp
+ */
+ mmu_topup_memory_caches(vcpu);
+
++ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa)) {
++ WARN_ON(1);
++ return;
++ }
++
+ spin_lock(&vcpu->kvm->mmu_lock);
+ for_each_shadow_entry(vcpu, gva, iterator) {
+ level = iterator.level;
diff --git a/queue-3.10/series b/queue-3.10/series
index 461312481fc..029dbc32ee1 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -13,3 +13,8 @@ p54-clamp-properly-instead-of-just-truncating.patch
 regulator-core-replace-direct-ops-disable-usage.patch
 arm-move-outer_cache-declaration-out-of-ifdef.patch
 arm-highbank-avoid-l2-cache-smc-calls-when-pl310-is-not.patch
+input-elantech-improve-clickpad-detection.patch
+kvm-mmu-handle-invalid-root_hpa-at-__direct_map.patch
+kvm-x86-handle-invalid-root_hpa-everywhere.patch
+kvm-vmx-fix-use-after-free-of-vmx-loaded_vmcs.patch
+input-wacom-make-sure-touch_max-is-set-for-touch-devices.patch
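Review bot: In the FNAME(invlpg) hunk the invalid-root path calls `WARN_ON(1)` on every hit, whereas the other four checks added by this patch (fast_page_fault, walk_shadow_page_get_mmio_spte, kvm_mmu_get_spte_hierarchy, FNAME(fetch)) bail out quietly. If guest activity can drive this path repeatedly, which the hunk alone does not establish, each occurrence writes a full backtrace to the host log, so a condition the series otherwise treats as recoverable becomes a host log-flooding lever. `WARN_ON_ONCE(1);` keeps the diagnostic while bounding the output. A short comment saying why invlpg alone treats the state as unexpected would also help, since the commit message gives no reason for the difference. The function continues past the end of the hunk.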