From: Greg Kroah-Hartman Date: Wed, 3 Aug 2016 05:24:34 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.14.75~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2bedb5c7afa0e9719da4f77b15758330b03c2cc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch cgroup-set-css-id-to-1-during-init.patch ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch input-elantech-add-more-ic-body-types-to-the-list.patch input-tsc200x-report-proper-input_dev-name.patch input-vmmouse-remove-port-reservation.patch input-wacom_w8001-ignore-invalid-pen-data-packets.patch input-wacom_w8001-w8001_max_length-should-be-13.patch input-xpad-fix-oops-when-attaching-an-unknown-xbox-one-gamepad.patch input-xpad-validate-usb-endpoint-count-during-probe.patch locks-use-file_inode.patch pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch power_supply-power_supply_read_temp-only-if-use_cnt-0.patch pvclock-add-cpu-barriers-to-get-correct-version-value.patch revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch --- diff --git a/queue-4.4/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch b/queue-4.4/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch new file mode 100644 index 00000000000..c4234d116e1 --- /dev/null +++ b/queue-4.4/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch @@ -0,0 +1,34 @@ +From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:44:20 -0400 +Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kangjie Lu + +commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 upstream. + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1247,6 +1247,7 @@ static void snd_timer_user_ccallback(str + tu->tstamp = *tstamp; + if ((tu->filter & (1 << event)) == 0 || !tu->tread) + return; ++ memset(&r1, 0, sizeof(r1)); + r1.event = event; + r1.tstamp = *tstamp; + r1.val = resolution; diff --git a/queue-4.4/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch b/queue-4.4/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch new file mode 100644 index 00000000000..6f0cdc139b6 --- /dev/null +++ b/queue-4.4/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch @@ -0,0 +1,34 @@ +From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:44:32 -0400 +Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kangjie Lu + +commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream. + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1282,6 +1282,7 @@ static void snd_timer_user_tinterrupt(st + } + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && + tu->last_resolution != resolution) { ++ memset(&r1, 0, sizeof(r1)); + r1.event = SNDRV_TIMER_EVENT_RESOLUTION; + r1.tstamp = tstamp; + r1.val = resolution; diff --git a/queue-4.4/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/queue-4.4/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch new file mode 100644 index 00000000000..01deaaedc3f --- /dev/null +++ b/queue-4.4/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch @@ -0,0 +1,34 @@ +From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:44:07 -0400 +Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kangjie Lu + +commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream. + +The stack object “tread” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1746,6 +1746,7 @@ static int snd_timer_user_params(struct + if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { + if (tu->tread) { + struct snd_timer_tread tread; ++ memset(&tread, 0, sizeof(tread)); + tread.event = SNDRV_TIMER_EVENT_EARLY; + tread.tstamp.tv_sec = 0; + tread.tstamp.tv_nsec = 0; diff --git a/queue-4.4/cgroup-set-css-id-to-1-during-init.patch b/queue-4.4/cgroup-set-css-id-to-1-during-init.patch new file mode 100644 index 00000000000..989e4d0f8aa --- /dev/null +++ b/queue-4.4/cgroup-set-css-id-to-1-during-init.patch @@ -0,0 +1,34 @@ +From 8fa3b8d689a54d6d04ff7803c724fb7aca6ce98e Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Thu, 26 May 2016 15:42:13 -0400 +Subject: cgroup: set css->id to -1 during init + +From: Tejun Heo + +commit 8fa3b8d689a54d6d04ff7803c724fb7aca6ce98e upstream. + +If percpu_ref initialization fails during css_create(), the free path +can end up trying to free css->id of zero. As ID 0 is unused, it +doesn't cause a critical breakage but it does trigger a warning +message. Fix it by setting css->id to -1 from init_and_link_css(). + +Signed-off-by: Tejun Heo +Cc: Wenwei Tao +Fixes: 01e586598b22 ("cgroup: release css->id after css_free") +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -4793,6 +4793,7 @@ static void init_and_link_css(struct cgr + memset(css, 0, sizeof(*css)); + css->cgroup = cgrp; + css->ss = ss; ++ css->id = -1; + INIT_LIST_HEAD(&css->sibling); + INIT_LIST_HEAD(&css->children); + css->serial_nr = css_serial_nr_next++; diff --git a/queue-4.4/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch b/queue-4.4/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch new file mode 100644 index 00000000000..497088cedda --- /dev/null +++ b/queue-4.4/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch @@ -0,0 +1,55 @@ +From f0fe970df3838c202ef6c07a4c2b36838ef0a88b Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Tue, 5 Jul 2016 17:32:30 -0400 +Subject: ecryptfs: don't allow mmap when the lower fs doesn't support it + +From: Jeff Mahoney + +commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream. + +There are legitimate reasons to disallow mmap on certain files, notably +in sysfs or procfs. We shouldn't emulate mmap support on file systems +that don't offer support natively. + +CVE-2016-1583 + +Signed-off-by: Jeff Mahoney +[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()] +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/file.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -170,6 +170,19 @@ out: + return rc; + } + ++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma) ++{ ++ struct file *lower_file = ecryptfs_file_to_lower(file); ++ /* ++ * Don't allow mmap on top of file systems that don't support it ++ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs ++ * allows recursive mounting, this will need to be extended. ++ */ ++ if (!lower_file->f_op->mmap) ++ return -ENODEV; ++ return generic_file_mmap(file, vma); ++} ++ + /** + * ecryptfs_open + * @inode: inode speciying file to open +@@ -364,7 +377,7 @@ const struct file_operations ecryptfs_ma + #ifdef CONFIG_COMPAT + .compat_ioctl = ecryptfs_compat_ioctl, + #endif +- .mmap = generic_file_mmap, ++ .mmap = ecryptfs_mmap, + .open = ecryptfs_open, + .flush = ecryptfs_flush, + .release = ecryptfs_release, diff --git a/queue-4.4/input-elantech-add-more-ic-body-types-to-the-list.patch b/queue-4.4/input-elantech-add-more-ic-body-types-to-the-list.patch new file mode 100644 index 00000000000..ab0222840ae --- /dev/null +++ b/queue-4.4/input-elantech-add-more-ic-body-types-to-the-list.patch @@ -0,0 +1,39 @@ +From 226ba707744a51acb4244724e09caacb1d96aed9 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 21 Jun 2016 16:09:00 -0700 +Subject: Input: elantech - add more IC body types to the list + +From: Dmitry Torokhov + +commit 226ba707744a51acb4244724e09caacb1d96aed9 upstream. + +The touchpad in HP Pavilion 14-ab057ca reports it's version as 12 and +according to Elan both 11 and 12 are valid IC types and should be +identified as hw_version 4. + +Reported-by: Patrick Lessard +Tested-by: Patrick Lessard +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elantech.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1568,13 +1568,7 @@ static int elantech_set_properties(struc + case 5: + etd->hw_version = 3; + break; +- case 6: +- case 7: +- case 8: +- case 9: +- case 10: +- case 13: +- case 14: ++ case 6 ... 14: + etd->hw_version = 4; + break; + default: diff --git a/queue-4.4/input-tsc200x-report-proper-input_dev-name.patch b/queue-4.4/input-tsc200x-report-proper-input_dev-name.patch new file mode 100644 index 00000000000..af5557cac26 --- /dev/null +++ b/queue-4.4/input-tsc200x-report-proper-input_dev-name.patch @@ -0,0 +1,122 @@ +From e9003c9cfaa17d26991688268b04244adb67ee2b Mon Sep 17 00:00:00 2001 +From: Michael Welling +Date: Wed, 20 Jul 2016 10:02:07 -0700 +Subject: Input: tsc200x - report proper input_dev name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Welling + +commit e9003c9cfaa17d26991688268b04244adb67ee2b upstream. + +Passes input_id struct to the common probe function for the tsc200x drivers +instead of just the bustype. + +This allows for the use of the product variable to set the input_dev->name +variable according to the type of touchscreen used. Note that when we +introduced support for TSC2004 we started calling everything TSC200X, so +let's keep this quirk. + +Signed-off-by: Michael Welling +Acked-by: Pavel Machek +Acked-by: Pali Rohár +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/tsc2004.c | 7 ++++++- + drivers/input/touchscreen/tsc2005.c | 7 ++++++- + drivers/input/touchscreen/tsc200x-core.c | 15 ++++++++++++--- + drivers/input/touchscreen/tsc200x-core.h | 2 +- + 4 files changed, 25 insertions(+), 6 deletions(-) + +--- a/drivers/input/touchscreen/tsc2004.c ++++ b/drivers/input/touchscreen/tsc2004.c +@@ -22,6 +22,11 @@ + #include + #include "tsc200x-core.h" + ++static const struct input_id tsc2004_input_id = { ++ .bustype = BUS_I2C, ++ .product = 2004, ++}; ++ + static int tsc2004_cmd(struct device *dev, u8 cmd) + { + u8 tx = TSC200X_CMD | TSC200X_CMD_12BIT | cmd; +@@ -42,7 +47,7 @@ static int tsc2004_probe(struct i2c_clie + const struct i2c_device_id *id) + + { +- return tsc200x_probe(&i2c->dev, i2c->irq, BUS_I2C, ++ return tsc200x_probe(&i2c->dev, i2c->irq, &tsc2004_input_id, + devm_regmap_init_i2c(i2c, &tsc200x_regmap_config), + tsc2004_cmd); + } +--- a/drivers/input/touchscreen/tsc2005.c ++++ b/drivers/input/touchscreen/tsc2005.c +@@ -24,6 +24,11 @@ + #include + #include "tsc200x-core.h" + ++static const struct input_id tsc2005_input_id = { ++ .bustype = BUS_SPI, ++ .product = 2005, ++}; ++ + static int tsc2005_cmd(struct device *dev, u8 cmd) + { + u8 tx = TSC200X_CMD | TSC200X_CMD_12BIT | cmd; +@@ -62,7 +67,7 @@ static int tsc2005_probe(struct spi_devi + if (error) + return error; + +- return tsc200x_probe(&spi->dev, spi->irq, BUS_SPI, ++ return tsc200x_probe(&spi->dev, spi->irq, &tsc2005_input_id, + devm_regmap_init_spi(spi, &tsc200x_regmap_config), + tsc2005_cmd); + } +--- a/drivers/input/touchscreen/tsc200x-core.c ++++ b/drivers/input/touchscreen/tsc200x-core.c +@@ -450,7 +450,7 @@ static void tsc200x_close(struct input_d + mutex_unlock(&ts->mutex); + } + +-int tsc200x_probe(struct device *dev, int irq, __u16 bustype, ++int tsc200x_probe(struct device *dev, int irq, const struct input_id *tsc_id, + struct regmap *regmap, + int (*tsc200x_cmd)(struct device *dev, u8 cmd)) + { +@@ -547,9 +547,18 @@ int tsc200x_probe(struct device *dev, in + snprintf(ts->phys, sizeof(ts->phys), + "%s/input-ts", dev_name(dev)); + +- input_dev->name = "TSC200X touchscreen"; ++ if (tsc_id->product == 2004) { ++ input_dev->name = "TSC200X touchscreen"; ++ } else { ++ input_dev->name = devm_kasprintf(dev, GFP_KERNEL, ++ "TSC%04d touchscreen", ++ tsc_id->product); ++ if (!input_dev->name) ++ return -ENOMEM; ++ } ++ + input_dev->phys = ts->phys; +- input_dev->id.bustype = bustype; ++ input_dev->id = *tsc_id; + input_dev->dev.parent = dev; + input_dev->evbit[0] = BIT(EV_ABS) | BIT(EV_KEY); + input_dev->keybit[BIT_WORD(BTN_TOUCH)] = BIT_MASK(BTN_TOUCH); +--- a/drivers/input/touchscreen/tsc200x-core.h ++++ b/drivers/input/touchscreen/tsc200x-core.h +@@ -70,7 +70,7 @@ + extern const struct regmap_config tsc200x_regmap_config; + extern const struct dev_pm_ops tsc200x_pm_ops; + +-int tsc200x_probe(struct device *dev, int irq, __u16 bustype, ++int tsc200x_probe(struct device *dev, int irq, const struct input_id *tsc_id, + struct regmap *regmap, + int (*tsc200x_cmd)(struct device *dev, u8 cmd)); + int tsc200x_remove(struct device *dev); diff --git a/queue-4.4/input-vmmouse-remove-port-reservation.patch b/queue-4.4/input-vmmouse-remove-port-reservation.patch new file mode 100644 index 00000000000..c4fdc896b92 --- /dev/null +++ b/queue-4.4/input-vmmouse-remove-port-reservation.patch @@ -0,0 +1,97 @@ +From 60842ef8128e7bf58c024814cd0dc14319232b6c Mon Sep 17 00:00:00 2001 +From: Sinclair Yeh +Date: Thu, 23 Jun 2016 17:37:34 -0700 +Subject: Input: vmmouse - remove port reservation + +From: Sinclair Yeh + +commit 60842ef8128e7bf58c024814cd0dc14319232b6c upstream. + +The VMWare EFI BIOS will expose port 0x5658 as an ACPI resource. This +causes the port to be reserved by the APCI module as the system comes up, +making it unavailable to be reserved again by other drivers, thus +preserving this VMWare port for special use in a VMWare guest. + +This port is designed to be shared among multiple VMWare services, such as +the VMMOUSE. Because of this, VMMOUSE should not try to reserve this port +on its own. + +The VMWare non-EFI BIOS does not do this to preserve compatibility with +existing/legacy VMs. It is known that there is small chance a VM may be +configured such that these ports get reserved by other non-VMWare devices, +and if this ever happens, the result is undefined. + +Signed-off-by: Sinclair Yeh +Reviewed-by: Thomas Hellstrom +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/vmmouse.c | 22 ++-------------------- + 1 file changed, 2 insertions(+), 20 deletions(-) + +--- a/drivers/input/mouse/vmmouse.c ++++ b/drivers/input/mouse/vmmouse.c +@@ -355,18 +355,11 @@ int vmmouse_detect(struct psmouse *psmou + return -ENXIO; + } + +- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) { +- psmouse_dbg(psmouse, "VMMouse port in use.\n"); +- return -EBUSY; +- } +- + /* Check if the device is present */ + response = ~VMMOUSE_PROTO_MAGIC; + VMMOUSE_CMD(GETVERSION, 0, version, response, dummy1, dummy2); +- if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU) { +- release_region(VMMOUSE_PROTO_PORT, 4); ++ if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU) + return -ENXIO; +- } + + if (set_properties) { + psmouse->vendor = VMMOUSE_VENDOR; +@@ -374,8 +367,6 @@ int vmmouse_detect(struct psmouse *psmou + psmouse->model = version; + } + +- release_region(VMMOUSE_PROTO_PORT, 4); +- + return 0; + } + +@@ -394,7 +385,6 @@ static void vmmouse_disconnect(struct ps + psmouse_reset(psmouse); + input_unregister_device(priv->abs_dev); + kfree(priv); +- release_region(VMMOUSE_PROTO_PORT, 4); + } + + /** +@@ -438,15 +428,10 @@ int vmmouse_init(struct psmouse *psmouse + struct input_dev *rel_dev = psmouse->dev, *abs_dev; + int error; + +- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) { +- psmouse_dbg(psmouse, "VMMouse port in use.\n"); +- return -EBUSY; +- } +- + psmouse_reset(psmouse); + error = vmmouse_enable(psmouse); + if (error) +- goto release_region; ++ return error; + + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + abs_dev = input_allocate_device(); +@@ -502,8 +487,5 @@ init_fail: + kfree(priv); + psmouse->private = NULL; + +-release_region: +- release_region(VMMOUSE_PROTO_PORT, 4); +- + return error; + } diff --git a/queue-4.4/input-wacom_w8001-ignore-invalid-pen-data-packets.patch b/queue-4.4/input-wacom_w8001-ignore-invalid-pen-data-packets.patch new file mode 100644 index 00000000000..191973c15e7 --- /dev/null +++ b/queue-4.4/input-wacom_w8001-ignore-invalid-pen-data-packets.patch @@ -0,0 +1,41 @@ +From 9e72ac7492149a229ce9039c680849cb682d7092 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Thu, 23 Jun 2016 10:55:11 -0700 +Subject: Input: wacom_w8001 - ignore invalid pen data packets + +From: Ping Cheng + +commit 9e72ac7492149a229ce9039c680849cb682d7092 upstream. + +ThinkPad X60 Tablet PC (pen only device) sometime posts +packets that are larger than W8001_PKTLEN_TPCPEN. + +Reported-by: Chris J Arges +Tested-by: Chris J Arges +Signed-off-by: Ping Cheng +Reviewed-by: Peter Hutterer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/wacom_w8001.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/input/touchscreen/wacom_w8001.c ++++ b/drivers/input/touchscreen/wacom_w8001.c +@@ -342,6 +342,15 @@ static irqreturn_t w8001_interrupt(struc + w8001->idx = 0; + parse_multi_touch(w8001); + break; ++ ++ default: ++ /* ++ * ThinkPad X60 Tablet PC (pen only device) sometimes ++ * sends invalid data packets that are larger than ++ * W8001_PKTLEN_TPCPEN. Let's start over again. ++ */ ++ if (!w8001->touch_dev && w8001->idx > W8001_PKTLEN_TPCPEN - 1) ++ w8001->idx = 0; + } + + return IRQ_HANDLED; diff --git a/queue-4.4/input-wacom_w8001-w8001_max_length-should-be-13.patch b/queue-4.4/input-wacom_w8001-w8001_max_length-should-be-13.patch new file mode 100644 index 00000000000..c134360146b --- /dev/null +++ b/queue-4.4/input-wacom_w8001-w8001_max_length-should-be-13.patch @@ -0,0 +1,32 @@ +From 12afb34400eb2b301f06b2aa3535497d14faee59 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Thu, 23 Jun 2016 10:54:17 -0700 +Subject: Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 + +From: Ping Cheng + +commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream. + +Somehow the patch that added two-finger touch support forgot to update +W8001_MAX_LENGTH from 11 to 13. + +Signed-off-by: Ping Cheng +Reviewed-by: Peter Hutterer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/wacom_w8001.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/wacom_w8001.c ++++ b/drivers/input/touchscreen/wacom_w8001.c +@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar +Date: Thu, 23 Jun 2016 10:24:42 -0700 +Subject: Input: xpad - fix oops when attaching an unknown Xbox One gamepad + +From: Cameron Gutman + +commit c7f1429389ec1aa25e042bb13451385fbb596f8c upstream. + +Xbox One controllers have multiple interfaces which all have the +same class, subclass, and protocol. One of the these interfaces +has only a single endpoint. When Xpad attempts to bind to this +interface, it causes an oops when trying initialize the output URB +by trying to access the second endpoint's descriptor. + +This situation was avoided for known Xbox One devices by checking +the XTYPE constant associated with the VID and PID tuple. However, +this breaks when new or previously unknown Xbox One controllers +are attached to the system. + +This change addresses the problem by deriving the XTYPE for Xbox +One controllers based on the interface protocol before checking +the interface number. + +Fixes: 1a48ff81b391 ("Input: xpad - add support for Xbox One controllers") +Signed-off-by: Cameron Gutman +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/xpad.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -1206,16 +1206,6 @@ static int xpad_probe(struct usb_interfa + break; + } + +- if (xpad_device[i].xtype == XTYPE_XBOXONE && +- intf->cur_altsetting->desc.bInterfaceNumber != 0) { +- /* +- * The Xbox One controller lists three interfaces all with the +- * same interface class, subclass and protocol. Differentiate by +- * interface number. +- */ +- return -ENODEV; +- } +- + xpad = kzalloc(sizeof(struct usb_xpad), GFP_KERNEL); + if (!xpad) + return -ENOMEM; +@@ -1246,6 +1236,8 @@ static int xpad_probe(struct usb_interfa + if (intf->cur_altsetting->desc.bInterfaceClass == USB_CLASS_VENDOR_SPEC) { + if (intf->cur_altsetting->desc.bInterfaceProtocol == 129) + xpad->xtype = XTYPE_XBOX360W; ++ else if (intf->cur_altsetting->desc.bInterfaceProtocol == 208) ++ xpad->xtype = XTYPE_XBOXONE; + else + xpad->xtype = XTYPE_XBOX360; + } else { +@@ -1260,6 +1252,17 @@ static int xpad_probe(struct usb_interfa + xpad->mapping |= MAP_STICKS_TO_NULL; + } + ++ if (xpad->xtype == XTYPE_XBOXONE && ++ intf->cur_altsetting->desc.bInterfaceNumber != 0) { ++ /* ++ * The Xbox One controller lists three interfaces all with the ++ * same interface class, subclass and protocol. Differentiate by ++ * interface number. ++ */ ++ error = -ENODEV; ++ goto err_free_in_urb; ++ } ++ + error = xpad_init_output(intf, xpad); + if (error) + goto err_free_in_urb; diff --git a/queue-4.4/input-xpad-validate-usb-endpoint-count-during-probe.patch b/queue-4.4/input-xpad-validate-usb-endpoint-count-during-probe.patch new file mode 100644 index 00000000000..067e951c4b2 --- /dev/null +++ b/queue-4.4/input-xpad-validate-usb-endpoint-count-during-probe.patch @@ -0,0 +1,31 @@ +From caca925fca4fb30c67be88cacbe908eec6721e43 Mon Sep 17 00:00:00 2001 +From: Cameron Gutman +Date: Wed, 29 Jun 2016 09:51:35 -0700 +Subject: Input: xpad - validate USB endpoint count during probe + +From: Cameron Gutman + +commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream. + +This prevents a malicious USB device from causing an oops. + +Signed-off-by: Cameron Gutman +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/xpad.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -1200,6 +1200,9 @@ static int xpad_probe(struct usb_interfa + int ep_irq_in_idx; + int i, error; + ++ if (intf->cur_altsetting->desc.bNumEndpoints != 2) ++ return -ENODEV; ++ + for (i = 0; xpad_device[i].idVendor; i++) { + if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) && + (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct)) diff --git a/queue-4.4/locks-use-file_inode.patch b/queue-4.4/locks-use-file_inode.patch new file mode 100644 index 00000000000..7b072ffb088 --- /dev/null +++ b/queue-4.4/locks-use-file_inode.patch @@ -0,0 +1,45 @@ +From 6343a2120862f7023006c8091ad95c1f16a32077 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 1 Jul 2016 14:56:07 +0200 +Subject: locks: use file_inode() + +From: Miklos Szeredi + +commit 6343a2120862f7023006c8091ad95c1f16a32077 upstream. + +(Another one for the f_path debacle.) + +ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask. + +The reason is that generic_add_lease() used filp->f_path.dentry->inode +while all the others use file_inode(). This makes a difference for files +opened on overlayfs since the former will point to the overlay inode the +latter to the underlying inode. + +So generic_add_lease() added the lease to the overlay inode and +generic_delete_lease() removed it from the underlying inode. When the file +was released the lease remained on the overlay inode's lock list, resulting +in use after free. + +Reported-by: Eryu Guan +Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay") +Signed-off-by: Miklos Szeredi +Reviewed-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/locks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -1602,7 +1602,7 @@ generic_add_lease(struct file *filp, lon + { + struct file_lock *fl, *my_fl = NULL, *lease; + struct dentry *dentry = filp->f_path.dentry; +- struct inode *inode = dentry->d_inode; ++ struct inode *inode = file_inode(filp); + struct file_lock_context *ctx; + bool is_deleg = (*flp)->fl_flags & FL_DELEG; + int error; diff --git a/queue-4.4/pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch b/queue-4.4/pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch new file mode 100644 index 00000000000..62f54c4f75b --- /dev/null +++ b/queue-4.4/pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch @@ -0,0 +1,35 @@ +From ba562d5e54fd3136bfea0457add3675850247774 Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Wed, 1 Jun 2016 22:21:53 +0300 +Subject: pinctrl: imx: Do not treat a PIN without MUX register as an error + +From: Alexander Shiyan + +commit ba562d5e54fd3136bfea0457add3675850247774 upstream. + +Some PINs do not have a MUX register, it is not an error. +It is necessary to allow the continuation of the PINs configuration, +otherwise the whole PIN-group will be configured incorrectly. + +Signed-off-by: Alexander Shiyan +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/freescale/pinctrl-imx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/freescale/pinctrl-imx.c ++++ b/drivers/pinctrl/freescale/pinctrl-imx.c +@@ -207,9 +207,9 @@ static int imx_pmx_set(struct pinctrl_de + pin_reg = &info->pin_regs[pin_id]; + + if (pin_reg->mux_reg == -1) { +- dev_err(ipctl->dev, "Pin(%s) does not support mux function\n", ++ dev_dbg(ipctl->dev, "Pin(%s) does not support mux function\n", + info->pins[pin_id].name); +- return -EINVAL; ++ continue; + } + + if (info->flags & SHARE_MUX_CONF_REG) { diff --git a/queue-4.4/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch b/queue-4.4/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch new file mode 100644 index 00000000000..d323ff879d9 --- /dev/null +++ b/queue-4.4/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch @@ -0,0 +1,37 @@ +From 0ac3c0a4025f41748a083bdd4970cb3ede802b15 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 31 May 2016 14:17:06 -0700 +Subject: pinctrl: single: Fix missing flush of posted write for a wakeirq + +From: Tony Lindgren + +commit 0ac3c0a4025f41748a083bdd4970cb3ede802b15 upstream. + +With many repeated suspend resume cycles, the pin specific wakeirq +may not always work on omaps. This is because the write to enable the +pin interrupt may not have reached the device over the interconnect +before suspend happens. + +Let's fix the issue with a flush of posted write with a readback. + +Reported-by: Nishanth Menon +Signed-off-by: Tony Lindgren +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/pinctrl-single.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1576,6 +1576,9 @@ static inline void pcs_irq_set(struct pc + else + mask &= ~soc_mask; + pcs->write(mask, pcswi->reg); ++ ++ /* flush posted write */ ++ mask = pcs->read(pcswi->reg); + raw_spin_unlock(&pcs->lock); + } + diff --git a/queue-4.4/power_supply-power_supply_read_temp-only-if-use_cnt-0.patch b/queue-4.4/power_supply-power_supply_read_temp-only-if-use_cnt-0.patch new file mode 100644 index 00000000000..ea8fdf553a9 --- /dev/null +++ b/queue-4.4/power_supply-power_supply_read_temp-only-if-use_cnt-0.patch @@ -0,0 +1,104 @@ +From 5bc28b93a36e3cb3acc2870fb75cb6ffb182fece Mon Sep 17 00:00:00 2001 +From: Rhyland Klein +Date: Thu, 9 Jun 2016 17:28:39 -0400 +Subject: power_supply: power_supply_read_temp only if use_cnt > 0 + +From: Rhyland Klein + +commit 5bc28b93a36e3cb3acc2870fb75cb6ffb182fece upstream. + +Change power_supply_read_temp() to use power_supply_get_property() +so that it will check the use_cnt and ensure it is > 0. The use_cnt +will be incremented at the end of __power_supply_register, so this +will block to case where get_property can be called before the supply +is fully registered. This fixes the issue show in the stack below: + +[ 1.452598] power_supply_read_temp+0x78/0x80 +[ 1.458680] thermal_zone_get_temp+0x5c/0x11c +[ 1.464765] thermal_zone_device_update+0x34/0xb4 +[ 1.471195] thermal_zone_device_register+0x87c/0x8cc +[ 1.477974] __power_supply_register+0x364/0x424 +[ 1.484317] power_supply_register_no_ws+0x10/0x18 +[ 1.490833] bq27xxx_battery_setup+0x10c/0x164 +[ 1.497003] bq27xxx_battery_i2c_probe+0xd0/0x1b0 +[ 1.503435] i2c_device_probe+0x174/0x240 +[ 1.509172] driver_probe_device+0x1fc/0x29c +[ 1.515167] __driver_attach+0xa4/0xa8 +[ 1.520643] bus_for_each_dev+0x58/0x98 +[ 1.526204] driver_attach+0x20/0x28 +[ 1.531505] bus_add_driver+0x1c8/0x22c +[ 1.537067] driver_register+0x68/0x108 +[ 1.542630] i2c_register_driver+0x38/0x7c +[ 1.548457] bq27xxx_battery_i2c_driver_init+0x18/0x20 +[ 1.555321] do_one_initcall+0x38/0x12c +[ 1.560886] kernel_init_freeable+0x148/0x1ec +[ 1.566972] kernel_init+0x10/0xfc +[ 1.572101] ret_from_fork+0x10/0x40 + +Also make the same change to ps_get_max_charge_cntl_limit() and +ps_get_cur_chrage_cntl_limit() to be safe. Lastly, change the return +value of power_supply_get_property() to -EAGAIN from -ENODEV if +use_cnt <= 0. + +Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") +Signed-off-by: Rhyland Klein +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/power_supply_core.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/drivers/power/power_supply_core.c ++++ b/drivers/power/power_supply_core.c +@@ -565,11 +565,12 @@ static int power_supply_read_temp(struct + + WARN_ON(tzd == NULL); + psy = tzd->devdata; +- ret = psy->desc->get_property(psy, POWER_SUPPLY_PROP_TEMP, &val); ++ ret = power_supply_get_property(psy, POWER_SUPPLY_PROP_TEMP, &val); ++ if (ret) ++ return ret; + + /* Convert tenths of degree Celsius to milli degree Celsius. */ +- if (!ret) +- *temp = val.intval * 100; ++ *temp = val.intval * 100; + + return ret; + } +@@ -612,10 +613,12 @@ static int ps_get_max_charge_cntl_limit( + int ret; + + psy = tcd->devdata; +- ret = psy->desc->get_property(psy, +- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, &val); +- if (!ret) +- *state = val.intval; ++ ret = power_supply_get_property(psy, ++ POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, &val); ++ if (ret) ++ return ret; ++ ++ *state = val.intval; + + return ret; + } +@@ -628,10 +631,12 @@ static int ps_get_cur_chrage_cntl_limit( + int ret; + + psy = tcd->devdata; +- ret = psy->desc->get_property(psy, +- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, &val); +- if (!ret) +- *state = val.intval; ++ ret = power_supply_get_property(psy, ++ POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, &val); ++ if (ret) ++ return ret; ++ ++ *state = val.intval; + + return ret; + } diff --git a/queue-4.4/pvclock-add-cpu-barriers-to-get-correct-version-value.patch b/queue-4.4/pvclock-add-cpu-barriers-to-get-correct-version-value.patch new file mode 100644 index 00000000000..ab05d31485f --- /dev/null +++ b/queue-4.4/pvclock-add-cpu-barriers-to-get-correct-version-value.patch @@ -0,0 +1,59 @@ +From 749d088b8e7f4b9826ede02b9a043e417fa84aa1 Mon Sep 17 00:00:00 2001 +From: Minfei Huang +Date: Fri, 27 May 2016 14:17:10 +0800 +Subject: pvclock: Add CPU barriers to get correct version value + +From: Minfei Huang + +commit 749d088b8e7f4b9826ede02b9a043e417fa84aa1 upstream. + +Protocol for the "version" fields is: hypervisor raises it (making it +uneven) before it starts updating the fields and raises it again (making +it even) when it is done. Thus the guest can make sure the time values +it got are consistent by checking the version before and after reading +them. + +Add CPU barries after getting version value just like what function +vread_pvclock does, because all of callees in this function is inline. + +Fixes: 502dfeff239e8313bfbe906ca0a1a6827ac8481b +Signed-off-by: Minfei Huang +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/pvclock.h | 2 ++ + arch/x86/kernel/pvclock.c | 4 ++++ + 2 files changed, 6 insertions(+) + +--- a/arch/x86/include/asm/pvclock.h ++++ b/arch/x86/include/asm/pvclock.h +@@ -76,6 +76,8 @@ unsigned __pvclock_read_cycles(const str + u8 ret_flags; + + version = src->version; ++ /* Make the latest version visible */ ++ smp_rmb(); + + offset = pvclock_get_nsec_offset(src); + ret = src->system_time + offset; +--- a/arch/x86/kernel/pvclock.c ++++ b/arch/x86/kernel/pvclock.c +@@ -66,6 +66,8 @@ u8 pvclock_read_flags(struct pvclock_vcp + + do { + version = __pvclock_read_cycles(src, &ret, &flags); ++ /* Make sure that the version double-check is last. */ ++ smp_rmb(); + } while ((src->version & 1) || version != src->version); + + return flags & valid_flags; +@@ -80,6 +82,8 @@ cycle_t pvclock_clocksource_read(struct + + do { + version = __pvclock_read_cycles(src, &ret, &flags); ++ /* Make sure that the version double-check is last. */ ++ smp_rmb(); + } while ((src->version & 1) || version != src->version); + + if (unlikely((flags & PVCLOCK_GUEST_STOPPED) != 0)) { diff --git a/queue-4.4/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch b/queue-4.4/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch new file mode 100644 index 00000000000..a3503590463 --- /dev/null +++ b/queue-4.4/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch @@ -0,0 +1,61 @@ +From 78c4e172412de5d0456dc00d2b34050aa0b683b5 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Tue, 5 Jul 2016 17:32:29 -0400 +Subject: Revert "ecryptfs: forbid opening files without mmap handler" + +From: Jeff Mahoney + +commit 78c4e172412de5d0456dc00d2b34050aa0b683b5 upstream. + +This reverts commit 2f36db71009304b3f0b95afacd8eba1f9f046b87. + +It fixed a local root exploit but also introduced a dependency on +the lower file system implementing an mmap operation just to open a file, +which is a bit of a heavy hammer. The right fix is to have mmap depend +on the existence of the mmap handler instead. + +Signed-off-by: Jeff Mahoney +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/kthread.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +--- a/fs/ecryptfs/kthread.c ++++ b/fs/ecryptfs/kthread.c +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include "ecryptfs_kernel.h" + + struct ecryptfs_open_req { +@@ -148,7 +147,7 @@ int ecryptfs_privileged_open(struct file + flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR; + (*lower_file) = dentry_open(&req.path, flags, cred); + if (!IS_ERR(*lower_file)) +- goto have_file; ++ goto out; + if ((flags & O_ACCMODE) == O_RDONLY) { + rc = PTR_ERR((*lower_file)); + goto out; +@@ -166,16 +165,8 @@ int ecryptfs_privileged_open(struct file + mutex_unlock(&ecryptfs_kthread_ctl.mux); + wake_up(&ecryptfs_kthread_ctl.wait); + wait_for_completion(&req.done); +- if (IS_ERR(*lower_file)) { ++ if (IS_ERR(*lower_file)) + rc = PTR_ERR(*lower_file); +- goto out; +- } +-have_file: +- if ((*lower_file)->f_op->mmap == NULL) { +- fput(*lower_file); +- *lower_file = NULL; +- rc = -EMEDIUMTYPE; +- } + out: + return rc; + } diff --git a/queue-4.4/series b/queue-4.4/series index 956f19610e7..7bcf80944bc 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -20,3 +20,21 @@ arc-unwind-ensure-that-.debug_frame-is-generated-vs.-.eh_frame.patch xen-pciback-fix-conf_space-read-write-overlap-check.patch xenbus-don-t-bug-on-user-mode-induced-condition.patch xenbus-don-t-bail-early-from-xenbus_dev_request_and_reply.patch +alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch +alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch +alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch +input-vmmouse-remove-port-reservation.patch +input-elantech-add-more-ic-body-types-to-the-list.patch +input-xpad-fix-oops-when-attaching-an-unknown-xbox-one-gamepad.patch +input-wacom_w8001-w8001_max_length-should-be-13.patch +input-wacom_w8001-ignore-invalid-pen-data-packets.patch +input-xpad-validate-usb-endpoint-count-during-probe.patch +input-tsc200x-report-proper-input_dev-name.patch +pvclock-add-cpu-barriers-to-get-correct-version-value.patch +pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch +pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch +cgroup-set-css-id-to-1-during-init.patch +power_supply-power_supply_read_temp-only-if-use_cnt-0.patch +locks-use-file_inode.patch +revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch +ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch