Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2016-02-26 22:18:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes 2016-02-17 10:23:16.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes 2016-02-26 22:18:18.000000000 +0100 @@ -1,0 +2,41 @@ +Tue Feb 23 11:30:49 CET 2016 - [email protected] + +- ALSA: hda - Apply clock gate workaround to Skylake, too + (bsc#966137). +- commit c601f8d + +------------------------------------------------------------------- +Thu Feb 18 13:48:14 CET 2016 - [email protected] + +- floppy: fix lock_fdc() signal handling (bnc#966880). +- commit f12d966 + +------------------------------------------------------------------- +Thu Feb 18 13:45:27 CET 2016 - [email protected] + +- floppy: refactor open() flags handling (bnc#966880). +- commit 70a427d + +------------------------------------------------------------------- +Thu Feb 18 10:31:57 CET 2016 - [email protected] + +- Update patches.kernel.org/patch-4.4.1-2 (CVE-2016-0723 + CVE-2016-2384 bnc#961500 bnc#966883 boo#954532 bsc#966693). +- commit 5c471bf + +------------------------------------------------------------------- +Thu Feb 18 08:56:03 CET 2016 - [email protected] + +- Linux 4.4.2 (CVE-2016-0723 CVE-2016-2384 bnc#961500 boo#954532 + bsc#966693). +- Delete + patches.drivers/ALSA-usb-audio-avoid-freeing-umidi-object-twice. +- Delete + patches.fixes/0001-tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch. +- Delete + patches.fixes/0002-n_tty-Fix-unsafe-reference-to-other-ldisc.patch. +- Delete + patches.fixes/HID-multitouch-fix-input-mode-switching-on-some-Elan. +- commit 19ca782 + +------------------------------------------------------------------- kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kernel-debug.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.4 -%define patchversion 4.4.1 +%define patchversion 4.4.2 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: A Debug Version of the Kernel License: GPL-2.0 Group: System/Kernel -Version: 4.4.1 +Version: 4.4.2 %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -16,7 +16,7 @@ # -%define patchversion 4.4.1 +%define patchversion 4.4.2 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -27,9 +27,9 @@ Summary: Kernel Documentation (man pages) License: GPL-2.0 Group: Documentation/Man -Version: 4.4.1 +Version: 4.4.2 %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.4 -%define patchversion 4.4.1 +%define patchversion 4.4.2 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.4.1 +Version: 4.4.2 %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.4.1 +%define patchversion 4.4.2 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -51,9 +51,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.4.1 +Version: 4.4.2 %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.4.1 +%define patchversion 4.4.2 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.4.1 +Version: 4.4.2 %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.4 -%define patchversion 4.4.1 +%define patchversion 4.4.2 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.4.1 +Version: 4.4.2 %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.4 -%define patchversion 4.4.1 +%define patchversion 4.4.2 %define variant %{nil} %define vanilla_only 0 @@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.4.1 +Version: 4.4.2 %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.4.1 +Version: 4.4.2 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif ++++++ kernel-vanilla.spec ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:28.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:28.000000000 +0100 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.4 -%define patchversion 4.4.1 +%define patchversion 4.4.2 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: The Standard Kernel - without any SUSE patches License: GPL-2.0 Group: System/Kernel -Version: 4.4.1 +Version: 4.4.2 %if 0%{?is_kotd} -Release: <RELEASE>.g6398c2d +Release: <RELEASE>.gc601f8d %else Release: 0 %endif ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/ALSA-hda-Apply-clock-gate-workaround-to-Skylake-too new/patches.drivers/ALSA-hda-Apply-clock-gate-workaround-to-Skylake-too --- old/patches.drivers/ALSA-hda-Apply-clock-gate-workaround-to-Skylake-too 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/ALSA-hda-Apply-clock-gate-workaround-to-Skylake-too 2016-02-23 11:30:49.000000000 +0100 @@ -0,0 +1,90 @@ +From 7e31a0159461818a1bda49662921b98a29c1187b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <[email protected]> +Date: Mon, 22 Feb 2016 15:18:13 +0100 +Subject: [PATCH] ALSA: hda - Apply clock gate workaround to Skylake, too +Git-commit: 7e31a0159461818a1bda49662921b98a29c1187b +Patch-mainline: 4.5-rc6 +References: bsc#966137 + +Some Skylake machines show the codec probe errors in certain +situations, e.g. HP Z240 desktop fails to probe the onboard Realtek +codec at reloading the snd-hda-intel module like: + snd_hda_intel 0000:00:1f.3: spurious response 0x200:0x2, last cmd=0x000000 + snd_hda_intel 0000:00:1f.3: azx_get_response timeout, switching to polling mode: lastcmd=0x000f0000 + snd_hda_intel 0000:00:1f.3: No response from codec, disabling MSI: last cmd=0x000f0000 + snd_hda_intel 0000:00:1f.3: Codec #0 probe error; disabling it... + hdaudio hdaudioC0D2: no AFG or MFG node found + snd_hda_intel 0000:00:1f.3: no codecs initialized + +Also, HP G470 G3 suffers from the similar problem, as reported in +bugzilla below. On this machine, the codec probe error appears even +at a fresh boot. + +As Libin suggested, the same workaround used for Broxton in the commit +[6639484ddaf6: ALSA: hda - disable dynamic clock gating on Broxton before reset] can be applied for Skylake in order to fix this problem. +The Intel HW team also confirmed that this is needed for SKL. + +This patch makes the workaround applied to both SKL and BXT +platforms. The referred macros are moved and one superfluous macro +(IS_BROXTON()) is another one (IS_BXT()) as well. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112731 +Suggested-by: Libin Yang <[email protected]> +Cc: <[email protected]> # v4.4+ +Signed-off-by: Takashi Iwai <[email protected]> + +--- + sound/pci/hda/hda_intel.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -357,7 +357,10 @@ enum { + ((pci)->device == 0x0d0c) || \ + ((pci)->device == 0x160c)) + +-#define IS_BROXTON(pci) ((pci)->device == 0x5a98) ++#define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170) ++#define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70) ++#define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98) ++#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci)) + + static char *driver_short_names[] = { + [AZX_DRIVER_ICH] = "HDA Intel", +@@ -534,13 +537,13 @@ static void hda_intel_init_chip(struct a + + if (chip->driver_caps & AZX_DCAPS_I915_POWERWELL) + snd_hdac_set_codec_wakeup(bus, true); +- if (IS_BROXTON(pci)) { ++ if (IS_SKL_PLUS(pci)) { + pci_read_config_dword(pci, INTEL_HDA_CGCTL, &val); + val = val & ~INTEL_HDA_CGCTL_MISCBDCGE; + pci_write_config_dword(pci, INTEL_HDA_CGCTL, val); + } + azx_init_chip(chip, full_reset); +- if (IS_BROXTON(pci)) { ++ if (IS_SKL_PLUS(pci)) { + pci_read_config_dword(pci, INTEL_HDA_CGCTL, &val); + val = val | INTEL_HDA_CGCTL_MISCBDCGE; + pci_write_config_dword(pci, INTEL_HDA_CGCTL, val); +@@ -549,7 +552,7 @@ static void hda_intel_init_chip(struct a + snd_hdac_set_codec_wakeup(bus, false); + + /* reduce dma latency to avoid noise */ +- if (IS_BROXTON(pci)) ++ if (IS_BXT(pci)) + bxt_reduce_dma_latency(chip); + } + +@@ -971,11 +974,6 @@ static int azx_resume(struct device *dev + /* put codec down to D3 at hibernation for Intel SKL+; + * otherwise BIOS may still access the codec and screw up the driver + */ +-#define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170) +-#define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70) +-#define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98) +-#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci)) +- + static int azx_freeze_noirq(struct device *dev) + { + struct pci_dev *pci = to_pci_dev(dev); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/ALSA-usb-audio-avoid-freeing-umidi-object-twice new/patches.drivers/ALSA-usb-audio-avoid-freeing-umidi-object-twice --- old/patches.drivers/ALSA-usb-audio-avoid-freeing-umidi-object-twice 