Resolution/pressure fixes and new device support for hid-elan

New device support for hid-cougar

Cougar 500k Gaming Keyboard have some special function keys that
make the keyboard stop responding once pressed. Implement the custom
vendor interface that deals with the extended keypresses to fix.

The bug can be reproduced by plugging in the keyboard, then pressing the
rightmost part of the spacebar.

Signed-off-by: Daniel M. Lambea <dmlambea@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

The function compare_device_paths from wacom_sys.c is generic
and useful for other drivers. Move the function to hid-core and
rename it as hid_compare_device_paths.

Signed-off-by: Daniel M. Lambea <dmlambea@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

The Toshiba Click Mini L9W keyboard dock has a single i2c-hid Elan device
for both the keyboard and the touchpad. Add support for the touchpad to
the hid-elan driver, rather then relying on mouse emulation.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Now that we query all the parameters, adding support for new hardware
is easy. This commit adds support for the touchpad found on the
HP x2 10-n000nd touchpad 2-in-1.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Note all Elan touchpads have a LED make this configurable using
a flag in hi_id.driver_data.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Query the resolution from the touchpad and report it to userspace

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Query the device's max_x and max_y value from the touchpad rather then
hardcoding it. This makes adding support for other USB ids a lot easier.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

There is no need to have these configurable.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Elan has given me a (GPL-ed) Android driver for their non HID-mt touchpads
to help improve the upstream support.

Acoording to Elan what we are currently reporting as tool-width
really is a per-touch pressure. This always has a maximum of 255, so there
is no need to make the max configurable.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

We never report MT_TOUCH_MAJOR, so lets not claim that we do.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

max_area_x and max_area_y are initialized but never used anywhere,
drop them.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Pull HID fixes from Jiri Kosina:

 - spectrev1 pattern fix in hiddev from Gustavo A. R. Silva

 - bounds check fix for hid-debug from Daniel Rosenberg

 - regression fix for HID autobinding from Benjamin Tissoires

 - removal of excessive logging from i2c-hid driver from Jason Andryuk

 - fix specific to 2nd generation of Wacom Intuos devices from Jason
   Gerecke

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: hiddev: fix potential Spectre v1
  HID: i2c-hid: Fix "incomplete report" noise
  HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
  HID: debug: check length before copy_to_user()
  HID: core: allow concurrent registration of drivers

Update my TDA998x HDMI encoder MAINTAINERS entry to include the
dt-bindings header, and a keyword pattern to catch patches containing
the DT compatible.  Also change the status to "maintained" rather than
"supported".

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be
indirectly controlled by user-space, hence leading to a potential exploitation
of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)

Fix this by sanitizing such structure fields before using them to index
report->field, field->usage and hid->collection

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2



Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Commit ac75a041 ("HID: i2c-hid: fix size check and type usage") started
writing messages when the ret_size is <= 2 from i2c_master_recv.  However, my
device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop
moving the pointing stick or touchpad.  It varies, but you get ~50 messages
each time which spams the log hard.

[  95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)

This has also been observed with a i2c-ALP0017.

[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)

Only print the message when ret_size is totally invalid and less than 2 to cut
down on the log spam.

Fixes: ac75a041

 ("HID: i2c-hid: fix size check and type usage")
Reported-by: John Smith <john-s-84@gmx.net>
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Pull ARM SoC fixes from Olof Johansson:
 "A small collection of fixes, sort of the usual at this point, all for
  i.MX or OMAP:

   - Enable ULPI drivers on i.MX to avoid a hang

   - Pinctrl fix for touchscreen on i.MX51 ZII RDU1

   - Fixes for ethernet clock references on am3517

   - mmc0 write protect detection fix for am335x

   - kzalloc->kcalloc conversion in an OMAP driver

   - USB metastability fix for USB on dra7

   - Fix touchscreen wakeup on am437x"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: imx_v4_v5_defconfig: Select ULPI support
  ARM: imx_v6_v7_defconfig: Select ULPI support
  ARM: dts: omap3: Fix am3517 mdio and emac clock references
  ARM: dts: am335x-bone-common: Fix mmc0 Write Protect
  bus: ti-sysc: Use 2-factor allocator arguments
  ARM: dts: dra7: Disable metastability workaround for USB2
  ARM: dts: imx51-zii-rdu1: fix touchscreen pinctrl
  ARM: dts: am437x: make edt-ft5x06 a wakeup source

Pull x86/pti updates from Thomas Gleixner:
 "Two small fixes correcting the handling of SSB mitigations on AMD
  processors"

* 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
  x86/bugs: Update when to check for the LS_CFG SSBD mitigation

Pull x86 fixes from Thomas Gleixner:

 - Prevent an out-of-bounds access in mtrr_write()

 - Break a circular dependency in the new hyperv IPI acceleration code

 - Address the build breakage related to inline functions by enforcing
   gnu_inline and explicitly bringing native_save_fl() out of line,
   which also adds a set of _ARM_ARG macros which provide 32/64bit
   safety.

