--- /dev/null
+From bfc913682464f45bc4d6044084e370f9048de9d5 Mon Sep 17 00:00:00 2001
+From: Meelis Roos <mroos@linux.ee>
+Date: Fri, 12 Oct 2018 12:27:51 +0300
+Subject: alpha: Fix Eiger NR_IRQS to 128
+
+From: Meelis Roos <mroos@linux.ee>
+
+commit bfc913682464f45bc4d6044084e370f9048de9d5 upstream.
+
+Eiger machine vector definition has nr_irqs 128, and working 2.6.26
+boot shows SCSI getting IRQ-s 64 and 65. Current kernel boot fails
+because Symbios SCSI fails to request IRQ-s and does not find the disks.
+It has been broken at least since 3.18 - the earliest I could test with
+my gcc-5.
+
+The headers have moved around and possibly another order of defines has
+worked in the past - but since 128 seems to be correct and used, fix
+arch/alpha/include/asm/irq.h to have NR_IRQS=128 for Eiger.
+
+This fixes 4.19-rc7 boot on my Force Flexor A264 (Eiger subarch).
+
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Meelis Roos <mroos@linux.ee>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/include/asm/irq.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/alpha/include/asm/irq.h
++++ b/arch/alpha/include/asm/irq.h
+@@ -55,15 +55,15 @@
+
+ #elif defined(CONFIG_ALPHA_DP264) || \
+ defined(CONFIG_ALPHA_LYNX) || \
+- defined(CONFIG_ALPHA_SHARK) || \
+- defined(CONFIG_ALPHA_EIGER)
++ defined(CONFIG_ALPHA_SHARK)
+ # define NR_IRQS 64
+
+ #elif defined(CONFIG_ALPHA_TITAN)
+ #define NR_IRQS 80
+
+ #elif defined(CONFIG_ALPHA_RAWHIDE) || \
+- defined(CONFIG_ALPHA_TAKARA)
++ defined(CONFIG_ALPHA_TAKARA) || \
++ defined(CONFIG_ALPHA_EIGER)
+ # define NR_IRQS 128
+
+ #elif defined(CONFIG_ALPHA_WILDFIRE)
--- /dev/null
+From 491af60ffb848b59e82f7c9145833222e0bf27a5 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Mon, 31 Dec 2018 11:53:55 +0000
+Subject: alpha: fix page fault handling for r16-r18 targets
+
+From: Sergei Trofimovich <slyfox@gentoo.org>
+
+commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream.
+
+Fix page fault handling code to fixup r16-r18 registers.
+Before the patch code had off-by-two registers bug.
+This bug caused overwriting of ps,pc,gp registers instead
+of fixing intended r16,r17,r18 (see `struct pt_regs`).
+
+More details:
+
+Initially Dmitry noticed a kernel bug as a failure
+on strace test suite. Test passes unmapped userspace
+pointer to io_submit:
+
+```c
+ #include <err.h>
+ #include <unistd.h>
+ #include <sys/mman.h>
+ #include <asm/unistd.h>
+ int main(void)
+ {
+ unsigned long ctx = 0;
+ if (syscall(__NR_io_setup, 1, &ctx))
+ err(1, "io_setup");
+ const size_t page_size = sysconf(_SC_PAGESIZE);
+ const size_t size = page_size * 2;
+ void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ if (MAP_FAILED == ptr)
+ err(1, "mmap(%zu)", size);
+ if (munmap(ptr, size))
+ err(1, "munmap");
+ syscall(__NR_io_submit, ctx, 1, ptr + page_size);
+ syscall(__NR_io_destroy, ctx);
+ return 0;
+ }
+```
+
+Running this test causes kernel to crash when handling page fault:
+
+```
+ Unable to handle kernel paging request at virtual address ffffffffffff9468
+ CPU 3
+ aio(26027): Oops 0
+ pc = [<fffffc00004eddf8>] ra = [<fffffc00004edd5c>] ps = 0000 Not tainted
+ pc is at sys_io_submit+0x108/0x200
+ ra is at sys_io_submit+0x6c/0x200
+ v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000
+ t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0
+ t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000
+ s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000
+ s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2
+ s6 = fffffc00c58e6300
+ a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000
+ a3 = 00000200001ac260 a4 = 00000200001ac1e8 a5 = 0000000000000001
+ t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440
+ t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000
+ gp = 0000000000000000 sp = 00000000265fd174
+ Disabling lock debugging due to kernel taint
+ Trace:
+ [<fffffc0000311404>] entSys+0xa4/0xc0
+```
+
+Here `gp` has invalid value. `gp is s overwritten by a fixup for the
+following page fault handler in `io_submit` syscall handler:
+
+```
+ __se_sys_io_submit
+ ...
+ ldq a1,0(t1)
+ bne t0,4280 <__se_sys_io_submit+0x180>
+```
+
+After a page fault `t0` should contain -EFALUT and `a1` is 0.
+Instead `gp` was overwritten in place of `a1`.
+
+This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18`
+(aka `a0-a2`).
+
+I think the bug went unnoticed for a long time as `gp` is one
+of scratch registers. Any kernel function call would re-calculate `gp`.
+
+Dmitry tracked down the bug origin back to 2.1.32 kernel version
+where trap_a{0,1,2} fields were inserted into struct pt_regs.
+And even before that `dpf_reg()` contained off-by-one error.
+
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: linux-alpha@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reported-and-reviewed-by: "Dmitry V. Levin" <ldv@altlinux.org>
+Cc: stable@vger.kernel.org # v2.1.32+
+Bug: https://bugs.gentoo.org/672040
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/mm/fault.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/alpha/mm/fault.c
++++ b/arch/alpha/mm/fault.c
+@@ -77,7 +77,7 @@ __load_new_mm_context(struct mm_struct *
+ /* Macro for exception fixup code to access integer registers. */
+ #define dpf_reg(r) \
+ (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \
+- (r) <= 18 ? (r)+8 : (r)-10])
++ (r) <= 18 ? (r)+10 : (r)-10])
+
+ asmlinkage void
+ do_page_fault(unsigned long address, unsigned long mmcsr,
--- /dev/null
+From 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e Mon Sep 17 00:00:00 2001
+From: Jurica Vukadin <jurica.vukadin@rt-rk.com>
+Date: Thu, 7 Feb 2019 16:29:37 +0100
+Subject: ALSA: hda - Add quirk for HP EliteBook 840 G5
+
+From: Jurica Vukadin <jurica.vukadin@rt-rk.com>
+
+commit 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e upstream.
+
+This enables mute LED support and fixes switching jacks when the laptop
+is docked.
+
+Signed-off-by: Jurica Vukadin <jurica.vukadin@rt-rk.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -854,6 +854,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
--- /dev/null
+From 2bc16b9f3223d049b57202ee702fcb5b9b507019 Mon Sep 17 00:00:00 2001
+From: Manuel Reinhardt <manuel.rhdt@gmail.com>
+Date: Thu, 31 Jan 2019 15:32:35 +0100
+Subject: ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
+
+From: Manuel Reinhardt <manuel.rhdt@gmail.com>
+
+commit 2bc16b9f3223d049b57202ee702fcb5b9b507019 upstream.
+
+The commit a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to
+separate function") introduced an error in the handling of quirks for
+implicit feedback endpoints. This commit fixes this.
+
+If a quirk successfully sets up an implicit feedback endpoint, usb-audio
+no longer tries to find the implicit fb endpoint itself.
+
+Fixes: a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to separate function")
+Signed-off-by: Manuel Reinhardt <manuel.rhdt@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/pcm.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -313,6 +313,9 @@ static int search_roland_implicit_fb(str
+ return 0;
+ }
+
++/* Setup an implicit feedback endpoint from a quirk. Returns 0 if no quirk
++ * applies. Returns 1 if a quirk was found.
++ */
+ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
+ struct usb_device *dev,
+ struct usb_interface_descriptor *altsd,
+@@ -391,7 +394,7 @@ add_sync_ep:
+
+ subs->data_endpoint->sync_master = subs->sync_endpoint;
+
+- return 0;
++ return 1;
+ }
+
+ static int set_sync_endpoint(struct snd_usb_substream *subs,
+@@ -430,6 +433,10 @@ static int set_sync_endpoint(struct snd_
+ if (err < 0)
+ return err;
+
++ /* endpoint set by quirk */
++ if (err > 0)
++ return 0;
++
+ if (altsd->bNumEndpoints < 2)
+ return 0;
+
--- /dev/null
+From 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 Mon Sep 17 00:00:00 2001
+From: Nikos Tsironis <ntsironis@arrikto.com>
+Date: Thu, 14 Feb 2019 20:38:47 +0200
+Subject: dm thin: fix bug where bio that overwrites thin block ignores FUA
+
+From: Nikos Tsironis <ntsironis@arrikto.com>
+
+commit 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 upstream.
+
+When provisioning a new data block for a virtual block, either because
+the block was previously unallocated or because we are breaking sharing,
+if the whole block of data is being overwritten the bio that triggered
+the provisioning is issued immediately, skipping copying or zeroing of
+the data block.
+
+When this bio completes the new mapping is inserted in to the pool's
+metadata by process_prepared_mapping(), where the bio completion is
+signaled to the upper layers.
+
+This completion is signaled without first committing the metadata. If
+the bio in question has the REQ_FUA flag set and the system crashes
+right after its completion and before the next metadata commit, then the
+write is lost despite the REQ_FUA flag requiring that I/O completion for
+this request must only be signaled after the data has been committed to
+non-volatile storage.
+
+Fix this by deferring the completion of overwrite bios, with the REQ_FUA
+flag set, until after the metadata has been committed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com>
+Acked-by: Joe Thornber <ejt@redhat.com>
+Acked-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 50 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -257,6 +257,7 @@ struct pool {
+
+ spinlock_t lock;
+ struct bio_list deferred_flush_bios;
++ struct bio_list deferred_flush_completions;
+ struct list_head prepared_mappings;
+ struct list_head prepared_discards;
+ struct list_head prepared_discards_pt2;
+@@ -925,6 +926,39 @@ static void process_prepared_mapping_fai
+ mempool_free(m, m->tc->pool->mapping_pool);
+ }
+
++static void complete_overwrite_bio(struct thin_c *tc, struct bio *bio)
++{
++ struct pool *pool = tc->pool;
++ unsigned long flags;
++
++ /*
++ * If the bio has the REQ_FUA flag set we must commit the metadata
++ * before signaling its completion.
++ */
++ if (!bio_triggers_commit(tc, bio)) {
++ bio_endio(bio);
++ return;
++ }
++
++ /*
++ * Complete bio with an error if earlier I/O caused changes to the
++ * metadata that can't be committed, e.g, due to I/O errors on the
++ * metadata device.
++ */
++ if (dm_thin_aborted_changes(tc->td)) {
++ bio_io_error(bio);
++ return;
++ }
++
++ /*
++ * Batch together any bios that trigger commits and then issue a
++ * single commit for them in process_deferred_bios().
++ */
++ spin_lock_irqsave(&pool->lock, flags);
++ bio_list_add(&pool->deferred_flush_completions, bio);
++ spin_unlock_irqrestore(&pool->lock, flags);
++}
++
+ static void process_prepared_mapping(struct dm_thin_new_mapping *m)
+ {
+ struct thin_c *tc = m->tc;
+@@ -957,7 +991,7 @@ static void process_prepared_mapping(str
+ */
+ if (bio) {
+ inc_remap_and_issue_cell(tc, m->cell, m->data_block);
+- bio_endio(bio);
++ complete_overwrite_bio(tc, bio);
+ } else {
+ inc_all_io_entry(tc->pool, m->cell->holder);
+ remap_and_issue(tc, m->cell->holder, m->data_block);
+@@ -2303,7 +2337,7 @@ static void process_deferred_bios(struct
+ {
+ unsigned long flags;
+ struct bio *bio;
+- struct bio_list bios;
++ struct bio_list bios, bio_completions;
+ struct thin_c *tc;
+
+ tc = get_first_thin(pool);
+@@ -2314,26 +2348,36 @@ static void process_deferred_bios(struct
+ }
+
+ /*
+- * If there are any deferred flush bios, we must commit
+- * the metadata before issuing them.
++ * If there are any deferred flush bios, we must commit the metadata
++ * before issuing them or signaling their completion.
+ */
+ bio_list_init(&bios);
++ bio_list_init(&bio_completions);
++
+ spin_lock_irqsave(&pool->lock, flags);
+ bio_list_merge(&bios, &pool->deferred_flush_bios);
+ bio_list_init(&pool->deferred_flush_bios);
++
++ bio_list_merge(&bio_completions, &pool->deferred_flush_completions);
++ bio_list_init(&pool->deferred_flush_completions);
+ spin_unlock_irqrestore(&pool->lock, flags);
+
+- if (bio_list_empty(&bios) &&
++ if (bio_list_empty(&bios) && bio_list_empty(&bio_completions) &&
+ !(dm_pool_changed_this_transaction(pool->pmd) && need_commit_due_to_time(pool)))
+ return;
+
+ if (commit(pool)) {
++ bio_list_merge(&bios, &bio_completions);
++
+ while ((bio = bio_list_pop(&bios)))
+ bio_io_error(bio);
+ return;
+ }
+ pool->last_commit_jiffies = jiffies;
+
++ while ((bio = bio_list_pop(&bio_completions)))
++ bio_endio(bio);
++
+ while ((bio = bio_list_pop(&bios)))
+ generic_make_request(bio);
+ }
+@@ -2968,6 +3012,7 @@ static struct pool *pool_create(struct m
+ INIT_DELAYED_WORK(&pool->no_space_timeout, do_no_space_timeout);
+ spin_lock_init(&pool->lock);
+ bio_list_init(&pool->deferred_flush_bios);
++ bio_list_init(&pool->deferred_flush_completions);
+ INIT_LIST_HEAD(&pool->prepared_mappings);
+ INIT_LIST_HEAD(&pool->prepared_discards);
+ INIT_LIST_HEAD(&pool->prepared_discards_pt2);
--- /dev/null
+From 2e7bd10e05afb866b5fb13eda25095c35d7a27cc Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Date: Thu, 7 Feb 2019 10:54:53 +0200
+Subject: drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+commit 2e7bd10e05afb866b5fb13eda25095c35d7a27cc upstream.
+
+Make sure the underlying VMA in the process address space is the
+same as it was during vm_mmap to avoid applying WC to wrong VMA.
+
+A more long-term solution would be to have vm_mmap_locked variant
+in linux/mmap.h for when caller wants to hold mmap_sem for an
+extended duration.
+
+v2:
+- Refactor the compare function
+
+Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
+Reported-by: Adam Zabrocki <adamza@microsoft.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v4.0+
+Cc: Akash Goel <akash.goel@intel.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
+Cc: Adam Zabrocki <adamza@microsoft.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> #v1
+Link: https://patchwork.freedesktop.org/patch/msgid/20190207085454.10598-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 5c4604e757ba9b193b09768d75a7d2105a5b883f)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -1593,6 +1593,16 @@ i915_gem_sw_finish_ioctl(struct drm_devi
+ return err;
+ }
+
++static inline bool
++__vma_matches(struct vm_area_struct *vma, struct file *filp,
++ unsigned long addr, unsigned long size)
++{
++ if (vma->vm_file != filp)
++ return false;
++
++ return vma->vm_start == addr && (vma->vm_end - vma->vm_start) == size;
++}
++
+ /**
+ * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
+ * it is mapped to.
+@@ -1651,7 +1661,7 @@ i915_gem_mmap_ioctl(struct drm_device *d
+ return -EINTR;
+ }
+ vma = find_vma(mm, addr);
+- if (vma)
++ if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
+ vma->vm_page_prot =
+ pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
+ else
--- /dev/null
+From 90cc55f067f6ca0e64e5e52883ece47d8af7b67b Mon Sep 17 00:00:00 2001
+From: Jonathan Bakker <xc-racer2@live.ca>
+Date: Wed, 6 Feb 2019 10:45:37 -0800
+Subject: Input: bma150 - register input device after setting private data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Bakker <xc-racer2@live.ca>
+
+commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream.
+
+Otherwise we introduce a race condition where userspace can request input
+before we're ready leading to null pointer dereference such as
+
+input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3
+Unable to handle kernel NULL pointer dereference at virtual address 00000018
+pgd = (ptrval)
+[00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+Modules linked in: bma150 input_polldev [last unloaded: bma150]
+CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46
+Hardware name: Samsung S5PC110/S5PV210-based board
+PC is at input_event+0x8/0x60
+LR is at bma150_report_xyz+0x9c/0xe0 [bma150]
+pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013
+sp : a4c1fd78 ip : 00000081 fp : 00020000
+r10: 00000000 r9 : a5e2944c r8 : a7455000
+r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048
+r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 54e34019 DAC: 00000051
+Process accelerometer (pid: 2870, stack limit = 0x(ptrval))
+Stackck: (0xa4c1fd78 to 0xa4c20000)
+fd60: fffffff3 fc813f6c
+fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324
+fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10
+fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0
+fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c
+fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000
+fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041
+fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8
+fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001
+fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048
+fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8
+fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720
+fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00
+ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3
+ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002
+ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c
+ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100
+ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000
+ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000
+ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038
+ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000
+[<80450f70>] (input_event) from [<a5e2817c>] (0xa5e2817c)
+Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018)
+---[ end trace 1c691ee85f2ff243 ]---
+
+Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
+Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/bma150.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/misc/bma150.c
++++ b/drivers/input/misc/bma150.c
+@@ -482,13 +482,14 @@ static int bma150_register_input_device(
+ idev->close = bma150_irq_close;
+ input_set_drvdata(idev, bma150);
+
++ bma150->input = idev;
++
+ error = input_register_device(idev);
+ if (error) {
+ input_free_device(idev);
+ return error;
+ }
+
+- bma150->input = idev;
+ return 0;
+ }
+
+@@ -511,15 +512,15 @@ static int bma150_register_polled_device
+
+ bma150_init_input_device(bma150, ipoll_dev->input);
+
++ bma150->input_polled = ipoll_dev;
++ bma150->input = ipoll_dev->input;
++
+ error = input_register_polled_device(ipoll_dev);
+ if (error) {
+ input_free_polled_device(ipoll_dev);
+ return error;
+ }
+
+- bma150->input_polled = ipoll_dev;
+- bma150->input = ipoll_dev->input;
+-
+ return 0;
+ }
+
--- /dev/null
+From 7ad222b3aed350adfc27ee7eec4587ffe55dfdce Mon Sep 17 00:00:00 2001
+From: Mauro Ciancio <mauro@acadeu.com>
+Date: Mon, 14 Jan 2019 10:24:53 -0300
+Subject: Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
+
+From: Mauro Ciancio <mauro@acadeu.com>
+
+commit 7ad222b3aed350adfc27ee7eec4587ffe55dfdce upstream.
+
+This adds ELAN0617 to the ACPI table to support Elan touchpad found in
+Lenovo V330-15ISK.
+
+Signed-off-by: Mauro Ciancio <mauro@acadeu.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1250,6 +1250,7 @@ static const struct acpi_device_id elan_
+ { "ELAN060C", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0617", 0 },
+ { "ELAN0618", 0 },
+ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
--- /dev/null
+From e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 Mon Sep 17 00:00:00 2001
+From: Matti Kurkela <Matti.Kurkela@iki.fi>
+Date: Thu, 7 Feb 2019 23:49:23 -0800
+Subject: Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
+
+From: Matti Kurkela <Matti.Kurkela@iki.fi>
+
+commit e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 upstream.
+
+Like Fujitsu CELSIUS H760, the H780 also has a three-button Elantech
+touchpad, but the driver needs to be told so to enable the middle touchpad
+button.
+
+The elantech_dmi_force_crc_enabled quirk was not necessary with the H780.
+
+Also document the fw_version and caps values detected for both H760 and
+H780 models.
+
+Signed-off-by: Matti Kurkela <Matti.Kurkela@iki.fi>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1117,6 +1117,8 @@ static int elantech_get_resolution_v4(st
+ * Asus UX31 0x361f00 20, 15, 0e clickpad
+ * Asus UX32VD 0x361f02 00, 15, 0e clickpad
+ * Avatar AVIU-145A2 0x361f00 ? clickpad
++ * Fujitsu CELSIUS H760 0x570f02 40, 14, 0c 3 hw buttons (**)
++ * Fujitsu CELSIUS H780 0x5d0f02 41, 16, 0d 3 hw buttons (**)
+ * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons
+@@ -1169,6 +1171,13 @@ static const struct dmi_system_id elante
+ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"),
+ },
+ },
++ {
++ /* Fujitsu H780 also has a middle button */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H780"),
++ },
++ },
+ #endif
+ { }
+ };
--- /dev/null
+From 98ae70cc476e833332a2c6bb72f941a25f0de226 Mon Sep 17 00:00:00 2001
+From: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+Date: Thu, 14 Feb 2019 12:08:58 +0800
+Subject: kvm: vmx: Fix entry number check for add_atomic_switch_msr()
+
+From: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+
+commit 98ae70cc476e833332a2c6bb72f941a25f0de226 upstream.
+
+Commit ca83b4a7f2d068da79a0 ("x86/KVM/VMX: Add find_msr() helper function")
+introduces the helper function find_msr(), which returns -ENOENT when
+not find the msr in vmx->msr_autoload.guest/host. Correct checking contion
+of no more available entry in vmx->msr_autoload.
+
+Fixes: ca83b4a7f2d0 ("x86/KVM/VMX: Add find_msr() helper function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2178,7 +2178,8 @@ static void add_atomic_switch_msr(struct
+ if (!entry_only)
+ j = find_msr(&m->host, msr);
+
+- if (i == NR_AUTOLOAD_MSRS || j == NR_AUTOLOAD_MSRS) {
++ if ((i < 0 && m->guest.nr == NR_AUTOLOAD_MSRS) ||
++ (j < 0 && m->host.nr == NR_AUTOLOAD_MSRS)) {
+ printk_once(KERN_WARNING "Not enough msr switch entries. "
+ "Can't add msr %x\n", msr);
+ return;
--- /dev/null
+From 528871b456026e6127d95b1b2bd8e3a003dc1614 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@kernel.org>
+Date: Wed, 13 Feb 2019 07:57:02 +0100
+Subject: perf/core: Fix impossible ring-buffer sizes warning
+
+From: Ingo Molnar <mingo@kernel.org>
+
+commit 528871b456026e6127d95b1b2bd8e3a003dc1614 upstream.
+
+The following commit:
+
+ 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
+
+results in perf recording failures with larger mmap areas:
+
+ root@skl:/tmp# perf record -g -a
+ failed to mmap with 12 (Cannot allocate memory)
+
+The root cause is that the following condition is buggy:
+
+ if (order_base_2(size) >= MAX_ORDER)
+ goto fail;
+
+The problem is that @size is in bytes and MAX_ORDER is in pages,
+so the right test is:
+
+ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
+Fix it.
+
+Reported-by: "Jin, Yao" <yao.jin@linux.intel.com>
+Bisected-by: Borislav Petkov <bp@alien8.de>
+Analyzed-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Fixes: 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -700,7 +700,7 @@ struct ring_buffer *rb_alloc(int nr_page
+ size = sizeof(struct ring_buffer);
+ size += nr_pages * sizeof(void *);
+
+- if (order_base_2(size) >= MAX_ORDER)
++ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
+ rb = kzalloc(size, GFP_KERNEL);
--- /dev/null
+From 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Mon, 4 Feb 2019 13:35:32 +0100
+Subject: perf/x86: Add check_period PMU callback
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+commit 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb upstream.
+
+Vince (and later on Ravi) reported crashes in the BTS code during
+fuzzing with the following backtrace:
+
+ general protection fault: 0000 [#1] SMP PTI
+ ...
+ RIP: 0010:perf_prepare_sample+0x8f/0x510
+ ...
+ Call Trace:
+ <IRQ>
+ ? intel_pmu_drain_bts_buffer+0x194/0x230
+ intel_pmu_drain_bts_buffer+0x160/0x230
+ ? tick_nohz_irq_exit+0x31/0x40
+ ? smp_call_function_single_interrupt+0x48/0xe0
+ ? call_function_single_interrupt+0xf/0x20
+ ? call_function_single_interrupt+0xa/0x20
+ ? x86_schedule_events+0x1a0/0x2f0
+ ? x86_pmu_commit_txn+0xb4/0x100
+ ? find_busiest_group+0x47/0x5d0
+ ? perf_event_set_state.part.42+0x12/0x50
+ ? perf_mux_hrtimer_restart+0x40/0xb0
+ intel_pmu_disable_event+0xae/0x100
+ ? intel_pmu_disable_event+0xae/0x100
+ x86_pmu_stop+0x7a/0xb0
+ x86_pmu_del+0x57/0x120
+ event_sched_out.isra.101+0x83/0x180
+ group_sched_out.part.103+0x57/0xe0
+ ctx_sched_out+0x188/0x240
+ ctx_resched+0xa8/0xd0
+ __perf_event_enable+0x193/0x1e0
+ event_function+0x8e/0xc0
+ remote_function+0x41/0x50
+ flush_smp_call_function_queue+0x68/0x100
+ generic_smp_call_function_single_interrupt+0x13/0x30
+ smp_call_function_single_interrupt+0x3e/0xe0
+ call_function_single_interrupt+0xf/0x20
+ </IRQ>
+
+The reason is that while event init code does several checks
+for BTS events and prevents several unwanted config bits for
+BTS event (like precise_ip), the PERF_EVENT_IOC_PERIOD allows
+to create BTS event without those checks being done.
+
+Following sequence will cause the crash:
+
+If we create an 'almost' BTS event with precise_ip and callchains,
+and it into a BTS event it will crash the perf_prepare_sample()
+function because precise_ip events are expected to come
+in with callchain data initialized, but that's not the
+case for intel_pmu_drain_bts_buffer() caller.
+
+Adding a check_period callback to be called before the period
+is changed via PERF_EVENT_IOC_PERIOD. It will deny the change
+if the event would become BTS. Plus adding also the limit_period
+check as well.
+
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: <stable@vger.kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20190204123532.GA4794@krava
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/core.c | 14 ++++++++++++++
+ arch/x86/events/intel/core.c | 9 +++++++++
+ arch/x86/events/perf_event.h | 16 ++++++++++++++--
+ include/linux/perf_event.h | 5 +++++
+ kernel/events/core.c | 16 ++++++++++++++++
+ 5 files changed, 58 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -2196,6 +2196,19 @@ void perf_check_microcode(void)
+ }
+ EXPORT_SYMBOL_GPL(perf_check_microcode);
+
++static int x86_pmu_check_period(struct perf_event *event, u64 value)
++{
++ if (x86_pmu.check_period && x86_pmu.check_period(event, value))
++ return -EINVAL;
++
++ if (value && x86_pmu.limit_period) {
++ if (x86_pmu.limit_period(event, value) > value)
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static struct pmu pmu = {
+ .pmu_enable = x86_pmu_enable,
+ .pmu_disable = x86_pmu_disable,
+@@ -2220,6 +2233,7 @@ static struct pmu pmu = {
+ .event_idx = x86_pmu_event_idx,
+ .sched_task = x86_pmu_sched_task,
+ .task_ctx_size = sizeof(struct x86_perf_task_context),
++ .check_period = x86_pmu_check_period,
+ };
+
+ void arch_perf_update_userpage(struct perf_event *event,
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3262,6 +3262,11 @@ static void intel_pmu_sched_task(struct
+ intel_pmu_lbr_sched_task(ctx, sched_in);
+ }
+
++static int intel_pmu_check_period(struct perf_event *event, u64 value)
++{
++ return intel_pmu_has_bts_period(event, value) ? -EINVAL : 0;
++}
++
+ PMU_FORMAT_ATTR(offcore_rsp, "config1:0-63");
+
+ PMU_FORMAT_ATTR(ldlat, "config1:0-15");
+@@ -3328,6 +3333,8 @@ static __initconst const struct x86_pmu
+ .cpu_starting = intel_pmu_cpu_starting,
+ .cpu_dying = intel_pmu_cpu_dying,
+ .cpu_dead = intel_pmu_cpu_dead,
++
++ .check_period = intel_pmu_check_period,
+ };
+
+ static __initconst const struct x86_pmu intel_pmu = {
+@@ -3367,6 +3374,8 @@ static __initconst const struct x86_pmu
+
+ .guest_get_msrs = intel_guest_get_msrs,
+ .sched_task = intel_pmu_sched_task,
++
++ .check_period = intel_pmu_check_period,
+ };
+
+ static __init void intel_clovertown_quirk(void)
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -626,6 +626,11 @@ struct x86_pmu {
+ * Intel host/guest support (KVM)
+ */
+ struct perf_guest_switch_msr *(*guest_get_msrs)(int *nr);
++
++ /*
++ * Check period value for PERF_EVENT_IOC_PERIOD ioctl.
++ */
++ int (*check_period) (struct perf_event *event, u64 period);
+ };
+
+ struct x86_perf_task_context {
+@@ -833,7 +838,7 @@ static inline int amd_pmu_init(void)
+
+ #ifdef CONFIG_CPU_SUP_INTEL
+
+-static inline bool intel_pmu_has_bts(struct perf_event *event)
++static inline bool intel_pmu_has_bts_period(struct perf_event *event, u64 period)
+ {
+ struct hw_perf_event *hwc = &event->hw;
+ unsigned int hw_event, bts_event;
+@@ -844,7 +849,14 @@ static inline bool intel_pmu_has_bts(str
+ hw_event = hwc->config & INTEL_ARCH_EVENT_MASK;
+ bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
+
+- return hw_event == bts_event && hwc->sample_period == 1;
++ return hw_event == bts_event && period == 1;
++}
++
++static inline bool intel_pmu_has_bts(struct perf_event *event)
++{
++ struct hw_perf_event *hwc = &event->hw;
++
++ return intel_pmu_has_bts_period(event, hwc->sample_period);
+ }
+
+ int intel_pmu_save_and_restart(struct perf_event *event);
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -455,6 +455,11 @@ struct pmu {
+ * Filter events for PMU-specific reasons.
+ */
+ int (*filter_match) (struct perf_event *event); /* optional */
++
++ /*
++ * Check period value for PERF_EVENT_IOC_PERIOD ioctl.
++ */
++ int (*check_period) (struct perf_event *event, u64 value); /* optional */
+ };
+
+ /**
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -4600,6 +4600,11 @@ static void __perf_event_period(struct p
+ }
+ }
+
++static int perf_event_check_period(struct perf_event *event, u64 value)
++{
++ return event->pmu->check_period(event, value);
++}
++
+ static int perf_event_period(struct perf_event *event, u64 __user *arg)
+ {
+ u64 value;
+@@ -4616,6 +4621,9 @@ static int perf_event_period(struct perf
+ if (event->attr.freq && value > sysctl_perf_event_sample_rate)
+ return -EINVAL;
+
++ if (perf_event_check_period(event, value))
++ return -EINVAL;
++
+ event_function_call(event, __perf_event_period, &value);
+
+ return 0;
+@@ -8622,6 +8630,11 @@ static int perf_pmu_nop_int(struct pmu *
+ return 0;
+ }
+
++static int perf_event_nop_int(struct perf_event *event, u64 value)
++{
++ return 0;
++}
++
+ static DEFINE_PER_CPU(unsigned int, nop_txn_flags);
+
+ static void perf_pmu_start_txn(struct pmu *pmu, unsigned int flags)
+@@ -8944,6 +8957,9 @@ got_cpu_context:
+ pmu->pmu_disable = perf_pmu_nop_void;
+ }
+
++ if (!pmu->check_period)
++ pmu->check_period = perf_event_nop_int;
++
+ if (!pmu->event_idx)
+ pmu->event_idx = perf_event_idx_default;
+
--- /dev/null
+From f420c54e4b12c1361c6ed313002ee7bd7ac58362 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 11 Feb 2019 14:32:40 -0800
+Subject: Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit f420c54e4b12c1361c6ed313002ee7bd7ac58362 upstream.
+
+This reverts commit 7db54c89f0b30a101584e09d3729144e6170059d as it
+breaks Acer Aspire V-371 and other devices. According to Elan:
+
+"Acer Aspire F5-573G is MS Precision touchpad which should use hid
+ multitouch driver. ELAN0501 should not be added in elan_i2c."
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202503
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1240,7 +1240,6 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
+ static const struct acpi_device_id elan_acpi_id[] = {
+ { "ELAN0000", 0 },
+ { "ELAN0100", 0 },
+- { "ELAN0501", 0 },
+ { "ELAN0600", 0 },
+ { "ELAN0602", 0 },
+ { "ELAN0605", 0 },
gpio-pl061-handle-failed-allocations.patch
cifs-limit-memory-used-by-lock-request-calls-to-a-pa.patch
perf-report-include-partial-stacks-unwound-with-libd.patch
+revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch
+input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch
+perf-core-fix-impossible-ring-buffer-sizes-warning.patch
+perf-x86-add-check_period-pmu-callback.patch
+alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch
+alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch
+kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch
+input-bma150-register-input-device-after-setting-private-data.patch
+input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch
+alpha-fix-page-fault-handling-for-r16-r18-targets.patch
+alpha-fix-eiger-nr_irqs-to-128.patch
+tracing-uprobes-fix-output-for-multiple-string-arguments.patch
+x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch
+signal-restore-the-stop-ptrace_event_exit.patch
+x86-a.out-clear-the-dump-structure-initially.patch
+dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch
+drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch
--- /dev/null
+From cf43a757fd49442bc38f76088b70c2299eed2c2f Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 11 Feb 2019 23:27:42 -0600
+Subject: signal: Restore the stop PTRACE_EVENT_EXIT
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit cf43a757fd49442bc38f76088b70c2299eed2c2f upstream.
+
+In the middle of do_exit() there is there is a call
+"ptrace_event(PTRACE_EVENT_EXIT, code);" That call places the process
+in TACKED_TRACED aka "(TASK_WAKEKILL | __TASK_TRACED)" and waits for
+for the debugger to release the task or SIGKILL to be delivered.
+
+Skipping past dequeue_signal when we know a fatal signal has already
+been delivered resulted in SIGKILL remaining pending and
+TIF_SIGPENDING remaining set. This in turn caused the
+scheduler to not sleep in PTACE_EVENT_EXIT as it figured
+a fatal signal was pending. This also caused ptrace_freeze_traced
+in ptrace_check_attach to fail because it left a per thread
+SIGKILL pending which is what fatal_signal_pending tests for.
+
+This difference in signal state caused strace to report
+strace: Exit of unknown pid NNNNN ignored
+
+Therefore update the signal handling state like dequeue_signal
+would when removing a per thread SIGKILL, by removing SIGKILL
+from the per thread signal mask and clearing TIF_SIGPENDING.
+
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Ivan Delalande <colona@arista.com>
+Cc: stable@vger.kernel.org
+Fixes: 35634ffa1751 ("signal: Always notice exiting tasks")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/signal.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2241,9 +2241,12 @@ relock:
+ }
+
+ /* Has this task already been marked for death? */
+- ksig->info.si_signo = signr = SIGKILL;
+- if (signal_group_exit(signal))
++ if (signal_group_exit(signal)) {
++ ksig->info.si_signo = signr = SIGKILL;
++ sigdelset(¤t->pending.signal, SIGKILL);
++ recalc_sigpending();
+ goto fatal;
++ }
+
+ for (;;) {
+ struct k_sigaction *ka;
--- /dev/null
+From 0722069a5374b904ec1a67f91249f90e1cfae259 Mon Sep 17 00:00:00 2001
+From: Andreas Ziegler <andreas.ziegler@fau.de>
+Date: Wed, 16 Jan 2019 15:16:29 +0100
+Subject: tracing/uprobes: Fix output for multiple string arguments
+
+From: Andreas Ziegler <andreas.ziegler@fau.de>
+
+commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream.
+
+When printing multiple uprobe arguments as strings the output for the
+earlier arguments would also include all later string arguments.
+
+This is best explained in an example:
+
+Consider adding a uprobe to a function receiving two strings as
+parameters which is at offset 0xa0 in strlib.so and we want to print
+both parameters when the uprobe is hit (on x86_64):
+
+$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \
+ /sys/kernel/debug/tracing/uprobe_events
+
+When the function is called as func("foo", "bar") and we hit the probe,
+the trace file shows a line like the following:
+
+ [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar"
+
+Note the extra "bar" printed as part of arg1. This behaviour stacks up
+for additional string arguments.
+
+The strings are stored in a dynamically growing part of the uprobe
+buffer by fetch_store_string() after copying them from userspace via
+strncpy_from_user(). The return value of strncpy_from_user() is then
+directly used as the required size for the string. However, this does
+not take the terminating null byte into account as the documentation
+for strncpy_from_user() cleary states that it "[...] returns the
+length of the string (not including the trailing NUL)" even though the
+null byte will be copied to the destination.
+
+Therefore, subsequent calls to fetch_store_string() will overwrite
+the terminating null byte of the most recently fetched string with
+the first character of the current string, leading to the
+"accumulation" of strings in earlier arguments in the output.
+
+Fix this by incrementing the return value of strncpy_from_user() by
+one if we did not hit the maximum buffer size.
+
+Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Andreas Ziegler <andreas.ziegler@fau.de>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_uprobe.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -150,7 +150,14 @@ static void FETCH_FUNC_NAME(memory, stri
+
+ ret = strncpy_from_user(dst, src, maxlen);
+ if (ret == maxlen)
+- dst[--ret] = '\0';
++ dst[ret - 1] = '\0';
++ else if (ret >= 0)
++ /*
++ * Include the terminating null byte. In this case it
++ * was copied by strncpy_from_user but not accounted
++ * for in ret.
++ */
++ ret++;
+
+ if (ret < 0) { /* Failed to fetch string */
+ ((u8 *)get_rloc_data(dest))[0] = '\0';
--- /dev/null
+From 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 12 Feb 2019 14:28:03 +0100
+Subject: x86/a.out: Clear the dump structure initially
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c upstream.
+
+dump_thread32() in aout_core_dump() does not clear the user32 structure
+allocated on the stack as the first thing on function entry.
+
+As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get
+assigned before the clearing, get overwritten.
+
+Rename that function to fill_dump() to make it clear what it does and
+call it first thing.
+
+This was caught while staring at a patch by Derek Robson
+<robsonde@gmail.com>.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Derek Robson <robsonde@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Matz <matz@suse.de>
+Cc: x86@kernel.org
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/ia32/ia32_aout.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/ia32/ia32_aout.c
++++ b/arch/x86/ia32/ia32_aout.c
+@@ -50,7 +50,7 @@ static unsigned long get_dr(int n)
+ /*
+ * fill in the user structure for a core dump..
+ */
+-static void dump_thread32(struct pt_regs *regs, struct user32 *dump)
++static void fill_dump(struct pt_regs *regs, struct user32 *dump)
+ {
+ u32 fs, gs;
+ memset(dump, 0, sizeof(*dump));
+@@ -156,10 +156,12 @@ static int aout_core_dump(struct coredum
+ fs = get_fs();
+ set_fs(KERNEL_DS);
+ has_dumped = 1;
++
++ fill_dump(cprm->regs, &dump);
++
+ strncpy(dump.u_comm, current->comm, sizeof(current->comm));
+ dump.u_ar0 = offsetof(struct user32, regs);
+ dump.signal = cprm->siginfo->si_signo;
+- dump_thread32(cprm->regs, &dump);
+
+ /*
+ * If the size of the dump file exceeds the rlimit, then see
--- /dev/null
+From f331e766c4be33f4338574f3c9f7f77e98ab4571 Mon Sep 17 00:00:00 2001
+From: Hedi Berriche <hedi.berriche@hpe.com>
+Date: Wed, 13 Feb 2019 19:34:13 +0000
+Subject: x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
+
+From: Hedi Berriche <hedi.berriche@hpe.com>
+
+commit f331e766c4be33f4338574f3c9f7f77e98ab4571 upstream.
+
+Calls into UV firmware must be protected against concurrency, expose the
+efi_runtime_lock to the UV platform, and use it to serialise UV BIOS
+calls.
+
+Signed-off-by: Hedi Berriche <hedi.berriche@hpe.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Russ Anderson <rja@hpe.com>
+Reviewed-by: Dimitri Sivanich <sivanich@hpe.com>
+Reviewed-by: Mike Travis <mike.travis@hpe.com>
+Cc: Andy Shevchenko <andy@infradead.org>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Darren Hart <dvhart@infradead.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-efi <linux-efi@vger.kernel.org>
+Cc: platform-driver-x86@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.9+
+Cc: Steve Wahl <steve.wahl@hpe.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190213193413.25560-5-hedi.berriche@hpe.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/uv/bios.h | 8 +++++++-
+ arch/x86/platform/uv/bios_uv.c | 23 +++++++++++++++++++++--
+ drivers/firmware/efi/runtime-wrappers.c | 7 +++++++
+ 3 files changed, 35 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/uv/bios.h
++++ b/arch/x86/include/asm/uv/bios.h
+@@ -48,7 +48,8 @@ enum {
+ BIOS_STATUS_SUCCESS = 0,
+ BIOS_STATUS_UNIMPLEMENTED = -ENOSYS,
+ BIOS_STATUS_EINVAL = -EINVAL,
+- BIOS_STATUS_UNAVAIL = -EBUSY
++ BIOS_STATUS_UNAVAIL = -EBUSY,
++ BIOS_STATUS_ABORT = -EINTR,
+ };
+
+ /* Address map parameters */
+@@ -167,4 +168,9 @@ extern long system_serial_number;
+
+ extern struct kobject *sgi_uv_kobj; /* /sys/firmware/sgi_uv */
+
++/*
++ * EFI runtime lock; cf. firmware/efi/runtime-wrappers.c for details
++ */
++extern struct semaphore __efi_uv_runtime_lock;
++
+ #endif /* _ASM_X86_UV_BIOS_H */
+--- a/arch/x86/platform/uv/bios_uv.c
++++ b/arch/x86/platform/uv/bios_uv.c
+@@ -29,7 +29,8 @@
+
+ struct uv_systab *uv_systab;
+
+-s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
++static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
++ u64 a4, u64 a5)
+ {
+ struct uv_systab *tab = uv_systab;
+ s64 ret;
+@@ -51,6 +52,19 @@ s64 uv_bios_call(enum uv_bios_cmd which,
+
+ return ret;
+ }
++
++s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
++{
++ s64 ret;
++
++ if (down_interruptible(&__efi_uv_runtime_lock))
++ return BIOS_STATUS_ABORT;
++
++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5);
++ up(&__efi_uv_runtime_lock);
++
++ return ret;
++}
+ EXPORT_SYMBOL_GPL(uv_bios_call);
+
+ s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
+@@ -59,10 +73,15 @@ s64 uv_bios_call_irqsave(enum uv_bios_cm
+ unsigned long bios_flags;
+ s64 ret;
+
++ if (down_interruptible(&__efi_uv_runtime_lock))
++ return BIOS_STATUS_ABORT;
++
+ local_irq_save(bios_flags);
+- ret = uv_bios_call(which, a1, a2, a3, a4, a5);
++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5);
+ local_irq_restore(bios_flags);
+
++ up(&__efi_uv_runtime_lock);
++
+ return ret;
+ }
+
+--- a/drivers/firmware/efi/runtime-wrappers.c
++++ b/drivers/firmware/efi/runtime-wrappers.c
+@@ -50,6 +50,13 @@ void efi_call_virt_check_flags(unsigned
+ }
+
+ /*
++ * Expose the EFI runtime lock to the UV platform
++ */
++#ifdef CONFIG_X86_UV
++extern struct semaphore __efi_uv_runtime_lock __alias(efi_runtime_lock);
++#endif
++
++/*
+ * According to section 7.1 of the UEFI spec, Runtime Services are not fully
+ * reentrant, and there are particular combinations of calls that need to be
+ * serialized. (source: UEFI Specification v2.4A)
projects / thirdparty / kernel / stable-queue.git / commitdiff
