From: Greg Kroah-Hartman Date: Tue, 24 Sep 2019 06:48:21 +0000 (+0200) Subject: 5.3-stable patches X-Git-Tag: v5.3.2~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9913cf25bdda3c4efae02ffd9259e83ca97235a0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.3-stable patches added patches: hid-add-quirk-for-hp-x500-pixart-oem-mouse.patch hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch hid-logitech-dj-fix-crash-when-initial-logi_dj_recv_query_paired_devices-fails.patch hid-logitech-fix-general-protection-fault-caused-by-logitech-driver.patch hid-prodikeys-fix-general-protection-fault-during-probe.patch hid-sony-fix-memory-corruption-issue-on-cleanup.patch mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch --- diff --git a/queue-5.3/hid-add-quirk-for-hp-x500-pixart-oem-mouse.patch b/queue-5.3/hid-add-quirk-for-hp-x500-pixart-oem-mouse.patch new file mode 100644 index 00000000000..60f9cebcec3 --- /dev/null +++ b/queue-5.3/hid-add-quirk-for-hp-x500-pixart-oem-mouse.patch @@ -0,0 +1,46 @@ +From 2acf40f0454d41b8d51c95d317283c20c931164d Mon Sep 17 00:00:00 2001 +From: Sebastian Parschauer +Date: Mon, 2 Sep 2019 12:39:30 +0200 +Subject: HID: Add quirk for HP X500 PIXART OEM mouse + +From: Sebastian Parschauer + +commit 2acf40f0454d41b8d51c95d317283c20c931164d upstream. + +The PixArt OEM mice are known for disconnecting every minute in +runlevel 1 or 3 if they are not always polled. So add quirk +ALWAYS_POLL for this one as well. + +Ville Viinikka (viinikv) reported and tested the quirk. +Link: https://github.com/sriemer/fix-linux-mouse issue 15 + +Signed-off-by: Sebastian Parschauer +CC: stable@vger.kernel.org # v4.16+ +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -568,6 +568,7 @@ + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A 0x0b4a + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A 0x094a ++#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0941 0x0941 + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0641 0x0641 + + #define USB_VENDOR_ID_HUION 0x256c +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -92,6 +92,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0941), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0641), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_IDEACOM, USB_DEVICE_ID_IDEACOM_IDC6680), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_INNOMEDIA, USB_DEVICE_ID_INNEX_GENESIS_ATARI), HID_QUIRK_MULTI_INPUT }, diff --git a/queue-5.3/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch b/queue-5.3/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch new file mode 100644 index 00000000000..32e953609fd --- /dev/null +++ b/queue-5.3/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch @@ -0,0 +1,72 @@ +From 416dacb819f59180e4d86a5550052033ebb6d72c Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 21 Aug 2019 13:27:12 -0400 +Subject: HID: hidraw: Fix invalid read in hidraw_ioctl + +From: Alan Stern + +commit 416dacb819f59180e4d86a5550052033ebb6d72c upstream. + +The syzbot fuzzer has reported a pair of problems in the +hidraw_ioctl() function: slab-out-of-bounds read and use-after-free +read. An example of the first: + +BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525 +Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833 + +CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xca/0x13e lib/dump_stack.c:113 + print_address_description+0x6a/0x32c mm/kasan/report.c:351 + __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482 + kasan_report+0xe/0x12 mm/kasan/common.c:612 + strlen+0x79/0x90 lib/string.c:525 + strlen include/linux/string.h:281 [inline] + hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:509 [inline] + do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696 + ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713 + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl fs/ioctl.c:718 [inline] + __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718 + do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x459829 +Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 +48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff +ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829 +RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004 +RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4 +R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff + +The two problems have the same cause: hidraw_ioctl() fails to test +whether the device has been removed. This patch adds the missing test. + +Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +CC: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hidraw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -370,7 +370,7 @@ static long hidraw_ioctl(struct file *fi + + mutex_lock(&minors_lock); + dev = hidraw_table[minor]; +- if (!dev) { ++ if (!dev || !dev->exist) { + ret = -ENODEV; + goto out; + } diff --git a/queue-5.3/hid-logitech-dj-fix-crash-when-initial-logi_dj_recv_query_paired_devices-fails.patch b/queue-5.3/hid-logitech-dj-fix-crash-when-initial-logi_dj_recv_query_paired_devices-fails.patch new file mode 100644 index 00000000000..8d5893cb464 --- /dev/null +++ b/queue-5.3/hid-logitech-dj-fix-crash-when-initial-logi_dj_recv_query_paired_devices-fails.patch @@ -0,0 +1,97 @@ +From 8ccff2843fb4e6d9d26e5ae9ffe9840b38b92638 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 25 Aug 2019 17:35:42 +0200 +Subject: HID: logitech-dj: Fix crash when initial logi_dj_recv_query_paired_devices fails + +From: Hans de Goede + +commit 8ccff2843fb4e6d9d26e5ae9ffe9840b38b92638 upstream. + +Before this commit dj_probe would exit with an error if the initial +logi_dj_recv_query_paired_devices fails. The initial call may fail +when the receiver is connected through a kvm and the focus is away. + +When the call fails this causes 2 problems: + +1) dj_probe calls logi_dj_recv_query_paired_devices after calling +hid_device_io_start() so a HID report may have been received in between +and our delayedwork_callback may be running. It seems that the initial +logi_dj_recv_query_paired_devices failure happening with some KVMs triggers +this exact scenario, causing the work-queue to run on free-ed memory, +leading to: + + BUG: unable to handle page fault for address: 0000000000001e88 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 3 PID: 257 Comm: kworker/3:3 Tainted: G OE 5.3.0-rc5+ #100 + Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./B150M Pro4S/D3, BIOS P7.10 12/06/2016 + Workqueue: events 0xffffffffc02ba200 + RIP: 0010:0xffffffffc02ba1bd + Code: e8 e8 13 00 d8 48 89 c5 48 85 c0 74 4c 48 8b 7b 10 48 89 ea b9 07 00 00 00 41 b9 09 00 00 00 41 b8 01 00 00 00 be 10 00 00 00 <48> 8b 87 88 1e 00 00 48 8b 40 40 e8 b3 6b b4 d8 48 89 ef 41 89 c4 + RSP: 0018:ffffb760c046bdb8 EFLAGS: 00010286 + RAX: ffff935038ea4550 RBX: ffff935046778000 RCX: 0000000000000007 + RDX: ffff935038ea4550 RSI: 0000000000000010 RDI: 0000000000000000 + RBP: ffff935038ea4550 R08: 0000000000000001 R09: 0000000000000009 + R10: 000000000000e011 R11: 0000000000000001 R12: ffff9350467780e8 + R13: ffff935046778000 R14: 0000000000000000 R15: ffff935046778070 + FS: 0000000000000000(0000) GS:ffff935054e00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000001e88 CR3: 000000075a612002 CR4: 00000000003606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + 0xffffffffc02ba2f7 + ? process_one_work+0x1b1/0x560 + process_one_work+0x234/0x560 + worker_thread+0x50/0x3b0 + kthread+0x10a/0x140 + ? process_one_work+0x560/0x560 + ? kthread_park+0x80/0x80 + ret_from_fork+0x3a/0x50 + Modules linked in: vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) bnep vfat fat btusb btrtl btbcm btintel bluetooth intel_rapl_msr ecdh_generic rfkill ecc snd_usb_audio snd_usbmidi_lib intel_rapl_common snd_rawmidi mc x86_pkg_temp_thermal intel_powerclamp coretemp iTCO_wdt iTCO_vendor_support mei_wdt mei_hdcp ppdev kvm_intel kvm irqbypass crct10dif_pclmul crc32_generic crc32_pclmul snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio ghash_clmulni_intel intel_cstate snd_hda_intel snd_hda_codec intel_uncore snd_hda_core snd_hwdep intel_rapl_perf snd_seq snd_seq_device snd_pcm snd_timer intel_wmi_thunderbolt snd e1000e soundcore mxm_wmi i2c_i801 bfq mei_me mei intel_pch_thermal parport_pc parport acpi_pad binfmt_misc hid_lg_g15(E) hid_logitech_dj(E) i915 crc32c_intel i2c_algo_bit drm_kms_helper nvme nvme_core drm wmi video uas usb_storage i2c_dev + CR2: 0000000000001e88 + ---[ end trace 1d3f8afdcfcbd842 ]--- + +2) Even if we were to fix 1. by making sure the work is stopped before +failing probe, failing probe is the wrong thing to do, we have +logi_dj_recv_queue_unknown_work to deal with the initial +logi_dj_recv_query_paired_devices failure. + +Rather then error-ing out of the probe, causing the receiver to not work at +all we should rely on this, so that the attached devices will get properly +enumerated once the KVM focus is switched back. + +Cc: stable@vger.kernel.org +Fixes: 74808f9115ce ("HID: logitech-dj: add support for non unifying receivers") +Signed-off-by: Hans de Goede +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-logitech-dj.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -1734,14 +1734,14 @@ static int logi_dj_probe(struct hid_devi + if (retval < 0) { + hid_err(hdev, "%s: logi_dj_recv_query_paired_devices error:%d\n", + __func__, retval); +- goto logi_dj_recv_query_paired_devices_failed; ++ /* ++ * This can happen with a KVM, let the probe succeed, ++ * logi_dj_recv_queue_unknown_work will retry later. ++ */ + } + } + +- return retval; +- +-logi_dj_recv_query_paired_devices_failed: +- hid_hw_close(hdev); ++ return 0; + + llopen_failed: + switch_to_dj_mode_fail: diff --git a/queue-5.3/hid-logitech-fix-general-protection-fault-caused-by-logitech-driver.patch b/queue-5.3/hid-logitech-fix-general-protection-fault-caused-by-logitech-driver.patch new file mode 100644 index 00000000000..7a44535e5c3 --- /dev/null +++ b/queue-5.3/hid-logitech-fix-general-protection-fault-caused-by-logitech-driver.patch @@ -0,0 +1,108 @@ +From 5f9242775bb61f390f0885f23fc16397262c7538 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Tue, 20 Aug 2019 16:00:21 -0400 +Subject: HID: logitech: Fix general protection fault caused by Logitech driver + +From: Alan Stern + +commit 5f9242775bb61f390f0885f23fc16397262c7538 upstream. + +The syzbot fuzzer found a general protection fault in the HID subsystem: + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN +CPU: 0 PID: 3715 Comm: syz-executor.3 Not tainted 5.2.0-rc6+ #15 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:__pm_runtime_resume+0x49/0x180 drivers/base/power/runtime.c:1069 +Code: ed 74 d5 fe 45 85 ed 0f 85 9a 00 00 00 e8 6f 73 d5 fe 48 8d bd c1 02 +00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 +89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 fe 00 00 00 +RSP: 0018:ffff8881d99d78e0 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000000020 RCX: ffffc90003f3f000 +RDX: 0000000416d8686d RSI: ffffffff82676841 RDI: 00000020b6c3436a +RBP: 00000020b6c340a9 R08: ffff8881c6d64800 R09: fffffbfff0e84c25 +R10: ffff8881d99d7940 R11: ffffffff87426127 R12: 0000000000000004 +R13: 0000000000000000 R14: ffff8881d9b94000 R15: ffffffff897f9048 +FS: 00007f047f542700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b30f21000 CR3: 00000001ca032000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline] + usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1707 + usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234 + hid_hw_power include/linux/hid.h:1038 [inline] + hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282 + chrdev_open+0x219/0x5c0 fs/char_dev.c:413 + do_dentry_open+0x497/0x1040 fs/open.c:778 + do_last fs/namei.c:3416 [inline] + path_openat+0x1430/0x3ff0 fs/namei.c:3533 + do_filp_open+0x1a1/0x280 fs/namei.c:3563 + do_sys_open+0x3c0/0x580 fs/open.c:1070 + do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +It turns out the fault was caused by a bug in the HID Logitech driver, +which violates the requirement that every pathway calling +hid_hw_start() must also call hid_hw_stop(). This patch fixes the bug +by making sure the requirement is met. + +Reported-and-tested-by: syzbot+3cbe5cd105d2ad56a1df@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +CC: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-lg.c | 10 ++++++---- + drivers/hid/hid-lg4ff.c | 1 - + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/hid/hid-lg.c ++++ b/drivers/hid/hid-lg.c +@@ -818,7 +818,7 @@ static int lg_probe(struct hid_device *h + + if (!buf) { + ret = -ENOMEM; +- goto err_free; ++ goto err_stop; + } + + ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf), +@@ -850,9 +850,12 @@ static int lg_probe(struct hid_device *h + ret = lg4ff_init(hdev); + + if (ret) +- goto err_free; ++ goto err_stop; + + return 0; ++ ++err_stop: ++ hid_hw_stop(hdev); + err_free: + kfree(drv_data); + return ret; +@@ -863,8 +866,7 @@ static void lg_remove(struct hid_device + struct lg_drv_data *drv_data = hid_get_drvdata(hdev); + if (drv_data->quirks & LG_FF4) + lg4ff_deinit(hdev); +- else +- hid_hw_stop(hdev); ++ hid_hw_stop(hdev); + kfree(drv_data); + } + +--- a/drivers/hid/hid-lg4ff.c ++++ b/drivers/hid/hid-lg4ff.c +@@ -1477,7 +1477,6 @@ int lg4ff_deinit(struct hid_device *hid) + } + } + #endif +- hid_hw_stop(hid); + drv_data->device_props = NULL; + + kfree(entry); diff --git a/queue-5.3/hid-prodikeys-fix-general-protection-fault-during-probe.patch b/queue-5.3/hid-prodikeys-fix-general-protection-fault-during-probe.patch new file mode 100644 index 00000000000..424cfd54ff8 --- /dev/null +++ b/queue-5.3/hid-prodikeys-fix-general-protection-fault-during-probe.patch @@ -0,0 +1,76 @@ +From 98375b86c79137416e9fd354177b85e768c16e56 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 4 Sep 2019 11:54:20 -0400 +Subject: HID: prodikeys: Fix general protection fault during probe + +From: Alan Stern + +commit 98375b86c79137416e9fd354177b85e768c16e56 upstream. + +The syzbot fuzzer provoked a general protection fault in the +hid-prodikeys driver: + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc5+ #28 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +RIP: 0010:pcmidi_submit_output_report drivers/hid/hid-prodikeys.c:300 [inline] +RIP: 0010:pcmidi_set_operational drivers/hid/hid-prodikeys.c:558 [inline] +RIP: 0010:pcmidi_snd_initialise drivers/hid/hid-prodikeys.c:686 [inline] +RIP: 0010:pk_probe+0xb51/0xfd0 drivers/hid/hid-prodikeys.c:836 +Code: 0f 85 50 04 00 00 48 8b 04 24 4c 89 7d 10 48 8b 58 08 e8 b2 53 e4 fc +48 8b 54 24 20 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f +85 13 04 00 00 48 ba 00 00 00 00 00 fc ff df 49 8b + +The problem is caused by the fact that pcmidi_get_output_report() will +return an error if the HID device doesn't provide the right sort of +output report, but pcmidi_set_operational() doesn't bother to check +the return code and assumes the function call always succeeds. + +This patch adds the missing check and aborts the probe operation if +necessary. + +Reported-and-tested-by: syzbot+1088533649dafa1c9004@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +CC: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-prodikeys.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-prodikeys.c ++++ b/drivers/hid/hid-prodikeys.c +@@ -551,10 +551,14 @@ static void pcmidi_setup_extra_keys( + + static int pcmidi_set_operational(struct pcmidi_snd *pm) + { ++ int rc; ++ + if (pm->ifnum != 1) + return 0; /* only set up ONCE for interace 1 */ + +- pcmidi_get_output_report(pm); ++ rc = pcmidi_get_output_report(pm); ++ if (rc < 0) ++ return rc; + pcmidi_submit_output_report(pm, 0xc1); + return 0; + } +@@ -683,7 +687,11 @@ static int pcmidi_snd_initialise(struct + spin_lock_init(&pm->rawmidi_in_lock); + + init_sustain_timers(pm); +- pcmidi_set_operational(pm); ++ err = pcmidi_set_operational(pm); ++ if (err < 0) { ++ pk_error("failed to find output report\n"); ++ goto fail_register; ++ } + + /* register it */ + err = snd_card_register(card); diff --git a/queue-5.3/hid-sony-fix-memory-corruption-issue-on-cleanup.patch b/queue-5.3/hid-sony-fix-memory-corruption-issue-on-cleanup.patch new file mode 100644 index 00000000000..e05bd2a576a --- /dev/null +++ b/queue-5.3/hid-sony-fix-memory-corruption-issue-on-cleanup.patch @@ -0,0 +1,42 @@ +From 2bcdacb70327013ca2066bfcf2af1009eff01f1d Mon Sep 17 00:00:00 2001 +From: Roderick Colenbrander +Date: Wed, 4 Sep 2019 14:22:11 -0700 +Subject: HID: sony: Fix memory corruption issue on cleanup. + +From: Roderick Colenbrander + +commit 2bcdacb70327013ca2066bfcf2af1009eff01f1d upstream. + +The sony driver is not properly cleaning up from potential failures in +sony_input_configured. Currently it calls hid_hw_stop, while hid_connect +is still running. This is not a good idea, instead hid_hw_stop should +be moved to sony_probe. Similar changes were recently made to Logitech +drivers, which were also doing improper cleanup. + +Signed-off-by: Roderick Colenbrander +CC: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-sony.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hid-sony.c ++++ b/drivers/hid/hid-sony.c +@@ -2811,7 +2811,6 @@ err_stop: + sony_cancel_work_sync(sc); + sony_remove_dev_list(sc); + sony_release_device_id(sc); +- hid_hw_stop(hdev); + return ret; + } + +@@ -2876,6 +2875,7 @@ static int sony_probe(struct hid_device + */ + if (!(hdev->claimed & HID_CLAIMED_INPUT)) { + hid_err(hdev, "failed to claim input\n"); ++ hid_hw_stop(hdev); + return -ENODEV; + } + diff --git a/queue-5.3/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch b/queue-5.3/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch new file mode 100644 index 00000000000..a27d8c4182c --- /dev/null +++ b/queue-5.3/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch @@ -0,0 +1,87 @@ +From 37c673ade35c707d50583b5b25091ff8ebdeafd7 Mon Sep 17 00:00:00 2001 +From: Tokunori Ikegami +Date: Tue, 6 Aug 2019 04:03:18 +0900 +Subject: mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() + +From: Tokunori Ikegami + +commit 37c673ade35c707d50583b5b25091ff8ebdeafd7 upstream. + +As reported by the OpenWRT team, write requests sometimes fail on some +platforms. +Currently to check the state chip_ready() is used correctly as described by +the flash memory S29GL256P11TFI01 datasheet. +Also chip_good() is used to check if the write is succeeded and it was +implemented by the commit fb4a90bfcd6d8 ("[MTD] CFI-0002 - Improve error +checking"). +But actually the write failure is caused on some platforms and also it can +be fixed by using chip_good() to check the state and retry instead. +Also it seems that it is caused after repeated about 1,000 times to retry +the write one word with the reset command. +By using chip_good() to check the state to be done it can be reduced the +retry with reset. +It is depended on the actual flash chip behavior so the root cause is +unknown. + +Cc: Chris Packham +Cc: Joakim Tjernlund +Cc: linux-mtd@lists.infradead.org +Cc: stable@vger.kernel.org +Reported-by: Fabio Bettoni +Signed-off-by: Felix Fietkau +Signed-off-by: Hauke Mehrtens +Signed-off-by: Tokunori Ikegami +[vigneshr@ti.com: Fix a checkpatch warning] +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -1717,31 +1717,37 @@ static int __xipram do_write_oneword(str + continue; + } + ++ /* ++ * We check "time_after" and "!chip_good" before checking ++ * "chip_good" to avoid the failure due to scheduling. ++ */ + if (time_after(jiffies, timeo) && +- !chip_ready(map, chip, adr)) { ++ !chip_good(map, chip, adr, datum)) { + xip_enable(map, chip, adr); + printk(KERN_WARNING "MTD %s(): software timeout\n", __func__); + xip_disable(map, chip, adr); ++ ret = -EIO; + break; + } + +- if (chip_ready(map, chip, adr)) ++ if (chip_good(map, chip, adr, datum)) + break; + + /* Latency issues. Drop the lock, wait a while and retry */ + UDELAY(map, chip, adr, 1); + } ++ + /* Did we succeed? */ +- if (!chip_good(map, chip, adr, datum)) { ++ if (ret) { + /* reset on all failures. */ + cfi_check_err_status(map, chip, adr); + map_write(map, CMD(0xF0), chip->start); + /* FIXME - should have reset delay before continuing */ + +- if (++retry_cnt <= MAX_RETRIES) ++ if (++retry_cnt <= MAX_RETRIES) { ++ ret = 0; + goto retry; +- +- ret = -EIO; ++ } + } + xip_enable(map, chip, adr); + op_done: diff --git a/queue-5.3/series b/queue-5.3/series index 04c08bd05fc..309f87889ce 100644 --- a/queue-5.3/series +++ b/queue-5.3/series @@ -6,3 +6,10 @@ drm-amd-display-skip-determining-update-type-for-async-updates.patch drm-amd-display-don-t-replace-the-dc_state-for-fast-updates.patch drm-amd-display-readd-msse2-to-prevent-clang-from-emitting-libcalls-to-undefined-sw-fp-routines.patch powerpc-xive-fix-bogus-error-code-returned-by-opal.patch +hid-prodikeys-fix-general-protection-fault-during-probe.patch +hid-sony-fix-memory-corruption-issue-on-cleanup.patch +hid-logitech-fix-general-protection-fault-caused-by-logitech-driver.patch +hid-logitech-dj-fix-crash-when-initial-logi_dj_recv_query_paired_devices-fails.patch +hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch +hid-add-quirk-for-hp-x500-pixart-oem-mouse.patch +mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch