From: Greg Kroah-Hartman Date: Mon, 26 Nov 2018 07:51:29 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.127~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f6d71b652fdb9a99d501235e6aa9a3fe534a99e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch libceph-fall-back-to-sendmsg-for-slab-pages.patch media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch revert-bluetooth-h5-fix-missing-dependency-on.patch uio-fix-an-oops-on-load.patch usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch usb-misc-appledisplay-add-20-apple-cinema-display.patch usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch --- diff --git a/queue-4.9/acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch b/queue-4.9/acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch new file mode 100644 index 00000000000..3ab63b3925d --- /dev/null +++ b/queue-4.9/acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch @@ -0,0 +1,105 @@ +From 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 19 Nov 2018 19:06:01 +0100 +Subject: ACPI / platform: Add SMB0001 HID to forbidden_id_list + +From: Hans de Goede + +commit 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa upstream. + +Many HP AMD based laptops contain an SMB0001 device like this: + +Device (SMBD) +{ + Name (_HID, "SMB0001") // _HID: Hardware ID + Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings + { + IO (Decode16, + 0x0B20, // Range Minimum + 0x0B20, // Range Maximum + 0x20, // Alignment + 0x20, // Length + ) + IRQ (Level, ActiveLow, Shared, ) + {7} + }) +} + +The legacy style IRQ resource here causes acpi_dev_get_irqresource() to +be called with legacy=true and this message to show in dmesg: +ACPI: IRQ 7 override to edge, high + +This causes issues when later on the AMD0030 GPIO device gets enumerated: + +Device (GPIO) +{ + Name (_HID, "AMDI0030") // _HID: Hardware ID + Name (_CID, "AMDI0030") // _CID: Compatible ID + Name (_UID, Zero) // _UID: Unique ID + Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings + { + Name (RBUF, ResourceTemplate () + { + Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, ) + { + 0x00000007, + } + Memory32Fixed (ReadWrite, + 0xFED81500, // Address Base + 0x00000400, // Address Length + ) + }) + Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */ + } +} + +Now acpi_dev_get_irqresource() gets called with legacy=false, but because +of the earlier override of the trigger-type acpi_register_gsi() returns +-EBUSY (because we try to register the same interrupt with a different +trigger-type) and we end up setting IORESOURCE_DISABLED in the flags. + +The setting of IORESOURCE_DISABLED causes platform_get_irq() to call +acpi_irq_get() which is not implemented on x86 and returns -EINVAL. +resulting in the following in dmesg: + +amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22 +amd_gpio: probe of AMDI0030:00 failed with error -22 + +The SMB0001 is a "virtual" device in the sense that the only way the OS +interacts with it is through calling a couple of methods to do SMBus +transfers. As such it is weird that it has IO and IRQ resources at all, +because the driver for it is not expected to ever access the hardware +directly. + +The Linux driver for the SMB0001 device directly binds to the acpi_device +through the acpi_bus, so we do not need to instantiate a platform_device +for this ACPI device. This commit adds the SMB0001 HID to the +forbidden_id_list, avoiding the instantiating of a platform_device for it. +Not instantiating a platform_device means we will no longer call +acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of +the AMDI0030 device failing. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013 +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715 +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523 +Reported-by: Lukas Kahnert +Tested-by: Marc +Cc: All applicable +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_platform.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/acpi/acpi_platform.c ++++ b/drivers/acpi/acpi_platform.c +@@ -30,6 +30,7 @@ static const struct acpi_device_id forbi + {"PNP0200", 0}, /* AT DMA Controller */ + {"ACPI0009", 0}, /* IOxAPIC */ + {"ACPI000A", 0}, /* IOAPIC */ ++ {"SMB0001", 0}, /* ACPI SMBUS virtual device */ + {"", 0}, + }; + diff --git a/queue-4.9/alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch b/queue-4.9/alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch new file mode 100644 index 00000000000..e00ea43ffca --- /dev/null +++ b/queue-4.9/alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch @@ -0,0 +1,32 @@ +From 563785edfcef02b566e64fb5292c74c1600808aa Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 12 Nov 2018 09:43:12 +0100 +Subject: ALSA: hda/realtek - Add quirk entry for HP Pavilion 15 + +From: Takashi Iwai + +commit 563785edfcef02b566e64fb5292c74c1600808aa upstream. + +HP Pavilion 15 (103c:820d) with ALC295 codec requires the quirk for +the mute LED control over mic3 pin. Added the corresponding quirk +entry. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201653 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5764,6 +5764,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x2336, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), + SND_PCI_QUIRK(0x103c, 0x2337, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), + SND_PCI_QUIRK(0x103c, 0x221c, "HP EliteBook 755 G2", ALC280_FIXUP_HP_HEADSET_MIC), ++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), + SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), diff --git a/queue-4.9/drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch b/queue-4.9/drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..35956a5da82 --- /dev/null +++ b/queue-4.9/drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,54 @@ +From fee05f455ceb5c670cbe48e2f9454ebc4a388554 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 16 Oct 2018 12:59:44 +0200 +Subject: drivers/misc/sgi-gru: fix Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit fee05f455ceb5c670cbe48e2f9454ebc4a388554 upstream. + +req.gid can be indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +vers/misc/sgi-gru/grukdump.c:200 gru_dump_chiplet_request() warn: +potential spectre issue 'gru_base' [w] + +Fix this by sanitizing req.gid before calling macro GID_TO_GRU, which +uses it to index gru_base. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/sgi-gru/grukdump.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/misc/sgi-gru/grukdump.c ++++ b/drivers/misc/sgi-gru/grukdump.c +@@ -27,6 +27,9 @@ + #include + #include + #include ++ ++#include ++ + #include "gru.h" + #include "grutables.h" + #include "gruhandles.h" +@@ -196,6 +199,7 @@ int gru_dump_chiplet_request(unsigned lo + /* Currently, only dump by gid is implemented */ + if (req.gid >= gru_max_gids) + return -EINVAL; ++ req.gid = array_index_nospec(req.gid, gru_max_gids); + + gru = GID_TO_GRU(req.gid); + ubuf = req.buf; diff --git a/queue-4.9/hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch b/queue-4.9/hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch new file mode 100644 index 00000000000..d0c253ab242 --- /dev/null +++ b/queue-4.9/hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch @@ -0,0 +1,66 @@ +From 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 14 Nov 2018 13:55:09 -0800 +Subject: HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges + +From: Eric Biggers + +commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream. + +When a UHID_CREATE command is written to the uhid char device, a +copy_from_user() is done from a user pointer embedded in the command. +When the address limit is KERNEL_DS, e.g. as is the case during +sys_sendfile(), this can read from kernel memory. Alternatively, +information can be leaked from a setuid binary that is tricked to write +to the file descriptor. Therefore, forbid UHID_CREATE in these cases. + +No other commands in uhid_char_write() are affected by this bug and +UHID_CREATE is marked as "obsolete", so apply the restriction to +UHID_CREATE only rather than to uhid_char_write() entirely. + +Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to +Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess +helpers fault on kernel addresses"), allowing this bug to be found. + +Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com +Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events") +Cc: # v3.6+ +Cc: Jann Horn +Cc: Andy Lutomirski +Signed-off-by: Eric Biggers +Reviewed-by: Jann Horn +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/uhid.