From: Greg Kroah-Hartman Date: Mon, 26 Nov 2018 07:50:56 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v3.18.127~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9eaa4e64d5a2124ed07578cf6e4c4832fac5c60e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch alsa-hda-ca0132-call-pci_iounmap-instead-of-iounmap.patch alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch can-kvaser_usb-fix-accessing-freed-memory-in-kvaser_usb_start_xmit.patch can-kvaser_usb-fix-potential-uninitialized-variable-use.patch drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch gnss-serial-fix-synchronous-write-timeout.patch gnss-sirf-fix-synchronous-write-timeout.patch hid-add-quirk-for-microsoft-pixart-oem-mouse.patch hid-add-quirk-for-primax-pixart-oem-mice.patch hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch libceph-fall-back-to-sendmsg-for-slab-pages.patch media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch mips-octeon-cavium_octeon_defconfig-re-enable-octeon-usb-driver.patch misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch mtd-rawnand-atmel-fix-of-child-node-lookup.patch risc-v-fix-raw_copy_-to-from-_user.patch uio-fix-an-oops-on-load.patch usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch usb-misc-appledisplay-add-20-apple-cinema-display.patch usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch usb-wait-for-extra-delay-time-after-usb_port_feat_reset-for-quirky-hub.patch
---
diff --git a/queue-4.19/acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch b/queue-4.19/acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch
new file mode 100644
index 00000000000..3ab63b3925d
--- /dev/null
+++ b/queue-4.19/acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch
@@ -0,0 +1,105 @@
+From 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 19 Nov 2018 19:06:01 +0100
+Subject: ACPI / platform: Add SMB0001 HID to forbidden_id_list
+
+From: Hans de Goede
+
+commit 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa upstream.
+
+Many HP AMD based laptops contain an SMB0001 device like this:
+
+Device (SMBD)
+{
+ Name (_HID, "SMB0001") // _HID: Hardware ID
+ Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings
+ {
+ IO (Decode16,
+ 0x0B20, // Range Minimum
+ 0x0B20, // Range Maximum
+ 0x20, // Alignment
+ 0x20, // Length
+ )
+ IRQ (Level, ActiveLow, Shared, )
+ {7}
+ })
+}
+
+The legacy style IRQ resource here causes acpi_dev_get_irqresource() to
+be called with legacy=true and this message to show in dmesg:
+ACPI: IRQ 7 override to edge, high
+
+This causes issues when later on the AMD0030 GPIO device gets enumerated:
+
+Device (GPIO)
+{
+ Name (_HID, "AMDI0030") // _HID: Hardware ID
+ Name (_CID, "AMDI0030") // _CID: Compatible ID
+ Name (_UID, Zero) // _UID: Unique ID
+ Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings
+ {
+ Name (RBUF, ResourceTemplate ()
+ {
+ Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, )
+ {
+ 0x00000007,
+ }
+ Memory32Fixed (ReadWrite,
+ 0xFED81500, // Address Base
+ 0x00000400, // Address Length
+ )
+ })
+ Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */
+ }
+}
+
+Now acpi_dev_get_irqresource() gets called with legacy=false, but because
+of the earlier override of the trigger-type acpi_register_gsi() returns
+-EBUSY (because we try to register the same interrupt with a different
+trigger-type) and we end up setting IORESOURCE_DISABLED in the flags.
+
+The setting of IORESOURCE_DISABLED causes platform_get_irq() to call
+acpi_irq_get() which is not implemented on x86 and returns -EINVAL.
+resulting in the following in dmesg:
+
+amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22
+amd_gpio: probe of AMDI0030:00 failed with error -22
+
+The SMB0001 is a "virtual" device in the sense that the only way the OS
+interacts with it is through calling a couple of methods to do SMBus
+transfers. As such it is weird that it has IO and IRQ resources at all,
+because the driver for it is not expected to ever access the hardware
+directly.
+
+The Linux driver for the SMB0001 device directly binds to the acpi_device
+through the acpi_bus, so we do not need to instantiate a platform_device
+for this ACPI device. This commit adds the SMB0001 HID to the
+forbidden_id_list, avoiding the instantiating of a platform_device for it.
+Not instantiating a platform_device means we will no longer call
+acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of
+the AMDI0030 device failing.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523
+Reported-by: Lukas Kahnert
+Tested-by: Marc
+Cc: All applicable
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/acpi_platform.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/acpi_platform.c
++++ b/drivers/acpi/acpi_platform.c
+@@ -30,6 +30,7 @@ static const struct acpi_device_id forbi
+ {"PNP0200", 0}, /* AT DMA Controller */
+ {"ACPI0009", 0}, /* IOxAPIC */
+ {"ACPI000A", 0}, /* IOAPIC */
++ {"SMB0001", 0}, /* ACPI SMBUS virtual device */
+ {"", 0},
+ };
+
diff --git a/queue-4.19/alsa-hda-ca0132-call-pci_iounmap-instead-of-iounmap.patch b/queue-4.19/alsa-hda-ca0132-call-pci_iounmap-instead-of-iounmap.patch
new file mode 100644
index 00000000000..f8444452be6
--- /dev/null
+++ b/queue-4.19/alsa-hda-ca0132-call-pci_iounmap-instead-of-iounmap.patch
@@ -0,0 +1,33 @@
+From d99501b8575dc1248bacf1b58d2241cb4b265d49 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 12 Nov 2018 12:26:57 +0100
+Subject: ALSA: hda/ca0132 - Call pci_iounmap() instead of iounmap()
+
+From: Takashi Iwai
+
+commit d99501b8575dc1248bacf1b58d2241cb4b265d49 upstream.
+
+We need to call pci_iounmap() instead of iounmap() for the regions
+obtained via pci_iomap() call for some archs that need special
+treatment.
+
+Fixes: aa31704fd81c ("ALSA: hda/ca0132: Add PCI region2 iomap for SBZ")
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_ca0132.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -7395,7 +7395,7 @@ static void ca0132_free(struct hda_codec
+
+ snd_hda_power_down(codec);
+ if (spec->mem_base)
+- iounmap(spec->mem_base);
++ pci_iounmap(codec->bus->pci, spec->mem_base);
+ kfree(spec->spec_init_verbs);
+ kfree(codec->spec);
+ }
diff --git a/queue-4.19/alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch b/queue-4.19/alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch
new file mode 100644
index 00000000000..6752a05f1c7
--- /dev/null
+++ b/queue-4.19/alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch
@@ -0,0 +1,32 @@
+From 563785edfcef02b566e64fb5292c74c1600808aa Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 12 Nov 2018 09:43:12 +0100
+Subject: ALSA: hda/realtek - Add quirk entry for HP Pavilion 15
+
+From: Takashi Iwai
+
+commit 563785edfcef02b566e64fb5292c74c1600808aa upstream.
+
+HP Pavilion 15 (103c:820d) with ALC295 codec requires the quirk for
+the mute LED control over mic3 pin. Added the corresponding quirk
+entry.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201653
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6481,6 +6481,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x2336, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2337, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x221c, "HP EliteBook 755 G2", ALC280_FIXUP_HP_HEADSET_MIC),
++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC),
+ SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360),
+ SND_PCI_QUIRK(0x103c, 0x82bf, "HP", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
diff --git a/queue-4.19/can-kvaser_usb-fix-accessing-freed-memory-in-kvaser_usb_start_xmit.patch b/queue-4.19/can-kvaser_usb-fix-accessing-freed-memory-in-kvaser_usb_start_xmit.patch
new file mode 100644
index 00000000000..386a141b7d0
--- /dev/null
+++ b/queue-4.19/can-kvaser_usb-fix-accessing-freed-memory-in-kvaser_usb_start_xmit.patch
@@ -0,0 +1,52 @@
+From e13fb9b37cc00616b90df2d620f30345b5ada6ff Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Mon, 6 Aug 2018 15:14:49 +0200
+Subject: can: kvaser_usb: Fix accessing freed memory in kvaser_usb_start_xmit()
+
+From: Jimmy Assarsson
+
+commit e13fb9b37cc00616b90df2d620f30345b5ada6ff upstream.
+
+The call to can_put_echo_skb() may result in the skb being freed. The skb
+is later used in the call to dev->ops->dev_frame_to_cmd().
+
+This is avoided by moving the call to can_put_echo_skb() after
+dev->ops->dev_frame_to_cmd().
+
+Reported-by: Dan Carpenter
+Signed-off-by: Jimmy Assarsson
+Cc: linux-stable
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -528,7 +528,6 @@ static netdev_tx_t kvaser_usb_start_xmit
+ context = &priv->tx_contexts[i];
+
+ context->echo_index = i;
+- can_put_echo_skb(skb, netdev, context->echo_index);
+ ++priv->active_tx_contexts;
+ if (priv->active_tx_contexts >= (int)dev->max_tx_urbs)
+ netif_stop_queue(netdev);
+@@ -553,7 +552,6 @@ static netdev_tx_t kvaser_usb_start_xmit
+ dev_kfree_skb(skb);
+ spin_lock_irqsave(&priv->tx_contexts_lock, flags);
+
+- can_free_echo_skb(netdev, context->echo_index);
+ context->echo_index = dev->max_tx_urbs;
+ --priv->active_tx_contexts;
+ netif_wake_queue(netdev);
+@@ -564,6 +562,8 @@ static netdev_tx_t kvaser_usb_start_xmit
+
+ context->priv = priv;
+
++ can_put_echo_skb(skb, netdev, context->echo_index);
++
+ usb_fill_bulk_urb(urb, dev->udev,
+ usb_sndbulkpipe(dev->udev,
+ dev->bulk_out->bEndpointAddress),
diff --git a/queue-4.19/can-kvaser_usb-fix-potential-uninitialized-variable-use.patch b/queue-4.19/can-kvaser_usb-fix-potential-uninitialized-variable-use.patch
new file mode 100644
index 00000000000..6fa94050baf
--- /dev/null
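Review bot: The relocated `can_put_echo_skb(skb, netdev, context->echo_index);` in the third inner hunk (after `context->priv = priv;`) has no comment saying why it must sit there, and the ordering is the entire fix: per the commit message the call may free the skb, so nothing after it may touch `skb`. A one-line comment such as `/* can_put_echo_skb() may free skb: keep it after dev_frame_to_cmd() and do not use skb below */` would stop a later refactor from moving it back up. With `can_free_echo_skb()` dropped from the second hunk, `dev_kfree_skb(skb)` is the only release on that early error path, which looks right because no echo slot has been filled yet; the later submit-failure path is outside the hunks and is presumably where the echo skb still has to be released, so that is worth confirming. kvaser_usb_start_xmit() begins and ends outside all three hunks.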
+++ b/queue-4.19/can-kvaser_usb-fix-potential-uninitialized-variable-use.patch
@@ -0,0 +1,48 @@
+From 95217260649aa504eb5d4a0d50959ca4e67c8f96 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Mon, 6 Aug 2018 15:14:50 +0200
+Subject: can: kvaser_usb: Fix potential uninitialized variable use
+
+From: Jimmy Assarsson
+
+commit 95217260649aa504eb5d4a0d50959ca4e67c8f96 upstream.
+
+If alloc_can_err_skb() fails, cf is never initialized.
+Move assignment of cf inside check.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Jimmy Assarsson
+Cc: linux-stable
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+@@ -1019,6 +1019,11 @@ kvaser_usb_hydra_error_frame(struct kvas
+ new_state : CAN_STATE_ERROR_ACTIVE;
+
+ can_change_state(netdev, cf, tx_state, rx_state);
++
++ if (priv->can.restart_ms &&
++ old_state >= CAN_STATE_BUS_OFF &&
++ new_state < CAN_STATE_BUS_OFF)
++ cf->can_id |= CAN_ERR_RESTARTED;
+ }
+
+ if (new_state == CAN_STATE_BUS_OFF) {
+@@ -1028,11 +1033,6 @@ kvaser_usb_hydra_error_frame(struct kvas
+
+ can_bus_off(netdev);
+ }
+-
+- if (priv->can.restart_ms &&
+- old_state >= CAN_STATE_BUS_OFF &&
+- new_state < CAN_STATE_BUS_OFF)
+- cf->can_id |= CAN_ERR_RESTARTED;
+ }
+
+ if (!skb) {
diff --git a/queue-4.19/drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch b/queue-4.19/drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..35956a5da82
--- /dev/null
+++ b/queue-4.19/drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch
@@ -0,0 +1,54 @@
+From fee05f455ceb5c670cbe48e2f9454ebc4a388554 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Tue, 16 Oct 2018 12:59:44 +0200
+Subject: drivers/misc/sgi-gru: fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva
+
+commit fee05f455ceb5c670cbe48e2f9454ebc4a388554 upstream.
+
+req.gid can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+vers/misc/sgi-gru/grukdump.c:200 gru_dump_chiplet_request() warn:
+potential spectre issue 'gru_base' [w]
+
+Fix this by sanitizing req.gid before calling macro GID_TO_GRU, which
+uses it to index gru_base.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/sgi-gru/grukdump.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/misc/sgi-gru/grukdump.c
++++ b/drivers/misc/sgi-gru/grukdump.c
+@@ -27,6 +27,9 @@
+ #include
+ #include
+ #include
++
++#include
++
+ #include "gru.h"
+ #include "grutables.h"
+ #include "gruhandles.h"
+@@ -196,6 +199,7 @@ int gru_dump_chiplet_request(unsigned lo
+ /* Currently, only dump by gid is implemented */
+ if (req.gid >= gru_max_gids)
+ return -EINVAL;
++ req.gid = array_index_nospec(req.gid, gru_max_gids);
+
+ gru = GID_TO_GRU(req.gid);
+ ubuf = req.buf;
diff --git a/queue-4.19/gnss-serial-fix-synchronous-write-timeout.patch b/queue-4.19/gnss-serial-fix-synchronous-write-timeout.patch
new file mode 100644
index 00000000000..8c885ec4bbc
--- /dev/null
+++ b/queue-4.19/gnss-serial-fix-synchronous-write-timeout.patch
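Review bot: The new `req.gid = array_index_nospec(req.gid, gru_max_gids);` in gru_dump_chiplet_request() is left uncommented, and the only comment nearby ("only dump by gid is implemented") says nothing about speculation. The clamp only does its job while it sits between the `req.gid >= gru_max_gids` check and the first use in `GID_TO_GRU(req.gid)`, so I would add `/* req.gid is user-controlled; clamp it under speculation before it indexes gru_base */` on the line above it. Other GID_TO_GRU() call sites that take an index derived from user space are not visible in this patch and may deserve the same look. The function body continues outside the hunk.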
@@ -0,0 +1,42 @@
+From 56a6c7268312cba9436b84cac01b3e502c5c511d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 14 Nov 2018 09:33:57 +0100
+Subject: gnss: serial: fix synchronous write timeout
+
+From: Johan Hovold
+
+commit 56a6c7268312cba9436b84cac01b3e502c5c511d upstream.
+
+Passing a timeout of zero to the synchronous serdev_device_write()
+helper does currently not imply to wait forever (unlike passing zero to
+serdev_device_wait_until_sent()). Instead, if there's insufficient
+room in the write buffer, we'd end up with an incomplete write.
+
+Fixes: 37768b054f20 ("gnss: add generic serial driver")
+Cc: stable # 4.19
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gnss/serial.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gnss/serial.c
++++ b/drivers/gnss/serial.c
+@@ -13,6 +13,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -63,7 +64,7 @@ static int gnss_serial_write_raw(struct
+ int ret;
+
+ /* write is only buffered synchronously */
+- ret = serdev_device_write(serdev, buf, count, 0);
++ ret = serdev_device_write(serdev, buf, count, MAX_SCHEDULE_TIMEOUT);
+ if (ret < 0)
+ return ret;
+
diff --git a/queue-4.19/gnss-sirf-fix-synchronous-write-timeout.patch b/queue-4.19/gnss-sirf-fix-synchronous-write-timeout.patch
new file mode 100644
index 00000000000..aa80751f847
--- /dev/null
+++ b/queue-4.19/gnss-sirf-fix-synchronous-write-timeout.patch
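Review bot: With `MAX_SCHEDULE_TIMEOUT` the call in gnss_serial_write_raw() (and the identical change to sirf_write_raw() in the following patch) can block with no upper bound if the receiver never drains the write buffer. Whether that wait can be interrupted by a signal depends on serdev_device_write(), which is not shown here; if it cannot, a caller that is presumably reached from a user-space write could hang unkillably, so a long finite timeout or an interruptible wait is worth weighing. At minimum the existing comment should record the decision, e.g. `/* write is only buffered synchronously; wait without limit for buffer space */`. Both functions continue outside their hunks.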
@@ -0,0 +1,42 @@
+From 1decef370456870bf448a565be95db636428e106 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 14 Nov 2018 09:37:54 +0100
+Subject: gnss: sirf: fix synchronous write timeout
+
+From: Johan Hovold
+
+commit 1decef370456870bf448a565be95db636428e106 upstream.
+
+Passing a timeout of zero to the synchronous serdev_device_write()
+helper does currently not imply to wait forever (unlike passing zero to
+serdev_device_wait_until_sent()). Instead, if there's insufficient
+room in the write buffer, we'd end up with an incomplete write.
+
+Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers")
+Cc: stable # 4.19
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gnss/sirf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gnss/sirf.c
++++ b/drivers/gnss/sirf.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -83,7 +84,7 @@ static int sirf_write_raw(struct gnss_de
+ int ret;
+
+ /* write is only buffered synchronously */
+- ret = serdev_device_write(serdev, buf, count, 0);
++ ret = serdev_device_write(serdev, buf, count, MAX_SCHEDULE_TIMEOUT);
+ if (ret < 0)
+ return ret;
+
diff --git a/queue-4.19/hid-add-quirk-for-microsoft-pixart-oem-mouse.patch b/queue-4.19/hid-add-quirk-for-microsoft-pixart-oem-mouse.patch
new file mode 100644
index 00000000000..244803aeff5
--- /dev/null
+++ b/queue-4.19/hid-add-quirk-for-microsoft-pixart-oem-mouse.patch
@@ -0,0 +1,47 @@
+From e82e62e390d39c3819641cd721695702180d54fb Mon Sep 17 00:00:00 2001
+From: Sebastian Parschauer
+Date: Wed, 7 Nov 2018 13:36:40 +0100
+Subject: HID: Add quirk for Microsoft PIXART OEM mouse
+
+From: Sebastian Parschauer
+
+commit e82e62e390d39c3819641cd721695702180d54fb upstream.
+
+The PixArt OEM mice are known for disconnecting every minute in
+runlevel 1 or 3 if they are not always polled. So add quirk
+ALWAYS_POLL for this one as well.
+
+References:
+https://www.spinics.net/lists/linux-usb/msg88965.html
+http://linet.gr.jp/~kojima/PlamoWeb/ML/htdocs/201808/msg00019.html
+
+Signed-off-by: Sebastian Parschauer
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -799,6 +799,7 @@
+ #define USB_DEVICE_ID_MS_TOUCH_COVER_2 0x07a7
+ #define USB_DEVICE_ID_MS_TYPE_COVER_2 0x07a9
+ #define USB_DEVICE_ID_MS_POWER_COVER 0x07da
++#define USB_DEVICE_ID_MS_PIXART_MOUSE 0x00cb
+
+ #define USB_VENDOR_ID_MOJO 0x8282
+ #define USB_DEVICE_ID_RETRO_ADAPTER 0x3201
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -106,6 +106,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MCS, USB_DEVICE_ID_MCS_GAMEPADBLOCK), HID_QUIRK_MULTI_INPUT },
++ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE_PRO_2), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT,
USB_DEVICE_ID_MS_TOUCH_COVER_2), HID_QUIRK_NO_INIT_REPORTS },
diff --git a/queue-4.19/hid-add-quirk-for-primax-pixart-oem-mice.patch b/queue-4.19/hid-add-quirk-for-primax-pixart-oem-mice.patch
new file mode 100644
index 00000000000..5f38b4aab52
--- /dev/null
+++ b/queue-4.19/hid-add-quirk-for-primax-pixart-oem-mice.patch
@@ -0,0 +1,52 @@
+From fb862c3b199d28bee238d52e8270eae8650d6cb0 Mon Sep 17 00:00:00 2001
+From: Sebastian Parschauer
+Date: Tue, 20 Nov 2018 07:25:08 +0100
+Subject: HID: Add quirk for Primax PIXART OEM mice
+
+From: Sebastian Parschauer
+
+commit fb862c3b199d28bee238d52e8270eae8650d6cb0 upstream.
+
+The PixArt OEM mice are known for disconnecting every minute in
+runlevel 1 or 3 if they are not always polled. So add quirk
+ALWAYS_POLL for two Primax mice as well.
+
+0x4e22 is the Dell MS111-P and 0x4d0f is the unbranded HP Portia
+mouse HP 697738-001. Both were built until approx. 2014.
+Those were the standard mice from those vendors and are still
+around - even as new old stock.
+
+Reference: https://github.com/sriemer/fix-linux-mouse/issues/11
+
+Signed-off-by: Sebastian Parschauer
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-ids.h | 2 ++
+ drivers/hid/hid-quirks.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1198,6 +1198,8 @@
+ #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22 0x4d22
+ #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05
+ #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72
++#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f
++#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22 0x4e22
+
+
+ #define USB_VENDOR_ID_RISO_KAGAKU 0x1294 /* Riso Kagaku Corp.
*/
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -128,6 +128,8 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3003), HID_QUIRK_NOGET },
diff --git a/queue-4.19/hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch b/queue-4.19/hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch
new file mode 100644
index 00000000000..2acaf023fa0
--- /dev/null
+++ b/queue-4.19/hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch
@@ -0,0 +1,66 @@
+From 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 14 Nov 2018 13:55:09 -0800
+Subject: HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
+
+From: Eric Biggers
+
+commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream.
+
+When a UHID_CREATE command is written to the uhid char device, a
+copy_from_user() is done from a user pointer embedded in the command.
+When the address limit is KERNEL_DS, e.g. as is the case during
+sys_sendfile(), this can read from kernel memory. Alternatively,
+information can be leaked from a setuid binary that is tricked to write
+to the file descriptor. Therefore, forbid UHID_CREATE in these cases.
+
+No other commands in uhid_char_write() are affected by this bug and
+UHID_CREATE is marked as "obsolete", so apply the restriction to
+UHID_CREATE only rather than to uhid_char_write() entirely.
+
+Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to
+Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess
+helpers fault on kernel addresses"), allowing this bug to be found.
+
+Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
+Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events")
+Cc: # v3.6+
+Cc: Jann Horn
+Cc: Andy Lutomirski
+Signed-off-by: Eric Biggers
+Reviewed-by: Jann Horn
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/uhid.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -12,6 +12,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -722,6 +723,17 @@ static ssize_t uhid_char_write(struct fi
+
+ switch (uhid->input_buf.type) {
+ case UHID_CREATE:
++ /*
++ * 'struct uhid_create_req' contains a __user pointer which is
++ * copied from, so it's unsafe to allow this with elevated
++ * privileges (e.g. from a setuid binary) or via kernel_write().
++ */
++ if (file->f_cred != current_cred() || uaccess_kernel()) {
++ pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
++ task_tgid_vnr(current), current->comm);
++ ret = -EACCES;
++ goto unlock;
++ }
+ ret = uhid_dev_create(uhid, &uhid->input_buf);
+ break;
+ case UHID_CREATE2:
diff --git a/queue-4.19/libceph-fall-back-to-sendmsg-for-slab-pages.patch b/queue-4.19/libceph-fall-back-to-sendmsg-for-slab-pages.patch
new file mode 100644
index 00000000000..21071b91520
--- /dev/null
+++ b/queue-4.19/libceph-fall-back-to-sendmsg-for-slab-pages.patch
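Review bot: The comment added in the UHID_CREATE case describes the guard as being about "elevated privileges", but `file->f_cred != current_cred()` is a pointer comparison that rejects any writer whose credentials are not the opener's, which also covers a process that changed credentials after opening the device or was handed the descriptor by another process. The log text ("different security context") already says this accurately, so I would align the comment, e.g. `* copied from, so only allow this from the security context that` / `* opened the file, and never via kernel_write().`. Because `pr_err_once()` fires a single time, later rejected attempts leave no trace beyond the -EACCES return, which is a sensible anti-flood choice but worth knowing if the message is used for detection. uhid_char_write() starts and ends outside the hunk.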
@@ -0,0 +1,57 @@
+From 7e241f647dc7087a0401418a187f3f5b527cc690 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Thu, 8 Nov 2018 15:55:37 +0100
+Subject: libceph: fall back to sendmsg for slab pages
+
+From: Ilya Dryomov
+
+commit 7e241f647dc7087a0401418a187f3f5b527cc690 upstream.
+
+skb_can_coalesce() allows coalescing neighboring slab objects into
+a single frag:
+
+ return page == skb_frag_page(frag) &&
+ off == frag->page_offset + skb_frag_size(frag);
+
+ceph_tcp_sendpage() can be handed slab pages. One example of this is
+XFS: it passes down sector sized slab objects for its metadata I/O. If
+the kernel client is co-located on the OSD node, the skb may go through
+loopback and pop on the receive side with the exact same set of frags.
+When tcp_recvmsg() attempts to copy out such a frag, hardened usercopy
+complains because the size exceeds the object's allocated size:
+
+ usercopy: kernel memory exposure attempt detected from ffff9ba917f20a00 (kmalloc-512) (1024 bytes)
+
+Although skb_can_coalesce() could be taught to return false if the
+resulting frag would cross a slab object boundary, we already have
+a fallback for non-refcounted pages. Utilize it for slab pages too.
+
+Cc: stable@vger.kernel.org # 4.8+
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/messenger.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -593,9 +593,15 @@ static int ceph_tcp_sendpage(struct sock
+ struct bio_vec bvec;
+ int ret;
+
+- /* sendpage cannot properly handle pages with page_count == 0,
+- * we need to fallback to sendmsg if that's the case */
+- if (page_count(page) >= 1)
++ /*
++ * sendpage cannot properly handle pages with page_count == 0,
++ * we need to fall back to sendmsg if that's the case.
++ *
++ * Same goes for slab pages: skb_can_coalesce() allows
++ * coalescing neighboring slab objects into a single frag which
++ * triggers one of hardened usercopy checks.
++ */
++ if (page_count(page) >= 1 && !PageSlab(page))
+ return __ceph_tcp_sendpage(sock, page, offset, size, more);
+
+ bvec.bv_page = page;
diff --git a/queue-4.19/media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch b/queue-4.19/media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch
new file mode 100644
index 00000000000..c926c62a45f
--- /dev/null
+++ b/queue-4.19/media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch
@@ -0,0 +1,117 @@
+From 92539d3eda2c090b382699bbb896d4b54e9bdece Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Mon, 5 Nov 2018 09:35:44 -0500
+Subject: media: v4l: event: Add subscription to list before calling "add" operation
+
+From: Sakari Ailus
+
+commit 92539d3eda2c090b382699bbb896d4b54e9bdece upstream.
+
+Patch ad608fbcf166 changed how events were subscribed to address an issue
+elsewhere. As a side effect of that change, the "add" callback was called
+before the event subscription was added to the list of subscribed events,
+causing the first event queued by the add callback (and possibly other
+events arriving soon afterwards) to be lost.
+
+Fix this by adding the subscription to the list before calling the "add"
+callback, and clean up afterwards if that fails.
+
+Fixes: ad608fbcf166 ("media: v4l: event: Prevent freeing event subscriptions while accessed")
+
+Reported-by: Dave Stevenson
+Signed-off-by: Sakari Ailus
+Tested-by: Dave Stevenson
+Reviewed-by: Hans Verkuil
+Tested-by: Hans Verkuil
+Cc: stable@vger.kernel.org (for 4.14 and up)
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/v4l2-event.c | 43 +++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-event.c
++++ b/drivers/media/v4l2-core/v4l2-event.c
+@@ -193,6 +193,22 @@ int v4l2_event_pending(struct v4l2_fh *f
+ }
+ EXPORT_SYMBOL_GPL(v4l2_event_pending);
+
++static void __v4l2_event_unsubscribe(struct v4l2_subscribed_event *sev)
++{
++ struct v4l2_fh *fh = sev->fh;
++ unsigned int i;
++
++ lockdep_assert_held(&fh->subscribe_lock);
++ assert_spin_locked(&fh->vdev->fh_lock);
++
++ /* Remove any pending events for this subscription */
++ for (i = 0; i < sev->in_use; i++) {
++ list_del(&sev->events[sev_pos(sev, i)].list);
++ fh->navailable--;
++ }
++ list_del(&sev->list);
++}
++
+ int v4l2_event_subscribe(struct v4l2_fh *fh,
+ const struct v4l2_event_subscription *sub,
unsigned elems,
+ const struct v4l2_subscribed_event_ops *ops)
+@@ -224,27 +240,23 @@ int v4l2_event_subscribe(struct v4l2_fh
+
+ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+ found_ev = v4l2_event_subscribed(fh, sub->type, sub->id);
++ if (!found_ev)
++ list_add(&sev->list, &fh->subscribed);
+ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
+ if (found_ev) {
+ /* Already listening */
+ kvfree(sev);
+- goto out_unlock;
+- }
+-
+- if (sev->ops && sev->ops->add) {
++ } else if (sev->ops && sev->ops->add) {
+ ret = sev->ops->add(sev, elems);
+ if (ret) {
++ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
++ __v4l2_event_unsubscribe(sev);
++ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+ kvfree(sev);
+- goto out_unlock;
+ }
+ }
+
+- spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+- list_add(&sev->list, &fh->subscribed);
+- spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+-
+-out_unlock:
+ mutex_unlock(&fh->subscribe_lock);
+
+ return ret;
+@@ -279,7 +291,6 @@ int v4l2_event_unsubscribe(struct v4l2_f
+ {
+ struct v4l2_subscribed_event *sev;
+ unsigned long flags;
+- int i;
+
+ if (sub->type == V4L2_EVENT_ALL) {
+ v4l2_event_unsubscribe_all(fh);
+@@ -291,14 +302,8 @@ int v4l2_event_unsubscribe(struct v4l2_f
+ spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+
+ sev = v4l2_event_subscribed(fh, sub->type, sub->id);
+- if (sev != NULL) {
+- /* Remove any pending events for this subscription */
+- for (i = 0; i < sev->in_use; i++) {
+- list_del(&sev->events[sev_pos(sev, i)].list);
+- fh->navailable--;
+- }
+- list_del(&sev->list);
+- }
++ if (sev != NULL)
++ __v4l2_event_unsubscribe(sev);
+
+ spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
diff --git a/queue-4.19/mips-octeon-cavium_octeon_defconfig-re-enable-octeon-usb-driver.patch b/queue-4.19/mips-octeon-cavium_octeon_defconfig-re-enable-octeon-usb-driver.patch
new file mode 100644
index 00000000000..419cffce14a
--- /dev/null
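Review bot: `__v4l2_event_unsubscribe()` is introduced without a comment stating its contract, which matters now that it has two callers with different ownership of `sev`. From the body, the caller must hold both `fh->subscribe_lock` and `fh->vdev->fh_lock`, and the helper only unlinks `sev` and its pending events without freeing it, so the failed-`add` path in v4l2_event_subscribe() is right to `kvfree(sev)` itself after dropping the spinlock. I would put that in a short header comment on the helper (locks required; unlinks but does not free). Since `sev` is now on `fh->subscribed` before `ops->add()` runs, every field the event-queueing path reads has to be initialised before the `list_add()`; that initialisation sits above the hunk, so please confirm it. v4l2_event_subscribe() and v4l2_event_unsubscribe() both extend outside the hunks.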
+++ b/queue-4.19/mips-octeon-cavium_octeon_defconfig-re-enable-octeon-usb-driver.patch
@@ -0,0 +1,38 @@
+From 82fba2df7f7c019627f24c5036dc99f41731d770 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen
+Date: Sun, 11 Nov 2018 00:06:12 +0200
+Subject: MIPS: OCTEON: cavium_octeon_defconfig: re-enable OCTEON USB driver
+
+From: Aaro Koskinen
+
+commit 82fba2df7f7c019627f24c5036dc99f41731d770 upstream.
+
+Re-enable OCTEON USB driver which is needed on older hardware
+(e.g. EdgeRouter Lite) for mass storage etc. This got accidentally
+deleted when config options were changed for OCTEON2/3 USB.
+
+Signed-off-by: Aaro Koskinen
+Signed-off-by: Paul Burton
+Fixes: f922bc0ad08b ("MIPS: Octeon: cavium_octeon_defconfig: Enable more drivers")
+Patchwork: https://patchwork.linux-mips.org/patch/21077/
+Cc: Ralf Baechle
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/configs/cavium_octeon_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/configs/cavium_octeon_defconfig
++++ b/arch/mips/configs/cavium_octeon_defconfig
+@@ -140,6 +140,7 @@ CONFIG_RTC_CLASS=y
+ CONFIG_RTC_DRV_DS1307=y
+ CONFIG_STAGING=y
+ CONFIG_OCTEON_ETHERNET=y
++CONFIG_OCTEON_USB=y
+ # CONFIG_IOMMU_SUPPORT is not set
+ CONFIG_RAS=y
+ CONFIG_EXT4_FS=y
diff --git a/queue-4.19/misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch b/queue-4.19/misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch
new file mode 100644
index 00000000000..66cf422be21
--- /dev/null
+++ b/queue-4.19/misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch
@@ -0,0 +1,39 @@ +From 7c97301285b62a41d6bceded7d964085fc8cc50f Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 10:09:02 -0700 +Subject: misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data + +From: Nathan Chancellor + +commit 7c97301285b62a41d6bceded7d964085fc8cc50f upstream. + +After building the kernel with Clang, the following section mismatch +warning appears: + +WARNING: vmlinux.o(.text+0x3bf19a6): Section mismatch in reference from +the function ssc_probe() to the function +.init.text:atmel_ssc_get_driver_data() +The function ssc_probe() references +the function __init atmel_ssc_get_driver_data(). +This is often because ssc_probe lacks a __init +annotation or the annotation of atmel_ssc_get_driver_data is wrong. + +Remove __init from atmel_ssc_get_driver_data to get rid of the mismatch. + +Signed-off-by: Nathan Chancellor +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/misc/atmel-ssc.c b/drivers/misc/atmel-ssc.c +index b2a0340f277e..d8e3cc2dc747 100644 +--- a/drivers/misc/atmel-ssc.c ++++ b/drivers/misc/atmel-ssc.c +@@ -132,7 +132,7 @@ static const struct of_device_id atmel_ssc_dt_ids[] = { + MODULE_DEVICE_TABLE(of, atmel_ssc_dt_ids); + #endif + +-static inline const struct atmel_ssc_platform_data * __init ++static inline const struct atmel_ssc_platform_data * + atmel_ssc_get_driver_data(struct platform_device *pdev) + { + if (pdev->dev.of_node) { diff --git a/queue-4.19/mtd-rawnand-atmel-fix-of-child-node-lookup.patch b/queue-4.19/mtd-rawnand-atmel-fix-of-child-node-lookup.patch new file mode 100644 index 00000000000..841d22dd251 --- /dev/null +++ b/queue-4.19/mtd-rawnand-atmel-fix-of-child-node-lookup.patch 
@@ -0,0 +1,67 @@ +From 5d1e9c2212ea6b4dd735e4fc3dd6279a365d5d10 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 27 Aug 2018 10:21:49 +0200 +Subject: mtd: rawnand: atmel: fix OF child-node lookup + +From: Johan Hovold + +commit 5d1e9c2212ea6b4dd735e4fc3dd6279a365d5d10 upstream. + +Use the new of_get_compatible_child() helper to lookup the nfc child +node instead of using of_find_compatible_node(), which searches the +entire tree from a given start node and thus can return an unrelated +(i.e. non-child) node. + +This also addresses a potential use-after-free (e.g. after probe +deferral) as the tree-wide helper drops a reference to its first +argument (i.e. the node of the device being probed). + +While at it, also fix a related nfc-node reference leak. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Cc: stable # 4.11 +Cc: Nicolas Ferre +Cc: Josh Wu +Cc: Boris Brezillon +Signed-off-by: Johan Hovold +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/nand/raw/atmel/nand-controller.c ++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c +@@ -2061,8 +2061,7 @@ atmel_hsmc_nand_controller_legacy_init(s + int ret; + + nand_np = dev->of_node; +- nfc_np = of_find_compatible_node(dev->of_node, NULL, +- "atmel,sama5d3-nfc"); ++ nfc_np = of_get_compatible_child(dev->of_node, "atmel,sama5d3-nfc"); + if (!nfc_np) { + dev_err(dev, "Could not find device node for sama5d3-nfc\n"); + return -ENODEV; +@@ -2476,15 +2475,19 @@ static int atmel_nand_controller_probe(s + } + + if (caps->legacy_of_bindings) { ++ struct device_node *nfc_node; + u32 ale_offs = 21; + + /* + * If we are parsing legacy DT props and the DT contains a + * valid NFC node, forward the request to the sama5 logic. 
+ */ +- if (of_find_compatible_node(pdev->dev.of_node, NULL, +- "atmel,sama5d3-nfc")) ++ nfc_node = of_get_compatible_child(pdev->dev.of_node, ++ "atmel,sama5d3-nfc"); ++ if (nfc_node) { + caps = &atmel_sama5_nand_caps; ++ of_node_put(nfc_node); ++ } + + /* + * Even if the compatible says we are dealing with an diff --git a/queue-4.19/risc-v-fix-raw_copy_-to-from-_user.patch b/queue-4.19/risc-v-fix-raw_copy_-to-from-_user.patch new file mode 100644 index 00000000000..7b9c7575c3d --- /dev/null +++ b/queue-4.19/risc-v-fix-raw_copy_-to-from-_user.patch 
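Review bot: The reference returned by of_get_compatible_child() in atmel_hsmc_nand_controller_legacy_init() is kept in nfc_np, and the first inner hunk shows only the `!nfc_np` early return, so the matching `of_node_put(nfc_np)` cannot be confirmed from here; the function body continues outside the hunk. If any exit after the lookup skips the put, a node reference would still leak on that path. The atmel_nand_controller_probe() hunk does pair the lookup with `of_node_put(nfc_node);` straight away, which fits because the node is only used as a presence test there. A comment such as `/* presence check only: drop the reference at once */` above that put would keep the intent clear.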
@@ -0,0 +1,43 @@ +From 21f70d4abf9e17c2e3d7e64b7bfa3424e017f176 Mon Sep 17 00:00:00 2001 +From: Olof Johansson +Date: Wed, 14 Nov 2018 16:27:55 -0800 +Subject: RISC-V: Fix raw_copy_{to,from}_user() + +From: Olof Johansson + +commit 21f70d4abf9e17c2e3d7e64b7bfa3424e017f176 upstream. + +Sparse highlighted it, and appears to be a pure bug (from vs to). + +./arch/riscv/include/asm/uaccess.h:403:35: warning: incorrect type in argument 1 (different address spaces) +./arch/riscv/include/asm/uaccess.h:403:39: warning: incorrect type in argument 2 (different address spaces) +./arch/riscv/include/asm/uaccess.h:409:37: warning: incorrect type in argument 1 (different address spaces) +./arch/riscv/include/asm/uaccess.h:409:41: warning: incorrect type in argument 2 (different address spaces) + +Signed-off-by: Olof Johansson +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/riscv/include/asm/uaccess.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/uaccess.h ++++ b/arch/riscv/include/asm/uaccess.h +@@ -400,13 +400,13 @@ extern unsigned long __must_check __asm_ + static inline unsigned long + raw_copy_from_user(void *to, const void __user *from, unsigned long n) + { +- return __asm_copy_to_user(to, from, n); ++ return __asm_copy_from_user(to, from, n); + } + + static inline unsigned long + raw_copy_to_user(void __user *to, const void *from, unsigned long n) + { +- return __asm_copy_from_user(to, from, n); ++ return __asm_copy_to_user(to, from, n); + } + + extern long strncpy_from_user(char *dest, const char __user *src, long count); diff --git a/queue-4.19/series b/queue-4.19/series index 1e6075961ea..b3cdac811db 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
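Review bot: Nothing in raw_copy_from_user() or raw_copy_to_user() states the copy direction, and the two wrappers differ only in the helper name, which makes a swap like the one fixed here easy to miss in review. A short comment on each would make a future mix-up visible, for example `/* user -> kernel: 'from' is the __user pointer */` above raw_copy_from_user() and `/* kernel -> user: 'to' is the __user pointer */` above raw_copy_to_user(). The description shows sparse reported the address-space mismatch on exactly these lines, so keeping sparse in the build checks for this header is the mechanical guard against this class of error.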
@@ -92,3 +92,26 @@ sunrpc-drop-pointless-static-qualifier-in-xdr_get_ne.patch
 x86-mm-move-ldt-remap-out-of-kaslr-region-on-5-level.patch
 x86-ldt-unmap-ptes-for-the-slot-before-freeing-ldt-p.patch
 x86-ldt-remove-unused-variable-in-map_ldt_struct.patch
+media-v4l-event-add-subscription-to-list-before-calling-add-operation.patch
+mips-octeon-cavium_octeon_defconfig-re-enable-octeon-usb-driver.patch
+risc-v-fix-raw_copy_-to-from-_user.patch
+uio-fix-an-oops-on-load.patch
+alsa-hda-realtek-add-quirk-entry-for-hp-pavilion-15.patch
+alsa-hda-ca0132-call-pci_iounmap-instead-of-iounmap.patch
+can-kvaser_usb-fix-accessing-freed-memory-in-kvaser_usb_start_xmit.patch
+can-kvaser_usb-fix-potential-uninitialized-variable-use.patch
+usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch
+usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch
+usb-wait-for-extra-delay-time-after-usb_port_feat_reset-for-quirky-hub.patch
+usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch
+misc-atmel-ssc-fix-section-annotation-on-atmel_ssc_get_driver_data.patch
+usb-misc-appledisplay-add-20-apple-cinema-display.patch
+gnss-serial-fix-synchronous-write-timeout.patch
+gnss-sirf-fix-synchronous-write-timeout.patch
+mtd-rawnand-atmel-fix-of-child-node-lookup.patch
+drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch
+acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch
+hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch
+hid-add-quirk-for-primax-pixart-oem-mice.patch
+hid-add-quirk-for-microsoft-pixart-oem-mouse.patch
+libceph-fall-back-to-sendmsg-for-slab-pages.patch
diff --git a/queue-4.19/uio-fix-an-oops-on-load.patch b/queue-4.19/uio-fix-an-oops-on-load.patch
new file mode 100644
index 00000000000..40a242258e3
--- /dev/null
+++ b/queue-4.19/uio-fix-an-oops-on-load.patch
@@ -0,0 +1,54 @@ +From 432798195bbce1f8cd33d1c0284d0538835e25fb Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 26 Oct 2018 10:19:51 +0300 +Subject: uio: Fix an Oops on load + +From: Dan Carpenter + +commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream. + +I was trying to solve a double free but I introduced a more serious +NULL dereference bug. The problem is that if there is an IRQ which +triggers immediately, then we need "info->uio_dev" but it's not set yet. + +This patch puts the original initialization back to how it was and just +sets info->uio_dev to NULL on the error path so it should solve both +the Oops and the double free. + +Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails") +Reported-by: Mathias Thore +Signed-off-by: Dan Carpenter +Cc: stable +Tested-by: Mathias Thore +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uio/uio.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -959,6 +959,8 @@ int __uio_register_device(struct module + if (ret) + goto err_uio_dev_add_attributes; + ++ info->uio_dev = idev; ++ + if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) { + /* + * Note that we deliberately don't use devm_request_irq +@@ -970,11 +972,12 @@ int __uio_register_device(struct module + */ + ret = request_irq(info->irq, uio_interrupt, + info->irq_flags, info->name, idev); +- if (ret) ++ if (ret) { ++ info->uio_dev = NULL; + goto err_request_irq; ++ } + } + +- info->uio_dev = idev; + return 0; + + err_request_irq: diff --git a/queue-4.19/usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch b/queue-4.19/usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch new file mode 100644 index 00000000000..a6c807bc65f --- /dev/null +++ b/queue-4.19/usb-cdc-acm-add-entry-for-hiro-conexant-modem.patch 
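Review bot: The position of `info->uio_dev = idev;` ahead of request_irq() in __uio_register_device() is now load-bearing but has no comment, so a later cleanup could move it back below the IRQ block and reintroduce the Oops. I would add `/* set before request_irq(): the handler may run at once and needs info->uio_dev */` above the assignment and `/* registration failed: do not leave a pointer to idev behind */` above `info->uio_dev = NULL;`. Only the request_irq() failure resets the pointer; the `goto err_uio_dev_add_attributes` shown in the hunk runs before the assignment and is unaffected. The error labels after `err_request_irq:` lie outside the hunk, so what they release was not checked here.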
@@ -0,0 +1,35 @@ +From 63529eaa6164ef7ab4b907b25ac3648177e5e78f Mon Sep 17 00:00:00 2001 +From: Maarten Jacobs +Date: Mon, 19 Nov 2018 23:18:49 +0000 +Subject: usb: cdc-acm: add entry for Hiro (Conexant) modem + +From: Maarten Jacobs + +commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f upstream. + +The cdc-acm kernel module currently does not support the Hiro (Conexant) +H05228 USB modem. The patch below adds the device specific information: + idVendor 0x0572 + idProduct 0x1349 + +Signed-off-by: Maarten Jacobs +Acked-by: Oliver Neukum +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1711,6 +1711,9 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x0572, 0x1349), /* Hiro (Conexant) USB MODEM H50228 */ ++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ ++ }, + { USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */ + .driver_info = QUIRK_CONTROL_LINE_STATE, }, + { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */ diff --git a/queue-4.19/usb-misc-appledisplay-add-20-apple-cinema-display.patch b/queue-4.19/usb-misc-appledisplay-add-20-apple-cinema-display.patch new file mode 100644 index 00000000000..f6524306700 --- /dev/null +++ b/queue-4.19/usb-misc-appledisplay-add-20-apple-cinema-display.patch 
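Review bot: The comment on the new acm_ids entry names the modem `H50228`, while the patch description calls it `H05228`; one of the two is a typo. The USB IDs 0x0572:0x1349 agree between the description and the entry, so only the model string needs settling, e.g. `/* Hiro (Conexant) USB MODEM H05228 */` if the description is the correct one. The acm_ids table continues outside the hunk.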
@@ -0,0 +1,29 @@ +From f6501f49199097b99e4e263644d88c90d1ec1060 Mon Sep 17 00:00:00 2001 +From: Mattias Jacobsson <2pi@mok.nu> +Date: Sun, 21 Oct 2018 11:25:37 +0200 +Subject: USB: misc: appledisplay: add 20" Apple Cinema Display + +From: Mattias Jacobsson <2pi@mok.nu> + +commit f6501f49199097b99e4e263644d88c90d1ec1060 upstream. + +Add another Apple Cinema Display to the list of supported displays + +Signed-off-by: Mattias Jacobsson <2pi@mok.nu> +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/appledisplay.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/misc/appledisplay.c ++++ b/drivers/usb/misc/appledisplay.c +@@ -50,6 +50,7 @@ static const struct usb_device_id appled + { APPLEDISPLAY_DEVICE(0x9219) }, + { APPLEDISPLAY_DEVICE(0x921c) }, + { APPLEDISPLAY_DEVICE(0x921d) }, ++ { APPLEDISPLAY_DEVICE(0x9222) }, + { APPLEDISPLAY_DEVICE(0x9236) }, + + /* Terminating entry */ diff --git a/queue-4.19/usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch b/queue-4.19/usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch new file mode 100644 index 00000000000..1daf3142e98 --- /dev/null +++ b/queue-4.19/usb-quirks-add-delay-init-quirk-for-corsair-k70-lux-rgb.patch 
@@ -0,0 +1,39 @@ +From a77112577667cbda7c6292c52d909636aef31fd9 Mon Sep 17 00:00:00 2001 +From: Emmanuel Pescosta +Date: Fri, 26 Oct 2018 14:48:09 +0200 +Subject: usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB + +From: Emmanuel Pescosta + +commit a77112577667cbda7c6292c52d909636aef31fd9 upstream. + +Following on from this patch: https://lkml.org/lkml/2017/11/3/516, +Corsair K70 LUX RGB keyboards also require the DELAY_INIT quirk to +start correctly at boot. + +Dmesg output: +usb 1-6: string descriptor 0 read error: -110 +usb 1-6: New USB device found, idVendor=1b1c, idProduct=1b33 +usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +usb 1-6: can't set config #1, error -110 + +Signed-off-by: Emmanuel Pescosta +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -397,6 +397,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | + USB_QUIRK_DELAY_CTRL_MSG }, + ++ /* Corsair K70 LUX RGB */ ++ { USB_DEVICE(0x1b1c, 0x1b33), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Corsair K70 LUX */ + { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, + diff --git a/queue-4.19/usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch b/queue-4.19/usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch new file mode 100644 index 00000000000..76c50f8f92b --- /dev/null +++ b/queue-4.19/usb-quirks-add-no-lpm-quirk-for-raydium-touchscreens.patch 
@@ -0,0 +1,48 @@ +From deefd24228a172d1b27d4a9adbfd2cdacd60ae64 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 26 Oct 2018 13:33:15 +0800 +Subject: USB: quirks: Add no-lpm quirk for Raydium touchscreens + +From: Kai-Heng Feng + +commit deefd24228a172d1b27d4a9adbfd2cdacd60ae64 upstream. + +Raydium USB touchscreen fails to set config if LPM is enabled: +[ 2.030658] usb 1-8: New USB device found, idVendor=2386, idProduct=3119 +[ 2.030659] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0 +[ 2.030660] usb 1-8: Product: Raydium Touch System +[ 2.030661] usb 1-8: Manufacturer: Raydium Corporation +[ 7.132209] usb 1-8: can't set config #1, error -110 + +Same behavior can be observed on 2386:3114. + +Raydium claims the touchscreen supports LPM under Windows, so I used +Microsoft USB Test Tools (MUTT) [1] to check its LPM status. MUTT shows +that the LPM doesn't work under Windows, either. So let's just disable LPM +for Raydium touchscreens. + +[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-test-tools + +Signed-off-by: Kai-Heng Feng +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -411,6 +411,11 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x2040, 0x7200), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, + ++ /* Raydium Touchscreen */ ++ { USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM }, ++ ++ { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, + diff --git a/queue-4.19/usb-wait-for-extra-delay-time-after-usb_port_feat_reset-for-quirky-hub.patch b/queue-4.19/usb-wait-for-extra-delay-time-after-usb_port_feat_reset-for-quirky-hub.patch new file mode 100644 index 00000000000..460e5d88ee0 --- /dev/null 
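Review bot: The blank line between the two new usb_quirk_list entries leaves the 0x2386:0x3119 line without a comment of its own, whereas the neighbouring entries visible in the hunk each sit directly under one. Either drop the blank line so that `/* Raydium Touchscreen */` covers both entries, or give the second entry its own comment such as `/* Raydium Touchscreen (0x3119) */`. The table continues outside the hunk.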
+++ b/queue-4.19/usb-wait-for-extra-delay-time-after-usb_port_feat_reset-for-quirky-hub.patch 
@@ -0,0 +1,117 @@ +From 781f0766cc41a9dd2e5d118ef4b1d5d89430257b Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 19 Oct 2018 16:14:50 +0800 +Subject: USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub + +From: Kai-Heng Feng + +commit 781f0766cc41a9dd2e5d118ef4b1d5d89430257b upstream. + +Devices connected under Terminus Technology Inc. Hub (1a40:0101) may +fail to work after the system resumes from suspend: +[ 206.063325] usb 3-2.4: reset full-speed USB device number 4 using xhci_hcd +[ 206.143691] usb 3-2.4: device descriptor read/64, error -32 +[ 206.351671] usb 3-2.4: device descriptor read/64, error -32 + +Info for this hub: +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=480 MxCh= 4 +D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1a40 ProdID=0101 Rev=01.11 +S: Product=USB 2.0 Hub +C: #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=100mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub + +Some expirements indicate that the USB devices connected to the hub are +innocent, it's the hub itself is to blame. The hub needs extra delay +time after it resets its port. + +Hence wait for extra delay, if the device is connected to this quirky +hub. 
+ +Signed-off-by: Kai-Heng Feng +Cc: stable +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/admin-guide/kernel-parameters.txt | 2 ++ + drivers/usb/core/hub.c | 14 +++++++++++--- + drivers/usb/core/quirks.c | 6 ++++++ + include/linux/usb/quirks.h | 3 +++ + 4 files changed, 22 insertions(+), 3 deletions(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -4687,6 +4687,8 @@ + prevent spurious wakeup); + n = USB_QUIRK_DELAY_CTRL_MSG (Device needs a + pause after every control message); ++ o = USB_QUIRK_HUB_SLOW_RESET (Hub needs extra ++ delay after resetting its port); + Example: quirks=0781:5580:bk,0a5c:5834:gij + + usbhid.mousepoll= +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2791,6 +2791,7 @@ static int hub_port_reset(struct usb_hub + int i, status; + u16 portchange, portstatus; + struct usb_port *port_dev = hub->ports[port1 - 1]; ++ int reset_recovery_time; + + if (!hub_is_superspeed(hub->hdev)) { + if (warm) { +@@ -2882,11 +2883,18 @@ static int hub_port_reset(struct usb_hub + + done: + if (status == 0) { +- /* TRSTRCY = 10 ms; plus some extra */ + if (port_dev->quirks & USB_PORT_QUIRK_FAST_ENUM) + usleep_range(10000, 12000); +- else +- msleep(10 + 40); ++ else { ++ /* TRSTRCY = 10 ms; plus some extra */ ++ reset_recovery_time = 10 + 40; ++ ++ /* Hub needs extra delay after resetting its port. 
*/ ++ if (hub->hdev->quirks & USB_QUIRK_HUB_SLOW_RESET) ++ reset_recovery_time += 100; ++ ++ msleep(reset_recovery_time); ++ } + + if (udev) { + struct usb_hcd *hcd = bus_to_hcd(udev->bus); +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -128,6 +128,9 @@ static int quirks_param_set(const char * + case 'n': + flags |= USB_QUIRK_DELAY_CTRL_MSG; + break; ++ case 'o': ++ flags |= USB_QUIRK_HUB_SLOW_RESET; ++ break; + /* Ignore unrecognized flag characters */ + } + } +@@ -380,6 +383,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x1a0a, 0x0200), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Terminus Technology Inc. Hub */ ++ { USB_DEVICE(0x1a40, 0x0101), .driver_info = USB_QUIRK_HUB_SLOW_RESET }, ++ + /* Corsair K70 RGB */ + { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, + +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -66,4 +66,7 @@ + /* Device needs a pause after every control message. */ + #define USB_QUIRK_DELAY_CTRL_MSG BIT(13) + ++/* Hub needs extra delay after resetting its port. */ ++#define USB_QUIRK_HUB_SLOW_RESET BIT(14) ++ + #endif /* __LINUX_USB_QUIRKS_H */
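Review bot: In hub_port_reset() the new `else { ... }` arm is braced while the `if (port_dev->quirks & USB_PORT_QUIRK_FAST_ENUM)` arm is not; kernel style braces both arms once one of them needs braces, i.e. `if (...) {`, `usleep_range(10000, 12000);`, `} else {`. The added `100` is a bare number with no stated origin, and the description only says the hub needs extra delay, so a named constant or a comment recording that the value was found by experiment would help the next reader. reset_recovery_time is declared at function scope but used only inside the else arm. hub_port_reset() starts and ends outside the inner hunks.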