From: Greg Kroah-Hartman Date: Wed, 3 Aug 2016 05:25:19 +0000 (+0200) Subject: 4.6-stable patches X-Git-Tag: v3.14.75~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8976aa562f5d6e8e555f78577ef9a83946741fe;p=thirdparty%2Fkernel%2Fstable-queue.git 4.6-stable patches added patches: alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch cgroup-disable-irqs-while-holding-css_set_lock.patch cgroup-remove-redundant-cleanup-in-css_create.patch cgroup-set-css-id-to-1-during-init.patch ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch input-elantech-add-more-ic-body-types-to-the-list.patch input-synaptics-rmi4-fix-maximum-size-check-for-f12-control-register-8.patch input-tsc200x-report-proper-input_dev-name.patch input-vmmouse-remove-port-reservation.patch input-wacom_w8001-ignore-invalid-pen-data-packets.patch input-wacom_w8001-w8001_max_length-should-be-13.patch input-xpad-fix-oops-when-attaching-an-unknown-xbox-one-gamepad.patch input-xpad-validate-usb-endpoint-count-during-probe.patch locks-use-file_inode.patch pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch power_supply-power_supply_read_temp-only-if-use_cnt-0.patch pvclock-add-cpu-barriers-to-get-correct-version-value.patch revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch revert-input-wacom_w8001-drop-use-of-abs_mt_tool_type.patch --- diff --git a/queue-4.6/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch b/queue-4.6/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch new file mode 100644 index 00000000000..2ef18cbc0fc --- /dev/null +++ b/queue-4.6/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch @@ -0,0 +1,34 @@ +From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:44:20 -0400 +Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kangjie Lu + +commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 upstream. + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(str + tu->tstamp = *tstamp; + if ((tu->filter & (1 << event)) == 0 || !tu->tread) + return; ++ memset(&r1, 0, sizeof(r1)); + r1.event = event; + r1.tstamp = *tstamp; + r1.val = resolution; diff --git a/queue-4.6/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch b/queue-4.6/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch new file mode 100644 index 00000000000..0e6f8c1637e --- /dev/null +++ b/queue-4.6/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch @@ -0,0 +1,34 @@ +From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:44:32 -0400 +Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kangjie Lu + +commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream. + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(st + } + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && + tu->last_resolution != resolution) { ++ memset(&r1, 0, sizeof(r1)); + r1.event = SNDRV_TIMER_EVENT_RESOLUTION; + r1.tstamp = tstamp; + r1.val = resolution; diff --git a/queue-4.6/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/queue-4.6/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch new file mode 100644 index 00000000000..3456f5b5fbf --- /dev/null +++ b/queue-4.6/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch @@ -0,0 +1,34 @@ +From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:44:07 -0400 +Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kangjie Lu + +commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream. + +The stack object “tread” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct + if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { + if (tu->tread) { + struct snd_timer_tread tread; ++ memset(&tread, 0, sizeof(tread)); + tread.event = SNDRV_TIMER_EVENT_EARLY; + tread.tstamp.tv_sec = 0; + tread.tstamp.tv_nsec = 0; diff --git a/queue-4.6/cgroup-disable-irqs-while-holding-css_set_lock.patch b/queue-4.6/cgroup-disable-irqs-while-holding-css_set_lock.patch new file mode 100644 index 00000000000..ca34d60d455 --- /dev/null +++ b/queue-4.6/cgroup-disable-irqs-while-holding-css_set_lock.patch @@ -0,0 +1,612 @@ +From 82d6489d0fed2ec8a8c48c19e8d8a04ac8e5bb26 Mon Sep 17 00:00:00 2001 +From: Daniel Bristot de Oliveira +Date: Wed, 22 Jun 2016 17:28:41 -0300 +Subject: cgroup: Disable IRQs while holding css_set_lock + +From: Daniel Bristot de Oliveira + +commit 82d6489d0fed2ec8a8c48c19e8d8a04ac8e5bb26 upstream. + +While testing the deadline scheduler + cgroup setup I hit this +warning. + +[ 132.612935] ------------[ cut here ]------------ +[ 132.612951] WARNING: CPU: 5 PID: 0 at kernel/softirq.c:150 __local_bh_enable_ip+0x6b/0x80 +[ 132.612952] Modules linked in: (a ton of modules...) +[ 132.612981] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.7.0-rc2 #2 +[ 132.612981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014 +[ 132.612982] 0000000000000086 45c8bb5effdd088b ffff88013fd43da0 ffffffff813d229e +[ 132.612984] 0000000000000000 0000000000000000 ffff88013fd43de0 ffffffff810a652b +[ 132.612985] 00000096811387b5 0000000000000200 ffff8800bab29d80 ffff880034c54c00 +[ 132.612986] Call Trace: +[ 132.612987] [] dump_stack+0x63/0x85 +[ 132.612994] [] __warn+0xcb/0xf0 +[ 132.612997] [] ? push_dl_task.part.32+0x170/0x170 +[ 132.612999] [] warn_slowpath_null+0x1d/0x20 +[ 132.613000] [] __local_bh_enable_ip+0x6b/0x80 +[ 132.613008] [] _raw_write_unlock_bh+0x1a/0x20 +[ 132.613010] [] _raw_spin_unlock_bh+0xe/0x10 +[ 132.613015] [] put_css_set+0x5c/0x60 +[ 132.613016] [] cgroup_free+0x7f/0xa0 +[ 132.613017] [] __put_task_struct+0x42/0x140 +[ 132.613018] [] dl_task_timer+0xca/0x250 +[ 132.613027] [] ? push_dl_task.part.32+0x170/0x170 +[ 132.613030] [] __hrtimer_run_queues+0xee/0x270 +[ 132.613031] [] hrtimer_interrupt+0xa8/0x190 +[ 132.613034] [] local_apic_timer_interrupt+0x38/0x60 +[ 132.613035] [] smp_apic_timer_interrupt+0x3d/0x50 +[ 132.613037] [] apic_timer_interrupt+0x8c/0xa0 +[ 132.613038] [] ? native_safe_halt+0x6/0x10 +[ 132.613043] [] default_idle+0x1e/0xd0 +[ 132.613044] [] arch_cpu_idle+0xf/0x20 +[ 132.613046] [] default_idle_call+0x2a/0x40 +[ 132.613047] [] cpu_startup_entry+0x2e7/0x340 +[ 132.613048] [] start_secondary+0x155/0x190 +[ 132.613049] ---[ end trace f91934d162ce9977 ]--- + +The warn is the spin_(lock|unlock)_bh(&css_set_lock) in the interrupt +context. Converting the spin_lock_bh to spin_lock_irq(save) to avoid +this problem - and other problems of sharing a spinlock with an +interrupt. + +Cc: Tejun Heo +Cc: Li Zefan +Cc: Johannes Weiner +Cc: Juri Lelli +Cc: Steven Rostedt +Cc: cgroups@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Reviewed-by: Rik van Riel +Reviewed-by: "Luis Claudio R. Goncalves" +Signed-off-by: Daniel Bristot de Oliveira +Acked-by: Zefan Li +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 142 +++++++++++++++++++++++++++++--------------------------- + 1 file changed, 74 insertions(+), 68 deletions(-) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -837,6 +837,8 @@ static void put_css_set_locked(struct cs + + static void put_css_set(struct css_set *cset) + { ++ unsigned long flags; ++ + /* + * Ensure that the refcount doesn't hit zero while any readers + * can see it. Similar to atomic_dec_and_lock(), but for an +@@ -845,9 +847,9 @@ static void put_css_set(struct css_set * + if (atomic_add_unless(&cset->refcount, -1, 