--- /dev/null
+From 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 19 Nov 2018 19:06:01 +0100
+Subject: ACPI / platform: Add SMB0001 HID to forbidden_id_list
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa upstream.
+
+Many HP AMD based laptops contain an SMB0001 device like this:
+
+Device (SMBD)
+{
+ Name (_HID, "SMB0001") // _HID: Hardware ID
+ Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings
+ {
+ IO (Decode16,
+ 0x0B20, // Range Minimum
+ 0x0B20, // Range Maximum
+ 0x20, // Alignment
+ 0x20, // Length
+ )
+ IRQ (Level, ActiveLow, Shared, )
+ {7}
+ })
+}
+
+The legacy style IRQ resource here causes acpi_dev_get_irqresource() to
+be called with legacy=true and this message to show in dmesg:
+ACPI: IRQ 7 override to edge, high
+
+This causes issues when later on the AMD0030 GPIO device gets enumerated:
+
+Device (GPIO)
+{
+ Name (_HID, "AMDI0030") // _HID: Hardware ID
+ Name (_CID, "AMDI0030") // _CID: Compatible ID
+ Name (_UID, Zero) // _UID: Unique ID
+ Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings
+ {
+ Name (RBUF, ResourceTemplate ()
+ {
+ Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, )
+ {
+ 0x00000007,
+ }
+ Memory32Fixed (ReadWrite,
+ 0xFED81500, // Address Base
+ 0x00000400, // Address Length
+ )
+ })
+ Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */
+ }
+}
+
+Now acpi_dev_get_irqresource() gets called with legacy=false, but because
+of the earlier override of the trigger-type acpi_register_gsi() returns
+-EBUSY (because we try to register the same interrupt with a different
+trigger-type) and we end up setting IORESOURCE_DISABLED in the flags.
+
+The setting of IORESOURCE_DISABLED causes platform_get_irq() to call
+acpi_irq_get() which is not implemented on x86 and returns -EINVAL.
+resulting in the following in dmesg:
+
+amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22
+amd_gpio: probe of AMDI0030:00 failed with error -22
+
+The SMB0001 is a "virtual" device in the sense that the only way the OS
+interacts with it is through calling a couple of methods to do SMBus
+transfers. As such it is weird that it has IO and IRQ resources at all,
+because the driver for it is not expected to ever access the hardware
+directly.
+
+The Linux driver for the SMB0001 device directly binds to the acpi_device
+through the acpi_bus, so we do not need to instantiate a platform_device
+for this ACPI device. This commit adds the SMB0001 HID to the
+forbidden_id_list, avoiding the instantiating of a platform_device for it.
+Not instantiating a platform_device means we will no longer call
+acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of
+the AMDI0030 device failing.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523
+Reported-by: Lukas Kahnert <openproggerfreak@gmail.com>
+Tested-by: Marc <suaefar@googlemail.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_platform.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/acpi_platform.c
++++ b/drivers/acpi/acpi_platform.c
+@@ -30,6 +30,7 @@ static const struct acpi_device_id forbi
+ {"PNP0200", 0}, /* AT DMA Controller */
+ {"ACPI0009", 0}, /* IOxAPIC */
+ {"ACPI000A", 0}, /* IOAPIC */
++ {"SMB0001", 0}, /* ACPI SMBUS virtual device */
+ {"", 0},
+ };
+
--- /dev/null
+From 563785edfcef02b566e64fb5292c74c1600808aa Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 12 Nov 2018 09:43:12 +0100
+Subject: ALSA: hda/realtek - Add quirk entry for HP Pavilion 15
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 563785edfcef02b566e64fb5292c74c1600808aa upstream.
+
+HP Pavilion 15 (103c:820d) with ALC295 codec requires the quirk for
+the mute LED control over mic3 pin. Added the corresponding quirk
+entry.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201653
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6360,6 +6360,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x2336, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2337, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x221c, "HP EliteBook 755 G2", ALC280_FIXUP_HP_HEADSET_MIC),
++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC),
+ SND_PCI_QUIRK(0x103c, 0x82bf, "HP", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x82c0, "HP", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
--- /dev/null
+From fee05f455ceb5c670cbe48e2f9454ebc4a388554 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 12:59:44 +0200
+Subject: drivers/misc/sgi-gru: fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit fee05f455ceb5c670cbe48e2f9454ebc4a388554 upstream.
