From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 23 Jun 2019 16:04:02 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.1.15~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1be13adaeece3d4258f981b9c219e4c2133a9a71;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	apparmor-enforce-nullbyte-at-end-of-tag-string.patch
	ib-hfi1-silence-txreq-allocation-warnings.patch
	input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
	input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
---

diff --git a/queue-4.14/apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/queue-4.14/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
new file mode 100644
index 00000000000..322972a15fa
--- /dev/null
+++ b/queue-4.14/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
@@ -0,0 +1,38 @@
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: apparmor: enforce nullbyte at end of tag string
+
+From: Jann Horn <jannh@google.com>
+
+commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/policy_unpack.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -259,7 +259,7 @@ static bool unpack_nameX(struct aa_ext *
+ 		char *tag = NULL;
+ 		size_t size = unpack_u16_chunk(e, &tag);
+ 		/* if a name is specified it must match. otherwise skip tag */
+-		if (name && (!size || strcmp(name, tag)))
++		if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ 			goto fail;
+ 	} else if (name) {
+ 		/* if a name is specified and there is no name tag fail */
diff --git a/queue-4.14/ib-hfi1-silence-txreq-allocation-warnings.patch b/queue-4.14/ib-hfi1-silence-txreq-allocation-warnings.patch
new file mode 100644
index 00000000000..4dd3d7c7ed6
--- /dev/null
+++ b/queue-4.14/ib-hfi1-silence-txreq-allocation-warnings.patch
@@ -0,0 +1,91 @@
+From 3230f4a8d44e4a0bb7afea814b280b5129521f52 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:32 -0400
+Subject: IB/hfi1: Silence txreq allocation warnings
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 3230f4a8d44e4a0bb7afea814b280b5129521f52 upstream.
+
+The following warning can happen when a memory shortage
+occurs during txreq allocation:
+
+[10220.939246] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+[10220.939246] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
+[10220.939247]   cache: mnt_cache, object size: 384, buffer size: 384, default order: 2, min order: 0
+[10220.939260] Workqueue: hfi0_0 _hfi1_do_send [hfi1]
+[10220.939261]   node 0: slabs: 1026568, objs: 43115856, free: 0
+[10220.939262] Call Trace:
+[10220.939262]   node 1: slabs: 820872, objs: 34476624, free: 0
+[10220.939263]  dump_stack+0x5a/0x73
+[10220.939265]  warn_alloc+0x103/0x190
+[10220.939267]  ? wake_all_kswapds+0x54/0x8b
+[10220.939268]  __alloc_pages_slowpath+0x86c/0xa2e
+[10220.939270]  ? __alloc_pages_nodemask+0x2fe/0x320
+[10220.939271]  __alloc_pages_nodemask+0x2fe/0x320
+[10220.939273]  new_slab+0x475/0x550
+[10220.939275]  ___slab_alloc+0x36c/0x520
+[10220.939287]  ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939299]  ? __get_txreq+0x54/0x160 [hfi1]
+[10220.939310]  ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939312]  __slab_alloc+0x40/0x61
+[10220.939323]  ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939325]  kmem_cache_alloc+0x181/0x1b0
+[10220.939336]  hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939348]  ? hfi1_verbs_send_dma+0x386/0xa10 [hfi1]
+[10220.939359]  ? find_prev_entry+0xb0/0xb0 [hfi1]
+[10220.939371]  hfi1_do_send+0x1d9/0x3f0 [hfi1]
+[10220.939372]  process_one_work+0x171/0x380
+[10220.939374]  worker_thread+0x49/0x3f0
+[10220.939375]  kthread+0xf8/0x130
+[10220.939377]  ? max_active_store+0x80/0x80
+[10220.939378]  ? kthread_bind+0x10/0x10
+[10220.939379]  ret_from_fork+0x35/0x40
+[10220.939381] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+
+The shortage is handled properly so the message isn't needed. Silence by
+adding the no warn option to the slab allocation.
