From: Greg Kroah-Hartman Date: Sat, 2 Apr 2022 09:16:17 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.275~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df77bc6cc0e9b7a8da2f0ac9f3e0ec8b43af3839;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch alsa-hda-avoid-unsol-event-during-rpm-suspending.patch alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch revert-input-clear-btn_right-middle-on-buttonpads.patch riscv-fix-fill_callchain-return-value.patch riscv-increase-stack-size-under-kasan.patch --- diff --git a/queue-5.10/alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch b/queue-5.10/alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch new file mode 100644 index 00000000000..182914cbcac --- /dev/null +++ b/queue-5.10/alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch @@ -0,0 +1,57 @@ +From 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Sun, 27 Mar 2022 14:08:22 +0800 +Subject: ALSA: cs4236: fix an incorrect NULL check on list iterator + +From: Xiaomeng Tong + +commit 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 upstream. + +The bug is here: + err = snd_card_cs423x_pnp(dev, card->private_data, pdev, cdev); + +The list iterator value 'cdev' will *always* be set and non-NULL +by list_for_each_entry(), so it is incorrect to assume that the +iterator value will be NULL if the list is empty or no element +is found. + +To fix the bug, use a new variable 'iter' as the list iterator, +while use the original variable 'cdev' as a dedicated pointer +to point to the found element. And snd_card_cs423x_pnp() itself +has NULL check for cdev. + +Cc: stable@vger.kernel.org +Fixes: c2b73d1458014 ("ALSA: cs4236: cs4232 and cs4236 driver merge to solve PnP BIOS detection") +Signed-off-by: Xiaomeng Tong +Link: https://lore.kernel.org/r/20220327060822.4735-1-xiam0nd.tong@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/cs423x/cs4236.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/sound/isa/cs423x/cs4236.c ++++ b/sound/isa/cs423x/cs4236.c +@@ -544,7 +544,7 @@ static int snd_cs423x_pnpbios_detect(str + static int dev; + int err; + struct snd_card *card; +- struct pnp_dev *cdev; ++ struct pnp_dev *cdev, *iter; + char cid[PNP_ID_LEN]; + + if (pnp_device_is_isapnp(pdev)) +@@ -560,9 +560,11 @@ static int snd_cs423x_pnpbios_detect(str + strcpy(cid, pdev->id[0].id); + cid[5] = '1'; + cdev = NULL; +- list_for_each_entry(cdev, &(pdev->protocol->devices), protocol_list) { +- if (!strcmp(cdev->id[0].id, cid)) ++ list_for_each_entry(iter, &(pdev->protocol->devices), protocol_list) { ++ if (!strcmp(iter->id[0].id, cid)) { ++ cdev = iter; + break; ++ } + } + err = snd_cs423x_card_new(&pdev->dev, dev, &card); + if (err < 0) diff --git a/queue-5.10/alsa-hda-avoid-unsol-event-during-rpm-suspending.patch b/queue-5.10/alsa-hda-avoid-unsol-event-during-rpm-suspending.patch new file mode 100644 index 00000000000..579a411eb66 --- /dev/null +++ b/queue-5.10/alsa-hda-avoid-unsol-event-during-rpm-suspending.patch @@ -0,0 +1,70 @@ +From 6ddc2f749621d5d45ca03edc9f0616bcda136d29 Mon Sep 17 00:00:00 2001 +From: Mohan Kumar +Date: Tue, 29 Mar 2022 21:29:40 +0530 +Subject: ALSA: hda: Avoid unsol event during RPM suspending + +From: Mohan Kumar + +commit 6ddc2f749621d5d45ca03edc9f0616bcda136d29 upstream. + +There is a corner case with unsol event handling during codec runtime +suspending state. When the codec runtime suspend call initiated, the +codec->in_pm atomic variable would be 0, currently the codec runtime +suspend function calls snd_hdac_enter_pm() which will just increments +the codec->in_pm atomic variable. Consider unsol event happened just +after this step and before snd_hdac_leave_pm() in the codec runtime +suspend function. The snd_hdac_power_up_pm() in the unsol event +flow in hdmi_present_sense_via_verbs() function would just increment +the codec->in_pm atomic variable without calling pm_runtime_get_sync +function. + +As codec runtime suspend flow is already in progress and in parallel +unsol event is also accessing the codec verbs, as soon as codec +suspend flow completes and clocks are switched off before completing +the unsol event handling as both functions doesn't wait for each other. +This will result in below errors + +[ 589.428020] tegra-hda 3510000.hda: azx_get_response timeout, switching +to polling mode: last cmd=0x505f2f57 +[ 589.428344] tegra-hda 3510000.hda: spurious response 0x80000074:0x5, +last cmd=0x505f2f57 +[ 589.428547] tegra-hda 3510000.hda: spurious response 0x80000065:0x5, +last cmd=0x505f2f57 + +To avoid this, the unsol event flow should not perform any codec verb +related operations during RPM_SUSPENDING state. + +Signed-off-by: Mohan Kumar +Cc: +Link: https://lore.kernel.org/r/20220329155940.26331-1-mkumard@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1608,6 +1608,7 @@ static void hdmi_present_sense_via_verbs + struct hda_codec *codec = per_pin->codec; + struct hdmi_spec *spec = codec->spec; + struct hdmi_eld *eld = &spec->temp_eld; ++ struct device *dev = hda_codec_dev(codec); + hda_nid_t pin_nid = per_pin->pin_nid; + int dev_id = per_pin->dev_id; + /* +@@ -1621,8 +1622,13 @@ static void hdmi_present_sense_via_verbs + int present; + int ret; + ++#ifdef CONFIG_PM ++ if (dev->power.runtime_status == RPM_SUSPENDING) ++ return; ++#endif ++ + ret = snd_hda_power_up_pm(codec); +- if (ret < 0 && pm_runtime_suspended(hda_codec_dev(codec))) ++ if (ret < 0 && pm_runtime_suspended(dev)) + goto out; + + present = snd_hda_jack_pin_sense(codec, pin_nid, dev_id); diff --git a/queue-5.10/alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch b/queue-5.10/alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch new file mode 100644 index 00000000000..91cc97adf8e --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch @@ -0,0 +1,45 @@ +From f30741cded62f87bb4b1cc58bc627f076abcaba8 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 30 Mar 2022 14:13:33 +0800 +Subject: ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020 + +From: Kai-Heng Feng + +commit f30741cded62f87bb4b1cc58bc627f076abcaba8 upstream. + +Commit 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording +issue") is to solve recording issue met on AL236, by matching codec +variant ALC269_TYPE_ALC257 and ALC269_TYPE_ALC256. + +This match can be too broad and Mi Notebook Pro 2020 is broken by the +patch. + +Instead, use codec ID to be narrow down the scope, in order to make +ALC256 unaffected. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215484 +Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Cc: +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20220330061335.1015533-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3615,8 +3615,8 @@ static void alc256_shutup(struct hda_cod + /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly + * when booting with headset plugged. So skip setting it for the codec alc257 + */ +- if (spec->codec_variant != ALC269_TYPE_ALC257 && +- spec->codec_variant != ALC269_TYPE_ALC256) ++ if (codec->core.vendor_id != 0x10ec0236 && ++ codec->core.vendor_id != 0x10ec0257) + alc_update_coef_idx(codec, 0x46, 0, 3 << 12); + + if (!spec->no_shutup_pins) diff --git a/queue-5.10/alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch b/queue-5.10/alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch new file mode 100644 index 00000000000..0a3d8fe5b50 --- /dev/null +++ b/queue-5.10/alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch @@ -0,0 +1,209 @@ +From bc55cfd5718c7c23e5524582e9fa70b4d10f2433 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 30 Mar 2022 14:09:03 +0200 +Subject: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock + +From: Takashi Iwai + +commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream. + +syzbot caught a potential deadlock between the PCM +runtime->buffer_mutex and the mm->mmap_lock. It was brought by the +recent fix to cover the racy read/write and other ioctls, and in that +commit, I overlooked a (hopefully only) corner case that may take the +revert lock, namely, the OSS mmap. The OSS mmap operation +exceptionally allows to re-configure the parameters inside the OSS +mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the +copy_from/to_user calls at read/write operations also take the +mm->mmap_lock internally, hence it may lead to a AB/BA deadlock. + +A similar problem was already seen in the past and we fixed it with a +refcount (in commit b248371628aa). The former fix covered only the +call paths with OSS read/write and OSS ioctls, while we need to cover +the concurrent access via both ALSA and OSS APIs now. + +This patch addresses the problem above by replacing the buffer_mutex +lock in the read/write operations with a refcount similar as we've +used for OSS. The new field, runtime->buffer_accessing, keeps the +number of concurrent read/write operations. Unlike the former +buffer_mutex protection, this protects only around the +copy_from/to_user() calls; the other codes are basically protected by +the PCM stream lock. The refcount can be a negative, meaning blocked +by the ioctls. If a negative value is seen, the read/write aborts +with -EBUSY. In the ioctl side, OTOH, they check this refcount, too, +and set to a negative value for blocking unless it's already being +accessed. + +Reported-by: syzbot+6e5c88838328e99c7e1c@syzkaller.appspotmail.com +Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes") +Cc: +Link: https://lore.kernel.org/r/000000000000381a0d05db622a81@google.com +Link: https://lore.kernel.org/r/20220330120903.4738-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/pcm.h | 1 + + sound/core/pcm.c | 1 + + sound/core/pcm_lib.c | 9 +++++---- + sound/core/pcm_native.c | 39 ++++++++++++++++++++++++++++++++------- + 4 files changed, 39 insertions(+), 11 deletions(-) + +--- a/include/sound/pcm.h ++++ b/include/sound/pcm.h +@@ -399,6 +399,7 @@ struct snd_pcm_runtime { + struct fasync_struct *fasync; + bool stop_operating; /* sync_stop will be called */ + struct mutex buffer_mutex; /* protect for buffer changes */ ++ atomic_t buffer_accessing; /* >0: in r/w operation, <0: blocked */ + + /* -- private section -- */ + void *private_data; +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -970,6 +970,7 @@ int snd_pcm_attach_substream(struct snd_ + + runtime->status->state = SNDRV_PCM_STATE_OPEN; + mutex_init(&runtime->buffer_mutex); ++ atomic_set(&runtime->buffer_accessing, 0); + + substream->runtime = runtime; + substream->private_data = pcm->private_data; +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -1871,11 +1871,9 @@ static int wait_for_avail(struct snd_pcm + if (avail >= runtime->twake) + break; + snd_pcm_stream_unlock_irq(substream); +- mutex_unlock(&runtime->buffer_mutex); + + tout = schedule_timeout(wait_time); + +- mutex_lock(&runtime->buffer_mutex); + snd_pcm_stream_lock_irq(substream); + set_current_state(TASK_INTERRUPTIBLE); + switch (runtime->status->state) { +@@ -2169,7 +2167,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + + nonblock = !!(substream->f_flags & O_NONBLOCK); + +- mutex_lock(&runtime->buffer_mutex); + snd_pcm_stream_lock_irq(substream); + err = pcm_accessible_state(runtime); + if (err < 0) +@@ -2224,10 +2221,15 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + err = -EINVAL; + goto _end_unlock; + } ++ if (!atomic_inc_unless_negative(&runtime->buffer_accessing)) { ++ err = -EBUSY; ++ goto _end_unlock; ++ } + snd_pcm_stream_unlock_irq(substream); + err = writer(substream, appl_ofs, data, offset, frames, + transfer); + snd_pcm_stream_lock_irq(substream); ++ atomic_dec(&runtime->buffer_accessing); + if (err < 0) + goto _end_unlock; + err = pcm_accessible_state(runtime); +@@ -2257,7 +2259,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + if (xfer > 0 && err >= 0) + snd_pcm_update_state(substream, runtime); + snd_pcm_stream_unlock_irq(substream); +- mutex_unlock(&runtime->buffer_mutex); + return xfer > 0 ? (snd_pcm_sframes_t)xfer : err; + } + EXPORT_SYMBOL(__snd_pcm_lib_xfer); +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -667,6 +667,24 @@ static int snd_pcm_hw_params_choose(stru + return 0; + } + ++/* acquire buffer_mutex; if it's in r/w operation, return -EBUSY, otherwise ++ * block the further r/w operations ++ */ ++static int snd_pcm_buffer_access_lock(struct snd_pcm_runtime *runtime) ++{ ++ if (!atomic_dec_unless_positive(&runtime->buffer_accessing)) ++ return -EBUSY; ++ mutex_lock(&runtime->buffer_mutex); ++ return 0; /* keep buffer_mutex, unlocked by below */ ++} ++ ++/* release buffer_mutex and clear r/w access flag */ ++static void snd_pcm_buffer_access_unlock(struct snd_pcm_runtime *runtime) ++{ ++ mutex_unlock(&runtime->buffer_mutex); ++ atomic_inc(&runtime->buffer_accessing); ++} ++ + #if IS_ENABLED(CONFIG_SND_PCM_OSS) + #define is_oss_stream(substream) ((substream)->oss.oss) + #else +@@ -677,14 +695,16 @@ static int snd_pcm_hw_params(struct snd_ + struct snd_pcm_hw_params *params) + { + struct snd_pcm_runtime *runtime; +- int err = 0, usecs; ++ int err, usecs; + unsigned int bits; + snd_pcm_uframes_t frames; + + if (PCM_RUNTIME_CHECK(substream)) + return -ENXIO; + runtime = substream->runtime; +- mutex_lock(&runtime->buffer_mutex); ++ err = snd_pcm_buffer_access_lock(runtime); ++ if (err < 0) ++ return err; + snd_pcm_stream_lock_irq(substream); + switch (runtime->status->state) { + case SNDRV_PCM_STATE_OPEN: +@@ -801,7 +821,7 @@ static int snd_pcm_hw_params(struct snd_ + snd_pcm_lib_free_pages(substream); + } + unlock: +- mutex_unlock(&runtime->buffer_mutex); ++ snd_pcm_buffer_access_unlock(runtime); + return err; + } + +@@ -846,7 +866,9 @@ static int snd_pcm_hw_free(struct snd_pc + if (PCM_RUNTIME_CHECK(substream)) + return -ENXIO; + runtime = substream->runtime; +- mutex_lock(&runtime->buffer_mutex); ++ result = snd_pcm_buffer_access_lock(runtime); ++ if (result < 0) ++ return result; + snd_pcm_stream_lock_irq(substream); + switch (runtime->status->state) { + case SNDRV_PCM_STATE_SETUP: +@@ -865,7 +887,7 @@ static int snd_pcm_hw_free(struct snd_pc + snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); + cpu_latency_qos_remove_request(&substream->latency_pm_qos_req); + unlock: +- mutex_unlock(&runtime->buffer_mutex); ++ snd_pcm_buffer_access_unlock(runtime); + return result; + } + +@@ -1350,12 +1372,15 @@ static int snd_pcm_action_nonatomic(cons + + /* Guarantee the group members won't change during non-atomic action */ + down_read(&snd_pcm_link_rwsem); +- mutex_lock(&substream->runtime->buffer_mutex); ++ res = snd_pcm_buffer_access_lock(substream->runtime); ++ if (res < 0) ++ goto unlock; + if (snd_pcm_stream_linked(substream)) + res = snd_pcm_action_group(ops, substream, state, false); + else + res = snd_pcm_action_single(ops, substream, state); +- mutex_unlock(&substream->runtime->buffer_mutex); ++ snd_pcm_buffer_access_unlock(substream->runtime); ++ unlock: + up_read(&snd_pcm_link_rwsem); + return res; + } diff --git a/queue-5.10/cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch b/queue-5.10/cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch new file mode 100644 index 00000000000..7692736c694 --- /dev/null +++ b/queue-5.10/cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch @@ -0,0 +1,329 @@ +From d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Tue, 29 Mar 2022 16:20:06 -0300 +Subject: cifs: fix NULL ptr dereference in smb2_ioctl_query_info() + +From: Paulo Alcantara + +commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream. + +When calling smb2_ioctl_query_info() with invalid +smb_query_info::flags, a NULL ptr dereference is triggered when trying +to kfree() uninitialised rqst[n].rq_iov array. + +This also fixes leaked paths that are created in SMB2_open_init() +which required SMB2_open_free() to properly free them. + +Here is a small C reproducer that triggers it + + #include + #include + #include + #include + #include + #include + + #define die(s) perror(s), exit(1) + #define QUERY_INFO 0xc018cf07 + + int main(int argc, char *argv[]) + { + int fd; + + if (argc < 2) + exit(1); + fd = open(argv[1], O_RDONLY); + if (fd == -1) + die("open"); + if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) + die("ioctl"); + close(fd); + return 0; + } + + mount.cifs //srv/share /mnt -o ... + gcc repro.c && ./a.out /mnt/f0 + + [ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4 + [ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI + [ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + [ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2 + [ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 + [ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs] + [ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48 + [ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256 + [ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d + [ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0 + [ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003 + [ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800 + [ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8 + [ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000 + [ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0 + [ 1832.132801] Call Trace: + [ 1832.132962] + [ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs] + [ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs] + [ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] + [ 1832.134502] ? lock_downgrade+0x6f0/0x6f0 + [ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] + [ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs] + [ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs] + [ 1832.135864] ? lock_downgrade+0x6f0/0x6f0 + [ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs] + [ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0 + [ 1832.137096] ? __up_read+0x192/0x710 + [ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0 + [ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0 + [ 1832.137850] __x64_sys_ioctl+0x127/0x190 + [ 1832.138103] do_syscall_64+0x3b/0x90 + [ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 1832.138702] RIP: 0033:0x7fcee9a253df + [ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 + [ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df + [ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003 + [ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e + [ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48 + [ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000 + [ 1832.142851] + [ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs] + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 124 ++++++++++++++++++++++++++++-------------------------- + 1 file changed, 65 insertions(+), 59 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1526,6 +1526,7 @@ smb2_ioctl_query_info(const unsigned int + unsigned int size[2]; + void *data[2]; + int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR; ++ void (*free_req1_func)(struct smb_rqst *r); + + vars = kzalloc(sizeof(*vars), GFP_ATOMIC); + if (vars == NULL) +@@ -1535,17 +1536,18 @@ smb2_ioctl_query_info(const unsigned int + + resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER; + +- if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) +- goto e_fault; +- ++ if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) { ++ rc = -EFAULT; ++ goto free_vars; ++ } + if (qi.output_buffer_length > 1024) { +- kfree(vars); +- return -EINVAL; ++ rc = -EINVAL; ++ goto free_vars; + } + + if (!ses || !server) { +- kfree(vars); +- return -EIO; ++ rc = -EIO; ++ goto free_vars; + } + + if (smb3_encryption_required(tcon)) +@@ -1554,8 +1556,8 @@ smb2_ioctl_query_info(const unsigned int + if (qi.output_buffer_length) { + buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); + if (IS_ERR(buffer)) { +- kfree(vars); +- return PTR_ERR(buffer); ++ rc = PTR_ERR(buffer); ++ goto free_vars; + } + } + +@@ -1594,48 +1596,45 @@ smb2_ioctl_query_info(const unsigned int + rc = SMB2_open_init(tcon, server, + &rqst[0], &oplock, &oparms, path); + if (rc) +- goto iqinf_exit; ++ goto free_output_buffer; + smb2_set_next_command(tcon, &rqst[0]); + + /* Query */ + if (qi.flags & PASSTHRU_FSCTL) { + /* Can eventually relax perm check since server enforces too */ +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN)) { + rc = -EPERM; +- else { +- rqst[1].rq_iov = &vars->io_iov[0]; +- rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE; +- +- rc = SMB2_ioctl_init(tcon, server, +- &rqst[1], +- COMPOUND_FID, COMPOUND_FID, +- qi.info_type, true, buffer, +- qi.output_buffer_length, +- CIFSMaxBufSize - +- MAX_SMB2_CREATE_RESPONSE_SIZE - +- MAX_SMB2_CLOSE_RESPONSE_SIZE); ++ goto free_open_req; + } ++ rqst[1].rq_iov = &vars->io_iov[0]; ++ rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE; ++ ++ rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID, ++ qi.info_type, true, buffer, qi.output_buffer_length, ++ CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE - ++ MAX_SMB2_CLOSE_RESPONSE_SIZE); ++ free_req1_func = SMB2_ioctl_free; + } else if (qi.flags == PASSTHRU_SET_INFO) { + /* Can eventually relax perm check since server enforces too */ +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN)) { + rc = -EPERM; +- else if (qi.output_buffer_length < 8) ++ goto free_open_req; ++ } ++ if (qi.output_buffer_length < 8) { + rc = -EINVAL; +- else { +- rqst[1].rq_iov = &vars->si_iov[0]; +- rqst[1].rq_nvec = 1; +- +- /* MS-FSCC 2.4.13 FileEndOfFileInformation */ +- size[0] = 8; +- data[0] = buffer; +- +- rc = SMB2_set_info_init(tcon, server, +- &rqst[1], +- COMPOUND_FID, COMPOUND_FID, +- current->tgid, +- FILE_END_OF_FILE_INFORMATION, +- SMB2_O_INFO_FILE, 0, data, size); ++ goto free_open_req; + } ++ rqst[1].rq_iov = &vars->si_iov[0]; ++ rqst[1].rq_nvec = 1; ++ ++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */ ++ size[0] = 8; ++ data[0] = buffer; ++ ++ rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID, ++ current->tgid, FILE_END_OF_FILE_INFORMATION, ++ SMB2_O_INFO_FILE, 0, data, size); ++ free_req1_func = SMB2_set_info_free; + } else if (qi.flags == PASSTHRU_QUERY_INFO) { + rqst[1].rq_iov = &vars->qi_iov[0]; + rqst[1].rq_nvec = 1; +@@ -1646,6 +1645,7 @@ smb2_ioctl_query_info(const unsigned int + qi.info_type, qi.additional_information, + qi.input_buffer_length, + qi.output_buffer_length, buffer); ++ free_req1_func = SMB2_query_info_free; + } else { /* unknown flags */ + cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n", + qi.flags); +@@ -1653,7 +1653,7 @@ smb2_ioctl_query_info(const unsigned int + } + + if (rc) +- goto iqinf_exit; ++ goto free_open_req; + smb2_set_next_command(tcon, &rqst[1]); + smb2_set_related(&rqst[1]); + +@@ -1664,14 +1664,14 @@ smb2_ioctl_query_info(const unsigned int + rc = SMB2_close_init(tcon, server, + &rqst[2], COMPOUND_FID, COMPOUND_FID, false); + if (rc) +- goto iqinf_exit; ++ goto free_req_1; + smb2_set_related(&rqst[2]); + + rc = compound_send_recv(xid, ses, server, + flags, 3, rqst, + resp_buftype, rsp_iov); + if (rc) +- goto iqinf_exit; ++ goto out; + + /* No need to bump num_remote_opens since handle immediately closed */ + if (qi.flags & PASSTHRU_FSCTL) { +@@ -1681,18 +1681,22 @@ smb2_ioctl_query_info(const unsigned int + qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount); + if (qi.input_buffer_length > 0 && + le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length +- > rsp_iov[1].iov_len) +- goto e_fault; ++ > rsp_iov[1].iov_len) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user(&pqi->input_buffer_length, + &qi.input_buffer_length, +- sizeof(qi.input_buffer_length))) +- goto e_fault; ++ sizeof(qi.input_buffer_length))) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info), + (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset), + qi.input_buffer_length)) +- goto e_fault; ++ rc = -EFAULT; + } else { + pqi = (struct smb_query_info __user *)arg; + qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base; +@@ -1700,28 +1704,30 @@ smb2_ioctl_query_info(const unsigned int + qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength); + if (copy_to_user(&pqi->input_buffer_length, + &qi.input_buffer_length, +- sizeof(qi.input_buffer_length))) +- goto e_fault; ++ sizeof(qi.input_buffer_length))) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user(pqi + 1, qi_rsp->Buffer, + qi.input_buffer_length)) +- goto e_fault; ++ rc = -EFAULT; + } + +- iqinf_exit: +- cifs_small_buf_release(rqst[0].rq_iov[0].iov_base); +- cifs_small_buf_release(rqst[1].rq_iov[0].iov_base); +- cifs_small_buf_release(rqst[2].rq_iov[0].iov_base); ++out: + free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base); + free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base); + free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base); +- kfree(vars); ++ SMB2_close_free(&rqst[2]); ++free_req_1: ++ free_req1_func(&rqst[1]); ++free_open_req: ++ SMB2_open_free(&rqst[0]); ++free_output_buffer: + kfree(buffer); ++free_vars: ++ kfree(vars); + return rc; +- +-e_fault: +- rc = -EFAULT; +- goto iqinf_exit; + } + + static ssize_t diff --git a/queue-5.10/cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch b/queue-5.10/cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch new file mode 100644 index 00000000000..772cb1d4706 --- /dev/null +++ b/queue-5.10/cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch @@ -0,0 +1,175 @@ +From b92e358757b91c2827af112cae9af513f26a3f34 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Tue, 29 Mar 2022 16:20:05 -0300 +Subject: cifs: prevent bad output lengths in smb2_ioctl_query_info() + +From: Paulo Alcantara + +commit b92e358757b91c2827af112cae9af513f26a3f34 upstream. + +When calling smb2_ioctl_query_info() with +smb_query_info::flags=PASSTHRU_FSCTL and +smb_query_info::output_buffer_length=0, the following would return +0x10 + + buffer = memdup_user(arg + sizeof(struct smb_query_info), + qi.output_buffer_length); + if (IS_ERR(buffer)) { + kfree(vars); + return PTR_ERR(buffer); + } + +rather than a valid pointer thus making IS_ERR() check fail. This +would then cause a NULL ptr deference in @buffer when accessing it +later in smb2_ioctl_query_ioctl(). While at it, prevent having a +@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO +FileEndOfFileInformation requests when +smb_query_info::flags=PASSTHRU_SET_INFO. + +Here is a small C reproducer which triggers a NULL ptr in @buffer when +passing an invalid smb_query_info::flags + + #include + #include + #include + #include + #include + #include + + #define die(s) perror(s), exit(1) + #define QUERY_INFO 0xc018cf07 + + int main(int argc, char *argv[]) + { + int fd; + + if (argc < 2) + exit(1); + fd = open(argv[1], O_RDONLY); + if (fd == -1) + die("open"); + if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) + die("ioctl"); + close(fd); + return 0; + } + + mount.cifs //srv/share /mnt -o ... + gcc repro.c && ./a.out /mnt/f0 + + [ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI + [ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + [ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1 + [ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 + [ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] + [ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 + [ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 + [ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d + [ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 + [ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 + [ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 + [ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000 + [ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000 + [ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0 + [ 114.146131] Call Trace: + [ 114.146291] + [ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs] + [ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs] + [ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] + [ 114.147775] ? dentry_path_raw+0xa6/0xf0 + [ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] + [ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs] + [ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs] + [ 114.149371] ? lock_downgrade+0x6f0/0x6f0 + [ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs] + [ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0 + [ 114.150562] ? __up_read+0x192/0x710 + [ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0 + [ 114.151025] ? __x64_sys_openat+0x11f/0x1d0 + [ 114.151296] __x64_sys_ioctl+0x127/0x190 + [ 114.151549] do_syscall_64+0x3b/0x90 + [ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 114.152079] RIP: 0033:0x7f7aead043df + [ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 + [ 114.153431] RSP: 002b:00007ffc2e0c1f80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [ 114.153890] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7aead043df + [ 114.154315] RDX: 00007ffc2e0c1ff0 RSI: 00000000c018cf07 RDI: 0000000000000003 + [ 114.154747] RBP: 00007ffc2e0c2010 R08: 00007f7aeae03db0 R09: 00007f7aeae24c4e + [ 114.155192] R10: 00007f7aeabf7d40 R11: 0000000000000246 R12: 00007ffc2e0c2128 + [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000 + [ 114.156071] + [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload + [ 114.156608] ---[ end trace 0000000000000000 ]--- + [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] + [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 + [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 + [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d + [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 + [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 + [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 + [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000 + [ 114.156071] + [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload + [ 114.156608] ---[ end trace 0000000000000000 ]--- + [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] + [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 + [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 + [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d + [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 + [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 + [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 + [ 114.161823] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000 + [ 114.162274] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000 + [ 114.162853] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 114.163218] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0 + [ 114.163691] Kernel panic - not syncing: Fatal exception + [ 114.164087] Kernel Offset: disabled + [ 114.164316] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1551,11 +1551,12 @@ smb2_ioctl_query_info(const unsigned int + if (smb3_encryption_required(tcon)) + flags |= CIFS_TRANSFORM_REQ; + +- buffer = memdup_user(arg + sizeof(struct smb_query_info), +- qi.output_buffer_length); +- if (IS_ERR(buffer)) { +- kfree(vars); +- return PTR_ERR(buffer); ++ if (qi.output_buffer_length) { ++ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); ++ if (IS_ERR(buffer)) { ++ kfree(vars); ++ return PTR_ERR(buffer); ++ } + } + + /* Open */ +@@ -1618,10 +1619,13 @@ smb2_ioctl_query_info(const unsigned int + /* Can eventually relax perm check since server enforces too */ + if (!capable(CAP_SYS_ADMIN)) + rc = -EPERM; +- else { ++ else if (qi.output_buffer_length < 8) ++ rc = -EINVAL; ++ else { + rqst[1].rq_iov = &vars->si_iov[0]; + rqst[1].rq_nvec = 1; + ++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */ + size[0] = 8; + data[0] = buffer; + diff --git a/queue-5.10/revert-input-clear-btn_right-middle-on-buttonpads.patch b/queue-5.10/revert-input-clear-btn_right-middle-on-buttonpads.patch new file mode 100644 index 00000000000..57f38f610b3 --- /dev/null +++ b/queue-5.10/revert-input-clear-btn_right-middle-on-buttonpads.patch @@ -0,0 +1,62 @@ +From 8b188fba75195745026e11d408e4a7e94e01d701 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Thu, 31 Mar 2022 21:15:36 -0700 +Subject: Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +commit 8b188fba75195745026e11d408e4a7e94e01d701 upstream. + +This reverts commit 37ef4c19b4c659926ce65a7ac709ceaefb211c40. + +The touchpad present in the Dell Precision 7550 and 7750 laptops +reports a HID_DG_BUTTONTYPE of type MT_BUTTONTYPE_CLICKPAD. However, +the device is not a clickpad, it is a touchpad with physical buttons. + +In order to fix this issue, a quirk for the device was introduced in +libinput [1] [2] to disable the INPUT_PROP_BUTTONPAD property: + + [Precision 7x50 Touchpad] + MatchBus=i2c + MatchUdevType=touchpad + MatchDMIModalias=dmi:*svnDellInc.:pnPrecision7?50* + AttrInputPropDisable=INPUT_PROP_BUTTONPAD + +However, because of the change introduced in 37ef4c19b4 ("Input: clear +BTN_RIGHT/MIDDLE on buttonpads") the BTN_RIGHT key bit is not mapped +anymore breaking the device right click button and making impossible to +workaround it in user space. + +In order to avoid breakage on other present or future devices, revert +the patch causing the issue. + +Signed-off-by: José Expósito +Reviewed-by: Hans de Goede +Acked-by: Peter Hutterer +Acked-by: Benjamin Tissoires +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220321184404.20025-1-jose.exposito89@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/input.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -2179,12 +2179,6 @@ int input_register_device(struct input_d + /* KEY_RESERVED is not supposed to be transmitted to userspace. */ + __clear_bit(KEY_RESERVED, dev->keybit); + +- /* Buttonpads should not map BTN_RIGHT and/or BTN_MIDDLE. */ +- if (test_bit(INPUT_PROP_BUTTONPAD, dev->propbit)) { +- __clear_bit(BTN_RIGHT, dev->keybit); +- __clear_bit(BTN_MIDDLE, dev->keybit); +- } +- + /* Make sure that bitmasks not mentioned in dev->evbit are clean. */ + input_cleanse_bitmasks(dev); + diff --git a/queue-5.10/riscv-fix-fill_callchain-return-value.patch b/queue-5.10/riscv-fix-fill_callchain-return-value.patch new file mode 100644 index 00000000000..346df6096ba --- /dev/null +++ b/queue-5.10/riscv-fix-fill_callchain-return-value.patch @@ -0,0 +1,32 @@ +From 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f Mon Sep 17 00:00:00 2001 +From: Nikita Shubin +Date: Fri, 11 Mar 2022 09:58:15 +0300 +Subject: riscv: Fix fill_callchain return value + +From: Nikita Shubin + +commit 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f upstream. + +perf_callchain_store return 0 on success, -1 otherwise, +fix fill_callchain to return correct bool value. + +Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support") +Signed-off-by: Nikita Shubin +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/perf_callchain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/kernel/perf_callchain.c ++++ b/arch/riscv/kernel/perf_callchain.c +@@ -77,7 +77,7 @@ void perf_callchain_user(struct perf_cal + + bool fill_callchain(unsigned long pc, void *entry) + { +- return perf_callchain_store(entry, pc); ++ return perf_callchain_store(entry, pc) == 0; + } + + void notrace walk_stackframe(struct task_struct *task, diff --git a/queue-5.10/riscv-increase-stack-size-under-kasan.patch b/queue-5.10/riscv-increase-stack-size-under-kasan.patch new file mode 100644 index 00000000000..b5b7ae361e6 --- /dev/null +++ b/queue-5.10/riscv-increase-stack-size-under-kasan.patch @@ -0,0 +1,44 @@ +From b81d591386c3a50b96dddcf663628ea0df0bf2b3 Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov +Date: Mon, 14 Mar 2022 10:06:52 +0100 +Subject: riscv: Increase stack size under KASAN + +From: Dmitry Vyukov + +commit b81d591386c3a50b96dddcf663628ea0df0bf2b3 upstream. + +KASAN requires more stack space because of compiler instrumentation. +Increase stack size as other arches do. + +Signed-off-by: Dmitry Vyukov +Reported-by: syzbot+0600986d88e2d4d7ebb8@syzkaller.appspotmail.com +Fixes: 8ad8b72721d0 ("riscv: Add KASAN support") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/thread_info.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/thread_info.h ++++ b/arch/riscv/include/asm/thread_info.h +@@ -11,11 +11,17 @@ + #include + #include + ++#ifdef CONFIG_KASAN ++#define KASAN_STACK_ORDER 1 ++#else ++#define KASAN_STACK_ORDER 0 ++#endif ++ + /* thread information allocation */ + #ifdef CONFIG_64BIT +-#define THREAD_SIZE_ORDER (2) ++#define THREAD_SIZE_ORDER (2 + KASAN_STACK_ORDER) + #else +-#define THREAD_SIZE_ORDER (1) ++#define THREAD_SIZE_ORDER (1 + KASAN_STACK_ORDER) + #endif + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + diff --git a/queue-5.10/series b/queue-5.10/series index 189d94900dd..f77bbf7ae78 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -62,3 +62,12 @@ mempolicy-mbind_range-set_policy-after-vma_merge.patch scsi-libsas-fix-sas_ata_qc_issue-handling-of-ncq-non-data-commands.patch qed-display-vf-trust-config.patch qed-validate-and-restrict-untrusted-vfs-vlan-promisc-mode.patch +riscv-fix-fill_callchain-return-value.patch +riscv-increase-stack-size-under-kasan.patch +revert-input-clear-btn_right-middle-on-buttonpads.patch +cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch +cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch +alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch +alsa-hda-avoid-unsol-event-during-rpm-suspending.patch +alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch +alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch