From c1c91e58ab6fc63e74bf5b494affd2e96f5db3e9 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 5 Jun 2020 13:00:47 +0200 Subject: [PATCH] 5.6-stable patches added patches: crypto-api-fix-use-after-free-and-race-in-crypto_spawn_alg.patch hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch hid-multitouch-enable-multi-input-as-a-quirk-for-some-devices.patch hid-sony-fix-for-broken-buttons-on-ds3-usb-dongles.patch kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch media-revert-staging-imgu-address-a-compiler-warning-on-alignment.patch media-staging-ipu3-imgu-move-alignment-attribute-to-field.patch mm-fix-mremap-not-considering-huge-pmd-devmap.patch mmc-fix-compilation-of-user-api.patch mt76-mt76x02u-add-support-for-newer-versions-of-the-xbox-one-wifi-adapter.patch p54usb-add-airvast-usb-stick-device-id.patch --- ...er-free-and-race-in-crypto_spawn_alg.patch | 96 +++++++++++++++++ ...der-scl142alm-to-descriptor-override.patch | 38 +++++++ ...ti-input-as-a-quirk-for-some-devices.patch | 102 ++++++++++++++++++ ...or-broken-buttons-on-ds3-usb-dongles.patch | 60 +++++++++++ ..._percpu-returning-null-in-relay_open.patch | 71 ++++++++++++ ...ress-a-compiler-warning-on-alignment.patch | 38 +++++++ ...gu-move-alignment-attribute-to-field.patch | 46 ++++++++ ...emap-not-considering-huge-pmd-devmap.patch | 56 ++++++++++ .../mmc-fix-compilation-of-user-api.patch | 41 +++++++ ...ersions-of-the-xbox-one-wifi-adapter.patch | 41 +++++++ ...4usb-add-airvast-usb-stick-device-id.patch | 35 ++++++ queue-5.6/series | 11 ++ 12 files changed, 635 insertions(+) create mode 100644 queue-5.6/crypto-api-fix-use-after-free-and-race-in-crypto_spawn_alg.patch create mode 100644 queue-5.6/hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch create mode 100644 queue-5.6/hid-multitouch-enable-multi-input-as-a-quirk-for-some-devices.patch create mode 100644 queue-5.6/hid-sony-fix-for-broken-buttons-on-ds3-usb-dongles.patch create mode 100644 
queue-5.6/kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch create mode 100644 queue-5.6/media-revert-staging-imgu-address-a-compiler-warning-on-alignment.patch create mode 100644 queue-5.6/media-staging-ipu3-imgu-move-alignment-attribute-to-field.patch create mode 100644 queue-5.6/mm-fix-mremap-not-considering-huge-pmd-devmap.patch create mode 100644 queue-5.6/mmc-fix-compilation-of-user-api.patch create mode 100644 queue-5.6/mt76-mt76x02u-add-support-for-newer-versions-of-the-xbox-one-wifi-adapter.patch create mode 100644 queue-5.6/p54usb-add-airvast-usb-stick-device-id.patch
diff --git a/queue-5.6/crypto-api-fix-use-after-free-and-race-in-crypto_spawn_alg.patch b/queue-5.6/crypto-api-fix-use-after-free-and-race-in-crypto_spawn_alg.patch
new file mode 100644
index 00000000000..ab80ad63271
--- /dev/null
+++ b/queue-5.6/crypto-api-fix-use-after-free-and-race-in-crypto_spawn_alg.patch
@@ -0,0 +1,96 @@
+From 6603523bf5e432c7c8490fb500793bb15d4e5f61 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Fri, 10 Apr 2020 16:09:42 +1000
+Subject: crypto: api - Fix use-after-free and race in crypto_spawn_alg
+
+From: Herbert Xu
+
+commit 6603523bf5e432c7c8490fb500793bb15d4e5f61 upstream.
+
+There are two problems in crypto_spawn_alg. First of all it may
+return spawn->alg even if spawn->dead is set. This results in a
+double-free as detected by syzbot.
+
+Secondly the setting of the DYING flag is racy because we hold
+the read-lock instead of the write-lock. We should instead call
+crypto_shoot_alg in a safe manner by gaining a refcount, dropping
+the lock, and then releasing the refcount.
+
+This patch fixes both problems.
+
+Reported-by: syzbot+fc0674cde00b66844470@syzkaller.appspotmail.com
+Fixes: 4f87ee118d16 ("crypto: api - Do not zap spawn->alg")
+Fixes: 73669cc55646 ("crypto: api - Fix race condition in...")
+Cc:
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/algapi.c | 22 ++++++++++++++++------
+ crypto/api.c | 3 ++-
+ crypto/internal.h | 1 +
+ 3 files changed, 19 insertions(+), 7 deletions(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -716,17 +716,27 @@ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
+
+ static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn)
+ {
+- struct crypto_alg *alg;
++ struct crypto_alg *alg = ERR_PTR(-EAGAIN);
++ struct crypto_alg *target;
++ bool shoot = false;
+
+ down_read(&crypto_alg_sem);
+- alg = spawn->alg;
+- if (!spawn->dead && !crypto_mod_get(alg)) {
+- alg->cra_flags |= CRYPTO_ALG_DYING;
+- alg = NULL;
++ if (!spawn->dead) {
++ alg = spawn->alg;
++ if (!crypto_mod_get(alg)) {
++ target = crypto_alg_get(alg);
++ shoot = true;
++ alg = ERR_PTR(-EAGAIN);
++ }
+ }
+ up_read(&crypto_alg_sem);
+
+- return alg ?: ERR_PTR(-EAGAIN);
++ if (shoot) {
++ crypto_shoot_alg(target);
++ crypto_alg_put(target);
++ }
++
++ return alg;
+ }
+
+ struct crypto_tfm *crypto_spawn_tfm(struct crypto_spawn *spawn, u32 type,
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -333,12 +333,13 @@ static unsigned int crypto_ctxsize(struc
+ return len;
+ }
+
+-static void crypto_shoot_alg(struct crypto_alg *alg)
++void crypto_shoot_alg(struct crypto_alg *alg)
+ {
+ down_write(&crypto_alg_sem);
+ alg->cra_flags |= CRYPTO_ALG_DYING;
+ up_write(&crypto_alg_sem);
+ }
++EXPORT_SYMBOL_GPL(crypto_shoot_alg);
+
+ struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
+ u32 mask)
+--- a/crypto/internal.h
++++ b/crypto/internal.h
+@@ -65,6 +65,7 @@ void crypto_alg_tested(const char *name,
+ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
+ struct crypto_alg *nalg);
+ void crypto_remove_final(struct list_head *list);
++void crypto_shoot_alg(struct crypto_alg *alg);
+ struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
+ u32 mask);
+ void *crypto_create_tfm(struct crypto_alg *alg,
diff --git a/queue-5.6/hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch b/queue-5.6/hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
new file mode 100644
index 00000000000..9c6962753d2
--- /dev/null
+++ b/queue-5.6/hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
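Review bot: The reason `crypto_shoot_alg(target)` runs only after `up_read(&crypto_alg_sem)` is not stated in the new `crypto_spawn_alg()` body, and a later cleanup could easily move it back under the read lock. `crypto_shoot_alg()` takes the same semaphore for writing (see the crypto/api.c part of this patch), and the reference from `crypto_alg_get()` is what keeps `target` valid across the unlocked window, so I would add above `if (shoot) {` a comment such as `/* crypto_shoot_alg() takes crypto_alg_sem for writing: call it after up_read(), holding our own reference to target. */`. `target` is also only assigned on the `shoot` path; initialising it as `struct crypto_alg *target = NULL;` would keep uninitialised-variable warnings away without changing behaviour.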
@@ -0,0 +1,38 @@
+From 6507ef10660efdfee93f0f3b9fac24b5e4d83e56 Mon Sep 17 00:00:00 2001
+From: Julian Sax
+Date: Tue, 5 May 2020 17:10:42 +0200
+Subject: HID: i2c-hid: add Schneider SCL142ALM to descriptor override
+
+From: Julian Sax
+
+commit 6507ef10660efdfee93f0f3b9fac24b5e4d83e56 upstream.
+
+This device uses the SIPODEV SP1064 touchpad, which does not
+supply descriptors, so it has to be added to the override list.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Julian Sax
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+@@ -389,6 +389,14 @@ static const struct dmi_system_id i2c_hi
+ },
+ .driver_data = (void *)&sipodev_desc
+ },
++ {
++ .ident = "Schneider SCL142ALM",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SCHNEIDER"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "SCL142ALM"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
+ { } /* Terminate list */
+ };
+
diff --git a/queue-5.6/hid-multitouch-enable-multi-input-as-a-quirk-for-some-devices.patch b/queue-5.6/hid-multitouch-enable-multi-input-as-a-quirk-for-some-devices.patch
new file mode 100644
index 00000000000..f23c01320c0
--- /dev/null
+++ b/queue-5.6/hid-multitouch-enable-multi-input-as-a-quirk-for-some-devices.patch
@@ -0,0 +1,102 @@ +From 40d5bb87377a599d0405af765290f28aaa6abb1e Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Tue, 26 May 2020 17:07:17 +0200 +Subject: HID: multitouch: enable multi-input as a quirk for some devices + +From: Benjamin Tissoires + +commit 40d5bb87377a599d0405af765290f28aaa6abb1e upstream. + +Two touchpad/trackstick combos are currently not behaving properly. +They define a mouse emulation collection, as per Win8 requirements, +but also define a separate mouse collection for the trackstick. + +The way the kernel currently treat the collections is that it +merges both in one device. However, given that the first mouse +collection already defines X,Y and left, right buttons, when +mapping the events from the second mouse collection, hid-multitouch +sees that these events are already mapped, and simply ignores them. + +To be able to report events from the tracktick, add a new quirked +class for it, and manually add the 2 devices we know about. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=207235 +Cc: stable@vger.kernel.org +Tested-by: Kai-Heng Feng +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-multitouch.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -69,6 +69,7 @@ MODULE_LICENSE("GPL"); + #define MT_QUIRK_ASUS_CUSTOM_UP BIT(17) + #define MT_QUIRK_WIN8_PTP_BUTTONS BIT(18) + #define MT_QUIRK_SEPARATE_APP_REPORT BIT(19) ++#define MT_QUIRK_FORCE_MULTI_INPUT BIT(20) + + #define MT_INPUTMODE_TOUCHSCREEN 0x02 + #define MT_INPUTMODE_TOUCHPAD 0x03 +@@ -189,6 +190,7 @@ static void mt_post_parse(struct mt_devi + #define MT_CLS_WIN_8 0x0012 + #define MT_CLS_EXPORT_ALL_INPUTS 0x0013 + #define MT_CLS_WIN_8_DUAL 0x0014 ++#define MT_CLS_WIN_8_FORCE_MULTI_INPUT 0x0015 + + /* vendor specific classes */ + #define MT_CLS_3M 0x0101 +@@ -279,6 +281,15 @@ static const struct mt_class mt_classes[ + 
MT_QUIRK_CONTACT_CNT_ACCURATE | + MT_QUIRK_WIN8_PTP_BUTTONS, + .export_all_inputs = true }, ++ { .name = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ .quirks = MT_QUIRK_ALWAYS_VALID | ++ MT_QUIRK_IGNORE_DUPLICATES | ++ MT_QUIRK_HOVERING | ++ MT_QUIRK_CONTACT_CNT_ACCURATE | ++ MT_QUIRK_STICKY_FINGERS | ++ MT_QUIRK_WIN8_PTP_BUTTONS | ++ MT_QUIRK_FORCE_MULTI_INPUT, ++ .export_all_inputs = true }, + + /* + * vendor specific classes +@@ -1714,6 +1725,11 @@ static int mt_probe(struct hid_device *h + if (id->group != HID_GROUP_MULTITOUCH_WIN_8) + hdev->quirks |= HID_QUIRK_MULTI_INPUT; + ++ if (mtclass->quirks & MT_QUIRK_FORCE_MULTI_INPUT) { ++ hdev->quirks &= ~HID_QUIRK_INPUT_PER_APP; ++ hdev->quirks |= HID_QUIRK_MULTI_INPUT; ++ } ++ + timer_setup(&td->release_timer, mt_expired_timeout, 0); + + ret = hid_parse(hdev); +@@ -1926,6 +1942,11 @@ static const struct hid_device_id mt_dev + MT_USB_DEVICE(USB_VENDOR_ID_DWAV, + USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002) }, + ++ /* Elan devices */ ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_ELAN, 0x313a) }, ++ + /* Elitegroup panel */ + { .driver_data = MT_CLS_SERIAL, + MT_USB_DEVICE(USB_VENDOR_ID_ELITEGROUP, +@@ -2056,6 +2077,11 @@ static const struct hid_device_id mt_dev + MT_USB_DEVICE(USB_VENDOR_ID_STANTUM_STM, + USB_DEVICE_ID_MTP_STM)}, + ++ /* Synaptics devices */ ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_SYNAPTICS, 0xce08) }, ++ + /* TopSeed panels */ + { .driver_data = MT_CLS_TOPSEED, + MT_USB_DEVICE(USB_VENDOR_ID_TOPSEED2, diff --git a/queue-5.6/hid-sony-fix-for-broken-buttons-on-ds3-usb-dongles.patch b/queue-5.6/hid-sony-fix-for-broken-buttons-on-ds3-usb-dongles.patch new file mode 100644 index 00000000000..2bff7ffcf8f --- /dev/null +++ b/queue-5.6/hid-sony-fix-for-broken-buttons-on-ds3-usb-dongles.patch 
@@ -0,0 +1,60 @@
+From e72455b898ac678667c5674668186b4670d87d11 Mon Sep 17 00:00:00 2001
+From: Scott Shumate
+Date: Wed, 13 May 2020 13:39:26 -0500
+Subject: HID: sony: Fix for broken buttons on DS3 USB dongles
+
+From: Scott Shumate
+
+commit e72455b898ac678667c5674668186b4670d87d11 upstream.
+
+Fix for non-working buttons on knock-off USB dongles for Sony
+controllers. These USB dongles are used to connect older Sony DA/DS1/DS2
+controllers via USB and are common on Amazon, AliExpress, etc. Without
+the patch, the square, X, and circle buttons do not function. These
+dongles used to work prior to kernel 4.10 but removing the global DS3
+report fixup in commit e19a267b9987 ("HID: sony: DS3 comply to Linux gamepad
+spec") exposed the problem.
+
+Many people reported the problem on the Ubuntu forums and are working
+around the problem by falling back to the 4.9 hid-sony driver.
+
+The problem stems from these dongles incorrectly reporting their button
+count as 13 instead of 16. This patch fixes up the report descriptor by
+changing the button report count to 16 and removing 3 padding bits.
+
+Cc: stable@vger.kernel.org
+Fixes: e19a267b9987 ("HID: sony: DS3 comply to Linux gamepad spec")
+Signed-off-by: Scott Shumate
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-sony.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -867,6 +867,23 @@ static u8 *sony_report_fixup(struct hid_
+ if (sc->quirks & PS3REMOTE)
+ return ps3remote_fixup(hdev, rdesc, rsize);
+
++ /*
++ * Some knock-off USB dongles incorrectly report their button count
++ * as 13 instead of 16 causing three non-functional buttons.
++ */
++ if ((sc->quirks & SIXAXIS_CONTROLLER_USB) && *rsize >= 45 &&
++ /* Report Count (13) */
++ rdesc[23] == 0x95 && rdesc[24] == 0x0D &&
++ /* Usage Maximum (13) */
++ rdesc[37] == 0x29 && rdesc[38] == 0x0D &&
++ /* Report Count (3) */
++ rdesc[43] == 0x95 && rdesc[44] == 0x03) {
++ hid_info(hdev, "Fixing up USB dongle report descriptor\n");
++ rdesc[24] = 0x10;
++ rdesc[38] = 0x10;
++ rdesc[44] = 0x00;
++ }
++
+ return rdesc;
+ }
+
diff --git a/queue-5.6/kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch b/queue-5.6/kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
new file mode 100644
index 00000000000..371f43e155b
--- /dev/null
+++ b/queue-5.6/kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
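Review bot: The descriptor bytes compared in the added `sony_report_fixup()` block come from the device, and the only thing that keeps `rdesc[44]` in bounds is that `*rsize >= 45` is evaluated before the array reads in the same `&&` chain; that ordering deserves a comment so a later reshuffle of the condition does not drop it, e.g. `/* length check must come first: highest index touched below is 44 */`. The offsets 23/24, 37/38 and 43/44 are bare numbers, and naming them (or at least the minimum length) would make the match easier to audit. The write `rdesc[44] = 0x00;` sets the padding Report Count to zero rather than deleting the item, which the block comment could say explicitly. The function begins outside the hunk.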
@@ -0,0 +1,71 @@
+From 54e200ab40fc14c863bcc80a51e20b7906608fce Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Thu, 4 Jun 2020 16:51:27 -0700
+Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open
+
+From: Daniel Axtens
+
+commit 54e200ab40fc14c863bcc80a51e20b7906608fce upstream.
+
+alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
+In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
+invalid pointer:
+
+ BUG: Unable to handle kernel data access at 0x7dae0000
+ Faulting instruction address: 0xc0000000003f3fec
+ ...
+ NIP relay_open+0x29c/0x600
+ LR relay_open+0x270/0x600
+ Call Trace:
+ relay_open+0x264/0x600 (unreliable)
+ __blk_trace_setup+0x254/0x600
+ blk_trace_setup+0x68/0xa0
+ sg_ioctl+0x7bc/0x2e80
+ do_vfs_ioctl+0x13c/0x1300
+ ksys_ioctl+0x94/0x130
+ sys_ioctl+0x48/0xb0
+ system_call+0x5c/0x68
+
+Check if alloc_percpu returns NULL.
+
+This was found by syzkaller both on x86 and powerpc, and the reproducer
+it found on powerpc is capable of hitting the issue as an unprivileged
+user.
+
+Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
+Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
+Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
+Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
+Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
+Signed-off-by: Daniel Axtens
+Signed-off-by: Andrew Morton
+Reviewed-by: Michael Ellerman
+Reviewed-by: Andrew Donnellan
+Acked-by: David Rientjes
+Cc: Akash Goel
+Cc: Andrew Donnellan
+Cc: Guenter Roeck
+Cc: Salvatore Bonaccorso
+Cc: [4.10+]
+Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/relay.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *bas
+ return NULL;
+
+ chan->buf = alloc_percpu(struct rchan_buf *);
++ if (!chan->buf) {
++ kfree(chan);
++ return NULL;
++ }
++
+ chan->version = RELAYFS_CHANNEL_VERSION;
+ chan->n_subbufs = n_subbufs;
+ chan->subbuf_size = subbuf_size;
diff --git a/queue-5.6/media-revert-staging-imgu-address-a-compiler-warning-on-alignment.patch b/queue-5.6/media-revert-staging-imgu-address-a-compiler-warning-on-alignment.patch
new file mode 100644
index 00000000000..00218d77dc8
--- /dev/null
+++ b/queue-5.6/media-revert-staging-imgu-address-a-compiler-warning-on-alignment.patch
@@ -0,0 +1,38 @@
+From 81d1adeb52c97fbe097e8c94e36c3eb702cdb110 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Wed, 15 Apr 2020 17:34:05 +0200
+Subject: media: Revert "staging: imgu: Address a compiler warning on alignment"
+
+From: Sakari Ailus
+
+commit 81d1adeb52c97fbe097e8c94e36c3eb702cdb110 upstream.
+
+This reverts commit c9d52c114a9fcc61c30512c7f810247a9f2812af.
+
+The patch being reverted changed the memory layout of struct
+ipu3_uapi_acc_param. Revert it, and address the compiler warning issues in
+further patches.
+
+Fixes: commit c9d52c114a9f ("media: staging: imgu: Address a compiler warning on alignment")
+Reported-by: Tomasz Figa
+Tested-by: Bingbu Cao
+Cc: stable@vger.kernel.org # for v5.3 and up
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/media/ipu3/include/intel-ipu3.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/media/ipu3/include/intel-ipu3.h
++++ b/drivers/staging/media/ipu3/include/intel-ipu3.h
+@@ -2477,7 +2477,7 @@ struct ipu3_uapi_acc_param {
+ struct ipu3_uapi_yuvp1_yds_config yds2 __attribute__((aligned(32)));
+ struct ipu3_uapi_yuvp2_tcc_static_config tcc __attribute__((aligned(32)));
+ struct ipu3_uapi_anr_config anr;
+- struct ipu3_uapi_awb_fr_config_s awb_fr __attribute__((aligned(32)));
++ struct ipu3_uapi_awb_fr_config_s awb_fr;
+ struct ipu3_uapi_ae_config ae;
+ struct ipu3_uapi_af_config_s af;
+ struct ipu3_uapi_awb_config awb;
diff --git a/queue-5.6/media-staging-ipu3-imgu-move-alignment-attribute-to-field.patch b/queue-5.6/media-staging-ipu3-imgu-move-alignment-attribute-to-field.patch
new file mode 100644
index 00000000000..7efdec29bef
--- /dev/null
+++ b/queue-5.6/media-staging-ipu3-imgu-move-alignment-attribute-to-field.patch
@@ -0,0 +1,46 @@
+From 8c038effd893920facedf18c2c0976cec4a33408 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Wed, 15 Apr 2020 17:40:09 +0200
+Subject: media: staging: ipu3-imgu: Move alignment attribute to field
+
+From: Sakari Ailus
+
+commit 8c038effd893920facedf18c2c0976cec4a33408 upstream.
+
+Move the alignment attribute of struct ipu3_uapi_awb_fr_config_s to the
+field in struct ipu3_uapi_4a_config, the other location where the struct
+is used.
+
+Fixes: commit c9d52c114a9f ("media: staging: imgu: Address a compiler warning on alignment")
+Reported-by: Tomasz Figa
+Tested-by: Bingbu Cao
+Cc: stable@vger.kernel.org # for v5.3 and up
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/media/ipu3/include/intel-ipu3.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/ipu3/include/intel-ipu3.h
++++ b/drivers/staging/media/ipu3/include/intel-ipu3.h
+@@ -450,7 +450,7 @@ struct ipu3_uapi_awb_fr_config_s {
+ __u32 bayer_sign;
+ __u8 bayer_nf;
+ __u8 reserved2[7];
+-} __attribute__((aligned(32))) __packed;
++} __packed;
+
+ /**
+ * struct ipu3_uapi_4a_config - 4A config
+@@ -466,7 +466,8 @@ struct ipu3_uapi_4a_config {
+ struct ipu3_uapi_ae_grid_config ae_grd_config;
+ __u8 padding[20];
+ struct ipu3_uapi_af_config_s af_config;
+- struct ipu3_uapi_awb_fr_config_s awb_fr_config;
++ struct ipu3_uapi_awb_fr_config_s awb_fr_config
++ __attribute__((aligned(32)));
+ } __packed;
+
+ /**
diff --git a/queue-5.6/mm-fix-mremap-not-considering-huge-pmd-devmap.patch b/queue-5.6/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
new file mode 100644
index 00000000000..4626df0cda3
--- /dev/null
+++ b/queue-5.6/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
@@ -0,0 +1,56 @@
+From 5bfea2d9b17f1034a68147a8b03b9789af5700f9 Mon Sep 17 00:00:00 2001
+From: Fan Yang
+Date: Thu, 4 Jun 2020 18:22:07 +0800
+Subject: mm: Fix mremap not considering huge pmd devmap
+
+From: Fan Yang
+
+commit 5bfea2d9b17f1034a68147a8b03b9789af5700f9 upstream.
+
+The original code in mm/mremap.c checks huge pmd by:
+
+ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
+
+However, a DAX mapped nvdimm is mapped as huge page (by default) but it
+is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit
+changes the condition to include the case.
+
+This addresses CVE-2020-10757.
+
+Fixes: 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd")
+Cc:
+Reported-by: Fan Yang
+Signed-off-by: Fan Yang
+Tested-by: Fan Yang
+Tested-by: Dan Williams
+Reviewed-by: Dan Williams
+Acked-by: Kirill A. Shutemov
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/pgtable.h | 1 +
+ mm/mremap.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -256,6 +256,7 @@ static inline int pmd_large(pmd_t pte)
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
++/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */
+ static inline int pmd_trans_huge(pmd_t pmd)
+ {
+ return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE;
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -266,7 +266,7 @@ unsigned long move_page_tables(struct vm
+ new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);
+ if (!new_pmd)
+ break;
+- if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
++ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {
+ if (extent == HPAGE_PMD_SIZE) {
+ bool moved;
+ /* See comment in move_ptes() */
diff --git a/queue-5.6/mmc-fix-compilation-of-user-api.patch b/queue-5.6/mmc-fix-compilation-of-user-api.patch
new file mode 100644
index 00000000000..b86191f2803
--- /dev/null
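Review bot: The comment added above `pmd_trans_huge()` in arch/x86/include/asm/pgtable.h is hard to parse and does not say what goes wrong; since the helper returns false when `_PAGE_DEVMAP` is set, I would word it as `/* NOTE: false for devmap (DAX) huge PMDs; code testing for any huge PMD must also check pmd_devmap() or use pmd_large(). */`. The mm/mremap.c part fixes the one check in `move_page_tables()`; whether other callers that test `pmd_trans_huge()` alone need the same treatment cannot be judged from these hunks and is worth an audit. Both functions continue outside the hunks shown.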
+++ b/queue-5.6/mmc-fix-compilation-of-user-api.patch
@@ -0,0 +1,41 @@
+From 83fc5dd57f86c3ec7d6d22565a6ff6c948853b64 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Pouiller?=
+Date: Mon, 11 May 2020 18:19:02 +0200
+Subject: mmc: fix compilation of user API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jérôme Pouiller
+
+commit 83fc5dd57f86c3ec7d6d22565a6ff6c948853b64 upstream.
+
+The definitions of MMC_IOC_CMD and of MMC_IOC_MULTI_CMD rely on
+MMC_BLOCK_MAJOR:
+
+ #define MMC_IOC_CMD _IOWR(MMC_BLOCK_MAJOR, 0, struct mmc_ioc_cmd)
+ #define MMC_IOC_MULTI_CMD _IOWR(MMC_BLOCK_MAJOR, 1, struct mmc_ioc_multi_cmd)
+
+However, MMC_BLOCK_MAJOR is defined in linux/major.h and
+linux/mmc/ioctl.h did not include it.
+
+Signed-off-by: Jérôme Pouiller
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200511161902.191405-1-Jerome.Pouiller@silabs.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/uapi/linux/mmc/ioctl.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/uapi/linux/mmc/ioctl.h
++++ b/include/uapi/linux/mmc/ioctl.h
+@@ -3,6 +3,7 @@
+ #define LINUX_MMC_IOCTL_H
+
+ #include
++#include
+
+ struct mmc_ioc_cmd {
+ /*
diff --git a/queue-5.6/mt76-mt76x02u-add-support-for-newer-versions-of-the-xbox-one-wifi-adapter.patch b/queue-5.6/mt76-mt76x02u-add-support-for-newer-versions-of-the-xbox-one-wifi-adapter.patch
new file mode 100644
index 00000000000..d289f2db98f
--- /dev/null
+++ b/queue-5.6/mt76-mt76x02u-add-support-for-newer-versions-of-the-xbox-one-wifi-adapter.patch
@@ -0,0 +1,41 @@
+From b2934279c3e9719145ff4090d4ab951e340df17e Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Wed, 18 Mar 2020 16:07:48 -0700
+Subject: mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter
+
+From: Matthew Garrett
+
+commit b2934279c3e9719145ff4090d4ab951e340df17e upstream.
+
+The current version has a new USB ID and reports as an 0x7632 device.
+Adding the IDs results in it working out of the box.
+
+Signed-off-by: Matthew Garrett
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mediatek/mt76/mt76x02.h | 1 +
+ drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76x02.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76x02.h
+@@ -211,6 +211,7 @@ static inline bool is_mt76x0(struct mt76
+ static inline bool is_mt76x2(struct mt76x02_dev *dev)
+ {
+ return mt76_chip(&dev->mt76) == 0x7612 ||
++ mt76_chip(&dev->mt76) == 0x7632 ||
+ mt76_chip(&dev->mt76) == 0x7662 ||
+ mt76_chip(&dev->mt76) == 0x7602;
+ }
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+@@ -18,6 +18,7 @@ static const struct usb_device_id mt76x2
+ { USB_DEVICE(0x7392, 0xb711) }, /* Edimax EW 7722 UAC */
+ { USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */
+ { USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */
++ { USB_DEVICE(0x045e, 0x02fe) }, /* XBox One Wireless Adapter */
+ { },
+ };
+
diff --git a/queue-5.6/p54usb-add-airvast-usb-stick-device-id.patch b/queue-5.6/p54usb-add-airvast-usb-stick-device-id.patch
new file mode 100644
index 00000000000..d5ee0118a0e
--- /dev/null
+++ b/queue-5.6/p54usb-add-airvast-usb-stick-device-id.patch
@@ -0,0 +1,35 @@
+From 63e49a9fdac1b4e97ac26cb3fe953f210d83bc53 Mon Sep 17 00:00:00 2001
+From: Giuseppe Marco Randazzo
+Date: Mon, 6 Apr 2020 00:06:59 +0200
+Subject: p54usb: add AirVasT USB stick device-id
+
+From: Giuseppe Marco Randazzo
+
+commit 63e49a9fdac1b4e97ac26cb3fe953f210d83bc53 upstream.
+
+This patch adds the AirVasT USB wireless devices 124a:4026
+to the list of supported devices. It's using the ISL3886
+usb firmware. Without this modification, the wiki adapter
+is not recognized.
+
+Cc:
+Signed-off-by: Giuseppe Marco Randazzo
+Signed-off-by: Christian Lamparter [formatted, reworded]
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200405220659.45621-1-chunkeey@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intersil/p54/p54usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/intersil/p54/p54usb.c
++++ b/drivers/net/wireless/intersil/p54/p54usb.c
+@@ -61,6 +61,7 @@ static const struct usb_device_id p54u_t
+ {USB_DEVICE(0x0db0, 0x6826)}, /* MSI UB54G (MS-6826) */
+ {USB_DEVICE(0x107b, 0x55f2)}, /* Gateway WGU-210 (Gemtek) */
+ {USB_DEVICE(0x124a, 0x4023)}, /* Shuttle PN15, Airvast WM168g, IOGear GWU513 */
++ {USB_DEVICE(0x124a, 0x4026)}, /* AirVasT USB wireless device */
+ {USB_DEVICE(0x1435, 0x0210)}, /* Inventel UR054G */
+ {USB_DEVICE(0x15a9, 0x0002)}, /* Gemtek WUBI-100GW 802.11g */
+ {USB_DEVICE(0x1630, 0x0005)}, /* 2Wire 802.11g USB (v1) / Z-Com */
diff --git a/queue-5.6/series b/queue-5.6/series
index f3bc9963ae8..431b3e4b884 100644
--- a/queue-5.6/series
+++ b/queue-5.6/series
@@ -28,3 +28,14 @@ net-ethernet-stmmac-enable-interface-clocks-on-probe.patch
 selftests-mlxsw-qos_mc_aware-specify-arping-timeout-.patch
 net-fix-return-value-about-devm_platform_ioremap_res.patch
 net-smsc911x-fix-runtime-pm-imbalance-on-error.patch
+mm-fix-mremap-not-considering-huge-pmd-devmap.patch
+hid-sony-fix-for-broken-buttons-on-ds3-usb-dongles.patch
+hid-multitouch-enable-multi-input-as-a-quirk-for-some-devices.patch
+hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
+p54usb-add-airvast-usb-stick-device-id.patch
+mt76-mt76x02u-add-support-for-newer-versions-of-the-xbox-one-wifi-adapter.patch
+crypto-api-fix-use-after-free-and-race-in-crypto_spawn_alg.patch
+kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
+mmc-fix-compilation-of-user-api.patch
+media-revert-staging-imgu-address-a-compiler-warning-on-alignment.patch
+media-staging-ipu3-imgu-move-alignment-attribute-to-field.patch
-- 
2.47.3