+
+req.gid can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+vers/misc/sgi-gru/grukdump.c:200 gru_dump_chiplet_request() warn:
+potential spectre issue 'gru_base' [w]
+
+Fix this by sanitizing req.gid before calling macro GID_TO_GRU, which
+uses it to index gru_base.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/sgi-gru/grukdump.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/misc/sgi-gru/grukdump.c
++++ b/drivers/misc/sgi-gru/grukdump.c
+@@ -27,6 +27,9 @@
+ #include <linux/delay.h>
+ #include <linux/bitops.h>
+ #include <asm/uv/uv_hub.h>
++
++#include <linux/nospec.h>
++
+ #include "gru.h"
+ #include "grutables.h"
+ #include "gruhandles.h"
+@@ -196,6 +199,7 @@ int gru_dump_chiplet_request(unsigned lo
+ /* Currently, only dump by gid is implemented */
+ if (req.gid >= gru_max_gids)
+ return -EINVAL;
++ req.gid = array_index_nospec(req.gid, gru_max_gids);
+
+ gru = GID_TO_GRU(req.gid);
+ ubuf = req.buf;
--- /dev/null
+From 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 14 Nov 2018 13:55:09 -0800
+Subject: HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream.
+
+When a UHID_CREATE command is written to the uhid char device, a
+copy_from_user() is done from a user pointer embedded in the command.
+When the address limit is KERNEL_DS, e.g. as is the case during
+sys_sendfile(), this can read from kernel memory. Alternatively,
+information can be leaked from a setuid binary that is tricked to write
+to the file descriptor. Therefore, forbid UHID_CREATE in these cases.
+
+No other commands in uhid_char_write() are affected by this bug and
+UHID_CREATE is marked as "obsolete", so apply the restriction to
+UHID_CREATE only rather than to uhid_char_write() entirely.
+
+Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to
+Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess
+helpers fault on kernel addresses"), allowing this bug to be found.
+
+Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
+Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events")
+Cc: <stable@vger.kernel.org> # v3.6+
+Cc: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/uhid.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -12,6 +12,7 @@
+
+ #include <linux/atomic.h>
+ #include <linux/compat.h>
++#include <linux/cred.h>
+ #include <linux/device.h>
+ #include <linux/fs.h>
+ #include <linux/hid.h>
+@@ -722,6 +723,17 @@ static ssize_t uhid_char_write(struct fi
+
+ switch (uhid->input_buf.type) {
+ case UHID_CREATE:
++ /*
++ * 'struct uhid_create_req' contains a __user pointer which is
++ * copied from, so it's unsafe to allow this with elevated
++ * privileges (e.g. from a setuid binary) or via kernel_write().
++ */
++ if (file->f_cred != current_cred() || uaccess_kernel()) {
++ pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
++ task_tgid_vnr(current), current->comm);
++ ret = -EACCES;
++ goto unlock;
++ }
+ ret = uhid_dev_create(uhid, &uhid->input_buf);
+ break;
+ case UHID_CREATE2:
--- /dev/null
+From 7e241f647dc7087a0401418a187f3f5b527cc690 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Thu, 8 Nov 2018 15:55:37 +0100
+Subject: libceph: fall back to sendmsg for slab pages
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7e241f647dc7087a0401418a187f3f5b527cc690 upstream.
+
+skb_can_coalesce() allows coalescing neighboring slab objects into
+a single frag:
+
+ return page == skb_frag_page(frag) &&
+ off == frag->page_offset + skb_frag_size(frag);
+
+ceph_tcp_sendpage() can be handed slab pages. One example of this is
+XFS: it passes down sector sized slab objects for its metadata I/O. If
+the kernel client is co-located on the OSD node, the skb may go through
+loopback and pop on the receive side with the exact same set of frags.
+When tcp_recvmsg() attempts to copy out such a frag, hardened usercopy
+complains because the size exceeds the object's allocated size:
+
+ usercopy: kernel memory exposure attempt detected from ffff9ba917f20a00 (kmalloc-512) (1024 bytes)
+
+Although skb_can_coalesce() could be taught to return false if the
+resulting frag would cross a slab object boundary, we already have
+a fallback for non-refcounted pages. Utilize it for slab pages too.
+
+Cc: stable@vger.kernel.org # 4.8+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -594,9 +594,15 @@ static int ceph_tcp_sendpage(struct sock
+ struct bio_vec bvec;
+ int ret;
+
+- /* sendpage cannot properly handle pages with page_count == 0,
+- * we need to fallback to sendmsg if that's the case */
+- if (page_count(page) >= 1)
++ /*
++ * sendpage cannot properly handle pages with page_count == 0,
++ * we need to fall back to sendmsg if that's the case.
++ *
++ * Same goes for slab pages: skb_can_coalesce() allows
++ * coalescing neighboring slab objects into a single frag which
++ * triggers one of hardened usercopy checks.
++ */
++ if (page_count(page) >= 1 && !PageSlab(page))
+ return __ceph_tcp_sendpage(sock, page, offset, size, more);
+
+ bvec.bv_page = page;
--- /dev/null
+From 92539d3eda2c090b382699bbb896d4b54e9bdece Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Mon, 5 Nov 2018 09:35:44 -0500
+Subject: media: v4l: event: Add subscription to list before calling "add" operation
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 92539d3eda2c090b382699bbb896d4b54e9bdece upstream.
+
+Patch ad608fbcf166 changed how events were subscribed to address an issue
+elsewhere. As a side effect of that change, the "add" callback was called
+before the event subscription was added to the list of subscribed events,
+causing the first event queued by the add callback (and possibly other
+events arriving soon afterwards) to be lost.
+
+Fix this by adding the subscription to the list before calling the "add"
+callback, and clean up afterwards if that fails.
+
+Fixes: ad608fbcf166 ("media: v4l: event: Prevent freeing event subscriptions while accessed")
+
+Reported-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Tested-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Tested-by: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: stable@vger.kernel.org (for 4.14 and up)
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-event.c | 43 +++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-event.c
++++ b/drivers/media/v4l2-core/v4l2-event.c
+@@ -193,6 +193,22 @@ int v4l2_event_pending(struct v4l2_fh *f
+ }
+ EXPORT_SYMBOL_GPL(v4l2_event_pending);
+
++static void __v4l2_event_unsubscribe(struct v4l2_subscribed_event *sev)
++{
++ struct v4l2_fh *fh = sev->fh;
++ unsigned int i;
++
++ lockdep_assert_held(&fh->subscribe_lock);
++ assert_spin_locked(&fh->vdev->fh_lock);
++
++ /* Remove any pending events for this subscription */
++ for (i = 0; i < sev->in_use; i++) {
++ list_del(&sev->events[sev_pos(sev, i)].list);
++ fh->navailable--;
++ }
++ list_del(&sev->list);
++}
++
+ int v4l2_event_subscribe(struct v4l2_fh *fh,
+ const struct v4l2_event_subscription *sub, unsigned elems,
+ const struct v4l2_subscribed_event_ops *ops)
+@@ -225,27 +241,23 @@ int v4l2_event_subscribe(struct v4l2_fh
+
+ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+ found_ev = v4l2_event_subscribed(fh, sub->type, sub->id);
++ if (!found_ev)
++ list_add(&sev->list, &fh->subscribed);
+ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
+ if (found_ev) {
+ /* Already listening */
+ kvfree(sev);
+- goto out_unlock;
+- }
+-
+- if (sev->ops && sev->ops->add) {
++ } else if (sev->ops && sev->ops->add) {
+ ret = sev->ops->add(sev, elems);
+ if (ret) {
++ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
++ __v4l2_event_unsubscribe(sev);
++ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+ kvfree(sev);
+- goto out_unlock;
+ }
+ }
+
+- spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+- list_add(&sev->list, &fh->subscribed);
+- spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+-
+-out_unlock:
+ mutex_unlock(&fh->subscribe_lock);
+
+ return ret;
+@@ -280,7 +292,6 @@ int v4l2_event_unsubscribe(struct v4l2_f
+ {
+ struct v4l2_subscribed_event *sev;
+ unsigned long flags;
+- int i;
+
+ if (sub->type == V4L2_EVENT_ALL) {
+ v4l2_event_unsubscribe_all(fh);
+@@ -292,14 +303,8 @@ int v4l2_event_unsubscribe(struct v4l2_f
+ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+
+ sev = v4l2_event_subscribed(fh, sub->type, sub->id);
+- if (sev != NULL) {
+- /* Remove any pending events for this subscription */
+- for (i = 0; i < sev->in_use; i++) {
+- list_del(&sev->events[sev_pos(sev, i)].list);
+- fh->navailable--;
+- }
+- list_del(&sev->list);
+- }
++ if (sev != NULL)
++ __v4l2_event_unsubscribe(sev);
+
+ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
--- /dev/null
+From 82fba2df7f7c019627f24c5036dc99f41731d770 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 11 Nov 2018 00:06:12 +0200
+Subject: MIPS: OCTEON: cavium_octeon_defconfig: re-enable OCTEON USB driver
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit 82fba2df7f7c019627f24c5036dc99f41731d770 upstream.
+
+Re-enable OCTEON USB driver which is needed on older hardware
+(e.g. EdgeRouter Lite) for mass storage etc. This got accidentally
+deleted when config options were changed for OCTEON2/3 USB.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: f922bc0ad08b ("MIPS: Octeon: cavium_octeon_defconfig: Enable more drivers")
+Patchwork: https://patchwork.linux-mips.org/patch/21077/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/configs/cavium_octeon_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/configs/cavium_octeon_defconfig
++++ b/arch/mips/configs/cavium_octeon_defconfig
+@@ -140,6 +140,7 @@ CONFIG_RTC_CLASS=y
+ CONFIG_RTC_DRV_DS1307=y
+ CONFIG_STAGING=y
+ CONFIG_OCTEON_ETHERNET=y
++CONFIG_OCTEON_USB=y
+ # CONFIG_IOMMU_SUPPORT is not set
+ CONFIG_RAS=y
+ CONFIG_EXT4_FS=y
--- /dev/null
+From 7c97301285b62a41d6bceded7d964085fc8cc50f Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Oct 2018 10:09:02 -0700
+Subject: misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 7c97301285b62a41d6bceded7d964085fc8cc50f upstream.
+
+After building the kernel with Clang, the following section mismatch
+warning appears:
+
+WARNING: vmlinux.o(.text+0x3bf19a6): Section mismatch in reference from
+the function ssc_probe() to the function
+.init.text:atmel_ssc_get_driver_data()
+The function ssc_probe() references
+the function __init atmel_ssc_get_driver_data().
+This is often because ssc_probe lacks a __init
+annotation or the annotation of atmel_ssc_get_driver_data is wrong.
+
+Remove __init from atmel_ssc_get_driver_data to get rid of the mismatch.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/atmel-ssc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/atmel-ssc.c
++++ b/drivers/misc/atmel-ssc.c
+@@ -132,7 +132,7 @@ static const struct of_device_id atmel_s
+ MODULE_DEVICE_TABLE(of, atmel_ssc_dt_ids);
+ #endif
+
+-static inline const struct atmel_ssc_platform_data * __init
++static inline const struct atmel_ssc_platform_data *
+ atmel_ssc_get_driver_data(struct platform_device *pdev)
+ {
+ if (pdev->dev.of_node) {
--- /dev/null
+From 5d1e9c2212ea6b4dd735e4fc3dd6279a365d5d10 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:49 +0200
+Subject: mtd: rawnand: atmel: fix OF child-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5d1e9c2212ea6b4dd735e4fc3dd6279a365d5d10 upstream.
+
+Use the new of_get_compatible_child() helper to lookup the nfc child
+node instead of using of_find_compatible_node(), which searches the
+entire tree from a given start node and thus can return an unrelated
+(i.e. non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the node of the device being probed).
+
+While at it, also fix a related nfc-node reference leak.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Cc: stable <stable@vger.kernel.org> # 4.11
+Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: Josh Wu <rainyfeeling@outlook.com>
+Cc: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/atmel/nand-controller.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/atmel/nand-controller.c
++++ b/drivers/mtd/nand/atmel/nand-controller.c
+@@ -2077,8 +2077,7 @@ atmel_hsmc_nand_controller_legacy_init(s
+ int ret;
+
+ nand_np = dev->of_node;
+- nfc_np = of_find_compatible_node(dev->of_node, NULL,
+- "atmel,sama5d3-nfc");
++ nfc_np = of_get_compatible_child(dev->of_node, "atmel,sama5d3-nfc");
+ if (!nfc_np) {
+ dev_err(dev, "Could not find device node for sama5d3-nfc\n");
+ return -ENODEV;
+@@ -2492,15 +2491,19 @@ static int atmel_nand_controller_probe(s
+ }
+
+ if (caps->legacy_of_bindings) {
++ struct device_node *nfc_node;
+ u32 ale_offs = 21;
+
+ /*
+ * If we are parsing legacy DT props and the DT contains a
+ * valid NFC node, forward the request to the sama5 logic.
+ */
+- if (of_find_compatible_node(pdev->dev.of_node, NULL,
+- "atmel,sama5d3-nfc"))
++ nfc_node = of_get_compatible_child(pdev->dev.of_node,
++ "atmel,sama5d3-nfc");
++ if (nfc_node) {
+ caps = &atmel_sama5_nand_caps;
++ of_node_put(nfc_node);
++ }
+
+ /*
+ * Even if the compatible says we are dealing with an
perf-test-code-reading-fix-perf_env-setup-for-pti-en.patch
x86-mm-move-ldt-remap-out-of-kaslr-region-on-5-level.patch
x86-ldt-unmap-ptes-for-the-slot-before-freeing-ldt-p.patch
+media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch
+mips-octeon-cavium_octeon_defconfig-re-enable-octeon-usb-driver.patch
+uio-fix-an-oops-on-load.patch
+alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch
+usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch
+usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch
+usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch
+misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch
+usb-misc-appledisplay-add-20-apple-cinema-display.patch
+mtd-rawnand-atmel-fix-of-child-node-lookup.patch
+drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch
+acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch
+hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch
+libceph-fall-back-to-sendmsg-for-slab-pages.patch
--- /dev/null
+From 432798195bbce1f8cd33d1c0284d0538835e25fb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 26 Oct 2018 10:19:51 +0300
+Subject: uio: Fix an Oops on load
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream.
+
+I was trying to solve a double free but I introduced a more serious
+NULL dereference bug. The problem is that if there is an IRQ which
+triggers immediately, then we need "info->uio_dev" but it's not set yet.
+
+This patch puts the original initialization back to how it was and just
+sets info->uio_dev to NULL on the error path so it should solve both
+the Oops and the double free.
+
+Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails")
+Reported-by: Mathias Thore <Mathias.Thore@infinera.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Tested-by: Mathias Thore <Mathias.Thore@infinera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -850,6 +850,8 @@ int __uio_register_device(struct module
+ if (ret)
+ goto err_uio_dev_add_attributes;
+
++ info->uio_dev = idev;
++
+ if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
+ /*
+ * Note that we deliberately don't use devm_request_irq
+@@ -861,11 +863,12 @@ int __uio_register_device(struct module
+ */
+ ret = request_irq(info->irq, uio_interrupt,
+ info->irq_flags, info->name, idev);
+- if (ret)
++ if (ret) {
++ info->uio_dev = NULL;
+ goto err_request_irq;
++ }
+ }
+
+- info->uio_dev = idev;
+ return 0;
+
+ err_request_irq:
--- /dev/null
+From 63529eaa6164ef7ab4b907b25ac3648177e5e78f Mon Sep 17 00:00:00 2001
+From: Maarten Jacobs <maarten256@outlook.com>
+Date: Mon, 19 Nov 2018 23:18:49 +0000
+Subject: usb: cdc-acm: add entry for Hiro (Conexant) modem
+
+From: Maarten Jacobs <maarten256@outlook.com>
+
+commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f upstream.
+
+The cdc-acm kernel module currently does not support the Hiro (Conexant)
+H05228 USB modem. The patch below adds the device specific information:
+ idVendor 0x0572
+ idProduct 0x1349
+
+Signed-off-by: Maarten Jacobs <maarten256@outlook.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1724,6 +1724,9 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
++ { USB_DEVICE(0x0572, 0x1349), /* Hiro (Conexant) USB MODEM H50228 */
++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
++ },
+ { USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */
+ .driver_info = QUIRK_CONTROL_LINE_STATE, },
+ { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */
--- /dev/null
+From f6501f49199097b99e4e263644d88c90d1ec1060 Mon Sep 17 00:00:00 2001
+From: Mattias Jacobsson <2pi@mok.nu>
+Date: Sun, 21 Oct 2018 11:25:37 +0200
+Subject: USB: misc: appledisplay: add 20" Apple Cinema Display
+
+From: Mattias Jacobsson <2pi@mok.nu>
+
+commit f6501f49199097b99e4e263644d88c90d1ec1060 upstream.
+
+Add another Apple Cinema Display to the list of supported displays
+
+Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/appledisplay.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -63,6 +63,7 @@ static const struct usb_device_id appled
+ { APPLEDISPLAY_DEVICE(0x9219) },
+ { APPLEDISPLAY_DEVICE(0x921c) },
+ { APPLEDISPLAY_DEVICE(0x921d) },
++ { APPLEDISPLAY_DEVICE(0x9222) },
+ { APPLEDISPLAY_DEVICE(0x9236) },
+
+ /* Terminating entry */
--- /dev/null
+From a77112577667cbda7c6292c52d909636aef31fd9 Mon Sep 17 00:00:00 2001
+From: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+Date: Fri, 26 Oct 2018 14:48:09 +0200
+Subject: usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
+
+From: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+
+commit a77112577667cbda7c6292c52d909636aef31fd9 upstream.
+
+Following on from this patch: https://lkml.org/lkml/2017/11/3/516,
+Corsair K70 LUX RGB keyboards also require the DELAY_INIT quirk to
+start correctly at boot.
+
+Dmesg output:
+usb 1-6: string descriptor 0 read error: -110
+usb 1-6: New USB device found, idVendor=1b1c, idProduct=1b33
+usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+usb 1-6: can't set config #1, error -110
+
+Signed-off-by: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -243,6 +243,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
+
++ /* Corsair K70 LUX RGB */
++ { USB_DEVICE(0x1b1c, 0x1b33), .driver_info = USB_QUIRK_DELAY_INIT },
++
+ /* Corsair K70 LUX */
+ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
+
--- /dev/null
+From deefd24228a172d1b27d4a9adbfd2cdacd60ae64 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Fri, 26 Oct 2018 13:33:15 +0800
+Subject: USB: quirks: Add no-lpm quirk for Raydium touchscreens
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit deefd24228a172d1b27d4a9adbfd2cdacd60ae64 upstream.
+
+Raydium USB touchscreen fails to set config if LPM is enabled:
+[ 2.030658] usb 1-8: New USB device found, idVendor=2386, idProduct=3119
+[ 2.030659] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
+[ 2.030660] usb 1-8: Product: Raydium Touch System
+[ 2.030661] usb 1-8: Manufacturer: Raydium Corporation
+[ 7.132209] usb 1-8: can't set config #1, error -110
+
+Same behavior can be observed on 2386:3114.
+
+Raydium claims the touchscreen supports LPM under Windows, so I used
+Microsoft USB Test Tools (MUTT) [1] to check its LPM status. MUTT shows
+that the LPM doesn't work under Windows, either. So let's just disable LPM
+for Raydium touchscreens.
+
+[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-test-tools
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -263,6 +263,11 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x2040, 0x7200), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
++ /* Raydium Touchscreen */
++ { USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM },
++
++ { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* DJI CineSSD */
+ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
