5.2-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jul 2019 15:58:51 +0000 (17:58 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jul 2019 15:58:51 +0000 (17:58 +0200)
added patches:
btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch
kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch
kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch
kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch
kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch
media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch
revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch
revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch
selinux-check-sidtab-limit-before-adding-a-new-entry.patch
usb-pci-quirks-correct-amd-pll-quirk-detection.patch
usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch
usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch
usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch
x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch

18 files changed:
queue-5.2/btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch [new file with mode: 0644]
queue-5.2/kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch [new file with mode: 0644]
queue-5.2/kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch [new file with mode: 0644]
queue-5.2/kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch [new file with mode: 0644]
queue-5.2/kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch [new file with mode: 0644]
queue-5.2/media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch [new file with mode: 0644]
queue-5.2/revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch [new file with mode: 0644]
queue-5.2/revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch [new file with mode: 0644]
queue-5.2/selinux-check-sidtab-limit-before-adding-a-new-entry.patch [new file with mode: 0644]
queue-5.2/series
queue-5.2/usb-pci-quirks-correct-amd-pll-quirk-detection.patch [new file with mode: 0644]
queue-5.2/usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch [new file with mode: 0644]
queue-5.2/usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch [new file with mode: 0644]
queue-5.2/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch [new file with mode: 0644]
queue-5.2/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch [new file with mode: 0644]
queue-5.2/x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch [new file with mode: 0644]
queue-5.2/x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch [new file with mode: 0644]
queue-5.2/xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch [new file with mode: 0644]

diff --git a/queue-5.2/btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch b/queue-5.2/btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch
new file mode 100644 (file)
index 0000000..987aa18
--- /dev/null
@@ -0,0 +1,101 @@
+From 42c16da6d684391db83788eb680accd84f6c2083 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Mon, 1 Jul 2019 05:12:46 +0000
+Subject: btrfs: inode: Don't compress if NODATASUM or NODATACOW set
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 42c16da6d684391db83788eb680accd84f6c2083 upstream.
+
+As btrfs(5) specified:
+
+       Note
+       If nodatacow or nodatasum are enabled, compression is disabled.
+
+If NODATASUM or NODATACOW set, we should not compress the extent.
+
+Normally NODATACOW is detected properly in run_delalloc_range() so
+compression won't happen for NODATACOW.
+
+However for NODATASUM we don't have any check, and it can cause
+compressed extent without csum pretty easily, just by:
+  mkfs.btrfs -f $dev
+  mount $dev $mnt -o nodatasum
+  touch $mnt/foobar
+  mount -o remount,datasum,compress $mnt
+  xfs_io -f -c "pwrite 0 128K" $mnt/foobar
+
+And in fact, we have a bug report about corrupted compressed extent
+without proper data checksum so even RAID1 can't recover the corruption.
+(https://bugzilla.kernel.org/show_bug.cgi?id=199707)
+
+Running compression without proper checksum could cause more damage when
+corruption happens, as compressed data could make the whole extent
+unreadable, so there is no need to allow compression for
+NODATACSUM.
+
+The fix will refactor the inode compression check into two parts:
+
+- inode_can_compress()
+  As the hard requirement, checked at btrfs_run_delalloc_range(), so no
+  compression will happen for NODATASUM inode at all.
+
+- inode_need_compress()
+  As the soft requirement, checked at btrfs_run_delalloc_range() and
+  compress_file_range().
+
+Reported-by: James Harvey <jamespharvey20@gmail.com>
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -394,10 +394,31 @@ static noinline int add_async_extent(str
+       return 0;
+ }
++/*
++ * Check if the inode has flags compatible with compression
++ */
++static inline bool inode_can_compress(struct inode *inode)
++{
++      if (BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW ||
++          BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)
++              return false;
++      return true;
++}
++
++/*
++ * Check if the inode needs to be submitted to compression, based on mount
++ * options, defragmentation, properties or heuristics.
++ */
+ static inline int inode_need_compress(struct inode *inode, u64 start, u64 end)
+ {
+       struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
++      if (!inode_can_compress(inode)) {
++              WARN(IS_ENABLED(CONFIG_BTRFS_DEBUG),
++                      KERN_ERR "BTRFS: unexpected compression for ino %llu\n",
++                      btrfs_ino(BTRFS_I(inode)));
++              return 0;
++      }
+       /* force compress */
+       if (btrfs_test_opt(fs_info, FORCE_COMPRESS))
+               return 1;
+@@ -1630,7 +1651,8 @@ int btrfs_run_delalloc_range(struct inod
+       } else if (BTRFS_I(inode)->flags & BTRFS_INODE_PREALLOC && !force_cow) {
+               ret = run_delalloc_nocow(inode, locked_page, start, end,
+                                        page_started, 0, nr_written);
+-      } else if (!inode_need_compress(inode, start, end)) {
++      } else if (!inode_can_compress(inode) ||
++                 !inode_need_compress(inode, start, end)) {
+               ret = cow_file_range(inode, locked_page, start, end, end,
+                                     page_started, nr_written, 1, NULL);
+       } else {
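Review bot: inode_can_compress() tests BTRFS_I(inode)->flags twice where one mask test says the same thing and reads the field once: `return !(BTRFS_I(inode)->flags & (BTRFS_INODE_NODATACOW | BTRFS_INODE_NODATASUM));`. Its comment should also record the reason the commit message gives, for example `/* Compressed extents without a data checksum cannot be recovered after corruption, so NODATACOW/NODATASUM inodes are never compressed. */`. In inode_need_compress() the WARN() is gated on CONFIG_BTRFS_DEBUG, so on other builds a caller that skipped the hard check gets a silent 0. The comment above inode_need_compress() should say that callers are expected to have checked inode_can_compress() first.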
diff --git a/queue-5.2/kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch b/queue-5.2/kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch
new file mode 100644 (file)
index 0000000..81f2eb2
--- /dev/null
@@ -0,0 +1,60 @@
+From 63279eeb7f93abb1692573c26f1e038e1a87358b Mon Sep 17 00:00:00 2001
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Date: Wed, 3 Jul 2019 11:20:20 +1000
+Subject: KVM: PPC: Book3S HV: Always save guest pmu for guest capable of nesting
+
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+
+commit 63279eeb7f93abb1692573c26f1e038e1a87358b upstream.
+
+The performance monitoring unit (PMU) registers are saved on guest
+exit when the guest has set the pmcregs_in_use flag in its lppaca, if
+it exists, or unconditionally if it doesn't. If a nested guest is
+being run then the hypervisor doesn't, and in most cases can't, know
+if the PMU registers are in use since it doesn't know the location of
+the lppaca for the nested guest, although it may have one for its
+immediate guest. This results in the values of these registers being
+lost across nested guest entry and exit in the case where the nested
+guest was making use of the performance monitoring facility while it's
+nested guest hypervisor wasn't.
+
+Further more the hypervisor could interrupt a guest hypervisor between
+when it has loaded up the PMU registers and it calling H_ENTER_NESTED
+or between returning from the nested guest to the guest hypervisor and
+the guest hypervisor reading the PMU registers, in
+kvmhv_p9_guest_entry(). This means that it isn't sufficient to just
+save the PMU registers when entering or exiting a nested guest, but
+that it is necessary to always save the PMU registers whenever a guest
+is capable of running nested guests to ensure the register values
+aren't lost in the context switch.
+
+Ensure the PMU register values are preserved by always saving their
+value into the vcpu struct when a guest is capable of running nested
+guests.
+
+This should have minimal performance impact however any impact can be
+avoided by booting a guest with "-machine pseries,cap-nested-hv=false"
+on the qemu commandline.
+
+Fixes: 95a6432ce903 ("KVM: PPC: Book3S HV: Streamlined guest entry/exit path on P9 for radix guests")
+Cc: stable@vger.kernel.org # v4.20+
+Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190703012022.15644-1-sjitindarsingh@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -3654,6 +3654,8 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu
+               vcpu->arch.vpa.dirty = 1;
+               save_pmu = lp->pmcregs_in_use;
+       }
++      /* Must save pmu if this guest is capable of running nested guests */
++      save_pmu |= nesting_enabled(vcpu->kvm);
+       kvmhv_save_guest_pmu(vcpu, save_pmu);
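Review bot: The comment added in kvmhv_p9_guest_entry() says the PMU must be saved but not why, and the reason cannot be recovered from the code. Suggest `/* A nested guest's lppaca is not visible here, so pmcregs_in_use cannot be relied on; always save the PMU when nesting is enabled */`. The declaration of save_pmu is outside the hunk, so whether `|=` with the return value of nesting_enabled() matches its type cannot be checked from here.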
diff --git a/queue-5.2/kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch b/queue-5.2/kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch
new file mode 100644 (file)
index 0000000..e24384b
--- /dev/null
@@ -0,0 +1,82 @@
+From c8b4083db915dfe5a3b4a755ad2317e0509b43f1 Mon Sep 17 00:00:00 2001
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Date: Wed, 3 Jul 2019 11:20:22 +1000
+Subject: KVM: PPC: Book3S HV: Save and restore guest visible PSSCR bits on pseries
+
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+
+commit c8b4083db915dfe5a3b4a755ad2317e0509b43f1 upstream.
+
+The Performance Stop Status and Control Register (PSSCR) is used to
+control the power saving facilities of the processor. This register
+has various fields, some of which can be modified only in hypervisor
+state, and others which can be modified in both hypervisor and
+privileged non-hypervisor state. The bits which can be modified in
+privileged non-hypervisor state are referred to as guest visible.
+
+Currently the L0 hypervisor saves and restores both it's own host
+value as well as the guest value of the PSSCR when context switching
+between the hypervisor and guest. However a nested hypervisor running
+it's own nested guests (as indicated by kvmhv_on_pseries()) doesn't
+context switch the PSSCR register. That means if a nested (L2) guest
+modifies the PSSCR then the L1 guest hypervisor will run with that
+modified value, and if the L1 guest hypervisor modifies the PSSCR and
+then goes to run the nested (L2) guest again then the L2 PSSCR value
+will be lost.
+
+Fix this by having the (L1) nested hypervisor save and restore both
+its host and the guest PSSCR value when entering and exiting a
+nested (L2) guest. Note that only the guest visible parts of the PSSCR
+are context switched since this is all the L1 nested hypervisor can
+access, this is fine however as these are the only fields the L0
+hypervisor provides guest control of anyway and so all other fields
+are ignored.
+
+This could also have been implemented by adding the PSSCR register to
+the hv_regs passed to the L0 hypervisor as input to the H_ENTER_NESTED
+hcall, however this would have meant updating the structure layout and
+thus required modifications to both the L0 and L1 kernels. Whereas the
+approach used doesn't require L0 kernel modifications while achieving
+the same result.
+
+Fixes: 95a6432ce903 ("KVM: PPC: Book3S HV: Streamlined guest entry/exit path on P9 for radix guests")
+Cc: stable@vger.kernel.org # v4.20+
+Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190703012022.15644-3-sjitindarsingh@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -3569,9 +3569,18 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu
+       mtspr(SPRN_DEC, vcpu->arch.dec_expires - mftb());
+       if (kvmhv_on_pseries()) {
++              /*
++               * We need to save and restore the guest visible part of the
++               * psscr (i.e. using SPRN_PSSCR_PR) since the hypervisor
++               * doesn't do this for us. Note only required if pseries since
++               * this is done in kvmhv_load_hv_regs_and_go() below otherwise.
++               */
++              unsigned long host_psscr;
+               /* call our hypervisor to load up HV regs and go */
+               struct hv_guest_state hvregs;
++              host_psscr = mfspr(SPRN_PSSCR_PR);
++              mtspr(SPRN_PSSCR_PR, vcpu->arch.psscr);
+               kvmhv_save_hv_regs(vcpu, &hvregs);
+               hvregs.lpcr = lpcr;
+               vcpu->arch.regs.msr = vcpu->arch.shregs.msr;
+@@ -3590,6 +3599,8 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu
+               vcpu->arch.shregs.msr = vcpu->arch.regs.msr;
+               vcpu->arch.shregs.dar = mfspr(SPRN_DAR);
+               vcpu->arch.shregs.dsisr = mfspr(SPRN_DSISR);
++              vcpu->arch.psscr = mfspr(SPRN_PSSCR_PR);
++              mtspr(SPRN_PSSCR_PR, host_psscr);
+               /* H_CEDE has to be handled now, not later */
+               if (trap == BOOK3S_INTERRUPT_SYSCALL && !vcpu->arch.nested &&
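Review bot: The guest PSSCR value is written to SPRN_PSSCR_PR in the first hunk and the host value is put back only in the second, with the lines between them not shown. It is worth confirming that no path leaves the kvmhv_on_pseries() branch in between, because such a path would leave L1 running with the L2 guest's value. The block comment is attached to the `unsigned long host_psscr;` declaration rather than to the mfspr/mtspr pair it describes. Moving it above `host_psscr = mfspr(SPRN_PSSCR_PR);` and adding `/* restore the L1 PSSCR now that the L2 guest has exited */` above the second pair would document both halves. kvmhv_p9_guest_entry() starts and ends outside both hunks.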
diff --git a/queue-5.2/kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch b/queue-5.2/kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch
new file mode 100644 (file)
index 0000000..2ab227b
--- /dev/null
@@ -0,0 +1,58 @@
+From 9798f4ea71eaf8eaad7e688c5b298528089c7bf8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Date: Thu, 18 Jul 2019 23:51:54 +0200
+Subject: KVM: PPC: Book3S HV: XIVE: fix rollback when kvmppc_xive_create fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cédric Le Goater <clg@kaod.org>
+
+commit 9798f4ea71eaf8eaad7e688c5b298528089c7bf8 upstream.
+
+The XIVE device structure is now allocated in kvmppc_xive_get_device()
+and kfree'd in kvmppc_core_destroy_vm(). In case of an OPAL error when
+allocating the XIVE VPs, the kfree() call in kvmppc_xive_*create()
+will result in a double free and corrupt the host memory.
+
+Fixes: 5422e95103cf ("KVM: PPC: Book3S HV: XIVE: Replace the 'destroy' method by a 'release' method")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/6ea6998b-a890-2511-01d1-747d7621eb19@kaod.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_xive.c        |    4 +---
+ arch/powerpc/kvm/book3s_xive_native.c |    4 ++--
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_xive.c
++++ b/arch/powerpc/kvm/book3s_xive.c
+@@ -1986,10 +1986,8 @@ static int kvmppc_xive_create(struct kvm
+       xive->single_escalation = xive_native_has_single_escalation();
+-      if (ret) {
+-              kfree(xive);
++      if (ret)
+               return ret;
+-      }
+       return 0;
+ }
+--- a/arch/powerpc/kvm/book3s_xive_native.c
++++ b/arch/powerpc/kvm/book3s_xive_native.c
+@@ -1090,9 +1090,9 @@ static int kvmppc_xive_native_create(str
+       xive->ops = &kvmppc_xive_native_ops;
+       if (ret)
+-              kfree(xive);
++              return ret;
+-      return ret;
++      return 0;
+ }
+ /*
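Review bot: Nothing in either create function records why the error path no longer frees xive, so the kfree() looks missing and is easy to re-add. A comment at the check, `/* xive is freed in kvmppc_core_destroy_vm(); freeing it here would double free */`, states the ownership rule that the commit message describes. With the kfree() gone, `if (ret) return ret; return 0;` in both kvmppc_xive_create() and kvmppc_xive_native_create() reduces to `return ret;`. Both functions start outside the hunks.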
diff --git a/queue-5.2/kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch b/queue-5.2/kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch
new file mode 100644 (file)
index 0000000..7e2d334
--- /dev/null
@@ -0,0 +1,75 @@
+From e751732486eb3f159089a64d1901992b1357e7cc Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Mon, 22 Jul 2019 12:26:20 +0800
+Subject: KVM: X86: Fix fpu state crash in kvm guest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+commit e751732486eb3f159089a64d1901992b1357e7cc upstream.
+
+The idea before commit 240c35a37 (which has just been reverted)
+was that we have the following FPU states:
+
+               userspace (QEMU)             guest
+---------------------------------------------------------------------------
+               processor                    vcpu->arch.guest_fpu
+>>> KVM_RUN: kvm_load_guest_fpu
+               vcpu->arch.user_fpu          processor
+>>> preempt out
+               vcpu->arch.user_fpu          current->thread.fpu
+>>> preempt in
+               vcpu->arch.user_fpu          processor
+>>> back to userspace
+>>> kvm_put_guest_fpu
+               processor                    vcpu->arch.guest_fpu
+---------------------------------------------------------------------------
+
+With the new lazy model we want to get the state back to the processor
+when schedule in from current->thread.fpu.
+
+Reported-by: Thomas Lambertz <mail@thomaslambertz.de>
+Reported-by: anthony <antdev66@gmail.com>
+Tested-by: anthony <antdev66@gmail.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Thomas Lambertz <mail@thomaslambertz.de>
+Cc: anthony <antdev66@gmail.com>
+Cc: stable@vger.kernel.org
+Fixes: 5f409e20b (x86/fpu: Defer FPU state load until return to userspace)
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+[Add a comment in front of the warning. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3264,6 +3264,10 @@ void kvm_arch_vcpu_load(struct kvm_vcpu
+       kvm_x86_ops->vcpu_load(vcpu, cpu);
++      fpregs_assert_state_consistent();
++      if (test_thread_flag(TIF_NEED_FPU_LOAD))
++              switch_fpu_return();
++
+       /* Apply any externally detected TSC adjustments (due to suspend) */
+       if (unlikely(vcpu->arch.tsc_offset_adjustment)) {
+               adjust_tsc_offset_host(vcpu, vcpu->arch.tsc_offset_adjustment);
+@@ -7955,9 +7959,8 @@ static int vcpu_enter_guest(struct kvm_v
+               wait_lapic_expire(vcpu);
+       guest_enter_irqoff();
+-      fpregs_assert_state_consistent();
+-      if (test_thread_flag(TIF_NEED_FPU_LOAD))
+-              switch_fpu_return();
++      /* The preempt notifier should have taken care of the FPU already.  */
++      WARN_ON_ONCE(test_thread_flag(TIF_NEED_FPU_LOAD));
+       if (unlikely(vcpu->arch.switch_db_regs)) {
+               set_debugreg(0, 7);
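Review bot: The new check in vcpu_enter_guest() only reports a set TIF_NEED_FPU_LOAD and then enters the guest anyway, so the guest would run on whatever is in the FPU registers if the flag is set after kvm_arch_vcpu_load() has run. Whether anything can set it in that window is not visible from these hunks, but keeping the reload as a fallback costs nothing: `if (WARN_ON_ONCE(test_thread_flag(TIF_NEED_FPU_LOAD))) switch_fpu_return();`. The `fpregs_assert_state_consistent()` call was also dropped from this path and would be worth keeping next to it. Both functions continue outside the hunks.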
diff --git a/queue-5.2/media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch b/queue-5.2/media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch
new file mode 100644 (file)
index 0000000..61d5f43
--- /dev/null
@@ -0,0 +1,41 @@
+From 22be8233b34f4f468934c5fefcbe6151766fb8f2 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 11 Jul 2019 04:53:25 -0400
+Subject: media: videodev2.h: change V4L2_PIX_FMT_BGRA444 define: fourcc was already in use
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit 22be8233b34f4f468934c5fefcbe6151766fb8f2 upstream.
+
+The V4L2_PIX_FMT_BGRA444 define clashed with the pre-existing V4L2_PIX_FMT_SGRBG12
+which strangely enough used the same fourcc, even though that fourcc made no sense
+for a Bayer format. In any case, you can't have duplicates, so change the fourcc of
+V4L2_PIX_FMT_BGRA444.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Cc: <stable@vger.kernel.org>      # for v5.2 and up
+Fixes: 6c84f9b1d2900 ("media: v4l: Add definitions for missing 16-bit RGB4444 formats")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
+index 9d9705ceda76..2427bc4d8eba 100644
+--- a/include/uapi/linux/videodev2.h
++++ b/include/uapi/linux/videodev2.h
+@@ -518,7 +518,13 @@ struct v4l2_pix_format {
+ #define V4L2_PIX_FMT_RGBX444 v4l2_fourcc('R', 'X', '1', '2') /* 16  rrrrgggg bbbbxxxx */
+ #define V4L2_PIX_FMT_ABGR444 v4l2_fourcc('A', 'B', '1', '2') /* 16  aaaabbbb ggggrrrr */
+ #define V4L2_PIX_FMT_XBGR444 v4l2_fourcc('X', 'B', '1', '2') /* 16  xxxxbbbb ggggrrrr */
+-#define V4L2_PIX_FMT_BGRA444 v4l2_fourcc('B', 'A', '1', '2') /* 16  bbbbgggg rrrraaaa */
++
++/*
++ * Originally this had 'BA12' as fourcc, but this clashed with the older
++ * V4L2_PIX_FMT_SGRBG12 which inexplicably used that same fourcc.
++ * So use 'GA12' instead for V4L2_PIX_FMT_BGRA444.
++ */
++#define V4L2_PIX_FMT_BGRA444 v4l2_fourcc('G', 'A', '1', '2') /* 16  bbbbgggg rrrraaaa */
+ #define V4L2_PIX_FMT_BGRX444 v4l2_fourcc('B', 'X', '1', '2') /* 16  bbbbgggg rrrrxxxx */
+ #define V4L2_PIX_FMT_RGB555  v4l2_fourcc('R', 'G', 'B', 'O') /* 16  RGB-5-5-5     */
+ #define V4L2_PIX_FMT_ARGB555 v4l2_fourcc('A', 'R', '1', '5') /* 16  ARGB-1-5-5-5  */
diff --git a/queue-5.2/revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch b/queue-5.2/revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch
new file mode 100644 (file)
index 0000000..e966cec
--- /dev/null
@@ -0,0 +1,38 @@
+From bafe64e5f0edaa689e72e2f8dc236641da37fed4 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 19 Jul 2019 10:44:05 +0200
+Subject: Revert "usb: usb251xb: Add US lanes inversion dts-bindings"
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit bafe64e5f0edaa689e72e2f8dc236641da37fed4 upstream.
+
+This reverts commit 3342ce35a1, as there is no need for this separate
+property and it breaks compatibility with existing devicetree files
+(arch/arm64/boot/dts/freescale/imx8mq.dtsi).
+
+CC: stable@vger.kernel.org #5.2
+Fixes: 3342ce35a183 ("usb: usb251xb: Add US lanes inversion dts-bindings")
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Link: https://lore.kernel.org/r/20190719084407.28041-1-l.stach@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/usb/usb251xb.txt |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/Documentation/devicetree/bindings/usb/usb251xb.txt
++++ b/Documentation/devicetree/bindings/usb/usb251xb.txt
+@@ -64,10 +64,8 @@ Optional properties :
+  - power-on-time-ms : Specifies the time it takes from the time the host
+       initiates the power-on sequence to a port until the port has adequate
+       power. The value is given in ms in a 0 - 510 range (default is 100ms).
+- - swap-dx-lanes : Specifies the downstream ports which will swap the
+-      differential-pair (D+/D-), default is not-swapped.
+- - swap-us-lanes : Selects the upstream port differential-pair (D+/D-)
+-      swapping (boolean, default is not-swapped)
++ - swap-dx-lanes : Specifies the ports which will swap the differential-pair
++      (D+/D-), default is not-swapped.
+ Examples:
+       usb2512b@2c {
diff --git a/queue-5.2/revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch b/queue-5.2/revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch
new file mode 100644 (file)
index 0000000..22631f7
--- /dev/null
@@ -0,0 +1,33 @@
+From 79f6fafad4e2a874015cb67d735f9f87f1834367 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 19 Jul 2019 10:44:06 +0200
+Subject: Revert "usb: usb251xb: Add US port lanes inversion property"
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit 79f6fafad4e2a874015cb67d735f9f87f1834367 upstream.
+
+This property isn't needed and not yet used anywhere. The swap-dx-lanes
+property is perfectly fine for doing the swap on the upstream port
+lanes.
+
+CC: stable@vger.kernel.org #5.2
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Link: https://lore.kernel.org/r/20190719084407.28041-2-l.stach@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/usb251xb.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/misc/usb251xb.c
++++ b/drivers/usb/misc/usb251xb.c
+@@ -574,8 +574,6 @@ static int usb251xb_get_ofdata(struct us
+       hub->port_swap = USB251XB_DEF_PORT_SWAP;
+       usb251xb_get_ports_field(hub, "swap-dx-lanes", data->port_cnt,
+                                &hub->port_swap);
+-      if (of_get_property(np, "swap-us-lanes", NULL))
+-              hub->port_swap |= BIT(0);
+       /* The following parameters are currently not exposed to devicetree, but
+        * may be as soon as needed.
diff --git a/queue-5.2/selinux-check-sidtab-limit-before-adding-a-new-entry.patch b/queue-5.2/selinux-check-sidtab-limit-before-adding-a-new-entry.patch
new file mode 100644 (file)
index 0000000..a5c1b9d
--- /dev/null
@@ -0,0 +1,38 @@
+From acbc372e6109c803cbee4733769d02008381740f Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 23 Jul 2019 08:50:59 +0200
+Subject: selinux: check sidtab limit before adding a new entry
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit acbc372e6109c803cbee4733769d02008381740f upstream.
+
+We need to error out when trying to add an entry above SIDTAB_MAX in
+sidtab_reverse_lookup() to avoid overflow on the odd chance that this
+happens.
+
+Cc: stable@vger.kernel.org
+Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/sidtab.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/security/selinux/ss/sidtab.c
++++ b/security/selinux/ss/sidtab.c
+@@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct
+               ++count;
+       }
++      /* bail out if we already reached max entries */
++      rc = -EOVERFLOW;
++      if (count >= SIDTAB_MAX)
++              goto out_unlock;
++
+       /* insert context into new entry */
+       rc = -ENOMEM;
+       dst = sidtab_do_lookup(s, count, 1);
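Review bot: The new limit check in sidtab_reverse_lookup() fails silently: once count reaches SIDTAB_MAX every further new context gets -EOVERFLOW and nothing is logged, so a full table shows up only as unexplained failures in callers. A rate-limited message before the goto, for example `pr_warn_ratelimited("SELinux: sidtab is full, cannot add new context\n");`, would make the condition visible to whoever monitors the host. It is also worth confirming that the callers, which are outside the hunk, propagate -EOVERFLOW rather than treating it like -ENOMEM.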
index 6738de9397cf74fe742185217eda27205962ce7e..01a69b64d5adceb40f760269a6026c212e0d82a1 100644 (file)
@@ -164,3 +164,20 @@ locking-lockdep-fix-lock-used-or-unused-stats-error.patch
 mm-use-down_read_killable-for-locking-mmap_sem-in-ac.patch
 mm-swap-fix-race-between-swapoff-and-some-swap-opera.patch
 locking-lockdep-hide-unused-class-variable.patch
+xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch
+usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch
+usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
+usb-pci-quirks-correct-amd-pll-quirk-detection.patch
+revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch
+revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch
+usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch
+kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch
+kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch
+kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch
+kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch
+media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch
+btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch
+selinux-check-sidtab-limit-before-adding-a-new-entry.patch
+x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
+x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
+x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch
diff --git a/queue-5.2/usb-pci-quirks-correct-amd-pll-quirk-detection.patch b/queue-5.2/usb-pci-quirks-correct-amd-pll-quirk-detection.patch
new file mode 100644 (file)
index 0000000..596182f
--- /dev/null
@@ -0,0 +1,103 @@
+From f3dccdaade4118070a3a47bef6b18321431f9ac6 Mon Sep 17 00:00:00 2001
+From: Ryan Kennedy <ryan5544@gmail.com>
+Date: Thu, 4 Jul 2019 11:35:28 -0400
+Subject: usb: pci-quirks: Correct AMD PLL quirk detection
+
+From: Ryan Kennedy <ryan5544@gmail.com>
+
+commit f3dccdaade4118070a3a47bef6b18321431f9ac6 upstream.
+
+The AMD PLL USB quirk is incorrectly enabled on newer Ryzen
+chipsets. The logic in usb_amd_find_chipset_info currently checks
+for unaffected chipsets rather than affected ones. This broke
+once a new chipset was added in e788787ef. It makes more sense
+to reverse the logic so it won't need to be updated as new
+chipsets are added. Note that the core of the workaround in
+usb_amd_quirk_pll does correctly check the chipset.
+
+Signed-off-by: Ryan Kennedy <ryan5544@gmail.com>
+Fixes: e788787ef4f9 ("usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20190704153529.9429-2-ryan5544@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/pci-quirks.c |   31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/host/pci-quirks.c
++++ b/drivers/usb/host/pci-quirks.c
+@@ -205,7 +205,7 @@ int usb_amd_find_chipset_info(void)
+ {
+       unsigned long flags;
+       struct amd_chipset_info info;
+-      int ret;
++      int need_pll_quirk = 0;
+       spin_lock_irqsave(&amd_lock, flags);
+@@ -219,21 +219,28 @@ int usb_amd_find_chipset_info(void)
+       spin_unlock_irqrestore(&amd_lock, flags);
+       if (!amd_chipset_sb_type_init(&info)) {
+-              ret = 0;
+               goto commit;
+       }
+-      /* Below chipset generations needn't enable AMD PLL quirk */
+-      if (info.sb_type.gen == AMD_CHIPSET_UNKNOWN ||
+-                      info.sb_type.gen == AMD_CHIPSET_SB600 ||
+-                      info.sb_type.gen == AMD_CHIPSET_YANGTZE ||
+-                      (info.sb_type.gen == AMD_CHIPSET_SB700 &&
+-                      info.sb_type.rev > 0x3b)) {
++      switch (info.sb_type.gen) {
++      case AMD_CHIPSET_SB700:
++              need_pll_quirk = info.sb_type.rev <= 0x3B;
++              break;
++      case AMD_CHIPSET_SB800:
++      case AMD_CHIPSET_HUDSON2:
++      case AMD_CHIPSET_BOLTON:
++              need_pll_quirk = 1;
++              break;
++      default:
++              need_pll_quirk = 0;
++              break;
++      }
++
++      if (!need_pll_quirk) {
+               if (info.smbus_dev) {
+                       pci_dev_put(info.smbus_dev);
+                       info.smbus_dev = NULL;
+               }
+-              ret = 0;
+               goto commit;
+       }
+@@ -252,7 +259,7 @@ int usb_amd_find_chipset_info(void)
+               }
+       }
+-      ret = info.probe_result = 1;
++      need_pll_quirk = info.probe_result = 1;
+       printk(KERN_DEBUG "QUIRK: Enable AMD PLL fix\n");
+ commit:
+@@ -263,7 +270,7 @@ commit:
+               /* Mark that we where here */
+               amd_chipset.probe_count++;
+-              ret = amd_chipset.probe_result;
++              need_pll_quirk = amd_chipset.probe_result;
+               spin_unlock_irqrestore(&amd_lock, flags);
+@@ -277,7 +284,7 @@ commit:
+               spin_unlock_irqrestore(&amd_lock, flags);
+       }
+-      return ret;
++      return need_pll_quirk;
+ }
+ EXPORT_SYMBOL_GPL(usb_amd_find_chipset_info);
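Review bot: In usb_amd_find_chipset_info() the `default:` arm of the new switch assigns the value need_pll_quirk already has from its initializer. The `if (!amd_chipset_sb_type_init(&info))` block is also left with braces around a lone `goto commit;`, which kernel style drops. The list of affected generations now lives here and, per the commit message, in usb_amd_quirk_pll() as well. A comment such as `/* keep in sync with the chipset check in usb_amd_quirk_pll() */` above the switch would help the two stay aligned.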
diff --git a/queue-5.2/usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch b/queue-5.2/usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch
new file mode 100644 (file)
index 0000000..ed0380e
--- /dev/null
@@ -0,0 +1,83 @@
+From d74ffae8b8dd17eaa8b82fc163e6aa2076dc8fb1 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 22 Jul 2019 19:58:25 +0900
+Subject: usb-storage: Add a limitation for blk_queue_max_hw_sectors()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit d74ffae8b8dd17eaa8b82fc163e6aa2076dc8fb1 upstream.
+
+This patch fixes an issue that the following error happens on
+swiotlb environment:
+
+       xhci-hcd ee000000.usb: swiotlb buffer is full (sz: 524288 bytes), total 32768 (slots), used 1338 (slots)
+
+On the kernel v5.1, block settings of a usb-storage with SuperSpeed
+were the following so that the block layer will allocate buffers
+up to 64 KiB, and then the issue didn't happen.
+
+       max_segment_size = 65536
+       max_hw_sectors_kb = 1024
+
+After the commit 09324d32d2a0 ("block: force an unlimited segment
+size on queues with a virt boundary") is applied, the block settings
+are the following. So, the block layer will allocate buffers up to
+1024 KiB, and then the issue happens:
+
+       max_segment_size = 4294967295
+       max_hw_sectors_kb = 1024
+
+To fix the issue, the usb-storage driver checks the maximum size of
+a mapping for the device and then adjusts the max_hw_sectors_kb
+if required. After this patch is applied, the block settings will
+be the following, and then the issue doesn't happen.
+
+       max_segment_size = 4294967295
+       max_hw_sectors_kb = 256
+
+Fixes: 09324d32d2a0 ("block: force an unlimited segment size on queues with a virt boundary")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/1563793105-20597-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/scsiglue.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -28,6 +28,8 @@
+  * status of a command.
+  */
++#include <linux/blkdev.h>
++#include <linux/dma-mapping.h>
+ #include <linux/module.h>
+ #include <linux/mutex.h>
+@@ -99,6 +101,7 @@ static int slave_alloc (struct scsi_devi
+ static int slave_configure(struct scsi_device *sdev)
+ {
+       struct us_data *us = host_to_us(sdev->host);
++      struct device *dev = us->pusb_dev->bus->sysdev;
+       /*
+        * Many devices have trouble transferring more than 32KB at a time,
+@@ -129,6 +132,14 @@ static int slave_configure(struct scsi_d
+       }
+       /*
++       * The max_hw_sectors should be up to maximum size of a mapping for
++       * the device. Otherwise, a DMA API might fail on swiotlb environment.
++       */
++      blk_queue_max_hw_sectors(sdev->request_queue,
++              min_t(size_t, queue_max_hw_sectors(sdev->request_queue),
++                    dma_max_mapping_size(dev) >> SECTOR_SHIFT));
++
++      /*
+        * Some USB host controllers can't do DMA; they have to use PIO.
+        * They indicate this by setting their dma_mask to NULL.  For
+        * such controllers we need to make sure the block layer sets
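Review bot: The comment added in slave_configure() does not say that dma_max_mapping_size() is a byte count converted to 512-byte sectors by `>> SECTOR_SHIFT`, or that the `min_t()` can only lower the limit already on the queue. A more precise wording would be `/* Clamp max_hw_sectors to the largest single DMA mapping for the controller (bytes >> SECTOR_SHIFT); larger requests can exhaust swiotlb. */`. It would also help to note that `dev` is the host controller's `sysdev` and not the USB storage device, since that is the device whose mapping limit matters here. slave_configure() continues outside the hunk.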
diff --git a/queue-5.2/usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch b/queue-5.2/usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch
new file mode 100644 (file)
index 0000000..8865a4a
--- /dev/null
@@ -0,0 +1,80 @@
+From 4849ee6129702dcb05d36f9c7c61b4661fcd751f Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 19 Jul 2019 10:44:07 +0200
+Subject: usb: usb251xb: Reallow swap-dx-lanes to apply to the upstream port
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit 4849ee6129702dcb05d36f9c7c61b4661fcd751f upstream.
+
+This is a partial revert of 73d31def1aab "usb: usb251xb: Create a ports
+field collector method", which broke a existing devicetree
+(arch/arm64/boot/dts/freescale/imx8mq.dtsi).
+
+There is no reason why the swap-dx-lanes property should not apply to
+the upstream port. The reason given in the breaking commit was that it's
+inconsitent with respect to other port properties, but in fact it is not.
+All other properties which only apply to the downstream ports explicitly
+reject port 0, so there is pretty strong precedence that the driver
+referred to the upstream port as port 0. So there is no inconsistency in
+this property at all, other than the swapping being also applicable to
+the upstream port.
+
+CC: stable@vger.kernel.org #5.2
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Link: https://lore.kernel.org/r/20190719084407.28041-3-l.stach@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/usb251xb.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/usb251xb.c
++++ b/drivers/usb/misc/usb251xb.c
+@@ -375,7 +375,8 @@ out_err:
+ #ifdef CONFIG_OF
+ static void usb251xb_get_ports_field(struct usb251xb *hub,
+-                                  const char *prop_name, u8 port_cnt, u8 *fld)
++                                  const char *prop_name, u8 port_cnt,
++                                  bool ds_only, u8 *fld)
+ {
+       struct device *dev = hub->dev;
+       struct property *prop;
+@@ -383,7 +384,7 @@ static void usb251xb_get_ports_field(str
+       u32 port;
+       of_property_for_each_u32(dev->of_node, prop_name, prop, p, port) {
+-              if ((port >= 1) && (port <= port_cnt))
++              if ((port >= ds_only ? 1 : 0) && (port <= port_cnt))
+                       *fld |= BIT(port);
+               else
+                       dev_warn(dev, "port %u doesn't exist\n", port);
+@@ -501,15 +502,15 @@ static int usb251xb_get_ofdata(struct us
+       hub->non_rem_dev = USB251XB_DEF_NON_REMOVABLE_DEVICES;
+       usb251xb_get_ports_field(hub, "non-removable-ports", data->port_cnt,
+-                               &hub->non_rem_dev);
++                               true, &hub->non_rem_dev);
+       hub->port_disable_sp = USB251XB_DEF_PORT_DISABLE_SELF;
+       usb251xb_get_ports_field(hub, "sp-disabled-ports", data->port_cnt,
+-                               &hub->port_disable_sp);
++                               true, &hub->port_disable_sp);
+       hub->port_disable_bp = USB251XB_DEF_PORT_DISABLE_BUS;
+       usb251xb_get_ports_field(hub, "bp-disabled-ports", data->port_cnt,
+-                               &hub->port_disable_bp);
++                               true, &hub->port_disable_bp);
+       hub->max_power_sp = USB251XB_DEF_MAX_POWER_SELF;
+       if (!of_property_read_u32(np, "sp-max-total-current-microamp",
+@@ -573,7 +574,7 @@ static int usb251xb_get_ofdata(struct us
+        */
+       hub->port_swap = USB251XB_DEF_PORT_SWAP;
+       usb251xb_get_ports_field(hub, "swap-dx-lanes", data->port_cnt,
+-                               &hub->port_swap);
++                               false, &hub->port_swap);
+       /* The following parameters are currently not exposed to devicetree, but
+        * may be as soon as needed.
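Review bot: In usb251xb_get_ports_field() the new lower-bound test `(port >= ds_only ? 1 : 0)` parses as `(port >= ds_only) ? 1 : 0`, because `>=` binds tighter than `?:`. It happens to give the intended result (a true `ds_only` compares as 1, a false one makes the test always true), but only by accident, and it is likely to draw a parentheses warning from the compiler. The intended bound should be written explicitly: `if ((port >= (ds_only ? 1 : 0)) && (port <= port_cnt))`. The function body starts and ends outside the two hunks that touch it.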
diff --git a/queue-5.2/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch b/queue-5.2/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
new file mode 100644 (file)
index 0000000..a553ae6
--- /dev/null
@@ -0,0 +1,61 @@
+From f90bf1ece48a736097ea224430578fe586a9544c Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Wed, 24 Jul 2019 09:06:01 +0700
+Subject: usb: wusbcore: fix unbalanced get/put cluster_id
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+commit f90bf1ece48a736097ea224430578fe586a9544c upstream.
+
+syzboot reported that
+https://syzkaller.appspot.com/bug?extid=fd2bd7df88c606eea4ef
+
+There is not consitency parameter in cluste_id_get/put calling.
+In case of getting the id with result is failure, the wusbhc->cluster_id
+will not be updated and this can not be used for wusb_cluster_id_put().
+
+Tested report
+https://groups.google.com/d/msg/syzkaller-bugs/0znZopp3-9k/oxOrhLkLEgAJ
+
+Reproduce and gdb got the details:
+
+139            addr = wusb_cluster_id_get();
+(gdb) n
+140            if (addr == 0)
+(gdb) print addr
+$1 = 254 '\376'
+(gdb) n
+142            result = __hwahc_set_cluster_id(hwahc, addr);
+(gdb) print result
+$2 = -71
+(gdb) break wusb_cluster_id_put
+Breakpoint 3 at 0xffffffff836e3f20: file drivers/usb/wusbcore/wusbhc.c, line 384.
+(gdb) s
+Thread 2 hit Breakpoint 3, wusb_cluster_id_put (id=0 '\000') at drivers/usb/wusbcore/wusbhc.c:384
+384            id = 0xff - id;
+(gdb) n
+385            BUG_ON(id >= CLUSTER_IDS);
+(gdb) print id
+$3 = 255 '\377'
+
+Reported-by: syzbot+fd2bd7df88c606eea4ef@syzkaller.appspotmail.com
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190724020601.15257-1-tranmanphong@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/hwa-hc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/hwa-hc.c
++++ b/drivers/usb/host/hwa-hc.c
+@@ -159,7 +159,7 @@ out:
+       return result;
+ error_set_cluster_id:
+-      wusb_cluster_id_put(wusbhc->cluster_id);
++      wusb_cluster_id_put(addr);
+ error_cluster_id_get:
+       goto out;
diff --git a/queue-5.2/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch b/queue-5.2/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
new file mode 100644 (file)
index 0000000..9bdd8e8
--- /dev/null
@@ -0,0 +1,41 @@
+From 517c3ba00916383af6411aec99442c307c23f684 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Thu, 25 Jul 2019 10:39:09 +0800
+Subject: x86/speculation/mds: Apply more accurate check on hypervisor platform
+
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+
+commit 517c3ba00916383af6411aec99442c307c23f684 upstream.
+
+X86_HYPER_NATIVE isn't accurate for checking if running on native platform,
+e.g. CONFIG_HYPERVISOR_GUEST isn't set or "nopv" is enabled.
+
+Checking the CPU feature bit X86_FEATURE_HYPERVISOR to determine if it's
+running on native platform is more accurate.
+
+This still doesn't cover the platforms on which X86_FEATURE_HYPERVISOR is
+unsupported, e.g. VMware, but there is nothing which can be done about this
+scenario.
+
+Fixes: 8a4b06d391b0 ("x86/speculation/mds: Add sysfs reporting for MDS")
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1564022349-17338-1-git-send-email-zhenzhong.duan@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/bugs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1226,7 +1226,7 @@ static ssize_t l1tf_show_state(char *buf
+ static ssize_t mds_show_state(char *buf)
+ {
+-      if (!hypervisor_is_type(X86_HYPER_NATIVE)) {
++      if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
+               return sprintf(buf, "%s; SMT Host state unknown\n",
+                              mds_strings[mds_mitigation]);
+       }
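Review bot: mds_show_state() now picks the "SMT Host state unknown" branch purely from `boot_cpu_has(X86_FEATURE_HYPERVISOR)`, and nothing in the code records the limitation the commit message admits: a guest whose hypervisor does not expose that bit is reported as if it were native. Since this string is what administrators read to judge MDS exposure, the assumption belongs next to the check, for example `/* Relies on the hypervisor advertising X86_FEATURE_HYPERVISOR; a guest that does not see the bit is treated as native. */`. The rest of the function is outside the hunk.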
diff --git a/queue-5.2/x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch b/queue-5.2/x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch
new file mode 100644 (file)
index 0000000..2cf5d79
--- /dev/null
@@ -0,0 +1,62 @@
+From 2af7c85714d8cafadf925d55441458eae312cd6b Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Mon, 22 Jul 2019 17:32:16 +0900
+Subject: x86/stacktrace: Prevent access_ok() warnings in arch_stack_walk_user()
+
+From: Eiichi Tsukata <devel@etsukata.com>
+
+commit 2af7c85714d8cafadf925d55441458eae312cd6b upstream.
+
+When arch_stack_walk_user() is called from atomic contexts, access_ok() can
+trigger the following warning if compiled with CONFIG_DEBUG_ATOMIC_SLEEP=y.
+
+Reproducer:
+
+  // CONFIG_DEBUG_ATOMIC_SLEEP=y
+  # cd /sys/kernel/debug/tracing
+  # echo 1 > options/userstacktrace
+  # echo 1 > events/irq/irq_handler_entry/enable
+
+  WARNING: CPU: 0 PID: 2649 at arch/x86/kernel/stacktrace.c:103 arch_stack_walk_user+0x6e/0xf6
+  CPU: 0 PID: 2649 Comm: bash Not tainted 5.3.0-rc1+ #99
+  RIP: 0010:arch_stack_walk_user+0x6e/0xf6
+  Call Trace:
+   <IRQ>
+   stack_trace_save_user+0x10a/0x16d
+   trace_buffer_unlock_commit_regs+0x185/0x240
+   trace_event_buffer_commit+0xec/0x330
+   trace_event_raw_event_irq_handler_entry+0x159/0x1e0
+   __handle_irq_event_percpu+0x22d/0x440
+   handle_irq_event_percpu+0x70/0x100
+   handle_irq_event+0x5a/0x8b
+   handle_edge_irq+0x12f/0x3f0
+   handle_irq+0x34/0x40
+   do_IRQ+0xa6/0x1f0
+   common_interrupt+0xf/0xf
+   </IRQ>
+
+Fix it by calling __range_not_ok() directly instead of access_ok() as
+copy_from_user_nmi() does. This is fine here because the actual copy is
+inside a pagefault disabled region.
+
+Reported-by: Juri Lelli <juri.lelli@gmail.com>
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190722083216.16192-2-devel@etsukata.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/stacktrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/stacktrace.c
++++ b/arch/x86/kernel/stacktrace.c
+@@ -100,7 +100,7 @@ copy_stack_frame(const void __user *fp,
+ {
+       int ret;
+-      if (!access_ok(fp, sizeof(*frame)))
++      if (__range_not_ok(fp, sizeof(*frame), TASK_SIZE))
+               return 0;
+       ret = 1;
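Review bot: copy_stack_frame() now validates the user frame pointer with `__range_not_ok(fp, sizeof(*frame), TASK_SIZE)` but carries no comment explaining why the usual access_ok() is bypassed. The commit message says this is safe only because the copy runs inside a pagefault-disabled region, and that region lies outside the hunk, so the precondition is invisible at the check. A comment above the test would stop a later cleanup from switching back or moving the copy: `/* May run in atomic context: use __range_not_ok() as copy_from_user_nmi() does; the copy below must stay within pagefault_disable(). */`.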
diff --git a/queue-5.2/x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch b/queue-5.2/x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
new file mode 100644 (file)
index 0000000..04e5430
--- /dev/null
@@ -0,0 +1,91 @@
+From d02f1aa39189e0619c3525d5cd03254e61bf606a Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 21 Jul 2019 17:24:18 +0200
+Subject: x86/sysfb_efi: Add quirks for some devices with swapped width and height
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit d02f1aa39189e0619c3525d5cd03254e61bf606a upstream.
+
+Some Lenovo 2-in-1s with a detachable keyboard have a portrait screen but
+advertise a landscape resolution and pitch, resulting in a messed up
+display if the kernel tries to show anything on the efifb (because of the
+wrong pitch).
+
+Fix this by adding a new DMI match table for devices which need to have
+their width and height swapped.
+
+At first it was tried to use the existing table for overriding some of the
+efifb parameters, but some of the affected devices have variants with
+different LCD resolutions which will not work with hardcoded override
+values.
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1730783
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190721152418.11644-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/sysfb_efi.c |   46 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+--- a/arch/x86/kernel/sysfb_efi.c
++++ b/arch/x86/kernel/sysfb_efi.c
+@@ -230,9 +230,55 @@ static const struct dmi_system_id efifb_
+       {},
+ };
++/*
++ * Some devices have a portrait LCD but advertise a landscape resolution (and
++ * pitch). We simply swap width and height for these devices so that we can
++ * correctly deal with some of them coming with multiple resolutions.
++ */
++static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = {
++      {
++              /*
++               * Lenovo MIIX310-10ICR, only some batches have the troublesome
++               * 800x1280 portrait screen. Luckily the portrait version has
++               * its own BIOS version, so we match on that.
++               */
++              .matches = {
++                      DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++                      DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "MIIX 310-10ICR"),
++                      DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1HCN44WW"),
++              },
++      },
++      {
++              /* Lenovo MIIX 320-10ICR with 800x1280 portrait screen */
++              .matches = {
++                      DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++                      DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
++                                      "Lenovo MIIX 320-10ICR"),
++              },
++      },
++      {
++              /* Lenovo D330 with 800x1280 or 1200x1920 portrait screen */
++              .matches = {
++                      DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++                      DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
++                                      "Lenovo ideapad D330-10IGM"),
++              },
++      },
++      {},
++};
++
+ __init void sysfb_apply_efi_quirks(void)
+ {
+       if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI ||
+           !(screen_info.capabilities & VIDEO_CAPABILITY_SKIP_QUIRKS))
+               dmi_check_system(efifb_dmi_system_table);
++
++      if (screen_info.orig_video_isVGA == VIDEO_TYPE_EFI &&
++          dmi_check_system(efifb_dmi_swap_width_height)) {
++              u16 temp = screen_info.lfb_width;
++
++              screen_info.lfb_width = screen_info.lfb_height;
++              screen_info.lfb_height = temp;
++              screen_info.lfb_linelength = 4 * screen_info.lfb_width;
++      }
+ }
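Review bot: In sysfb_apply_efi_quirks() the swapped pitch is computed as `4 * screen_info.lfb_width`, which hard-codes 32 bits per pixel. If firmware on a matched device reports another depth, the line length would be wrong again. Either derive it from the reported depth, `screen_info.lfb_linelength = (screen_info.lfb_depth / 8) * screen_info.lfb_width;`, or add a comment stating that all matched devices are assumed to use 32 bpp with an unpadded pitch. Separately, the new block does not consult `VIDEO_CAPABILITY_SKIP_QUIRKS` as the table lookup above it does; if that is intentional, a one-line comment saying so would help.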
diff --git a/queue-5.2/xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch b/queue-5.2/xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch
new file mode 100644 (file)
index 0000000..79dfdac
--- /dev/null
@@ -0,0 +1,49 @@
+From d39b5bad8658d6d94cb2d98a44a7e159db4f5030 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 25 Jul 2019 11:54:21 +0300
+Subject: xhci: Fix crash if scatter gather is used with Immediate Data Transfer (IDT).
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit d39b5bad8658d6d94cb2d98a44a7e159db4f5030 upstream.
+
+A second regression was found in the immediate data transfer (IDT)
+support which was added to 5.2 kernel
+
+IDT is used to transfer small amounts of data (up to 8 bytes) in the
+field normally used for data dma address, thus avoiding dma mapping.
+
+If the data was not already dma mapped, then IDT support assumed data was
+in urb->transfer_buffer, and did not take into accound that even
+small amounts of data (8 bytes) can be in a scatterlist instead.
+
+This caused a NULL pointer dereference when sg_dma_len() was used
+with non-dma mapped data.
+
+Solve this by not using IDT if scatter gather buffer list is used.
+
+Fixes: 33e39350ebd2 ("usb: xhci: add Immediate Data Transfer support")
+Cc: <stable@vger.kernel.org> # v5.2
+Reported-by: Maik Stohn <maik.stohn@seal-one.com>
+Tested-by: Maik Stohn <maik.stohn@seal-one.com>
+CC: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1564044861-1445-1-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -2170,7 +2170,8 @@ static inline bool xhci_urb_suitable_for
+       if (!usb_endpoint_xfer_isoc(&urb->ep->desc) && usb_urb_dir_out(urb) &&
+           usb_endpoint_maxp(&urb->ep->desc) >= TRB_IDT_MAX_SIZE &&
+           urb->transfer_buffer_length <= TRB_IDT_MAX_SIZE &&
+-          !(urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP))
++          !(urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP) &&
++          !urb->num_sgs)
+               return true;
+       return false;