--- /dev/null
+From 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 19 Nov 2018 19:06:01 +0100
+Subject: ACPI / platform: Add SMB0001 HID to forbidden_id_list
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa upstream.
+
+Many HP AMD based laptops contain an SMB0001 device like this:
+
+Device (SMBD)
+{
+ Name (_HID, "SMB0001") // _HID: Hardware ID
+ Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings
+ {
+ IO (Decode16,
+ 0x0B20, // Range Minimum
+ 0x0B20, // Range Maximum
+ 0x20, // Alignment
+ 0x20, // Length
+ )
+ IRQ (Level, ActiveLow, Shared, )
+ {7}
+ })
+}
+
+The legacy style IRQ resource here causes acpi_dev_get_irqresource() to
+be called with legacy=true and this message to show in dmesg:
+ACPI: IRQ 7 override to edge, high
+
+This causes issues when later on the AMD0030 GPIO device gets enumerated:
+
+Device (GPIO)
+{
+ Name (_HID, "AMDI0030") // _HID: Hardware ID
+ Name (_CID, "AMDI0030") // _CID: Compatible ID
+ Name (_UID, Zero) // _UID: Unique ID
+ Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings
+ {
+ Name (RBUF, ResourceTemplate ()
+ {
+ Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, )
+ {
+ 0x00000007,
+ }
+ Memory32Fixed (ReadWrite,
+ 0xFED81500, // Address Base
+ 0x00000400, // Address Length
+ )
+ })
+ Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */
+ }
+}
+
+Now acpi_dev_get_irqresource() gets called with legacy=false, but because
+of the earlier override of the trigger-type acpi_register_gsi() returns
+-EBUSY (because we try to register the same interrupt with a different
+trigger-type) and we end up setting IORESOURCE_DISABLED in the flags.
+
+The setting of IORESOURCE_DISABLED causes platform_get_irq() to call
+acpi_irq_get() which is not implemented on x86 and returns -EINVAL.
+resulting in the following in dmesg:
+
+amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22
+amd_gpio: probe of AMDI0030:00 failed with error -22
+
+The SMB0001 is a "virtual" device in the sense that the only way the OS
+interacts with it is through calling a couple of methods to do SMBus
+transfers. As such it is weird that it has IO and IRQ resources at all,
+because the driver for it is not expected to ever access the hardware
+directly.
+
+The Linux driver for the SMB0001 device directly binds to the acpi_device
+through the acpi_bus, so we do not need to instantiate a platform_device
+for this ACPI device. This commit adds the SMB0001 HID to the
+forbidden_id_list, avoiding the instantiating of a platform_device for it.
+Not instantiating a platform_device means we will no longer call
+acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of
+the AMDI0030 device failing.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523
+Reported-by: Lukas Kahnert <openproggerfreak@gmail.com>
+Tested-by: Marc <suaefar@googlemail.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_platform.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/acpi_platform.c
++++ b/drivers/acpi/acpi_platform.c
+@@ -30,6 +30,7 @@ static const struct acpi_device_id forbi
+ {"PNP0200", 0}, /* AT DMA Controller */
+ {"ACPI0009", 0}, /* IOxAPIC */
+ {"ACPI000A", 0}, /* IOAPIC */
++ {"SMB0001", 0}, /* ACPI SMBUS virtual device */
+ {"", 0},
+ };
+
--- /dev/null
+From d99501b8575dc1248bacf1b58d2241cb4b265d49 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 12 Nov 2018 12:26:57 +0100
+Subject: ALSA: hda/ca0132 - Call pci_iounmap() instead of iounmap()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d99501b8575dc1248bacf1b58d2241cb4b265d49 upstream.
+
+We need to call pci_iounmap() instead of iounmap() for the regions
+obtained via pci_iomap() call for some archs that need special
+treatment.
+
+Fixes: aa31704fd81c ("ALSA: hda/ca0132: Add PCI region2 iomap for SBZ")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_ca0132.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -7395,7 +7395,7 @@ static void ca0132_free(struct hda_codec
+
+ snd_hda_power_down(codec);
+ if (spec->mem_base)
+- iounmap(spec->mem_base);
++ pci_iounmap(codec->bus->pci, spec->mem_base);
+ kfree(spec->spec_init_verbs);
+ kfree(codec->spec);
+ }
--- /dev/null
+From 563785edfcef02b566e64fb5292c74c1600808aa Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 12 Nov 2018 09:43:12 +0100
+Subject: ALSA: hda/realtek - Add quirk entry for HP Pavilion 15
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 563785edfcef02b566e64fb5292c74c1600808aa upstream.
+
+HP Pavilion 15 (103c:820d) with ALC295 codec requires the quirk for
+the mute LED control over mic3 pin. Added the corresponding quirk
+entry.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201653
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6481,6 +6481,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x2336, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2337, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x221c, "HP EliteBook 755 G2", ALC280_FIXUP_HP_HEADSET_MIC),
++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC),
+ SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360),
+ SND_PCI_QUIRK(0x103c, 0x82bf, "HP", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
--- /dev/null
+From e13fb9b37cc00616b90df2d620f30345b5ada6ff Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Date: Mon, 6 Aug 2018 15:14:49 +0200
+Subject: can: kvaser_usb: Fix accessing freed memory in kvaser_usb_start_xmit()
+
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+
+commit e13fb9b37cc00616b90df2d620f30345b5ada6ff upstream.
+
+The call to can_put_echo_skb() may result in the skb being freed. The skb
+is later used in the call to dev->ops->dev_frame_to_cmd().
+
+This is avoided by moving the call to can_put_echo_skb() after
+dev->ops->dev_frame_to_cmd().
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -528,7 +528,6 @@ static netdev_tx_t kvaser_usb_start_xmit
+ context = &priv->tx_contexts[i];
+
+ context->echo_index = i;
+- can_put_echo_skb(skb, netdev, context->echo_index);
+ ++priv->active_tx_contexts;
+ if (priv->active_tx_contexts >= (int)dev->max_tx_urbs)
+ netif_stop_queue(netdev);
+@@ -553,7 +552,6 @@ static netdev_tx_t kvaser_usb_start_xmit
+ dev_kfree_skb(skb);
+ spin_lock_irqsave(&priv->tx_contexts_lock, flags);
+
+- can_free_echo_skb(netdev, context->echo_index);
+ context->echo_index = dev->max_tx_urbs;
+ --priv->active_tx_contexts;
+ netif_wake_queue(netdev);
+@@ -564,6 +562,8 @@ static netdev_tx_t kvaser_usb_start_xmit
+
+ context->priv = priv;
+
++ can_put_echo_skb(skb, netdev, context->echo_index);
++
+ usb_fill_bulk_urb(urb, dev->udev,
+ usb_sndbulkpipe(dev->udev,
+ dev->bulk_out->bEndpointAddress),
--- /dev/null
+From 95217260649aa504eb5d4a0d50959ca4e67c8f96 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Date: Mon, 6 Aug 2018 15:14:50 +0200
+Subject: can: kvaser_usb: Fix potential uninitialized variable use
+
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+
+commit 95217260649aa504eb5d4a0d50959ca4e67c8f96 upstream.
+
+If alloc_can_err_skb() fails, cf is never initialized.
+Move assignment of cf inside check.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+@@ -1019,6 +1019,11 @@ kvaser_usb_hydra_error_frame(struct kvas
+ new_state : CAN_STATE_ERROR_ACTIVE;
+
+ can_change_state(netdev, cf, tx_state, rx_state);
++
++ if (priv->can.restart_ms &&
++ old_state >= CAN_STATE_BUS_OFF &&
++ new_state < CAN_STATE_BUS_OFF)
++ cf->can_id |= CAN_ERR_RESTARTED;
+ }
+
+ if (new_state == CAN_STATE_BUS_OFF) {
+@@ -1028,11 +1033,6 @@ kvaser_usb_hydra_error_frame(struct kvas
+
+ can_bus_off(netdev);
+ }
+-
+- if (priv->can.restart_ms &&
+- old_state >= CAN_STATE_BUS_OFF &&
+- new_state < CAN_STATE_BUS_OFF)
+- cf->can_id |= CAN_ERR_RESTARTED;
+ }
+
+ if (!skb) {
--- /dev/null
+From fee05f455ceb5c670cbe48e2f9454ebc4a388554 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 12:59:44 +0200
+Subject: drivers/misc/sgi-gru: fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit fee05f455ceb5c670cbe48e2f9454ebc4a388554 upstream.
+
+req.gid can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+vers/misc/sgi-gru/grukdump.c:200 gru_dump_chiplet_request() warn:
+potential spectre issue 'gru_base' [w]
+
+Fix this by sanitizing req.gid before calling macro GID_TO_GRU, which
+uses it to index gru_base.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/sgi-gru/grukdump.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/misc/sgi-gru/grukdump.c
++++ b/drivers/misc/sgi-gru/grukdump.c
+@@ -27,6 +27,9 @@
+ #include <linux/delay.h>
+ #include <linux/bitops.h>
+ #include <asm/uv/uv_hub.h>
++
++#include <linux/nospec.h>
++
+ #include "gru.h"
+ #include "grutables.h"
+ #include "gruhandles.h"
+@@ -196,6 +199,7 @@ int gru_dump_chiplet_request(unsigned lo
+ /* Currently, only dump by gid is implemented */
+ if (req.gid >= gru_max_gids)
+ return -EINVAL;
++ req.gid = array_index_nospec(req.gid, gru_max_gids);
+
+ gru = GID_TO_GRU(req.gid);
+ ubuf = req.buf;
--- /dev/null
+From 56a6c7268312cba9436b84cac01b3e502c5c511d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 14 Nov 2018 09:33:57 +0100
+Subject: gnss: serial: fix synchronous write timeout
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 56a6c7268312cba9436b84cac01b3e502c5c511d upstream.
+
+Passing a timeout of zero to the synchronous serdev_device_write()
+helper does currently not imply to wait forever (unlike passing zero to
+serdev_device_wait_until_sent()). Instead, if there's insufficient
+room in the write buffer, we'd end up with an incomplete write.
