From: Greg Kroah-Hartman Date: Mon, 2 Mar 2020 18:39:28 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.108~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ce8794932fa089fee0be0f7d3773e2db7aa0ad5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: acpi-watchdog-fix-gas-access_width-usage.patch acpica-introduce-acpi_access_byte_width-macro.patch audit-fix-error-handling-in-audit_data_to_entry.patch ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch hid-core-increase-hid-report-buffer-size-to-8kib.patch hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch tracing-disable-trace_printk-on-post-poned-tests.patch --- diff --git a/queue-4.14/acpi-watchdog-fix-gas-access_width-usage.patch b/queue-4.14/acpi-watchdog-fix-gas-access_width-usage.patch new file mode 100644 index 00000000000..f05b78852a2 --- /dev/null +++ b/queue-4.14/acpi-watchdog-fix-gas-access_width-usage.patch @@ -0,0 +1,54 @@ +From 2ba33a4e9e22ac4dda928d3e9b5978a3a2ded4e0 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 12 Feb 2020 17:59:40 +0300 +Subject: ACPI: watchdog: Fix gas->access_width usage + +From: Mika Westerberg + +commit 2ba33a4e9e22ac4dda928d3e9b5978a3a2ded4e0 upstream. + +ACPI Generic Address Structure (GAS) access_width field is not in bytes +as the driver seems to expect in few places so fix this by using the +newly introduced macro ACPI_ACCESS_BYTE_WIDTH(). + +Fixes: b1abf6fc4982 ("ACPI / watchdog: Fix off-by-one error at resource assignment") +Fixes: 058dfc767008 ("ACPI / watchdog: Add support for WDAT hardware watchdog") +Reported-by: Jean Delvare +Signed-off-by: Mika Westerberg +Reviewed-by: Jean Delvare +Cc: 4.16+ # 4.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_watchdog.c | 3 +-- + drivers/watchdog/wdat_wdt.c | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/acpi_watchdog.c ++++ b/drivers/acpi/acpi_watchdog.c +@@ -129,12 +129,11 @@ void __init acpi_watchdog_init(void) + gas = &entries[i].register_region; + + res.start = gas->address; ++ res.end = res.start + ACPI_ACCESS_BYTE_WIDTH(gas->access_width) - 1; + if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + res.flags = IORESOURCE_MEM; +- res.end = res.start + ALIGN(gas->access_width, 4) - 1; + } else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { + res.flags = IORESOURCE_IO; +- res.end = res.start + gas->access_width - 1; + } else { + pr_warn("Unsupported address space: %u\n", + gas->space_id); +--- a/drivers/watchdog/wdat_wdt.c ++++ b/drivers/watchdog/wdat_wdt.c +@@ -392,7 +392,7 @@ static int wdat_wdt_probe(struct platfor + + memset(&r, 0, sizeof(r)); + r.start = gas->address; +- r.end = r.start + gas->access_width - 1; ++ r.end = r.start + ACPI_ACCESS_BYTE_WIDTH(gas->access_width) - 1; + if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + r.flags = IORESOURCE_MEM; + } else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { diff --git a/queue-4.14/acpica-introduce-acpi_access_byte_width-macro.patch b/queue-4.14/acpica-introduce-acpi_access_byte_width-macro.patch new file mode 100644 index 00000000000..9d3f997ee08 --- /dev/null +++ b/queue-4.14/acpica-introduce-acpi_access_byte_width-macro.patch @@ -0,0 +1,39 @@ +From 1dade3a7048ccfc675650cd2cf13d578b095e5fb Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 12 Feb 2020 17:59:39 +0300 +Subject: ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro + +From: Mika Westerberg + +commit 1dade3a7048ccfc675650cd2cf13d578b095e5fb upstream. + +Sometimes it is useful to find the access_width field value in bytes and +not in bits so add a helper that can be used for this purpose. + +Suggested-by: Jean Delvare +Signed-off-by: Mika Westerberg +Reviewed-by: Jean Delvare +Cc: 4.16+ # 4.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + include/acpi/actypes.