2016-02-15 12:03:27.000000000 +0100 +++ new/patches.drivers/ALSA-usb-audio-avoid-freeing-umidi-object-twice 1970-01-01 01:00:00.000000000 +0100 @@ -1,33 +0,0 @@ -From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov <[email protected]> -Date: Sat, 13 Feb 2016 11:08:06 +0300 -Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice -Git-commit: 07d86ca93db7e5cdf4743564d98292042ec21af7 -Patch-mainline: 4.5-rc4 -References: CVE-2016-2384,bsc#966693 - -The 'umidi' object will be free'd on the error path by snd_usbmidi_free() -when tearing down the rawmidi interface. So we shouldn't try to free it -in snd_usbmidi_create() after having registered the rawmidi interface. - -Found by KASAN. - -Signed-off-by: Andrey Konovalov <[email protected]> -Acked-by: Clemens Ladisch <[email protected]> -Cc: <[email protected]> -Signed-off-by: Takashi Iwai <[email protected]> - ---- - sound/usb/midi.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/sound/usb/midi.c -+++ b/sound/usb/midi.c -@@ -2454,7 +2454,6 @@ int snd_usbmidi_create(struct snd_card * - else - err = snd_usbmidi_create_endpoints(umidi, endpoints); - if (err < 0) { -- snd_usbmidi_free(umidi); - return err; - } - ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0001-tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch new/patches.fixes/0001-tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch --- old/patches.fixes/0001-tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch 2016-02-02 17:31:39.000000000 +0100 +++ new/patches.fixes/0001-tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,66 +0,0 @@ -From: Peter Hurley <[email protected]> -Date: Sun, 10 Jan 2016 22:40:55 -0800 -Subject: tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) -Patch-mainline: v4.5-rc2 -Git-commit: 5c17c861a357e9458001f021a7afa7aab9937439 -References: bnc#961500 CVE-2016-0723 - -ioctl(TIOCGETD) retrieves the line discipline id directly from the -ldisc because the line discipline id (c_line) in termios is untrustworthy; -userspace may have set termios via ioctl(TCSETS*) without actually -changing the line discipline via ioctl(TIOCSETD). - -However, directly accessing the current ldisc via tty->ldisc is -unsafe; the ldisc ptr dereferenced may be stale if the line discipline -is changing via ioctl(TIOCSETD) or hangup. - -Wait for the line discipline reference (just like read() or write()) -to retrieve the "current" line discipline id. - -Cc: <[email protected]> -Signed-off-by: Peter Hurley <[email protected]> -Signed-off-by: Jiri Slaby <[email protected]> ---- - drivers/tty/tty_io.c | 24 +++++++++++++++++++++++- - 1 file changed, 23 insertions(+), 1 deletion(-) - ---- a/drivers/tty/tty_io.c -+++ b/drivers/tty/tty_io.c -@@ -2653,6 +2653,28 @@ static int tiocsetd(struct tty_struct *t - } - - /** -+ * tiocgetd - get line discipline -+ * @tty: tty device -+ * @p: pointer to user data -+ * -+ * Retrieves the line discipline id directly from the ldisc. -+ * -+ * Locking: waits for ldisc reference (in case the line discipline -+ * is changing or the tty is being hungup) -+ */ -+ -+static int tiocgetd(struct tty_struct *tty, int __user *p) -+{ -+ struct tty_ldisc *ld; -+ int ret; -+ -+ ld = tty_ldisc_ref_wait(tty); -+ ret = put_user(ld->ops->num, p); -+ tty_ldisc_deref(ld); -+ return ret; -+} -+ -+/** - * send_break - performed time break - * @tty: device to break on - * @duration: timeout in mS -@@ -2878,7 +2900,7 @@ long tty_ioctl(struct file *file, unsign - case TIOCGSID: - return tiocgsid(tty, real_tty, p); - case TIOCGETD: -- return put_user(tty->ldisc->ops->num, (int __user *)p); -+ return tiocgetd(tty, p); - case TIOCSETD: - return tiocsetd(tty, p); - case TIOCVHANGUP: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0002-n_tty-Fix-unsafe-reference-to-other-ldisc.patch new/patches.fixes/0002-n_tty-Fix-unsafe-reference-to-other-ldisc.patch --- old/patches.fixes/0002-n_tty-Fix-unsafe-reference-to-other-ldisc.patch 2016-02-02 17:31:39.000000000 +0100 +++ new/patches.fixes/0002-n_tty-Fix-unsafe-reference-to-other-ldisc.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,42 +0,0 @@ -From: Peter Hurley <[email protected]> -Date: Sun, 10 Jan 2016 22:40:56 -0800 -Subject: n_tty: Fix unsafe reference to "other" ldisc -Patch-mainline: v4.5-rc2 -Git-commit: 6d27a63caad3f13e96cf065d2d96828c2006be6b -References: bnc#961500 - -Although n_tty_check_unthrottle() has a valid ldisc reference (since -the tty core gets the ldisc ref in tty_read() before calling the line -discipline read() method), it does not have a valid ldisc reference to -the "other" pty of a pty pair. Since getting an ldisc reference for -tty->link essentially open-codes tty_wakeup(), just replace with the -equivalent tty_wakeup(). - -Cc: <[email protected]> -Signed-off-by: Peter Hurley <[email protected]> -Signed-off-by: Jiri Slaby <[email protected]> ---- - drivers/tty/n_tty.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - ---- a/drivers/tty/n_tty.c -+++ b/drivers/tty/n_tty.c -@@ -258,16 +258,13 @@ static void n_tty_check_throttle(struct - - static void n_tty_check_unthrottle(struct tty_struct *tty) - { -- if (tty->driver->type == TTY_DRIVER_TYPE_PTY && -- tty->link->ldisc->ops->write_wakeup == n_tty_write_wakeup) { -+ if (tty->driver->type == TTY_DRIVER_TYPE_PTY) { - if (chars_in_buffer(tty) > TTY_THRESHOLD_UNTHROTTLE) - return; - if (!tty->count) - return; - n_tty_kick_worker(tty); -- n_tty_write_wakeup(tty->link); -- if (waitqueue_active(&tty->link->write_wait)) -- wake_up_interruptible_poll(&tty->link->write_wait, POLLOUT); -+ tty_wakeup(tty->link); - return; - } - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/HID-multitouch-fix-input-mode-switching-on-some-Elan new/patches.fixes/HID-multitouch-fix-input-mode-switching-on-some-Elan --- old/patches.fixes/HID-multitouch-fix-input-mode-switching-on-some-Elan 2016-02-02 17:31:39.000000000 +0100 +++ new/patches.fixes/HID-multitouch-fix-input-mode-switching-on-some-Elan 1970-01-01 01:00:00.000000000 +0100 @@ -1,94 +0,0 @@ -From 73e7d63efb4d774883a338997943bfa59e127085 Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires <[email protected]> -Date: Tue, 1 Dec 2015 12:41:38 +0100 -Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels -Git-commit: 73e7d63efb4d774883a338997943bfa59e127085 -Patch-mainline: v4.5-rc1 -References: boo#954532 - -as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481 - -This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature -reports on demand for Win8 devices") as the origin of the problem but this -commit actually masked 2 firmware bugs that are annihilating each other: - -The report descriptor declares two features in reports 3 and 5: - -0x05, 0x0d, // Usage Page (Digitizers) 318 -0x09, 0x0e, // Usage (Device Configuration) 320 -0xa1, 0x01, // Collection (Application) 322 -0x85, 0x03, // Report ID (3) 324 -0x09, 0x22, // Usage (Finger) 326 -0xa1, 0x00, // Collection (Physical) 328 -0x09, 0x52, // Usage (Inputmode) 330 -0x15, 0x00, // Logical Minimum (0) 332 -0x25, 0x0a, // Logical Maximum (10) 334 -0x75, 0x08, // Report Size (8) 336 -0x95, 0x02, // Report Count (2) 338 -0xb1, 0x02, // Feature (Data,Var,Abs) 340 -0xc0, // End Collection 342 -0x09, 0x22, // Usage (Finger) 343 -0xa1, 0x00, // Collection (Physical) 345 -0x85, 0x05, // Report ID (5) 347 -0x09, 0x57, // Usage (Surface Switch) 349 -0x09, 0x58, // Usage (Button Switch) 351 -0x15, 0x00, // Logical Minimum (0) 353 -0x75, 0x01, // Report Size (1) 355 -0x95, 0x02, // Report Count (2) 357 -0x25, 0x03, // Logical Maximum (3) 359 -0xb1, 0x02, // Feature (Data,Var,Abs) 361 -0x95, 0x0e, // Report Count (14) 363 -0xb1, 0x03, // Feature (Cnst,Var,Abs) 365 -0xc0, // End Collection 367 - -The report ID 3 presents 2 input mode features, while only the first one -is handled by the device. Given that we did not checked if one was -previously assigned, we were dealing with the ignored featured and we -should never have been able to switch this panel into the multitouch mode. - -However, the firmware presents an other bugs which allowed 6d4f5440 -to counteract the faulty report descriptor. When we request the values -of the feature 5, the firmware answers "03 03 00". The fields are correct -but the report id is wrong. Before 6d4f5440, we retrieved all the features -and injected them in the system. So when we called report 5, we injected -in the system the report 3 with the values "03 00". -Setting the second input mode to 03 in this report changed it to "03 03" -and the touchpad switched to the mt mode. We could have set anything -in the second field because the actual value (the first 03 in this report) -was given by the query of report ID 5. - -To sum up: 2 bugs in the firmware were hiding that we were accessing the -wrong feature. - -Signed-off-by: Benjamin Tissoires <[email protected]> -Signed-off-by: Jiri Kosina <[email protected]> -Acked-by: Takashi Iwai <[email protected]> - ---- - drivers/hid/hid-multitouch.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hi - break; - } - -- td->inputmode = field->report->id; -- td->inputmode_index = usage->usage_index; -+ if (td->inputmode < 0) { -+ td->inputmode = field->report->id; -+ td->inputmode_index = usage->usage_index; -+ } else { -+ /* -+ * Some elan panels wrongly declare 2 input mode -+ * features, and silently ignore when we set the -+ * value in the second field. Skip the second feature -+ * and hope for the best. -+ */ -+ dev_info(&hdev->dev, -+ "Ignoring the extra HID_DG_INPUTMODE\n"); -+ } - - break; - case HID_DG_CONTACTMAX: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/floppy-fix-lock_fdc-signal-handling.patch new/patches.fixes/floppy-fix-lock_fdc-signal-handling.patch --- old/patches.fixes/floppy-fix-lock_fdc-signal-handling.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/floppy-fix-lock_fdc-signal-handling.patch 2016-02-18 13:50:02.000000000 +0100 @@ -0,0 +1,179 @@ +From: Jiri Kosina <[email protected]> +Date: Mon, 1 Feb 2016 11:19:17 +0100 +Subject: floppy: fix lock_fdc() signal handling +Patch-mainline: 4.5-rc5 +Git-commit: a0c80efe5956ccce9fe7ae5c78542578c07bc20a +References: bnc#966880 + +floppy_revalidate() doesn't perform any error handling on lock_fdc() +result. lock_fdc() might actually be interrupted by a signal (it waits for +fdc becoming non-busy interruptibly). In such case, floppy_revalidate() +proceeds as if it had claimed the lock, but it fact it doesn't. + +In case of multiple threads trying to open("/dev/fdX"), this leads to +serious corruptions all over the place, because all of a sudden there is +no critical section protection (that'd otherwise be guaranteed by locked +fd) whatsoever. + +While at this, fix the fact that the 'interruptible' parameter to +lock_fdc() doesn't make any sense whatsoever, because we always wait +interruptibly anyway. + +Most of the lock_fdc() callsites do properly handle error (and propagate +EINTR), but floppy_revalidate() and floppy_check_events() don't. Fix this. + +Spotted by 'syzkaller' tool. + +Reported-by: Dmitry Vyukov <[email protected]> +Tested-by: Dmitry Vyukov <[email protected]> +Signed-off-by: Jiri Kosina <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/block/floppy.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index fa9bb742df6e..c1aacca88c8f 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -866,7 +866,7 @@ static void set_fdc(int drive) + } + + /* locks the driver */ +-static int lock_fdc(int drive, bool interruptible) ++static int lock_fdc(int drive) + { + if (WARN(atomic_read(&usage_count) == 0, + "Trying to lock fdc while usage count=0\n")) +@@ -2173,7 +2173,7 @@ static int do_format(int drive, struct format_descr *tmp_format_req) + { + int ret; + +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + + set_floppy(drive); +@@ -2960,7 +2960,7 @@ static int user_reset_fdc(int drive, int arg, bool interruptible) + { + int ret; + +- if (lock_fdc(drive, interruptible)) ++ if (lock_fdc(drive)) + return -EINTR; + + if (arg == FD_RESET_ALWAYS) +@@ -3243,7 +3243,7 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + mutex_lock(&open_lock); +- if (lock_fdc(drive, true)) { ++ if (lock_fdc(drive)) { + mutex_unlock(&open_lock); + return -EINTR; + } +@@ -3263,7 +3263,7 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + } else { + int oldStretch; + +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + if (cmd != FDDEFPRM) { + /* notice a disk change immediately, else +@@ -3349,7 +3349,7 @@ static int get_floppy_geometry(int drive, int type, struct floppy_struct **g) + if (type) + *g = &floppy_type[type]; + else { +- if (lock_fdc(drive, false)) ++ if (lock_fdc(drive)) + return -EINTR; + if (poll_drive(false, 0) == -EINTR) + return -EINTR; +@@ -3433,7 +3433,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + if (UDRS->fd_ref != 1) + /* somebody else has this drive open */ + return -EBUSY; +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + + /* do the actual eject. Fails on +@@ -3445,7 +3445,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + process_fd_request(); + return ret; + case FDCLRPRM: +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + current_type[drive] = NULL; + floppy_sizes[drive] = MAX_DISK_SIZE << 1; +@@ -3467,7 +3467,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + UDP->flags &= ~FTD_MSG; + return 0; + case FDFMTBEG: +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + if (poll_drive(true, FD_RAW_NEED_DISK) == -EINTR) + return -EINTR; +@@ -3484,7 +3484,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + return do_format(drive, &inparam.f); + case FDFMTEND: + case FDFLUSH: +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + return invalidate_drive(bdev); + case FDSETEMSGTRESH: +@@ -3507,7 +3507,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + outparam = UDP; + break; + case FDPOLLDRVSTAT: +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + if (poll_drive(true, FD_RAW_NEED_DISK) == -EINTR) + return -EINTR; +@@ -3530,7 +3530,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + case FDRAWCMD: + if (type) + return -EINVAL; +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + set_floppy(drive); + i = raw_cmd_ioctl(cmd, (void __user *)param); +@@ -3539,7 +3539,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + process_fd_request(); + return i; + case FDTWADDLE: +- if (lock_fdc(drive, true)) ++ if (lock_fdc(drive)) + return -EINTR; + twaddle(); + process_fd_request(); +@@ -3747,7 +3747,8 @@ static unsigned int floppy_check_events(struct gendisk *disk, + return DISK_EVENT_MEDIA_CHANGE; + + if (time_after(jiffies, UDRS->last_checked + UDP->checkfreq)) { +- lock_fdc(drive, false); ++ if (lock_fdc(drive)) ++ return -EINTR; + poll_drive(false, 0); + process_fd_request(); + } +@@ -3845,7 +3846,9 @@ static int floppy_revalidate(struct gendisk *disk) + "VFS: revalidate called on non-open device.\n")) + return -EFAULT; + +- lock_fdc(drive, false); ++ res = lock_fdc(drive); ++ if (res) ++ return res; + cf = (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags) || + test_bit(FD_VERIFY_BIT, &UDRS->flags)); + if (!(cf || test_bit(drive, &fake_change) || drive_no_geom(drive))) { +-- +2.7.1 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/floppy-refactor-open-flags-handling.patch new/patches.fixes/floppy-refactor-open-flags-handling.patch --- old/patches.fixes/floppy-refactor-open-flags-handling.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/floppy-refactor-open-flags-handling.patch 2016-02-18 13:50:02.000000000 +0100 @@ -0,0 +1,96 @@ +From: Jiri Kosina <[email protected]> +Date: Sat, 6 Feb 2016 23:00:22 +0100 +Subject: floppy: refactor open() flags handling +Patch-mainline: 4.5-rc5 +Git-commit: 09954bad448791ef01202351d437abdd9497a804 +References: bnc#966880 + +In case /dev/fdX is open with O_NDELAY / O_NONBLOCK, floppy_open() immediately +succeeds, without performing any further media / controller preparations. +That's "correct" wrt. the NODELAY flag, but is hardly correct wrt. the rest +of the floppy driver, that is not really O_NONBLOCK ready, at all. Therefore +it's not too surprising, that subsequent attempts to work with the +filedescriptor produce bad results. Namely, syzkaller tool has been able +to livelock mmap() on the returned fd to keep waiting on the page unlock +bit forever. + +Quite frankly, I have trouble defining what non-blocking behavior would be for +floppies. Is waiting ages for the driver to actually succeed reading a sector +blocking operation? Is waiting for drive motor to start blocking operation? How +about in case of virtualized floppies? + +One option would be returning EWOULDBLOCK in case O_NDLEAY / O_NONBLOCK is +being passed to open(). That has a theoretical potential of breaking some +arcane and archaic userspace though. + +Let's take a more conservative aproach, and accept the O_NDLEAY flag, and let +the driver behave as usual. + +While at it, clean up a bit handling of !