1)) + return; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irqsave(&css_set_lock, flags); + put_css_set_locked(cset); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irqrestore(&css_set_lock, flags); + } + + /* +@@ -1070,11 +1072,11 @@ static struct css_set *find_css_set(stru + + /* First see if we already have a cgroup group that matches + * the desired set */ +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + cset = find_existing_css_set(old_cset, cgrp, template); + if (cset) + get_css_set(cset); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + if (cset) + return cset; +@@ -1102,7 +1104,7 @@ static struct css_set *find_css_set(stru + * find_existing_css_set() */ + memcpy(cset->subsys, template, sizeof(cset->subsys)); + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + /* Add reference counts and links from the new css_set. */ + list_for_each_entry(link, &old_cset->cgrp_links, cgrp_link) { + struct cgroup *c = link->cgrp; +@@ -1128,7 +1130,7 @@ static struct css_set *find_css_set(stru + css_get(css); + } + +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + return cset; + } +@@ -1192,7 +1194,7 @@ static void cgroup_destroy_root(struct c + * Release all the links from cset_links to this hierarchy's + * root cgroup + */ +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + list_for_each_entry_safe(link, tmp_link, &cgrp->cset_links, cset_link) { + list_del(&link->cset_link); +@@ -1200,7 +1202,7 @@ static void cgroup_destroy_root(struct c + kfree(link); + } + +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + if (!list_empty(&root->root_list)) { + list_del(&root->root_list); +@@ -1600,11 +1602,11 @@ static int rebind_subsystems(struct cgro + ss->root = dst_root; + css->cgroup = dcgrp; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + hash_for_each(css_set_table, i, cset, hlist) + list_move_tail(&cset->e_cset_node[ss->id], + &dcgrp->e_csets[ss->id]); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + /* default hierarchy doesn't enable controllers by default */ + dst_root->subsys_mask |= 1 << ssid; +@@ -1640,10 +1642,10 @@ static int cgroup_show_path(struct seq_f + if (!buf) + return -ENOMEM; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + ns_cgroup = current_cgns_cgroup_from_root(kf_cgroot); + len = kernfs_path_from_node(kf_node, ns_cgroup->kn, buf, PATH_MAX); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + if (len >= PATH_MAX) + len = -ERANGE; +@@ -1897,7 +1899,7 @@ static void cgroup_enable_task_cg_lists( + { + struct task_struct *p, *g; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + if (use_task_css_set_links) + goto out_unlock; +@@ -1922,8 +1924,12 @@ static void cgroup_enable_task_cg_lists( + * entry won't be deleted though the process has exited. + * Do it while holding siglock so that we don't end up + * racing against cgroup_exit(). ++ * ++ * Interrupts were already disabled while acquiring ++ * the css_set_lock, so we do not need to disable it ++ * again when acquiring the sighand->siglock here. + */ +- spin_lock_irq(&p->sighand->siglock); ++ spin_lock(&p->sighand->siglock); + if (!(p->flags & PF_EXITING)) { + struct css_set *cset = task_css_set(p); + +@@ -1932,11 +1938,11 @@ static void cgroup_enable_task_cg_lists( + list_add_tail(&p->cg_list, &cset->tasks); + get_css_set(cset); + } +- spin_unlock_irq(&p->sighand->siglock); ++ spin_unlock(&p->sighand->siglock); + } while_each_thread(g, p); + read_unlock(&tasklist_lock); + out_unlock: +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + } + + static void init_cgroup_housekeeping(struct cgroup *cgrp) +@@ -2043,13 +2049,13 @@ static int cgroup_setup_root(struct cgro + * Link the root cgroup in this hierarchy into all the css_set + * objects. + */ +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + hash_for_each(css_set_table, i, cset, hlist) { + link_css_set(&tmp_links, cset, root_cgrp); + if (css_set_populated(cset)) + cgroup_update_populated(root_cgrp, true); + } +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + BUG_ON(!list_empty(&root_cgrp->self.children)); + BUG_ON(atomic_read(&root->nr_cgrps) != 1); +@@ -2256,11 +2262,11 @@ out_mount: + struct cgroup *cgrp; + + mutex_lock(&cgroup_mutex); +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + cgrp = cset_cgroup_from_root(ns->root_cset, root); + +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + mutex_unlock(&cgroup_mutex); + + nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb); +@@ -2337,11 +2343,11 @@ char *cgroup_path_ns(struct cgroup *cgrp + char *ret; + + mutex_lock(&cgroup_mutex); +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + ret = cgroup_path_ns_locked(cgrp, buf, buflen, ns); + +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + mutex_unlock(&cgroup_mutex); + + return ret; +@@ -2369,7 +2375,7 @@ char *task_cgroup_path(struct task_struc + char *path = NULL; + + mutex_lock(&cgroup_mutex); +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + root = idr_get_next(&cgroup_hierarchy_idr, &hierarchy_id); + +@@ -2382,7 +2388,7 @@ char *task_cgroup_path(struct task_struc + path = buf; + } + +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + mutex_unlock(&cgroup_mutex); + return path; + } +@@ -2557,7 +2563,7 @@ static int cgroup_taskset_migrate(struct + * the new cgroup. There are no failure cases after here, so this + * is the commit point. + */ +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_for_each_entry(cset, &tset->src_csets, mg_node) { + list_for_each_entry_safe(task, tmp_task, &cset->mg_tasks, cg_list) { + struct css_set *from_cset = task_css_set(task); +@@ -2568,7 +2574,7 @@ static int cgroup_taskset_migrate(struct + put_css_set_locked(from_cset); + } + } +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + /* + * Migration is committed, all target tasks are now on dst_csets. +@@ -2597,13 +2603,13 @@ out_cancel_attach: + } + } while_each_subsys_mask(); + out_release_tset: +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_splice_init(&tset->dst_csets, &tset->src_csets); + list_for_each_entry_safe(cset, tmp_cset, &tset->src_csets, mg_node) { + list_splice_tail_init(&cset->mg_tasks, &cset->tasks); + list_del_init(&cset->mg_node); + } +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + return ret; + } + +@@ -2634,7 +2640,7 @@ static void cgroup_migrate_finish(struct + + lockdep_assert_held(&cgroup_mutex); + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_for_each_entry_safe(cset, tmp_cset, preloaded_csets, mg_preload_node) { + cset->mg_src_cgrp = NULL; + cset->mg_dst_cgrp = NULL; +@@ -2642,7 +2648,7 @@ static void cgroup_migrate_finish(struct + list_del_init(&cset->mg_preload_node); + put_css_set_locked(cset); + } +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + } + + /** +@@ -2783,7 +2789,7 @@ static int cgroup_migrate(struct task_st + * already PF_EXITING could be freed from underneath us unless we + * take an rcu_read_lock. + */ +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + rcu_read_lock(); + task = leader; + do { +@@ -2792,7 +2798,7 @@ static int cgroup_migrate(struct task_st + break; + } while_each_thread(leader, task); + rcu_read_unlock(); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + return cgroup_taskset_migrate(&tset, root); + } +@@ -2816,7 +2822,7 @@ static int cgroup_attach_task(struct cgr + return -EBUSY; + + /* look up all src csets */ +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + rcu_read_lock(); + task = leader; + do { +@@ -2826,7 +2832,7 @@ static int cgroup_attach_task(struct cgr + break; + } while_each_thread(leader, task); + rcu_read_unlock(); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + /* prepare dst csets and commit */ + ret = cgroup_migrate_prepare_dst(&preloaded_csets); +@@ -2859,9 +2865,9 @@ static int cgroup_procs_write_permission + struct cgroup *cgrp; + struct inode *inode; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + cgrp = task_cgroup_from_root(task, &cgrp_dfl_root); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + while (!cgroup_is_descendant(dst_cgrp, cgrp)) + cgrp = cgroup_parent(cgrp); +@@ -2962,9 +2968,9 @@ int cgroup_attach_task_all(struct task_s + if (root == &cgrp_dfl_root) + continue; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + from_cgrp = task_cgroup_from_root(from, root); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + retval = cgroup_attach_task(from_cgrp, tsk, false); + if (retval) +@@ -3080,7 +3086,7 @@ static int cgroup_update_dfl_csses(struc + percpu_down_write(&cgroup_threadgroup_rwsem); + + /* look up all csses currently attached to @cgrp's subtree */ +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + cgroup_for_each_live_descendant_pre(dsct, d_css, cgrp) { + struct cgrp_cset_link *link; + +@@ -3088,14 +3094,14 @@ static int cgroup_update_dfl_csses(struc + cgroup_migrate_add_src(link->cset, dsct, + &preloaded_csets); + } +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + /* NULL dst indicates self on default hierarchy */ + ret = cgroup_migrate_prepare_dst(&preloaded_csets); + if (ret) + goto out_finish; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_for_each_entry(src_cset, &preloaded_csets, mg_preload_node) { + struct task_struct *task, *ntask; + +@@ -3107,7 +3113,7 @@ static int cgroup_update_dfl_csses(struc + list_for_each_entry_safe(task, ntask, &src_cset->tasks, cg_list) + cgroup_taskset_add(task, &tset); + } +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + ret = cgroup_taskset_migrate(&tset, cgrp->root); + out_finish: +@@ -3908,10 +3914,10 @@ static int cgroup_task_count(const struc + int count = 0; + struct cgrp_cset_link *link; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_for_each_entry(link, &cgrp->cset_links, cset_link) + count += atomic_read(&link->cset->refcount); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + return count; + } + +@@ -4249,7 +4255,7 @@ void css_task_iter_start(struct cgroup_s + + memset(it, 0, sizeof(*it)); + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + it->ss = css->ss; + +@@ -4262,7 +4268,7 @@ void css_task_iter_start(struct cgroup_s + + css_task_iter_advance_css_set(it); + +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + } + + /** +@@ -4280,7 +4286,7 @@ struct task_struct *css_task_iter_next(s + it->cur_task = NULL; + } + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + if (it->task_pos) { + it->cur_task = list_entry(it->task_pos, struct task_struct, +@@ -4289,7 +4295,7 @@ struct task_struct *css_task_iter_next(s + css_task_iter_advance(it); + } + +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + return it->cur_task; + } +@@ -4303,10 +4309,10 @@ struct task_struct *css_task_iter_next(s + void css_task_iter_end(struct css_task_iter *it) + { + if (it->cur_cset) { +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_del(&it->iters_node); + put_css_set_locked(it->cur_cset); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + } + + if (it->cur_task) +@@ -4338,10 +4344,10 @@ int cgroup_transfer_tasks(struct cgroup + mutex_lock(&cgroup_mutex); + + /* all tasks in @from are being moved, all csets are source */ +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_for_each_entry(link, &from->cset_links, cset_link) + cgroup_migrate_add_src(link->cset, to, &preloaded_csets); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + ret = cgroup_migrate_prepare_dst(&preloaded_csets); + if (ret) +@@ -5449,10 +5455,10 @@ static int cgroup_destroy_locked(struct + */ + cgrp->self.flags &= ~CSS_ONLINE; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_for_each_entry(link, &cgrp->cset_links, cset_link) + link->cset->dead = true; +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + + /* initiate massacre of all css's */ + for_each_css(css, ssid, cgrp) +@@ -5723,7 +5729,7 @@ int proc_cgroup_show(struct seq_file *m, + goto out; + + mutex_lock(&cgroup_mutex); +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + for_each_root(root) { + struct cgroup_subsys *ss; +@@ -5776,7 +5782,7 @@ int proc_cgroup_show(struct seq_file *m, + + retval = 0; + out_unlock: +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + mutex_unlock(&cgroup_mutex); + kfree(buf); + out: +@@ -5921,13 +5927,13 @@ void cgroup_post_fork(struct task_struct + if (use_task_css_set_links) { + struct css_set *cset; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + cset = task_css_set(current); + if (list_empty(&child->cg_list)) { + get_css_set(cset); + css_set_move_task(child, NULL, cset, false); + } +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + } + + /* +@@ -5972,9 +5978,9 @@ void cgroup_exit(struct task_struct *tsk + cset = task_css_set(tsk); + + if (!list_empty(&tsk->cg_list)) { +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + css_set_move_task(tsk, cset, NULL, false); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + } else { + get_css_set(cset); + } +@@ -6042,9 +6048,9 @@ static void cgroup_release_agent(struct + if (!pathbuf || !agentbuf) + goto out; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + path = cgroup_path_ns_locked(cgrp, pathbuf, PATH_MAX, &init_cgroup_ns); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + if (!path) + goto out; + +@@ -6304,12 +6310,12 @@ struct cgroup_namespace *copy_cgroup_ns( + return ERR_PTR(-EPERM); + + mutex_lock(&cgroup_mutex); +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + + cset = task_css_set(current); + get_css_set(cset); + +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + mutex_unlock(&cgroup_mutex); + + new_ns = alloc_cgroup_ns(); +@@ -6433,7 +6439,7 @@ static int current_css_set_cg_links_read + if (!name_buf) + return -ENOMEM; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + rcu_read_lock(); + cset = rcu_dereference(current->cgroups); + list_for_each_entry(link, &cset->cgrp_links, cgrp_link) { +@@ -6444,7 +6450,7 @@ static int current_css_set_cg_links_read + c->root->hierarchy_id, name_buf); + } + rcu_read_unlock(); +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + kfree(name_buf); + return 0; + } +@@ -6455,7 +6461,7 @@ static int cgroup_css_links_read(struct + struct cgroup_subsys_state *css = seq_css(seq); + struct cgrp_cset_link *link; + +- spin_lock_bh(&css_set_lock); ++ spin_lock_irq(&css_set_lock); + list_for_each_entry(link, &css->cgroup->cset_links, cset_link) { + struct css_set *cset = link->cset; + struct task_struct *task; +@@ -6478,7 +6484,7 @@ static int cgroup_css_links_read(struct + overflow: + seq_puts(seq, " ...