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -556,11 +556,12 @@ typedef u64 acpi_integer; + #define ACPI_MAKE_RSDP_SIG(dest) (memcpy (ACPI_CAST_PTR (char, (dest)), ACPI_SIG_RSDP, 8)) + + /* +- * Algorithm to obtain access bit width. ++ * Algorithm to obtain access bit or byte width. + * Can be used with access_width of struct acpi_generic_address and access_size of + * struct acpi_resource_generic_register. + */ + #define ACPI_ACCESS_BIT_WIDTH(size) (1 << ((size) + 2)) ++#define ACPI_ACCESS_BYTE_WIDTH(size) (1 << ((size) - 1)) + + /******************************************************************************* + * diff --git a/queue-4.14/audit-fix-error-handling-in-audit_data_to_entry.patch b/queue-4.14/audit-fix-error-handling-in-audit_data_to_entry.patch new file mode 100644 index 00000000000..accb9ba9fad --- /dev/null +++ b/queue-4.14/audit-fix-error-handling-in-audit_data_to_entry.patch @@ -0,0 +1,204 @@ +From 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Sat, 22 Feb 2020 20:36:47 -0500 +Subject: audit: fix error handling in audit_data_to_entry() + +From: Paul Moore + +commit 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb upstream. + +Commit 219ca39427bf ("audit: use union for audit_field values since +they are mutually exclusive") combined a number of separate fields in +the audit_field struct into a single union. Generally this worked +just fine because they are generally mutually exclusive. +Unfortunately in audit_data_to_entry() the overlap can be a problem +when a specific error case is triggered that causes the error path +code to attempt to cleanup an audit_field struct and the cleanup +involves attempting to free a stored LSM string (the lsm_str field). +Currently the code always has a non-NULL value in the +audit_field.lsm_str field as the top of the for-loop transfers a +value into audit_field.val (both .lsm_str and .val are part of the +same union); if audit_data_to_entry() fails and the audit_field +struct is specified to contain a LSM string, but the +audit_field.lsm_str has not yet been properly set, the error handling +code will attempt to free the bogus audit_field.lsm_str value that +was set with audit_field.val at the top of the for-loop. + +This patch corrects this by ensuring that the audit_field.val is only +set when needed (it is cleared when the audit_field struct is +allocated with kcalloc()). It also corrects a few other issues to +ensure that in case of error the proper error code is returned. + +Cc: stable@vger.kernel.org +Fixes: 219ca39427bf ("audit: use union for audit_field values since they are mutually exclusive") +Reported-by: syzbot+1f4d90ead370d72e450b@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditfilter.c | 71 ++++++++++++++++++++++++++++----------------------- + 1 file changed, 39 insertions(+), 32 deletions(-) + +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -435,6 +435,7 @@ static struct audit_entry *audit_data_to + bufp = data->buf; + for (i = 0; i < data->field_count; i++) { + struct audit_field *f = &entry->rule.fields[i]; ++ u32 f_val; + + err = -EINVAL; + +@@ -443,12 +444,12 @@ static struct audit_entry *audit_data_to + goto exit_free; + + f->type = data->fields[i]; +- f->val = data->values[i]; ++ f_val = data->values[i]; + + /* Support legacy tests for a valid loginuid */ +- if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { ++ if ((f->type == AUDIT_LOGINUID) && (f_val == AUDIT_UID_UNSET)) { + f->type = AUDIT_LOGINUID_SET; +- f->val = 0; ++ f_val = 0; + entry->rule.pflags |= AUDIT_LOGINUID_LEGACY; + } + +@@ -464,7 +465,7 @@ static struct audit_entry *audit_data_to + case AUDIT_SUID: + case AUDIT_FSUID: + case AUDIT_OBJ_UID: +- f->uid = make_kuid(current_user_ns(), f->val); ++ f->uid = make_kuid(current_user_ns(), f_val); + if (!uid_valid(f->uid)) + goto exit_free; + break; +@@ -473,12 +474,13 @@ static struct audit_entry *audit_data_to + case AUDIT_SGID: + case AUDIT_FSGID: + case AUDIT_OBJ_GID: +- f->gid = make_kgid(current_user_ns(), f->val); ++ f->gid = make_kgid(current_user_ns(), f_val); + if (!gid_valid(f->gid)) + goto exit_free; + break; + case AUDIT_SESSIONID: + case AUDIT_ARCH: ++ f->val = f_val; + entry->rule.arch_f = f; + break; + case AUDIT_SUBJ_USER: +@@ -491,11 +493,13 @@ static struct audit_entry *audit_data_to + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- ++ } ++ entry->rule.buflen += f_val; ++ f->lsm_str = str; + err = security_audit_rule_init(f->type, f->op, str, + (void **)&f->lsm_rule); + /* Keep currently invalid fields around in case they +@@ -504,68 +508,71 @@ static struct audit_entry *audit_data_to + pr_warn("audit rule for LSM \'%s\' is invalid\n", + str); + err = 0; +- } +- if (err) { +- kfree(str); ++ } else if (err) + goto exit_free; +- } else +- f->lsm_str = str; + break; + case AUDIT_WATCH: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- +- err = audit_to_watch(&entry->rule, str, f->val, f->op); ++ } ++ err = audit_to_watch(&entry->rule, str, f_val, f->op); + if (err) { + kfree(str); + goto exit_free; + } ++ entry->rule.buflen += f_val; + break; + case AUDIT_DIR: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- ++ } + err = audit_make_tree(&entry->rule, str, f->op); + kfree(str); + if (err) + goto exit_free; ++ entry->rule.buflen += f_val; + break; + case AUDIT_INODE: ++ f->val = f_val; + err = audit_to_inode(&entry->rule, f); + if (err) + goto exit_free; + break; + case AUDIT_FILTERKEY: +- if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) ++ if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN) + goto exit_free; +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; ++ } ++ entry->rule.buflen += f_val; + entry->rule.filterkey = str; + break; + case AUDIT_EXE: +- if (entry->rule.exe || f->val > PATH_MAX) ++ if (entry->rule.exe || f_val > PATH_MAX) + goto exit_free; +- str = audit_unpack_string(&bufp, &remain, f->val); ++ str = audit_unpack_string(&bufp, &remain, f_val); + if (IS_ERR(str)) { + err = PTR_ERR(str); + goto exit_free; + } +- entry->rule.buflen += f->val; +- +- audit_mark = audit_alloc_mark(&entry->rule, str, f->val); ++ audit_mark = audit_alloc_mark(&entry->rule, str, f_val); + if (IS_ERR(audit_mark)) { + kfree(str); + err = PTR_ERR(audit_mark); + goto exit_free; + } ++ entry->rule.buflen += f_val; + entry->rule.exe = audit_mark; + break; ++ default: ++ f->val = f_val; ++ break; + } + } + diff --git a/queue-4.14/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch b/queue-4.14/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch new file mode 100644 index 00000000000..1e0cfc1f39f --- /dev/null +++ b/queue-4.14/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch @@ -0,0 +1,50 @@ +From 37b0b6b8b99c0e1c1f11abbe7cf49b6d03795b3f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 28 Feb 2020 12:22:56 +0300 +Subject: ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() + +From: Dan Carpenter + +commit 37b0b6b8b99c0e1c1f11abbe7cf49b6d03795b3f upstream. + +If sbi->s_flex_groups_allocated is zero and the first allocation fails +then this code will crash. The problem is that "i--" will set "i" to +-1 but when we compare "i >= sbi->s_flex_groups_allocated" then the -1 +is type promoted to unsigned and becomes UINT_MAX. Since UINT_MAX +is more than zero, the condition is true so we call kvfree(new_groups[-1]). +The loop will carry on freeing invalid memory until it crashes. + +Fixes: 7c990728b99e ("ext4: fix potential race between s_flex_groups online resizing and access") +Reviewed-by: Suraj Jitindar Singh +Signed-off-by: Dan Carpenter +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20200228092142.7irbc44yaz3by7nb@kili.mountain +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2238,7 +2238,7 @@ int ext4_alloc_flex_bg_array(struct supe + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct flex_groups **old_groups, **new_groups; +- int size, i; ++ int size, i, j; + + if (!sbi->s_log_groups_per_flex) + return 0; +@@ -2259,8 +2259,8 @@ int ext4_alloc_flex_bg_array(struct supe + sizeof(struct flex_groups)), + GFP_KERNEL); + if (!new_groups[i]) { +- for (i--; i >= sbi->s_flex_groups_allocated; i--) +- kvfree(new_groups[i]); ++ for (j = sbi->s_flex_groups_allocated; j < i; j++) ++ kvfree(new_groups[j]); + kvfree(new_groups); + ext4_msg(sb, KERN_ERR, + "not enough memory for %d flex groups", size); diff --git a/queue-4.14/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch b/queue-4.14/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch new file mode 100644 index 00000000000..482cf9183e7 --- /dev/null +++ b/queue-4.14/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch @@ -0,0 +1,46 @@ +From 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f Mon Sep 17 00:00:00 2001 +From: Johan Korsnes +Date: Fri, 17 Jan 2020 13:08:35 +0100 +Subject: HID: core: fix off-by-one memset in hid_report_raw_event() + +From: Johan Korsnes + +commit 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f upstream. + +In case a report is greater than HID_MAX_BUFFER_SIZE, it is truncated, +but the report-number byte is not correctly handled. This results in a +off-by-one in the following memset, causing a kernel Oops and ensuing +system crash. + +Note: With commit 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in +hid_field_extract") I no longer hit the kernel Oops as we instead fail +"controlled" at probe if there is a report too long in the HID +report-descriptor. hid_report_raw_event() is an exported symbol, so +presumabely we cannot always rely on this being the case. + +Fixes: 966922f26c7f ("HID: fix a crash in hid_report_raw_event() + function.") +Signed-off-by: Johan Korsnes +Cc: Armando Visconti +Cc: Jiri Kosina +Cc: Alan Stern +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1567,7 +1567,9 @@ int hid_report_raw_event(struct hid_devi + + rsize = ((report->size - 1) >> 3) + 1; + +- if (rsize > HID_MAX_BUFFER_SIZE) ++ if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) ++ rsize = HID_MAX_BUFFER_SIZE - 1; ++ else if (rsize > HID_MAX_BUFFER_SIZE) + rsize = HID_MAX_BUFFER_SIZE; + + if (csize < rsize) { diff --git a/queue-4.14/hid-core-increase-hid-report-buffer-size-to-8kib.patch b/queue-4.14/hid-core-increase-hid-report-buffer-size-to-8kib.patch new file mode 100644 index 00000000000..3aacfef834c --- /dev/null +++ b/queue-4.14/hid-core-increase-hid-report-buffer-size-to-8kib.patch @@ -0,0 +1,37 @@ +From 84a4062632462c4320704fcdf8e99e89e94c0aba Mon Sep 17 00:00:00 2001 +From: Johan Korsnes +Date: Fri, 17 Jan 2020 13:08:36 +0100 +Subject: HID: core: increase HID report buffer size to 8KiB + +From: Johan Korsnes + +commit 84a4062632462c4320704fcdf8e99e89e94c0aba upstream. + +We have a HID touch device that reports its opens and shorts test +results in HID buffers of size 8184 bytes. The maximum size of the HID +buffer is currently set to 4096 bytes, causing probe of this device to +fail. With this patch we increase the maximum size of the HID buffer to +8192 bytes, making device probe and acquisition of said buffers succeed. + +Signed-off-by: Johan Korsnes +Cc: Alan Stern +Cc: Armando Visconti +Cc: Jiri Kosina +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/hid.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -477,7 +477,7 @@ struct hid_report_enum { + }; + + #define HID_MIN_BUFFER_SIZE 64 /* make sure there is at least a packet size of space */ +-#define HID_MAX_BUFFER_SIZE 4096 /* 4kb */ ++#define HID_MAX_BUFFER_SIZE 8192 /* 8kb */ + #define HID_CONTROL_FIFO_SIZE 256 /* to init devices with >100 reports */ + #define HID_OUTPUT_FIFO_SIZE 64 + diff --git a/queue-4.14/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch b/queue-4.14/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch new file mode 100644 index 00000000000..85828ed3cbd --- /dev/null +++ b/queue-4.14/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch @@ -0,0 +1,64 @@ +From beae56192a2570578ae45050e73c5ff9254f63e6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 1 Feb 2020 12:56:48 +0100 +Subject: HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +commit beae56192a2570578ae45050e73c5ff9254f63e6 upstream. + +Commit 8f18eca9ebc5 ("HID: ite: Add USB id match for Acer SW5-012 keyboard +dock") added the USB id for the Acer SW5-012's keyboard dock to the +hid-ite driver to fix the rfkill driver not working. + +Most keyboard docks with an ITE 8595 keyboard/touchpad controller have the +"Wireless Radio Control" bits which need the special hid-ite driver on the +second USB interface (the mouse interface) and their touchpad only supports +mouse emulation, so using generic hid-input handling for anything but +the "Wireless Radio Control" bits is fine. On these devices we simply bind +to all USB interfaces. + +But unlike other ITE8595 using keyboard docks, the Acer Aspire Switch 10 +(SW5-012)'s touchpad not only does mouse emulation it also supports +HID-multitouch and all the keys including the "Wireless Radio Control" +bits have been moved to the first USB interface (the keyboard intf). + +So we need hid-ite to handle the first (keyboard) USB interface and have +it NOT bind to the second (mouse) USB interface so that that can be +handled by hid-multitouch.c and we get proper multi-touch support. + +This commit changes the hid_device_id for the SW5-012 keyboard dock to +only match on hid devices from the HID_GROUP_GENERIC group, this way +hid-ite will not bind the the mouse/multi-touch interface which has +HID_GROUP_MULTITOUCH_WIN_8 as group. +This fixes the regression to mouse-emulation mode introduced by adding +the keyboard dock USB id. + +Cc: stable@vger.kernel.org +Fixes: 8f18eca9ebc5 ("HID: ite: Add USB id match for Acer SW5-012 keyboard dock") +Reported-by: Zdeněk Rampas +Signed-off-by: Hans de Goede +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ite.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-ite.c ++++ b/drivers/hid/hid-ite.c +@@ -44,8 +44,9 @@ static const struct hid_device_id ite_de + { HID_USB_DEVICE(USB_VENDOR_ID_ITE, USB_DEVICE_ID_ITE8595) }, + { HID_USB_DEVICE(USB_VENDOR_ID_258A, USB_DEVICE_ID_258A_6A88) }, + /* ITE8595 USB kbd ctlr, with Synaptics touchpad connected to it. */ +- { HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS, +- USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) }, ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_SYNAPTICS, ++ USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) }, + { } + }; + MODULE_DEVICE_TABLE(hid, ite_devices); diff --git a/queue-4.14/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch b/queue-4.14/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch new file mode 100644 index 00000000000..15dd8a737e7 --- /dev/null +++ b/queue-4.14/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch @@ -0,0 +1,61 @@ +From 86f7e90ce840aa1db407d3ea6e9b3a52b2ce923c Mon Sep 17 00:00:00 2001 +From: Oliver Upton +Date: Sat, 29 Feb 2020 11:30:14 -0800 +Subject: KVM: VMX: check descriptor table exits on instruction emulation + +From: Oliver Upton + +commit 86f7e90ce840aa1db407d3ea6e9b3a52b2ce923c upstream. + +KVM emulates UMIP on hardware that doesn't support it by setting the +'descriptor table exiting' VM-execution control and performing +instruction emulation. When running nested, this emulation is broken as +KVM refuses to emulate L2 instructions by default. + +Correct this regression by allowing the emulation of descriptor table +instructions if L1 hasn't requested 'descriptor table exiting'. + +Fixes: 07721feee46b ("KVM: nVMX: Don't emulate instructions in guest mode") +Reported-by: Jan Kiszka +Cc: stable@vger.kernel.org +Cc: Paolo Bonzini +Cc: Jim Mattson +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -12370,6 +12370,7 @@ static int vmx_check_intercept_io(struct + else + intercept = nested_vmx_check_io_bitmaps(vcpu, port, size); + ++ /* FIXME: produce nested vmexit and return X86EMUL_INTERCEPTED. */ + return intercept ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; + } + +@@ -12399,6 +12400,20 @@ static int vmx_check_intercept(struct kv + case x86_intercept_outs: + return vmx_check_intercept_io(vcpu, info); + ++ case x86_intercept_lgdt: ++ case x86_intercept_lidt: ++ case x86_intercept_lldt: ++ case x86_intercept_ltr: ++ case x86_intercept_sgdt: ++ case x86_intercept_sidt: ++ case x86_intercept_sldt: ++ case x86_intercept_str: ++ if (!nested_cpu_has2(vmcs12, SECONDARY_EXEC_DESC)) ++ return X86EMUL_CONTINUE; ++ ++ /* FIXME: produce nested vmexit and return X86EMUL_INTERCEPTED. */ ++ break; ++ + /* TODO: check more intercepts... */ + default: + break; diff --git a/queue-4.14/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch b/queue-4.14/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch new file mode 100644 index 00000000000..82e39f65e0c --- /dev/null +++ b/queue-4.14/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch @@ -0,0 +1,54 @@ +From 66d0e797bf095d407479c89952d42b1d96ef0a7f Mon Sep 17 00:00:00 2001 +From: Orson Zhai +Date: Fri, 21 Feb 2020 01:37:04 +0800 +Subject: Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" + +From: Orson Zhai + +commit 66d0e797bf095d407479c89952d42b1d96ef0a7f upstream. + +This reverts commit 4585fbcb5331fc910b7e553ad3efd0dd7b320d14. + +The name changing as devfreq(X) breaks some user space applications, +such as Android HAL from Unisoc and Hikey [1]. +The device name will be changed unexpectly after every boot depending +on module init sequence. It will make trouble to setup some system +configuration like selinux for Android. + +So we'd like to revert it back to old naming rule before any better +way being found. + +[1] https://lkml.org/lkml/2018/5/8/1042 + +Cc: John Stultz +Cc: Greg Kroah-Hartman +Cc: stable@vger.kernel.org +Signed-off-by: Orson Zhai +Acked-by: Greg Kroah-Hartman +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/devfreq/devfreq.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -513,7 +513,6 @@ struct devfreq *devfreq_add_device(struc + { + struct devfreq *devfreq; + struct devfreq_governor *governor; +- static atomic_t devfreq_no = ATOMIC_INIT(-1); + int err = 0; + + if (!dev || !profile || !governor_name) { +@@ -556,8 +555,7 @@ struct devfreq *devfreq_add_device(struc + mutex_lock(&devfreq->lock); + } + +- dev_set_name(&devfreq->dev, "devfreq%d", +- atomic_inc_return(&devfreq_no)); ++ dev_set_name(&devfreq->dev, "%s", dev_name(dev)); + err = device_register(&devfreq->dev); + if (err) { + mutex_unlock(&devfreq->lock); diff --git a/queue-4.14/series b/queue-4.14/series index 082d21d22a4..177740a1d0f 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -33,3 +33,13 @@ ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch ipv6-fix-route-replacement-with-dev-only-route.patch qede-fix-race-between-rdma-destroy-workqueue-and-link-change-event.patch net-sched-correct-flower-port-blocking.patch +ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch +audit-fix-error-handling-in-audit_data_to_entry.patch +acpica-introduce-acpi_access_byte_width-macro.patch +acpi-watchdog-fix-gas-access_width-usage.patch +kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch +hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch +hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch +hid-core-increase-hid-report-buffer-size-to-8kib.patch +tracing-disable-trace_printk-on-post-poned-tests.patch +revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch diff --git a/queue-4.14/tracing-disable-trace_printk-on-post-poned-tests.patch b/queue-4.14/tracing-disable-trace_printk-on-post-poned-tests.patch new file mode 100644 index 00000000000..e312e1bac93 --- /dev/null +++ b/queue-4.14/tracing-disable-trace_printk-on-post-poned-tests.patch @@ -0,0 +1,51 @@ +From 78041c0c9e935d9ce4086feeff6c569ed88ddfd4 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 20 Feb 2020 15:38:01 -0500 +Subject: tracing: Disable trace_printk() on post poned tests + +From: Steven Rostedt (VMware) + +commit 78041c0c9e935d9ce4086feeff6c569ed88ddfd4 upstream. + +The tracing seftests checks various aspects of the tracing infrastructure, +and one is filtering. If trace_printk() is active during a self test, it can +cause the filtering to fail, which will disable that part of the trace. + +To keep the selftests from failing because of trace_printk() calls, +trace_printk() checks the variable tracing_selftest_running, and if set, it +does not write to the tracing buffer. + +As some tracers were registered earlier in boot, the selftest they triggered +would fail because not all the infrastructure was set up for the full +selftest. Thus, some of the tests were post poned to when their +infrastructure was ready (namely file system code). The postpone code did +not set the tracing_seftest_running variable, and could fail if a +trace_printk() was added and executed during their run. + +Cc: stable@vger.kernel.org +Fixes: 9afecfbb95198 ("tracing: Postpone tracer start-up tests till the system is more robust") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1543,6 +1543,7 @@ static __init int init_trace_selftests(v + + pr_info("Running postponed tracer tests:\n"); + ++ tracing_selftest_running = true; + list_for_each_entry_safe(p, n, &postponed_selftests, list) { + ret = run_tracer_selftest(p->type); + /* If the test fails, then warn and remove from available_tracers */ +@@ -1561,6 +1562,7 @@ static __init int init_trace_selftests(v + list_del(&p->list); + kfree(p); + } ++ tracing_selftest_running = false; + + out: + mutex_unlock(&trace_types_lock);