From 1b713e384ae8ad8e6dbc4ac996d210eeb67a907b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 11 Aug 2022 16:11:44 +0200 Subject: [PATCH] 4.19-stable patches added patches: add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch hid-wacom-don-t-register-pad_input-for-touch-switch.patch
---
...fer_uptodate-and-set_buffer_uptodate.patch | 77 +++++++++++++ ...-register-pad_input-for-touch-switch.patch | 107 ++++++++++++++++++ queue-4.19/series | 2 + 3 files changed, 186 insertions(+) create mode 100644 queue-4.19/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch create mode 100644 queue-4.19/hid-wacom-don-t-register-pad_input-for-touch-switch.patch
diff --git a/queue-4.19/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch b/queue-4.19/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch
new file mode 100644
index 00000000000..10da72ef68e
--- /dev/null
+++ b/queue-4.19/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch
@@ -0,0 +1,77 @@
+From d4252071b97d2027d246f6a82cbee4d52f618b47 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Tue, 9 Aug 2022 14:32:13 -0400
+Subject: add barriers to buffer_uptodate and set_buffer_uptodate
+
+From: Mikulas Patocka
+
+commit d4252071b97d2027d246f6a82cbee4d52f618b47 upstream.
+
+Let's have a look at this piece of code in __bread_slow:
+
+ get_bh(bh);
+ bh->b_end_io = end_buffer_read_sync;
+ submit_bh(REQ_OP_READ, 0, bh);
+ wait_on_buffer(bh);
+ if (buffer_uptodate(bh))
+ return bh;
+
+Neither wait_on_buffer nor buffer_uptodate contain any memory barrier.
+Consequently, if someone calls sb_bread and then reads the buffer data,
+the read of buffer data may be executed before wait_on_buffer(bh) on
+architectures with weak memory ordering and it may return invalid data.
+
+Fix this bug by adding a memory barrier to set_buffer_uptodate and an
+acquire barrier to buffer_uptodate (in a similar way as
+folio_test_uptodate and folio_mark_uptodate).
+
+Signed-off-by: Mikulas Patocka
+Reviewed-by: Matthew Wilcox (Oracle)
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/buffer_head.h | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/include/linux/buffer_head.h
++++ b/include/linux/buffer_head.h
+@@ -117,7 +117,6 @@ static __always_inline int test_clear_bu
+ * of the form "mark_buffer_foo()". These are higher-level functions which
+ * do something in addition to setting a b_state bit.
+ */
+-BUFFER_FNS(Uptodate, uptodate)
+ BUFFER_FNS(Dirty, dirty)
+ TAS_BUFFER_FNS(Dirty, dirty)
+ BUFFER_FNS(Lock, locked)
+@@ -135,6 +134,30 @@ BUFFER_FNS(Meta, meta)
+ BUFFER_FNS(Prio, prio)
+ BUFFER_FNS(Defer_Completion, defer_completion)
+
++static __always_inline void set_buffer_uptodate(struct buffer_head *bh)
++{
++ /*
++ * make it consistent with folio_mark_uptodate
++ * pairs with smp_load_acquire in buffer_uptodate
++ */
++ smp_mb__before_atomic();
++ set_bit(BH_Uptodate, &bh->b_state);
++}
++
++static __always_inline void clear_buffer_uptodate(struct buffer_head *bh)
++{
++ clear_bit(BH_Uptodate, &bh->b_state);
++}
++
++static __always_inline int buffer_uptodate(const struct buffer_head *bh)
++{
++ /*
++ * make it consistent with folio_test_uptodate
++ * pairs with smp_mb__before_atomic in set_buffer_uptodate
++ */
++ return (smp_load_acquire(&bh->b_state) & (1UL << BH_Uptodate)) != 0;
++}
++
+ #define bh_offset(bh) ((unsigned long)(bh)->b_data & ~PAGE_MASK)
+
+ /* If we *know* page->private refers to buffer_heads */
diff --git a/queue-4.19/hid-wacom-don-t-register-pad_input-for-touch-switch.patch b/queue-4.19/hid-wacom-don-t-register-pad_input-for-touch-switch.patch
new file mode 100644
index 00000000000..ff1d1896ddb
--- /dev/null
+++ b/queue-4.19/hid-wacom-don-t-register-pad_input-for-touch-switch.patch
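Review bot: The comments added to `set_buffer_uptodate()` and `buffer_uptodate()` in include/linux/buffer_head.h point at `folio_mark_uptodate` and `folio_test_uptodate`, which as far as I know do not exist in a 4.19 tree, and they never say which accesses the barriers order. For this backport I would state the contract directly, e.g. `/* order the stores that filled the buffer before BH_Uptodate becomes visible; pairs with smp_load_acquire() in buffer_uptodate() */` on the writer and `/* acquire: reads of the buffer data cannot be hoisted above this test */` on the reader. The acquire only helps readers that go through `buffer_uptodate()`; any site that tests `BH_Uptodate` in `b_state` directly would still be unordered, and none of those callers are visible in this hunk, so that needs a check against the 4.19 tree.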
@@ -0,0 +1,107 @@
+From d6b675687a4ab4dba684716d97c8c6f81bf10905 Mon Sep 17 00:00:00 2001
+From: Ping Cheng
+Date: Fri, 13 May 2022 14:52:37 -0700
+Subject: HID: wacom: Don't register pad_input for touch switch
+
+From: Ping Cheng
+
+commit d6b675687a4ab4dba684716d97c8c6f81bf10905 upstream.
+
+Touch switch state is received through WACOM_PAD_FIELD. However, it
+is reported by touch_input. Don't register pad_input if no other pad
+events require the interface.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ping Cheng
+Reviewed-by: Jason Gerecke
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/wacom_sys.c | 2 +-
+ drivers/hid/wacom_wac.c | 43 +++++++++++++++++++++++++------------------
+ 2 files changed, 26 insertions(+), 19 deletions(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2095,7 +2095,7 @@ static int wacom_register_inputs(struct
+
+ error = wacom_setup_pad_input_capabilities(pad_input_dev, wacom_wac);
+ if (error) {
+- /* no pad in use on this interface */
++ /* no pad events using this interface */
+ input_free_device(pad_input_dev);
+ wacom_wac->pad_input = NULL;
+ pad_input_dev = NULL;
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1954,7 +1954,6 @@ static void wacom_wac_pad_usage_mapping(
+ wacom_wac->has_mute_touch_switch = true;
+ usage->type = EV_SW;
+ usage->code = SW_MUTE_DEVICE;
+- features->device_type |= WACOM_DEVICETYPE_PAD;
+ break;
+ case WACOM_HID_WD_TOUCHSTRIP:
+ wacom_map_usage(input, usage, field, EV_ABS, ABS_RX, 0);
+@@ -2034,6 +2033,30 @@ static void wacom_wac_pad_event(struct h
+ wacom_wac->hid_data.inrange_state |= value;
+ }
+
++ /* Process touch switch state first since it is reported through touch interface,
++ * which is indepentent of pad interface. In the case when there are no other pad
++ * events, the pad interface will not even be created.
++ */
++ if ((equivalent_usage == WACOM_HID_WD_MUTE_DEVICE) ||
++ (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)) {
++ if (wacom_wac->shared->touch_input) {
++ bool *is_touch_on = &wacom_wac->shared->is_touch_on;
++
++ if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value)
++ *is_touch_on = !(*is_touch_on);
++ else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)
++ *is_touch_on = value;
++
++ input_report_switch(wacom_wac->shared->touch_input,
++ SW_MUTE_DEVICE, !(*is_touch_on));
++ input_sync(wacom_wac->shared->touch_input);
++ }
++ return;
++ }
++
++ if (!input)
++ return;
++
+ switch (equivalent_usage) {
+ case WACOM_HID_WD_TOUCHRING:
+ /*
+@@ -2063,22 +2086,6 @@ static void wacom_wac_pad_event(struct h
+ input_event(input, usage->type, usage->code, 0);
+ break;
+
+- case WACOM_HID_WD_MUTE_DEVICE:
+- case WACOM_HID_WD_TOUCHONOFF:
+- if (wacom_wac->shared->touch_input) {
+- bool *is_touch_on = &wacom_wac->shared->is_touch_on;
+-
+- if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value)
+- *is_touch_on = !(*is_touch_on);
+- else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)
+- *is_touch_on = value;
+-
+- input_report_switch(wacom_wac->shared->touch_input,
+- SW_MUTE_DEVICE, !(*is_touch_on));
+- input_sync(wacom_wac->shared->touch_input);
+- }
+- break;
+-
+ case WACOM_HID_WD_MODE_CHANGE:
+ if (wacom_wac->is_direct_mode != value) {
+ wacom_wac->is_direct_mode = value;
+@@ -2719,7 +2726,7 @@ void wacom_wac_event(struct hid_device *
+ /* usage tests must precede field tests */
+ if (WACOM_BATTERY_USAGE(usage))
+ wacom_wac_battery_event(hdev, field, usage, value);
+- else if (WACOM_PAD_FIELD(field) && wacom->wacom_wac.pad_input)
++ else if (WACOM_PAD_FIELD(field))
+ wacom_wac_pad_event(hdev, field, usage, value);
+ else if (WACOM_PEN_FIELD(field) && wacom->wacom_wac.pen_input)
+ wacom_wac_pen_event(hdev, field, usage, value);
diff --git a/queue-4.19/series b/queue-4.19/series
index c8c9e581125..fabd491214d 100644
--- a/queue-4.19/series
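Review bot: With the `wacom->wacom_wac.pad_input` test dropped from `wacom_wac_event()`, `wacom_wac_pad_event()` in drivers/hid/wacom_wac.c can now run when no pad device was registered, and the new `if (!input) return;` is the only thing keeping the `switch` below it from using a NULL `input` (presumably `wacom_wac->pad_input`; the assignment is outside the hunk). That guard sits after the touch-switch block, so it protects nothing above it. Since these events are driven by device reports, whoever applies this to 4.19 should confirm that the top of the function, and any other pad path that relied on the removed check, does not touch `input` first. A comment on the guard would keep the invariant visible: `/* pad_input is NULL when only the touch switch uses the pad field */`. The new block comment also spells `independent` as `indepentent`.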
+++ b/queue-4.19/series
@@ -4,3 +4,5 @@ alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-probing.patch
 wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch
 wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch
 wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch
+add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch
+hid-wacom-don-t-register-pad_input-for-touch-switch.patch
--
2.47.3