 - Initialize the shadow CR4 per cpu variable before using it.

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/mtrr: Don't copy out-of-bounds data in mtrr_write
  x86/hyper-v: Fix the circular dependency in IPI enlightenment
  x86/paravirt: Make native_save_fl() extern inline
  x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h>
  compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations
  x86/mm/32: Initialize the CR4 shadow before __flush_tlb_all()

Pull scheduler fixes from Thomas Gleixner:

 - The hopefully final fix for the reported race problems in
   kthread_parkme(). The previous attempt still left a hole and was
   partially wrong.

 - Plug a race in the remote tick mechanism which triggers a warning
   about updates not being done correctly. That's a false positive if
   the race condition is hit as the remote CPU is idle. Plug it by
   checking the condition again when holding run queue lock.

 - Fix a bug in the utilization estimation of a run queue which causes
   the estimation to be 0 when a run queue is throttled.

 - Advance the global expiration of the period timer when the timer is
   restarted after a idle period. Otherwise the expiry time is stale and
   the timer fires prematurely.

 - Cure the drift between the bandwidth timer and the runqueue
   accounting, which leads to bogus throttling of runqueues

 - Place the call to cpufreq_update_util() correctly so the function
   will observe the correct number of running RT tasks and not a stale
   one.

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  kthread, sched/core: Fix kthread_parkme() (again...)
  sched/util_est: Fix util_est_dequeue() for throttled cfs_rq
  sched/fair: Advance global expiration when period timer is restarted
  sched/fair: Fix bandwidth timer clock drift condition
  sched/rt: Fix call to cpufreq_update_util()
  sched/nohz: Skip remote tick on idle task entirely

Pull objtool fix from Thomas Gleixner:
 "A single fix for objtool to address a bug in handling the cold
  subfunction detection for aliased functions which was added recently.
  The bug causes objtool to enter an infinite loop"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  objtool: Support GCC 8 '-fnoreorder-functions'

Pull crypto fixes from Herbert Xu:

 - add missing RETs in x86 aegis/morus

 - fix build error in arm speck

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: x86 - Add missing RETs
  crypto: arm/speck - fix building in Thumb2 mode

Pull ext4 bugfixes from Ted Ts'o:
 "Bug fixes for ext4; most of which relate to vulnerabilities where a
  maliciously crafted file system image can result in a kernel OOPS or
  hang.

  At least one fix addresses an inline data bug could be triggered by
  userspace without the need of a crafted file system (although it does
  require that the inline data feature be enabled)"

* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
  ext4: check superblock mapped prior to committing
  ext4: add more mount time checks of the superblock
  ext4: add more inode number paranoia checks
  ext4: avoid running out of journal credits when appending to an inline file
  jbd2: don't mark block as modified if the handle is out of credits
  ext4: never move the system.data xattr out of the inode body
  ext4: clear i_data in ext4_inode_info when removing inline data
  ext4: include the illegal physical block in the bad map ext4_error msg
  ext4: verify the depth of extent tree in ext4_find_extent()
  ext4: only look at the bg_flags field if it is valid
  ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
  ext4: always check block group bounds in ext4_init_block_bitmap()
  ext4: always verify the magic number in xattr blocks
  ext4: add corruption check in ext4_xattr_set_entry()
  ext4: add warn_on_error mount option

Pull PCI fixes from Bjorn Helgaas:

 - Fix a use-after-free in the endpoint code (Dan Carpenter)

 - Stop defaulting CONFIG_PCIE_DW_PLAT_HOST to yes (Geert Uytterhoeven)

 - Fix an nfp regression caused by a change in how we limit the number
   of VFs we can enable (Jakub Kicinski)

 - Fix failure path cleanup issues in the new R-Car gen3 PHY support
   (Marek Vasut)

 - Fix leaks of OF nodes in faraday, xilinx-nwl, xilinx (Nicholas Mc
   Guire)

* tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  nfp: stop limiting VFs to 0
  PCI/IOV: Reset total_VFs limit after detaching PF driver
  PCI: faraday: Add missing of_node_put()
  PCI: xilinx-nwl: Add missing of_node_put()
  PCI: xilinx: Add missing of_node_put()
  PCI: endpoint: Use after free in pci_epf_unregister_driver()
  PCI: controller: dwc: Do not let PCIE_DW_PLAT_HOST default to yes
  PCI: rcar: Clean up PHY init on failure
  PCI: rcar: Shut the PHY down in failpath

Pull cifs fixes from Steve French:
 "Five smb3/cifs fixes for stable (including for some leaks and memory
  overwrites) and also a few fixes for recent regressions in packet
  signing.

  Additional testing at the recent SMB3 test event, and some good work
  by Paulo and others spotted the issues fixed here. In addition to my
  xfstest runs on these, Aurelien and Stefano did additional test runs
  to verify this set"

* tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
  cifs: Fix infinite loop when using hard mount option
  cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
  cifs: Fix memory leak in smb2_set_ea()
  cifs: fix SMB1 breakage
  cifs: Fix validation of signed data in smb2
  cifs: Fix validation of signed data in smb3+
  cifs: Fix use after free of a mid_q_entry

Pull dma-mapping fix from Christoph Hellwig:
 "Revert an incorrect dma-mapping commit for 4.18-rc"

* tag 'dma-mapping-4.18-3' of git://git.infradead.org/users/hch/dma-mapping:
  Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up intel_{alloc,free}_coherent()"

Pull dmaengine fixes from Vinod Koul:
 "We have few odd driver fixes and one email update change for you this
  time:

   - Driver fixes for k3dma (off by one), pl330 (burst residue
     granularity) and omap-dma (incorrect residue_granularity)

   - Sinan's email update"

* tag 'dmaengine-fix-4.18-rc4' of git://git.infradead.org/users/vkoul/slave-dma:
  dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
  dmaengine: pl330: report BURST residue granularity
  MAINTAINERS: Update email-id of Sinan Kaya
  dmaengine: ti: omap-dma: Fix OMAP1510 incorrect residue_granularity

Pull IPMI fixes from Corey Minyard:
 "A couple of small fixes: one to the BMC side of things that fixes an
  interrupt issue, and one oops fix if init fails in a certain way on
  the client driver"

* tag 'for-linus-4.18-2' of git://github.com/cminyard/linux-ipmi:
  ipmi: kcs_bmc: fix IRQ exception if the channel is not open
  ipmi: Cleanup oops on initialization failure

Pull arm64 LDFLAGS clean-up from Catalin Marinas:

 - use aarch64elf instead of aarch64linux

 - move endianness options to LDFLAGS instead from LD

 - remove no-op '-p' linker flag

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: remove no-op -p linker flag
  arm64: add endianness option to LDFLAGS instead of LD
  arm64: Use aarch64elf and aarch64elfb emulation mode variants

Don't access the provided buffer out of bounds - this can cause a kernel
out-of-bounds read when invoked through sys_splice() or other things that
use kernel_write()/__kernel_write().

Fixes: 7f8ec5a4

 ("x86/mtrr: Convert to use strncpy_from_user() helper")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180706215003.156702-1-jannh@google.com

Pull SCSI fixes from James Bottomley:
 "This is two minor bug fixes (aacraid, target) and a fix for a
  potential exploit in the way sg handles teardown"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: sg: mitigate read/write abuse
  scsi: aacraid: Fix PD performance regression over incorrect qd being set
  scsi: target: Fix truncated PR-in ReadKeys response

Pull block fixes from Jens Axboe:
 "Two minor fixes for this series:

   - add LOOP_SET_BLOCK_SIZE as compat ioctl (Evan Green)

   - drbd use-after-free fix (Lars Ellenberg)"

* tag 'for-linus-20180706' of git://git.kernel.dk/linux-block:
  loop: Add LOOP_SET_BLOCK_SIZE in compat ioctl
  drbd: fix access after free

Pull clk fixes from Stephen Boyd:
 "The usual collection of driver fixlets:

   - build cleanup/fix for the sunxi makefile that tried to save size
     but failed and prevented dead code elimination from working

   - two Davinci clk driver fixes for a typo causing build failures in
     different configurations and an error check that checks the wrong
     variable.

   - undo the DT ABI breaking imx6ul binding header shuffle that got
     merged this cycle"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  dt-bindings: clock: imx6ul: Do not change the clock definition order
  clk: davinci: fix a typo (which leads to build failures)
  clk: davinci: cfgchip: testing the wrong variable
  clk: sunxi-ng: replace lib-y with obj-y

Pull VFIO fixes from Alex Williamson:

 - Make vfio-pci IGD extensions optional via Kconfig (Alex Williamson)

 - Remove unused and soon to be removed map_atomic callback from mbochs
   sample driver, add unmap callback to avoid dmabuf leaks (Gerd
   Hoffmann)

 - Fix usage of get_user_pages_longterm() (Jason Gunthorpe)

 - Fix sample mbochs driver vm_operations_struct.fault return type
   (Souptick Joarder)

* tag 'vfio-v4.18-rc4' of git://github.com/awilliam/linux-vfio:
  sample/vfio-mdev: Change return type to vm_fault_t
  vfio: Use get_user_pages_longterm correctly
  sample/mdev/mbochs: add mbochs_kunmap_dmabuf
  sample/mdev/mbochs: remove mbochs_kmap_atomic_dmabuf
  vfio/pci: Make IGD support a configurable option

Pull s390 fixes from Martin Schwidefsky:
 "A few more changes for v4.18:

   - wire up the two new system calls io_pgetevents and rseq

   - fix a register corruption in the expolines code for machines
     without EXRL

   - drastically reduce the memory utilization of the dasd driver

   - fix reference counting for KVM page table pages"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390: wire up rseq system call
  s390: wire up io_pgetevents system call
  s390/mm: fix refcount usage for 4K pgste
  s390/dasd: reduce the default queue depth and nr of hardware queues
  s390: Correct register corruption in critical section cleanup

The IPI hypercalls depend on being able to map the Linux notion of CPU ID
to the hypervisor's notion of the CPU ID. The array hv_vp_index[] provides
this mapping. Code for populating this array depends on the IPI functionality.
Break this circular dependency.

[ tglx: Use a proper define instead of '-1' with a u32 variable as pointed
  	out by Vitaly ]

Fixes: 68bb7bfb

 ("X86/Hyper-V: Enable IPI enlightenments")
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Michael Kelley <mikelley@microsoft.com>
Cc: gregkh@linuxfoundation.org
Cc: devel@linuxdriverproject.org
Cc: olaf@aepfle.de
Cc: apw@canonical.com
Cc: jasowang@redhat.com
Cc: hpa@zytor.com
Cc: sthemmin@microsoft.com
Cc: Michael.H.Kelley@microsoft.com
Cc: vkuznets@redhat.com
Link: https://lkml.kernel.org/r/20180703230155.15160-1-kys@linuxonhyperv.com

Pull drm fixes from Dave Airlie:
 "This is the drm fixes for rc4.

  It's a bit larger than I'd like but the exynos cleanups are pretty
  mechanical, and I'd rather have them in sooner rather than later so we
  can avoid too much conflicts around them. The non-mechanincal exynos
  changes are mostly fixes for new feature recently introduced.

  Apart from the exynos updates, we have:

  i915:
   - GVT and GGTT mapping fixes

  amdgpu:
   - fix HDMI2.0 4K@60 Hz regression
   - Hotplug fixes for dual-GPU laptops to make power management better
   - misc vega12 bios fixes, a race fix and some typos.

  sii8620 bridge:
   - small fixes around mode setting

  core:
   - use kvzalloc to allocate blob property memory"

* tag 'drm-fixes-2018-07-06' of git://anongit.freedesktop.org/drm/drm: (34 commits)
  drm/amd/display: add a check for display depth validity
  drm/amd/display: adding ycbcr420 pixel encoding for hdmi
  drm/udl: fix display corruption of the last line
  drm/bridge/sii8620: Fix link mode selection
  drm/bridge/sii8620: Fix display of packed pixel modes
  drm/bridge/sii8620: Send AVI infoframe in all MHL versions
  drm/amdgpu: fix user fence write race condition
  drm/i915: Try GGTT mmapping whole object as partial
  drm/amdgpu/pm: fix display count in non-DC path
  drm/amdgpu: fix swapped emit_ib_size in vce3
  drm: Use kvzalloc for allocating blob property memory
  drm/i915/gvt: changed DDI mode emulation type
  drm/i915/gvt: fix a bug of partially write ggtt enties
  drm/exynos: Replace drm_dev_unref with drm_dev_put
  drm/exynos: Replace drm_gem_object_unreference_unlocked with put function
  drm/exynos: Replace drm_framebuffer_{un/reference} with put,get functions
  drm/exynos: ipp: use correct enum type
  drm/exynos: decon5433: Fix WINCONx reset value
  drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
  drm/exynos: fimc: Use real buffer width for configuring the hardware
  ...

Pull tracing fixes and cleanups from Steven Rostedt:
 "While cleaning out my INBOX, I found a few patches that were lost in
  the noise. These are minor bug fixes and clean ups. Those include:

   - avoid a string overflow

   - code that didn't match the comment (but should)

   - a small code optimization (use of a conditional)

   - quiet printf warnings

   - nuke unused code

   - fix function graph interrupt annotation"

* tag 'trace-v4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  tracing: Fix missing return symbol in function_graph output
  ftrace: Nuke clear_ftrace_function
  tracing: Use __printf markup to silence compiler
  tracing: Optimize trace_buffer_iter() logic
  tracing: Make create_filter() code match the comments
  tracing: Avoid string overflow