1. 19 6月, 2019 40 次提交
    • C
      nvme: remove the ifdef around nvme_nvm_ioctl · 54261634
      Christoph Hellwig 提交于
      [ Upstream commit 3f98bcc58cd5f1e4668db289dcab771874cc0920 ]
      
      We already have a proper stub if lightnvm is not enabled, so don't bother
      with the ifdef.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Reviewed-by: NKeith Busch <keith.busch@intel.com>
      Reviewed-by: NChaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      54261634
    • C
      nvme: fix srcu locking on error return in nvme_get_ns_from_disk · a6515af9
      Christoph Hellwig 提交于
      [ Upstream commit 100c815cbd56480b3e31518475b04719c363614a ]
      
      If we can't get a namespace don't leak the SRCU lock.  nvme_ioctl was
      working around this, but nvme_pr_command wasn't handling this properly.
      Just do what callers would usually expect.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Reviewed-by: NKeith Busch <keith.busch@intel.com>
      Reviewed-by: NChaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a6515af9
    • M
      arm64/mm: Inhibit huge-vmap with ptdump · c4e97af6
      Mark Rutland 提交于
      [ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ]
      
      The arm64 ptdump code can race with concurrent modification of the
      kernel page tables. At the time this was added, this was sound as:
      
      * Modifications to leaf entries could result in stale information being
        logged, but would not result in a functional problem.
      
      * Boot time modifications to non-leaf entries (e.g. freeing of initmem)
        were performed when the ptdump code cannot be invoked.
      
      * At runtime, modifications to non-leaf entries only occurred in the
        vmalloc region, and these were strictly additive, as intermediate
        entries were never freed.
      
      However, since commit:
      
        commit 324420bf ("arm64: add support for ioremap() block mappings")
      
      ... it has been possible to create huge mappings in the vmalloc area at
      runtime, and as part of this existing intermediate levels of table my be
      removed and freed.
      
      It's possible for the ptdump code to race with this, and continue to
      walk tables which have been freed (and potentially poisoned or
      reallocated). As a result of this, the ptdump code may dereference bogus
      addresses, which could be fatal.
      
      Since huge-vmap is a TLB and memory optimization, we can disable it when
      the runtime ptdump code is in use to avoid this problem.
      
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Fixes: 324420bf ("arm64: add support for ioremap() block mappings")
      Acked-by: NArd Biesheuvel <ard.biesheuvel@arm.com>
      Signed-off-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NAnshuman Khandual <anshuman.khandual@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c4e97af6
    • J
      scsi: lpfc: add check for loss of ndlp when sending RRQ · 0e50da1e
      James Smart 提交于
      [ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ]
      
      There was a missing qualification of a valid ndlp structure when calling to
      send an RRQ for an abort.  Add the check.
      Signed-off-by: NDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: NJames Smart <jsmart2021@gmail.com>
      Tested-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0e50da1e
    • J
      scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show · 334d1a23
      James Smart 提交于
      [ Upstream commit 79080d349f7f58a2e86c56043a3d04184d5f294a ]
      
      Many of the exit cases were not releasing the rcu read lock.  Corrected the
      exit paths.
      Signed-off-by: NDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: NJames Smart <jsmart2021@gmail.com>
      Tested-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      334d1a23
    • Y
      scsi: qedi: remove set but not used variables 'cdev' and 'udev' · 32d3f7d9
      YueHaibing 提交于
      [ Upstream commit d0adee5d12752256ff0c87ad7f002f21fe49d618 ]
      
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      drivers/scsi/qedi/qedi_iscsi.c: In function 'qedi_ep_connect':
      drivers/scsi/qedi/qedi_iscsi.c:813:23: warning: variable 'udev' set but not used [-Wunused-but-set-variable]
      drivers/scsi/qedi/qedi_iscsi.c:812:18: warning: variable 'cdev' set but not used [-Wunused-but-set-variable]
      
      These have never been used since introduction.
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Acked-by: NManish Rangankar <mrangankar@marvell.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      32d3f7d9
    • Y
      scsi: qedi: remove memset/memcpy to nfunc and use func instead · f3a7a113
      YueHaibing 提交于
      [ Upstream commit c09581a52765a85f19fc35340127396d5e3379cc ]
      
      KASAN reports this:
      
      BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi]
      Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429
      
      CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xfa/0x1ce lib/dump_stack.c:113
       print_address_description+0x1c4/0x270 mm/kasan/report.c:187
       kasan_report+0x149/0x18d mm/kasan/report.c:317
       memcpy+0x1f/0x50 mm/kasan/common.c:130
       qedi_dbg_err+0xda/0x330 [qedi]
       ? 0xffffffffc12d0000
       qedi_init+0x118/0x1000 [qedi]
       ? 0xffffffffc12d0000
       ? 0xffffffffc12d0000
       ? 0xffffffffc12d0000
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
      RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc
      R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
      
      The buggy address belongs to the variable:
       __func__.67584+0x0/0xffffffffffffd520 [qedi]
      
      Memory state around the buggy address:
       ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
       ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa
      > ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa
                                                                ^
       ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa
       ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa
      
      Currently the qedi_dbg_* family of functions can overrun the end of the
      source string if it is less than the destination buffer length because of
      the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc
      and just use func instead as it is always a null terminated string.
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Fixes: ace7f46b ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Reviewed-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f3a7a113
    • R
      f2fs: fix to avoid accessing xattr across the boundary · ae3787d4
      Randall Huang 提交于
      [ Upstream commit 2777e654371dd4207a3a7f4fb5fa39550053a080 ]
      
      When we traverse xattr entries via __find_xattr(),
      if the raw filesystem content is faked or any hardware failure occurs,
      out-of-bound error can be detected by KASAN.
      Fix the issue by introducing boundary check.
      
      [   38.402878] c7   1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c
      [   38.402891] c7   1827 Read of size 4 at addr ffffffc0b6fb35dc by task
      [   38.402935] c7   1827 Call trace:
      [   38.402952] c7   1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc
      [   38.402966] c7   1827 [<ffffff9008090030>] show_stack+0x20/0x2c
      [   38.402981] c7   1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140
      [   38.402995] c7   1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8
      [   38.403009] c7   1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc
      [   38.403022] c7   1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc
      [   38.403037] c7   1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8
      [   38.403051] c7   1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c
      [   38.403066] c7   1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0
      [   38.403080] c7   1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc
      [   38.403096] c7   1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938
      [   38.403109] c7   1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38
      [   38.403123] c7   1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98
      [   38.403136] c7   1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348
      [   38.403149] c7   1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774
      [   38.403163] c7   1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc
      [   38.403177] c7   1827 [<ffffff9008367fe0>] walk_component+0x160/0x520
      [   38.403190] c7   1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4
      [   38.403203] c7   1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8
      [   38.403216] c7   1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68
      [   38.403229] c7   1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c
      [   38.403241] c7   1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38
      Signed-off-by: NRandall Huang <huangrandall@google.com>
      [Jaegeuk Kim: Fix wrong ending boundary]
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ae3787d4
    • Y
      Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var · 32f26da4
      Young Xiao 提交于
      [ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ]
      
      There is an out-of-bounds access to "config[len - 1]" array when the
      variable "len" is zero.
      
      See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug
      in param_set_kgdboc_var()") for details.
      Signed-off-by: NYoung Xiao <YangX92@hotmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      32f26da4
    • V
      s390/kasan: fix strncpy_from_user kasan checks · fcc1ce5b
      Vasily Gorbik 提交于
      [ Upstream commit 01eb42afb45719cb41bb32c278e068073738899d ]
      
      arch/s390/lib/uaccess.c is built without kasan instrumentation. Kasan
      checks are performed explicitly in copy_from_user/copy_to_user
      functions. But since those functions could be inlined, calls from
      files like uaccess.c with instrumentation disabled won't generate
      kasan reports. This is currently the case with strncpy_from_user
      function which was revealed by newly added kasan test. Avoid inlining of
      copy_from_user/copy_to_user when the kernel is built with kasan support
      to make sure kasan checks are fully functional.
      Signed-off-by: NVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fcc1ce5b
    • T
      Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex" · eddfe967
      Takashi Iwai 提交于
      [ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ]
      
      This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32.
      
      The fix attempt was incorrect, leading to the mutex deadlock through
      the close of OSS sequencer client.  The proper fix needs more
      consideration, so let's revert it now.
      
      Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
      Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      eddfe967
    • T
      ALSA: seq: Fix race of get-subscription call vs port-delete ioctls · 731ebeed
      Takashi Iwai 提交于
      [ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ]
      
      The snd_seq_ioctl_get_subscription() retrieves the port subscriber
      information as a pointer, while the object isn't protected, hence it
      may be deleted before the actual reference.  This race was spotted by
      syzkaller and may lead to a UAF.
      
      The fix is simply copying the data in the lookup function that
      performs in the rwsem to protect against the deletion.
      
      Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      731ebeed
    • T
      ALSA: seq: Protect in-kernel ioctl calls with mutex · b52fd8af
      Takashi Iwai 提交于
      [ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
      
      ALSA OSS sequencer calls the ioctl function indirectly via
      snd_seq_kernel_client_ctl().  While we already applied the protection
      against races between the normal ioctls and writes via the client's
      ioctl_mutex, this code path was left untouched.  And this seems to be
      the cause of still remaining some rare UAF as spontaneously triggered
      by syzkaller.
      
      For the sake of robustness, wrap the ioctl_mutex also for the call via
      snd_seq_kernel_client_ctl(), too.
      
      Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b52fd8af
    • P
      x86/uaccess, kcov: Disable stack protector · 82055ad3
      Peter Zijlstra 提交于
      [ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ]
      
      New tooling noticed this mishap:
      
        kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled
        kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled
      
      All the other instrumentation (KASAN,UBSAN) also have stack protector
      disabled.
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      82055ad3
    • V
      drm/i915/sdvo: Implement proper HDMI audio support for SDVO · b08ec06c
      Ville Syrjälä 提交于
      commit d74408f528261f900dddb9778f61b5c5a7a6249c upstream.
      
      Our SDVO audio support is pretty bogus. We can't push audio over the
      SDVO bus, so trying to enable audio in the SDVO control register doesn't
      do anything. In fact it looks like the SDVO encoder will always mix in
      the audio coming over HDA, and there's no (at least documented) way to
      disable that from our side. So HDMI audio does work currently on gen4
      but only by luck really. On gen3 it got broken by the referenced commit.
      And what has always been missing on every platform is the ELD.
      
      To pass the ELD to the audio driver we need to write it to magic buffer
      in the SDVO encoder hardware which then gets pulled out via HDA in the
      other end. Ie. pretty much the same thing we had for native HDMI before
      we started to just pass the ELD between the drivers. This sort of
      explains why we even have that silly hardware buffer with native HDMI.
      
      $ cat /proc/asound/card0/eld#1.0
      -monitor_present		0
      -eld_valid		0
      +monitor_present		1
      +eld_valid		1
      +monitor_name		LG TV
      +connection_type		HDMI
      +...
      
      This also fixes our state readout since we can now query the SDVO
      encoder about the state of the "ELD valid" and "presence detect"
      bits. As mentioned those don't actually control whether audio
      gets sent over the HDMI cable, but it's the best we can do. And with
      the state checker appeased we can re-enable HDMI audio for gen3.
      
      Cc: stable@vger.kernel.org
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: zardam@gmail.com
      Tested-by: zardam@gmail.com
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108976
      Fixes: de44e256 ("drm/i915/sdvo: Shut up state checker with hdmi cards on gen3")
      Signed-off-by: NVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190409144054.24561-3-ville.syrjala@linux.intel.comReviewed-by: NImre Deak <imre.deak@intel.com>
      (cherry picked from commit dc49a56bd43bb04982e64b44436831da801d0237)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b08ec06c
    • S
      ASoC: fsl_asrc: Fix the issue about unsupported rate · b7398f45
      S.j. Wang 提交于
      commit b06c58c2a1eed571ea2a6640fdb85b7b00196b1e upstream.
      
      When the output sample rate is [8kHz, 30kHz], the limitation
      of the supported ratio range is [1/24, 8]. In the driver
      we use (8kHz, 30kHz) instead of [8kHz, 30kHz].
      So this patch is to fix this issue and the potential rounding
      issue with divider.
      
      Fixes: fff6e03c ("ASoC: fsl_asrc: add support for 8-30kHz
      output sample rate")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NShengjiu Wang <shengjiu.wang@nxp.com>
      Acked-by: NNicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b7398f45
    • S
      ASoC: cs42xx8: Add regcache mask dirty · d7d15ac3
      S.j. Wang 提交于
      commit ad6eecbfc01c987e0253371f274c3872042e4350 upstream.
      
      Add regcache_mark_dirty before regcache_sync for power
      of codec may be lost at suspend, then all the register
      need to be reconfigured.
      
      Fixes: 0c516b4f ("ASoC: cs42xx8: Add codec driver
      support for CS42448/CS42888")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NShengjiu Wang <shengjiu.wang@nxp.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7d15ac3
    • T
      cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css() · c3b85bda
      Tejun Heo 提交于
      commit 18fa84a2db0e15b02baa5d94bdb5bd509175d2f6 upstream.
      
      A PF_EXITING task can stay associated with an offline css.  If such
      task calls task_get_css(), it can get stuck indefinitely.  This can be
      triggered by BSD process accounting which writes to a file with
      PF_EXITING set when racing against memcg disable as in the backtrace
      at the end.
      
      After this change, task_get_css() may return a css which was already
      offline when the function was called.  None of the existing users are
      affected by this change.
      
        INFO: rcu_sched self-detected stall on CPU
        INFO: rcu_sched detected stalls on CPUs/tasks:
        ...
        NMI backtrace for cpu 0
        ...
        Call Trace:
         <IRQ>
         dump_stack+0x46/0x68
         nmi_cpu_backtrace.cold.2+0x13/0x57
         nmi_trigger_cpumask_backtrace+0xba/0xca
         rcu_dump_cpu_stacks+0x9e/0xce
         rcu_check_callbacks.cold.74+0x2af/0x433
         update_process_times+0x28/0x60
         tick_sched_timer+0x34/0x70
         __hrtimer_run_queues+0xee/0x250
         hrtimer_interrupt+0xf4/0x210
         smp_apic_timer_interrupt+0x56/0x110
         apic_timer_interrupt+0xf/0x20
         </IRQ>
        RIP: 0010:balance_dirty_pages_ratelimited+0x28f/0x3d0
        ...
         btrfs_file_write_iter+0x31b/0x563
         __vfs_write+0xfa/0x140
         __kernel_write+0x4f/0x100
         do_acct_process+0x495/0x580
         acct_process+0xb9/0xdb
         do_exit+0x748/0xa00
         do_group_exit+0x3a/0xa0
         get_signal+0x254/0x560
         do_signal+0x23/0x5c0
         exit_to_usermode_loop+0x5d/0xa0
         prepare_exit_to_usermode+0x53/0x80
         retint_user+0x8/0x8
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Cc: stable@vger.kernel.org # v4.2+
      Fixes: ec438699 ("cgroup, block: implement task_get_css() and use it in bio_associate_current()")
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3b85bda
    • C
      bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached · e599bfe5
      Coly Li 提交于
      commit 1f0ffa67349c56ea54c03ccfd1e073c990e7411e upstream.
      
      When people set a writeback percent via sysfs file,
        /sys/block/bcache<N>/bcache/writeback_percent
      current code directly sets BCACHE_DEV_WB_RUNNING to dc->disk.flags
      and schedules kworker dc->writeback_rate_update.
      
      If there is no cache set attached to, the writeback kernel thread is
      not running indeed, running dc->writeback_rate_update does not make
      sense and may cause NULL pointer deference when reference cache set
      pointer inside update_writeback_rate().
      
      This patch checks whether the cache set point (dc->disk.c) is NULL in
      sysfs interface handler, and only set BCACHE_DEV_WB_RUNNING and
      schedule dc->writeback_rate_update when dc->disk.c is not NULL (it
      means the cache device is attached to a cache set).
      
      This problem might be introduced from initial bcache commit, but
      commit 3fd47bfe ("bcache: stop dc->writeback_rate_update properly")
      changes part of the original code piece, so I add 'Fixes: 3fd47bfe'
      to indicate from which commit this patch can be applied.
      
      Fixes: 3fd47bfe ("bcache: stop dc->writeback_rate_update properly")
      Reported-by: NBjørn Forsman <bjorn.forsman@gmail.com>
      Signed-off-by: NColy Li <colyli@suse.de>
      Reviewed-by: NBjørn Forsman <bjorn.forsman@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e599bfe5
    • C
      bcache: fix stack corruption by PRECEDING_KEY() · 973fc2b3
      Coly Li 提交于
      commit 31b90956b124240aa8c63250243ae1a53585c5e2 upstream.
      
      Recently people report bcache code compiled with gcc9 is broken, one of
      the buggy behavior I observe is that two adjacent 4KB I/Os should merge
      into one but they don't. Finally it turns out to be a stack corruption
      caused by macro PRECEDING_KEY().
      
      See how PRECEDING_KEY() is defined in bset.h,
      437 #define PRECEDING_KEY(_k)                                       \
      438 ({                                                              \
      439         struct bkey *_ret = NULL;                               \
      440                                                                 \
      441         if (KEY_INODE(_k) || KEY_OFFSET(_k)) {                  \
      442                 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0);  \
      443                                                                 \
      444                 if (!_ret->low)                                 \
      445                         _ret->high--;                           \
      446                 _ret->low--;                                    \
      447         }                                                       \
      448                                                                 \
      449         _ret;                                                   \
      450 })
      
      At line 442, _ret points to address of a on-stack variable combined by
      KEY(), the life range of this on-stack variable is in line 442-446,
      once _ret is returned to bch_btree_insert_key(), the returned address
      points to an invalid stack address and this address is overwritten in
      the following called bch_btree_iter_init(). Then argument 'search' of
      bch_btree_iter_init() points to some address inside stackframe of
      bch_btree_iter_init(), exact address depends on how the compiler
      allocates stack space. Now the stack is corrupted.
      
      Fixes: 0eacac22 ("bcache: PRECEDING_KEY()")
      Signed-off-by: NColy Li <colyli@suse.de>
      Reviewed-by: NRolf Fokkens <rolf@rolffokkens.nl>
      Reviewed-by: NPierre JUHEN <pierre.juhen@orange.fr>
      Tested-by: NShenghui Wang <shhuiw@foxmail.com>
      Tested-by: NPierre JUHEN <pierre.juhen@orange.fr>
      Cc: Kent Overstreet <kent.overstreet@gmail.com>
      Cc: Nix <nix@esperi.org.uk>
      Cc: stable@vger.kernel.org
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      973fc2b3
    • R
      i2c: acorn: fix i2c warning · da3b915a
      Russell King 提交于
      commit ca21f851cc9643af049226d57fabc3c883ea648e upstream.
      
      The Acorn i2c driver (for RiscPC) triggers the "i2c adapter has no name"
      warning in the I2C core driver, resulting in the RTC being inaccessible.
      Fix this.
      
      Fixes: 2236baa7 ("i2c: Sanity checks on adapter registration")
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da3b915a
    • R
      iommu/arm-smmu: Avoid constant zero in TLBI writes · d3e58022
      Robin Murphy 提交于
      commit 4e4abae311e4b44aaf61f18a826fd7136037f199 upstream.
      
      Apparently, some Qualcomm arm64 platforms which appear to expose their
      SMMU global register space are still, in fact, using a hypervisor to
      mediate it by trapping and emulating register accesses. Sadly, some
      deployed versions of said trapping code have bugs wherein they go
      horribly wrong for stores using r31 (i.e. XZR/WZR) as the source
      register.
      
      While this can be mitigated for GCC today by tweaking the constraints
      for the implementation of writel_relaxed(), to avoid any potential
      arms race with future compilers more aggressively optimising register
      allocation, the simple way is to just remove all the problematic
      constant zeros. For the write-only TLB operations, the actual value is
      irrelevant anyway and any old nearby variable will provide a suitable
      GPR to encode. The one point at which we really do need a zero to clear
      a context bank happens before any of the TLB maintenance where crashes
      have been reported, so is apparently not a problem... :/
      Reported-by: NAngeloGioacchino Del Regno <kholk11@gmail.com>
      Tested-by: NMarc Gonzalez <marc.w.gonzalez@free.fr>
      Signed-off-by: NRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: NMarc Gonzalez <marc.w.gonzalez@free.fr>
      Acked-by: NWill Deacon <will.deacon@arm.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NJoerg Roedel <jroedel@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d3e58022
    • J
      ptrace: restore smp_rmb() in __ptrace_may_access() · 31e216cf
      Jann Horn 提交于
      commit f6581f5b55141a95657ef5742cf6a6bfa20a109f upstream.
      
      Restore the read memory barrier in __ptrace_may_access() that was deleted
      a couple years ago. Also add comments on this barrier and the one it pairs
      with to explain why they're there (as far as I understand).
      
      Fixes: bfedb589 ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
      Cc: stable@vger.kernel.org
      Acked-by: NKees Cook <keescook@chromium.org>
      Acked-by: NOleg Nesterov <oleg@redhat.com>
      Signed-off-by: NJann Horn <jannh@google.com>
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      31e216cf
    • E
      signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO · 662b831d
      Eric W. Biederman 提交于
      [ Upstream commit f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 ]
      
      Recently syzbot in conjunction with KMSAN reported that
      ptrace_peek_siginfo can copy an uninitialized siginfo to userspace.
      Inspecting ptrace_peek_siginfo confirms this.
      
      The problem is that off when initialized from args.off can be
      initialized to a negaive value.  At which point the "if (off >= 0)"
      test to see if off became negative fails because off started off
      negative.
      
      Prevent the core problem by adding a variable found that is only true
      if a siginfo is found and copied to a temporary in preparation for
      being copied to userspace.
      
      Prevent args.off from being truncated when being assigned to off by
      testing that off is <= the maximum possible value of off.  Convert off
      to an unsigned long so that we should not have to truncate args.off,
      we have well defined overflow behavior so if we add another check we
      won't risk fighting undefined compiler behavior, and so that we have a
      type whose maximum value is easy to test for.
      
      Cc: Andrei Vagin <avagin@gmail.com>
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
      Fixes: 84c751bd ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      662b831d
    • M
      mm/vmscan.c: fix trying to reclaim unevictable LRU page · 54a20289
      Minchan Kim 提交于
      commit a58f2cef26e1ca44182c8b22f4f4395e702a5795 upstream.
      
      There was the below bug report from Wu Fangsuo.
      
      On the CMA allocation path, isolate_migratepages_range() could isolate
      unevictable LRU pages and reclaim_clean_page_from_list() can try to
      reclaim them if they are clean file-backed pages.
      
        page:ffffffbf02f33b40 count:86 mapcount:84 mapping:ffffffc08fa7a810 index:0x24
        flags: 0x19040c(referenced|uptodate|arch_1|mappedtodisk|unevictable|mlocked)
        raw: 000000000019040c ffffffc08fa7a810 0000000000000024 0000005600000053
        raw: ffffffc009b05b20 ffffffc009b05b20 0000000000000000 ffffffc09bf3ee80
        page dumped because: VM_BUG_ON_PAGE(PageLRU(page) || PageUnevictable(page))
        page->mem_cgroup:ffffffc09bf3ee80
        ------------[ cut here ]------------
        kernel BUG at /home/build/farmland/adroid9.0/kernel/linux/mm/vmscan.c:1350!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 7125 Comm: syz-executor Tainted: G S              4.14.81 #3
        Hardware name: ASR AQUILAC EVB (DT)
        task: ffffffc00a54cd00 task.stack: ffffffc009b00000
        PC is at shrink_page_list+0x1998/0x3240
        LR is at shrink_page_list+0x1998/0x3240
        pc : [<ffffff90083a2158>] lr : [<ffffff90083a2158>] pstate: 60400045
        sp : ffffffc009b05940
        ..
           shrink_page_list+0x1998/0x3240
           reclaim_clean_pages_from_list+0x3c0/0x4f0
           alloc_contig_range+0x3bc/0x650
           cma_alloc+0x214/0x668
           ion_cma_allocate+0x98/0x1d8
           ion_alloc+0x200/0x7e0
           ion_ioctl+0x18c/0x378
           do_vfs_ioctl+0x17c/0x1780
           SyS_ioctl+0xac/0xc0
      
      Wu found it's due to commit ad6b6704 ("mm: remove SWAP_MLOCK in
      ttu").  Before that, unevictable pages go to cull_mlocked so that we
      can't reach the VM_BUG_ON_PAGE line.
      
      To fix the issue, this patch filters out unevictable LRU pages from the
      reclaim_clean_pages_from_list in CMA.
      
      Link: http://lkml.kernel.org/r/20190524071114.74202-1-minchan@kernel.org
      Fixes: ad6b6704 ("mm: remove SWAP_MLOCK in ttu")
      Signed-off-by: NMinchan Kim <minchan@kernel.org>
      Reported-by: NWu Fangsuo <fangsuowu@asrmicro.com>
      Debugged-by: NWu Fangsuo <fangsuowu@asrmicro.com>
      Tested-by: NWu Fangsuo <fangsuowu@asrmicro.com>
      Reviewed-by: NAndrew Morton <akpm@linux-foundation.org>
      Acked-by: NMichal Hocko <mhocko@suse.com>
      Cc: Pankaj Suryawanshi <pankaj.suryawanshi@einfochips.com>
      Cc: <stable@vger.kernel.org>	[4.12+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54a20289
    • W
      fs/ocfs2: fix race in ocfs2_dentry_attach_lock() · 6b9aa7ac
      Wengang Wang 提交于
      commit be99ca2716972a712cde46092c54dee5e6192bf8 upstream.
      
      ocfs2_dentry_attach_lock() can be executed in parallel threads against the
      same dentry.  Make that race safe.  The race is like this:
      
                  thread A                               thread B
      
      (A1) enter ocfs2_dentry_attach_lock,
      seeing dentry->d_fsdata is NULL,
      and no alias found by
      ocfs2_find_local_alias, so kmalloc
      a new ocfs2_dentry_lock structure
      to local variable "dl", dl1
      
                     .....
      
                                          (B1) enter ocfs2_dentry_attach_lock,
                                          seeing dentry->d_fsdata is NULL,
                                          and no alias found by
                                          ocfs2_find_local_alias so kmalloc
                                          a new ocfs2_dentry_lock structure
                                          to local variable "dl", dl2.
      
                                                         ......
      
      (A2) set dentry->d_fsdata with dl1,
      call ocfs2_dentry_lock() and increase
      dl1->dl_lockres.l_ro_holders to 1 on
      success.
                    ......
      
                                          (B2) set dentry->d_fsdata with dl2
                                          call ocfs2_dentry_lock() and increase
      				    dl2->dl_lockres.l_ro_holders to 1 on
      				    success.
      
                                                        ......
      
      (A3) call ocfs2_dentry_unlock()
      and decrease
      dl2->dl_lockres.l_ro_holders to 0
      on success.
                   ....
      
                                          (B3) call ocfs2_dentry_unlock(),
                                          decreasing
      				    dl2->dl_lockres.l_ro_holders, but
      				    see it's zero now, panic
      
      Link: http://lkml.kernel.org/r/20190529174636.22364-1-wen.gang.wang@oracle.comSigned-off-by: NWengang Wang <wen.gang.wang@oracle.com>
      Reported-by: NDaniel Sobe <daniel.sobe@nxp.com>
      Tested-by: NDaniel Sobe <daniel.sobe@nxp.com>
      Reviewed-by: NChangwei Ge <gechangwei@live.cn>
      Reviewed-by: NJoseph Qi <joseph.qi@linux.alibaba.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Gang He <ghe@suse.com>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b9aa7ac
    • S
      mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node · 553a1f0d
      Shakeel Butt 提交于
      commit 3510955b327176fd4cbab5baa75b449f077722a2 upstream.
      
      Syzbot reported following memory leak:
      
      ffffffffda RBX: 0000000000000003 RCX: 0000000000441f79
      BUG: memory leak
      unreferenced object 0xffff888114f26040 (size 32):
        comm "syz-executor626", pid 7056, jiffies 4294948701 (age 39.410s)
        hex dump (first 32 bytes):
          40 60 f2 14 81 88 ff ff 40 60 f2 14 81 88 ff ff  @`......@`......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
           slab_post_alloc_hook mm/slab.h:439 [inline]
           slab_alloc mm/slab.c:3326 [inline]
           kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
           kmalloc include/linux/slab.h:547 [inline]
           __memcg_init_list_lru_node+0x58/0xf0 mm/list_lru.c:352
           memcg_init_list_lru_node mm/list_lru.c:375 [inline]
           memcg_init_list_lru mm/list_lru.c:459 [inline]
           __list_lru_init+0x193/0x2a0 mm/list_lru.c:626
           alloc_super+0x2e0/0x310 fs/super.c:269
           sget_userns+0x94/0x2a0 fs/super.c:609
           sget+0x8d/0xb0 fs/super.c:660
           mount_nodev+0x31/0xb0 fs/super.c:1387
           fuse_mount+0x2d/0x40 fs/fuse/inode.c:1236
           legacy_get_tree+0x27/0x80 fs/fs_context.c:661
           vfs_get_tree+0x2e/0x120 fs/super.c:1476
           do_new_mount fs/namespace.c:2790 [inline]
           do_mount+0x932/0xc50 fs/namespace.c:3110
           ksys_mount+0xab/0x120 fs/namespace.c:3319
           __do_sys_mount fs/namespace.c:3333 [inline]
           __se_sys_mount fs/namespace.c:3330 [inline]
           __x64_sys_mount+0x26/0x30 fs/namespace.c:3330
           do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
           entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      This is a simple off by one bug on the error path.
      
      Link: http://lkml.kernel.org/r/20190528043202.99980-1-shakeelb@google.com
      Fixes: 60d3fd32 ("list_lru: introduce per-memcg lists")
      Reported-by: syzbot+f90a420dfe2b1b03cb2c@syzkaller.appspotmail.com
      Signed-off-by: NShakeel Butt <shakeelb@google.com>
      Acked-by: NMichal Hocko <mhocko@suse.com>
      Reviewed-by: NKirill Tkhai <ktkhai@virtuozzo.com>
      Cc: <stable@vger.kernel.org>	[4.0+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      553a1f0d
    • H
      libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk · b7f8bbbb
      Hans de Goede 提交于
      commit 31f6264e225fb92cf6f4b63031424f20797c297d upstream.
      
      We've received a bugreport that using LPM with ST1000LM024 drives leads
      to system lockups. So it seems that these models are buggy in more then
      1 way. Add NOLPM quirk to the existing quirks entry for BROKEN_FPDMA_AA.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1571330
      Cc: stable@vger.kernel.org
      Reviewed-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b7f8bbbb
    • T
      ALSA: firewire-motu: fix destruction of data for isochronous resources · 88fe0307
      Takashi Sakamoto 提交于
      commit 0e3fb6995bfabb23c172e8b883bf5ac57102678e upstream.
      
      The data for isochronous resources is not destroyed in expected place.
      This commit fixes the bug.
      
      Cc: <stable@vger.kernel.org> # v4.12+
      Fixes: 9b2bb4f2 ("ALSA: firewire-motu: add stream management functionality")
      Signed-off-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88fe0307
    • K
      ALSA: hda/realtek - Update headset mode for ALC256 · 786b1b40
      Kailang Yang 提交于
      commit 717f43d81afc1250300479075952a0e36d74ded3 upstream.
      
      ALC255 and ALC256 were some difference for hidden register.
      This update was suitable for ALC256.
      
      Fixes: e69e7e03 ("ALSA: hda/realtek - ALC256 speaker noise issue")
      Signed-off-by: NKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      786b1b40
    • T
      ALSA: oxfw: allow PCM capture for Stanton SCS.1m · 27effeff
      Takashi Sakamoto 提交于
      commit d8fa87c368f5b4096c4746894fdcc195da285df1 upstream.
      
      Stanton SCS.1m can transfer isochronous packet with Multi Bit Linear
      Audio data channels, therefore it allows software to capture PCM
      substream. However, ALSA oxfw driver doesn't.
      
      This commit changes the driver to add one PCM substream for capture
      direction.
      
      Fixes: de5126cc ("ALSA: oxfw: add stream format quirk for SCS.1 models")
      Cc: <stable@vger.kernel.org> # v4.5+
      Signed-off-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27effeff
    • H
      Revert "ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops" · b59c9322
      Hui Wang 提交于
      commit 17d304604a88cf20c8dfd2c95d3decb9c4f8bca4 upstream.
      
      This reverts commit 9cb40eb184c4220d244a532bd940c6345ad9dbd9.
      
      This patch introduces noise and headphone playback issue after
      rebooting or suspending/resuming. Let us revert it.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=203831
      Fixes: 9cb40eb184c4 ("ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NHui Wang <hui.wang@canonical.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b59c9322
    • J
      HID: wacom: Sync INTUOSP2_BT touch state after each frame if necessary · 9fbd67c5
      Jason Gerecke 提交于
      commit 69dbdfffef20c715df9f381b2cee4e9e0a4efd93 upstream.
      
      The Bluetooth interface of the 2nd-gen Intuos Pro batches together four
      independent "frames" of finger data into a single report. Each frame
      is essentially equivalent to a single USB report, with the up-to-10
      fingers worth of information being spread across two frames. At the
      moment the driver only calls `input_sync` after processing all four
      frames have been processed, which can result in the driver sending
      multiple updates for a single slot within the same SYN_REPORT. This
      can confuse userspace, so modify the driver to sync more often if
      necessary (i.e., after reporting the state of all fingers).
      
      Fixes: 4922cd26 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
      Cc: <stable@vger.kernel.org> # 4.11+
      Signed-off-by: NJason Gerecke <jason.gerecke@wacom.com>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9fbd67c5
    • J
      HID: wacom: Correct button numbering 2nd-gen Intuos Pro over Bluetooth · dd1d71ad
      Jason Gerecke 提交于
      commit 6441fc781c344df61402be1fde582c4491fa35fa upstream.
      
      The button numbering of the 2nd-gen Intuos Pro is not consistent between
      the USB and Bluetooth interfaces. Over USB, the HID_GENERIC codepath
      enumerates the eight ExpressKeys first (BTN_0 - BTN_7) followed by the
      center modeswitch button (BTN_8). The Bluetooth codepath, however, has
      the center modeswitch button as BTN_0 and the the eight ExpressKeys as
      BTN_1 - BTN_8. To ensure userspace button mappings do not change
      depending on how the tablet is connected, modify the Bluetooth codepath
      to report buttons in the same order as USB.
      
      To ensure the mode switch LED continues to toggle in response to the
      mode switch button, the `wacom_is_led_toggled` function also requires
      a small update.
      
      Link: https://github.com/linuxwacom/input-wacom/pull/79
      Fixes: 4922cd26 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
      Cc: <stable@vger.kernel.org> # 4.11+
      Signed-off-by: NJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: NAaron Skomra <aaron.skomra@wacom.com>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd1d71ad
    • J
      HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact · 52901353
      Jason Gerecke 提交于
      commit fe7f8d73d1af19b678171170e4e5384deb57833d upstream.
      
      The Bluetooth reports from the 2nd-gen Intuos Pro have separate bits for
      indicating if the tip or eraser is in contact with the tablet. At the
      moment, only the tip contact bit controls the state of the BTN_TOUCH
      event. This prevents the eraser from working as expected. This commit
      changes the driver to send BTN_TOUCH whenever either the tip or eraser
      contact bit is set.
      
      Fixes: 4922cd26 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
      Cc: <stable@vger.kernel.org> # 4.11+
      Signed-off-by: NJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: NAaron Skomra <aaron.skomra@wacom.com>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52901353
    • J
      HID: wacom: Don't report anything prior to the tool entering range · 3e9c0eb1
      Jason Gerecke 提交于
      commit e92a7be7fe5b2510fa60965eaf25f9e3dc08b8cc upstream.
      
      If the tool spends some time in prox before entering range, a series of
      events (e.g. ABS_DISTANCE, MSC_SERIAL) can be sent before we or userspace
      have any clue about the pen whose data is being reported. We need to hold
      off on reporting anything until the pen has entered range. Since we still
      want to report events that occur "in prox" after the pen has *left* range
      we use 'wacom-tool[0]' as the indicator that the pen did at one point
      enter range and provide us/userspace with tool type and serial number
      information.
      
      Fixes: a48324de ("HID: wacom: Bluetooth IRQ for Intuos Pro should handle prox/range")
      Cc: <stable@vger.kernel.org> # 4.11+
      Signed-off-by: NJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: NAaron Armstrong Skomra <aaron.skomra@wacom.com>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e9c0eb1
    • J
      HID: wacom: Don't set tool type until we're in range · 52a7d604
      Jason Gerecke 提交于
      commit 2cc08800a6b9fcda7c7afbcf2da1a6e8808da725 upstream.
      
      The serial number and tool type information that is reported by the tablet
      while a pen is merely "in prox" instead of fully "in range" can be stale
      and cause us to report incorrect tool information. Serial number, tool
      type, and other information is only valid once the pen comes fully in range
      so we should be careful to not use this information until that point.
      
      In particular, this issue may cause the driver to incorectly report
      BTN_TOOL_RUBBER after switching from the eraser tool back to the pen.
      
      Fixes: a48324de ("HID: wacom: Bluetooth IRQ for Intuos Pro should handle prox/range")
      Cc: <stable@vger.kernel.org> # 4.11+
      Signed-off-by: NJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: NAaron Armstrong Skomra <aaron.skomra@wacom.com>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52a7d604
    • B
      HID: multitouch: handle faulty Elo touch device · fa212dd5
      Benjamin Tissoires 提交于
      commit 81bcbad53bab4bf9f200eda303d7a05cdb9bd73b upstream.
      
      Since kernel v5.0, one single win8 touchscreen device failed.
      And it turns out this is because it reports 2 InRange usage per touch.
      
      It's a first, and I *really* wonder how this was allowed by Microsoft in
      the first place. But IIRC, Breno told me this happened *after* a firmware
      upgrade...
      
      Anyway, better be safe for those crappy devices, and make sure we have
      a full slot before jumping to the next.
      This won't prevent all crappy devices to fail here, but at least we will
      have a safeguard as long as the contact ID and the X and Y coordinates
      are placed in the report after the grabage.
      
      Fixes: 01eaac7e ("HID: multitouch: remove one copy of values")
      CC: stable@vger.kernel.org # v5.0+
      Reported-and-tested-by: NBreno Leitao <leitao@debian.org>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa212dd5
    • T
      nouveau: Fix build with CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT disabled · 9ae306d8
      Thomas Backlund 提交于
      Not-entirely-upstream-sha1-but-equivalent: bed2dd8421
      ("drm/ttm: Quick-test mmap offset in ttm_bo_mmap()")
      
      Setting CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=n (added by commit: b30a43ac7132)
      causes the build to fail with:
      
      ERROR: "drm_legacy_mmap" [drivers/gpu/drm/nouveau/nouveau.ko] undefined!
      
      This does not happend upstream as the offending code got removed in:
      bed2dd8421 ("drm/ttm: Quick-test mmap offset in ttm_bo_mmap()")
      
      Fix that by adding check for CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT around
      the drm_legacy_mmap() call.
      
      Also, as Sven Joachim pointed out, we need to make the check in
      CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=n case return -EINVAL as its done
      for basically all other gpu drivers, especially in upstream kernels
      drivers/gpu/drm/ttm/ttm_bo_vm.c as of the upstream commit bed2dd8421.
      
      NOTE. This is a minimal stable-only fix for trees where b30a43ac7132 is
      backported as the build error affects nouveau only.
      
      Fixes: b30a43ac7132 ("drm/nouveau: add kconfig option to turn off nouveau
             legacy contexts. (v3)")
      Signed-off-by: NThomas Backlund <tmb@mageia.org>
      Cc: stable@vger.kernel.org
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Sven Joachim <svenjoac@gmx.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ae306d8
    • D
      drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3) · d54e1b84
      Dave Airlie 提交于
      commit b30a43ac7132cdda833ac4b13dd1ebd35ace14b7 upstream.
      
      There was a nouveau DDX that relied on legacy context ioctls to work,
      but we fixed it years ago, give distros that have a modern DDX the
      option to break the uAPI and close the mess of holes that legacy
      context support is.
      
      Full context of the story:
      
      commit 0e975980
      Author: Peter Antoine <peter.antoine@intel.com>
      Date:   Tue Jun 23 08:18:49 2015 +0100
      
          drm: Turn off Legacy Context Functions
      
          The context functions are not used by the i915 driver and should not
          be used by modeset drivers. These driver functions contain several bugs
          and security holes. This change makes these functions optional can be
          turned on by a setting, they are turned off by default for modeset
          driver with the exception of the nouvea driver that may require them with
          an old version of libdrm.
      
          The previous attempt was
      
          commit 7c510133
          Author: Daniel Vetter <daniel.vetter@ffwll.ch>
          Date:   Thu Aug 8 15:41:21 2013 +0200
      
              drm: mark context support as a legacy subsystem
      
          but this had to be reverted
      
          commit c21eb21c
          Author: Dave Airlie <airlied@redhat.com>
          Date:   Fri Sep 20 08:32:59 2013 +1000
      
              Revert "drm: mark context support as a legacy subsystem"
      
          v2: remove returns from void function, and formatting (Daniel Vetter)
      
          v3:
          - s/Nova/nouveau/ in the commit message, and add references to the
            previous attempts
          - drop the part touching the drm hw lock, that should be a separate
            patch.
      
          Signed-off-by: Peter Antoine <peter.antoine@intel.com> (v2)
          Cc: Peter Antoine <peter.antoine@intel.com> (v2)
      Reviewed-by: NPeter Antoine <peter.antoine@intel.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      
      v2: move DRM_VM dependency into legacy config.
      v3: fix missing dep (kbuild robot)
      
      Cc: stable@vger.kernel.org
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d54e1b84