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/hid/uhid.c ++++ b/drivers/hid/uhid.c +@@ -12,6 +12,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -721,6 +722,17 @@ static ssize_t uhid_char_write(struct fi + + switch (uhid->input_buf.type) { + case UHID_CREATE: ++ /* ++ * 'struct uhid_create_req' contains a __user pointer which is ++ * copied from, so it's unsafe to allow this with elevated ++ * privileges (e.g. from a setuid binary) or via kernel_write(). ++ */ ++ if (file->f_cred != current_cred() || uaccess_kernel()) { ++ pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n", ++ task_tgid_vnr(current), current->comm); ++ ret = -EACCES; ++ goto unlock; ++ } + ret = uhid_dev_create(uhid, &uhid->input_buf); + break; + case UHID_CREATE2: diff --git a/queue-4.9/libceph-fall-back-to-sendmsg-for-slab-pages.patch b/queue-4.9/libceph-fall-back-to-sendmsg-for-slab-pages.patch new file mode 100644 index 00000000000..5da57a41825 --- /dev/null +++ b/queue-4.9/libceph-fall-back-to-sendmsg-for-slab-pages.patch @@ -0,0 +1,57 @@ +From 7e241f647dc7087a0401418a187f3f5b527cc690 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Thu, 8 Nov 2018 15:55:37 +0100 +Subject: libceph: fall back to sendmsg for slab pages + +From: Ilya Dryomov + +commit 7e241f647dc7087a0401418a187f3f5b527cc690 upstream. + +skb_can_coalesce() allows coalescing neighboring slab objects into +a single frag: + + return page == skb_frag_page(frag) && + off == frag->page_offset + skb_frag_size(frag); + +ceph_tcp_sendpage() can be handed slab pages. One example of this is +XFS: it passes down sector sized slab objects for its metadata I/O. If +the kernel client is co-located on the OSD node, the skb may go through +loopback and pop on the receive side with the exact same set of frags. +When tcp_recvmsg() attempts to copy out such a frag, hardened usercopy +complains because the size exceeds the object's allocated size: + + usercopy: kernel memory exposure attempt detected from ffff9ba917f20a00 (kmalloc-512) (1024 bytes) + +Although skb_can_coalesce() could be taught to return false if the +resulting frag would cross a slab object boundary, we already have +a fallback for non-refcounted pages. Utilize it for slab pages too. + +Cc: stable@vger.kernel.org # 4.8+ +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/messenger.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -588,9 +588,15 @@ static int ceph_tcp_sendpage(struct sock + int ret; + struct kvec iov; + +- /* sendpage cannot properly handle pages with page_count == 0, +- * we need to fallback to sendmsg if that's the case */ +- if (page_count(page) >= 1) ++ /* ++ * sendpage cannot properly handle pages with page_count == 0, ++ * we need to fall back to sendmsg if that's the case. ++ * ++ * Same goes for slab pages: skb_can_coalesce() allows ++ * coalescing neighboring slab objects into a single frag which ++ * triggers one of hardened usercopy checks. ++ */ ++ if (page_count(page) >= 1 && !PageSlab(page)) + return __ceph_tcp_sendpage(sock, page, offset, size, more); + + iov.iov_base = kmap(page) + offset; diff --git a/queue-4.9/media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch b/queue-4.9/media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch new file mode 100644 index 00000000000..6acfd8cd46b --- /dev/null +++ b/queue-4.9/media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch @@ -0,0 +1,119 @@ +From 92539d3eda2c090b382699bbb896d4b54e9bdece Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Mon, 5 Nov 2018 09:35:44 -0500 +Subject: media: v4l: event: Add subscription to list before calling "add" operation + +From: Sakari Ailus + +commit 92539d3eda2c090b382699bbb896d4b54e9bdece upstream. + +Patch ad608fbcf166 changed how events were subscribed to address an issue +elsewhere. As a side effect of that change, the "add" callback was called +before the event subscription was added to the list of subscribed events, +causing the first event queued by the add callback (and possibly other +events arriving soon afterwards) to be lost. + +Fix this by adding the subscription to the list before calling the "add" +callback, and clean up afterwards if that fails. + +Fixes: ad608fbcf166 ("media: v4l: event: Prevent freeing event subscriptions while accessed") + +Reported-by: Dave Stevenson +Signed-off-by: Sakari Ailus +Tested-by: Dave Stevenson +Reviewed-by: Hans Verkuil +Tested-by: Hans Verkuil +Cc: stable@vger.kernel.org (for 4.14 and up) +Signed-off-by: Mauro Carvalho Chehab +[Sakari Ailus: Backported to v4.9 stable] +Signed-off-by: Sakari Ailus +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-event.c | 43 +++++++++++++++++++---------------- + 1 file changed, 24 insertions(+), 19 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-event.c ++++ b/drivers/media/v4l2-core/v4l2-event.c +@@ -197,6 +197,22 @@ int v4l2_event_pending(struct v4l2_fh *f + } + EXPORT_SYMBOL_GPL(v4l2_event_pending); + ++static void __v4l2_event_unsubscribe(struct v4l2_subscribed_event *sev) ++{ ++ struct v4l2_fh *fh = sev->fh; ++ unsigned int i; ++ ++ lockdep_assert_held(&fh->subscribe_lock); ++ assert_spin_locked(&fh->vdev->fh_lock); ++ ++ /* Remove any pending events for this subscription */ ++ for (i = 0; i < sev->in_use; i++) { ++ list_del(&sev->events[sev_pos(sev, i)].list); ++ fh->navailable--; ++ } ++ list_del(&sev->list); ++} ++ + int v4l2_event_subscribe(struct v4l2_fh *fh, + const struct v4l2_event_subscription *sub, unsigned elems, + const struct v4l2_subscribed_event_ops *ops) +@@ -228,27 +244,23 @@ int v4l2_event_subscribe(struct v4l2_fh + + spin_lock_irqsave(&fh->vdev->fh_lock, flags); + found_ev = v4l2_event_subscribed(fh, sub->type, sub->id); ++ if (!found_ev) ++ list_add(&sev->list, &fh->subscribed); + spin_unlock_irqrestore(&fh->vdev->fh_lock, flags); + + if (found_ev) { + /* Already listening */ + kfree(sev); +- goto out_unlock; +- } +- +- if (sev->ops && sev->ops->add) { ++ } else if (sev->ops && sev->ops->add) { + ret = sev->ops->add(sev, elems); + if (ret) { ++ spin_lock_irqsave(&fh->vdev->fh_lock, flags); ++ __v4l2_event_unsubscribe(sev); ++ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags); + kfree(sev); +- goto out_unlock; + } + } + +- spin_lock_irqsave(&fh->vdev->fh_lock, flags); +- list_add(&sev->list, &fh->subscribed); +- spin_unlock_irqrestore(&fh->vdev->fh_lock, flags); +- +-out_unlock: + mutex_unlock(&fh->subscribe_lock); + + return ret; +@@ -283,7 +295,6 @@ int v4l2_event_unsubscribe(struct v4l2_f + { + struct v4l2_subscribed_event *sev; + unsigned long flags; +- int i; + + if (sub->type == V4L2_EVENT_ALL) { + v4l2_event_unsubscribe_all(fh); +@@ -295,14 +306,8 @@ int v4l2_event_unsubscribe(struct v4l2_f + spin_lock_irqsave(&fh->vdev->fh_lock, flags); + + sev = v4l2_event_subscribed(fh, sub->type, sub->id); +- if (sev != NULL) { +- /* Remove any pending events for this subscription */ +- for (i = 0; i < sev->in_use; i++) { +- list_del(&sev->events[sev_pos(sev, i)].list); +- fh->navailable--; +- } +- list_del(&sev->list); +- } ++ if (sev != NULL) ++ __v4l2_event_unsubscribe(sev); + + spin_unlock_irqrestore(&fh->vdev->fh_lock, flags); + diff --git a/queue-4.9/misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch b/queue-4.9/misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch new file mode 100644 index 00000000000..a8359fbb4fc --- /dev/null +++ b/queue-4.9/misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch @@ -0,0 +1,41 @@ +From 7c97301285b62a41d6bceded7d964085fc8cc50f Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 10:09:02 -0700 +Subject: misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data + +From: Nathan Chancellor + +commit 7c97301285b62a41d6bceded7d964085fc8cc50f upstream. + +After building the kernel with Clang, the following section mismatch +warning appears: + +WARNING: vmlinux.o(.text+0x3bf19a6): Section mismatch in reference from +the function ssc_probe() to the function +.init.text:atmel_ssc_get_driver_data() +The function ssc_probe() references +the function __init atmel_ssc_get_driver_data(). +This is often because ssc_probe lacks a __init +annotation or the annotation of atmel_ssc_get_driver_data is wrong. + +Remove __init from atmel_ssc_get_driver_data to get rid of the mismatch. + +Signed-off-by: Nathan Chancellor +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/atmel-ssc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/atmel-ssc.c ++++ b/drivers/misc/atmel-ssc.c +@@ -130,7 +130,7 @@ static const struct of_device_id atmel_s + MODULE_DEVICE_TABLE(of, atmel_ssc_dt_ids); + #endif + +-static inline const struct atmel_ssc_platform_data * __init ++static inline const struct atmel_ssc_platform_data * + atmel_ssc_get_driver_data(struct platform_device *pdev) + { + if (pdev->dev.of_node) { diff --git a/queue-4.9/revert-bluetooth-h5-fix-missing-dependency-on.patch b/queue-4.9/revert-bluetooth-h5-fix-missing-dependency-on.patch new file mode 100644 index 00000000000..d41402f2077 --- /dev/null +++ b/queue-4.9/revert-bluetooth-h5-fix-missing-dependency-on.patch @@ -0,0 +1,33 @@ +From 1598dc4f7416892f82ed2a8ca798478f25ce4ca0 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 26 Nov 2018 08:22:30 +0100 +Subject: Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" + +From: Greg Kroah-Hartman + +This reverts commit b5c98d8ca8f93a4f73e9cbb53c7e6b8c78ed3f80 which is +commit 