From: Greg Kroah-Hartman Date: Mon, 3 Apr 2023 08:12:13 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.312~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fcc8a4f7478c79abef19878009fa16d50d6275ab;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: btrfs-fix-race-between-quota-disable-and-quota-assign-ioctls.patch cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch input-alps-fix-compatibility-with-funsigned-char.patch input-focaltech-use-explicitly-signed-char-type.patch input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch --- diff --git a/queue-5.10/btrfs-fix-race-between-quota-disable-and-quota-assign-ioctls.patch b/queue-5.10/btrfs-fix-race-between-quota-disable-and-quota-assign-ioctls.patch new file mode 100644 index 00000000000..26c7cabe87f --- /dev/null +++ b/queue-5.10/btrfs-fix-race-between-quota-disable-and-quota-assign-ioctls.patch @@ -0,0 +1,193 @@ +From 2f1a6be12ab6c8470d5776e68644726c94257c54 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Wed, 22 Mar 2023 10:33:28 +0000 +Subject: btrfs: fix race between quota disable and quota assign ioctls + +From: Filipe Manana + +commit 2f1a6be12ab6c8470d5776e68644726c94257c54 upstream. + +The quota assign ioctl can currently run in parallel with a quota disable +ioctl call. The assign ioctl uses the quota root, while the disable ioctl +frees that root, and therefore we can have a use-after-free triggered in +the assign ioctl, leading to a trace like the following when KASAN is +enabled: + + [672.723][T736] BUG: KASAN: slab-use-after-free in btrfs_search_slot+0x2962/0x2db0 + [672.723][T736] Read of size 8 at addr ffff888022ec0208 by task btrfs_search_sl/27736 + [672.724][T736] + [672.725][T736] CPU: 1 PID: 27736 Comm: btrfs_search_sl Not tainted 6.3.0-rc3 #37 + [672.723][T736] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + [672.727][T736] Call Trace: + [672.728][T736] + [672.728][T736] dump_stack_lvl+0xd9/0x150 + [672.725][T736] print_report+0xc1/0x5e0 + [672.720][T736] ? __virt_addr_valid+0x61/0x2e0 + [672.727][T736] ? __phys_addr+0xc9/0x150 + [672.725][T736] ? btrfs_search_slot+0x2962/0x2db0 + [672.722][T736] kasan_report+0xc0/0xf0 + [672.729][T736] ? btrfs_search_slot+0x2962/0x2db0 + [672.724][T736] btrfs_search_slot+0x2962/0x2db0 + [672.723][T736] ? fs_reclaim_acquire+0xba/0x160 + [672.722][T736] ? split_leaf+0x13d0/0x13d0 + [672.726][T736] ? rcu_is_watching+0x12/0xb0 + [672.723][T736] ? kmem_cache_alloc+0x338/0x3c0 + [672.722][T736] update_qgroup_status_item+0xf7/0x320 + [672.724][T736] ? add_qgroup_rb+0x3d0/0x3d0 + [672.739][T736] ? do_raw_spin_lock+0x12d/0x2b0 + [672.730][T736] ? spin_bug+0x1d0/0x1d0 + [672.737][T736] btrfs_run_qgroups+0x5de/0x840 + [672.730][T736] ? btrfs_qgroup_rescan_worker+0xa70/0xa70 + [672.738][T736] ? __del_qgroup_relation+0x4ba/0xe00 + [672.738][T736] btrfs_ioctl+0x3d58/0x5d80 + [672.735][T736] ? tomoyo_path_number_perm+0x16a/0x550 + [672.737][T736] ? tomoyo_execute_permission+0x4a0/0x4a0 + [672.731][T736] ? btrfs_ioctl_get_supported_features+0x50/0x50 + [672.737][T736] ? __sanitizer_cov_trace_switch+0x54/0x90 + [672.734][T736] ? do_vfs_ioctl+0x132/0x1660 + [672.730][T736] ? vfs_fileattr_set+0xc40/0xc40 + [672.730][T736] ? _raw_spin_unlock_irq+0x2e/0x50 + [672.732][T736] ? sigprocmask+0xf2/0x340 + [672.737][T736] ? __fget_files+0x26a/0x480 + [672.732][T736] ? bpf_lsm_file_ioctl+0x9/0x10 + [672.738][T736] ? btrfs_ioctl_get_supported_features+0x50/0x50 + [672.736][T736] __x64_sys_ioctl+0x198/0x210 + [672.736][T736] do_syscall_64+0x39/0xb0 + [672.731][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.739][T736] RIP: 0033:0x4556ad + [672.742][T736] + [672.743][T736] + [672.748][T736] Allocated by task 27677: + [672.743][T736] kasan_save_stack+0x22/0x40 + [672.741][T736] kasan_set_track+0x25/0x30 + [672.741][T736] __kasan_kmalloc+0xa4/0xb0 + [672.749][T736] btrfs_alloc_root+0x48/0x90 + [672.746][T736] btrfs_create_tree+0x146/0xa20 + [672.744][T736] btrfs_quota_enable+0x461/0x1d20 + [672.743][T736] btrfs_ioctl+0x4a1c/0x5d80 + [672.747][T736] __x64_sys_ioctl+0x198/0x210 + [672.749][T736] do_syscall_64+0x39/0xb0 + [672.744][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.756][T736] + [672.757][T736] Freed by task 27677: + [672.759][T736] kasan_save_stack+0x22/0x40 + [672.759][T736] kasan_set_track+0x25/0x30 + [672.756][T736] kasan_save_free_info+0x2e/0x50 + [672.751][T736] ____kasan_slab_free+0x162/0x1c0 + [672.758][T736] slab_free_freelist_hook+0x89/0x1c0 + [672.752][T736] __kmem_cache_free+0xaf/0x2e0 + [672.752][T736] btrfs_put_root+0x1ff/0x2b0 + [672.759][T736] btrfs_quota_disable+0x80a/0xbc0 + [672.752][T736] btrfs_ioctl+0x3e5f/0x5d80 + [672.756][T736] __x64_sys_ioctl+0x198/0x210 + [672.753][T736] do_syscall_64+0x39/0xb0 + [672.765][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.769][T736] + [672.768][T736] The buggy address belongs to the object at ffff888022ec0000 + [672.768][T736] which belongs to the cache kmalloc-4k of size 4096 + [672.769][T736] The buggy address is located 520 bytes inside of + [672.769][T736] freed 4096-byte region [ffff888022ec0000, ffff888022ec1000) + [672.760][T736] + [672.764][T736] The buggy address belongs to the physical page: + [672.761][T736] page:ffffea00008bb000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22ec0 + [672.766][T736] head:ffffea00008bb000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + [672.779][T736] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) + [672.770][T736] raw: 00fff00000010200 ffff888012842140 ffffea000054ba00 dead000000000002 + [672.770][T736] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 + [672.771][T736] page dumped because: kasan: bad access detected + [672.778][T736] page_owner tracks the page as allocated + [672.777][T736] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 88 + [672.779][T736] get_page_from_freelist+0x119c/0x2d50 + [672.779][T736] __alloc_pages+0x1cb/0x4a0 + [672.776][T736] alloc_pages+0x1aa/0x270 + [672.773][T736] allocate_slab+0x260/0x390 + [672.771][T736] ___slab_alloc+0xa9a/0x13e0 + [672.778][T736] __slab_alloc.constprop.0+0x56/0xb0 + [672.771][T736] __kmem_cache_alloc_node+0x136/0x320 + [672.789][T736] __kmalloc+0x4e/0x1a0 + [672.783][T736] tomoyo_realpath_from_path+0xc3/0x600 + [672.781][T736] tomoyo_path_perm+0x22f/0x420 + [672.782][T736] tomoyo_path_unlink+0x92/0xd0 + [672.780][T736] security_path_unlink+0xdb/0x150 + [672.788][T736] do_unlinkat+0x377/0x680 + [672.788][T736] __x64_sys_unlink+0xca/0x110 + [672.789][T736] do_syscall_64+0x39/0xb0 + [672.783][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.784][T736] page last free stack trace: + [672.787][T736] free_pcp_prepare+0x4e5/0x920 + [672.787][T736] free_unref_page+0x1d/0x4e0 + [672.784][T736] __unfreeze_partials+0x17c/0x1a0 + [672.797][T736] qlist_free_all+0x6a/0x180 + [672.796][T736] kasan_quarantine_reduce+0x189/0x1d0 + [672.797][T736] __kasan_slab_alloc+0x64/0x90 + [672.793][T736] kmem_cache_alloc+0x17c/0x3c0 + [672.799][T736] getname_flags.part.0+0x50/0x4e0 + [672.799][T736] getname_flags+0x9e/0xe0 + [672.792][T736] vfs_fstatat+0x77/0xb0 + [672.791][T736] __do_sys_newlstat+0x84/0x100 + [672.798][T736] do_syscall_64+0x39/0xb0 + [672.796][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.790][T736] + [672.791][T736] Memory state around the buggy address: + [672.799][T736] ffff888022ec0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [672.805][T736] ffff888022ec0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [672.802][T736] >ffff888022ec0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [672.809][T736] ^ + [672.809][T736] ffff888022ec0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [672.809][T736] ffff888022ec0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fix this by having the qgroup assign ioctl take the qgroup ioctl mutex +before calling btrfs_run_qgroups(), which is what all qgroup ioctls should +call. + +Reported-by: butt3rflyh4ck +Link: https://lore.kernel.org/linux-btrfs/CAFcO6XN3VD8ogmHwqRk4kbiwtpUSNySu2VAxN8waEPciCHJvMA@mail.gmail.com/ +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 2 ++ + fs/btrfs/qgroup.c | 11 ++++++++++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -4254,7 +4254,9 @@ static long btrfs_ioctl_qgroup_assign(st + } + + /* update qgroup status and info */ ++ mutex_lock(&fs_info->qgroup_ioctl_lock); + err = btrfs_run_qgroups(trans); ++ mutex_unlock(&fs_info->qgroup_ioctl_lock); + if (err < 0) + btrfs_handle_fs_error(fs_info, err, + "failed to update qgroup status and info"); +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2762,13 +2762,22 @@ cleanup: + } + + /* +- * called from commit_transaction. Writes all changed qgroups to disk. ++ * Writes all changed qgroups to disk. ++ * Called by the transaction commit path and the qgroup assign ioctl. + */ + int btrfs_run_qgroups(struct btrfs_trans_handle *trans) + { + struct btrfs_fs_info *fs_info = trans->fs_info; + int ret = 0; + ++ /* ++ * In case we are called from the qgroup assign ioctl, assert that we ++ * are holding the qgroup_ioctl_lock, otherwise we can race with a quota ++ * disable operation (ioctl) and access a freed quota root. ++ */ ++ if (trans->transaction->state != TRANS_STATE_COMMIT_DOING) ++ lockdep_assert_held(&fs_info->qgroup_ioctl_lock); ++ + if (!fs_info->quota_root) + return ret; + diff --git a/queue-5.10/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch b/queue-5.10/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch new file mode 100644 index 00000000000..4d3dc88199d --- /dev/null +++ b/queue-5.10/cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch @@ -0,0 +1,62 @@ +From 179a88a8558bbf42991d361595281f3e45d7edfc Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Wed, 29 Mar 2023 22:24:06 +0200 +Subject: cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL + +From: David Disseldorp + +commit 179a88a8558bbf42991d361595281f3e45d7edfc upstream. + +When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount +is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to +S_AUTOMOUNT and corresponding dentry flags is retained regardless of +CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in +VFS follow_automount() when traversing a DFS referral link: + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ... + Call Trace: + + __traverse_mounts+0xb5/0x220 + ? cifs_revalidate_mapping+0x65/0xc0 [cifs] + step_into+0x195/0x610 + ? lookup_fast+0xe2/0xf0 + path_lookupat+0x64/0x140 + filename_lookup+0xc2/0x140 + ? __create_object+0x299/0x380 + ? kmem_cache_alloc+0x119/0x220 + ? user_path_at_empty+0x31/0x50 + user_path_at_empty+0x31/0x50 + __x64_sys_chdir+0x2a/0xd0 + ? exit_to_user_mode_prepare+0xca/0x100 + do_syscall_64+0x42/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler +when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to +avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This +approach was chosen as it provides more control over the error path. + +Signed-off-by: David Disseldorp +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (SUSE) +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/cifs/cifsfs.h ++++ b/fs/cifs/cifsfs.h +@@ -126,7 +126,10 @@ extern const struct dentry_operations ci + #ifdef CONFIG_CIFS_DFS_UPCALL + extern struct vfsmount *cifs_dfs_d_automount(struct path *path); + #else +-#define cifs_dfs_d_automount NULL ++static inline struct vfsmount *cifs_dfs_d_automount(struct path *path) ++{ ++ return ERR_PTR(-EREMOTE); ++} + #endif + + /* Functions related to symlinks */ diff --git a/queue-5.10/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch b/queue-5.10/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch new file mode 100644 index 00000000000..6aa2199d48a --- /dev/null +++ b/queue-5.10/cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch @@ -0,0 +1,40 @@ +From 09ba47b44d26b475bbdf9c80db9e0193d2b58956 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 29 Mar 2023 17:14:22 -0300 +Subject: cifs: prevent infinite recursion in CIFSGetDFSRefer() + +From: Paulo Alcantara + +commit 09ba47b44d26b475bbdf9c80db9e0193d2b58956 upstream. + +We can't call smb_init() in CIFSGetDFSRefer() as cifs_reconnect_tcon() +may end up calling CIFSGetDFSRefer() again to get new DFS referrals +and thus causing an infinite recursion. + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Ronnie Sahlberg +Cc: stable@vger.kernel.org # 6.2 +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifssmb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -4859,8 +4859,13 @@ CIFSGetDFSRefer(const unsigned int xid, + return -ENODEV; + + getDFSRetry: +- rc = smb_init(SMB_COM_TRANSACTION2, 15, ses->tcon_ipc, (void **) &pSMB, +- (void **) &pSMBr); ++ /* ++ * Use smb_init_no_reconnect() instead of smb_init() as ++ * CIFSGetDFSRefer() may be called from cifs_reconnect_tcon() and thus ++ * causing an infinite recursion. ++ */ ++ rc = smb_init_no_reconnect(SMB_COM_TRANSACTION2, 15, ses->tcon_ipc, ++ (void **)&pSMB, (void **)&pSMBr); + if (rc) + return rc; + diff --git a/queue-5.10/input-alps-fix-compatibility-with-funsigned-char.patch b/queue-5.10/input-alps-fix-compatibility-with-funsigned-char.patch new file mode 100644 index 00000000000..ffd0054172a --- /dev/null +++ b/queue-5.10/input-alps-fix-compatibility-with-funsigned-char.patch @@ -0,0 +1,77 @@ +From 754ff5060daf5a1cf4474eff9b4edeb6c17ef7ab Mon Sep 17 00:00:00 2001 +From: msizanoen +Date: Sun, 19 Mar 2023 23:02:56 -0700 +Subject: Input: alps - fix compatibility with -funsigned-char + +From: msizanoen + +commit 754ff5060daf5a1cf4474eff9b4edeb6c17ef7ab upstream. + +The AlpsPS/2 code previously relied on the assumption that `char` is a +signed type, which was true on x86 platforms (the only place where this +driver is used) before kernel 6.2. However, on 6.2 and later, this +assumption is broken due to the introduction of -funsigned-char as a new +global compiler flag. + +Fix this by explicitly specifying the signedness of `char` when sign +extending the values received from the device. + +Fixes: f3f33c677699 ("Input: alps - Rushmore and v7 resolution support") +Signed-off-by: msizanoen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230320045228.182259-1-msizanoen@qtmlabs.xyz +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/alps.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -852,8 +852,8 @@ static void alps_process_packet_v6(struc + x = y = z = 0; + + /* Divide 4 since trackpoint's speed is too fast */ +- input_report_rel(dev2, REL_X, (char)x / 4); +- input_report_rel(dev2, REL_Y, -((char)y / 4)); ++ input_report_rel(dev2, REL_X, (s8)x / 4); ++ input_report_rel(dev2, REL_Y, -((s8)y / 4)); + + psmouse_report_standard_buttons(dev2, packet[3]); + +@@ -1104,8 +1104,8 @@ static void alps_process_trackstick_pack + ((packet[3] & 0x20) << 1); + z = (packet[5] & 0x3f) | ((packet[3] & 0x80) >> 1); + +- input_report_rel(dev2, REL_X, (char)x); +- input_report_rel(dev2, REL_Y, -((char)y)); ++ input_report_rel(dev2, REL_X, (s8)x); ++ input_report_rel(dev2, REL_Y, -((s8)y)); + input_report_abs(dev2, ABS_PRESSURE, z); + + psmouse_report_standard_buttons(dev2, packet[1]); +@@ -2294,20 +2294,20 @@ static int alps_get_v3_v7_resolution(str + if (reg < 0) + return reg; + +- x_pitch = (char)(reg << 4) >> 4; /* sign extend lower 4 bits */ ++ x_pitch = (s8)(reg << 4) >> 4; /* sign extend lower 4 bits */ + x_pitch = 50 + 2 * x_pitch; /* In 0.1 mm units */ + +- y_pitch = (char)reg >> 4; /* sign extend upper 4 bits */ ++ y_pitch = (s8)reg >> 4; /* sign extend upper 4 bits */ + y_pitch = 36 + 2 * y_pitch; /* In 0.1 mm units */ + + reg = alps_command_mode_read_reg(psmouse, reg_pitch + 1); + if (reg < 0) + return reg; + +- x_electrode = (char)(reg << 4) >> 4; /* sign extend lower 4 bits */ ++ x_electrode = (s8)(reg << 4) >> 4; /* sign extend lower 4 bits */ + x_electrode = 17 + x_electrode; + +- y_electrode = (char)reg >> 4; /* sign extend upper 4 bits */ ++ y_electrode = (s8)reg >> 4; /* sign extend upper 4 bits */ + y_electrode = 13 + y_electrode; + + x_phys = x_pitch * (x_electrode - 1); /* In 0.1 mm units */ diff --git a/queue-5.10/input-focaltech-use-explicitly-signed-char-type.patch b/queue-5.10/input-focaltech-use-explicitly-signed-char-type.patch new file mode 100644 index 00000000000..1ee4c59f373 --- /dev/null +++ b/queue-5.10/input-focaltech-use-explicitly-signed-char-type.patch @@ -0,0 +1,50 @@ +From 8980f190947ba29f23110408e712444884b74251 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sun, 19 Mar 2023 21:36:36 -0700 +Subject: Input: focaltech - use explicitly signed char type + +From: Jason A. Donenfeld + +commit 8980f190947ba29f23110408e712444884b74251 upstream. + +The recent change of -funsigned-char causes additions of negative +numbers to become additions of large positive numbers, leading to wrong +calculations of mouse movement. Change these casts to be explicitly +signed, to take into account negative offsets. + +Fixes: 3bc753c06dd0 ("kbuild: treat char as always unsigned") +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Hans de Goede +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217211 +Link: https://lore.kernel.org/r/20230318133010.1285202-1-Jason@zx2c4.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/focaltech.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/mouse/focaltech.c ++++ b/drivers/input/mouse/focaltech.c +@@ -202,8 +202,8 @@ static void focaltech_process_rel_packet + state->pressed = packet[0] >> 7; + finger1 = ((packet[0] >> 4) & 0x7) - 1; + if (finger1 < FOC_MAX_FINGERS) { +- state->fingers[finger1].x += (char)packet[1]; +- state->fingers[finger1].y += (char)packet[2]; ++ state->fingers[finger1].x += (s8)packet[1]; ++ state->fingers[finger1].y += (s8)packet[2]; + } else { + psmouse_err(psmouse, "First finger in rel packet invalid: %d\n", + finger1); +@@ -218,8 +218,8 @@ static void focaltech_process_rel_packet + */ + finger2 = ((packet[3] >> 4) & 0x7) - 1; + if (finger2 < FOC_MAX_FINGERS) { +- state->fingers[finger2].x += (char)packet[4]; +- state->fingers[finger2].y += (char)packet[5]; ++ state->fingers[finger2].x += (s8)packet[4]; ++ state->fingers[finger2].y += (s8)packet[5]; + } + } + diff --git a/queue-5.10/input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch b/queue-5.10/input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch new file mode 100644 index 00000000000..cb1f9dfe129 --- /dev/null +++ b/queue-5.10/input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch @@ -0,0 +1,53 @@ +From 8a0432bab6ea3203d220785da7ab3c7677f70ecb Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 17 Mar 2023 03:13:12 -0700 +Subject: Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table + +From: Hans de Goede + +commit 8a0432bab6ea3203d220785da7ab3c7677f70ecb upstream. + +The Android Lenovo Yoga Book X90F / X90L uses the same goodix touchscreen +with 9 bytes touch reports for its touch keyboard as the already supported +Windows Lenovo Yoga Book X91F/L, add a DMI match for this to +the nine_bytes_report DMI table. + +When the quirk for the X91F/L was initially added it was written to +also apply to the X90F/L but this does not work because the Android +version of the Yoga Book uses completely different DMI strings. +Also adjust the X91F/L quirk to reflect that it only applies to +the X91F/L models. + +Signed-off-by: Hans de Goede +Reviewed-by: Bastien Nocera +Link: https://lore.kernel.org/r/20230315134442.71787-1-hdegoede@redhat.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/goodix.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -183,10 +183,18 @@ static const unsigned long goodix_irq_fl + static const struct dmi_system_id nine_bytes_report[] = { + #if defined(CONFIG_DMI) && defined(CONFIG_X86) + { +- .ident = "Lenovo YogaBook", +- /* YB1-X91L/F and YB1-X90L/F */ ++ /* Lenovo Yoga Book X90F / X90L */ + .matches = { +- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9") ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), ++ } ++ }, ++ { ++ /* Lenovo Yoga Book X91F / X91L */ ++ .matches = { ++ /* Non exact match to match F + L versions */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"), + } + }, + #endif diff --git a/queue-5.10/series b/queue-5.10/series index 96bbc8d9761..ed4e788f284 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -142,3 +142,9 @@ bnxt_en-fix-typo-in-pci-id-to-device-description-str.patch bnxt_en-add-missing-200g-link-speed-reporting.patch net-dsa-mv88e6xxx-enable-igmp-snooping-on-user-ports.patch pinctrl-ocelot-fix-alt-mode-for-ocelot.patch +input-alps-fix-compatibility-with-funsigned-char.patch +input-focaltech-use-explicitly-signed-char-type.patch +cifs-prevent-infinite-recursion-in-cifsgetdfsrefer.patch +cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch +input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch +btrfs-fix-race-between-quota-disable-and-quota-assign-ioctls.patch