--- /dev/null
+From 9e98e9d7cf6e9d2ec1cce45e8d5ccaf3f9b386f3 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 9 Dec 2014 16:58:11 +0100
+Subject: blk-mq: Avoid that __bt_get_word() wraps multiple times
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 9e98e9d7cf6e9d2ec1cce45e8d5ccaf3f9b386f3 upstream.
+
+If __bt_get_word() is called with last_tag != 0, if the first
+find_next_zero_bit() fails, if after wrap-around the
+test_and_set_bit() call fails and find_next_zero_bit() succeeds,
+if the next test_and_set_bit() call fails and subsequently
+find_next_zero_bit() does not find a zero bit, then another
+wrap-around will occur. Avoid this by introducing an additional
+local variable.
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Robert Elliott <elliott@hp.com>
+Cc: Ming Lei <ming.lei@canonical.com>
+Cc: Alexander Gordeev <agordeev@redhat.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-tag.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -137,6 +137,7 @@ static inline bool hctx_may_queue(struct
+ static int __bt_get_word(struct blk_align_bitmap *bm, unsigned int last_tag)
+ {
+ int tag, org_last_tag, end;
++ bool wrap = last_tag != 0;
+
+ org_last_tag = last_tag;
+ end = bm->depth;
+@@ -148,8 +149,9 @@ restart:
+ * We started with an offset, start from 0 to
+ * exhaust the map.
+ */
+- if (org_last_tag && last_tag) {
+- end = last_tag;
++ if (wrap) {
++ wrap = false;
++ end = org_last_tag;
+ last_tag = 0;
+ goto restart;
+ }
--- /dev/null
+From c38d185d4af12e8be63ca4b6745d99449c450f12 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 9 Dec 2014 16:58:35 +0100
+Subject: blk-mq: Fix a race between bt_clear_tag() and bt_get()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit c38d185d4af12e8be63ca4b6745d99449c450f12 upstream.
+
+What we need is the following two guarantees:
+* Any thread that observes the effect of the test_and_set_bit() by
+ __bt_get_word() also observes the preceding addition of 'current'
+ to the appropriate wait list. This is guaranteed by the semantics
+ of the spin_unlock() operation performed by prepare_and_wait().
+ Hence the conversion of test_and_set_bit_lock() into
+ test_and_set_bit().
+* The wait lists are examined by bt_clear() after the tag bit has
+ been cleared. clear_bit_unlock() guarantees that any thread that
+ observes that the bit has been cleared also observes the store
+ operations preceding clear_bit_unlock(). However,
+ clear_bit_unlock() does not prevent that the wait lists are examined
+ before that the tag bit is cleared. Hence the addition of a memory
+ barrier between clear_bit() and the wait list examination.
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Robert Elliott <elliott@hp.com>
+Cc: Ming Lei <ming.lei@canonical.com>
+Cc: Alexander Gordeev <agordeev@redhat.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-tag.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -158,7 +158,7 @@ restart:
+ return -1;
+ }
+ last_tag = tag + 1;
+- } while (test_and_set_bit_lock(tag, &bm->word));
++ } while (test_and_set_bit(tag, &bm->word));
+
+ return tag;
+ }
+@@ -342,11 +342,10 @@ static void bt_clear_tag(struct blk_mq_b
+ struct bt_wait_state *bs;
+ int wait_cnt;
+
+- /*
+- * The unlock memory barrier need to order access to req in free
+- * path and clearing tag bit
+- */
+- clear_bit_unlock(TAG_TO_BIT(bt, tag), &bt->map[index].word);
++ clear_bit(TAG_TO_BIT(bt, tag), &bt->map[index].word);
++
++ /* Ensure that the wait list checks occur after clear_bit(). */
++ smp_mb();
+
+ bs = bt_wake_ptr(bt);
+ if (!bs)
--- /dev/null
+From 45a9c9d909b24c6ad0e28a7946e7486e73010319 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 9 Dec 2014 16:57:48 +0100
+Subject: blk-mq: Fix a use-after-free
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 45a9c9d909b24c6ad0e28a7946e7486e73010319 upstream.
+
+blk-mq users are allowed to free the memory request_queue.tag_set
+points at after blk_cleanup_queue() has finished but before
+blk_release_queue() has started. This can happen e.g. in the SCSI
+core. The SCSI core namely embeds the tag_set structure in a SCSI
+host structure. The SCSI host structure is freed by
+scsi_host_dev_release(). This function is called after
+blk_cleanup_queue() finished but can be called before
+blk_release_queue().
