From: Greg Kroah-Hartman Date: Thu, 11 Aug 2022 14:13:07 +0000 (+0200) Subject: 5.18-stable patches X-Git-Tag: v5.15.61~216 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6562d003a7437791464174b56313c8ceba2495ab;p=thirdparty%2Fkernel%2Fstable-queue.git 5.18-stable patches added patches: add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch hid-hid-input-add-surface-go-battery-quirk.patch hid-nintendo-add-missing-array-termination.patch hid-wacom-don-t-register-pad_input-for-touch-switch.patch hid-wacom-only-report-rotation-for-art-pen.patch lockd-detect-and-reject-lock-arguments-that-overflow.patch --- diff --git a/queue-5.18/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch b/queue-5.18/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch new file mode 100644 index 00000000000..10da72ef68e --- /dev/null +++ b/queue-5.18/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch @@ -0,0 +1,77 @@ +From d4252071b97d2027d246f6a82cbee4d52f618b47 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 9 Aug 2022 14:32:13 -0400 +Subject: add barriers to buffer_uptodate and set_buffer_uptodate + +From: Mikulas Patocka + +commit d4252071b97d2027d246f6a82cbee4d52f618b47 upstream. + +Let's have a look at this piece of code in __bread_slow: + + get_bh(bh); + bh->b_end_io = end_buffer_read_sync; + submit_bh(REQ_OP_READ, 0, bh); + wait_on_buffer(bh); + if (buffer_uptodate(bh)) + return bh; + +Neither wait_on_buffer nor buffer_uptodate contain any memory barrier. +Consequently, if someone calls sb_bread and then reads the buffer data, +the read of buffer data may be executed before wait_on_buffer(bh) on +architectures with weak memory ordering and it may return invalid data. + +Fix this bug by adding a memory barrier to set_buffer_uptodate and an +acquire barrier to buffer_uptodate (in a similar way as +folio_test_uptodate and folio_mark_uptodate). + +Signed-off-by: Mikulas Patocka +Reviewed-by: Matthew Wilcox (Oracle) +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/buffer_head.h | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +--- a/include/linux/buffer_head.h ++++ b/include/linux/buffer_head.h +@@ -117,7 +117,6 @@ static __always_inline int test_clear_bu + * of the form "mark_buffer_foo()". These are higher-level functions which + * do something in addition to setting a b_state bit. + */ +-BUFFER_FNS(Uptodate, uptodate) + BUFFER_FNS(Dirty, dirty) + TAS_BUFFER_FNS(Dirty, dirty) + BUFFER_FNS(Lock, locked) +@@ -135,6 +134,30 @@ BUFFER_FNS(Meta, meta) + BUFFER_FNS(Prio, prio) + BUFFER_FNS(Defer_Completion, defer_completion) + ++static __always_inline void set_buffer_uptodate(struct buffer_head *bh) ++{ ++ /* ++ * make it consistent with folio_mark_uptodate ++ * pairs with smp_load_acquire in buffer_uptodate ++ */ ++ smp_mb__before_atomic(); ++ set_bit(BH_Uptodate, &bh->b_state); ++} ++ ++static __always_inline void clear_buffer_uptodate(struct buffer_head *bh) ++{ ++ clear_bit(BH_Uptodate, &bh->b_state); ++} ++ ++static __always_inline int buffer_uptodate(const struct buffer_head *bh) ++{ ++ /* ++ * make it consistent with folio_test_uptodate ++ * pairs with smp_mb__before_atomic in set_buffer_uptodate ++ */ ++ return (smp_load_acquire(&bh->b_state) & (1UL << BH_Uptodate)) != 0; ++} ++ + #define bh_offset(bh) ((unsigned long)(bh)->b_data & ~PAGE_MASK) + + /* If we *know* page->private refers to buffer_heads */ diff --git a/queue-5.18/hid-hid-input-add-surface-go-battery-quirk.patch b/queue-5.18/hid-hid-input-add-surface-go-battery-quirk.patch new file mode 100644 index 00000000000..ad401cf473b --- /dev/null +++ b/queue-5.18/hid-hid-input-add-surface-go-battery-quirk.patch @@ -0,0 +1,47 @@ +From db925d809011c37b246434fdce71209fc2e6c0c2 Mon Sep 17 00:00:00 2001 +From: Maximilian Luz +Date: Thu, 26 May 2022 01:08:27 +0200 +Subject: HID: hid-input: add Surface Go battery quirk + +From: Maximilian Luz + +commit db925d809011c37b246434fdce71209fc2e6c0c2 upstream. + +Similar to the Surface Go (1), the (Elantech) touchscreen/digitizer in +the Surface Go 2 mistakenly reports the battery of the stylus. Instead +of over the touchscreen device, battery information is provided via +bluetooth and the touchscreen device reports an empty battery. + +Apply the HID_BATTERY_QUIRK_IGNORE quirk to ignore this battery and +prevent the erroneous low battery warnings. + +Cc: stable@vger.kernel.org +Signed-off-by: Maximilian Luz +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-input.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -413,6 +413,7 @@ + #define USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN 0x2544 + #define USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN 0x2706 + #define I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN 0x261A ++#define I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN 0x2A1C + + #define USB_VENDOR_ID_ELECOM 0x056e + #define USB_DEVICE_ID_ELECOM_BM084 0x0061 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -381,6 +381,8 @@ static const struct hid_device_id hid_ba + HID_BATTERY_QUIRK_IGNORE }, + { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN), + HID_BATTERY_QUIRK_IGNORE }, ++ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN), ++ HID_BATTERY_QUIRK_IGNORE }, + {} + }; + diff --git a/queue-5.18/hid-nintendo-add-missing-array-termination.patch b/queue-5.18/hid-nintendo-add-missing-array-termination.patch new file mode 100644 index 00000000000..759a12e39cf --- /dev/null +++ b/queue-5.18/hid-nintendo-add-missing-array-termination.patch @@ -0,0 +1,38 @@ +From ab5f3404b7762b88403fbddbdda6b1b464bd6cbc Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Tue, 12 Jul 2022 15:17:05 -0700 +Subject: HID: nintendo: Add missing array termination + +From: Guenter Roeck + +commit ab5f3404b7762b88403fbddbdda6b1b464bd6cbc upstream. + +joycon_dpad_inputs_jc[] is unterminated. This may result in odd warnings +such as + +input: input_set_capability: invalid code 3077588140 for type 1 + +or in kernel crashes in nintendo_hid_probe(). Terminate the array to fix +the problem. + +Fixes: 2af16c1f846bd ("HID: nintendo: add nintendo switch controller driver") +Cc: Daniel J. Ogorchock +Signed-off-by: Guenter Roeck +Reviewed-by: Dmitry Torokhov +Cc: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-nintendo.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hid/hid-nintendo.c ++++ b/drivers/hid/hid-nintendo.c +@@ -1586,6 +1586,7 @@ static const unsigned int joycon_button_ + /* We report joy-con d-pad inputs as buttons and pro controller as a hat. */ + static const unsigned int joycon_dpad_inputs_jc[] = { + BTN_DPAD_UP, BTN_DPAD_DOWN, BTN_DPAD_LEFT, BTN_DPAD_RIGHT, ++ 0 /* 0 signals end of array */ + }; + + static int joycon_input_create(struct joycon_ctlr *ctlr) diff --git a/queue-5.18/hid-wacom-don-t-register-pad_input-for-touch-switch.patch b/queue-5.18/hid-wacom-don-t-register-pad_input-for-touch-switch.patch new file mode 100644 index 00000000000..7749a89b096 --- /dev/null +++ b/queue-5.18/hid-wacom-don-t-register-pad_input-for-touch-switch.patch @@ -0,0 +1,107 @@ +From d6b675687a4ab4dba684716d97c8c6f81bf10905 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Fri, 13 May 2022 14:52:37 -0700 +Subject: HID: wacom: Don't register pad_input for touch switch + +From: Ping Cheng + +commit d6b675687a4ab4dba684716d97c8c6f81bf10905 upstream. + +Touch switch state is received through WACOM_PAD_FIELD. However, it +is reported by touch_input. Don't register pad_input if no other pad +events require the interface. + +Cc: stable@vger.kernel.org +Signed-off-by: Ping Cheng +Reviewed-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_sys.c | 2 +- + drivers/hid/wacom_wac.c | 43 +++++++++++++++++++++++++------------------ + 2 files changed, 26 insertions(+), 19 deletions(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2121,7 +2121,7 @@ static int wacom_register_inputs(struct + + error = wacom_setup_pad_input_capabilities(pad_input_dev, wacom_wac); + if (error) { +- /* no pad in use on this interface */ ++ /* no pad events using this interface */ + input_free_device(pad_input_dev); + wacom_wac->pad_input = NULL; + pad_input_dev = NULL; +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2017,7 +2017,6 @@ static void wacom_wac_pad_usage_mapping( + wacom_wac->has_mute_touch_switch = true; + usage->type = EV_SW; + usage->code = SW_MUTE_DEVICE; +- features->device_type |= WACOM_DEVICETYPE_PAD; + break; + case WACOM_HID_WD_TOUCHSTRIP: + wacom_map_usage(input, usage, field, EV_ABS, ABS_RX, 0); +@@ -2097,6 +2096,30 @@ static void wacom_wac_pad_event(struct h + wacom_wac->hid_data.inrange_state |= value; + } + ++ /* Process touch switch state first since it is reported through touch interface, ++ * which is indepentent of pad interface. In the case when there are no other pad ++ * events, the pad interface will not even be created. ++ */ ++ if ((equivalent_usage == WACOM_HID_WD_MUTE_DEVICE) || ++ (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)) { ++ if (wacom_wac->shared->touch_input) { ++ bool *is_touch_on = &wacom_wac->shared->is_touch_on; ++ ++ if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value) ++ *is_touch_on = !(*is_touch_on); ++ else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF) ++ *is_touch_on = value; ++ ++ input_report_switch(wacom_wac->shared->touch_input, ++ SW_MUTE_DEVICE, !(*is_touch_on)); ++ input_sync(wacom_wac->shared->touch_input); ++ } ++ return; ++ } ++ ++ if (!input) ++ return; ++ + switch (equivalent_usage) { + case WACOM_HID_WD_TOUCHRING: + /* +@@ -2132,22 +2155,6 @@ static void wacom_wac_pad_event(struct h + input_event(input, usage->type, usage->code, 0); + break; + +- case WACOM_HID_WD_MUTE_DEVICE: +- case WACOM_HID_WD_TOUCHONOFF: +- if (wacom_wac->shared->touch_input) { +- bool *is_touch_on = &wacom_wac->shared->is_touch_on; +- +- if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value) +- *is_touch_on = !(*is_touch_on); +- else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF) +- *is_touch_on = value; +- +- input_report_switch(wacom_wac->shared->touch_input, +- SW_MUTE_DEVICE, !(*is_touch_on)); +- input_sync(wacom_wac->shared->touch_input); +- } +- break; +- + case WACOM_HID_WD_MODE_CHANGE: + if (wacom_wac->is_direct_mode != value) { + wacom_wac->is_direct_mode = value; +@@ -2808,7 +2815,7 @@ void wacom_wac_event(struct hid_device * + /* usage tests must precede field tests */ + if (WACOM_BATTERY_USAGE(usage)) + wacom_wac_battery_event(hdev, field, usage, value); +- else if (WACOM_PAD_FIELD(field) && wacom->wacom_wac.pad_input) ++ else if (WACOM_PAD_FIELD(field)) + wacom_wac_pad_event(hdev, field, usage, value); + else if (WACOM_PEN_FIELD(field) && wacom->wacom_wac.pen_input) + wacom_wac_pen_event(hdev, field, usage, value); diff --git a/queue-5.18/hid-wacom-only-report-rotation-for-art-pen.patch b/queue-5.18/hid-wacom-only-report-rotation-for-art-pen.patch new file mode 100644 index 00000000000..e257644bf6e --- /dev/null +++ b/queue-5.18/hid-wacom-only-report-rotation-for-art-pen.patch @@ -0,0 +1,88 @@ +From 7ccced33a0ba39b0103ae1dfbf7f1dffdc0a1bc2 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Fri, 13 May 2022 14:51:56 -0700 +Subject: HID: wacom: Only report rotation for art pen + +From: Ping Cheng + +commit 7ccced33a0ba39b0103ae1dfbf7f1dffdc0a1bc2 upstream. + +The generic routine, wacom_wac_pen_event, turns rotation value 90 +degree anti-clockwise before posting the events. This non-zero +event trggers a non-zero ABS_Z event for non art pen tools. However, +HID_DG_TWIST is only supported by art pen. + +[jkosina@suse.cz: fix build: add missing brace] +Cc: stable@vger.kernel.org +Signed-off-by: Ping Cheng +Reviewed-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -638,9 +638,26 @@ static int wacom_intuos_id_mangle(int to + return (tool_id & ~0xFFF) << 4 | (tool_id & 0xFFF); + } + ++static bool wacom_is_art_pen(int tool_id) ++{ ++ bool is_art_pen = false; ++ ++ switch (tool_id) { ++ case 0x885: /* Intuos3 Marker Pen */ ++ case 0x804: /* Intuos4/5 13HD/24HD Marker Pen */ ++ case 0x10804: /* Intuos4/5 13HD/24HD Art Pen */ ++ is_art_pen = true; ++ break; ++ } ++ return is_art_pen; ++} ++ + static int wacom_intuos_get_tool_type(int tool_id) + { +- int tool_type; ++ int tool_type = BTN_TOOL_PEN; ++ ++ if (wacom_is_art_pen(tool_id)) ++ return tool_type; + + switch (tool_id) { + case 0x812: /* Inking pen */ +@@ -655,12 +672,9 @@ static int wacom_intuos_get_tool_type(in + case 0x852: + case 0x823: /* Intuos3 Grip Pen */ + case 0x813: /* Intuos3 Classic Pen */ +- case 0x885: /* Intuos3 Marker Pen */ + case 0x802: /* Intuos4/5 13HD/24HD General Pen */ +- case 0x804: /* Intuos4/5 13HD/24HD Marker Pen */ + case 0x8e2: /* IntuosHT2 pen */ + case 0x022: +- case 0x10804: /* Intuos4/5 13HD/24HD Art Pen */ + case 0x10842: /* MobileStudio Pro Pro Pen slim */ + case 0x14802: /* Intuos4/5 13HD/24HD Classic Pen */ + case 0x16802: /* Cintiq 13HD Pro Pen */ +@@ -718,10 +732,6 @@ static int wacom_intuos_get_tool_type(in + case 0x10902: /* Intuos4/5 13HD/24HD Airbrush */ + tool_type = BTN_TOOL_AIRBRUSH; + break; +- +- default: /* Unknown tool */ +- tool_type = BTN_TOOL_PEN; +- break; + } + return tool_type; + } +@@ -2323,6 +2333,9 @@ static void wacom_wac_pen_event(struct h + } + return; + case HID_DG_TWIST: ++ /* don't modify the value if the pen doesn't support the feature */ ++ if (!wacom_is_art_pen(wacom_wac->id[0])) return; ++ + /* + * Userspace expects pen twist to have its zero point when + * the buttons/finger is on the tablet's left. HID values diff --git a/queue-5.18/lockd-detect-and-reject-lock-arguments-that-overflow.patch b/queue-5.18/lockd-detect-and-reject-lock-arguments-that-overflow.patch new file mode 100644 index 00000000000..080c84d4a70 --- /dev/null +++ b/queue-5.18/lockd-detect-and-reject-lock-arguments-that-overflow.patch @@ -0,0 +1,118 @@ +From 6930bcbfb6ceda63e298c6af6d733ecdf6bd4cde Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 1 Aug 2022 15:57:26 -0400 +Subject: lockd: detect and reject lock arguments that overflow + +From: Jeff Layton + +commit 6930bcbfb6ceda63e298c6af6d733ecdf6bd4cde upstream. + +lockd doesn't currently vet the start and length in nlm4 requests like +it should, and can end up generating lock requests with arguments that +overflow when passed to the filesystem. + +The NLM4 protocol uses unsigned 64-bit arguments for both start and +length, whereas struct file_lock tracks the start and end as loff_t +values. By the time we get around to calling nlm4svc_retrieve_args, +we've lost the information that would allow us to determine if there was +an overflow. + +Start tracking the actual start and len for NLM4 requests in the +nlm_lock. In nlm4svc_retrieve_args, vet these values to ensure they +won't cause an overflow, and return NLM4_FBIG if they do. + +Link: https://bugzilla.linux-nfs.org/show_bug.cgi?id=392 +Reported-by: Jan Kasiak +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Cc: # 5.14+ +Signed-off-by: Greg Kroah-Hartman +--- + fs/lockd/svc4proc.c | 8 ++++++++ + fs/lockd/xdr4.c | 19 ++----------------- + include/linux/lockd/xdr.h | 2 ++ + 3 files changed, 12 insertions(+), 17 deletions(-) + +--- a/fs/lockd/svc4proc.c ++++ b/fs/lockd/svc4proc.c +@@ -32,6 +32,10 @@ nlm4svc_retrieve_args(struct svc_rqst *r + if (!nlmsvc_ops) + return nlm_lck_denied_nolocks; + ++ if (lock->lock_start > OFFSET_MAX || ++ (lock->lock_len && ((lock->lock_len - 1) > (OFFSET_MAX - lock->lock_start)))) ++ return nlm4_fbig; ++ + /* Obtain host handle */ + if (!(host = nlmsvc_lookup_host(rqstp, lock->caller, lock->len)) + || (argp->monitor && nsm_monitor(host) < 0)) +@@ -50,6 +54,10 @@ nlm4svc_retrieve_args(struct svc_rqst *r + /* Set up the missing parts of the file_lock structure */ + lock->fl.fl_file = file->f_file[mode]; + lock->fl.fl_pid = current->tgid; ++ lock->fl.fl_start = (loff_t)lock->lock_start; ++ lock->fl.fl_end = lock->lock_len ? ++ (loff_t)(lock->lock_start + lock->lock_len - 1) : ++ OFFSET_MAX; + lock->fl.fl_lmops = &nlmsvc_lock_operations; + nlmsvc_locks_init_private(&lock->fl, host, (pid_t)lock->svid); + if (!lock->fl.fl_owner) { +--- a/fs/lockd/xdr4.c ++++ b/fs/lockd/xdr4.c +@@ -20,13 +20,6 @@ + + #include "svcxdr.h" + +-static inline loff_t +-s64_to_loff_t(__s64 offset) +-{ +- return (loff_t)offset; +-} +- +- + static inline s64 + loff_t_to_s64(loff_t offset) + { +@@ -70,8 +63,6 @@ static bool + svcxdr_decode_lock(struct xdr_stream *xdr, struct nlm_lock *lock) + { + struct file_lock *fl = &lock->fl; +- u64 len, start; +- s64 end; + + if (!svcxdr_decode_string(xdr, &lock->caller, &lock->len)) + return false; +@@ -81,20 +72,14 @@ svcxdr_decode_lock(struct xdr_stream *xd + return false; + if (xdr_stream_decode_u32(xdr, &lock->svid) < 0) + return false; +- if (xdr_stream_decode_u64(xdr, &start) < 0) ++ if (xdr_stream_decode_u64(xdr, &lock->lock_start) < 0) + return false; +- if (xdr_stream_decode_u64(xdr, &len) < 0) ++ if (xdr_stream_decode_u64(xdr, &lock->lock_len) < 0) + return false; + + locks_init_lock(fl); + fl->fl_flags = FL_POSIX; + fl->fl_type = F_RDLCK; +- end = start + len - 1; +- fl->fl_start = s64_to_loff_t(start); +- if (len == 0 || end < 0) +- fl->fl_end = OFFSET_MAX; +- else +- fl->fl_end = s64_to_loff_t(end); + + return true; + } +--- a/include/linux/lockd/xdr.h ++++ b/include/linux/lockd/xdr.h +@@ -41,6 +41,8 @@ struct nlm_lock { + struct nfs_fh fh; + struct xdr_netobj oh; + u32 svid; ++ u64 lock_start; ++ u64 lock_len; + struct file_lock fl; + }; + diff --git a/queue-5.18/series b/queue-5.18/series index c91ddc797bb..d3c233015da 100644 --- a/queue-5.18/series +++ b/queue-5.18/series @@ -14,3 +14,9 @@ asoc-amd-yc-update-dmi-table-entries.patch wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch +add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch +lockd-detect-and-reject-lock-arguments-that-overflow.patch +hid-hid-input-add-surface-go-battery-quirk.patch +hid-nintendo-add-missing-array-termination.patch +hid-wacom-only-report-rotation-for-art-pen.patch +hid-wacom-don-t-register-pad_input-for-touch-switch.patch