6c3711ec64fd23a9abc8aaf59a9429569a6282df upstream. + +You Ling writes that this config option isn't even in 4.9.y yet, so it +causes a regression. Revert the patch because of this. + +Reported-by: youling 257 +Cc: Johan Hedberg +Cc: Marcel Holtmann +Cc: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/bluetooth/Kconfig ++++ b/drivers/bluetooth/Kconfig +@@ -125,7 +125,6 @@ config BT_HCIUART_LL + config BT_HCIUART_3WIRE + bool "Three-wire UART (H5) protocol support" + depends on BT_HCIUART +- depends on BT_HCIUART_SERDEV + help + The HCI Three-wire UART Transport Layer makes it possible to + user the Bluetooth HCI over a serial port interface. The HCI diff --git a/queue-4.9/series b/queue-4.9/series index b494767749c..43f956d260d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -31,3 +31,16 @@ btrfs-enhance-btrfs_trim_fs-function-to-handle-error.patch btrfs-ensure-btrfs_trim_fs-can-trim-the-whole-filesy.patch btrfs-fix-pinned-underflow-after-transaction-aborted.patch revert-media-videobuf2-core-don-t-call-memop-finish-.patch +revert-bluetooth-h5-fix-missing-dependency-on.patch +media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch +uio-fix-an-oops-on-load.patch +alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch +usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch +usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch +usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch +misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch +usb-misc-appledisplay-add-20-apple-cinema-display.patch +drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch +acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch +hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch +libceph-fall-back-to-sendmsg-for-slab-pages.patch diff --git a/queue-4.9/uio-fix-an-oops-on-load.patch b/queue-4.9/uio-fix-an-oops-on-load.patch new file mode 100644 index 00000000000..aa3684c1eee --- /dev/null +++ b/queue-4.9/uio-fix-an-oops-on-load.patch @@ -0,0 +1,54 @@ +From 432798195bbce1f8cd33d1c0284d0538835e25fb Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 26 Oct 2018 10:19:51 +0300 +Subject: uio: Fix an Oops on load + +From: Dan Carpenter + +commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream. + +I was trying to solve a double free but I introduced a more serious +NULL dereference bug. The problem is that if there is an IRQ which +triggers immediately, then we need "info->uio_dev" but it's not set yet. + +This patch puts the original initialization back to how it was and just +sets info->uio_dev to NULL on the error path so it should solve both +the Oops and the double free. + +Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails") +Reported-by: Mathias Thore +Signed-off-by: Dan Carpenter +Cc: stable +Tested-by: Mathias Thore +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uio/uio.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -850,6 +850,8 @@ int __uio_register_device(struct module + if (ret) + goto err_uio_dev_add_attributes; + ++ info->uio_dev = idev; ++ + if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) { + /* + * Note that we deliberately don't use devm_request_irq +@@ -861,11 +863,12 @@ int __uio_register_device(struct module + */ + ret = request_irq(info->irq, uio_interrupt, + info->irq_flags, info->name, idev); +- if (ret) ++ if (ret) { ++ info->uio_dev = NULL; + goto err_request_irq; ++ } + } + +- info->uio_dev = idev; + return 0; + + err_request_irq: diff --git a/queue-4.9/usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch b/queue-4.9/usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch new file mode 100644 index 00000000000..c86085830e8 --- /dev/null +++ b/queue-4.9/usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch @@ -0,0 +1,35 @@ +From 63529eaa6164ef7ab4b907b25ac3648177e5e78f Mon Sep 17 00:00:00 2001 +From: Maarten Jacobs +Date: Mon, 19 Nov 2018 23:18:49 +0000 +Subject: usb: cdc-acm: add entry for Hiro (Conexant) modem + +From: Maarten Jacobs + +commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f upstream. + +The cdc-acm kernel module currently does not support the Hiro (Conexant) +H05228 USB modem. The patch below adds the device specific information: + idVendor 0x0572 + idProduct 0x1349 + +Signed-off-by: Maarten Jacobs +Acked-by: Oliver Neukum +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1659,6 +1659,9 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x0572, 0x1349), /* Hiro (Conexant) USB MODEM H50228 */ ++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ ++ }, + { USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */ + .driver_info = QUIRK_CONTROL_LINE_STATE, }, + { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */ diff --git a/queue-4.9/usb-misc-appledisplay-add-20-apple-cinema-display.patch b/queue-4.9/usb-misc-appledisplay-add-20-apple-cinema-display.patch new file mode 100644 index 00000000000..d309dfc47d9 --- /dev/null +++ b/queue-4.9/usb-misc-appledisplay-add-20-apple-cinema-display.patch @@ -0,0 +1,29 @@ +From f6501f49199097b99e4e263644d88c90d1ec1060 Mon Sep 17 00:00:00 2001 +From: Mattias Jacobsson <2pi@mok.nu> +Date: Sun, 21 Oct 2018 11:25:37 +0200 +Subject: USB: misc: appledisplay: add 20" Apple Cinema Display + +From: Mattias Jacobsson <2pi@mok.nu> + +commit f6501f49199097b99e4e263644d88c90d1ec1060 upstream. + +Add another Apple Cinema Display to the list of supported displays + +Signed-off-by: Mattias Jacobsson <2pi@mok.nu> +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/appledisplay.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/misc/appledisplay.c ++++ b/drivers/usb/misc/appledisplay.c +@@ -63,6 +63,7 @@ static const struct usb_device_id appled + { APPLEDISPLAY_DEVICE(0x9219) }, + { APPLEDISPLAY_DEVICE(0x921c) }, + { APPLEDISPLAY_DEVICE(0x921d) }, ++ { APPLEDISPLAY_DEVICE(0x9222) }, + { APPLEDISPLAY_DEVICE(0x9236) }, + + /* Terminating entry */ diff --git a/queue-4.9/usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch b/queue-4.9/usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch new file mode 100644 index 00000000000..582e26b23ad --- /dev/null +++ b/queue-4.9/usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch @@ -0,0 +1,39 @@ +From a77112577667cbda7c6292c52d909636aef31fd9 Mon Sep 17 00:00:00 2001 +From: Emmanuel Pescosta +Date: Fri, 26 Oct 2018 14:48:09 +0200 +Subject: usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB + +From: Emmanuel Pescosta + +commit a77112577667cbda7c6292c52d909636aef31fd9 upstream. + +Following on from this patch: https://lkml.org/lkml/2017/11/3/516, +Corsair K70 LUX RGB keyboards also require the DELAY_INIT quirk to +start correctly at boot. + +Dmesg output: +usb 1-6: string descriptor 0 read error: -110 +usb 1-6: New USB device found, idVendor=1b1c, idProduct=1b33 +usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +usb 1-6: can't set config #1, error -110 + +Signed-off-by: Emmanuel Pescosta +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -243,6 +243,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | + USB_QUIRK_DELAY_CTRL_MSG }, + ++ /* Corsair K70 LUX RGB */ ++ { USB_DEVICE(0x1b1c, 0x1b33), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Corsair K70 LUX */ + { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, + diff --git a/queue-4.9/usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch b/queue-4.9/usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch new file mode 100644 index 00000000000..4a3a16f2bf7 --- /dev/null +++ b/queue-4.9/usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch @@ -0,0 +1,48 @@ +From deefd24228a172d1b27d4a9adbfd2cdacd60ae64 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 26 Oct 2018 13:33:15 +0800 +Subject: USB: quirks: Add no-lpm quirk for Raydium touchscreens + +From: Kai-Heng Feng + +commit deefd24228a172d1b27d4a9adbfd2cdacd60ae64 upstream. + +Raydium USB touchscreen fails to set config if LPM is enabled: +[ 2.030658] usb 1-8: New USB device found, idVendor=2386, idProduct=3119 +[ 2.030659] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0 +[ 2.030660] usb 1-8: Product: Raydium Touch System +[ 2.030661] usb 1-8: Manufacturer: Raydium Corporation +[ 7.132209] usb 1-8: can't set config #1, error -110 + +Same behavior can be observed on 2386:3114. + +Raydium claims the touchscreen supports LPM under Windows, so I used +Microsoft USB Test Tools (MUTT) [1] to check its LPM status. MUTT shows +that the LPM doesn't work under Windows, either. So let's just disable LPM +for Raydium touchscreens. + +[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-test-tools + +Signed-off-by: Kai-Heng Feng +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -263,6 +263,11 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x2040, 0x7200), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, + ++ /* Raydium Touchscreen */ ++ { USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM }, ++ ++ { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, +