+
+This means that it is not safe to access request_queue.tag_set from
+inside blk_release_queue(). Hence remove the blk_sync_queue() call
+from blk_release_queue(). This call is not necessary - outstanding
+requests must have finished before blk_release_queue() is
+called. Additionally, move the blk_mq_free_queue() call from
+blk_release_queue() to blk_cleanup_queue() to avoid that struct
+request_queue.tag_set gets accessed after it has been freed.
+
+This patch avoids that the following kernel oops can be triggered
+when deleting a SCSI host for which scsi-mq was enabled:
+
+Call Trace:
+ [<ffffffff8109a7c4>] lock_acquire+0xc4/0x270
+ [<ffffffff814ce111>] mutex_lock_nested+0x61/0x380
+ [<ffffffff812575f0>] blk_mq_free_queue+0x30/0x180
+ [<ffffffff8124d654>] blk_release_queue+0x84/0xd0
+ [<ffffffff8126c29b>] kobject_cleanup+0x7b/0x1a0
+ [<ffffffff8126c140>] kobject_put+0x30/0x70
+ [<ffffffff81245895>] blk_put_queue+0x15/0x20
+ [<ffffffff8125c409>] disk_release+0x99/0xd0
+ [<ffffffff8133d056>] device_release+0x36/0xb0
+ [<ffffffff8126c29b>] kobject_cleanup+0x7b/0x1a0
+ [<ffffffff8126c140>] kobject_put+0x30/0x70
+ [<ffffffff8125a78a>] put_disk+0x1a/0x20
+ [<ffffffff811d4cb5>] __blkdev_put+0x135/0x1b0
+ [<ffffffff811d56a0>] blkdev_put+0x50/0x160
+ [<ffffffff81199eb4>] kill_block_super+0x44/0x70
+ [<ffffffff8119a2a4>] deactivate_locked_super+0x44/0x60
+ [<ffffffff8119a87e>] deactivate_super+0x4e/0x70
+ [<ffffffff811b9833>] cleanup_mnt+0x43/0x90
+ [<ffffffff811b98d2>] __cleanup_mnt+0x12/0x20
+ [<ffffffff8107252c>] task_work_run+0xac/0xe0
+ [<ffffffff81002c01>] do_notify_resume+0x61/0xa0
+ [<ffffffff814d2c58>] int_signal+0x12/0x17
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Robert Elliott <elliott@hp.com>
+Cc: Ming Lei <ming.lei@canonical.com>
+Cc: Alexander Gordeev <agordeev@redhat.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c | 3 +++
+ block/blk-sysfs.c | 12 ++++--------
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -525,6 +525,9 @@ void blk_cleanup_queue(struct request_qu
+ del_timer_sync(&q->backing_dev_info.laptop_mode_wb_timer);
+ blk_sync_queue(q);
+
++ if (q->mq_ops)
++ blk_mq_free_queue(q);
++
+ spin_lock_irq(lock);
+ if (q->queue_lock != &q->__queue_lock)
+ q->queue_lock = &q->__queue_lock;
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -492,17 +492,15 @@ static void blk_free_queue_rcu(struct rc
+ * Currently, its primary task it to free all the &struct request
+ * structures that were allocated to the queue and the queue itself.
+ *
+- * Caveat:
+- * Hopefully the low level driver will have finished any
+- * outstanding requests first...
++ * Note:
++ * The low level driver must have finished any outstanding requests first
++ * via blk_cleanup_queue().
+ **/
+ static void blk_release_queue(struct kobject *kobj)
+ {
+ struct request_queue *q =
+ container_of(kobj, struct request_queue, kobj);
+
+- blk_sync_queue(q);
+-
+ blkcg_exit_queue(q);
+
+ if (q->elevator) {
+@@ -517,9 +515,7 @@ static void blk_release_queue(struct kob
+ if (q->queue_tags)
+ __blk_queue_free_tags(q);
+
+- if (q->mq_ops)
+- blk_mq_free_queue(q);
+- else
++ if (!q->mq_ops)
+ blk_free_flush_queue(q->fq);
+
+ blk_trace_shutdown(q);
--- /dev/null
+From 06a41a99d13d8e919e9a00a4849e6b85ae492592 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Dec 2014 16:38:30 +0100
+Subject: blk-mq: Fix uninitialized kobject at CPU hotplugging
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 06a41a99d13d8e919e9a00a4849e6b85ae492592 upstream.
+
+When a CPU is hotplugged, the current blk-mq spews a warning like:
+
+ kobject '(null)' (ffffe8ffffc8b5d8): tried to add an uninitialized object, something is seriously wrong.
+ CPU: 1 PID: 1386 Comm: systemd-udevd Not tainted 3.18.0-rc7-2.g088d59b-default #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_171129-lamiak 04/01/2014
+ 0000000000000000 0000000000000002 ffffffff81605f07 ffffe8ffffc8b5d8
+ ffffffff8132c7a0 ffff88023341d370 0000000000000020 ffff8800bb05bd58
+ ffff8800bb05bd08 000000000000a0a0 000000003f441940 0000000000000007
+ Call Trace:
+ [<ffffffff81005306>] dump_trace+0x86/0x330
+ [<ffffffff81005644>] show_stack_log_lvl+0x94/0x170
+ [<ffffffff81006d21>] show_stack+0x21/0x50
+ [<ffffffff81605f07>] dump_stack+0x41/0x51
+ [<ffffffff8132c7a0>] kobject_add+0xa0/0xb0
+ [<ffffffff8130aee1>] blk_mq_register_hctx+0x91/0xb0
+ [<ffffffff8130b82e>] blk_mq_sysfs_register+0x3e/0x60
+ [<ffffffff81309298>] blk_mq_queue_reinit_notify+0xf8/0x190
+ [<ffffffff8107cfdc>] notifier_call_chain+0x4c/0x70
+ [<ffffffff8105fd23>] cpu_notify+0x23/0x50
+ [<ffffffff81060037>] _cpu_up+0x157/0x170
+ [<ffffffff810600d9>] cpu_up+0x89/0xb0
+ [<ffffffff815fa5b5>] cpu_subsys_online+0x35/0x80
+ [<ffffffff814323cd>] device_online+0x5d/0xa0
+ [<ffffffff81432485>] online_store+0x75/0x80
+ [<ffffffff81236a5a>] kernfs_fop_write+0xda/0x150
+ [<ffffffff811c5532>] vfs_write+0xb2/0x1f0
+ [<ffffffff811c5f42>] SyS_write+0x42/0xb0
+ [<ffffffff8160c4ed>] system_call_fastpath+0x16/0x1b
+ [<00007f0132fb24e0>] 0x7f0132fb24e0
+
+This is indeed because of an uninitialized kobject for blk_mq_ctx.
+The blk_mq_ctx kobjects are initialized in blk_mq_sysfs_init(), but it
+goes loop over hctx_for_each_ctx(), i.e. it initializes only for
+online CPUs. Thus, when a CPU is hotplugged, the ctx for the newly
+onlined CPU is registered without initialization.
+
+This patch fixes the issue by initializing the all ctx kobjects
+belonging to each queue.
+
+Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=908794
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-sysfs.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -390,16 +390,15 @@ static void blk_mq_sysfs_init(struct req
+ {
+ struct blk_mq_hw_ctx *hctx;
+ struct blk_mq_ctx *ctx;
+- int i, j;
++ int i;
+
+ kobject_init(&q->mq_kobj, &blk_mq_ktype);
+
+- queue_for_each_hw_ctx(q, hctx, i) {
++ queue_for_each_hw_ctx(q, hctx, i)
+ kobject_init(&hctx->kobj, &blk_mq_hw_ktype);
+
+- hctx_for_each_ctx(hctx, ctx, j)
+- kobject_init(&ctx->kobj, &blk_mq_ctx_ktype);
+- }
++ queue_for_each_ctx(q, ctx, i)
++ kobject_init(&ctx->kobj, &blk_mq_ctx_ktype);
+ }
+
+ /* see blk_register_queue() */
--- /dev/null
+From a33c1ba2913802b6fb23e974bb2f6a4e73c8b7ce Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@fb.com>
+Date: Mon, 24 Nov 2014 15:02:42 -0700
+Subject: blk-mq: use 'nr_cpu_ids' as highest CPU ID count for hwq <-> cpu map
+
+From: Jens Axboe <axboe@fb.com>
+
+commit a33c1ba2913802b6fb23e974bb2f6a4e73c8b7ce upstream.
+
+We currently use num_possible_cpus(), but that breaks on sparc64 where
+the CPU ID space is discontig. Use nr_cpu_ids as the highest CPU ID
+instead, so we don't end up reading from invalid memory.
+
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-cpumap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/blk-mq-cpumap.c
++++ b/block/blk-mq-cpumap.c
+@@ -90,7 +90,7 @@ unsigned int *blk_mq_make_queue_map(stru
+ unsigned int *map;
+
+ /* If cpus are offline, map them to first hctx */
+- map = kzalloc_node(sizeof(*map) * num_possible_cpus(), GFP_KERNEL,
++ map = kzalloc_node(sizeof(*map) * nr_cpu_ids, GFP_KERNEL,
+ set->numa_node);
+ if (!map)
+ return NULL;
--- /dev/null
+From 2bacedada682d5485424f5227f27a3d5d6eb551c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?=
+ <giedrius.statkevicius@gmail.com>
+Date: Sat, 27 Dec 2014 00:28:30 +0200
+Subject: HID: Add a new id 0x501a for Genius MousePen i608X
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?=
+
+commit 2bacedada682d5485424f5227f27a3d5d6eb551c upstream.
+
+New Genius MousePen i608X devices have a new id 0x501a instead of the
+old 0x5011 so add a new #define with "_2" appended and change required
+places.
+
+The remaining two checkpatch warnings about line length
+being over 80 characters are present in the original files too and this
+patch was made in the same style (no line break).
+
+Just adding a new id and changing the required places should make the
+new device work without any issues according to the bug report in the
+following url.
+
+This patch was made according to and fixes:
+https://bugzilla.kernel.org/show_bug.cgi?id=67111
+
+Signed-off-by: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 1 +
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-kye.c | 4 ++++
+ drivers/hid/usbhid/hid-quirks.c | 1 +
+ 4 files changed, 7 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1809,6 +1809,7 @@ static const struct hid_device_id hid_ha
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LABTEC, USB_DEVICE_ID_LABTEC_WIRELESS_KEYBOARD) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LCPOWER, USB_DEVICE_ID_LCPOWER_LC1000 ) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -526,6 +526,7 @@
+ #define USB_DEVICE_ID_KYE_GPEN_560 0x5003
+ #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010
+ #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011
++#define USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2 0x501a
+ #define USB_DEVICE_ID_KYE_EASYPEN_M610X 0x5013
+
+ #define USB_VENDOR_ID_LABTEC 0x1020
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -323,6 +323,7 @@ static __u8 *kye_report_fixup(struct hid
+ }
+ break;
+ case USB_DEVICE_ID_KYE_MOUSEPEN_I608X:
++ case USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2:
+ if (*rsize == MOUSEPEN_I608X_RDESC_ORIG_SIZE) {
+ rdesc = mousepen_i608x_rdesc_fixed;
+ *rsize = sizeof(mousepen_i608x_rdesc_fixed);
+@@ -415,6 +416,7 @@ static int kye_probe(struct hid_device *
+ switch (id->product) {
+ case USB_DEVICE_ID_KYE_EASYPEN_I405X:
+ case USB_DEVICE_ID_KYE_MOUSEPEN_I608X:
++ case USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2:
+ case USB_DEVICE_ID_KYE_EASYPEN_M610X:
+ ret = kye_tablet_enable(hdev);
+ if (ret) {
+@@ -446,6 +448,8 @@ static const struct hid_device_id kye_de
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
+ USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
++ USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
+ USB_DEVICE_ID_KYE_EASYPEN_M610X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
+ USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -123,6 +123,7 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X, HID_QUIRK_MULTI_INPUT },
++ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD, HID_QUIRK_NO_INIT_REPORTS },
--- /dev/null
+From da940db41dcf8c04166f711646df2f35376010aa Mon Sep 17 00:00:00 2001
+From: Karl Relton <karllinuxtest.relton@ntlworld.com>
+Date: Tue, 16 Dec 2014 15:37:22 +0000
+Subject: HID: add battery quirk for USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO keyboard
+
+From: Karl Relton <karllinuxtest.relton@ntlworld.com>
+
+commit da940db41dcf8c04166f711646df2f35376010aa upstream.
+
+Apple bluetooth wireless keyboard (sold in UK) has always reported zero
+for battery strength no matter what condition the batteries are actually
+in. With this patch applied (applying same quirk as other Apple
+keyboards), the battery strength is now correctly reported.
+
+Signed-off-by: Karl Relton <karllinuxtest.relton@ntlworld.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -312,6 +312,9 @@ static const struct hid_device_id hid_ba
+ USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ANSI),
+ HID_BATTERY_QUIRK_PERCENT | HID_BATTERY_QUIRK_FEATURE },
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE,
++ USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO),
++ HID_BATTERY_QUIRK_PERCENT | HID_BATTERY_QUIRK_FEATURE },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE,
+ USB_DEVICE_ID_APPLE_ALU_WIRELESS_ANSI),
+ HID_BATTERY_QUIRK_PERCENT | HID_BATTERY_QUIRK_FEATURE },
+ {}
--- /dev/null
+From 5b44c53aeb791757072be4a267255cedfff594fd Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Fri, 12 Dec 2014 14:01:49 +0200
+Subject: HID: i2c-hid: Do not free buffers in i2c_hid_stop()
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 5b44c53aeb791757072be4a267255cedfff594fd upstream.
+
+When a hid driver that uses i2c-hid as transport is unloaded, the hid core
+will call i2c_hid_stop() which releases all the buffers associated with the
+device. This includes also the command buffer.
+
+Now, when the i2c-hid driver itself is unloaded it tries to power down the
+device by sending it PWR_SLEEP command. Since the command buffer is already
+released we get following crash:
+
+ [ 79.691459] BUG: unable to handle kernel NULL pointer dereference at (null)
+ [ 79.691532] IP: [<ffffffffa05bc049>] __i2c_hid_command+0x49/0x310 [i2c_hid]
+ ...
+ [ 79.693467] Call Trace:
+ [ 79.693494] [<ffffffff810424e1>] ? __unmask_ioapic+0x21/0x30
+ [ 79.693537] [<ffffffff81042855>] ? unmask_ioapic+0x25/0x40
+ [ 79.693581] [<ffffffffa05bc35b>] ? i2c_hid_set_power+0x4b/0xa0 [i2c_hid]
+ [ 79.693632] [<ffffffffa05bc3cf>] ? i2c_hid_runtime_resume+0x1f/0x30 [i2c_hid]
+ [ 79.693689] [<ffffffff814c08fb>] ? __rpm_callback+0x2b/0x70
+ [ 79.693733] [<ffffffff814c0961>] ? rpm_callback+0x21/0x90
+ [ 79.693776] [<ffffffff814c0dec>] ? rpm_resume+0x41c/0x600
+ [ 79.693820] [<ffffffff814c1e1c>] ? __pm_runtime_resume+0x4c/0x80
+ [ 79.693868] [<ffffffff814b8588>] ? __device_release_driver+0x28/0x100
+ [ 79.693917] [<ffffffff814b8d90>] ? driver_detach+0xa0/0xb0
+ [ 79.693959] [<ffffffff814b82cc>] ? bus_remove_driver+0x4c/0xb0
+ [ 79.694006] [<ffffffff810d1cfd>] ? SyS_delete_module+0x11d/0x1d0
+ [ 79.694054] [<ffffffff8165f107>] ? int_signal+0x12/0x17
+ [ 79.694095] [<ffffffff8165ee69>] ? system_call_fastpath+0x12/0x17
+
+Fix this so that we only free buffers when the i2c-hid driver itself is
+removed.
+
+Fixes: 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
+Reported-by: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -706,12 +706,7 @@ static int i2c_hid_start(struct hid_devi
+
+ static void i2c_hid_stop(struct hid_device *hid)
+ {
+- struct i2c_client *client = hid->driver_data;
+- struct i2c_hid *ihid = i2c_get_clientdata(client);
+-
+ hid->claimed = 0;
+-
+- i2c_hid_free_buffers(ihid);
+ }
+
+ static int i2c_hid_open(struct hid_device *hid)
--- /dev/null
+From 6296f4a8eb86f9abcc370fb7a1a116b8441c17fd Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+Date: Thu, 20 Nov 2014 00:46:37 +0800
+Subject: HID: i2c-hid: fix race condition reading reports
+
+From: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+
+commit 6296f4a8eb86f9abcc370fb7a1a116b8441c17fd upstream.
+
+Current driver uses a common buffer for reading reports either
+synchronously in i2c_hid_get_raw_report() and asynchronously in
+the interrupt handler.
+There is race condition if an interrupt arrives immediately after
+the report is received in i2c_hid_get_raw_report(); the common
+buffer is modified by the interrupt handler with the new report
+and then i2c_hid_get_raw_report() proceed using wrong data.
+
+Fix it by using a separate buffers for synchronous reports.
+
+Signed-off-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+[Antonio Borneo: cleanup, rebase to v3.17, submit mainline]
+Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -137,6 +137,7 @@ struct i2c_hid {
+ * descriptor. */
+ unsigned int bufsize; /* i2c buffer size */
+ char *inbuf; /* Input buffer */
++ char *rawbuf; /* Raw Input buffer */
+ char *cmdbuf; /* Command buffer */
+ char *argsbuf; /* Command arguments buffer */
+
+@@ -504,9 +505,11 @@ static void i2c_hid_find_max_report(stru
+ static void i2c_hid_free_buffers(struct i2c_hid *ihid)
+ {
+ kfree(ihid->inbuf);
++ kfree(ihid->rawbuf);
+ kfree(ihid->argsbuf);
+ kfree(ihid->cmdbuf);
+ ihid->inbuf = NULL;
++ ihid->rawbuf = NULL;
+ ihid->cmdbuf = NULL;
+ ihid->argsbuf = NULL;
+ ihid->bufsize = 0;
+@@ -522,10 +525,11 @@ static int i2c_hid_alloc_buffers(struct
+ report_size; /* report */
+
+ ihid->inbuf = kzalloc(report_size, GFP_KERNEL);
++ ihid->rawbuf = kzalloc(report_size, GFP_KERNEL);
+ ihid->argsbuf = kzalloc(args_len, GFP_KERNEL);
+ ihid->cmdbuf = kzalloc(sizeof(union command) + args_len, GFP_KERNEL);
+
+- if (!ihid->inbuf || !ihid->argsbuf || !ihid->cmdbuf) {
++ if (!ihid->inbuf || !ihid->rawbuf || !ihid->argsbuf || !ihid->cmdbuf) {
+ i2c_hid_free_buffers(ihid);
+ return -ENOMEM;
+ }
+@@ -552,12 +556,12 @@ static int i2c_hid_get_raw_report(struct
+
+ ret = i2c_hid_get_report(client,
+ report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,
+- report_number, ihid->inbuf, ask_count);
++ report_number, ihid->rawbuf, ask_count);
+
+ if (ret < 0)
+ return ret;
+
+- ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
++ ret_count = ihid->rawbuf[0] | (ihid->rawbuf[1] << 8);
+
+ if (ret_count <= 2)
+ return 0;
+@@ -566,7 +570,7 @@ static int i2c_hid_get_raw_report(struct
+
+ /* The query buffer contains the size, dropping it in the reply */
+ count = min(count, ret_count - 2);
+- memcpy(buf, ihid->inbuf + 2, count);
++ memcpy(buf, ihid->rawbuf + 2, count);
+
+ return count;
+ }
--- /dev/null
+From d1c7e29e8d276c669e8790bb8be9f505ddc48888 Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou <gwendal@chromium.org>
+Date: Thu, 11 Dec 2014 16:02:45 -0800
+Subject: HID: i2c-hid: prevent buffer overflow in early IRQ
+
+From: Gwendal Grignou <gwendal@chromium.org>
+
+commit d1c7e29e8d276c669e8790bb8be9f505ddc48888 upstream.
+
+Before ->start() is called, bufsize size is set to HID_MIN_BUFFER_SIZE,
+64 bytes. While processing the IRQ, we were asking to receive up to
+wMaxInputLength bytes, which can be bigger than 64 bytes.
+
+Later, when ->start is run, a proper bufsize will be calculated.
+
+Given wMaxInputLength is said to be unreliable in other part of the
+code, set to receive only what we can even if it results in truncated
+reports.
+
+Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -370,7 +370,7 @@ static int i2c_hid_hwreset(struct i2c_cl
+ static void i2c_hid_get_input(struct i2c_hid *ihid)
+ {
+ int ret, ret_size;
+- int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
++ int size = ihid->bufsize;
+
+ ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
+ if (ret != size) {
--- /dev/null
+From 606185b20caf4c57d7e41e5a5ea4aff460aef2ab Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 9 Jan 2015 15:32:31 +0300
+Subject: HID: roccat: potential out of bounds in pyra_sysfs_write_settings()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab upstream.
+
+This is a static checker fix. We write some binary settings to the
+sysfs file. One of the settings is the "->startup_profile". There
+isn't any checking to make sure it fits into the
+pyra->profile_settings[] array in the profile_activated() function.
+
+I added a check to pyra_sysfs_write_settings() in both places because
+I wasn't positive that the other callers were correct.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-roccat-pyra.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-roccat-pyra.c
++++ b/drivers/hid/hid-roccat-pyra.c
+@@ -35,6 +35,8 @@ static struct class *pyra_class;
+ static void profile_activated(struct pyra_device *pyra,
+ unsigned int new_profile)
+ {
++ if (new_profile >= ARRAY_SIZE(pyra->profile_settings))
++ return;
+ pyra->actual_profile = new_profile;
+ pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi;
+ }
+@@ -257,9 +259,11 @@ static ssize_t pyra_sysfs_write_settings
+ if (off != 0 || count != PYRA_SIZE_SETTINGS)
+ return -EINVAL;
+
+- mutex_lock(&pyra->pyra_lock);
+-
+ settings = (struct pyra_settings const *)buf;
++ if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings))
++ return -EINVAL;
++
++ mutex_lock(&pyra->pyra_lock);
+
+ retval = pyra_set_settings(usb_dev, settings);
+ if (retval) {
--- /dev/null
+From dff674168878fe7b6d8b9ad60d62295ec517de79 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 1 Dec 2014 11:52:40 -0500
+Subject: HID: wacom: fix freeze on open when autosuspend is on
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit dff674168878fe7b6d8b9ad60d62295ec517de79 upstream.
+
+Since the conversion from USB to HID (in v3.17), some people reported a
+freeze on boot with the wacom driver. Hans managed to get a stacktrace:
+
+[ 240.272331] Call Trace:
+[ 240.272338] [<ffffffff813de7b9>] ? usb_hcd_submit_urb+0xa9/0xb10
+[ 240.272347] [<ffffffff81555579>] schedule+0x29/0x70
+[ 240.272355] [<ffffffff815559e6>] schedule_preempt_disabled+0x16/0x20
+[ 240.272363] [<ffffffff81557365>] __mutex_lock_slowpath+0xe5/0x230
+[ 240.272372] [<ffffffff815574c7>] mutex_lock+0x17/0x30
+[ 240.272380] [<ffffffffa063c1d2>] wacom_resume+0x22/0x50 [wacom]
+[ 240.272396] [<ffffffffa01aea8a>] hid_resume_common+0xba/0x110 [usbhid]
+[ 240.272404] [<ffffffff813e5890>] ? usb_runtime_suspend+0x80/0x80
+[ 240.272417] [<ffffffffa01aeb1d>] hid_resume+0x3d/0x70 [usbhid]
+[ 240.272425] [<ffffffff813e44a6>] usb_resume_interface.isra.6+0xb6/0x120
+[ 240.272432] [<ffffffff813e4774>] usb_resume_both+0x74/0x140
+[ 240.272439] [<ffffffff813e58aa>] usb_runtime_resume+0x1a/0x20
+[ 240.272446] [<ffffffff813b1912>] __rpm_callback+0x32/0x70
+[ 240.272453] [<ffffffff813b1976>] rpm_callback+0x26/0xa0
+[ 240.272460] [<ffffffff813b2d71>] rpm_resume+0x4b1/0x690
+[ 240.272468] [<ffffffff812ab992>] ? radix_tree_lookup_slot+0x22/0x50
+[ 240.272475] [<ffffffff813b2c1a>] rpm_resume+0x35a/0x690
+[ 240.272482] [<ffffffff8116e9c9>] ? zone_statistics+0x89/0xa0
+[ 240.272489] [<ffffffff813b2f90>] __pm_runtime_resume+0x40/0x60
+[ 240.272497] [<ffffffff813e4272>] usb_autopm_get_interface+0x22/0x60
+[ 240.272509] [<ffffffffa01ae8d9>] usbhid_open+0x59/0xe0 [usbhid]
+[ 240.272517] [<ffffffffa063ac85>] wacom_open+0x35/0x50 [wacom]
+[ 240.272525] [<ffffffff813f37b9>] input_open_device+0x79/0xa0
+[ 240.272534] [<ffffffffa048d1c1>] evdev_open+0x1b1/0x200 [evdev]
+[ 240.272543] [<ffffffff811c899e>] chrdev_open+0xae/0x1f0
+[ 240.272549] [<ffffffff811c88f0>] ? cdev_put+0x30/0x30
+[ 240.272556] [<ffffffff811c17e2>] do_dentry_open+0x1d2/0x320
+[ 240.272562] [<ffffffff811c1cd1>] finish_open+0x31/0x50
+[ 240.272571] [<ffffffff811d2202>] do_last.isra.36+0x652/0xe50
+[ 240.272579] [<ffffffff811d2ac7>] path_openat+0xc7/0x6f0
+[ 240.272586] [<ffffffff811cf012>] ? final_putname+0x22/0x50
+[ 240.272594] [<ffffffff811d42d2>] ? user_path_at_empty+0x72/0xd0
+[ 240.272602] [<ffffffff811d43fd>] do_filp_open+0x4d/0xc0
+[...]
+
+So here, wacom_open is called, and then wacom_resume is called by the
+PM system. However, wacom_open already took the lock when wacom_resume
+tries to get it. Freeze.
+
+A little bit of history shows that this already happened in the past
+- commit f6cd378372bf ("Input: wacom - fix runtime PM related deadlock"),
+and the solution was to call first the PM function before taking the lock.
+
+The lock was introduced in commit commit e722409445fb ("Input: wacom -
+implement suspend and autosuspend") when the autosuspend feature has
+been added. Given that usbhid already takes care of this very same
+locking between suspend/resume, I think we can simply kill the lock
+in open/close.
+
+The lock is now used also with LEDs, so we can not remove it completely.
+
+Reported-by: Hans Spath <inbox-546@hans-spath.de>
+Tested-by: Hans Spath <inbox-546@hans-spath.de>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_sys.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -70,22 +70,15 @@ static int wacom_raw_event(struct hid_de
+ static int wacom_open(struct input_dev *dev)
+ {
+ struct wacom *wacom = input_get_drvdata(dev);
+- int retval;
+
+- mutex_lock(&wacom->lock);
+- retval = hid_hw_open(wacom->hdev);
+- mutex_unlock(&wacom->lock);
+-
+- return retval;
++ return hid_hw_open(wacom->hdev);
+ }
+
+ static void wacom_close(struct input_dev *dev)
+ {
+ struct wacom *wacom = input_get_drvdata(dev);
+
+- mutex_lock(&wacom->lock);
+ hid_hw_close(wacom->hdev);
+- mutex_unlock(&wacom->lock);
+ }
+
+ /*
--- /dev/null
+From 00d6f227a5905be47006abcc1f417d069ecc3711 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 1 Dec 2014 11:52:39 -0500
+Subject: HID: wacom: re-add accidentally dropped Lenovo PID
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 00d6f227a5905be47006abcc1f417d069ecc3711 upstream.
+
+Dropped in the following commit:
+
+commit a3e6f6543d19 ("Input: wacom - keep wacom_ids ordered")
+
+Reported-by: Hans Spath <inbox-546@hans-spath.de>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -3026,6 +3026,7 @@ const struct hid_device_id wacom_ids[] =
+ { USB_DEVICE_WACOM(0x4004) },
+ { USB_DEVICE_WACOM(0x5000) },
+ { USB_DEVICE_WACOM(0x5002) },
++ { USB_DEVICE_LENOVO(0x6004) },
+
+ { USB_DEVICE_WACOM(HID_ANY_ID) },
+ { }
--- /dev/null
+From a32c99e7ab8410bae7c276a7e94ca84d108de034 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.de>
+Date: Mon, 17 Nov 2014 17:11:42 +0100
+Subject: HID: yet another buggy ELAN touchscreen
+
+From: Oliver Neukum <oneukum@suse.de>
+
+commit a32c99e7ab8410bae7c276a7e94ca84d108de034 upstream.
+
+The touchscreen needs the same quirk as the other models.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Reported-by: Bryan Poling <poli0048@umn.edu>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/usbhid/hid-quirks.c | 1 +
+ drivers/usb/core/quirks.c | 3 +++
+ 3 files changed, 5 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -300,6 +300,7 @@
+ #define USB_DEVICE_ID_ELAN_TOUCHSCREEN 0x0089
+ #define USB_DEVICE_ID_ELAN_TOUCHSCREEN_009B 0x009b
+ #define USB_DEVICE_ID_ELAN_TOUCHSCREEN_0103 0x0103
++#define USB_DEVICE_ID_ELAN_TOUCHSCREEN_010c 0x010c
+ #define USB_DEVICE_ID_ELAN_TOUCHSCREEN_016F 0x016f
+
+ #define USB_VENDOR_ID_ELECOM 0x056e
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -73,6 +73,7 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_009B, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_0103, HID_QUIRK_ALWAYS_POLL },
++ { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_010c, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_016F, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS },
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -103,6 +103,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x04f3, 0x009b), .driver_info =
+ USB_QUIRK_DEVICE_QUALIFIER },
+
++ { USB_DEVICE(0x04f3, 0x010c), .driver_info =
++ USB_QUIRK_DEVICE_QUALIFIER },
++
+ { USB_DEVICE(0x04f3, 0x016f), .driver_info =
+ USB_QUIRK_DEVICE_QUALIFIER },
+
ubi-fix-double-free-after-do_sync_erase.patch
iommu-vt-d-fix-an-off-by-one-bug-in-__domain_mapping.patch
iommu-vt-d-fix-dmar_domain-leak-in-iommu_attach_device.patch
+blk-mq-use-nr_cpu_ids-as-highest-cpu-id-count-for-hwq-cpu-map.patch
+blk-mq-fix-a-use-after-free.patch
+blk-mq-avoid-that-__bt_get_word-wraps-multiple-times.patch
+blk-mq-fix-a-race-between-bt_clear_tag-and-bt_get.patch
+blk-mq-fix-uninitialized-kobject-at-cpu-hotplugging.patch
+hid-yet-another-buggy-elan-touchscreen.patch
+hid-wacom-re-add-accidentally-dropped-lenovo-pid.patch
+hid-wacom-fix-freeze-on-open-when-autosuspend-is-on.patch
+hid-i2c-hid-fix-race-condition-reading-reports.patch
+hid-i2c-hid-prevent-buffer-overflow-in-early-irq.patch
+hid-roccat-potential-out-of-bounds-in-pyra_sysfs_write_settings.patch
+hid-i2c-hid-do-not-free-buffers-in-i2c_hid_stop.patch
+hid-add-battery-quirk-for-usb_device_id_apple_alu_wireless_2011_iso-keyboard.patch
+hid-add-a-new-id-0x501a-for-genius-mousepen-i608x.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