(mode & (FMODE_READ|FMODE_WRITE)) +case and return EINVAL instead of succeeding as well. + +Spotted by syzkaller tool. + +Reported-by: Dmitry Vyukov <[email protected]> +Tested-by: Dmitry Vyukov <[email protected]> +Signed-off-by: Jiri Kosina <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/block/floppy.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index b206115d761c..84708a5f8c52 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3663,6 +3663,11 @@ static int floppy_open(struct block_device *bdev, fmode_t mode) + + opened_bdev[drive] = bdev; + ++ if (!(mode & (FMODE_READ|FMODE_WRITE))) { ++ res = -EINVAL; ++ goto out; ++ } ++ + res = -ENXIO; + + if (!floppy_track_buffer) { +@@ -3706,21 +3711,20 @@ static int floppy_open(struct block_device *bdev, fmode_t mode) + if (UFDCS->rawcmd == 1) + UFDCS->rawcmd = 2; + +- if (!(mode & FMODE_NDELAY)) { +- if (mode & (FMODE_READ|FMODE_WRITE)) { +- UDRS->last_checked = 0; +- clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags); +- check_disk_change(bdev); +- if (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags)) +- goto out; +- if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags)) +- goto out; +- } +- res = -EROFS; +- if ((mode & FMODE_WRITE) && +- !test_bit(FD_DISK_WRITABLE_BIT, &UDRS->flags)) +- goto out; +- } ++ UDRS->last_checked = 0; ++ clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags); ++ check_disk_change(bdev); ++ if (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags)) ++ goto out; ++ if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags)) ++ goto out; ++ ++ res = -EROFS; ++ ++ if ((mode & FMODE_WRITE) && ++ !test_bit(FD_DISK_WRITABLE_BIT, &UDRS->flags)) ++ goto out; ++ + mutex_unlock(&open_lock); + mutex_unlock(&floppy_mutex); + return 0; +-- +2.7.1 + ++++++ patches.kernel.org.tar.bz2 ++++++ ++++ 5450 lines of diff (skipped) ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:29.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:29.000000000 +0100 @@ -28,6 +28,7 @@ # Send separate patches upstream if you find a problem... ######################################################## patches.kernel.org/patch-4.4.1 + patches.kernel.org/patch-4.4.1-2 ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -332,6 +333,9 @@ patches.fixes/scsi-ignore-errors-from-scsi_dh_add_device patches.fixes/sd-Optimal-I-O-size-is-in-bytes-not-sectors + patches.fixes/floppy-refactor-open-flags-handling.patch + patches.fixes/floppy-fix-lock_fdc-signal-handling.patch + ######################################################## # DRM/Video ######################################################## @@ -385,18 +389,15 @@ ######################################################## # patches.suse/SUSE-bootsplash # patches.suse/SUSE-bootsplash-mgadrmfb-workaround - patches.fixes/HID-multitouch-fix-input-mode-switching-on-some-Elan ########################################################## # Sound ########################################################## - patches.drivers/ALSA-usb-audio-avoid-freeing-umidi-object-twice + patches.drivers/ALSA-hda-Apply-clock-gate-workaround-to-Skylake-too ######################################################## # Char / serial ######################################################## - patches.fixes/0001-tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch - patches.fixes/0002-n_tty-Fix-unsafe-reference-to-other-ldisc.patch ######################################################## # Other driver fixes ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.7Y5KUe/_old 2016-02-26 22:18:29.000000000 +0100 +++ /var/tmp/diff_new_pack.7Y5KUe/_new 2016-02-26 22:18:29.000000000 +0100 @@ -1,3 +1,3 @@ -2016-02-15 12:03:27 +0100 -GIT Revision: 6398c2df356e9052b52ba35e636955cf7a7154d9 +2016-02-23 11:30:49 +0100 +GIT Revision: c601f8d968ebc6e67356f602591365adcf716273 GIT Branch: stable