\n"); + } +- spin_unlock_bh(&css_set_lock); ++ spin_unlock_irq(&css_set_lock); + return 0; + } + diff --git a/queue-4.6/cgroup-remove-redundant-cleanup-in-css_create.patch b/queue-4.6/cgroup-remove-redundant-cleanup-in-css_create.patch new file mode 100644 index 00000000000..233dca455db --- /dev/null +++ b/queue-4.6/cgroup-remove-redundant-cleanup-in-css_create.patch @@ -0,0 +1,51 @@ +From b00c52dae6d9ee8d0f2407118ef6544ae5524781 Mon Sep 17 00:00:00 2001 +From: Wenwei Tao +Date: Fri, 13 May 2016 22:59:20 +0800 +Subject: cgroup: remove redundant cleanup in css_create + +From: Wenwei Tao + +commit b00c52dae6d9ee8d0f2407118ef6544ae5524781 upstream. + +When create css failed, before call css_free_rcu_fn, we remove the css +id and exit the percpu_ref, but we will do these again in +css_free_work_fn, so they are redundant. Especially the css id, that +would cause problem if we remove it twice, since it may be assigned to +another css after the first remove. + +tj: This was broken by two commits updating the free path without + synchronizing the creation failure path. This can be easily + triggered by trying to create more than 64k memory cgroups. + +Signed-off-by: Wenwei Tao +Signed-off-by: Tejun Heo +Cc: Vladimir Davydov +Fixes: 9a1049da9bd2 ("percpu-refcount: require percpu_ref to be exited explicitly") +Fixes: 01e586598b22 ("cgroup: release css->id after css_free") +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -5150,7 +5150,7 @@ static struct cgroup_subsys_state *css_c + + err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_KERNEL); + if (err < 0) +- goto err_free_percpu_ref; ++ goto err_free_css; + css->id = err; + + /* @css is ready to be brought online now, make it visible */ +@@ -5174,9 +5174,6 @@ static struct cgroup_subsys_state *css_c + + err_list_del: + list_del_rcu(&css->sibling); +- cgroup_idr_remove(&ss->css_idr, css->id); +-err_free_percpu_ref: +- percpu_ref_exit(&css->refcnt); + err_free_css: + call_rcu(&css->rcu_head, css_free_rcu_fn); + return ERR_PTR(err); diff --git a/queue-4.6/cgroup-set-css-id-to-1-during-init.patch b/queue-4.6/cgroup-set-css-id-to-1-during-init.patch new file mode 100644 index 00000000000..449c6c17eee --- /dev/null +++ b/queue-4.6/cgroup-set-css-id-to-1-during-init.patch @@ -0,0 +1,34 @@ +From 8fa3b8d689a54d6d04ff7803c724fb7aca6ce98e Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Thu, 26 May 2016 15:42:13 -0400 +Subject: cgroup: set css->id to -1 during init + +From: Tejun Heo + +commit 8fa3b8d689a54d6d04ff7803c724fb7aca6ce98e upstream. + +If percpu_ref initialization fails during css_create(), the free path +can end up trying to free css->id of zero. As ID 0 is unused, it +doesn't cause a critical breakage but it does trigger a warning +message. Fix it by setting css->id to -1 from init_and_link_css(). + +Signed-off-by: Tejun Heo +Cc: Wenwei Tao +Fixes: 01e586598b22 ("cgroup: release css->id after css_free") +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -5063,6 +5063,7 @@ static void init_and_link_css(struct cgr + memset(css, 0, sizeof(*css)); + css->cgroup = cgrp; + css->ss = ss; ++ css->id = -1; + INIT_LIST_HEAD(&css->sibling); + INIT_LIST_HEAD(&css->children); + css->serial_nr = css_serial_nr_next++; diff --git a/queue-4.6/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch b/queue-4.6/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch new file mode 100644 index 00000000000..a8ba610ad20 --- /dev/null +++ b/queue-4.6/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch @@ -0,0 +1,55 @@ +From f0fe970df3838c202ef6c07a4c2b36838ef0a88b Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Tue, 5 Jul 2016 17:32:30 -0400 +Subject: ecryptfs: don't allow mmap when the lower fs doesn't support it + +From: Jeff Mahoney + +commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream. + +There are legitimate reasons to disallow mmap on certain files, notably +in sysfs or procfs. We shouldn't emulate mmap support on file systems +that don't offer support natively. + +CVE-2016-1583 + +Signed-off-by: Jeff Mahoney +[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()] +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/file.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -169,6 +169,19 @@ out: + return rc; + } + ++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma) ++{ ++ struct file *lower_file = ecryptfs_file_to_lower(file); ++ /* ++ * Don't allow mmap on top of file systems that don't support it ++ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs ++ * allows recursive mounting, this will need to be extended. ++ */ ++ if (!lower_file->f_op->mmap) ++ return -ENODEV; ++ return generic_file_mmap(file, vma); ++} ++ + /** + * ecryptfs_open + * @inode: inode speciying file to open +@@ -403,7 +416,7 @@ const struct file_operations ecryptfs_ma + #ifdef CONFIG_COMPAT + .compat_ioctl = ecryptfs_compat_ioctl, + #endif +- .mmap = generic_file_mmap, ++ .mmap = ecryptfs_mmap, + .open = ecryptfs_open, + .flush = ecryptfs_flush, + .release = ecryptfs_release, diff --git a/queue-4.6/input-elantech-add-more-ic-body-types-to-the-list.patch b/queue-4.6/input-elantech-add-more-ic-body-types-to-the-list.patch new file mode 100644 index 00000000000..ab0222840ae --- /dev/null +++ b/queue-4.6/input-elantech-add-more-ic-body-types-to-the-list.patch @@ -0,0 +1,39 @@ +From 226ba707744a51acb4244724e09caacb1d96aed9 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 21 Jun 2016 16:09:00 -0700 +Subject: Input: elantech - add more IC body types to the list + +From: Dmitry Torokhov + +commit 226ba707744a51acb4244724e09caacb1d96aed9 upstream. + +The touchpad in HP Pavilion 14-ab057ca reports it's version as 12 and +according to Elan both 11 and 12 are valid IC types and should be +identified as hw_version 4. + +Reported-by: Patrick Lessard +Tested-by: Patrick Lessard +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elantech.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1568,13 +1568,7 @@ static int elantech_set_properties(struc + case 5: + etd->hw_version = 3; + break; +- case 6: +- case 7: +- case 8: +- case 9: +- case 10: +- case 13: +- case 14: ++ case 6 ... 14: + etd->hw_version = 4; + break; + default: diff --git a/queue-4.6/input-synaptics-rmi4-fix-maximum-size-check-for-f12-control-register-8.patch b/queue-4.6/input-synaptics-rmi4-fix-maximum-size-check-for-f12-control-register-8.patch new file mode 100644 index 00000000000..f0d9e7ec818 --- /dev/null +++ b/queue-4.6/input-synaptics-rmi4-fix-maximum-size-check-for-f12-control-register-8.patch @@ -0,0 +1,48 @@ +From e4add7b6beaff4061693d0632bc1dcb306edba10 Mon Sep 17 00:00:00 2001 +From: Andrew Duggan +Date: Tue, 19 Jul 2016 17:53:59 -0700 +Subject: Input: synaptics-rmi4 - fix maximum size check for F12 control register 8 + +From: Andrew Duggan + +commit e4add7b6beaff4061693d0632bc1dcb306edba10 upstream. + +According to the RMI4 spec the maximum size of F12 control register 8 is +15 bytes. The current code incorrectly reports an error if control 8 is +greater then 14. Making sensors with a control register 8 with 15 bytes +unusable. + +Signed-off-by: Andrew Duggan +Reported-by: Chris Healy +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/rmi4/rmi_f12.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/input/rmi4/rmi_f12.c ++++ b/drivers/input/rmi4/rmi_f12.c +@@ -66,7 +66,7 @@ static int rmi_f12_read_sensor_tuning(st + struct rmi_device *rmi_dev = fn->rmi_dev; + int ret; + int offset; +- u8 buf[14]; ++ u8 buf[15]; + int pitch_x = 0; + int pitch_y = 0; + int clip_x_low = 0; +@@ -86,9 +86,10 @@ static int rmi_f12_read_sensor_tuning(st + + offset = rmi_register_desc_calc_reg_offset(&f12->control_reg_desc, 8); + +- if (item->reg_size > 14) { +- dev_err(&fn->dev, "F12 control8 should be 14 bytes, not: %ld\n", +- item->reg_size); ++ if (item->reg_size > sizeof(buf)) { ++ dev_err(&fn->dev, ++ "F12 control8 should be no bigger than %zd bytes, not: %ld\n", ++ sizeof(buf), item->reg_size); + return -ENODEV; + } + diff --git a/queue-4.6/input-tsc200x-report-proper-input_dev-name.patch b/queue-4.6/input-tsc200x-report-proper-input_dev-name.patch new file mode 100644 index 00000000000..af5557cac26 --- /dev/null +++ b/queue-4.6/input-tsc200x-report-proper-input_dev-name.patch @@ -0,0 +1,122 @@ +From e9003c9cfaa17d26991688268b04244adb67ee2b Mon Sep 17 00:00:00 2001 +From: Michael Welling +Date: Wed, 20 Jul 2016 10:02:07 -0700 +Subject: Input: tsc200x - report proper input_dev name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Welling + +commit e9003c9cfaa17d26991688268b04244adb67ee2b upstream. + +Passes input_id struct to the common probe function for the tsc200x drivers +instead of just the bustype. + +This allows for the use of the product variable to set the input_dev->name +variable according to the type of touchscreen used. Note that when we +introduced support for TSC2004 we started calling everything TSC200X, so +let's keep this quirk. + +Signed-off-by: Michael Welling +Acked-by: Pavel Machek +Acked-by: Pali Rohár +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/tsc2004.c | 7 ++++++- + drivers/input/touchscreen/tsc2005.c | 7 ++++++- + drivers/input/touchscreen/tsc200x-core.c | 15 ++++++++++++--- + drivers/input/touchscreen/tsc200x-core.h | 2 +- + 4 files changed, 25 insertions(+), 6 deletions(-) + +--- a/drivers/input/touchscreen/tsc2004.c ++++ b/drivers/input/touchscreen/tsc2004.c +@@ -22,6 +22,11 @@ + #include + #include "tsc200x-core.h" + ++static const struct input_id tsc2004_input_id = { ++ .bustype = BUS_I2C, ++ .product = 2004, ++}; ++ + static int tsc2004_cmd(struct device *dev, u8 cmd) + { + u8 tx = TSC200X_CMD | TSC200X_CMD_12BIT | cmd; +@@ -42,7 +47,7 @@ static int tsc2004_probe(struct i2c_clie + const struct i2c_device_id *id) + + { +- return tsc200x_probe(&i2c->dev, i2c->irq, BUS_I2C, ++ return tsc200x_probe(&i2c->dev, i2c->irq, &tsc2004_input_id, + devm_regmap_init_i2c(i2c, &tsc200x_regmap_config), + tsc2004_cmd); + } +--- a/drivers/input/touchscreen/tsc2005.c ++++ b/drivers/input/touchscreen/tsc2005.c +@@ -24,6 +24,11 @@ + #include + #include "tsc200x-core.h" + ++static const struct input_id tsc2005_input_id = { ++ .bustype = BUS_SPI, ++ .product = 2005, ++}; ++ + static int tsc2005_cmd(struct device *dev, u8 cmd) + { + u8 tx = TSC200X_CMD | TSC200X_CMD_12BIT | cmd; +@@ -62,7 +67,7 @@ static int tsc2005_probe(struct spi_devi + if (error) + return error; + +- return tsc200x_probe(&spi->dev, spi->irq, BUS_SPI, ++ return tsc200x_probe(&spi->dev, spi->irq, &tsc2005_input_id, + devm_regmap_init_spi(spi, &tsc200x_regmap_config), + tsc2005_cmd); + } +--- a/drivers/input/touchscreen/tsc200x-core.c ++++ b/drivers/input/touchscreen/tsc200x-core.c +@@ -450,7 +450,7 @@ static void tsc200x_close(struct input_d + mutex_unlock(&ts->mutex); + } + +-int tsc200x_probe(struct device *dev, int irq, __u16 bustype, ++int tsc200x_probe(struct device *dev, int irq, const struct input_id *tsc_id, + struct regmap *regmap, + int (*tsc200x_cmd)(struct device *dev, u8 cmd)) + { +@@ -547,9 +547,18 @@ int tsc200x_probe(struct device *dev, in + snprintf(ts->phys, sizeof(ts->phys), + "%s/input-ts", dev_name(dev)); + +- input_dev->name = "TSC200X touchscreen"; ++ if (tsc_id->product == 2004) { ++ input_dev->name = "TSC200X touchscreen"; ++ } else { ++ input_dev->name = devm_kasprintf(dev, GFP_KERNEL, ++ "TSC%04d touchscreen", ++ tsc_id->product); ++ if (!input_dev->name) ++ return -ENOMEM; ++ } ++ + input_dev->phys = ts->phys; +- input_dev->id.bustype = bustype; ++ input_dev->id = *tsc_id; + input_dev->dev.parent = dev; + input_dev->evbit[0] = BIT(EV_ABS) | BIT(EV_KEY); + input_dev->keybit[BIT_WORD(BTN_TOUCH)] = BIT_MASK(BTN_TOUCH); +--- a/drivers/input/touchscreen/tsc200x-core.h ++++ b/drivers/input/touchscreen/tsc200x-core.h +@@ -70,7 +70,7 @@ + extern const struct regmap_config tsc200x_regmap_config; + extern const struct dev_pm_ops tsc200x_pm_ops; + +-int tsc200x_probe(struct device *dev, int irq, __u16 bustype, ++int tsc200x_probe(struct device *dev, int irq, const struct input_id *tsc_id, + struct regmap *regmap, + int (*tsc200x_cmd)(struct device *dev, u8 cmd)); + int tsc200x_remove(struct device *dev); diff --git a/queue-4.6/input-vmmouse-remove-port-reservation.patch b/queue-4.6/input-vmmouse-remove-port-reservation.patch new file mode 100644 index 00000000000..c4fdc896b92 --- /dev/null +++ b/queue-4.6/input-vmmouse-remove-port-reservation.patch @@ -0,0 +1,97 @@ +From 60842ef8128e7bf58c024814cd0dc14319232b6c Mon Sep 17 00:00:00 2001 +From: Sinclair Yeh +Date: Thu, 23 Jun 2016 17:37:34 -0700 +Subject: Input: vmmouse - remove port reservation + +From: Sinclair Yeh + +commit 60842ef8128e7bf58c024814cd0dc14319232b6c upstream. + +The VMWare EFI BIOS will expose port 0x5658 as an ACPI resource. This +causes the port to be reserved by the APCI module as the system comes up, +making it unavailable to be reserved again by other drivers, thus +preserving this VMWare port for special use in a VMWare guest. + +This port is designed to be shared among multiple VMWare services, such as +the VMMOUSE. Because of this, VMMOUSE should not try to reserve this port +on its own. + +The VMWare non-EFI BIOS does not do this to preserve compatibility with +existing/legacy VMs. It is known that there is small chance a VM may be +configured such that these ports get reserved by other non-VMWare devices, +and if this ever happens, the result is undefined. + +Signed-off-by: Sinclair Yeh +Reviewed-by: Thomas Hellstrom +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/vmmouse.c | 22 ++-------------------- + 1 file changed, 2 insertions(+), 20 deletions(-) + +--- a/drivers/input/mouse/vmmouse.c ++++ b/drivers/input/mouse/vmmouse.c +@@ -355,18 +355,11 @@ int vmmouse_detect(struct psmouse *psmou + return -ENXIO; + } + +- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) { +- psmouse_dbg(psmouse, "VMMouse port in use.\n"); +- return -EBUSY; +- } +- + /* Check if the device is present */ + response = ~VMMOUSE_PROTO_MAGIC; + VMMOUSE_CMD(GETVERSION, 0, version, response, dummy1, dummy2); +- if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU) { +- release_region(VMMOUSE_PROTO_PORT, 4); ++ if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU) + return -ENXIO; +- } + + if (set_properties) { + psmouse->vendor = VMMOUSE_VENDOR; +@@ -374,8 +367,6 @@ int vmmouse_detect(struct psmouse *psmou + psmouse->model = version; + } + +- release_region(VMMOUSE_PROTO_PORT, 4); +- + return 0; + } + +@@ -394,7 +385,6 @@ static void vmmouse_disconnect(struct ps + psmouse_reset(psmouse); + input_unregister_device(priv->abs_dev); + kfree(priv); +- release_region(VMMOUSE_PROTO_PORT, 4); + } + + /** +@@ -438,15 +428,10 @@ int vmmouse_init(struct psmouse *psmouse + struct input_dev *rel_dev = psmouse->dev, *abs_dev; + int error; + +- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) { +- psmouse_dbg(psmouse, "VMMouse port in use.\n"); +- return -EBUSY; +- } +- + psmouse_reset(psmouse); + error = vmmouse_enable(psmouse); + if (error) +- goto release_region; ++ return error; + + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + abs_dev = input_allocate_device(); +@@ -502,8 +487,5 @@ init_fail: + kfree(priv); + psmouse->private = NULL; + +-release_region: +- release_region(VMMOUSE_PROTO_PORT, 4); +- + return error; + } diff --git a/queue-4.6/input-wacom_w8001-ignore-invalid-pen-data-packets.patch b/queue-4.6/input-wacom_w8001-ignore-invalid-pen-data-packets.patch new file mode 100644 index 00000000000..5c56e313807 --- /dev/null +++ b/queue-4.6/input-wacom_w8001-ignore-invalid-pen-data-packets.patch @@ -0,0 +1,41 @@ +From 9e72ac7492149a229ce9039c680849cb682d7092 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Thu, 23 Jun 2016 10:55:11 -0700 +Subject: Input: wacom_w8001 - ignore invalid pen data packets + +From: Ping Cheng + +commit 9e72ac7492149a229ce9039c680849cb682d7092 upstream. + +ThinkPad X60 Tablet PC (pen only device) sometime posts +packets that are larger than W8001_PKTLEN_TPCPEN. + +Reported-by: Chris J Arges +Tested-by: Chris J Arges +Signed-off-by: Ping Cheng +Reviewed-by: Peter Hutterer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/wacom_w8001.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/input/touchscreen/wacom_w8001.c ++++ b/drivers/input/touchscreen/wacom_w8001.c +@@ -339,6 +339,15 @@ static irqreturn_t w8001_interrupt(struc + w8001->idx = 0; + parse_multi_touch(w8001); + break; ++ ++ default: ++ /* ++ * ThinkPad X60 Tablet PC (pen only device) sometimes ++ * sends invalid data packets that are larger than ++ * W8001_PKTLEN_TPCPEN. Let's start over again. ++ */ ++ if (!w8001->touch_dev && w8001->idx > W8001_PKTLEN_TPCPEN - 1) ++ w8001->idx = 0; + } + + return IRQ_HANDLED; diff --git a/queue-4.6/input-wacom_w8001-w8001_max_length-should-be-13.patch b/queue-4.6/input-wacom_w8001-w8001_max_length-should-be-13.patch new file mode 100644 index 00000000000..c134360146b --- /dev/null +++ b/queue-4.6/input-wacom_w8001-w8001_max_length-should-be-13.patch @@ -0,0 +1,32 @@ +From 12afb34400eb2b301f06b2aa3535497d14faee59 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Thu, 23 Jun 2016 10:54:17 -0700 +Subject: Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 + +From: Ping Cheng + +commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream. + +Somehow the patch that added two-finger touch support forgot to update +W8001_MAX_LENGTH from 11 to 13. + +Signed-off-by: Ping Cheng +Reviewed-by: Peter Hutterer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/wacom_w8001.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/wacom_w8001.c ++++ b/drivers/input/touchscreen/wacom_w8001.c +@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar +Date: Thu, 23 Jun 2016 10:24:42 -0700 +Subject: Input: xpad - fix oops when attaching an unknown Xbox One gamepad + +From: Cameron Gutman + +commit c7f1429389ec1aa25e042bb13451385fbb596f8c upstream. + +Xbox One controllers have multiple interfaces which all have the +same class, subclass, and protocol. One of the these interfaces +has only a single endpoint. When Xpad attempts to bind to this +interface, it causes an oops when trying initialize the output URB +by trying to access the second endpoint's descriptor. + +This situation was avoided for known Xbox One devices by checking +the XTYPE constant associated with the VID and PID tuple. However, +this breaks when new or previously unknown Xbox One controllers +are attached to the system. + +This change addresses the problem by deriving the XTYPE for Xbox +One controllers based on the interface protocol before checking +the interface number. + +Fixes: 1a48ff81b391 ("Input: xpad - add support for Xbox One controllers") +Signed-off-by: Cameron Gutman +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/xpad.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -1427,16 +1427,6 @@ static int xpad_probe(struct usb_interfa + break; + } + +- if (xpad_device[i].xtype == XTYPE_XBOXONE && +- intf->cur_altsetting->desc.bInterfaceNumber != 0) { +- /* +- * The Xbox One controller lists three interfaces all with the +- * same interface class, subclass and protocol. Differentiate by +- * interface number. +- */ +- return -ENODEV; +- } +- + xpad = kzalloc(sizeof(struct usb_xpad), GFP_KERNEL); + if (!xpad) + return -ENOMEM; +@@ -1468,6 +1458,8 @@ static int xpad_probe(struct usb_interfa + if (intf->cur_altsetting->desc.bInterfaceClass == USB_CLASS_VENDOR_SPEC) { + if (intf->cur_altsetting->desc.bInterfaceProtocol == 129) + xpad->xtype = XTYPE_XBOX360W; ++ else if (intf->cur_altsetting->desc.bInterfaceProtocol == 208) ++ xpad->xtype = XTYPE_XBOXONE; + else + xpad->xtype = XTYPE_XBOX360; + } else { +@@ -1482,6 +1474,17 @@ static int xpad_probe(struct usb_interfa + xpad->mapping |= MAP_STICKS_TO_NULL; + } + ++ if (xpad->xtype == XTYPE_XBOXONE && ++ intf->cur_altsetting->desc.bInterfaceNumber != 0) { ++ /* ++ * The Xbox One controller lists three interfaces all with the ++ * same interface class, subclass and protocol. Differentiate by ++ * interface number. ++ */ ++ error = -ENODEV; ++ goto err_free_in_urb; ++ } ++ + error = xpad_init_output(intf, xpad); + if (error) + goto err_free_in_urb; diff --git a/queue-4.6/input-xpad-validate-usb-endpoint-count-during-probe.patch b/queue-4.6/input-xpad-validate-usb-endpoint-count-during-probe.patch new file mode 100644 index 00000000000..80f584661cc --- /dev/null +++ b/queue-4.6/input-xpad-validate-usb-endpoint-count-during-probe.patch @@ -0,0 +1,31 @@ +From caca925fca4fb30c67be88cacbe908eec6721e43 Mon Sep 17 00:00:00 2001 +From: Cameron Gutman +Date: Wed, 29 Jun 2016 09:51:35 -0700 +Subject: Input: xpad - validate USB endpoint count during probe + +From: Cameron Gutman + +commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream. + +This prevents a malicious USB device from causing an oops. + +Signed-off-by: Cameron Gutman +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/xpad.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -1421,6 +1421,9 @@ static int xpad_probe(struct usb_interfa + int ep_irq_in_idx; + int i, error; + ++ if (intf->cur_altsetting->desc.bNumEndpoints != 2) ++ return -ENODEV; ++ + for (i = 0; xpad_device[i].idVendor; i++) { + if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) && + (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct)) diff --git a/queue-4.6/locks-use-file_inode.patch b/queue-4.6/locks-use-file_inode.patch new file mode 100644 index 00000000000..6537ee2ee48 --- /dev/null +++ b/queue-4.6/locks-use-file_inode.patch @@ -0,0 +1,45 @@ +From 6343a2120862f7023006c8091ad95c1f16a32077 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 1 Jul 2016 14:56:07 +0200 +Subject: locks: use file_inode() + +From: Miklos Szeredi + +commit 6343a2120862f7023006c8091ad95c1f16a32077 upstream. + +(Another one for the f_path debacle.) + +ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask. + +The reason is that generic_add_lease() used filp->f_path.dentry->inode +while all the others use file_inode(). This makes a difference for files +opened on overlayfs since the former will point to the overlay inode the +latter to the underlying inode. + +So generic_add_lease() added the lease to the overlay inode and +generic_delete_lease() removed it from the underlying inode. When the file +was released the lease remained on the overlay inode's lock list, resulting +in use after free. + +Reported-by: Eryu Guan +Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay") +Signed-off-by: Miklos Szeredi +Reviewed-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/locks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -1628,7 +1628,7 @@ generic_add_lease(struct file *filp, lon + { + struct file_lock *fl, *my_fl = NULL, *lease; + struct dentry *dentry = filp->f_path.dentry; +- struct inode *inode = dentry->d_inode; ++ struct inode *inode = file_inode(filp); + struct file_lock_context *ctx; + bool is_deleg = (*flp)->fl_flags & FL_DELEG; + int error; diff --git a/queue-4.6/pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch b/queue-4.6/pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch new file mode 100644 index 00000000000..bebb1870e2e --- /dev/null +++ b/queue-4.6/pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch @@ -0,0 +1,35 @@ +From ba562d5e54fd3136bfea0457add3675850247774 Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Wed, 1 Jun 2016 22:21:53 +0300 +Subject: pinctrl: imx: Do not treat a PIN without MUX register as an error + +From: Alexander Shiyan + +commit ba562d5e54fd3136bfea0457add3675850247774 upstream. + +Some PINs do not have a MUX register, it is not an error. +It is necessary to allow the continuation of the PINs configuration, +otherwise the whole PIN-group will be configured incorrectly. + +Signed-off-by: Alexander Shiyan +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/freescale/pinctrl-imx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/freescale/pinctrl-imx.c ++++ b/drivers/pinctrl/freescale/pinctrl-imx.c +@@ -209,9 +209,9 @@ static int imx_pmx_set(struct pinctrl_de + pin_reg = &info->pin_regs[pin_id]; + + if (pin_reg->mux_reg == -1) { +- dev_err(ipctl->dev, "Pin(%s) does not support mux function\n", ++ dev_dbg(ipctl->dev, "Pin(%s) does not support mux function\n", + info->pins[pin_id].name); +- return -EINVAL; ++ continue; + } + + if (info->flags & SHARE_MUX_CONF_REG) { diff --git a/queue-4.6/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch b/queue-4.6/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch new file mode 100644 index 00000000000..4bf9f82cbe3 --- /dev/null +++ b/queue-4.6/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch @@ -0,0 +1,37 @@ +From 0ac3c0a4025f41748a083bdd4970cb3ede802b15 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 31 May 2016 14:17:06 -0700 +Subject: pinctrl: single: Fix missing flush of posted write for a wakeirq + +From: Tony Lindgren + +commit 0ac3c0a4025f41748a083bdd4970cb3ede802b15 upstream. + +With many repeated suspend resume cycles, the pin specific wakeirq +may not always work on omaps. This is because the write to enable the +pin interrupt may not have reached the device over the interconnect +before suspend happens. + +Let's fix the issue with a flush of posted write with a readback. + +Reported-by: Nishanth Menon +Signed-off-by: Tony Lindgren +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/pinctrl-single.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1580,6 +1580,9 @@ static inline void pcs_irq_set(struct pc + else + mask &= ~soc_mask; + pcs->write(mask, pcswi->reg); ++ ++ /* flush posted write */ ++ mask = pcs->read(pcswi->reg); + raw_spin_unlock(&pcs->lock); + } + diff --git a/queue-4.6/power_supply-power_supply_read_temp-only-if-use_cnt-0.patch b/queue-4.6/power_supply-power_supply_read_temp-only-if-use_cnt-0.patch new file mode 100644 index 00000000000..ea8fdf553a9 --- /dev/null +++ b/queue-4.6/power_supply-power_supply_read_temp-only-if-use_cnt-0.patch @@ -0,0 +1,104 @@ +From 5bc28b93a36e3cb3acc2870fb75cb6ffb182fece Mon Sep 17 00:00:00 2001 +From: Rhyland Klein +Date: Thu, 9 Jun 2016 17:28:39 -0400 +Subject: power_supply: power_supply_read_temp only if use_cnt > 0 + +From: Rhyland Klein + +commit 5bc28b93a36e3cb3acc2870fb75cb6ffb182fece upstream. + +Change power_supply_read_temp() to use power_supply_get_property() +so that it will check the use_cnt and ensure it is > 0. The use_cnt +will be incremented at the end of __power_supply_register, so this +will block to case where get_property can be called before the supply +is fully registered. This fixes the issue show in the stack below: + +[ 1.452598] power_supply_read_temp+0x78/0x80 +[ 1.458680] thermal_zone_get_temp+0x5c/0x11c +[ 1.464765] thermal_zone_device_update+0x34/0xb4 +[ 1.471195] thermal_zone_device_register+0x87c/0x8cc +[ 1.477974] __power_supply_register+0x364/0x424 +[ 1.484317] power_supply_register_no_ws+0x10/0x18 +[ 1.490833] bq27xxx_battery_setup+0x10c/0x164 +[ 1.497003] bq27xxx_battery_i2c_probe+0xd0/0x1b0 +[ 1.503435] i2c_device_probe+0x174/0x240 +[ 1.509172] driver_probe_device+0x1fc/0x29c +[ 1.515167] __driver_attach+0xa4/0xa8 +[ 1.520643] bus_for_each_dev+0x58/0x98 +[ 1.526204] driver_attach+0x20/0x28 +[ 1.531505] bus_add_driver+0x1c8/0x22c +[ 1.537067] driver_register+0x68/0x108 +[ 1.542630] i2c_register_driver+0x38/0x7c +[ 1.548457] bq27xxx_battery_i2c_driver_init+0x18/0x20 +[ 1.555321] do_one_initcall+0x38/0x12c +[ 1.560886] kernel_init_freeable+0x148/0x1ec +[ 1.566972] kernel_init+0x10/0xfc +[ 1.572101] ret_from_fork+0x10/0x40 + +Also make the same change to ps_get_max_charge_cntl_limit() and +ps_get_cur_chrage_cntl_limit() to be safe. Lastly, change the return +value of power_supply_get_property() to -EAGAIN from -ENODEV if +use_cnt <= 0. + +Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") +Signed-off-by: Rhyland Klein +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/power_supply_core.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/drivers/power/power_supply_core.c ++++ b/drivers/power/power_supply_core.c +@@ -565,11 +565,12 @@ static int power_supply_read_temp(struct + + WARN_ON(tzd == NULL); + psy = tzd->devdata; +- ret = psy->desc->get_property(psy, POWER_SUPPLY_PROP_TEMP, &val); ++ ret = power_supply_get_property(psy, POWER_SUPPLY_PROP_TEMP, &val); ++ if (ret) ++ return ret; + + /* Convert tenths of degree Celsius to milli degree Celsius. */ +- if (!ret) +- *temp = val.intval * 100; ++ *temp = val.intval * 100; + + return ret; + } +@@ -612,10 +613,12 @@ static int ps_get_max_charge_cntl_limit( + int ret; + + psy = tcd->devdata; +- ret = psy->desc->get_property(psy, +- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, &val); +- if (!ret) +- *state = val.intval; ++ ret = power_supply_get_property(psy, ++ POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, &val); ++ if (ret) ++ return ret; ++ ++ *state = val.intval; + + return ret; + } +@@ -628,10 +631,12 @@ static int ps_get_cur_chrage_cntl_limit( + int ret; + + psy = tcd->devdata; +- ret = psy->desc->get_property(psy, +- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, &val); +- if (!ret) +- *state = val.intval; ++ ret = power_supply_get_property(psy, ++ POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, &val); ++ if (ret) ++ return ret; ++ ++ *state = val.intval; + + return ret; + } diff --git a/queue-4.6/pvclock-add-cpu-barriers-to-get-correct-version-value.patch b/queue-4.6/pvclock-add-cpu-barriers-to-get-correct-version-value.patch new file mode 100644 index 