--- /dev/null
+From 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 19 Nov 2018 19:06:01 +0100
+Subject: ACPI / platform: Add SMB0001 HID to forbidden_id_list
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa upstream.
+
+Many HP AMD based laptops contain an SMB0001 device like this:
+
+Device (SMBD)
+{
+ Name (_HID, "SMB0001") // _HID: Hardware ID
+ Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings
+ {
+ IO (Decode16,
+ 0x0B20, // Range Minimum
+ 0x0B20, // Range Maximum
+ 0x20, // Alignment
+ 0x20, // Length
+ )
+ IRQ (Level, ActiveLow, Shared, )
+ {7}
+ })
+}
+
+The legacy style IRQ resource here causes acpi_dev_get_irqresource() to
+be called with legacy=true and this message to show in dmesg:
+ACPI: IRQ 7 override to edge, high
+
+This causes issues when later on the AMD0030 GPIO device gets enumerated:
+
+Device (GPIO)
+{
+ Name (_HID, "AMDI0030") // _HID: Hardware ID
+ Name (_CID, "AMDI0030") // _CID: Compatible ID
+ Name (_UID, Zero) // _UID: Unique ID
+ Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings
+ {
+ Name (RBUF, ResourceTemplate ()
+ {
+ Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, )
+ {
+ 0x00000007,
+ }
+ Memory32Fixed (ReadWrite,
+ 0xFED81500, // Address Base
+ 0x00000400, // Address Length
+ )
+ })
+ Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */
+ }
+}
+
+Now acpi_dev_get_irqresource() gets called with legacy=false, but because
+of the earlier override of the trigger-type acpi_register_gsi() returns
+-EBUSY (because we try to register the same interrupt with a different
+trigger-type) and we end up setting IORESOURCE_DISABLED in the flags.
+
+The setting of IORESOURCE_DISABLED causes platform_get_irq() to call
+acpi_irq_get() which is not implemented on x86 and returns -EINVAL.
+resulting in the following in dmesg:
+
+amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22
+amd_gpio: probe of AMDI0030:00 failed with error -22
+
+The SMB0001 is a "virtual" device in the sense that the only way the OS
+interacts with it is through calling a couple of methods to do SMBus
+transfers. As such it is weird that it has IO and IRQ resources at all,
+because the driver for it is not expected to ever access the hardware
+directly.
+
+The Linux driver for the SMB0001 device directly binds to the acpi_device
+through the acpi_bus, so we do not need to instantiate a platform_device
+for this ACPI device. This commit adds the SMB0001 HID to the
+forbidden_id_list, avoiding the instantiating of a platform_device for it.
+Not instantiating a platform_device means we will no longer call
+acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of
+the AMDI0030 device failing.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523
+Reported-by: Lukas Kahnert <openproggerfreak@gmail.com>
+Tested-by: Marc <suaefar@googlemail.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_platform.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/acpi_platform.c
++++ b/drivers/acpi/acpi_platform.c
+@@ -30,6 +30,7 @@ static const struct acpi_device_id forbi
+ {"PNP0200", 0}, /* AT DMA Controller */
+ {"ACPI0009", 0}, /* IOxAPIC */
+ {"ACPI000A", 0}, /* IOAPIC */
++ {"SMB0001", 0}, /* ACPI SMBUS virtual device */
+ {"", 0},
+ };
+
--- /dev/null
+From 563785edfcef02b566e64fb5292c74c1600808aa Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 12 Nov 2018 09:43:12 +0100
+Subject: ALSA: hda/realtek - Add quirk entry for HP Pavilion 15
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 563785edfcef02b566e64fb5292c74c1600808aa upstream.
+
+HP Pavilion 15 (103c:820d) with ALC295 codec requires the quirk for
+the mute LED control over mic3 pin. Added the corresponding quirk
+entry.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201653
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5764,6 +5764,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x2336, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2337, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x221c, "HP EliteBook 755 G2", ALC280_FIXUP_HP_HEADSET_MIC),
++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From fee05f455ceb5c670cbe48e2f9454ebc4a388554 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 12:59:44 +0200
+Subject: drivers/misc/sgi-gru: fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit fee05f455ceb5c670cbe48e2f9454ebc4a388554 upstream.
+
+req.gid can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+vers/misc/sgi-gru/grukdump.c:200 gru_dump_chiplet_request() warn:
+potential spectre issue 'gru_base' [w]
+
+Fix this by sanitizing req.gid before calling macro GID_TO_GRU, which
+uses it to index gru_base.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/sgi-gru/grukdump.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/misc/sgi-gru/grukdump.c
++++ b/drivers/misc/sgi-gru/grukdump.c
+@@ -27,6 +27,9 @@
+ #include <linux/delay.h>
+ #include <linux/bitops.h>
+ #include <asm/uv/uv_hub.h>
++
++#include <linux/nospec.h>
++
+ #include "gru.h"
+ #include "grutables.h"
+ #include "gruhandles.h"
+@@ -196,6 +199,7 @@ int gru_dump_chiplet_request(unsigned lo
+ /* Currently, only dump by gid is implemented */
+ if (req.gid >= gru_max_gids)
+ return -EINVAL;
++ req.gid = array_index_nospec(req.gid, gru_max_gids);
+
+ gru = GID_TO_GRU(req.gid);
+ ubuf = req.buf;
--- /dev/null
+From 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 14 Nov 2018 13:55:09 -0800
+Subject: HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream.
+
+When a UHID_CREATE command is written to the uhid char device, a
+copy_from_user() is done from a user pointer embedded in the command.
+When the address limit is KERNEL_DS, e.g. as is the case during
+sys_sendfile(), this can read from kernel memory. Alternatively,
+information can be leaked from a setuid binary that is tricked to write
+to the file descriptor. Therefore, forbid UHID_CREATE in these cases.
+
+No other commands in uhid_char_write() are affected by this bug and
+UHID_CREATE is marked as "obsolete", so apply the restriction to
+UHID_CREATE only rather than to uhid_char_write() entirely.
+
+Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to
+Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess
+helpers fault on kernel addresses"), allowing this bug to be found.
+
+Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
+Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events")
+Cc: <stable@vger.kernel.org> # v3.6+
+Cc: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/uhid.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -12,6 +12,7 @@
+
+ #include <linux/atomic.h>
+ #include <linux/compat.h>
++#include <linux/cred.h>
+ #include <linux/device.h>
+ #include <linux/fs.h>
+ #include <linux/hid.h>
+@@ -721,6 +722,17 @@ static ssize_t uhid_char_write(struct fi
+
+ switch (uhid->input_buf.type) {
+ case UHID_CREATE:
++ /*
++ * 'struct uhid_create_req' contains a __user pointer which is
++ * copied from, so it's unsafe to allow this with elevated
++ * privileges (e.g. from a setuid binary) or via kernel_write().
++ */
++ if (file->f_cred != current_cred() || uaccess_kernel()) {
++ pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
++ task_tgid_vnr(current), current->comm);
++ ret = -EACCES;
++ goto unlock;
++ }
+ ret = uhid_dev_create(uhid, &uhid->input_buf);
+ break;
+ case UHID_CREATE2:
--- /dev/null
+From 7e241f647dc7087a0401418a187f3f5b527cc690 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Thu, 8 Nov 2018 15:55:37 +0100
+Subject: libceph: fall back to sendmsg for slab pages
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7e241f647dc7087a0401418a187f3f5b527cc690 upstream.
+
+skb_can_coalesce() allows coalescing neighboring slab objects into
+a single frag:
+
+ return page == skb_frag_page(frag) &&
+ off == frag->page_offset + skb_frag_size(frag);
+
+ceph_tcp_sendpage() can be handed slab pages. One example of this is
+XFS: it passes down sector sized slab objects for its metadata I/O. If
+the kernel client is co-located on the OSD node, the skb may go through
+loopback and pop on the receive side with the exact same set of frags.
+When tcp_recvmsg() attempts to copy out such a frag, hardened usercopy
+complains because the size exceeds the object's allocated size:
+
+ usercopy: kernel memory exposure attempt detected from ffff9ba917f20a00 (kmalloc-512) (1024 bytes)
+
+Although skb_can_coalesce() could be taught to return false if the
+resulting frag would cross a slab object boundary, we already have
+a fallback for non-refcounted pages. Utilize it for slab pages too.
+
+Cc: stable@vger.kernel.org # 4.8+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -588,9 +588,15 @@ static int ceph_tcp_sendpage(struct sock
+ int ret;
+ struct kvec iov;
+
+- /* sendpage cannot properly handle pages with page_count == 0,
+- * we need to fallback to sendmsg if that's the case */
+- if (page_count(page) >= 1)
++ /*
++ * sendpage cannot properly handle pages with page_count == 0,
++ * we need to fall back to sendmsg if that's the case.
++ *
++ * Same goes for slab pages: skb_can_coalesce() allows
++ * coalescing neighboring slab objects into a single frag which
++ * triggers one of hardened usercopy checks.
++ */
++ if (page_count(page) >= 1 && !PageSlab(page))
+ return __ceph_tcp_sendpage(sock, page, offset, size, more);
+
+ iov.iov_base = kmap(page) + offset;
--- /dev/null
+From 92539d3eda2c090b382699bbb896d4b54e9bdece Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Mon, 5 Nov 2018 09:35:44 -0500
+Subject: media: v4l: event: Add subscription to list before calling "add" operation
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 92539d3eda2c090b382699bbb896d4b54e9bdece upstream.
+
+Patch ad608fbcf166 changed how events were subscribed to address an issue
+elsewhere. As a side effect of that change, the "add" callback was called
+before the event subscription was added to the list of subscribed events,
+causing the first event queued by the add callback (and possibly other
+events arriving soon afterwards) to be lost.
+
+Fix this by adding the subscription to the list before calling the "add"
+callback, and clean up afterwards if that fails.
+
+Fixes: ad608fbcf166 ("media: v4l: event: Prevent freeing event subscriptions while accessed")
+
+Reported-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Tested-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Tested-by: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: stable@vger.kernel.org (for 4.14 and up)
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+[Sakari Ailus: Backported to v4.9 stable]
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-event.c | 43 +++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-event.c
++++ b/drivers/media/v4l2-core/v4l2-event.c
+@@ -197,6 +197,22 @@ int v4l2_event_pending(struct v4l2_fh *f
+ }
+ EXPORT_SYMBOL_GPL(v4l2_event_pending);
+
++static void __v4l2_event_unsubscribe(struct v4l2_subscribed_event *sev)
++{
++ struct v4l2_fh *fh = sev->fh;
++ unsigned int i;
++
++ lockdep_assert_held(&fh->subscribe_lock);
++ assert_spin_locked(&fh->vdev->fh_lock);
++
++ /* Remove any pending events for this subscription */
++ for (i = 0; i < sev->in_use; i++) {
++ list_del(&sev->events[sev_pos(sev, i)].list);
++ fh->navailable--;
++ }
++ list_del(&sev->list);
++}
++
+ int v4l2_event_subscribe(struct v4l2_fh *fh,
+ const struct v4l2_event_subscription *sub, unsigned elems,
+ const struct v4l2_subscribed_event_ops *ops)
+@@ -228,27 +244,23 @@ int v4l2_event_subscribe(struct v4l2_fh
+
+ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+ found_ev = v4l2_event_subscribed(fh, sub->type, sub->id);
++ if (!found_ev)
++ list_add(&sev->list, &fh->subscribed);
+ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
+ if (found_ev) {
+ /* Already listening */
+ kfree(sev);
+- goto out_unlock;
+- }
+-
+- if (sev->ops && sev->ops->add) {
++ } else if (sev->ops && sev->ops->add) {
+ ret = sev->ops->add(sev, elems);
+ if (ret) {
++ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
++ __v4l2_event_unsubscribe(sev);
++ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+ kfree(sev);
+- goto out_unlock;
+ }
+ }
+
+- spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+- list_add(&sev->list, &fh->subscribed);
+- spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+-
+-out_unlock:
+ mutex_unlock(&fh->subscribe_lock);
+
+ return ret;
+@@ -283,7 +295,6 @@ int v4l2_event_unsubscribe(struct v4l2_f
+ {
+ struct v4l2_subscribed_event *sev;
+ unsigned long flags;
+- int i;
+
+ if (sub->type == V4L2_EVENT_ALL) {
+ v4l2_event_unsubscribe_all(fh);
+@@ -295,14 +306,8 @@ int v4l2_event_unsubscribe(struct v4l2_f
+ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+
+ sev = v4l2_event_subscribed(fh, sub->type, sub->id);
+- if (sev != NULL) {
+- /* Remove any pending events for this subscription */
+- for (i = 0; i < sev->in_use; i++) {
+- list_del(&sev->events[sev_pos(sev, i)].list);
+- fh->navailable--;
+- }
+- list_del(&sev->list);
+- }
++ if (sev != NULL)
++ __v4l2_event_unsubscribe(sev);
+
+ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
--- /dev/null
+From 7c97301285b62a41d6bceded7d964085fc8cc50f Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Oct 2018 10:09:02 -0700
+Subject: misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 7c97301285b62a41d6bceded7d964085fc8cc50f upstream.
+
+After building the kernel with Clang, the following section mismatch
+warning appears:
+
+WARNING: vmlinux.o(.text+0x3bf19a6): Section mismatch in reference from
+the function ssc_probe() to the function
+.init.text:atmel_ssc_get_driver_data()
+The function ssc_probe() references
+the function __init atmel_ssc_get_driver_data().
+This is often because ssc_probe lacks a __init
+annotation or the annotation of atmel_ssc_get_driver_data is wrong.
+
+Remove __init from atmel_ssc_get_driver_data to get rid of the mismatch.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/atmel-ssc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/atmel-ssc.c
++++ b/drivers/misc/atmel-ssc.c
+@@ -130,7 +130,7 @@ static const struct of_device_id atmel_s
+ MODULE_DEVICE_TABLE(of, atmel_ssc_dt_ids);
+ #endif
+
+-static inline const struct atmel_ssc_platform_data * __init
++static inline const struct atmel_ssc_platform_data *
+ atmel_ssc_get_driver_data(struct platform_device *pdev)
+ {
+ if (pdev->dev.of_node) {
--- /dev/null
+From 1598dc4f7416892f82ed2a8ca798478f25ce4ca0 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 26 Nov 2018 08:22:30 +0100
+Subject: Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit b5c98d8ca8f93a4f73e9cbb53c7e6b8c78ed3f80 which is
+commit 6c3711ec64fd23a9abc8aaf59a9429569a6282df upstream.
+
+You Ling writes that this config option isn't even in 4.9.y yet, so it
+causes a regression. Revert the patch because of this.
+
+Reported-by: youling 257 <youling257@gmail.com>
+Cc: Johan Hedberg <johan.hedberg@intel.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/bluetooth/Kconfig
++++ b/drivers/bluetooth/Kconfig
+@@ -125,7 +125,6 @@ config BT_HCIUART_LL
+ config BT_HCIUART_3WIRE
+ bool "Three-wire UART (H5) protocol support"
+ depends on BT_HCIUART
+- depends on BT_HCIUART_SERDEV
+ help
+ The HCI Three-wire UART Transport Layer makes it possible to
+ user the Bluetooth HCI over a serial port interface. The HCI
btrfs-ensure-btrfs_trim_fs-can-trim-the-whole-filesy.patch
btrfs-fix-pinned-underflow-after-transaction-aborted.patch
revert-media-videobuf2-core-don-t-call-memop-finish-.patch
+revert-bluetooth-h5-fix-missing-dependency-on.patch
+media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch
+uio-fix-an-oops-on-load.patch
+alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch
+usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch
+usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch
+usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch
+misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch
+usb-misc-appledisplay-add-20-apple-cinema-display.patch
+drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch
+acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch
+hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch
+libceph-fall-back-to-sendmsg-for-slab-pages.patch
--- /dev/null
+From 432798195bbce1f8cd33d1c0284d0538835e25fb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 26 Oct 2018 10:19:51 +0300
+Subject: uio: Fix an Oops on load
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream.
+
+I was trying to solve a double free but I introduced a more serious
+NULL dereference bug. The problem is that if there is an IRQ which
+triggers immediately, then we need "info->uio_dev" but it's not set yet.
+
+This patch puts the original initialization back to how it was and just
+sets info->uio_dev to NULL on the error path so it should solve both
+the Oops and the double free.
+
+Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails")
+Reported-by: Mathias Thore <Mathias.Thore@infinera.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Tested-by: Mathias Thore <Mathias.Thore@infinera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -850,6 +850,8 @@ int __uio_register_device(struct module
+ if (ret)
+ goto err_uio_dev_add_attributes;
+
++ info->uio_dev = idev;
++
+ if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
+ /*
+ * Note that we deliberately don't use devm_request_irq
+@@ -861,11 +863,12 @@ int __uio_register_device(struct module
+ */
+ ret = request_irq(info->irq, uio_interrupt,
+ info->irq_flags, info->name, idev);
+- if (ret)
++ if (ret) {
++ info->uio_dev = NULL;
+ goto err_request_irq;
++ }
+ }
+
+- info->uio_dev = idev;
+ return 0;
+
+ err_request_irq:
--- /dev/null
+From 63529eaa6164ef7ab4b907b25ac3648177e5e78f Mon Sep 17 00:00:00 2001
+From: Maarten Jacobs <maarten256@outlook.com>
+Date: Mon, 19 Nov 2018 23:18:49 +0000
+Subject: usb: cdc-acm: add entry for Hiro (Conexant) modem
+
+From: Maarten Jacobs <maarten256@outlook.com>
+
+commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f upstream.
+
+The cdc-acm kernel module currently does not support the Hiro (Conexant)
+H05228 USB modem. The patch below adds the device specific information:
+ idVendor 0x0572
+ idProduct 0x1349
+
+Signed-off-by: Maarten Jacobs <maarten256@outlook.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1659,6 +1659,9 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
++ { USB_DEVICE(0x0572, 0x1349), /* Hiro (Conexant) USB MODEM H50228 */
++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
++ },
+ { USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */
+ .driver_info = QUIRK_CONTROL_LINE_STATE, },
+ { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */
--- /dev/null
+From f6501f49199097b99e4e263644d88c90d1ec1060 Mon Sep 17 00:00:00 2001
+From: Mattias Jacobsson <2pi@mok.nu>
+Date: Sun, 21 Oct 2018 11:25:37 +0200
+Subject: USB: misc: appledisplay: add 20" Apple Cinema Display
+
+From: Mattias Jacobsson <2pi@mok.nu>
+
+commit f6501f49199097b99e4e263644d88c90d1ec1060 upstream.
+
+Add another Apple Cinema Display to the list of supported displays
+
+Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/appledisplay.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -63,6 +63,7 @@ static const struct usb_device_id appled
+ { APPLEDISPLAY_DEVICE(0x9219) },
+ { APPLEDISPLAY_DEVICE(0x921c) },
+ { APPLEDISPLAY_DEVICE(0x921d) },
++ { APPLEDISPLAY_DEVICE(0x9222) },
+ { APPLEDISPLAY_DEVICE(0x9236) },
+
+ /* Terminating entry */
--- /dev/null
+From a77112577667cbda7c6292c52d909636aef31fd9 Mon Sep 17 00:00:00 2001
+From: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+Date: Fri, 26 Oct 2018 14:48:09 +0200
+Subject: usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
+
+From: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+
+commit a77112577667cbda7c6292c52d909636aef31fd9 upstream.
+
+Following on from this patch: https://lkml.org/lkml/2017/11/3/516,
+Corsair K70 LUX RGB keyboards also require the DELAY_INIT quirk to
+start correctly at boot.
+
+Dmesg output:
+usb 1-6: string descriptor 0 read error: -110
+usb 1-6: New USB device found, idVendor=1b1c, idProduct=1b33
+usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+usb 1-6: can't set config #1, error -110
+
+Signed-off-by: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -243,6 +243,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
+
++ /* Corsair K70 LUX RGB */
++ { USB_DEVICE(0x1b1c, 0x1b33), .driver_info = USB_QUIRK_DELAY_INIT },
++
+ /* Corsair K70 LUX */
+ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
+
--- /dev/null
+From deefd24228a172d1b27d4a9adbfd2cdacd60ae64 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Fri, 26 Oct 2018 13:33:15 +0800
+Subject: USB: quirks: Add no-lpm quirk for Raydium touchscreens
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit deefd24228a172d1b27d4a9adbfd2cdacd60ae64 upstream.
+
+Raydium USB touchscreen fails to set config if LPM is enabled:
+[ 2.030658] usb 1-8: New USB device found, idVendor=2386, idProduct=3119
+[ 2.030659] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
+[ 2.030660] usb 1-8: Product: Raydium Touch System
+[ 2.030661] usb 1-8: Manufacturer: Raydium Corporation
+[ 7.132209] usb 1-8: can't set config #1, error -110
+
+Same behavior can be observed on 2386:3114.
+
+Raydium claims the touchscreen supports LPM under Windows, so I used
+Microsoft USB Test Tools (MUTT) [1] to check its LPM status. MUTT shows
+that the LPM doesn't work under Windows, either. So let's just disable LPM
+for Raydium touchscreens.
+
+[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-test-tools
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -263,6 +263,11 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x2040, 0x7200), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
++ /* Raydium Touchscreen */
++ { USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM },
++
++ { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* DJI CineSSD */
+ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