+
+Fixes: 37768b054f20 ("gnss: add generic serial driver")
+Cc: stable <stable@vger.kernel.org> # 4.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gnss/serial.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gnss/serial.c
++++ b/drivers/gnss/serial.c
+@@ -13,6 +13,7 @@
+ #include <linux/of.h>
+ #include <linux/pm.h>
+ #include <linux/pm_runtime.h>
++#include <linux/sched.h>
+ #include <linux/serdev.h>
+ #include <linux/slab.h>
+
+@@ -63,7 +64,7 @@ static int gnss_serial_write_raw(struct
+ int ret;
+
+ /* write is only buffered synchronously */
+- ret = serdev_device_write(serdev, buf, count, 0);
++ ret = serdev_device_write(serdev, buf, count, MAX_SCHEDULE_TIMEOUT);
+ if (ret < 0)
+ return ret;
+
--- /dev/null
+From 1decef370456870bf448a565be95db636428e106 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 14 Nov 2018 09:37:54 +0100
+Subject: gnss: sirf: fix synchronous write timeout
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1decef370456870bf448a565be95db636428e106 upstream.
+
+Passing a timeout of zero to the synchronous serdev_device_write()
+helper does currently not imply to wait forever (unlike passing zero to
+serdev_device_wait_until_sent()). Instead, if there's insufficient
+room in the write buffer, we'd end up with an incomplete write.
+
+Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers")
+Cc: stable <stable@vger.kernel.org> # 4.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gnss/sirf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gnss/sirf.c
++++ b/drivers/gnss/sirf.c
+@@ -16,6 +16,7 @@
+ #include <linux/pm.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/regulator/consumer.h>
++#include <linux/sched.h>
+ #include <linux/serdev.h>
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+@@ -83,7 +84,7 @@ static int sirf_write_raw(struct gnss_de
+ int ret;
+
+ /* write is only buffered synchronously */
+- ret = serdev_device_write(serdev, buf, count, 0);
++ ret = serdev_device_write(serdev, buf, count, MAX_SCHEDULE_TIMEOUT);
+ if (ret < 0)
+ return ret;
+
--- /dev/null
+From e82e62e390d39c3819641cd721695702180d54fb Mon Sep 17 00:00:00 2001
+From: Sebastian Parschauer <sparschauer@suse.de>
+Date: Wed, 7 Nov 2018 13:36:40 +0100
+Subject: HID: Add quirk for Microsoft PIXART OEM mouse
+
+From: Sebastian Parschauer <sparschauer@suse.de>
+
+commit e82e62e390d39c3819641cd721695702180d54fb upstream.
+
+The PixArt OEM mice are known for disconnecting every minute in
+runlevel 1 or 3 if they are not always polled. So add quirk
+ALWAYS_POLL for this one as well.
+
+References:
+https://www.spinics.net/lists/linux-usb/msg88965.html
+http://linet.gr.jp/~kojima/PlamoWeb/ML/htdocs/201808/msg00019.html
+
+Signed-off-by: Sebastian Parschauer <sparschauer@suse.de>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -799,6 +799,7 @@
+ #define USB_DEVICE_ID_MS_TOUCH_COVER_2 0x07a7
+ #define USB_DEVICE_ID_MS_TYPE_COVER_2 0x07a9
+ #define USB_DEVICE_ID_MS_POWER_COVER 0x07da
++#define USB_DEVICE_ID_MS_PIXART_MOUSE 0x00cb
+
+ #define USB_VENDOR_ID_MOJO 0x8282
+ #define USB_DEVICE_ID_RETRO_ADAPTER 0x3201
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -106,6 +106,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MCS, USB_DEVICE_ID_MCS_GAMEPADBLOCK), HID_QUIRK_MULTI_INPUT },
++ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE_PRO_2), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TOUCH_COVER_2), HID_QUIRK_NO_INIT_REPORTS },
--- /dev/null
+From fb862c3b199d28bee238d52e8270eae8650d6cb0 Mon Sep 17 00:00:00 2001
+From: Sebastian Parschauer <sparschauer@suse.de>
+Date: Tue, 20 Nov 2018 07:25:08 +0100
+Subject: HID: Add quirk for Primax PIXART OEM mice
+
+From: Sebastian Parschauer <sparschauer@suse.de>
+
+commit fb862c3b199d28bee238d52e8270eae8650d6cb0 upstream.
+
+The PixArt OEM mice are known for disconnecting every minute in
+runlevel 1 or 3 if they are not always polled. So add quirk
+ALWAYS_POLL for two Primax mice as well.
+
+0x4e22 is the Dell MS111-P and 0x4d0f is the unbranded HP Portia
+mouse HP 697738-001. Both were built until approx. 2014.
+Those were the standard mice from those vendors and are still
+around - even as new old stock.
+
+Reference: https://github.com/sriemer/fix-linux-mouse/issues/11
+
+Signed-off-by: Sebastian Parschauer <sparschauer@suse.de>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h | 2 ++
+ drivers/hid/hid-quirks.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1198,6 +1198,8 @@
+ #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22 0x4d22
+ #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05
+ #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72
++#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f
++#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22 0x4e22
+
+
+ #define USB_VENDOR_ID_RISO_KAGAKU 0x1294 /* Riso Kagaku Corp. */
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -128,6 +128,8 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3003), HID_QUIRK_NOGET },
--- /dev/null
+From 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 14 Nov 2018 13:55:09 -0800
+Subject: HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream.
+
+When a UHID_CREATE command is written to the uhid char device, a
+copy_from_user() is done from a user pointer embedded in the command.
+When the address limit is KERNEL_DS, e.g. as is the case during
+sys_sendfile(), this can read from kernel memory. Alternatively,
+information can be leaked from a setuid binary that is tricked to write
+to the file descriptor. Therefore, forbid UHID_CREATE in these cases.
+
+No other commands in uhid_char_write() are affected by this bug and
+UHID_CREATE is marked as "obsolete", so apply the restriction to
+UHID_CREATE only rather than to uhid_char_write() entirely.
+
+Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to
+Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess
+helpers fault on kernel addresses"), allowing this bug to be found.
+
+Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
+Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events")
+Cc: <stable@vger.kernel.org> # v3.6+
+Cc: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/uhid.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -12,6 +12,7 @@
+
+ #include <linux/atomic.h>
+ #include <linux/compat.h>
++#include <linux/cred.h>
+ #include <linux/device.h>
+ #include <linux/fs.h>
+ #include <linux/hid.h>
+@@ -722,6 +723,17 @@ static ssize_t uhid_char_write(struct fi
+
+ switch (uhid->input_buf.type) {
+ case UHID_CREATE:
++ /*
++ * 'struct uhid_create_req' contains a __user pointer which is
++ * copied from, so it's unsafe to allow this with elevated
++ * privileges (e.g. from a setuid binary) or via kernel_write().
++ */
++ if (file->f_cred != current_cred() || uaccess_kernel()) {
++ pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
++ task_tgid_vnr(current), current->comm);
++ ret = -EACCES;
++ goto unlock;
++ }
+ ret = uhid_dev_create(uhid, &uhid->input_buf);
+ break;
+ case UHID_CREATE2:
--- /dev/null
+From 7e241f647dc7087a0401418a187f3f5b527cc690 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Thu, 8 Nov 2018 15:55:37 +0100
+Subject: libceph: fall back to sendmsg for slab pages
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7e241f647dc7087a0401418a187f3f5b527cc690 upstream.
+
+skb_can_coalesce() allows coalescing neighboring slab objects into
+a single frag:
+
+ return page == skb_frag_page(frag) &&
+ off == frag->page_offset + skb_frag_size(frag);
+
+ceph_tcp_sendpage() can be handed slab pages. One example of this is
+XFS: it passes down sector sized slab objects for its metadata I/O. If
+the kernel client is co-located on the OSD node, the skb may go through
+loopback and pop on the receive side with the exact same set of frags.
+When tcp_recvmsg() attempts to copy out such a frag, hardened usercopy
+complains because the size exceeds the object's allocated size:
+
+ usercopy: kernel memory exposure attempt detected from ffff9ba917f20a00 (kmalloc-512) (1024 bytes)
+
+Although skb_can_coalesce() could be taught to return false if the
+resulting frag would cross a slab object boundary, we already have
+a fallback for non-refcounted pages. Utilize it for slab pages too.
+
+Cc: stable@vger.kernel.org # 4.8+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -593,9 +593,15 @@ static int ceph_tcp_sendpage(struct sock
+ struct bio_vec bvec;
+ int ret;
+
+- /* sendpage cannot properly handle pages with page_count == 0,
+- * we need to fallback to sendmsg if that's the case */
+- if (page_count(page) >= 1)
++ /*
++ * sendpage cannot properly handle pages with page_count == 0,
++ * we need to fall back to sendmsg if that's the case.
++ *
++ * Same goes for slab pages: skb_can_coalesce() allows
++ * coalescing neighboring slab objects into a single frag which
++ * triggers one of hardened usercopy checks.
++ */
++ if (page_count(page) >= 1 && !PageSlab(page))
+ return __ceph_tcp_sendpage(sock, page, offset, size, more);
+
+ bvec.bv_page = page;
--- /dev/null
+From 92539d3eda2c090b382699bbb896d4b54e9bdece Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Mon, 5 Nov 2018 09:35:44 -0500
+Subject: media: v4l: event: Add subscription to list before calling "add" operation
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 92539d3eda2c090b382699bbb896d4b54e9bdece upstream.
+
+Patch ad608fbcf166 changed how events were subscribed to address an issue
+elsewhere. As a side effect of that change, the "add" callback was called
+before the event subscription was added to the list of subscribed events,
+causing the first event queued by the add callback (and possibly other
+events arriving soon afterwards) to be lost.
+
+Fix this by adding the subscription to the list before calling the "add"
+callback, and clean up afterwards if that fails.
+
+Fixes: ad608fbcf166 ("media: v4l: event: Prevent freeing event subscriptions while accessed")
+
+Reported-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Tested-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Tested-by: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: stable@vger.kernel.org (for 4.14 and up)
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-event.c | 43 +++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-event.c
++++ b/drivers/media/v4l2-core/v4l2-event.c
+@@ -193,6 +193,22 @@ int v4l2_event_pending(struct v4l2_fh *f
+ }
+ EXPORT_SYMBOL_GPL(v4l2_event_pending);
+
++static void __v4l2_event_unsubscribe(struct v4l2_subscribed_event *sev)
++{
++ struct v4l2_fh *fh = sev->fh;
++ unsigned int i;
++
++ lockdep_assert_held(&fh->subscribe_lock);
++ assert_spin_locked(&fh->vdev->fh_lock);
++
++ /* Remove any pending events for this subscription */
++ for (i = 0; i < sev->in_use; i++) {
++ list_del(&sev->events[sev_pos(sev, i)].list);
++ fh->navailable--;
++ }
++ list_del(&sev->list);
++}
++
+ int v4l2_event_subscribe(struct v4l2_fh *fh,
+ const struct v4l2_event_subscription *sub, unsigned elems,
+ const struct v4l2_subscribed_event_ops *ops)
+@@ -224,27 +240,23 @@ int v4l2_event_subscribe(struct v4l2_fh
+
+ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+ found_ev = v4l2_event_subscribed(fh, sub->type, sub->id);
++ if (!found_ev)
++ list_add(&sev->list, &fh->subscribed);
+ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
+ if (found_ev) {
+ /* Already listening */
+ kvfree(sev);
+- goto out_unlock;
+- }
+-
+- if (sev->ops && sev->ops->add) {
++ } else if (sev->ops && sev->ops->add) {
+ ret = sev->ops->add(sev, elems);
+ if (ret) {
++ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
++ __v4l2_event_unsubscribe(sev);
++ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+ kvfree(sev);
+- goto out_unlock;
+ }
+ }
+
+- spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+- list_add(&sev->list, &fh->subscribed);
+- spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+-
+-out_unlock:
+ mutex_unlock(&fh->subscribe_lock);
+
+ return ret;
+@@ -279,7 +291,6 @@ int v4l2_event_unsubscribe(struct v4l2_f
+ {
+ struct v4l2_subscribed_event *sev;
+ unsigned long flags;
+- int i;
+
+ if (sub->type == V4L2_EVENT_ALL) {
+ v4l2_event_unsubscribe_all(fh);
+@@ -291,14 +302,8 @@ int v4l2_event_unsubscribe(struct v4l2_f
+ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+
+ sev = v4l2_event_subscribed(fh, sub->type, sub->id);
+- if (sev != NULL) {
+- /* Remove any pending events for this subscription */
+- for (i = 0; i < sev->in_use; i++) {
+- list_del(&sev->events[sev_pos(sev, i)].list);
+- fh->navailable--;
+- }
+- list_del(&sev->list);
+- }
++ if (sev != NULL)
++ __v4l2_event_unsubscribe(sev);
+
+ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
--- /dev/null
+From 82fba2df7f7c019627f24c5036dc99f41731d770 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 11 Nov 2018 00:06:12 +0200
+Subject: MIPS: OCTEON: cavium_octeon_defconfig: re-enable OCTEON USB driver
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit 82fba2df7f7c019627f24c5036dc99f41731d770 upstream.
+
+Re-enable OCTEON USB driver which is needed on older hardware
+(e.g. EdgeRouter Lite) for mass storage etc. This got accidentally
+deleted when config options were changed for OCTEON2/3 USB.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: f922bc0ad08b ("MIPS: Octeon: cavium_octeon_defconfig: Enable more drivers")
+Patchwork: https://patchwork.linux-mips.org/patch/21077/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/configs/cavium_octeon_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/configs/cavium_octeon_defconfig
++++ b/arch/mips/configs/cavium_octeon_defconfig
+@@ -140,6 +140,7 @@ CONFIG_RTC_CLASS=y
+ CONFIG_RTC_DRV_DS1307=y
+ CONFIG_STAGING=y
+ CONFIG_OCTEON_ETHERNET=y
++CONFIG_OCTEON_USB=y
+ # CONFIG_IOMMU_SUPPORT is not set
+ CONFIG_RAS=y
+ CONFIG_EXT4_FS=y
--- /dev/null
+From 7c97301285b62a41d6bceded7d964085fc8cc50f Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Oct 2018 10:09:02 -0700
+Subject: misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 7c97301285b62a41d6bceded7d964085fc8cc50f upstream.
+
+After building the kernel with Clang, the following section mismatch
+warning appears:
+
+WARNING: vmlinux.o(.text+0x3bf19a6): Section mismatch in reference from
+the function ssc_probe() to the function
+.init.text:atmel_ssc_get_driver_data()
+The function ssc_probe() references
+the function __init atmel_ssc_get_driver_data().
+This is often because ssc_probe lacks a __init
+annotation or the annotation of atmel_ssc_get_driver_data is wrong.
+
+Remove __init from atmel_ssc_get_driver_data to get rid of the mismatch.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/misc/atmel-ssc.c b/drivers/misc/atmel-ssc.c
+index b2a0340f277e..d8e3cc2dc747 100644
+--- a/drivers/misc/atmel-ssc.c
++++ b/drivers/misc/atmel-ssc.c
+@@ -132,7 +132,7 @@ static const struct of_device_id atmel_ssc_dt_ids[] = {
+ MODULE_DEVICE_TABLE(of, atmel_ssc_dt_ids);
+ #endif
+
+-static inline const struct atmel_ssc_platform_data * __init
++static inline const struct atmel_ssc_platform_data *
+ atmel_ssc_get_driver_data(struct platform_device *pdev)
+ {
+ if (pdev->dev.of_node) {
--- /dev/null
+From 5d1e9c2212ea6b4dd735e4fc3dd6279a365d5d10 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:49 +0200
+Subject: mtd: rawnand: atmel: fix OF child-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5d1e9c2212ea6b4dd735e4fc3dd6279a365d5d10 upstream.
+
+Use the new of_get_compatible_child() helper to lookup the nfc child
+node instead of using of_find_compatible_node(), which searches the
+entire tree from a given start node and thus can return an unrelated
+(i.e. non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the node of the device being probed).
+
+While at it, also fix a related nfc-node reference leak.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Cc: stable <stable@vger.kernel.org> # 4.11
+Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: Josh Wu <rainyfeeling@outlook.com>
+Cc: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
+@@ -2061,8 +2061,7 @@ atmel_hsmc_nand_controller_legacy_init(s
+ int ret;
+
+ nand_np = dev->of_node;
+- nfc_np = of_find_compatible_node(dev->of_node, NULL,
+- "atmel,sama5d3-nfc");
++ nfc_np = of_get_compatible_child(dev->of_node, "atmel,sama5d3-nfc");
+ if (!nfc_np) {
+ dev_err(dev, "Could not find device node for sama5d3-nfc\n");
+ return -ENODEV;
+@@ -2476,15 +2475,19 @@ static int atmel_nand_controller_probe(s
+ }
+
+ if (caps->legacy_of_bindings) {
++ struct device_node *nfc_node;
+ u32 ale_offs = 21;
+
+ /*
+ * If we are parsing legacy DT props and the DT contains a
+ * valid NFC node, forward the request to the sama5 logic.
+ */
+- if (of_find_compatible_node(pdev->dev.of_node, NULL,
+- "atmel,sama5d3-nfc"))
++ nfc_node = of_get_compatible_child(pdev->dev.of_node,
++ "atmel,sama5d3-nfc");
++ if (nfc_node) {
+ caps = &atmel_sama5_nand_caps;
++ of_node_put(nfc_node);
++ }
+
+ /*
+ * Even if the compatible says we are dealing with an
--- /dev/null
+From 21f70d4abf9e17c2e3d7e64b7bfa3424e017f176 Mon Sep 17 00:00:00 2001
+From: Olof Johansson <olof@lixom.net>
+Date: Wed, 14 Nov 2018 16:27:55 -0800
+Subject: RISC-V: Fix raw_copy_{to,from}_user()
+
+From: Olof Johansson <olof@lixom.net>
+
+commit 21f70d4abf9e17c2e3d7e64b7bfa3424e017f176 upstream.
+
+Sparse highlighted it, and appears to be a pure bug (from vs to).
+
+./arch/riscv/include/asm/uaccess.h:403:35: warning: incorrect type in argument 1 (different address spaces)
+./arch/riscv/include/asm/uaccess.h:403:39: warning: incorrect type in argument 2 (different address spaces)
+./arch/riscv/include/asm/uaccess.h:409:37: warning: incorrect type in argument 1 (different address spaces)
+./arch/riscv/include/asm/uaccess.h:409:41: warning: incorrect type in argument 2 (different address spaces)
+
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/riscv/include/asm/uaccess.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/uaccess.h
++++ b/arch/riscv/include/asm/uaccess.h
+@@ -400,13 +400,13 @@ extern unsigned long __must_check __asm_
+ static inline unsigned long
+ raw_copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+- return __asm_copy_to_user(to, from, n);
++ return __asm_copy_from_user(to, from, n);
+ }
+
+ static inline unsigned long
+ raw_copy_to_user(void __user *to, const void *from, unsigned long n)
+ {
+- return __asm_copy_from_user(to, from, n);
++ return __asm_copy_to_user(to, from, n);
+ }
+
+ extern long strncpy_from_user(char *dest, const char __user *src, long count);
x86-mm-move-ldt-remap-out-of-kaslr-region-on-5-level.patch
x86-ldt-unmap-ptes-for-the-slot-before-freeing-ldt-p.patch
x86-ldt-remove-unused-variable-in-map_ldt_struct.patch
+media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch
+mips-octeon-cavium_octeon_defconfig-re-enable-octeon-usb-driver.patch
+risc-v-fix-raw_copy_-to-from-_user.patch
+uio-fix-an-oops-on-load.patch
+alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch
+alsa-hda-ca0132-call-pci_iounmap-instead-of-iounmap.patch
+can-kvaser_usb-fix-accessing-freed-memory-in-kvaser_usb_start_xmit.patch
+can-kvaser_usb-fix-potential-uninitialized-variable-use.patch
+usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch
+usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch
+usb-wait-for-extra-delay-time-after-usb_port_feat_reset-for-quirky-hub.patch
+usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch
+misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch
+usb-misc-appledisplay-add-20-apple-cinema-display.patch
+gnss-serial-fix-synchronous-write-timeout.patch
+gnss-sirf-fix-synchronous-write-timeout.patch
+mtd-rawnand-atmel-fix-of-child-node-lookup.patch
+drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch
+acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch
+hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch
+hid-add-quirk-for-primax-pixart-oem-mice.patch
+hid-add-quirk-for-microsoft-pixart-oem-mouse.patch
+libceph-fall-back-to-sendmsg-for-slab-pages.patch
--- /dev/null
+From 432798195bbce1f8cd33d1c0284d0538835e25fb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 26 Oct 2018 10:19:51 +0300
+Subject: uio: Fix an Oops on load
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream.
+
+I was trying to solve a double free but I introduced a more serious
+NULL dereference bug. The problem is that if there is an IRQ which
+triggers immediately, then we need "info->uio_dev" but it's not set yet.
+
+This patch puts the original initialization back to how it was and just
+sets info->uio_dev to NULL on the error path so it should solve both
+the Oops and the double free.
+
+Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails")
+Reported-by: Mathias Thore <Mathias.Thore@infinera.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Tested-by: Mathias Thore <Mathias.Thore@infinera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -959,6 +959,8 @@ int __uio_register_device(struct module
+ if (ret)
+ goto err_uio_dev_add_attributes;
+
++ info->uio_dev = idev;
++
+ if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
+ /*
+ * Note that we deliberately don't use devm_request_irq
+@@ -970,11 +972,12 @@ int __uio_register_device(struct module
+ */
+ ret = request_irq(info->irq, uio_interrupt,
+ info->irq_flags, info->name, idev);
+- if (ret)
++ if (ret) {
++ info->uio_dev = NULL;
+ goto err_request_irq;
++ }
+ }
+
+- info->uio_dev = idev;
+ return 0;
+
+ err_request_irq:
--- /dev/null
+From 63529eaa6164ef7ab4b907b25ac3648177e5e78f Mon Sep 17 00:00:00 2001
+From: Maarten Jacobs <maarten256@outlook.com>
+Date: Mon, 19 Nov 2018 23:18:49 +0000
+Subject: usb: cdc-acm: add entry for Hiro (Conexant) modem
+
+From: Maarten Jacobs <maarten256@outlook.com>
+
+commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f upstream.
+
+The cdc-acm kernel module currently does not support the Hiro (Conexant)
+H05228 USB modem. The patch below adds the device specific information:
+ idVendor 0x0572
+ idProduct 0x1349
+
+Signed-off-by: Maarten Jacobs <maarten256@outlook.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1711,6 +1711,9 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
++ { USB_DEVICE(0x0572, 0x1349), /* Hiro (Conexant) USB MODEM H50228 */
++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
++ },
+ { USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */
+ .driver_info = QUIRK_CONTROL_LINE_STATE, },
+ { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */
--- /dev/null
+From f6501f49199097b99e4e263644d88c90d1ec1060 Mon Sep 17 00:00:00 2001
+From: Mattias Jacobsson <2pi@mok.nu>
+Date: Sun, 21 Oct 2018 11:25:37 +0200
+Subject: USB: misc: appledisplay: add 20" Apple Cinema Display
+
+From: Mattias Jacobsson <2pi@mok.nu>
+
+commit f6501f49199097b99e4e263644d88c90d1ec1060 upstream.
+
+Add another Apple Cinema Display to the list of supported displays
+
+Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/appledisplay.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -50,6 +50,7 @@ static const struct usb_device_id appled
+ { APPLEDISPLAY_DEVICE(0x9219) },
+ { APPLEDISPLAY_DEVICE(0x921c) },
+ { APPLEDISPLAY_DEVICE(0x921d) },
++ { APPLEDISPLAY_DEVICE(0x9222) },
+ { APPLEDISPLAY_DEVICE(0x9236) },
+
+ /* Terminating entry */
--- /dev/null
+From a77112577667cbda7c6292c52d909636aef31fd9 Mon Sep 17 00:00:00 2001
+From: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+Date: Fri, 26 Oct 2018 14:48:09 +0200
+Subject: usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
+
+From: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+
+commit a77112577667cbda7c6292c52d909636aef31fd9 upstream.
+
+Following on from this patch: https://lkml.org/lkml/2017/11/3/516,
+Corsair K70 LUX RGB keyboards also require the DELAY_INIT quirk to
+start correctly at boot.
+
+Dmesg output:
+usb 1-6: string descriptor 0 read error: -110
+usb 1-6: New USB device found, idVendor=1b1c, idProduct=1b33
+usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+usb 1-6: can't set config #1, error -110
+
+Signed-off-by: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -397,6 +397,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
+
++ /* Corsair K70 LUX RGB */
++ { USB_DEVICE(0x1b1c, 0x1b33), .driver_info = USB_QUIRK_DELAY_INIT },
++
+ /* Corsair K70 LUX */
+ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
+
--- /dev/null
+From deefd24228a172d1b27d4a9adbfd2cdacd60ae64 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Fri, 26 Oct 2018 13:33:15 +0800
+Subject: USB: quirks: Add no-lpm quirk for Raydium touchscreens
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit deefd24228a172d1b27d4a9adbfd2cdacd60ae64 upstream.
+
+Raydium USB touchscreen fails to set config if LPM is enabled:
+[ 2.030658] usb 1-8: New USB device found, idVendor=2386, idProduct=3119
+[ 2.030659] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
+[ 2.030660] usb 1-8: Product: Raydium Touch System
+[ 2.030661] usb 1-8: Manufacturer: Raydium Corporation
+[ 7.132209] usb 1-8: can't set config #1, error -110
+
+Same behavior can be observed on 2386:3114.
+
+Raydium claims the touchscreen supports LPM under Windows, so I used
+Microsoft USB Test Tools (MUTT) [1] to check its LPM status. MUTT shows
+that the LPM doesn't work under Windows, either. So let's just disable LPM
+for Raydium touchscreens.
+
+[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-test-tools
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -411,6 +411,11 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x2040, 0x7200), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
++ /* Raydium Touchscreen */
++ { USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM },
++
++ { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* DJI CineSSD */
+ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
+
--- /dev/null
+From 781f0766cc41a9dd2e5d118ef4b1d5d89430257b Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Fri, 19 Oct 2018 16:14:50 +0800
+Subject: USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 781f0766cc41a9dd2e5d118ef4b1d5d89430257b upstream.
+
+Devices connected under Terminus Technology Inc. Hub (1a40:0101) may
+fail to work after the system resumes from suspend:
+[ 206.063325] usb 3-2.4: reset full-speed USB device number 4 using xhci_hcd
+[ 206.143691] usb 3-2.4: device descriptor read/64, error -32
+[ 206.351671] usb 3-2.4: device descriptor read/64, error -32
+
+Info for this hub:
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=480 MxCh= 4
+D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=1a40 ProdID=0101 Rev=01.11
+S: Product=USB 2.0 Hub
+C: #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
+
+Some expirements indicate that the USB devices connected to the hub are
+innocent, it's the hub itself is to blame. The hub needs extra delay
+time after it resets its port.
+
+Hence wait for extra delay, if the device is connected to this quirky
+hub.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/admin-guide/kernel-parameters.txt | 2 ++
+ drivers/usb/core/hub.c | 14 +++++++++++---
+ drivers/usb/core/quirks.c | 6 ++++++
+ include/linux/usb/quirks.h | 3 +++
+ 4 files changed, 22 insertions(+), 3 deletions(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -4687,6 +4687,8 @@
+ prevent spurious wakeup);
+ n = USB_QUIRK_DELAY_CTRL_MSG (Device needs a
+ pause after every control message);
++ o = USB_QUIRK_HUB_SLOW_RESET (Hub needs extra
++ delay after resetting its port);
+ Example: quirks=0781:5580:bk,0a5c:5834:gij
+
+ usbhid.mousepoll=
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2791,6 +2791,7 @@ static int hub_port_reset(struct usb_hub
+ int i, status;
+ u16 portchange, portstatus;
+ struct usb_port *port_dev = hub->ports[port1 - 1];
++ int reset_recovery_time;
+
+ if (!hub_is_superspeed(hub->hdev)) {
+ if (warm) {
+@@ -2882,11 +2883,18 @@ static int hub_port_reset(struct usb_hub
+
+ done:
+ if (status == 0) {
+- /* TRSTRCY = 10 ms; plus some extra */
+ if (port_dev->quirks & USB_PORT_QUIRK_FAST_ENUM)
+ usleep_range(10000, 12000);
+- else
+- msleep(10 + 40);
++ else {
++ /* TRSTRCY = 10 ms; plus some extra */
++ reset_recovery_time = 10 + 40;
++
++ /* Hub needs extra delay after resetting its port. */
++ if (hub->hdev->quirks & USB_QUIRK_HUB_SLOW_RESET)
++ reset_recovery_time += 100;
++
++ msleep(reset_recovery_time);
++ }
+
+ if (udev) {
+ struct usb_hcd *hcd = bus_to_hcd(udev->bus);
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -128,6 +128,9 @@ static int quirks_param_set(const char *
+ case 'n':
+ flags |= USB_QUIRK_DELAY_CTRL_MSG;
+ break;
++ case 'o':
++ flags |= USB_QUIRK_HUB_SLOW_RESET;
++ break;
+ /* Ignore unrecognized flag characters */
+ }
+ }
+@@ -380,6 +383,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Terminus Technology Inc. Hub */
++ { USB_DEVICE(0x1a40, 0x0101), .driver_info = USB_QUIRK_HUB_SLOW_RESET },
++
+ /* Corsair K70 RGB */
+ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
+
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -66,4 +66,7 @@
+ /* Device needs a pause after every control message. */
+ #define USB_QUIRK_DELAY_CTRL_MSG BIT(13)
+
++/* Hub needs extra delay after resetting its port. */
++#define USB_QUIRK_HUB_SLOW_RESET BIT(14)
++
+ #endif /* __LINUX_USB_QUIRKS_H */
projects / thirdparty / kernel / stable-queue.git / commitdiff
