From: Greg Kroah-Hartman Date: Tue, 10 Oct 2017 15:12:45 +0000 (+0200) Subject: 4.13-stable patches X-Git-Tag: v3.18.75~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13e6d7ace7dce3b38b190abde4a069f8387babe5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.13-stable patches added patches: arm64-dt-marvell-fix-ap806-system-controller-size.patch arm64-ensure-the-instruction-emulation-is-ready-for-userspace.patch auxdisplay-charlcd-properly-restore-atomic-counter-on-error-path.patch btrfs-avoid-overflow-when-sector_t-is-32-bit.patch btrfs-fix-overlap-of-fs_info-flags-values.patch cgroup-reinit-cgroup_taskset-structure-before-cgroup_migrate_execute-returns.patch driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch drivers-hv-fcopy-restore-correct-transfer-length.patch ftrace-fix-kmemleak-in-unregister_ftrace_graph.patch hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch hid-rmi-make-sure-the-hid-device-is-opened-on-resume.patch hid-wacom-always-increment-hdev-refcount-within-wacom_get_hdev_data.patch hid-wacom-bits-shifted-too-much-for-9th-and-10th-buttons.patch hid-wacom-correct-coordinate-system-of-touchring-and-pen-twist.patch hid-wacom-generic-clear-abs_misc-when-tool-leaves-proximity.patch hid-wacom-generic-send-msc_serial-and-abs_misc-when-leaving-prox.patch hid-wacom-leds-don-t-try-to-control-the-ekr-s-read-only-leds.patch hid-wacom-properly-report-negative-values-from-intuos-pro-2-bluetooth.patch intel_th-pci-add-cedar-fork-pch-support.patch intel_th-pci-add-lewisburg-pch-support.patch netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch ovl-fix-dentry-leak-in-ovl_indexdir_cleanup.patch ovl-fix-dput-of-err_ptr-in-ovl_cleanup_index.patch ovl-fix-error-value-printed-in-ovl_lookup_index.patch ovl-fix-missing-unlock_rename-in-ovl_do_copy_up.patch ovl-fix-regression-caused-by-exclusive-upper-work-dir-protection.patch rocker-fix-rocker_tlv_put_-functions-for-kasan.patch stm-class-fix-a-use-after-free.patch vmbus-don-t-acquire-the-mutex-in-vmbus_hvsock_device_unregister.patch --- diff --git a/queue-4.13/arm64-dt-marvell-fix-ap806-system-controller-size.patch b/queue-4.13/arm64-dt-marvell-fix-ap806-system-controller-size.patch new file mode 100644 index 00000000000..5ec694438a0 --- /dev/null +++ b/queue-4.13/arm64-dt-marvell-fix-ap806-system-controller-size.patch @@ -0,0 +1,45 @@ +From 9e7460fc325dad06d2066abdbc1f4dd49456f9a4 Mon Sep 17 00:00:00 2001 +From: Baruch Siach +Date: Fri, 15 Sep 2017 10:50:07 +0300 +Subject: arm64: dt marvell: Fix AP806 system controller size + +From: Baruch Siach + +commit 9e7460fc325dad06d2066abdbc1f4dd49456f9a4 upstream. + +Extend the container size to 0x2000 to include the gpio controller at +offset 0x1040. + +While at it, add start address notation to the gpio node name to match +its 'offset' property. + +Fixes: 63dac0f4924b ("arm64: dts: marvell: add gpio support for Armada +7K/8K") +Signed-off-by: Baruch Siach +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/marvell/armada-ap806.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/marvell/armada-ap806.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-ap806.dtsi +@@ -254,7 +254,7 @@ + + ap_syscon: system-controller@6f4000 { + compatible = "syscon", "simple-mfd"; +- reg = <0x6f4000 0x1000>; ++ reg = <0x6f4000 0x2000>; + + ap_clk: clock { + compatible = "marvell,ap806-clock"; +@@ -265,7 +265,7 @@ + compatible = "marvell,ap806-pinctrl"; + }; + +- ap_gpio: gpio { ++ ap_gpio: gpio@1040 { + compatible = "marvell,armada-8k-gpio"; + offset = <0x1040>; + ngpios = <20>; diff --git a/queue-4.13/arm64-ensure-the-instruction-emulation-is-ready-for-userspace.patch b/queue-4.13/arm64-ensure-the-instruction-emulation-is-ready-for-userspace.patch new file mode 100644 index 00000000000..d503f7a6d90 --- /dev/null +++ b/queue-4.13/arm64-ensure-the-instruction-emulation-is-ready-for-userspace.patch @@ -0,0 +1,50 @@ +From c0d8832e78cbfd4a64b7112e34920af4b0b0e60e Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Fri, 6 Oct 2017 14:16:52 +0100 +Subject: arm64: Ensure the instruction emulation is ready for userspace + +From: Suzuki K Poulose + +commit c0d8832e78cbfd4a64b7112e34920af4b0b0e60e upstream. + +We trap and emulate some instructions (e.g, mrs, deprecated instructions) +for the userspace. However the handlers for these are registered as +late_initcalls and the userspace could be up and running from the initramfs +by that time (with populate_rootfs, which is a rootfs_initcall()). This +could cause problems for the early applications ending up in failure +like : + +[ 11.152061] modprobe[93]: undefined instruction: pc=0000ffff8ca48ff4 + +This patch promotes the specific calls to core_initcalls, which are +guaranteed to be completed before we hit userspace. + +Cc: Dave Martin +Cc: Matthias Brugger +Cc: James Morse +Reported-by: Matwey V. Kornilov +Signed-off-by: Suzuki K Poulose +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/armv8_deprecated.c | 2 +- + arch/arm64/kernel/cpufeature.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/armv8_deprecated.c ++++ b/arch/arm64/kernel/armv8_deprecated.c +@@ -649,4 +649,4 @@ static int __init armv8_deprecated_init( + return 0; + } + +-late_initcall(armv8_deprecated_init); ++core_initcall(armv8_deprecated_init); +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -1294,4 +1294,4 @@ static int __init enable_mrs_emulation(v + return 0; + } + +-late_initcall(enable_mrs_emulation); ++core_initcall(enable_mrs_emulation); diff --git a/queue-4.13/auxdisplay-charlcd-properly-restore-atomic-counter-on-error-path.patch b/queue-4.13/auxdisplay-charlcd-properly-restore-atomic-counter-on-error-path.patch new file mode 100644 index 00000000000..241f4338c0a --- /dev/null +++ b/queue-4.13/auxdisplay-charlcd-properly-restore-atomic-counter-on-error-path.patch @@ -0,0 +1,90 @@ +From 93dc1774d2a4c7a298d5cdf78cc8acdcb7b1428d Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Thu, 7 Sep 2017 15:37:30 +0200 +Subject: auxdisplay: charlcd: properly restore atomic counter on error path + +From: Willy Tarreau + +commit 93dc1774d2a4c7a298d5cdf78cc8acdcb7b1428d upstream. + +Commit f4757af ("staging: panel: Fix single-open policy race condition") +introduced in 3.19-rc1 attempted to fix a race condition on the open, but +failed to properly do it and used to exit without restoring the semaphore. + +This results in -EBUSY being returned after the first open error until +the module is reloaded or the system restarted (ie: consecutive to a +dual open resulting in -EBUSY or to a permission error). + +[ Note for stable maintainers: the code moved from drivers/misc/panel.c + to drivers/auxdisplay/{charlcd,panel}.c during 4.12. The patch easily + applies there (modulo the renamed atomic counter) but I can provide a + tested backport if desired. ] + +Fixes: f4757af85 # 3.19-rc1 +Cc: Mariusz Gorski +Cc: Geert Uytterhoeven +Cc: Miguel Ojeda Sandonis +Signed-off-by: Willy Tarreau +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/auxdisplay/charlcd.c | 11 +++++++++-- + drivers/auxdisplay/panel.c | 11 +++++++++-- + 2 files changed, 18 insertions(+), 4 deletions(-) + +--- a/drivers/auxdisplay/charlcd.c ++++ b/drivers/auxdisplay/charlcd.c +@@ -647,18 +647,25 @@ static ssize_t charlcd_write(struct file + static int charlcd_open(struct inode *inode, struct file *file) + { + struct charlcd_priv *priv = to_priv(the_charlcd); ++ int ret; + ++ ret = -EBUSY; + if (!atomic_dec_and_test(&charlcd_available)) +- return -EBUSY; /* open only once at a time */ ++ goto fail; /* open only once at a time */ + ++ ret = -EPERM; + if (file->f_mode & FMODE_READ) /* device is write-only */ +- return -EPERM; ++ goto fail; + + if (priv->must_clear) { + charlcd_clear_display(&priv->lcd); + priv->must_clear = false; + } + return nonseekable_open(inode, file); ++ ++ fail: ++ atomic_inc(&charlcd_available); ++ return ret; + } + + static int charlcd_release(struct inode *inode, struct file *file) +--- a/drivers/auxdisplay/panel.c ++++ b/drivers/auxdisplay/panel.c +@@ -1105,14 +1105,21 @@ static ssize_t keypad_read(struct file * + + static int keypad_open(struct inode *inode, struct file *file) + { ++ int ret; ++ ++ ret = -EBUSY; + if (!atomic_dec_and_test(&keypad_available)) +- return -EBUSY; /* open only once at a time */ ++ goto fail; /* open only once at a time */ + ++ ret = -EPERM; + if (file->f_mode & FMODE_WRITE) /* device is read-only */ +- return -EPERM; ++ goto fail; + + keypad_buflen = 0; /* flush the buffer on opening */ + return 0; ++ fail: ++ atomic_inc(&keypad_available); ++ return ret; + } + + static int keypad_release(struct inode *inode, struct file *file) diff --git a/queue-4.13/btrfs-avoid-overflow-when-sector_t-is-32-bit.patch b/queue-4.13/btrfs-avoid-overflow-when-sector_t-is-32-bit.patch new file mode 100644 index 00000000000..103b092cf3f --- /dev/null +++ b/queue-4.13/btrfs-avoid-overflow-when-sector_t-is-32-bit.patch @@ -0,0 +1,43 @@ +From 2d8ce70a08fe033c904115d59276ad86adeaa337 Mon Sep 17 00:00:00 2001 +From: Goffredo Baroncelli +Date: Tue, 3 Oct 2017 19:31:10 +0200 +Subject: btrfs: avoid overflow when sector_t is 32 bit + +From: Goffredo Baroncelli + +commit 2d8ce70a08fe033c904115d59276ad86adeaa337 upstream. + +Jean-Denis Girard noticed commit c821e7f3 "pass bytes to +btrfs_bio_alloc" (https://patchwork.kernel.org/patch/9763081/) +introduces a regression on 32 bit machines. +When CONFIG_LBDAF is _not_ defined (CONFIG_LBDAF == Support for large +(2TB+) block devices and files) sector_t is 32 bit on 32bit machines. + +In the function submit_extent_page, 'sector' (which is sector_t type) is +multiplied by 512 to convert it from sectors to bytes, leading to an +overflow when the disk is bigger than 4GB (!). + +I added a cast to u64 to avoid overflow. + +Fixes: c821e7f3 ("btrfs: pass bytes to btrfs_bio_alloc") +Signed-off-by: Goffredo Baroncelli +Tested-by: Jean-Denis Girard +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2799,7 +2799,7 @@ static int submit_extent_page(int op, in + } + } + +- bio = btrfs_bio_alloc(bdev, sector << 9); ++ bio = btrfs_bio_alloc(bdev, (u64)sector << 9); + bio_add_page(bio, page, page_size, offset); + bio->bi_end_io = end_io_func; + bio->bi_private = tree; diff --git a/queue-4.13/btrfs-fix-overlap-of-fs_info-flags-values.patch b/queue-4.13/btrfs-fix-overlap-of-fs_info-flags-values.patch new file mode 100644 index 00000000000..c21ebd53376 --- /dev/null +++ b/queue-4.13/btrfs-fix-overlap-of-fs_info-flags-values.patch @@ -0,0 +1,46 @@ +From 69ad59767d094752c23c0fc180a79532fde073d0 Mon Sep 17 00:00:00 2001 +From: Tsutomu Itoh +Date: Wed, 4 Oct 2017 11:05:17 +0900 +Subject: Btrfs: fix overlap of fs_info::flags values + +From: Tsutomu Itoh + +commit 69ad59767d094752c23c0fc180a79532fde073d0 upstream. + +Because the values of BTRFS_FS_EXCL_OP and BTRFS_FS_QUOTA_OVERRIDE overlap, +we should change the value. + +First, BTRFS_FS_EXCL_OP was set to 14. + + commit 171938e52807 ("btrfs: track exclusive filesystem operation in flags") + +Next, the value of BTRFS_FS_QUOTA_OVERRIDE was set to 14. + + commit f29efe292198 ("btrfs: add quota override flag to enable quota override for CAP_SYS_RESOURCE") + +As a result, the value 14 overlapped, by accident. +This problem is solved by defining the value of BTRFS_FS_EXCL_OP as 16, +the flags are internal. + +Fixes: f29efe292198 ("btrfs: add quota override flag to enable quota override for CAP_SYS_RESOURCE") +Signed-off-by: Tsutomu Itoh +Reviewed-by: David Sterba +[ minimize the change, update only BTRFS_FS_EXCL_OP ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ctree.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -723,7 +723,7 @@ struct btrfs_delayed_root; + * Indicate that a whole-filesystem exclusive operation is running + * (device replace, resize, device add/delete, balance) + */ +-#define BTRFS_FS_EXCL_OP 14 ++#define BTRFS_FS_EXCL_OP 16 + + struct btrfs_fs_info { + u8 fsid[BTRFS_FSID_SIZE]; diff --git a/queue-4.13/cgroup-reinit-cgroup_taskset-structure-before-cgroup_migrate_execute-returns.patch b/queue-4.13/cgroup-reinit-cgroup_taskset-structure-before-cgroup_migrate_execute-returns.patch new file mode 100644 index 00000000000..448a153d293 --- /dev/null +++ b/queue-4.13/cgroup-reinit-cgroup_taskset-structure-before-cgroup_migrate_execute-returns.patch @@ -0,0 +1,80 @@ +From c4fa6c43ce4b427350cfbb659436bfe3d9e09a1d Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Thu, 21 Sep 2017 09:54:13 -0400 +Subject: cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute() returns + +From: Waiman Long + +commit c4fa6c43ce4b427350cfbb659436bfe3d9e09a1d upstream. + +The cgroup_taskset structure within the larger cgroup_mgctx structure +is supposed to be used once and then discarded. That is not really the +case in the hotplug code path: + +cpuset_hotplug_workfn() + - cgroup_transfer_tasks() + - cgroup_migrate() + - cgroup_migrate_add_task() + - cgroup_migrate_execute() + +In this case, the cgroup_migrate() function is called multiple time +with the same cgroup_mgctx structure to transfer the tasks from +one cgroup to another one-by-one. The second time cgroup_migrate() +is called, the cgroup_taskset will be in an incorrect state and so +may cause the system to panic. For example, + + [ 150.888410] Faulting instruction address: 0xc0000000001db648 + [ 150.888414] Oops: Kernel access of bad area, sig: 11 [#1] + [ 150.888417] SMP NR_CPUS=2048 + [ 150.888417] NUMA + [ 150.888419] pSeries + : + [ 150.888545] NIP [c0000000001db648] cpuset_can_attach+0x58/0x1b0 + [ 150.888548] LR [c0000000001db638] cpuset_can_attach+0x48/0x1b0 + [ 150.888551] Call Trace: + [ 150.888554] [c0000005f65cb940] [c0000000001db638] cpuset_can_attach+0x48/0x1b 0 (unreliable) + [ 150.888559] [c0000005f65cb9a0] [c0000000001cff04] cgroup_migrate_execute+0xc4/0x4b0 + [ 150.888563] [c0000005f65cba20] [c0000000001d7d14] cgroup_transfer_tasks+0x1d4/0x370 + [ 150.888568] [c0000005f65cbb70] [c0000000001ddcb0] cpuset_hotplug_workfn+0x710/0x8f0 + [ 150.888572] [c0000005f65cbc80] [c00000000012032c] process_one_work+0x1ac/0x4d0 + [ 150.888576] [c0000005f65cbd20] [c0000000001206f8] worker_thread+0xa8/0x5b0 + [ 150.888580] [c0000005f65cbdc0] [c0000000001293f8] kthread+0x168/0x1b0 + [ 150.888584] [c0000005f65cbe30] [c00000000000b368] ret_from_kernel_thread+0x5c/0x74 + +To allow reuse of the cgroup_mgctx structure, some fields in that +structure are now re-initialized at the end of cgroup_migrate_execute() +function call so that the structure can be reused again in a later +iteration without causing problem. + +This bug was introduced in the commit e595cd706982 ("group: track +migration context in cgroup_mgctx") in 4.11. This commit moves the +cgroup_taskset initialization out of cgroup_migrate(). The commit +10467270fb3 ("cgroup: don't call migration methods if there are no +tasks to migrate") helped, but did not completely resolve the problem. + +Fixes: e595cd706982bff0211e6fafe5a108421e747fbc ("group: track migration context in cgroup_mgctx") +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cgroup.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -2168,6 +2168,14 @@ out_release_tset: + list_del_init(&cset->mg_node); + } + spin_unlock_irq(&css_set_lock); ++ ++ /* ++ * Re-initialize the cgroup_taskset structure in case it is reused ++ * again in another cgroup_migrate_add_task()/cgroup_migrate_execute() ++ * iteration. ++ */ ++ tset->nr_tasks = 0; ++ tset->csets = &tset->src_csets; + return ret; + } + diff --git a/queue-4.13/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch b/queue-4.13/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch new file mode 100644 index 00000000000..6d77a3e7027 --- /dev/null +++ b/queue-4.13/driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch @@ -0,0 +1,38 @@ +From bf563b01c2895a4bfd1a29cc5abc67fe706ecffd Mon Sep 17 00:00:00 2001 +From: Nicolai Stange +Date: Mon, 11 Sep 2017 09:45:42 +0200 +Subject: driver core: platform: Don't read past the end of "driver_override" buffer + +From: Nicolai Stange + +commit bf563b01c2895a4bfd1a29cc5abc67fe706ecffd upstream. + +When printing the driver_override parameter when it is 4095 and 4094 bytes +long, the printing code would access invalid memory because we need count+1 +bytes for printing. + +Reject driver_override values of these lengths in driver_override_store(). + +This is in close analogy to commit 4efe874aace5 ("PCI: Don't read past the +end of sysfs "driver_override" buffer") from Sasha Levin. + +Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'") +Signed-off-by: Nicolai Stange +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/platform.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -868,7 +868,8 @@ static ssize_t driver_override_store(str + struct platform_device *pdev = to_platform_device(dev); + char *driver_override, *old, *cp; + +- if (count > PATH_MAX) ++ /* We need to keep extra room for a newline */ ++ if (count >= (PAGE_SIZE - 1)) + return -EINVAL; + + driver_override = kstrndup(buf, count, GFP_KERNEL); diff --git a/queue-4.13/drivers-hv-fcopy-restore-correct-transfer-length.patch b/queue-4.13/drivers-hv-fcopy-restore-correct-transfer-length.patch new file mode 100644 index 00000000000..9bbd364d084 --- /dev/null +++ b/queue-4.13/drivers-hv-fcopy-restore-correct-transfer-length.patch @@ -0,0 +1,53 @@ +From 549e658a0919e355a2b2144dc380b3729bef7f3e Mon Sep 17 00:00:00 2001 +From: Olaf Hering +Date: Thu, 21 Sep 2017 23:41:48 -0700 +Subject: Drivers: hv: fcopy: restore correct transfer length + +From: Olaf Hering + +commit 549e658a0919e355a2b2144dc380b3729bef7f3e upstream. + +Till recently the expected length of bytes read by the +daemon did depend on the context. It was either hv_start_fcopy or +hv_do_fcopy. The daemon had a buffer size of two pages, which was much +larger than needed. + +Now the expected length of bytes read by the +daemon changed slightly. For START_FILE_COPY it is still the size of +hv_start_fcopy. But for WRITE_TO_FILE and the other operations it is as +large as the buffer that arrived via vmbus. In case of WRITE_TO_FILE +that is slightly larger than a struct hv_do_fcopy. Since the buffer in +the daemon was still larger everything was fine. + +Currently, the daemon reads only what is actually needed. +The new buffer layout is as large as a struct hv_do_fcopy, for the +WRITE_TO_FILE operation. Since the kernel expects a slightly larger +size, hvt_op_read will return -EINVAL because the daemon will read +slightly less than expected. Address this by restoring the expected +buffer size in case of WRITE_TO_FILE. + +Fixes: 'c7e490fc23eb ("Drivers: hv: fcopy: convert to hv_utils_transport")' +Fixes: '3f2baa8a7d2e ("Tools: hv: update buffer handling in hv_fcopy_daemon")' + +Signed-off-by: Olaf Hering +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_fcopy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/hv/hv_fcopy.c ++++ b/drivers/hv/hv_fcopy.c +@@ -170,6 +170,10 @@ static void fcopy_send_data(struct work_ + out_src = smsg_out; + break; + ++ case WRITE_TO_FILE: ++ out_src = fcopy_transaction.fcopy_msg; ++ out_len = sizeof(struct hv_do_fcopy); ++ break; + default: + out_src = fcopy_transaction.fcopy_msg; + out_len = fcopy_transaction.recv_len; diff --git a/queue-4.13/ftrace-fix-kmemleak-in-unregister_ftrace_graph.patch b/queue-4.13/ftrace-fix-kmemleak-in-unregister_ftrace_graph.patch new file mode 100644 index 00000000000..e5535308b61 --- /dev/null +++ b/queue-4.13/ftrace-fix-kmemleak-in-unregister_ftrace_graph.patch @@ -0,0 +1,83 @@ +From 2b0b8499ae75df91455bbeb7491d45affc384fb0 Mon Sep 17 00:00:00 2001 +From: Shu Wang +Date: Tue, 12 Sep 2017 10:14:54 +0800 +Subject: ftrace: Fix kmemleak in unregister_ftrace_graph + +From: Shu Wang + +commit 2b0b8499ae75df91455bbeb7491d45affc384fb0 upstream. + +The trampoline allocated by function tracer was overwriten by function_graph +tracer, and caused a memory leak. The save_global_trampoline should have +saved the previous trampoline in register_ftrace_graph() and restored it in +unregister_ftrace_graph(). But as it is implemented, save_global_trampoline was +only used in unregister_ftrace_graph as default value 0, and it overwrote the +previous trampoline's value. Causing the previous allocated trampoline to be +lost. + +kmmeleak backtrace: + kmemleak_vmalloc+0x77/0xc0 + __vmalloc_node_range+0x1b5/0x2c0 + module_alloc+0x7c/0xd0 + arch_ftrace_update_trampoline+0xb5/0x290 + ftrace_startup+0x78/0x210 + register_ftrace_function+0x8b/0xd0 + function_trace_init+0x4f/0x80 + tracing_set_tracer+0xe6/0x170 + tracing_set_trace_write+0x90/0xd0 + __vfs_write+0x37/0x170 + vfs_write+0xb2/0x1b0 + SyS_write+0x55/0xc0 + do_syscall_64+0x67/0x180 + return_from_SYSCALL_64+0x0/0x6a + +[ + Looking further into this, I found that this was left over from when the + function and function graph tracers shared the same ftrace_ops. But in + commit 5f151b2401 ("ftrace: Fix function_profiler and function tracer + together"), the two were separated, and the save_global_trampoline no + longer was necessary (and it may have been broken back then too). + -- Steven Rostedt +] + +Link: http://lkml.kernel.org/r/20170912021454.5976-1-shuwang@redhat.com + +Fixes: 5f151b2401 ("ftrace: Fix function_profiler and function tracer together") +Signed-off-by: Shu Wang +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 14 -------------- + 1 file changed, 14 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4954,9 +4954,6 @@ static char ftrace_graph_buf[FTRACE_FILT + static char ftrace_graph_notrace_buf[FTRACE_FILTER_SIZE] __initdata; + static int ftrace_graph_set_hash(struct ftrace_hash *hash, char *buffer); + +-static unsigned long save_global_trampoline; +-static unsigned long save_global_flags; +- + static int __init set_graph_function(char *str) + { + strlcpy(ftrace_graph_buf, str, FTRACE_FILTER_SIZE); +@@ -6756,17 +6753,6 @@ void unregister_ftrace_graph(void) + unregister_pm_notifier(&ftrace_suspend_notifier); + unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL); + +-#ifdef CONFIG_DYNAMIC_FTRACE +- /* +- * Function graph does not allocate the trampoline, but +- * other global_ops do. We need to reset the ALLOC_TRAMP flag +- * if one was used. +- */ +- global_ops.trampoline = save_global_trampoline; +- if (save_global_flags & FTRACE_OPS_FL_ALLOC_TRAMP) +- global_ops.flags |= FTRACE_OPS_FL_ALLOC_TRAMP; +-#endif +- + out: + mutex_unlock(&ftrace_lock); + } diff --git a/queue-4.13/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch b/queue-4.13/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch new file mode 100644 index 00000000000..cb2c3254e37 --- /dev/null +++ b/queue-4.13/hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch @@ -0,0 +1,36 @@ +From 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b Mon Sep 17 00:00:00 2001 +From: Adrian Salido +Date: Fri, 8 Sep 2017 10:55:27 -0700 +Subject: HID: i2c-hid: allocate hid buffers for real worst case + +From: Adrian Salido + +commit 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b upstream. + +The buffer allocation is not currently accounting for an extra byte for +the report id. This can cause an out of bounds access in function +i2c_hid_set_or_send_report() with reportID > 15. + +Signed-off-by: Adrian Salido +Reviewed-by: Benson Leung +Signed-off-by: Guenter Roeck +Signed-off-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/i2c-hid/i2c-hid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct + { + /* the worst case is computed from the set_report command with a + * reportID > 15 and the maximum report length */ +- int args_len = sizeof(__u8) + /* optional ReportID byte */ ++ int args_len = sizeof(__u8) + /* ReportID */ ++ sizeof(__u8) + /* optional ReportID byte */ + sizeof(__u16) + /* data register */ + sizeof(__u16) + /* size of the report */ + report_size; /* report */ diff --git a/queue-4.13/hid-rmi-make-sure-the-hid-device-is-opened-on-resume.patch b/queue-4.13/hid-rmi-make-sure-the-hid-device-is-opened-on-resume.patch new file mode 100644 index 00000000000..3d93190dff3 --- /dev/null +++ b/queue-4.13/hid-rmi-make-sure-the-hid-device-is-opened-on-resume.patch @@ -0,0 +1,65 @@ +From cac72b990d34f4c70208998a86f910ba38253c94 Mon Sep 17 00:00:00 2001 +From: Lyude +Date: Sat, 22 Jul 2017 21:15:09 -0400 +Subject: HID: rmi: Make sure the HID device is opened on resume + +From: Lyude + +commit cac72b990d34f4c70208998a86f910ba38253c94 upstream. + +So it looks like that suspend/resume has actually always been broken on +hid-rmi. The fact it worked was a rather silly coincidence that was +relying on the HID device to already be opened upon resume. This means +that so long as anything was reading the /dev/input/eventX node for for +an RMI device, it would suspend and resume correctly. As well, if +nothing happened to be keeping the HID device away it would shut off, +then the RMI driver would get confused on resume when it stopped +responding and explode. + +So, call hid_hw_open() in rmi_post_resume() so we make sure that the +device is alive before we try talking to it. + +This fixes RMI device suspend/resume over HID. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=196851 +[jkosina@suse.cz: removed useless hunk that was zero-initializing 'ret'] +Signed-off-by: Lyude +Cc: Andrew Duggan +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-rmi.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-rmi.c ++++ b/drivers/hid/hid-rmi.c +@@ -436,17 +436,24 @@ static int rmi_post_resume(struct hid_de + if (!(data->device_flags & RMI_DEVICE)) + return 0; + +- ret = rmi_reset_attn_mode(hdev); ++ /* Make sure the HID device is ready to receive events */ ++ ret = hid_hw_open(hdev); + if (ret) + return ret; + ++ ret = rmi_reset_attn_mode(hdev); ++ if (ret) ++ goto out; ++ + ret = rmi_driver_resume(rmi_dev, false); + if (ret) { + hid_warn(hdev, "Failed to resume device: %d\n", ret); +- return ret; ++ goto out; + } + +- return 0; ++out: ++ hid_hw_close(hdev); ++ return ret; + } + #endif /* CONFIG_PM */ + diff --git a/queue-4.13/hid-wacom-always-increment-hdev-refcount-within-wacom_get_hdev_data.patch b/queue-4.13/hid-wacom-always-increment-hdev-refcount-within-wacom_get_hdev_data.patch new file mode 100644 index 00000000000..793e7cd1d76 --- /dev/null +++ b/queue-4.13/hid-wacom-always-increment-hdev-refcount-within-wacom_get_hdev_data.patch @@ -0,0 +1,45 @@ +From 2a5e597c6bb1b873e473e5f57147e9e5d2755430 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Mon, 18 Sep 2017 09:27:42 -0700 +Subject: HID: wacom: Always increment hdev refcount within wacom_get_hdev_data + +From: Jason Gerecke + +commit 2a5e597c6bb1b873e473e5f57147e9e5d2755430 upstream. + +The wacom_get_hdev_data function is used to find and return a reference to +the "other half" of a Wacom device (i.e., the touch device associated with +a pen, or vice-versa). To ensure these references are properly accounted +for, the function is supposed to automatically increment the refcount before +returning. This was not done, however, for devices which have pen & touch +on different interfaces of the same USB device. This can lead to a WARNING +("refcount_t: underflow; use-after-free") when removing the module or device +as we call kref_put() more times than kref_get(). Triggering an "actual" use- +after-free would be difficult since both devices will disappear nearly- +simultaneously. To silence this warning and prevent the potential error, we +need to increment the refcount for all cases within wacom_get_hdev_data. + +Fixes: 41372d5d40 ("HID: wacom: Augment 'oVid' and 'oPid' with heuristics for HID_GENERIC") +Signed-off-by: Jason Gerecke +Reviewed-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_sys.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -668,8 +668,10 @@ static struct wacom_hdev_data *wacom_get + + /* Try to find an already-probed interface from the same device */ + list_for_each_entry(data, &wacom_udev_list, list) { +- if (compare_device_paths(hdev, data->dev, '/')) ++ if (compare_device_paths(hdev, data->dev, '/')) { ++ kref_get(&data->kref); + return data; ++ } + } + + /* Fallback to finding devices that appear to be "siblings" */ diff --git a/queue-4.13/hid-wacom-bits-shifted-too-much-for-9th-and-10th-buttons.patch b/queue-4.13/hid-wacom-bits-shifted-too-much-for-9th-and-10th-buttons.patch new file mode 100644 index 00000000000..078f16a9639 --- /dev/null +++ b/queue-4.13/hid-wacom-bits-shifted-too-much-for-9th-and-10th-buttons.patch @@ -0,0 +1,37 @@ +From ce06760ba46b66dae50f2519ae76bd15e89b5710 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Thu, 31 Aug 2017 15:50:03 -0700 +Subject: HID: wacom: bits shifted too much for 9th and 10th buttons + +From: Ping Cheng + +commit ce06760ba46b66dae50f2519ae76bd15e89b5710 upstream. + +Cintiq 12 has 10 expresskey buttons. The bit shift for the last +two buttons were off by 5. + +Fixes: c7f0522 ("HID: wacom: Slim down wacom_intuos_pad processing") + +Signed-off-by: Ping Cheng +Tested-by: Matthieu Robin +Signed-off-by: Jiri Kosina +Cc: Jason Gerecke +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -567,8 +567,8 @@ static int wacom_intuos_pad(struct wacom + keys = data[9] & 0x07; + } + } else { +- buttons = ((data[6] & 0x10) << 10) | +- ((data[5] & 0x10) << 9) | ++ buttons = ((data[6] & 0x10) << 5) | ++ ((data[5] & 0x10) << 4) | + ((data[6] & 0x0F) << 4) | + (data[5] & 0x0F); + } diff --git a/queue-4.13/hid-wacom-correct-coordinate-system-of-touchring-and-pen-twist.patch b/queue-4.13/hid-wacom-correct-coordinate-system-of-touchring-and-pen-twist.patch new file mode 100644 index 00000000000..0d3fe25f118 --- /dev/null +++ b/queue-4.13/hid-wacom-correct-coordinate-system-of-touchring-and-pen-twist.patch @@ -0,0 +1,167 @@ +From d252f4a10fb9c8f7187c6c936ff530039f8cb799 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Wed, 30 Aug 2017 15:13:26 -0700 +Subject: HID: wacom: Correct coordinate system of touchring and pen twist + +From: Jason Gerecke + +commit d252f4a10fb9c8f7187c6c936ff530039f8cb799 upstream. + +The MobileStudio Pro, Cintiq Pro, and 2nd-gen Intuos Pro devices use a +different coordinate system for their touchring and pen twist than prior +devices. Prior devices had zero aligned to the tablet's left and would +increase clockwise. Userspace expects data from the kernel to be in this +old coordinate space, so adjustments are necessary. + +While the coordinate system for pen twist is formally defined by the HID +standard, no such definition existed for the touchring at the time these +tablets were introduced. Future tablets are expected to report touchring +data using the same "zero-up clockwise-increasing" coordinate system +defined for twist. + +Fixes: 50066a042d ("HID: wacom: generic: Add support for height, tilt, and twist usages") +Fixes: 4922cd26f0 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface") +Fixes: 60a2218698 ("HID: wacom: generic: add support for touchring") +Signed-off-by: Jason Gerecke +Reviewed-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 73 ++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 68 insertions(+), 5 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1227,11 +1227,17 @@ static void wacom_intuos_pro2_bt_pen(str + continue; + + if (range) { ++ /* Fix rotation alignment: userspace expects zero at left */ ++ int16_t rotation = (int16_t)get_unaligned_le16(&frame[9]); ++ rotation += 1800/4; ++ if (rotation > 899) ++ rotation -= 1800; ++ + input_report_abs(pen_input, ABS_X, get_unaligned_le16(&frame[1])); + input_report_abs(pen_input, ABS_Y, get_unaligned_le16(&frame[3])); + input_report_abs(pen_input, ABS_TILT_X, (char)frame[7]); + input_report_abs(pen_input, ABS_TILT_Y, (char)frame[8]); +- input_report_abs(pen_input, ABS_Z, (int16_t)get_unaligned_le16(&frame[9])); ++ input_report_abs(pen_input, ABS_Z, rotation); + input_report_abs(pen_input, ABS_WHEEL, get_unaligned_le16(&frame[11])); + } + input_report_abs(pen_input, ABS_PRESSURE, get_unaligned_le16(&frame[5])); +@@ -1319,12 +1325,19 @@ static void wacom_intuos_pro2_bt_pad(str + unsigned char *data = wacom->data; + + int buttons = (data[282] << 1) | ((data[281] >> 6) & 0x01); +- int ring = data[285]; +- int prox = buttons | (ring & 0x80); ++ int ring = data[285] & 0x7F; ++ bool ringstatus = data[285] & 0x80; ++ bool prox = buttons || ringstatus; ++ ++ /* Fix touchring data: userspace expects 0 at left and increasing clockwise */ ++ ring = 71 - ring; ++ ring += 3*72/16; ++ if (ring > 71) ++ ring -= 72; + + wacom_report_numbered_buttons(pad_input, 9, buttons); + +- input_report_abs(pad_input, ABS_WHEEL, (ring & 0x80) ? (ring & 0x7f) : 0); ++ input_report_abs(pad_input, ABS_WHEEL, ringstatus ? ring : 0); + + input_report_key(pad_input, wacom->tool[1], prox ? 1 : 0); + input_report_abs(pad_input, ABS_MISC, prox ? PAD_DEVICE_ID : 0); +@@ -1616,6 +1629,20 @@ static int wacom_tpc_irq(struct wacom_wa + return 0; + } + ++static int wacom_offset_rotation(struct input_dev *input, struct hid_usage *usage, ++ int value, int num, int denom) ++{ ++ struct input_absinfo *abs = &input->absinfo[usage->code]; ++ int range = (abs->maximum - abs->minimum + 1); ++ ++ value += num*range/denom; ++ if (value > abs->maximum) ++ value -= range; ++ else if (value < abs->minimum) ++ value += range; ++ return value; ++} ++ + int wacom_equivalent_usage(int usage) + { + if ((usage & HID_USAGE_PAGE) == WACOM_HID_UP_WACOMDIGITIZER) { +@@ -1898,6 +1925,7 @@ static void wacom_wac_pad_event(struct h + unsigned equivalent_usage = wacom_equivalent_usage(usage->hid); + int i; + bool is_touch_on = value; ++ bool do_report = false; + + /* + * Avoid reporting this event and setting inrange_state if this usage +@@ -1912,6 +1940,29 @@ static void wacom_wac_pad_event(struct h + } + + switch (equivalent_usage) { ++ case WACOM_HID_WD_TOUCHRING: ++ /* ++ * Userspace expects touchrings to increase in value with ++ * clockwise gestures and have their zero point at the ++ * tablet's left. HID events "should" be clockwise- ++ * increasing and zero at top, though the MobileStudio ++ * Pro and 2nd-gen Intuos Pro don't do this... ++ */ ++ if (hdev->vendor == 0x56a && ++ (hdev->product == 0x34d || hdev->product == 0x34e || /* MobileStudio Pro */ ++ hdev->product == 0x357 || hdev->product == 0x358)) { /* Intuos Pro 2 */ ++ value = (field->logical_maximum - value); ++ ++ if (hdev->product == 0x357 || hdev->product == 0x358) ++ value = wacom_offset_rotation(input, usage, value, 3, 16); ++ else if (hdev->product == 0x34d || hdev->product == 0x34e) ++ value = wacom_offset_rotation(input, usage, value, 1, 2); ++ } ++ else { ++ value = wacom_offset_rotation(input, usage, value, 1, 4); ++ } ++ do_report = true; ++ break; + case WACOM_HID_WD_TOUCHRINGSTATUS: + if (!value) + input_event(input, usage->type, usage->code, 0); +@@ -1945,10 +1996,14 @@ static void wacom_wac_pad_event(struct h + value, i); + /* fall through*/ + default: ++ do_report = true; ++ break; ++ } ++ ++ if (do_report) { + input_event(input, usage->type, usage->code, value); + if (value) + wacom_wac->hid_data.pad_input_event_flag = true; +- break; + } + } + +@@ -2089,6 +2144,14 @@ static void wacom_wac_pen_event(struct h + wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL); + wacom_wac->serial[0] |= (__u32)value; + return; ++ case HID_DG_TWIST: ++ /* ++ * Userspace expects pen twist to have its zero point when ++ * the buttons/finger is on the tablet's left. HID values ++ * are zero when buttons are toward the top. ++ */ ++ value = wacom_offset_rotation(input, usage, value, 1, 4); ++ break; + case WACOM_HID_WD_SENSE: + wacom_wac->hid_data.sense_state = value; + return; diff --git a/queue-4.13/hid-wacom-generic-clear-abs_misc-when-tool-leaves-proximity.patch b/queue-4.13/hid-wacom-generic-clear-abs_misc-when-tool-leaves-proximity.patch new file mode 100644 index 00000000000..5253a421fb3 --- /dev/null +++ b/queue-4.13/hid-wacom-generic-clear-abs_misc-when-tool-leaves-proximity.patch @@ -0,0 +1,37 @@ +From 92380b572d95caf48f8424746aeee63c5a2b1922 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 7 Sep 2017 17:47:38 -0700 +Subject: HID: wacom: generic: Clear ABS_MISC when tool leaves proximity + +From: Jason Gerecke + +commit 92380b572d95caf48f8424746aeee63c5a2b1922 upstream. + +The tool ID information sent in ABS_MISC is expected to be reset to 0 +when a tool leaves proximity. Not doing this can cause problems if a +tool is removed and then re-introduced. Kernel event filtering will +prevent the (identical) ABS_MISC event from being sent when the tool +re-enters proxmity. This can cause userspace to not properly set the +tool ID. + +Fixes: f85c9dc678 ("HID: wacom: generic: Support tool ID and additional tool types") +Signed-off-by: Ping Cheng +Signed-off-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2272,7 +2272,7 @@ static void wacom_wac_pen_report(struct + input_report_key(input, wacom_wac->tool[0], prox); + if (wacom_wac->serial[0]) { + input_event(input, EV_MSC, MSC_SERIAL, wacom_wac->serial[0]); +- input_report_abs(input, ABS_MISC, id); ++ input_report_abs(input, ABS_MISC, prox ? id : 0); + } + + wacom_wac->hid_data.tipswitch = false; diff --git a/queue-4.13/hid-wacom-generic-send-msc_serial-and-abs_misc-when-leaving-prox.patch b/queue-4.13/hid-wacom-generic-send-msc_serial-and-abs_misc-when-leaving-prox.patch new file mode 100644 index 00000000000..d5f8fbbaed4 --- /dev/null +++ b/queue-4.13/hid-wacom-generic-send-msc_serial-and-abs_misc-when-leaving-prox.patch @@ -0,0 +1,93 @@ +From 993f0d93f8538c15bd5c12a1a9fd74c777efea1b Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 7 Sep 2017 17:44:12 -0700 +Subject: HID: wacom: generic: Send MSC_SERIAL and ABS_MISC when leaving prox + +From: Jason Gerecke + +commit 993f0d93f8538c15bd5c12a1a9fd74c777efea1b upstream. + +The latest generation of pro devices (MobileStudio Pro, 2nd-gen Intuos +Pro, Cintiq Pro) send a serial number of '0' whenever the pen is too far +away for reliable communication. Userspace defines that a serial number +of '0' is invalid, so we need to be careful not to actually forward +this value. Additionally, since EMR ISDv4 devices do not support serial +numbers or tool IDs, we'd like to not send these events if they aren't +necessary. + +The existing code achieves these goals by adding a check for a non-zero +serial number within the wacom_wac_pen_report function. The MSC_SERIAL +and ABS_MISC events are only sent if the serial number is non-zero. This +code fails, however when the pen for a pro device leaves proximity. When +the pen leaves prox and the tablet sends a serial of 0, wacom_wac_pen_event +dutifully clears the serial number. When wacom_wac_pen_report is called, +it does not send either the MSC_SERIAL of the exiting tool nor an ABS_MISC +event. + +This patch prevents the wacom_wac_pen_event function from clearing an +already-set serial number. This ensures that we have the serial number +handy when exiting proximity, but requires us to manually clear it +afterwards to ensure the driver does not send stale data (e.g. when +switching between AES pens that report a serial nubmer of 0 for the +first few fully in-proximity packets). + +Fixes: f85c9dc678 ("HID: wacom: generic: Support tool ID and additional tool types") +Signed-off-by: Ping Cheng +Signed-off-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2141,8 +2141,10 @@ static void wacom_wac_pen_event(struct h + wacom_wac->hid_data.tipswitch |= value; + return; + case HID_DG_TOOLSERIALNUMBER: +- wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL); +- wacom_wac->serial[0] |= (__u32)value; ++ if (value) { ++ wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL); ++ wacom_wac->serial[0] |= (__u32)value; ++ } + return; + case HID_DG_TWIST: + /* +@@ -2156,15 +2158,17 @@ static void wacom_wac_pen_event(struct h + wacom_wac->hid_data.sense_state = value; + return; + case WACOM_HID_WD_SERIALHI: +- wacom_wac->serial[0] = (wacom_wac->serial[0] & 0xFFFFFFFF); +- wacom_wac->serial[0] |= ((__u64)value) << 32; +- /* +- * Non-USI EMR devices may contain additional tool type +- * information here. See WACOM_HID_WD_TOOLTYPE case for +- * more details. +- */ +- if (value >> 20 == 1) { +- wacom_wac->id[0] |= value & 0xFFFFF; ++ if (value) { ++ wacom_wac->serial[0] = (wacom_wac->serial[0] & 0xFFFFFFFF); ++ wacom_wac->serial[0] |= ((__u64)value) << 32; ++ /* ++ * Non-USI EMR devices may contain additional tool type ++ * information here. See WACOM_HID_WD_TOOLTYPE case for ++ * more details. ++ */ ++ if (value >> 20 == 1) { ++ wacom_wac->id[0] |= value & 0xFFFFF; ++ } + } + return; + case WACOM_HID_WD_TOOLTYPE: +@@ -2279,6 +2283,7 @@ static void wacom_wac_pen_report(struct + if (!prox) { + wacom_wac->tool[0] = 0; + wacom_wac->id[0] = 0; ++ wacom_wac->serial[0] = 0; + } + } + diff --git a/queue-4.13/hid-wacom-leds-don-t-try-to-control-the-ekr-s-read-only-leds.patch b/queue-4.13/hid-wacom-leds-don-t-try-to-control-the-ekr-s-read-only-leds.patch new file mode 100644 index 00000000000..4b446327a78 --- /dev/null +++ b/queue-4.13/hid-wacom-leds-don-t-try-to-control-the-ekr-s-read-only-leds.patch @@ -0,0 +1,38 @@ +From 74aebed6dc13425233f2224668353cff7a112776 Mon Sep 17 00:00:00 2001 +From: Aaron Armstrong Skomra +Date: Mon, 28 Aug 2017 14:15:39 -0700 +Subject: HID: wacom: leds: Don't try to control the EKR's read-only LEDs + +From: Aaron Armstrong Skomra + +commit 74aebed6dc13425233f2224668353cff7a112776 upstream. + +Commit a50aac7193f1 introduces 'led.groups' and adds EKR support +for these groups. However, unlike the other devices with LEDs, +the EKR's LEDs are read-only and we shouldn't attempt to control +them in wacom_led_control(). + +See bug: https://sourceforge.net/p/linuxwacom/bugs/342/ + +Fixes: a50aac7193f1 ("HID: wacom: leds: dynamically allocate LED groups") +Signed-off-by: Aaron Armstrong Skomra +Reviewed-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_sys.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -766,6 +766,9 @@ static int wacom_led_control(struct waco + if (!wacom->led.groups) + return -ENOTSUPP; + ++ if (wacom->wacom_wac.features.type == REMOTE) ++ return -ENOTSUPP; ++ + if (wacom->wacom_wac.pid) { /* wireless connected */ + report_id = WAC_CMD_WL_LED_CONTROL; + buf_size = 13; diff --git a/queue-4.13/hid-wacom-properly-report-negative-values-from-intuos-pro-2-bluetooth.patch b/queue-4.13/hid-wacom-properly-report-negative-values-from-intuos-pro-2-bluetooth.patch new file mode 100644 index 00000000000..dc99ff29109 --- /dev/null +++ b/queue-4.13/hid-wacom-properly-report-negative-values-from-intuos-pro-2-bluetooth.patch @@ -0,0 +1,40 @@ +From b63c4c2718d641ba9bec888994f0cb0c23a1ef45 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Wed, 30 Aug 2017 15:13:25 -0700 +Subject: HID: wacom: Properly report negative values from Intuos Pro 2 Bluetooth + +From: Jason Gerecke + +commit b63c4c2718d641ba9bec888994f0cb0c23a1ef45 upstream. + +The wacom driver's IRQ handler for Bluetooth reports from the 2nd-gen +Intuos Pro does not correctly process negative numbers. Values for +tilt and rotation (which can go negative) are instead interpreted as +unsigned and so jump to very large values when the data should be +negative. This commit properly casts the data to ensure we report +negative numbers when necessary. + +Fixes: 4922cd2 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface") +Signed-off-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1229,9 +1229,9 @@ static void wacom_intuos_pro2_bt_pen(str + if (range) { + input_report_abs(pen_input, ABS_X, get_unaligned_le16(&frame[1])); + input_report_abs(pen_input, ABS_Y, get_unaligned_le16(&frame[3])); +- input_report_abs(pen_input, ABS_TILT_X, frame[7]); +- input_report_abs(pen_input, ABS_TILT_Y, frame[8]); +- input_report_abs(pen_input, ABS_Z, get_unaligned_le16(&frame[9])); ++ input_report_abs(pen_input, ABS_TILT_X, (char)frame[7]); ++ input_report_abs(pen_input, ABS_TILT_Y, (char)frame[8]); ++ input_report_abs(pen_input, ABS_Z, (int16_t)get_unaligned_le16(&frame[9])); + input_report_abs(pen_input, ABS_WHEEL, get_unaligned_le16(&frame[11])); + } + input_report_abs(pen_input, ABS_PRESSURE, get_unaligned_le16(&frame[5])); diff --git a/queue-4.13/intel_th-pci-add-cedar-fork-pch-support.patch b/queue-4.13/intel_th-pci-add-cedar-fork-pch-support.patch new file mode 100644 index 00000000000..d30c765c9e5 --- /dev/null +++ b/queue-4.13/intel_th-pci-add-cedar-fork-pch-support.patch @@ -0,0 +1,32 @@ +From 920ce7c33db25cf4acb4ade3ae8c93bd23dfd730 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 19 Sep 2017 18:47:41 +0300 +Subject: intel_th: pci: Add Cedar Fork PCH support + +From: Alexander Shishkin + +commit 920ce7c33db25cf4acb4ade3ae8c93bd23dfd730 upstream. + +This adds Intel(R) Trace Hub PCI ID for Cedar Fork PCH. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -105,6 +105,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6), + .driver_data = (kernel_ulong_t)0, + }, ++ { ++ /* Cedar Fork PCH */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x18e1), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, + { 0 }, + }; + diff --git a/queue-4.13/intel_th-pci-add-lewisburg-pch-support.patch b/queue-4.13/intel_th-pci-add-lewisburg-pch-support.patch new file mode 100644 index 00000000000..4d49657567f --- /dev/null +++ b/queue-4.13/intel_th-pci-add-lewisburg-pch-support.patch @@ -0,0 +1,32 @@ +From 24600840c74112ad04a9ddd99d7d7f731dcaa1cb Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 19 Sep 2017 18:47:42 +0300 +Subject: intel_th: pci: Add Lewisburg PCH support + +From: Alexander Shishkin + +commit 24600840c74112ad04a9ddd99d7d7f731dcaa1cb upstream. + +This adds Intel(R) Trace Hub PCI ID for Lewisburg PCH. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -91,6 +91,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)0, + }, + { ++ /* Lewisburg PCH */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa1a6), ++ .driver_data = (kernel_ulong_t)0, ++ }, ++ { + /* Gemini Lake */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e), + .driver_data = (kernel_ulong_t)0, diff --git a/queue-4.13/netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch b/queue-4.13/netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch new file mode 100644 index 00000000000..513a5e53c8c --- /dev/null +++ b/queue-4.13/netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch @@ -0,0 +1,238 @@ +From b4391db42308c9940944b5d7be5ca4b78fb88dd0 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Sep 2017 23:29:19 +0200 +Subject: netlink: fix nla_put_{u8,u16,u32} for KASAN + +From: Arnd Bergmann + +commit b4391db42308c9940944b5d7be5ca4b78fb88dd0 upstream. + +When CONFIG_KASAN is enabled, the "--param asan-stack=1" causes rather large +stack frames in some functions. This goes unnoticed normally because +CONFIG_FRAME_WARN is disabled with CONFIG_KASAN by default as of commit +3f181b4d8652 ("lib/Kconfig.debug: disable -Wframe-larger-than warnings with +KASAN=y"). + +The kernelci.org build bot however has the warning enabled and that led +me to investigate it a little further, as every build produces these warnings: + +net/wireless/nl80211.c:4389:1: warning: the frame size of 2240 bytes is larger than 2048 bytes [-Wframe-larger-than=] +net/wireless/nl80211.c:1895:1: warning: the frame size of 3776 bytes is larger than 2048 bytes [-Wframe-larger-than=] +net/wireless/nl80211.c:1410:1: warning: the frame size of 2208 bytes is larger than 2048 bytes [-Wframe-larger-than=] +net/bridge/br_netlink.c:1282:1: warning: the frame size of 2544 bytes is larger than 2048 bytes [-Wframe-larger-than=] + +Most of this problem is now solved in gcc-8, which can consolidate +the stack slots for the inline function arguments. On older compilers +we can add a workaround by declaring a local variable in each function +to pass the inline function argument. + +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/netlink.h | 73 +++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 55 insertions(+), 18 deletions(-) + +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -768,7 +768,10 @@ static inline int nla_parse_nested(struc + */ + static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value) + { +- return nla_put(skb, attrtype, sizeof(u8), &value); ++ /* temporary variables to work around GCC PR81715 with asan-stack=1 */ ++ u8 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(u8), &tmp); + } + + /** +@@ -779,7 +782,9 @@ static inline int nla_put_u8(struct sk_b + */ + static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value) + { +- return nla_put(skb, attrtype, sizeof(u16), &value); ++ u16 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(u16), &tmp); + } + + /** +@@ -790,7 +795,9 @@ static inline int nla_put_u16(struct sk_ + */ + static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value) + { +- return nla_put(skb, attrtype, sizeof(__be16), &value); ++ __be16 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__be16), &tmp); + } + + /** +@@ -801,7 +808,9 @@ static inline int nla_put_be16(struct sk + */ + static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value) + { +- return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value); ++ __be16 tmp = value; ++ ++ return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, tmp); + } + + /** +@@ -812,7 +821,9 @@ static inline int nla_put_net16(struct s + */ + static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value) + { +- return nla_put(skb, attrtype, sizeof(__le16), &value); ++ __le16 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__le16), &tmp); + } + + /** +@@ -823,7 +834,9 @@ static inline int nla_put_le16(struct sk + */ + static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value) + { +- return nla_put(skb, attrtype, sizeof(u32), &value); ++ u32 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(u32), &tmp); + } + + /** +@@ -834,7 +847,9 @@ static inline int nla_put_u32(struct sk_ + */ + static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value) + { +- return nla_put(skb, attrtype, sizeof(__be32), &value); ++ __be32 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__be32), &tmp); + } + + /** +@@ -845,7 +860,9 @@ static inline int nla_put_be32(struct sk + */ + static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value) + { +- return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value); ++ __be32 tmp = value; ++ ++ return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, tmp); + } + + /** +@@ -856,7 +873,9 @@ static inline int nla_put_net32(struct s + */ + static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value) + { +- return nla_put(skb, attrtype, sizeof(__le32), &value); ++ __le32 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__le32), &tmp); + } + + /** +@@ -869,7 +888,9 @@ static inline int nla_put_le32(struct sk + static inline int nla_put_u64_64bit(struct sk_buff *skb, int attrtype, + u64 value, int padattr) + { +- return nla_put_64bit(skb, attrtype, sizeof(u64), &value, padattr); ++ u64 tmp = value; ++ ++ return nla_put_64bit(skb, attrtype, sizeof(u64), &tmp, padattr); + } + + /** +@@ -882,7 +903,9 @@ static inline int nla_put_u64_64bit(stru + static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value, + int padattr) + { +- return nla_put_64bit(skb, attrtype, sizeof(__be64), &value, padattr); ++ __be64 tmp = value; ++ ++ return nla_put_64bit(skb, attrtype, sizeof(__be64), &tmp, padattr); + } + + /** +@@ -895,7 +918,9 @@ static inline int nla_put_be64(struct sk + static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value, + int padattr) + { +- return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, value, ++ __be64 tmp = value; ++ ++ return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, tmp, + padattr); + } + +@@ -909,7 +934,9 @@ static inline int nla_put_net64(struct s + static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value, + int padattr) + { +- return nla_put_64bit(skb, attrtype, sizeof(__le64), &value, padattr); ++ __le64 tmp = value; ++ ++ return nla_put_64bit(skb, attrtype, sizeof(__le64), &tmp, padattr); + } + + /** +@@ -920,7 +947,9 @@ static inline int nla_put_le64(struct sk + */ + static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value) + { +- return nla_put(skb, attrtype, sizeof(s8), &value); ++ s8 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(s8), &tmp); + } + + /** +@@ -931,7 +960,9 @@ static inline int nla_put_s8(struct sk_b + */ + static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value) + { +- return nla_put(skb, attrtype, sizeof(s16), &value); ++ s16 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(s16), &tmp); + } + + /** +@@ -942,7 +973,9 @@ static inline int nla_put_s16(struct sk_ + */ + static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value) + { +- return nla_put(skb, attrtype, sizeof(s32), &value); ++ s32 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(s32), &tmp); + } + + /** +@@ -955,7 +988,9 @@ static inline int nla_put_s32(struct sk_ + static inline int nla_put_s64(struct sk_buff *skb, int attrtype, s64 value, + int padattr) + { +- return nla_put_64bit(skb, attrtype, sizeof(s64), &value, padattr); ++ s64 tmp = value; ++ ++ return nla_put_64bit(skb, attrtype, sizeof(s64), &tmp, padattr); + } + + /** +@@ -1005,7 +1040,9 @@ static inline int nla_put_msecs(struct s + static inline int nla_put_in_addr(struct sk_buff *skb, int attrtype, + __be32 addr) + { +- return nla_put_be32(skb, attrtype, addr); ++ __be32 tmp = addr; ++ ++ return nla_put_be32(skb, attrtype, tmp); + } + + /** diff --git a/queue-4.13/ovl-fix-dentry-leak-in-ovl_indexdir_cleanup.patch b/queue-4.13/ovl-fix-dentry-leak-in-ovl_indexdir_cleanup.patch new file mode 100644 index 00000000000..43b668ce982 --- /dev/null +++ b/queue-4.13/ovl-fix-dentry-leak-in-ovl_indexdir_cleanup.patch @@ -0,0 +1,58 @@ +From dc7ab6773e8171e07f16fd0df0c5eea28c899503 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Sun, 24 Sep 2017 22:19:10 +0300 +Subject: ovl: fix dentry leak in ovl_indexdir_cleanup() + +From: Amir Goldstein + +commit dc7ab6773e8171e07f16fd0df0c5eea28c899503 upstream. + +index dentry was not released when breaking out of the loop +due to index verification error. + +Fixes: 415543d5c64f ("ovl: cleanup bad and stale index entries on mount") +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/readdir.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/overlayfs/readdir.c ++++ b/fs/overlayfs/readdir.c +@@ -672,6 +672,7 @@ int ovl_indexdir_cleanup(struct dentry * + struct path *lowerstack, unsigned int numlower) + { + int err; ++ struct dentry *index = NULL; + struct inode *dir = dentry->d_inode; + struct path path = { .mnt = mnt, .dentry = dentry }; + LIST_HEAD(list); +@@ -690,8 +691,6 @@ int ovl_indexdir_cleanup(struct dentry * + + inode_lock_nested(dir, I_MUTEX_PARENT); + list_for_each_entry(p, &list, l_node) { +- struct dentry *index; +- + if (p->name[0] == '.') { + if (p->len == 1) + continue; +@@ -701,6 +700,7 @@ int ovl_indexdir_cleanup(struct dentry * + index = lookup_one_len(p->name, dentry, p->len); + if (IS_ERR(index)) { + err = PTR_ERR(index); ++ index = NULL; + break; + } + err = ovl_verify_index(index, lowerstack, numlower); +@@ -712,7 +712,9 @@ int ovl_indexdir_cleanup(struct dentry * + break; + } + dput(index); ++ index = NULL; + } ++ dput(index); + inode_unlock(dir); + out: + ovl_cache_free(&list); diff --git a/queue-4.13/ovl-fix-dput-of-err_ptr-in-ovl_cleanup_index.patch b/queue-4.13/ovl-fix-dput-of-err_ptr-in-ovl_cleanup_index.patch new file mode 100644 index 00000000000..383eb0a0959 --- /dev/null +++ b/queue-4.13/ovl-fix-dput-of-err_ptr-in-ovl_cleanup_index.patch @@ -0,0 +1,39 @@ +From 9f4ec904dbd4eb1a2db10d5e7dc16eae386fe64d Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Sun, 24 Sep 2017 17:36:26 +0300 +Subject: ovl: fix dput() of ERR_PTR in ovl_cleanup_index() + +From: Amir Goldstein + +commit 9f4ec904dbd4eb1a2db10d5e7dc16eae386fe64d upstream. + +Fixes: caf70cb2ba5d ("ovl: cleanup orphan index entries") +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/util.c ++++ b/fs/overlayfs/util.c +@@ -418,7 +418,7 @@ void ovl_inuse_unlock(struct dentry *den + } + } + +-/* Called must hold OVL_I(inode)->oi_lock */ ++/* Caller must hold OVL_I(inode)->lock */ + static void ovl_cleanup_index(struct dentry *dentry) + { + struct inode *dir = ovl_indexdir(dentry->d_sb)->d_inode; +@@ -457,6 +457,9 @@ static void ovl_cleanup_index(struct den + err = PTR_ERR(index); + if (!IS_ERR(index)) + err = ovl_cleanup(dir, index); ++ else ++ index = NULL; ++ + inode_unlock(dir); + if (err) + goto fail; diff --git a/queue-4.13/ovl-fix-error-value-printed-in-ovl_lookup_index.patch b/queue-4.13/ovl-fix-error-value-printed-in-ovl_lookup_index.patch new file mode 100644 index 00000000000..b1412227fe8 --- /dev/null +++ b/queue-4.13/ovl-fix-error-value-printed-in-ovl_lookup_index.patch @@ -0,0 +1,28 @@ +From e0082a0f04c432cb6d7128ef60d8e425e45ce025 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Sun, 24 Sep 2017 13:01:35 +0300 +Subject: ovl: fix error value printed in ovl_lookup_index() + +From: Amir Goldstein + +commit e0082a0f04c432cb6d7128ef60d8e425e45ce025 upstream. + +Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin") +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/namei.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/overlayfs/namei.c ++++ b/fs/overlayfs/namei.c +@@ -506,6 +506,7 @@ static struct dentry *ovl_lookup_index(s + + index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len); + if (IS_ERR(index)) { ++ err = PTR_ERR(index); + pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n" + "overlayfs: mount with '-o index=off' to disable inodes index.\n", + d_inode(origin)->i_ino, name.len, name.name, diff --git a/queue-4.13/ovl-fix-missing-unlock_rename-in-ovl_do_copy_up.patch b/queue-4.13/ovl-fix-missing-unlock_rename-in-ovl_do_copy_up.patch new file mode 100644 index 00000000000..b5c4eb630d6 --- /dev/null +++ b/queue-4.13/ovl-fix-missing-unlock_rename-in-ovl_do_copy_up.patch @@ -0,0 +1,103 @@ +From 5820dc0888d302ac05f8b91ffdf7e4e53b4fbf53 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Mon, 25 Sep 2017 16:39:55 +0300 +Subject: ovl: fix missing unlock_rename() in ovl_do_copy_up() + +From: Amir Goldstein + +commit 5820dc0888d302ac05f8b91ffdf7e4e53b4fbf53 upstream. + +Use the ovl_lock_rename_workdir() helper which requires +unlock_rename() only on lock success. + +Fixes: ("fd210b7d67ee ovl: move copy up lock out") +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/copy_up.c | 6 ++---- + fs/overlayfs/dir.c | 20 -------------------- + fs/overlayfs/overlayfs.h | 1 + + fs/overlayfs/util.c | 19 +++++++++++++++++++ + 4 files changed, 22 insertions(+), 24 deletions(-) + +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -561,10 +561,8 @@ static int ovl_do_copy_up(struct ovl_cop + c->tmpfile = true; + err = ovl_copy_up_locked(c); + } else { +- err = -EIO; +- if (lock_rename(c->workdir, c->destdir) != NULL) { +- pr_err("overlayfs: failed to lock workdir+upperdir\n"); +- } else { ++ err = ovl_lock_rename_workdir(c->workdir, c->destdir); ++ if (!err) { + err = ovl_copy_up_locked(c); + unlock_rename(c->workdir, c->destdir); + } +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -216,26 +216,6 @@ out_unlock: + return err; + } + +-static int ovl_lock_rename_workdir(struct dentry *workdir, +- struct dentry *upperdir) +-{ +- /* Workdir should not be the same as upperdir */ +- if (workdir == upperdir) +- goto err; +- +- /* Workdir should not be subdir of upperdir and vice versa */ +- if (lock_rename(workdir, upperdir) != NULL) +- goto err_unlock; +- +- return 0; +- +-err_unlock: +- unlock_rename(workdir, upperdir); +-err: +- pr_err("overlayfs: failed to lock workdir+upperdir\n"); +- return -EIO; +-} +- + static struct dentry *ovl_clear_empty(struct dentry *dentry, + struct list_head *list) + { +--- a/fs/overlayfs/overlayfs.h ++++ b/fs/overlayfs/overlayfs.h +@@ -234,6 +234,7 @@ bool ovl_inuse_trylock(struct dentry *de + void ovl_inuse_unlock(struct dentry *dentry); + int ovl_nlink_start(struct dentry *dentry, bool *locked); + void ovl_nlink_end(struct dentry *dentry, bool locked); ++int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *upperdir); + + static inline bool ovl_is_impuredir(struct dentry *dentry) + { +--- a/fs/overlayfs/util.c ++++ b/fs/overlayfs/util.c +@@ -548,3 +548,22 @@ void ovl_nlink_end(struct dentry *dentry + mutex_unlock(&OVL_I(d_inode(dentry))->lock); + } + } ++ ++int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *upperdir) ++{ ++ /* Workdir should not be the same as upperdir */ ++ if (workdir == upperdir) ++ goto err; ++ ++ /* Workdir should not be subdir of upperdir and vice versa */ ++ if (lock_rename(workdir, upperdir) != NULL) ++ goto err_unlock; ++ ++ return 0; ++ ++err_unlock: ++ unlock_rename(workdir, upperdir); ++err: ++ pr_err("overlayfs: failed to lock workdir+upperdir\n"); ++ return -EIO; ++} diff --git a/queue-4.13/ovl-fix-regression-caused-by-exclusive-upper-work-dir-protection.patch b/queue-4.13/ovl-fix-regression-caused-by-exclusive-upper-work-dir-protection.patch new file mode 100644 index 00000000000..8b4823f3426 --- /dev/null +++ b/queue-4.13/ovl-fix-regression-caused-by-exclusive-upper-work-dir-protection.patch @@ -0,0 +1,144 @@ +From 85fdee1eef1a9e48ad5716916677e0c5fbc781e3 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Fri, 29 Sep 2017 10:21:21 +0300 +Subject: ovl: fix regression caused by exclusive upper/work dir protection + +From: Amir Goldstein + +commit 85fdee1eef1a9e48ad5716916677e0c5fbc781e3 upstream. + +Enforcing exclusive ownership on upper/work dirs caused a docker +regression: https://github.com/moby/moby/issues/34672. + +Euan spotted the regression and pointed to the offending commit. +Vivek has brought the regression to my attention and provided this +reproducer: + +Terminal 1: + + mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none + merged/ + +Terminal 2: + + unshare -m + +Terminal 1: + + umount merged + mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none + merged/ + mount: /root/overlay-testing/merged: none already mounted or mount point + busy + +To fix the regression, I replaced the error with an alarming warning. +With index feature enabled, mount does fail, but logs a suggestion to +override exclusive dir protection by disabling index. +Note that index=off mount does take the inuse locks, so a concurrent +index=off will issue the warning and a concurrent index=on mount will fail. + +Documentation was updated to reflect this change. + +Fixes: 2cac0c00a6cd ("ovl: get exclusive ownership on upper/work dirs") +Reported-by: Euan Kemp +Reported-by: Vivek Goyal +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/filesystems/overlayfs.txt | 5 ++++- + fs/overlayfs/ovl_entry.h | 3 +++ + fs/overlayfs/super.c | 27 +++++++++++++++++++-------- + 3 files changed, 26 insertions(+), 9 deletions(-) + +--- a/Documentation/filesystems/overlayfs.txt ++++ b/Documentation/filesystems/overlayfs.txt +@@ -210,8 +210,11 @@ path as another overlay mount and it may + beneath or above the path of another overlay lower layer path. + + Using an upper layer path and/or a workdir path that are already used by +-another overlay mount is not allowed and will fail with EBUSY. Using ++another overlay mount is not allowed and may fail with EBUSY. Using + partially overlapping paths is not allowed but will not fail with EBUSY. ++If files are accessed from two overlayfs mounts which share or overlap the ++upper layer and/or workdir path the behavior of the overlay is undefined, ++though it will not result in a crash or deadlock. + + Mounting an overlay using an upper layer path, where the upper layer path + was previously used by another mounted overlay in combination with a +--- a/fs/overlayfs/ovl_entry.h ++++ b/fs/overlayfs/ovl_entry.h +@@ -37,6 +37,9 @@ struct ovl_fs { + bool noxattr; + /* sb common to all layers */ + struct super_block *same_sb; ++ /* Did we take the inuse lock? */ ++ bool upperdir_locked; ++ bool workdir_locked; + }; + + /* private information held for every overlayfs dentry */ +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -210,9 +210,10 @@ static void ovl_put_super(struct super_b + + dput(ufs->indexdir); + dput(ufs->workdir); +- ovl_inuse_unlock(ufs->workbasedir); ++ if (ufs->workdir_locked) ++ ovl_inuse_unlock(ufs->workbasedir); + dput(ufs->workbasedir); +- if (ufs->upper_mnt) ++ if (ufs->upper_mnt && ufs->upperdir_locked) + ovl_inuse_unlock(ufs->upper_mnt->mnt_root); + mntput(ufs->upper_mnt); + for (i = 0; i < ufs->numlower; i++) +@@ -880,9 +881,13 @@ static int ovl_fill_super(struct super_b + goto out_put_upperpath; + + err = -EBUSY; +- if (!ovl_inuse_trylock(upperpath.dentry)) { +- pr_err("overlayfs: upperdir is in-use by another mount\n"); ++ if (ovl_inuse_trylock(upperpath.dentry)) { ++ ufs->upperdir_locked = true; ++ } else if (ufs->config.index) { ++ pr_err("overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.\n"); + goto out_put_upperpath; ++ } else { ++ pr_warn("overlayfs: upperdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n"); + } + + err = ovl_mount_dir(ufs->config.workdir, &workpath); +@@ -900,9 +905,13 @@ static int ovl_fill_super(struct super_b + } + + err = -EBUSY; +- if (!ovl_inuse_trylock(workpath.dentry)) { +- pr_err("overlayfs: workdir is in-use by another mount\n"); ++ if (ovl_inuse_trylock(workpath.dentry)) { ++ ufs->workdir_locked = true; ++ } else if (ufs->config.index) { ++ pr_err("overlayfs: workdir is in-use by another mount, mount with '-o index=off' to override exclusive workdir protection.\n"); + goto out_put_workpath; ++ } else { ++ pr_warn("overlayfs: workdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n"); + } + + ufs->workbasedir = workpath.dentry; +@@ -1155,11 +1164,13 @@ out_put_lowerpath: + out_free_lowertmp: + kfree(lowertmp); + out_unlock_workdentry: +- ovl_inuse_unlock(workpath.dentry); ++ if (ufs->workdir_locked) ++ ovl_inuse_unlock(workpath.dentry); + out_put_workpath: + path_put(&workpath); + out_unlock_upperdentry: +- ovl_inuse_unlock(upperpath.dentry); ++ if (ufs->upperdir_locked) ++ ovl_inuse_unlock(upperpath.dentry); + out_put_upperpath: + path_put(&upperpath); + out_free_config: diff --git a/queue-4.13/rocker-fix-rocker_tlv_put_-functions-for-kasan.patch b/queue-4.13/rocker-fix-rocker_tlv_put_-functions-for-kasan.patch new file mode 100644 index 00000000000..8bdcfcad7b4 --- /dev/null +++ b/queue-4.13/rocker-fix-rocker_tlv_put_-functions-for-kasan.patch @@ -0,0 +1,102 @@ +From 6098d7ddd62f532f80ee2a4b01aca500a8e4e9e4 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Sep 2017 23:29:18 +0200 +Subject: rocker: fix rocker_tlv_put_* functions for KASAN + +From: Arnd Bergmann + +commit 6098d7ddd62f532f80ee2a4b01aca500a8e4e9e4 upstream. + +Inlining these functions creates lots of stack variables that each take +64 bytes when KASAN is enabled, leading to this warning about potential +stack overflow: + +drivers/net/ethernet/rocker/rocker_ofdpa.c: In function 'ofdpa_cmd_flow_tbl_add': +drivers/net/ethernet/rocker/rocker_ofdpa.c:621:1: error: the frame size of 2752 bytes is larger than 1536 bytes [-Werror=frame-larger-than=] + +gcc-8 can now consolidate the stack slots itself, but on older versions +we get the same behavior by using a temporary variable that holds a +copy of the inline function argument. + +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/rocker/rocker_tlv.h | 48 +++++++++++++++++++------------ + 1 file changed, 30 insertions(+), 18 deletions(-) + +--- a/drivers/net/ethernet/rocker/rocker_tlv.h ++++ b/drivers/net/ethernet/rocker/rocker_tlv.h +@@ -139,40 +139,52 @@ rocker_tlv_start(struct rocker_desc_info + int rocker_tlv_put(struct rocker_desc_info *desc_info, + int attrtype, int attrlen, const void *data); + +-static inline int rocker_tlv_put_u8(struct rocker_desc_info *desc_info, +- int attrtype, u8 value) ++static inline int ++rocker_tlv_put_u8(struct rocker_desc_info *desc_info, int attrtype, u8 value) + { +- return rocker_tlv_put(desc_info, attrtype, sizeof(u8), &value); ++ u8 tmp = value; /* work around GCC PR81715 */ ++ ++ return rocker_tlv_put(desc_info, attrtype, sizeof(u8), &tmp); + } + +-static inline int rocker_tlv_put_u16(struct rocker_desc_info *desc_info, +- int attrtype, u16 value) ++static inline int ++rocker_tlv_put_u16(struct rocker_desc_info *desc_info, int attrtype, u16 value) + { +- return rocker_tlv_put(desc_info, attrtype, sizeof(u16), &value); ++ u16 tmp = value; ++ ++ return rocker_tlv_put(desc_info, attrtype, sizeof(u16), &tmp); + } + +-static inline int rocker_tlv_put_be16(struct rocker_desc_info *desc_info, +- int attrtype, __be16 value) ++static inline int ++rocker_tlv_put_be16(struct rocker_desc_info *desc_info, int attrtype, __be16 value) + { +- return rocker_tlv_put(desc_info, attrtype, sizeof(__be16), &value); ++ __be16 tmp = value; ++ ++ return rocker_tlv_put(desc_info, attrtype, sizeof(__be16), &tmp); + } + +-static inline int rocker_tlv_put_u32(struct rocker_desc_info *desc_info, +- int attrtype, u32 value) ++static inline int ++rocker_tlv_put_u32(struct rocker_desc_info *desc_info, int attrtype, u32 value) + { +- return rocker_tlv_put(desc_info, attrtype, sizeof(u32), &value); ++ u32 tmp = value; ++ ++ return rocker_tlv_put(desc_info, attrtype, sizeof(u32), &tmp); + } + +-static inline int rocker_tlv_put_be32(struct rocker_desc_info *desc_info, +- int attrtype, __be32 value) ++static inline int ++rocker_tlv_put_be32(struct rocker_desc_info *desc_info, int attrtype, __be32 value) + { +- return rocker_tlv_put(desc_info, attrtype, sizeof(__be32), &value); ++ __be32 tmp = value; ++ ++ return rocker_tlv_put(desc_info, attrtype, sizeof(__be32), &tmp); + } + +-static inline int rocker_tlv_put_u64(struct rocker_desc_info *desc_info, +- int attrtype, u64 value) ++static inline int ++rocker_tlv_put_u64(struct rocker_desc_info *desc_info, int attrtype, u64 value) + { +- return rocker_tlv_put(desc_info, attrtype, sizeof(u64), &value); ++ u64 tmp = value; ++ ++ return rocker_tlv_put(desc_info, attrtype, sizeof(u64), &tmp); + } + + static inline struct rocker_tlv * diff --git a/queue-4.13/series b/queue-4.13/series index e060e0b2a5b..0df03d4dbea 100644 --- a/queue-4.13/series +++ b/queue-4.13/series @@ -110,3 +110,32 @@ powerpc-fix-action-argument-for-cpufeatures-based-tlb-flush.patch powerpc-64s-use-emergency-stack-for-kernel-tm-bad-thing-program-checks.patch powerpc-tm-fix-illegal-tm-state-in-signal-handler.patch percpu-make-this_cpu_generic_read-atomic-w.r.t.-interrupts.patch +intel_th-pci-add-cedar-fork-pch-support.patch +intel_th-pci-add-lewisburg-pch-support.patch +driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch +cgroup-reinit-cgroup_taskset-structure-before-cgroup_migrate_execute-returns.patch +drivers-hv-fcopy-restore-correct-transfer-length.patch +vmbus-don-t-acquire-the-mutex-in-vmbus_hvsock_device_unregister.patch +stm-class-fix-a-use-after-free.patch +auxdisplay-charlcd-properly-restore-atomic-counter-on-error-path.patch +ftrace-fix-kmemleak-in-unregister_ftrace_graph.patch +ovl-fix-error-value-printed-in-ovl_lookup_index.patch +ovl-fix-dput-of-err_ptr-in-ovl_cleanup_index.patch +ovl-fix-dentry-leak-in-ovl_indexdir_cleanup.patch +ovl-fix-missing-unlock_rename-in-ovl_do_copy_up.patch +ovl-fix-regression-caused-by-exclusive-upper-work-dir-protection.patch +arm64-dt-marvell-fix-ap806-system-controller-size.patch +arm64-ensure-the-instruction-emulation-is-ready-for-userspace.patch +hid-rmi-make-sure-the-hid-device-is-opened-on-resume.patch +hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch +hid-wacom-leds-don-t-try-to-control-the-ekr-s-read-only-leds.patch +hid-wacom-properly-report-negative-values-from-intuos-pro-2-bluetooth.patch +hid-wacom-correct-coordinate-system-of-touchring-and-pen-twist.patch +hid-wacom-generic-send-msc_serial-and-abs_misc-when-leaving-prox.patch +hid-wacom-generic-clear-abs_misc-when-tool-leaves-proximity.patch +hid-wacom-always-increment-hdev-refcount-within-wacom_get_hdev_data.patch +hid-wacom-bits-shifted-too-much-for-9th-and-10th-buttons.patch +btrfs-avoid-overflow-when-sector_t-is-32-bit.patch +btrfs-fix-overlap-of-fs_info-flags-values.patch +rocker-fix-rocker_tlv_put_-functions-for-kasan.patch +netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch diff --git a/queue-4.13/stm-class-fix-a-use-after-free.patch b/queue-4.13/stm-class-fix-a-use-after-free.patch new file mode 100644 index 00000000000..615977ce19a --- /dev/null +++ b/queue-4.13/stm-class-fix-a-use-after-free.patch @@ -0,0 +1,40 @@ +From fd085bb1766d6a598f53af2308374a546a49775a Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 19 Sep 2017 18:47:40 +0300 +Subject: stm class: Fix a use-after-free + +From: Alexander Shishkin + +commit fd085bb1766d6a598f53af2308374a546a49775a upstream. + +For reasons unknown, the stm_source removal path uses device_destroy() +to kill the underlying device object. Because device_destroy() uses +devt to look for the device to destroy and the fact that stm_source +devices don't have one (or all have the same one), it just picks the +first device in the class, which may well be the wrong one. + +That is, loading stm_console and stm_heartbeat and then removing both +will die in dereferencing a freed object. + +Since this should have been device_unregister() in the first place, +use it instead of device_destroy(). + +Signed-off-by: Alexander Shishkin +Fixes: 7bd1d4093c2 ("stm class: Introduce an abstraction for System Trace Module devices") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/stm/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -1119,7 +1119,7 @@ void stm_source_unregister_device(struct + + stm_source_link_drop(src); + +- device_destroy(&stm_source_class, src->dev.devt); ++ device_unregister(&src->dev); + } + EXPORT_SYMBOL_GPL(stm_source_unregister_device); + diff --git a/queue-4.13/vmbus-don-t-acquire-the-mutex-in-vmbus_hvsock_device_unregister.patch b/queue-4.13/vmbus-don-t-acquire-the-mutex-in-vmbus_hvsock_device_unregister.patch new file mode 100644 index 00000000000..2a757c3629d --- /dev/null +++ b/queue-4.13/vmbus-don-t-acquire-the-mutex-in-vmbus_hvsock_device_unregister.patch @@ -0,0 +1,45 @@ +From 33c150c2ee4a65a59190a124b45d05b1abf9478e Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Thu, 21 Sep 2017 23:41:47 -0700 +Subject: vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister() + +From: Dexuan Cui + +commit 33c150c2ee4a65a59190a124b45d05b1abf9478e upstream. + +Due to commit 54a66265d675 ("Drivers: hv: vmbus: Fix rescind handling"), +we need this patch to resolve the below deadlock: + +after we get the mutex in vmbus_hvsock_device_unregister() and call +vmbus_device_unregister() -> device_unregister() -> ... -> device_release() +-> vmbus_device_release(), we'll get a deadlock, because +vmbus_device_release() tries to get the same mutex. + +Signed-off-by: Dexuan Cui +Cc: K. Y. Srinivasan +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel_mgmt.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -922,14 +922,10 @@ static void vmbus_onoffer_rescind(struct + + void vmbus_hvsock_device_unregister(struct vmbus_channel *channel) + { +- mutex_lock(&vmbus_connection.channel_mutex); +- + BUG_ON(!is_hvsock_channel(channel)); + + channel->rescind = true; + vmbus_device_unregister(channel->device_obj); +- +- mutex_unlock(&vmbus_connection.channel_mutex); + } + EXPORT_SYMBOL_GPL(vmbus_hvsock_device_unregister); +