+
+Fixes: 45842abbb292 ("staging/rdma/hfi1: move txreq header code")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/verbs_txreq.c |    2 +-
+ drivers/infiniband/hw/hfi1/verbs_txreq.h |    3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.c
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.c
+@@ -100,7 +100,7 @@ struct verbs_txreq *__get_txreq(struct h
+ 	if (ib_rvt_state_ops[qp->state] & RVT_PROCESS_RECV_OK) {
+ 		struct hfi1_qp_priv *priv;
+ 
+-		tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++		tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ 		if (tx)
+ 			goto out;
+ 		priv = qp->priv;
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.h
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.h
+@@ -72,6 +72,7 @@ struct hfi1_ibdev;
+ struct verbs_txreq *__get_txreq(struct hfi1_ibdev *dev,
+ 				struct rvt_qp *qp);
+ 
++#define VERBS_TXREQ_GFP (GFP_ATOMIC | __GFP_NOWARN)
+ static inline struct verbs_txreq *get_txreq(struct hfi1_ibdev *dev,
+ 					    struct rvt_qp *qp)
+ 	__must_hold(&qp->slock)
+@@ -79,7 +80,7 @@ static inline struct verbs_txreq *get_tx
+ 	struct verbs_txreq *tx;
+ 	struct hfi1_qp_priv *priv = qp->priv;
+ 
+-	tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++	tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ 	if (unlikely(!tx)) {
+ 		/* call slow path to get the lock */
+ 		tx = __get_txreq(dev, qp);
diff --git a/queue-4.14/input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch b/queue-4.14/input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
new file mode 100644
index 00000000000..bd9d0adc571
--- /dev/null
+++ b/queue-4.14/input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
@@ -0,0 +1,36 @@
+From 9843f3e08e2144724be7148e08d77a195dea257a Mon Sep 17 00:00:00 2001
+From: Alexander Mikhaylenko <exalm7659@gmail.com>
+Date: Wed, 12 Jun 2019 14:59:46 -0700
+Subject: Input: synaptics - enable SMBus on ThinkPad E480 and E580
+
+From: Alexander Mikhaylenko <exalm7659@gmail.com>
+
+commit 9843f3e08e2144724be7148e08d77a195dea257a upstream.
+
+They are capable of using intertouch and it works well with
+psmouse.synaptics_intertouch=1, so add them to the list.
+
+Without it, scrolling and gestures are jumpy, three-finger pinch gesture
+doesn't work and three- or four-finger swipes sometimes get stuck.
+
+Signed-off-by: Alexander Mikhaylenko <exalm7659@gmail.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -179,6 +179,8 @@ static const char * const smbus_pnp_ids[
+ 	"LEN0096", /* X280 */
+ 	"LEN0097", /* X280 -> ALPS trackpoint */
+ 	"LEN200f", /* T450s */
++	"LEN2054", /* E480 */
++	"LEN2055", /* E580 */
+ 	"SYN3052", /* HP EliteBook 840 G4 */
+ 	"SYN3221", /* HP 15-ay000 */
+ 	NULL
diff --git a/queue-4.14/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch b/queue-4.14/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
new file mode 100644
index 00000000000..f7ead14e4d4
--- /dev/null
+++ b/queue-4.14/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
@@ -0,0 +1,61 @@
+From 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Thu, 23 May 2019 12:55:26 -0700
+Subject: Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
+
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+
+commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
+
+In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
+UI_END_FF_UPLOAD need to be adjusted before being passed on
+uinput_ioctl_handler() since code built with -m32 will be passing
+slightly different values. Extend the code already covering
+UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
+
+Reported-by: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/uinput.c |   22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -1012,13 +1012,31 @@ static long uinput_ioctl(struct file *fi
+ 
+ #ifdef CONFIG_COMPAT
+ 
+-#define UI_SET_PHYS_COMPAT	_IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++/*
++ * These IOCTLs change their size and thus their numbers between
++ * 32 and 64 bits.
++ */
++#define UI_SET_PHYS_COMPAT		\
++	_IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++#define UI_BEGIN_FF_UPLOAD_COMPAT	\
++	_IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
++#define UI_END_FF_UPLOAD_COMPAT		\
++	_IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
+ 
+ static long uinput_compat_ioctl(struct file *file,
+ 				unsigned int cmd, unsigned long arg)
+ {
+-	if (cmd == UI_SET_PHYS_COMPAT)
++	switch (cmd) {
++	case UI_SET_PHYS_COMPAT:
+ 		cmd = UI_SET_PHYS;
++		break;
++	case UI_BEGIN_FF_UPLOAD_COMPAT:
++		cmd = UI_BEGIN_FF_UPLOAD;
++		break;
++	case UI_END_FF_UPLOAD_COMPAT:
++		cmd = UI_END_FF_UPLOAD;
++		break;
++	}
+ 
+ 	return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
+ }
diff --git a/queue-4.14/series b/queue-4.14/series
index bd35598ae8a..502fdfe184a 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -5,3 +5,7 @@ net-phy-broadcom-use-strlcpy-for-ethtool-get_strings.patch
 mmc-core-prevent-processing-sdio-irqs-when-the-card-is-suspended.patch
 scsi-ufs-avoid-runtime-suspend-possibly-being-blocked-forever.patch
 usb-chipidea-udc-workaround-for-endpoint-conflict-issue.patch
+ib-hfi1-silence-txreq-allocation-warnings.patch
+input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
+input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
+apparmor-enforce-nullbyte-at-end-of-tag-string.patch