00000000000..5e3dba0c87c --- /dev/null +++ b/queue-4.6/pvclock-add-cpu-barriers-to-get-correct-version-value.patch @@ -0,0 +1,59 @@ +From 749d088b8e7f4b9826ede02b9a043e417fa84aa1 Mon Sep 17 00:00:00 2001 +From: Minfei Huang +Date: Fri, 27 May 2016 14:17:10 +0800 +Subject: pvclock: Add CPU barriers to get correct version value + +From: Minfei Huang + +commit 749d088b8e7f4b9826ede02b9a043e417fa84aa1 upstream. + +Protocol for the "version" fields is: hypervisor raises it (making it +uneven) before it starts updating the fields and raises it again (making +it even) when it is done. Thus the guest can make sure the time values +it got are consistent by checking the version before and after reading +them. + +Add CPU barries after getting version value just like what function +vread_pvclock does, because all of callees in this function is inline. + +Fixes: 502dfeff239e8313bfbe906ca0a1a6827ac8481b +Signed-off-by: Minfei Huang +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/pvclock.h | 2 ++ + arch/x86/kernel/pvclock.c | 4 ++++ + 2 files changed, 6 insertions(+) + +--- a/arch/x86/include/asm/pvclock.h ++++ b/arch/x86/include/asm/pvclock.h +@@ -85,6 +85,8 @@ unsigned __pvclock_read_cycles(const str + u8 ret_flags; + + version = src->version; ++ /* Make the latest version visible */ ++ smp_rmb(); + + offset = pvclock_get_nsec_offset(src); + ret = src->system_time + offset; +--- a/arch/x86/kernel/pvclock.c ++++ b/arch/x86/kernel/pvclock.c +@@ -66,6 +66,8 @@ u8 pvclock_read_flags(struct pvclock_vcp + + do { + version = __pvclock_read_cycles(src, &ret, &flags); ++ /* Make sure that the version double-check is last. */ ++ smp_rmb(); + } while ((src->version & 1) || version != src->version); + + return flags & valid_flags; +@@ -80,6 +82,8 @@ cycle_t pvclock_clocksource_read(struct + + do { + version = __pvclock_read_cycles(src, &ret, &flags); ++ /* Make sure that the version double-check is last. */ ++ smp_rmb(); + } while ((src->version & 1) || version != src->version); + + if (unlikely((flags & PVCLOCK_GUEST_STOPPED) != 0)) { diff --git a/queue-4.6/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch b/queue-4.6/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch new file mode 100644 index 00000000000..a3503590463 --- /dev/null +++ b/queue-4.6/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch @@ -0,0 +1,61 @@ +From 78c4e172412de5d0456dc00d2b34050aa0b683b5 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Tue, 5 Jul 2016 17:32:29 -0400 +Subject: Revert "ecryptfs: forbid opening files without mmap handler" + +From: Jeff Mahoney + +commit 78c4e172412de5d0456dc00d2b34050aa0b683b5 upstream. + +This reverts commit 2f36db71009304b3f0b95afacd8eba1f9f046b87. + +It fixed a local root exploit but also introduced a dependency on +the lower file system implementing an mmap operation just to open a file, +which is a bit of a heavy hammer. The right fix is to have mmap depend +on the existence of the mmap handler instead. + +Signed-off-by: Jeff Mahoney +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/kthread.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +--- a/fs/ecryptfs/kthread.c ++++ b/fs/ecryptfs/kthread.c +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include "ecryptfs_kernel.h" + + struct ecryptfs_open_req { +@@ -148,7 +147,7 @@ int ecryptfs_privileged_open(struct file + flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR; + (*lower_file) = dentry_open(&req.path, flags, cred); + if (!IS_ERR(*lower_file)) +- goto have_file; ++ goto out; + if ((flags & O_ACCMODE) == O_RDONLY) { + rc = PTR_ERR((*lower_file)); + goto out; +@@ -166,16 +165,8 @@ int ecryptfs_privileged_open(struct file + mutex_unlock(&ecryptfs_kthread_ctl.mux); + wake_up(&ecryptfs_kthread_ctl.wait); + wait_for_completion(&req.done); +- if (IS_ERR(*lower_file)) { ++ if (IS_ERR(*lower_file)) + rc = PTR_ERR(*lower_file); +- goto out; +- } +-have_file: +- if ((*lower_file)->f_op->mmap == NULL) { +- fput(*lower_file); +- *lower_file = NULL; +- rc = -EMEDIUMTYPE; +- } + out: + return rc; + } diff --git a/queue-4.6/revert-input-wacom_w8001-drop-use-of-abs_mt_tool_type.patch b/queue-4.6/revert-input-wacom_w8001-drop-use-of-abs_mt_tool_type.patch new file mode 100644 index 00000000000..d4a39af8266 --- /dev/null +++ b/queue-4.6/revert-input-wacom_w8001-drop-use-of-abs_mt_tool_type.patch @@ -0,0 +1,39 @@ +From 3e9161bfe0482f26efeaf584d5fd69398c69313c Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 14 Jul 2016 09:33:41 -0700 +Subject: Revert "Input: wacom_w8001 - drop use of ABS_MT_TOOL_TYPE" + +From: Dmitry Torokhov + +commit 3e9161bfe0482f26efeaf584d5fd69398c69313c upstream. + +This reverts commit 5f7e5445a2de848c66d2d80ba5479197e8287c33 because +removal of input_mt_report_slot_state() means we no longer generate +tracking IDs for the reported contacts. + +Acked-by: Peter Hutterer +Acked-by: Ping Cheng + +--- + drivers/input/touchscreen/wacom_w8001.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/touchscreen/wacom_w8001.c ++++ b/drivers/input/touchscreen/wacom_w8001.c +@@ -155,6 +155,7 @@ static void parse_multi_touch(struct w80 + bool touch = data[0] & (1 << i); + + input_mt_slot(dev, i); ++ input_mt_report_slot_state(dev, MT_TOOL_FINGER, touch); + if (touch) { + x = (data[6 * i + 1] << 7) | data[6 * i + 2]; + y = (data[6 * i + 3] << 7) | data[6 * i + 4]; +@@ -522,6 +523,8 @@ static int w8001_setup_touch(struct w800 + 0, touch.x, 0, 0); + input_set_abs_params(dev, ABS_MT_POSITION_Y, + 0, touch.y, 0, 0); ++ input_set_abs_params(dev, ABS_MT_TOOL_TYPE, ++ 0, MT_TOOL_MAX, 0, 0); + + strlcat(basename, " 2FG", basename_sz); + if (w8001->max_pen_x && w8001->max_pen_y) diff --git a/queue-4.6/series b/queue-4.6/series index f665e079812..3e1dec41ea5 100644 --- a/queue-4.6/series +++ b/queue-4.6/series @@ -31,3 +31,25 @@ xenbus-don-t-bug-on-user-mode-induced-condition.patch xenbus-don-t-bail-early-from-xenbus_dev_request_and_reply.patch xen-blkfront-fix-resume-issues-after-a-migration.patch xen-blkfront-don-t-call-talk_to_blkback-when-already-connected-to-blkback.patch +alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch +alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch +alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch +input-vmmouse-remove-port-reservation.patch +input-elantech-add-more-ic-body-types-to-the-list.patch +input-xpad-fix-oops-when-attaching-an-unknown-xbox-one-gamepad.patch +input-wacom_w8001-w8001_max_length-should-be-13.patch +input-wacom_w8001-ignore-invalid-pen-data-packets.patch +input-xpad-validate-usb-endpoint-count-during-probe.patch +revert-input-wacom_w8001-drop-use-of-abs_mt_tool_type.patch +input-synaptics-rmi4-fix-maximum-size-check-for-f12-control-register-8.patch +input-tsc200x-report-proper-input_dev-name.patch +pvclock-add-cpu-barriers-to-get-correct-version-value.patch +pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch +pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch +cgroup-remove-redundant-cleanup-in-css_create.patch +cgroup-set-css-id-to-1-during-init.patch +cgroup-disable-irqs-while-holding-css_set_lock.patch +power_supply-power_supply_read_temp-only-if-use_cnt-0.patch +locks-use-file_inode.patch +revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch +ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch