From: Greg Kroah-Hartman Date: Mon, 18 Feb 2019 12:08:00 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.135~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b2e79473cb6fe8985cb012433a4860cc775a5d9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alpha-fix-eiger-nr_irqs-to-128.patch alpha-fix-page-fault-handling-for-r16-r18-targets.patch alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch input-bma150-register-input-device-after-setting-private-data.patch input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch perf-core-fix-impossible-ring-buffer-sizes-warning.patch perf-x86-add-check_period-pmu-callback.patch revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch signal-restore-the-stop-ptrace_event_exit.patch tracing-uprobes-fix-output-for-multiple-string-arguments.patch x86-a.out-clear-the-dump-structure-initially.patch x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch --- diff --git a/queue-4.9/alpha-fix-eiger-nr_irqs-to-128.patch b/queue-4.9/alpha-fix-eiger-nr_irqs-to-128.patch new file mode 100644 index 00000000000..77413bb0489 --- /dev/null +++ b/queue-4.9/alpha-fix-eiger-nr_irqs-to-128.patch @@ -0,0 +1,51 @@ +From bfc913682464f45bc4d6044084e370f9048de9d5 Mon Sep 17 00:00:00 2001 +From: Meelis Roos +Date: Fri, 12 Oct 2018 12:27:51 +0300 +Subject: alpha: Fix Eiger NR_IRQS to 128 + +From: Meelis Roos + +commit bfc913682464f45bc4d6044084e370f9048de9d5 upstream. + +Eiger machine vector definition has nr_irqs 128, and working 2.6.26 +boot shows SCSI getting IRQ-s 64 and 65. Current kernel boot fails +because Symbios SCSI fails to request IRQ-s and does not find the disks. +It has been broken at least since 3.18 - the earliest I could test with +my gcc-5. + +The headers have moved around and possibly another order of defines has +worked in the past - but since 128 seems to be correct and used, fix +arch/alpha/include/asm/irq.h to have NR_IRQS=128 for Eiger. + +This fixes 4.19-rc7 boot on my Force Flexor A264 (Eiger subarch). + +Cc: stable@vger.kernel.org # v3.18+ +Signed-off-by: Meelis Roos +Signed-off-by: Matt Turner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/include/asm/irq.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/alpha/include/asm/irq.h ++++ b/arch/alpha/include/asm/irq.h +@@ -55,15 +55,15 @@ + + #elif defined(CONFIG_ALPHA_DP264) || \ + defined(CONFIG_ALPHA_LYNX) || \ +- defined(CONFIG_ALPHA_SHARK) || \ +- defined(CONFIG_ALPHA_EIGER) ++ defined(CONFIG_ALPHA_SHARK) + # define NR_IRQS 64 + + #elif defined(CONFIG_ALPHA_TITAN) + #define NR_IRQS 80 + + #elif defined(CONFIG_ALPHA_RAWHIDE) || \ +- defined(CONFIG_ALPHA_TAKARA) ++ defined(CONFIG_ALPHA_TAKARA) || \ ++ defined(CONFIG_ALPHA_EIGER) + # define NR_IRQS 128 + + #elif defined(CONFIG_ALPHA_WILDFIRE) diff --git a/queue-4.9/alpha-fix-page-fault-handling-for-r16-r18-targets.patch b/queue-4.9/alpha-fix-page-fault-handling-for-r16-r18-targets.patch new file mode 100644 index 00000000000..d781ebdbef4 --- /dev/null +++ b/queue-4.9/alpha-fix-page-fault-handling-for-r16-r18-targets.patch @@ -0,0 +1,118 @@ +From 491af60ffb848b59e82f7c9145833222e0bf27a5 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Mon, 31 Dec 2018 11:53:55 +0000 +Subject: alpha: fix page fault handling for r16-r18 targets + +From: Sergei Trofimovich + +commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream. + +Fix page fault handling code to fixup r16-r18 registers. +Before the patch code had off-by-two registers bug. +This bug caused overwriting of ps,pc,gp registers instead +of fixing intended r16,r17,r18 (see `struct pt_regs`). + +More details: + +Initially Dmitry noticed a kernel bug as a failure +on strace test suite. Test passes unmapped userspace +pointer to io_submit: + +```c + #include + #include + #include + #include + int main(void) + { + unsigned long ctx = 0; + if (syscall(__NR_io_setup, 1, &ctx)) + err(1, "io_setup"); + const size_t page_size = sysconf(_SC_PAGESIZE); + const size_t size = page_size * 2; + void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (MAP_FAILED == ptr) + err(1, "mmap(%zu)", size); + if (munmap(ptr, size)) + err(1, "munmap"); + syscall(__NR_io_submit, ctx, 1, ptr + page_size); + syscall(__NR_io_destroy, ctx); + return 0; + } +``` + +Running this test causes kernel to crash when handling page fault: + +``` + Unable to handle kernel paging request at virtual address ffffffffffff9468 + CPU 3 + aio(26027): Oops 0 + pc = [] ra = [] ps = 0000 Not tainted + pc is at sys_io_submit+0x108/0x200 + ra is at sys_io_submit+0x6c/0x200 + v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000 + t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0 + t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000 + s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000 + s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2 + s6 = fffffc00c58e6300 + a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000 + a3 = 00000200001ac260 a4 = 00000200001ac1e8 a5 = 0000000000000001 + t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440 + t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000 + gp = 0000000000000000 sp = 00000000265fd174 + Disabling lock debugging due to kernel taint + Trace: + [] entSys+0xa4/0xc0 +``` + +Here `gp` has invalid value. `gp is s overwritten by a fixup for the +following page fault handler in `io_submit` syscall handler: + +``` + __se_sys_io_submit + ... + ldq a1,0(t1) + bne t0,4280 <__se_sys_io_submit+0x180> +``` + +After a page fault `t0` should contain -EFALUT and `a1` is 0. +Instead `gp` was overwritten in place of `a1`. + +This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18` +(aka `a0-a2`). + +I think the bug went unnoticed for a long time as `gp` is one +of scratch registers. Any kernel function call would re-calculate `gp`. + +Dmitry tracked down the bug origin back to 2.1.32 kernel version +where trap_a{0,1,2} fields were inserted into struct pt_regs. +And even before that `dpf_reg()` contained off-by-one error. + +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Cc: linux-alpha@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Reported-and-reviewed-by: "Dmitry V. Levin" +Cc: stable@vger.kernel.org # v2.1.32+ +Bug: https://bugs.gentoo.org/672040 +Signed-off-by: Sergei Trofimovich +Signed-off-by: Matt Turner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/mm/fault.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/alpha/mm/fault.c ++++ b/arch/alpha/mm/fault.c +@@ -77,7 +77,7 @@ __load_new_mm_context(struct mm_struct * + /* Macro for exception fixup code to access integer registers. */ + #define dpf_reg(r) \ + (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \ +- (r) <= 18 ? (r)+8 : (r)-10]) ++ (r) <= 18 ? (r)+10 : (r)-10]) + + asmlinkage void + do_page_fault(unsigned long address, unsigned long mmcsr, diff --git a/queue-4.9/alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch b/queue-4.9/alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch new file mode 100644 index 00000000000..b90b899eb15 --- /dev/null +++ b/queue-4.9/alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch @@ -0,0 +1,31 @@ +From 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e Mon Sep 17 00:00:00 2001 +From: Jurica Vukadin +Date: Thu, 7 Feb 2019 16:29:37 +0100 +Subject: ALSA: hda - Add quirk for HP EliteBook 840 G5 + +From: Jurica Vukadin + +commit 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e upstream. + +This enables mute LED support and fixes switching jacks when the laptop +is docked. + +Signed-off-by: Jurica Vukadin +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -854,6 +854,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), diff --git a/queue-4.9/alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch b/queue-4.9/alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch new file mode 100644 index 00000000000..688b1dcd561 --- /dev/null +++ b/queue-4.9/alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch @@ -0,0 +1,58 @@ +From 2bc16b9f3223d049b57202ee702fcb5b9b507019 Mon Sep 17 00:00:00 2001 +From: Manuel Reinhardt +Date: Thu, 31 Jan 2019 15:32:35 +0100 +Subject: ALSA: usb-audio: Fix implicit fb endpoint setup by quirk + +From: Manuel Reinhardt + +commit 2bc16b9f3223d049b57202ee702fcb5b9b507019 upstream. + +The commit a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to +separate function") introduced an error in the handling of quirks for +implicit feedback endpoints. This commit fixes this. + +If a quirk successfully sets up an implicit feedback endpoint, usb-audio +no longer tries to find the implicit fb endpoint itself. + +Fixes: a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to separate function") +Signed-off-by: Manuel Reinhardt +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/pcm.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -313,6 +313,9 @@ static int search_roland_implicit_fb(str + return 0; + } + ++/* Setup an implicit feedback endpoint from a quirk. Returns 0 if no quirk ++ * applies. Returns 1 if a quirk was found. ++ */ + static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs, + struct usb_device *dev, + struct usb_interface_descriptor *altsd, +@@ -391,7 +394,7 @@ add_sync_ep: + + subs->data_endpoint->sync_master = subs->sync_endpoint; + +- return 0; ++ return 1; + } + + static int set_sync_endpoint(struct snd_usb_substream *subs, +@@ -430,6 +433,10 @@ static int set_sync_endpoint(struct snd_ + if (err < 0) + return err; + ++ /* endpoint set by quirk */ ++ if (err > 0) ++ return 0; ++ + if (altsd->bNumEndpoints < 2) + return 0; + diff --git a/queue-4.9/dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch b/queue-4.9/dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch new file mode 100644 index 00000000000..bc13d9d2ee2 --- /dev/null +++ b/queue-4.9/dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch @@ -0,0 +1,156 @@ +From 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Thu, 14 Feb 2019 20:38:47 +0200 +Subject: dm thin: fix bug where bio that overwrites thin block ignores FUA + +From: Nikos Tsironis + +commit 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 upstream. + +When provisioning a new data block for a virtual block, either because +the block was previously unallocated or because we are breaking sharing, +if the whole block of data is being overwritten the bio that triggered +the provisioning is issued immediately, skipping copying or zeroing of +the data block. + +When this bio completes the new mapping is inserted in to the pool's +metadata by process_prepared_mapping(), where the bio completion is +signaled to the upper layers. + +This completion is signaled without first committing the metadata. If +the bio in question has the REQ_FUA flag set and the system crashes +right after its completion and before the next metadata commit, then the +write is lost despite the REQ_FUA flag requiring that I/O completion for +this request must only be signaled after the data has been committed to +non-volatile storage. + +Fix this by deferring the completion of overwrite bios, with the REQ_FUA +flag set, until after the metadata has been committed. + +Cc: stable@vger.kernel.org +Signed-off-by: Nikos Tsironis +Acked-by: Joe Thornber +Acked-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 50 insertions(+), 5 deletions(-) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -257,6 +257,7 @@ struct pool { + + spinlock_t lock; + struct bio_list deferred_flush_bios; ++ struct bio_list deferred_flush_completions; + struct list_head prepared_mappings; + struct list_head prepared_discards; + struct list_head prepared_discards_pt2; +@@ -925,6 +926,39 @@ static void process_prepared_mapping_fai + mempool_free(m, m->tc->pool->mapping_pool); + } + ++static void complete_overwrite_bio(struct thin_c *tc, struct bio *bio) ++{ ++ struct pool *pool = tc->pool; ++ unsigned long flags; ++ ++ /* ++ * If the bio has the REQ_FUA flag set we must commit the metadata ++ * before signaling its completion. ++ */ ++ if (!bio_triggers_commit(tc, bio)) { ++ bio_endio(bio); ++ return; ++ } ++ ++ /* ++ * Complete bio with an error if earlier I/O caused changes to the ++ * metadata that can't be committed, e.g, due to I/O errors on the ++ * metadata device. ++ */ ++ if (dm_thin_aborted_changes(tc->td)) { ++ bio_io_error(bio); ++ return; ++ } ++ ++ /* ++ * Batch together any bios that trigger commits and then issue a ++ * single commit for them in process_deferred_bios(). ++ */ ++ spin_lock_irqsave(&pool->lock, flags); ++ bio_list_add(&pool->deferred_flush_completions, bio); ++ spin_unlock_irqrestore(&pool->lock, flags); ++} ++ + static void process_prepared_mapping(struct dm_thin_new_mapping *m) + { + struct thin_c *tc = m->tc; +@@ -957,7 +991,7 @@ static void process_prepared_mapping(str + */ + if (bio) { + inc_remap_and_issue_cell(tc, m->cell, m->data_block); +- bio_endio(bio); ++ complete_overwrite_bio(tc, bio); + } else { + inc_all_io_entry(tc->pool, m->cell->holder); + remap_and_issue(tc, m->cell->holder, m->data_block); +@@ -2303,7 +2337,7 @@ static void process_deferred_bios(struct + { + unsigned long flags; + struct bio *bio; +- struct bio_list bios; ++ struct bio_list bios, bio_completions; + struct thin_c *tc; + + tc = get_first_thin(pool); +@@ -2314,26 +2348,36 @@ static void process_deferred_bios(struct + } + + /* +- * If there are any deferred flush bios, we must commit +- * the metadata before issuing them. ++ * If there are any deferred flush bios, we must commit the metadata ++ * before issuing them or signaling their completion. + */ + bio_list_init(&bios); ++ bio_list_init(&bio_completions); ++ + spin_lock_irqsave(&pool->lock, flags); + bio_list_merge(&bios, &pool->deferred_flush_bios); + bio_list_init(&pool->deferred_flush_bios); ++ ++ bio_list_merge(&bio_completions, &pool->deferred_flush_completions); ++ bio_list_init(&pool->deferred_flush_completions); + spin_unlock_irqrestore(&pool->lock, flags); + +- if (bio_list_empty(&bios) && ++ if (bio_list_empty(&bios) && bio_list_empty(&bio_completions) && + !(dm_pool_changed_this_transaction(pool->pmd) && need_commit_due_to_time(pool))) + return; + + if (commit(pool)) { ++ bio_list_merge(&bios, &bio_completions); ++ + while ((bio = bio_list_pop(&bios))) + bio_io_error(bio); + return; + } + pool->last_commit_jiffies = jiffies; + ++ while ((bio = bio_list_pop(&bio_completions))) ++ bio_endio(bio); ++ + while ((bio = bio_list_pop(&bios))) + generic_make_request(bio); + } +@@ -2968,6 +3012,7 @@ static struct pool *pool_create(struct m + INIT_DELAYED_WORK(&pool->no_space_timeout, do_no_space_timeout); + spin_lock_init(&pool->lock); + bio_list_init(&pool->deferred_flush_bios); ++ bio_list_init(&pool->deferred_flush_completions); + INIT_LIST_HEAD(&pool->prepared_mappings); + INIT_LIST_HEAD(&pool->prepared_discards); + INIT_LIST_HEAD(&pool->prepared_discards_pt2); diff --git a/queue-4.9/drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch b/queue-4.9/drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch new file mode 100644 index 00000000000..dcec01f8529 --- /dev/null +++ b/queue-4.9/drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch @@ -0,0 +1,67 @@ +From 2e7bd10e05afb866b5fb13eda25095c35d7a27cc Mon Sep 17 00:00:00 2001 +From: Joonas Lahtinen +Date: Thu, 7 Feb 2019 10:54:53 +0200 +Subject: drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set + +From: Joonas Lahtinen + +commit 2e7bd10e05afb866b5fb13eda25095c35d7a27cc upstream. + +Make sure the underlying VMA in the process address space is the +same as it was during vm_mmap to avoid applying WC to wrong VMA. + +A more long-term solution would be to have vm_mmap_locked variant +in linux/mmap.h for when caller wants to hold mmap_sem for an +extended duration. + +v2: +- Refactor the compare function + +Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") +Reported-by: Adam Zabrocki +Suggested-by: Linus Torvalds +Signed-off-by: Joonas Lahtinen +Cc: # v4.0+ +Cc: Akash Goel +Cc: Chris Wilson +Cc: Tvrtko Ursulin +Cc: Adam Zabrocki +Reviewed-by: Chris Wilson +Reviewed-by: Tvrtko Ursulin #v1 +Link: https://patchwork.freedesktop.org/patch/msgid/20190207085454.10598-1-joonas.lahtinen@linux.intel.com +(cherry picked from commit 5c4604e757ba9b193b09768d75a7d2105a5b883f) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -1593,6 +1593,16 @@ i915_gem_sw_finish_ioctl(struct drm_devi + return err; + } + ++static inline bool ++__vma_matches(struct vm_area_struct *vma, struct file *filp, ++ unsigned long addr, unsigned long size) ++{ ++ if (vma->vm_file != filp) ++ return false; ++ ++ return vma->vm_start == addr && (vma->vm_end - vma->vm_start) == size; ++} ++ + /** + * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address + * it is mapped to. +@@ -1651,7 +1661,7 @@ i915_gem_mmap_ioctl(struct drm_device *d + return -EINTR; + } + vma = find_vma(mm, addr); +- if (vma) ++ if (vma && __vma_matches(vma, obj->base.filp, addr, args->size)) + vma->vm_page_prot = + pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); + else diff --git a/queue-4.9/input-bma150-register-input-device-after-setting-private-data.patch b/queue-4.9/input-bma150-register-input-device-after-setting-private-data.patch new file mode 100644 index 00000000000..5a4f541af5f --- /dev/null +++ b/queue-4.9/input-bma150-register-input-device-after-setting-private-data.patch @@ -0,0 +1,106 @@ +From 90cc55f067f6ca0e64e5e52883ece47d8af7b67b Mon Sep 17 00:00:00 2001 +From: Jonathan Bakker +Date: Wed, 6 Feb 2019 10:45:37 -0800 +Subject: Input: bma150 - register input device after setting private data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Bakker + +commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream. + +Otherwise we introduce a race condition where userspace can request input +before we're ready leading to null pointer dereference such as + +input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3 +Unable to handle kernel NULL pointer dereference at virtual address 00000018 +pgd = (ptrval) +[00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000 +Internal error: Oops: 17 [#1] PREEMPT ARM +Modules linked in: bma150 input_polldev [last unloaded: bma150] +CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46 +Hardware name: Samsung S5PC110/S5PV210-based board +PC is at input_event+0x8/0x60 +LR is at bma150_report_xyz+0x9c/0xe0 [bma150] +pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013 +sp : a4c1fd78 ip : 00000081 fp : 00020000 +r10: 00000000 r9 : a5e2944c r8 : a7455000 +r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048 +r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000 +Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 54e34019 DAC: 00000051 +Process accelerometer (pid: 2870, stack limit = 0x(ptrval)) +Stackck: (0xa4c1fd78 to 0xa4c20000) +fd60: fffffff3 fc813f6c +fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324 +fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10 +fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0 +fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c +fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000 +fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041 +fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8 +fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001 +fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048 +fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8 +fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720 +fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00 +ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3 +ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002 +ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c +ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100 +ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000 +ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000 +ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038 +ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000 +[<80450f70>] (input_event) from [] (0xa5e2817c) +Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018) +---[ end trace 1c691ee85f2ff243 ]--- + +Signed-off-by: Jonathan Bakker +Signed-off-by: Paweł Chmiel +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/bma150.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/input/misc/bma150.c ++++ b/drivers/input/misc/bma150.c +@@ -482,13 +482,14 @@ static int bma150_register_input_device( + idev->close = bma150_irq_close; + input_set_drvdata(idev, bma150); + ++ bma150->input = idev; ++ + error = input_register_device(idev); + if (error) { + input_free_device(idev); + return error; + } + +- bma150->input = idev; + return 0; + } + +@@ -511,15 +512,15 @@ static int bma150_register_polled_device + + bma150_init_input_device(bma150, ipoll_dev->input); + ++ bma150->input_polled = ipoll_dev; ++ bma150->input = ipoll_dev->input; ++ + error = input_register_polled_device(ipoll_dev); + if (error) { + input_free_polled_device(ipoll_dev); + return error; + } + +- bma150->input_polled = ipoll_dev; +- bma150->input = ipoll_dev->input; +- + return 0; + } + diff --git a/queue-4.9/input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch b/queue-4.9/input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch new file mode 100644 index 00000000000..c51c3623d0e --- /dev/null +++ b/queue-4.9/input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch @@ -0,0 +1,31 @@ +From 7ad222b3aed350adfc27ee7eec4587ffe55dfdce Mon Sep 17 00:00:00 2001 +From: Mauro Ciancio +Date: Mon, 14 Jan 2019 10:24:53 -0300 +Subject: Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK + +From: Mauro Ciancio + +commit 7ad222b3aed350adfc27ee7eec4587ffe55dfdce upstream. + +This adds ELAN0617 to the ACPI table to support Elan touchpad found in +Lenovo V330-15ISK. + +Signed-off-by: Mauro Ciancio +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1250,6 +1250,7 @@ static const struct acpi_device_id elan_ + { "ELAN060C", 0 }, + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, ++ { "ELAN0617", 0 }, + { "ELAN0618", 0 }, + { "ELAN061C", 0 }, + { "ELAN061D", 0 }, diff --git a/queue-4.9/input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch b/queue-4.9/input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch new file mode 100644 index 00000000000..9019c2de96a --- /dev/null +++ b/queue-4.9/input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch @@ -0,0 +1,52 @@ +From e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 Mon Sep 17 00:00:00 2001 +From: Matti Kurkela +Date: Thu, 7 Feb 2019 23:49:23 -0800 +Subject: Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 + +From: Matti Kurkela + +commit e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 upstream. + +Like Fujitsu CELSIUS H760, the H780 also has a three-button Elantech +touchpad, but the driver needs to be told so to enable the middle touchpad +button. + +The elantech_dmi_force_crc_enabled quirk was not necessary with the H780. + +Also document the fw_version and caps values detected for both H760 and +H780 models. + +Signed-off-by: Matti Kurkela +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elantech.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1117,6 +1117,8 @@ static int elantech_get_resolution_v4(st + * Asus UX31 0x361f00 20, 15, 0e clickpad + * Asus UX32VD 0x361f02 00, 15, 0e clickpad + * Avatar AVIU-145A2 0x361f00 ? clickpad ++ * Fujitsu CELSIUS H760 0x570f02 40, 14, 0c 3 hw buttons (**) ++ * Fujitsu CELSIUS H780 0x5d0f02 41, 16, 0d 3 hw buttons (**) + * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons + * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons + * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons +@@ -1169,6 +1171,13 @@ static const struct dmi_system_id elante + DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"), + }, + }, ++ { ++ /* Fujitsu H780 also has a middle button */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H780"), ++ }, ++ }, + #endif + { } + }; diff --git a/queue-4.9/kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch b/queue-4.9/kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch new file mode 100644 index 00000000000..6f5192ec1f5 --- /dev/null +++ b/queue-4.9/kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch @@ -0,0 +1,36 @@ +From 98ae70cc476e833332a2c6bb72f941a25f0de226 Mon Sep 17 00:00:00 2001 +From: Xiaoyao Li +Date: Thu, 14 Feb 2019 12:08:58 +0800 +Subject: kvm: vmx: Fix entry number check for add_atomic_switch_msr() + +From: Xiaoyao Li + +commit 98ae70cc476e833332a2c6bb72f941a25f0de226 upstream. + +Commit ca83b4a7f2d068da79a0 ("x86/KVM/VMX: Add find_msr() helper function") +introduces the helper function find_msr(), which returns -ENOENT when +not find the msr in vmx->msr_autoload.guest/host. Correct checking contion +of no more available entry in vmx->msr_autoload. + +Fixes: ca83b4a7f2d0 ("x86/KVM/VMX: Add find_msr() helper function") +Cc: stable@vger.kernel.org +Signed-off-by: Xiaoyao Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2178,7 +2178,8 @@ static void add_atomic_switch_msr(struct + if (!entry_only) + j = find_msr(&m->host, msr); + +- if (i == NR_AUTOLOAD_MSRS || j == NR_AUTOLOAD_MSRS) { ++ if ((i < 0 && m->guest.nr == NR_AUTOLOAD_MSRS) || ++ (j < 0 && m->host.nr == NR_AUTOLOAD_MSRS)) { + printk_once(KERN_WARNING "Not enough msr switch entries. " + "Can't add msr %x\n", msr); + return; diff --git a/queue-4.9/perf-core-fix-impossible-ring-buffer-sizes-warning.patch b/queue-4.9/perf-core-fix-impossible-ring-buffer-sizes-warning.patch new file mode 100644 index 00000000000..e9ca90d4f8b --- /dev/null +++ b/queue-4.9/perf-core-fix-impossible-ring-buffer-sizes-warning.patch @@ -0,0 +1,64 @@ +From 528871b456026e6127d95b1b2bd8e3a003dc1614 Mon Sep 17 00:00:00 2001 +From: Ingo Molnar +Date: Wed, 13 Feb 2019 07:57:02 +0100 +Subject: perf/core: Fix impossible ring-buffer sizes warning + +From: Ingo Molnar + +commit 528871b456026e6127d95b1b2bd8e3a003dc1614 upstream. + +The following commit: + + 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes") + +results in perf recording failures with larger mmap areas: + + root@skl:/tmp# perf record -g -a + failed to mmap with 12 (Cannot allocate memory) + +The root cause is that the following condition is buggy: + + if (order_base_2(size) >= MAX_ORDER) + goto fail; + +The problem is that @size is in bytes and MAX_ORDER is in pages, +so the right test is: + + if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER) + goto fail; + +Fix it. + +Reported-by: "Jin, Yao" +Bisected-by: Borislav Petkov +Analyzed-by: Peter Zijlstra +Cc: Julien Thierry +Cc: Mark Rutland +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Greg Kroah-Hartman +Cc: +Fixes: 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes") +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -700,7 +700,7 @@ struct ring_buffer *rb_alloc(int nr_page + size = sizeof(struct ring_buffer); + size += nr_pages * sizeof(void *); + +- if (order_base_2(size) >= MAX_ORDER) ++ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER) + goto fail; + + rb = kzalloc(size, GFP_KERNEL); diff --git a/queue-4.9/perf-x86-add-check_period-pmu-callback.patch b/queue-4.9/perf-x86-add-check_period-pmu-callback.patch new file mode 100644 index 00000000000..9746975d3e2 --- /dev/null +++ b/queue-4.9/perf-x86-add-check_period-pmu-callback.patch @@ -0,0 +1,250 @@ +From 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 4 Feb 2019 13:35:32 +0100 +Subject: perf/x86: Add check_period PMU callback + +From: Jiri Olsa + +commit 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb upstream. + +Vince (and later on Ravi) reported crashes in the BTS code during +fuzzing with the following backtrace: + + general protection fault: 0000 [#1] SMP PTI + ... + RIP: 0010:perf_prepare_sample+0x8f/0x510 + ... + Call Trace: + + ? intel_pmu_drain_bts_buffer+0x194/0x230 + intel_pmu_drain_bts_buffer+0x160/0x230 + ? tick_nohz_irq_exit+0x31/0x40 + ? smp_call_function_single_interrupt+0x48/0xe0 + ? call_function_single_interrupt+0xf/0x20 + ? call_function_single_interrupt+0xa/0x20 + ? x86_schedule_events+0x1a0/0x2f0 + ? x86_pmu_commit_txn+0xb4/0x100 + ? find_busiest_group+0x47/0x5d0 + ? perf_event_set_state.part.42+0x12/0x50 + ? perf_mux_hrtimer_restart+0x40/0xb0 + intel_pmu_disable_event+0xae/0x100 + ? intel_pmu_disable_event+0xae/0x100 + x86_pmu_stop+0x7a/0xb0 + x86_pmu_del+0x57/0x120 + event_sched_out.isra.101+0x83/0x180 + group_sched_out.part.103+0x57/0xe0 + ctx_sched_out+0x188/0x240 + ctx_resched+0xa8/0xd0 + __perf_event_enable+0x193/0x1e0 + event_function+0x8e/0xc0 + remote_function+0x41/0x50 + flush_smp_call_function_queue+0x68/0x100 + generic_smp_call_function_single_interrupt+0x13/0x30 + smp_call_function_single_interrupt+0x3e/0xe0 + call_function_single_interrupt+0xf/0x20 + + +The reason is that while event init code does several checks +for BTS events and prevents several unwanted config bits for +BTS event (like precise_ip), the PERF_EVENT_IOC_PERIOD allows +to create BTS event without those checks being done. + +Following sequence will cause the crash: + +If we create an 'almost' BTS event with precise_ip and callchains, +and it into a BTS event it will crash the perf_prepare_sample() +function because precise_ip events are expected to come +in with callchain data initialized, but that's not the +case for intel_pmu_drain_bts_buffer() caller. + +Adding a check_period callback to be called before the period +is changed via PERF_EVENT_IOC_PERIOD. It will deny the change +if the event would become BTS. Plus adding also the limit_period +check as well. + +Reported-by: Vince Weaver +Signed-off-by: Jiri Olsa +Acked-by: Peter Zijlstra +Cc: +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Stephane Eranian +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20190204123532.GA4794@krava +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/core.c | 14 ++++++++++++++ + arch/x86/events/intel/core.c | 9 +++++++++ + arch/x86/events/perf_event.h | 16 ++++++++++++++-- + include/linux/perf_event.h | 5 +++++ + kernel/events/core.c | 16 ++++++++++++++++ + 5 files changed, 58 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -2196,6 +2196,19 @@ void perf_check_microcode(void) + } + EXPORT_SYMBOL_GPL(perf_check_microcode); + ++static int x86_pmu_check_period(struct perf_event *event, u64 value) ++{ ++ if (x86_pmu.check_period && x86_pmu.check_period(event, value)) ++ return -EINVAL; ++ ++ if (value && x86_pmu.limit_period) { ++ if (x86_pmu.limit_period(event, value) > value) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static struct pmu pmu = { + .pmu_enable = x86_pmu_enable, + .pmu_disable = x86_pmu_disable, +@@ -2220,6 +2233,7 @@ static struct pmu pmu = { + .event_idx = x86_pmu_event_idx, + .sched_task = x86_pmu_sched_task, + .task_ctx_size = sizeof(struct x86_perf_task_context), ++ .check_period = x86_pmu_check_period, + }; + + void arch_perf_update_userpage(struct perf_event *event, +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3262,6 +3262,11 @@ static void intel_pmu_sched_task(struct + intel_pmu_lbr_sched_task(ctx, sched_in); + } + ++static int intel_pmu_check_period(struct perf_event *event, u64 value) ++{ ++ return intel_pmu_has_bts_period(event, value) ? -EINVAL : 0; ++} ++ + PMU_FORMAT_ATTR(offcore_rsp, "config1:0-63"); + + PMU_FORMAT_ATTR(ldlat, "config1:0-15"); +@@ -3328,6 +3333,8 @@ static __initconst const struct x86_pmu + .cpu_starting = intel_pmu_cpu_starting, + .cpu_dying = intel_pmu_cpu_dying, + .cpu_dead = intel_pmu_cpu_dead, ++ ++ .check_period = intel_pmu_check_period, + }; + + static __initconst const struct x86_pmu intel_pmu = { +@@ -3367,6 +3374,8 @@ static __initconst const struct x86_pmu + + .guest_get_msrs = intel_guest_get_msrs, + .sched_task = intel_pmu_sched_task, ++ ++ .check_period = intel_pmu_check_period, + }; + + static __init void intel_clovertown_quirk(void) +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -626,6 +626,11 @@ struct x86_pmu { + * Intel host/guest support (KVM) + */ + struct perf_guest_switch_msr *(*guest_get_msrs)(int *nr); ++ ++ /* ++ * Check period value for PERF_EVENT_IOC_PERIOD ioctl. ++ */ ++ int (*check_period) (struct perf_event *event, u64 period); + }; + + struct x86_perf_task_context { +@@ -833,7 +838,7 @@ static inline int amd_pmu_init(void) + + #ifdef CONFIG_CPU_SUP_INTEL + +-static inline bool intel_pmu_has_bts(struct perf_event *event) ++static inline bool intel_pmu_has_bts_period(struct perf_event *event, u64 period) + { + struct hw_perf_event *hwc = &event->hw; + unsigned int hw_event, bts_event; +@@ -844,7 +849,14 @@ static inline bool intel_pmu_has_bts(str + hw_event = hwc->config & INTEL_ARCH_EVENT_MASK; + bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS); + +- return hw_event == bts_event && hwc->sample_period == 1; ++ return hw_event == bts_event && period == 1; ++} ++ ++static inline bool intel_pmu_has_bts(struct perf_event *event) ++{ ++ struct hw_perf_event *hwc = &event->hw; ++ ++ return intel_pmu_has_bts_period(event, hwc->sample_period); + } + + int intel_pmu_save_and_restart(struct perf_event *event); +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -455,6 +455,11 @@ struct pmu { + * Filter events for PMU-specific reasons. + */ + int (*filter_match) (struct perf_event *event); /* optional */ ++ ++ /* ++ * Check period value for PERF_EVENT_IOC_PERIOD ioctl. ++ */ ++ int (*check_period) (struct perf_event *event, u64 value); /* optional */ + }; + + /** +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -4600,6 +4600,11 @@ static void __perf_event_period(struct p + } + } + ++static int perf_event_check_period(struct perf_event *event, u64 value) ++{ ++ return event->pmu->check_period(event, value); ++} ++ + static int perf_event_period(struct perf_event *event, u64 __user *arg) + { + u64 value; +@@ -4616,6 +4621,9 @@ static int perf_event_period(struct perf + if (event->attr.freq && value > sysctl_perf_event_sample_rate) + return -EINVAL; + ++ if (perf_event_check_period(event, value)) ++ return -EINVAL; ++ + event_function_call(event, __perf_event_period, &value); + + return 0; +@@ -8622,6 +8630,11 @@ static int perf_pmu_nop_int(struct pmu * + return 0; + } + ++static int perf_event_nop_int(struct perf_event *event, u64 value) ++{ ++ return 0; ++} ++ + static DEFINE_PER_CPU(unsigned int, nop_txn_flags); + + static void perf_pmu_start_txn(struct pmu *pmu, unsigned int flags) +@@ -8944,6 +8957,9 @@ got_cpu_context: + pmu->pmu_disable = perf_pmu_nop_void; + } + ++ if (!pmu->check_period) ++ pmu->check_period = perf_event_nop_int; ++ + if (!pmu->event_idx) + pmu->event_idx = perf_event_idx_default; + diff --git a/queue-4.9/revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch b/queue-4.9/revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch new file mode 100644 index 00000000000..b79e4218b68 --- /dev/null +++ b/queue-4.9/revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch @@ -0,0 +1,34 @@ +From f420c54e4b12c1361c6ed313002ee7bd7ac58362 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 11 Feb 2019 14:32:40 -0800 +Subject: Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G" + +From: Dmitry Torokhov + +commit f420c54e4b12c1361c6ed313002ee7bd7ac58362 upstream. + +This reverts commit 7db54c89f0b30a101584e09d3729144e6170059d as it +breaks Acer Aspire V-371 and other devices. According to Elan: + +"Acer Aspire F5-573G is MS Precision touchpad which should use hid + multitouch driver. ELAN0501 should not be added in elan_i2c." + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202503 +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1240,7 +1240,6 @@ MODULE_DEVICE_TABLE(i2c, elan_id); + static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0000", 0 }, + { "ELAN0100", 0 }, +- { "ELAN0501", 0 }, + { "ELAN0600", 0 }, + { "ELAN0602", 0 }, + { "ELAN0605", 0 }, diff --git a/queue-4.9/series b/queue-4.9/series index 508cf3104d2..bb30904b444 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -32,3 +32,20 @@ arm-dts-kirkwood-fix-polarity-of-gpio-fan-lines.patch gpio-pl061-handle-failed-allocations.patch cifs-limit-memory-used-by-lock-request-calls-to-a-pa.patch perf-report-include-partial-stacks-unwound-with-libd.patch +revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch +input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch +perf-core-fix-impossible-ring-buffer-sizes-warning.patch +perf-x86-add-check_period-pmu-callback.patch +alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch +alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch +kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch +input-bma150-register-input-device-after-setting-private-data.patch +input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch +alpha-fix-page-fault-handling-for-r16-r18-targets.patch +alpha-fix-eiger-nr_irqs-to-128.patch +tracing-uprobes-fix-output-for-multiple-string-arguments.patch +x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch +signal-restore-the-stop-ptrace_event_exit.patch +x86-a.out-clear-the-dump-structure-initially.patch +dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch +drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch diff --git a/queue-4.9/signal-restore-the-stop-ptrace_event_exit.patch b/queue-4.9/signal-restore-the-stop-ptrace_event_exit.patch new file mode 100644 index 00000000000..0b005d007bf --- /dev/null +++ b/queue-4.9/signal-restore-the-stop-ptrace_event_exit.patch @@ -0,0 +1,58 @@ +From cf43a757fd49442bc38f76088b70c2299eed2c2f Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 11 Feb 2019 23:27:42 -0600 +Subject: signal: Restore the stop PTRACE_EVENT_EXIT + +From: Eric W. Biederman + +commit cf43a757fd49442bc38f76088b70c2299eed2c2f upstream. + +In the middle of do_exit() there is there is a call +"ptrace_event(PTRACE_EVENT_EXIT, code);" That call places the process +in TACKED_TRACED aka "(TASK_WAKEKILL | __TASK_TRACED)" and waits for +for the debugger to release the task or SIGKILL to be delivered. + +Skipping past dequeue_signal when we know a fatal signal has already +been delivered resulted in SIGKILL remaining pending and +TIF_SIGPENDING remaining set. This in turn caused the +scheduler to not sleep in PTACE_EVENT_EXIT as it figured +a fatal signal was pending. This also caused ptrace_freeze_traced +in ptrace_check_attach to fail because it left a per thread +SIGKILL pending which is what fatal_signal_pending tests for. + +This difference in signal state caused strace to report +strace: Exit of unknown pid NNNNN ignored + +Therefore update the signal handling state like dequeue_signal +would when removing a per thread SIGKILL, by removing SIGKILL +from the per thread signal mask and clearing TIF_SIGPENDING. + +Acked-by: Oleg Nesterov +Reported-by: Oleg Nesterov +Reported-by: Ivan Delalande +Cc: stable@vger.kernel.org +Fixes: 35634ffa1751 ("signal: Always notice exiting tasks") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2241,9 +2241,12 @@ relock: + } + + /* Has this task already been marked for death? */ +- ksig->info.si_signo = signr = SIGKILL; +- if (signal_group_exit(signal)) ++ if (signal_group_exit(signal)) { ++ ksig->info.si_signo = signr = SIGKILL; ++ sigdelset(¤t->pending.signal, SIGKILL); ++ recalc_sigpending(); + goto fatal; ++ } + + for (;;) { + struct k_sigaction *ka; diff --git a/queue-4.9/tracing-uprobes-fix-output-for-multiple-string-arguments.patch b/queue-4.9/tracing-uprobes-fix-output-for-multiple-string-arguments.patch new file mode 100644 index 00000000000..6545f96da2b --- /dev/null +++ b/queue-4.9/tracing-uprobes-fix-output-for-multiple-string-arguments.patch @@ -0,0 +1,79 @@ +From 0722069a5374b904ec1a67f91249f90e1cfae259 Mon Sep 17 00:00:00 2001 +From: Andreas Ziegler +Date: Wed, 16 Jan 2019 15:16:29 +0100 +Subject: tracing/uprobes: Fix output for multiple string arguments + +From: Andreas Ziegler + +commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream. + +When printing multiple uprobe arguments as strings the output for the +earlier arguments would also include all later string arguments. + +This is best explained in an example: + +Consider adding a uprobe to a function receiving two strings as +parameters which is at offset 0xa0 in strlib.so and we want to print +both parameters when the uprobe is hit (on x86_64): + +$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \ + /sys/kernel/debug/tracing/uprobe_events + +When the function is called as func("foo", "bar") and we hit the probe, +the trace file shows a line like the following: + + [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar" + +Note the extra "bar" printed as part of arg1. This behaviour stacks up +for additional string arguments. + +The strings are stored in a dynamically growing part of the uprobe +buffer by fetch_store_string() after copying them from userspace via +strncpy_from_user(). The return value of strncpy_from_user() is then +directly used as the required size for the string. However, this does +not take the terminating null byte into account as the documentation +for strncpy_from_user() cleary states that it "[...] returns the +length of the string (not including the trailing NUL)" even though the +null byte will be copied to the destination. + +Therefore, subsequent calls to fetch_store_string() will overwrite +the terminating null byte of the most recently fetched string with +the first character of the current string, leading to the +"accumulation" of strings in earlier arguments in the output. + +Fix this by incrementing the return value of strncpy_from_user() by +one if we did not hit the maximum buffer size. + +Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de + +Cc: Ingo Molnar +Cc: stable@vger.kernel.org +Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes") +Acked-by: Masami Hiramatsu +Signed-off-by: Andreas Ziegler +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Masami Hiramatsu +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_uprobe.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -150,7 +150,14 @@ static void FETCH_FUNC_NAME(memory, stri + + ret = strncpy_from_user(dst, src, maxlen); + if (ret == maxlen) +- dst[--ret] = '\0'; ++ dst[ret - 1] = '\0'; ++ else if (ret >= 0) ++ /* ++ * Include the terminating null byte. In this case it ++ * was copied by strncpy_from_user but not accounted ++ * for in ret. ++ */ ++ ret++; + + if (ret < 0) { /* Failed to fetch string */ + ((u8 *)get_rloc_data(dest))[0] = '\0'; diff --git a/queue-4.9/x86-a.out-clear-the-dump-structure-initially.patch b/queue-4.9/x86-a.out-clear-the-dump-structure-initially.patch new file mode 100644 index 00000000000..97b6ee2b1cb --- /dev/null +++ b/queue-4.9/x86-a.out-clear-the-dump-structure-initially.patch @@ -0,0 +1,59 @@ +From 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Tue, 12 Feb 2019 14:28:03 +0100 +Subject: x86/a.out: Clear the dump structure initially + +From: Borislav Petkov + +commit 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c upstream. + +dump_thread32() in aout_core_dump() does not clear the user32 structure +allocated on the stack as the first thing on function entry. + +As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get +assigned before the clearing, get overwritten. + +Rename that function to fill_dump() to make it clear what it does and +call it first thing. + +This was caught while staring at a patch by Derek Robson +. + +Signed-off-by: Borislav Petkov +Cc: Derek Robson +Cc: Linus Torvalds +Cc: Michael Matz +Cc: x86@kernel.org +Cc: +Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32_aout.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/ia32/ia32_aout.c ++++ b/arch/x86/ia32/ia32_aout.c +@@ -50,7 +50,7 @@ static unsigned long get_dr(int n) + /* + * fill in the user structure for a core dump.. + */ +-static void dump_thread32(struct pt_regs *regs, struct user32 *dump) ++static void fill_dump(struct pt_regs *regs, struct user32 *dump) + { + u32 fs, gs; + memset(dump, 0, sizeof(*dump)); +@@ -156,10 +156,12 @@ static int aout_core_dump(struct coredum + fs = get_fs(); + set_fs(KERNEL_DS); + has_dumped = 1; ++ ++ fill_dump(cprm->regs, &dump); ++ + strncpy(dump.u_comm, current->comm, sizeof(current->comm)); + dump.u_ar0 = offsetof(struct user32, regs); + dump.signal = cprm->siginfo->si_signo; +- dump_thread32(cprm->regs, &dump); + + /* + * If the size of the dump file exceeds the rlimit, then see diff --git a/queue-4.9/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch b/queue-4.9/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch new file mode 100644 index 00000000000..7041573cb54 --- /dev/null +++ b/queue-4.9/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch @@ -0,0 +1,126 @@ +From f331e766c4be33f4338574f3c9f7f77e98ab4571 Mon Sep 17 00:00:00 2001 +From: Hedi Berriche +Date: Wed, 13 Feb 2019 19:34:13 +0000 +Subject: x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls + +From: Hedi Berriche + +commit f331e766c4be33f4338574f3c9f7f77e98ab4571 upstream. + +Calls into UV firmware must be protected against concurrency, expose the +efi_runtime_lock to the UV platform, and use it to serialise UV BIOS +calls. + +Signed-off-by: Hedi Berriche +Signed-off-by: Borislav Petkov +Reviewed-by: Ard Biesheuvel +Reviewed-by: Russ Anderson +Reviewed-by: Dimitri Sivanich +Reviewed-by: Mike Travis +Cc: Andy Shevchenko +Cc: Bhupesh Sharma +Cc: Darren Hart +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: linux-efi +Cc: platform-driver-x86@vger.kernel.org +Cc: stable@vger.kernel.org # v4.9+ +Cc: Steve Wahl +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190213193413.25560-5-hedi.berriche@hpe.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/uv/bios.h | 8 +++++++- + arch/x86/platform/uv/bios_uv.c | 23 +++++++++++++++++++++-- + drivers/firmware/efi/runtime-wrappers.c | 7 +++++++ + 3 files changed, 35 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/uv/bios.h ++++ b/arch/x86/include/asm/uv/bios.h +@@ -48,7 +48,8 @@ enum { + BIOS_STATUS_SUCCESS = 0, + BIOS_STATUS_UNIMPLEMENTED = -ENOSYS, + BIOS_STATUS_EINVAL = -EINVAL, +- BIOS_STATUS_UNAVAIL = -EBUSY ++ BIOS_STATUS_UNAVAIL = -EBUSY, ++ BIOS_STATUS_ABORT = -EINTR, + }; + + /* Address map parameters */ +@@ -167,4 +168,9 @@ extern long system_serial_number; + + extern struct kobject *sgi_uv_kobj; /* /sys/firmware/sgi_uv */ + ++/* ++ * EFI runtime lock; cf. firmware/efi/runtime-wrappers.c for details ++ */ ++extern struct semaphore __efi_uv_runtime_lock; ++ + #endif /* _ASM_X86_UV_BIOS_H */ +--- a/arch/x86/platform/uv/bios_uv.c ++++ b/arch/x86/platform/uv/bios_uv.c +@@ -29,7 +29,8 @@ + + struct uv_systab *uv_systab; + +-s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) ++static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, ++ u64 a4, u64 a5) + { + struct uv_systab *tab = uv_systab; + s64 ret; +@@ -51,6 +52,19 @@ s64 uv_bios_call(enum uv_bios_cmd which, + + return ret; + } ++ ++s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) ++{ ++ s64 ret; ++ ++ if (down_interruptible(&__efi_uv_runtime_lock)) ++ return BIOS_STATUS_ABORT; ++ ++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5); ++ up(&__efi_uv_runtime_lock); ++ ++ return ret; ++} + EXPORT_SYMBOL_GPL(uv_bios_call); + + s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, +@@ -59,10 +73,15 @@ s64 uv_bios_call_irqsave(enum uv_bios_cm + unsigned long bios_flags; + s64 ret; + ++ if (down_interruptible(&__efi_uv_runtime_lock)) ++ return BIOS_STATUS_ABORT; ++ + local_irq_save(bios_flags); +- ret = uv_bios_call(which, a1, a2, a3, a4, a5); ++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5); + local_irq_restore(bios_flags); + ++ up(&__efi_uv_runtime_lock); ++ + return ret; + } + +--- a/drivers/firmware/efi/runtime-wrappers.c ++++ b/drivers/firmware/efi/runtime-wrappers.c +@@ -50,6 +50,13 @@ void efi_call_virt_check_flags(unsigned + } + + /* ++ * Expose the EFI runtime lock to the UV platform ++ */ ++#ifdef CONFIG_X86_UV ++extern struct semaphore __efi_uv_runtime_lock __alias(efi_runtime_lock); ++#endif ++ ++/* + * According to section 7.1 of the UEFI spec, Runtime Services are not fully + * reentrant, and there are particular combinations of calls that need to be + * serialized. (source: UEFI Specification v2.4A)