--- /dev/null
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: apparmor: enforce nullbyte at end of tag string
+
+From: Jann Horn <jannh@google.com>
+
+commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -276,7 +276,7 @@ static bool unpack_nameX(struct aa_ext *
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
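Review bot: The new terminator test `tag[size-1] != '\0'` sits inside the `name &&` condition, so a tag without a trailing NUL is still accepted when no name is requested. That appears harmless, because the tag is then skipped without being handed to a string function, but the existing comment does not say so. I would extend it to `/* if a name is specified it must match, and the tag is only treated as a C string once its last byte is known to be NUL; otherwise skip tag */`. The check also relies on unpack_u16_chunk() returning a size bounded by the remaining blob, which is outside this hunk, as are the start and end of unpack_nameX().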
--- /dev/null
+From 23375b13f98c5464c2b4d15f983cc062940f1f4e Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Sun, 26 May 2019 06:42:23 -0700
+Subject: apparmor: fix PROFILE_MEDIATES for untrusted input
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 23375b13f98c5464c2b4d15f983cc062940f1f4e upstream.
+
+While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensure
+every profile has a policy.dfa it does not resize the policy.start[]
+to have entries for every possible start value. Which means
+PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately
+commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not
+take into account the start value usage.
+
+The input string in profile_query_cb() is user controlled and is not
+properly checked to be within the limited start[] entries, even worse
+it can't be as userspace policy is allowed to make us of entries types
+the kernel does not know about. This mean usespace can currently cause
+the kernel to access memory up to 240 entries beyond the start array
+bounds.
+
+Cc: stable@vger.kernel.org
+Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/include/policy.h | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -214,7 +214,16 @@ static inline struct aa_profile *aa_get_
+ return labels_profile(aa_get_newest_label(&p->label));
+ }
+
+-#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)])
++static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
++ unsigned char class)
++{
++ if (class <= AA_CLASS_LAST)
++ return profile->policy.start[class];
++ else
++ return aa_dfa_match_len(profile->policy.dfa,
++ profile->policy.start[0], &class, 1);
++}
++
+ static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
+ u16 AF) {
+ unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
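Review bot: The bound `class <= AA_CLASS_LAST` in the new PROFILE_MEDIATES() is only safe if policy.start[] is declared with AA_CLASS_LAST + 1 entries, and that declaration is not in this hunk. A comment tying the two together would keep them from drifting apart, e.g. `/* start[] has AA_CLASS_LAST + 1 entries; unknown classes are resolved through the dfa instead */`. The old macro's explicit `(unsigned char)` cast is now an implicit narrowing at the call site, so a wider user-controlled value is still truncated silently, which deserves a word in that comment. The `else` after `return` is redundant in kernel style. PROFILE_MEDIATES_AF() continues outside the hunk.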
--- /dev/null
+From 2de0b42da263c97d330d276f5ccf7c4470e3324f Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:51 -0700
+Subject: brcmfmac: sdio: Disable auto-tuning around commands expected to fail
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 2de0b42da263c97d330d276f5ccf7c4470e3324f upstream.
+
+There are certain cases, notably when transitioning between sleep and
+active state, when Broadcom SDIO WiFi cards will produce errors on the
+SDIO bus. This is evident from the source code where you can see that
+we try commands in a loop until we either get success or we've tried
+too many times. The comment in the code reinforces this by saying
+"just one write attempt may fail"
+
+Unfortunately these failures sometimes end up causing an "-EILSEQ"
+back to the core which triggers a retuning of the SDIO card and that
+blocks all traffic to the card until it's done.
+
+Let's disable retuning around the commands we expect might fail.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -667,6 +667,8 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+
+ brcmf_dbg(TRACE, "Enter: on=%d\n", on);
+
++ sdio_retune_crc_disable(bus->sdiodev->func1);
++
+ wr_val = (on << SBSDIO_FUNC1_SLEEPCSR_KSO_SHIFT);
+ /* 1st KSO write goes to AOS wake up core if device is asleep */
+ brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
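Review bot: The `sdio_retune_crc_disable()` added near the top of brcmf_sdio_kso_control() is balanced only by the `sdio_retune_crc_enable()` in the second hunk, just before `return err;`. Any return path in the retry loop between the two hunks would therefore leave CRC-triggered re-tuning disabled for this function; that code is not visible here and should be checked. A short comment at the disable call would record the reason in the source, for example `/* KSO writes may fail with CRC errors during sleep/wake; don't let them trigger a re-tune */`. The function starts outside this hunk.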
+@@ -719,6 +721,8 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+ if (try_cnt > MAX_KSO_ATTEMPTS)
+ brcmf_err("max tries: rd_val=0x%x err=%d\n", rd_val, err);
+
++ sdio_retune_crc_enable(bus->sdiodev->func1);
++
+ return err;
+ }
+
--- /dev/null
+From 65dade6044079a5c206fd1803642ff420061417a Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:53 -0700
+Subject: brcmfmac: sdio: Don't tune while the card is off
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 65dade6044079a5c206fd1803642ff420061417a upstream.
+
+When Broadcom SDIO cards are idled they go to sleep and a whole
+separate subsystem takes over their SDIO communication. This is the
+Always-On-Subsystem (AOS) and it can't handle tuning requests.
+
+Specifically, as tested on rk3288-veyron-minnie (which reports having
+BCM4354/1 in dmesg), if I force a retune in brcmf_sdio_kso_control()
+when "on = 1" (aka we're transition from sleep to wake) by whacking:
+ bus->sdiodev->func1->card->host->need_retune = 1
+...then I can often see tuning fail. In this case dw_mmc reports "All
+phases bad!"). Note that I don't get 100% failure, presumably because
+sometimes the card itself has already transitioned away from the AOS
+itself by the time we try to wake it up. If I force retuning when "on
+= 0" (AKA force retuning right before sending the command to go to
+sleep) then retuning is always OK.
+
+NOTE: we need _both_ this patch and the patch to avoid triggering
+tuning due to CRC errors in the sleep/wake transition, AKA ("brcmfmac:
+sdio: Disable auto-tuning around commands expected to fail"). Though
+both patches handle issues with Broadcom's AOS, the problems are
+distinct:
+1. We want to defer (but not ignore) asynchronous (like
+ timer-requested) tuning requests till the card is awake. However,
+ we want to ignore CRC errors during the transition, we don't want
+ to queue deferred tuning request.
+2. You could imagine that the AOS could implement retuning but we
+ could still get errors while transitioning in and out of the AOS.
+ Similarly you could imagine a seamless transition into and out of
+ the AOS (with no CRC errors) even if the AOS couldn't handle
+ tuning.
+
+ALSO NOTE: presumably there is never a desperate need to retune in
+order to wake up the card, since doing so is impossible. Luckily the
+only way the card can get into sleep state is if we had a good enough
+tuning to send it the command to put it into sleep, so presumably that
+"good enough" tuning is enough to wake us up, at least with a few
+retries.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -669,6 +669,10 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+
+ sdio_retune_crc_disable(bus->sdiodev->func1);
+
++ /* Cannot re-tune if device is asleep; defer till we're awake */
++ if (on)
++ sdio_retune_hold_now(bus->sdiodev->func1);
++
+ wr_val = (on << SBSDIO_FUNC1_SLEEPCSR_KSO_SHIFT);
+ /* 1st KSO write goes to AOS wake up core if device is asleep */
+ brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
+@@ -721,6 +725,9 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+ if (try_cnt > MAX_KSO_ATTEMPTS)
+ brcmf_err("max tries: rd_val=0x%x err=%d\n", rd_val, err);
+
++ if (on)
++ sdio_retune_release(bus->sdiodev->func1);
++
+ sdio_retune_crc_enable(bus->sdiodev->func1);
+
+ return err;
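Review bot: The `sdio_retune_release()` added before `sdio_retune_crc_enable()` runs even when the wake-up did not succeed, since the `try_cnt > MAX_KSO_ATTEMPTS` branch just above only logs. A deferred tuning request may then be acted on by a later command while the card is possibly still asleep, which is the condition the hold was added to avoid. Whether that matters depends on how callers treat a non-zero `err`, which is outside the hunk. At minimum I would comment the release: `/* pairs with sdio_retune_hold_now() above; a deferred re-tune may run from here on */`.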
--- /dev/null
+From 0ff2b018b02f89da26a616e0148582321a00fd99 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 5 Jun 2019 10:15:34 +1000
+Subject: cifs: fix panic in smb2_reconnect
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 0ff2b018b02f89da26a616e0148582321a00fd99 upstream.
+
+RH Bugzilla: 1702264
+
+We need to protect so that the call to smb2_reconnect() in
+smb2_reconnect_server() does not end up freeing the session
+because it can lead to a use after free and crash.
+
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2869,9 +2869,14 @@ void smb2_reconnect_server(struct work_s
+ tcon_exist = true;
+ }
+ }
++ /*
++ * IPC has the same lifetime as its session and uses its
++ * refcount.
++ */
+ if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) {
+ list_add_tail(&ses->tcon_ipc->rlist, &tmp_list);
+ tcon_exist = true;
++ ses->ses_count++;
+ }
+ }
+ /*
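Review bot: The bare `ses->ses_count++` in this hunk is only correct if it runs under the same lock that cifs_put_smb_ses() takes when it drops the count, and no lock acquisition is visible here. If smb2_reconnect_server() does not hold that lock at this point, the increment races with a concurrent put. The new comment explains the lifetime but not the pairing, so I would add `/* dropped via cifs_put_smb_ses() when the IPC tcon is taken off tmp_list */` next to the increment. The second hunk reads `tcon->ses` after the reconnect attempt, which is safe only because of this extra reference. The function starts and ends outside both hunks.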
+@@ -2890,7 +2895,10 @@ void smb2_reconnect_server(struct work_s
+ else
+ resched = true;
+ list_del_init(&tcon->rlist);
+- cifs_put_tcon(tcon);
++ if (tcon->ipc)
++ cifs_put_smb_ses(tcon->ses);
++ else
++ cifs_put_tcon(tcon);
+ }
+
+ cifs_dbg(FYI, "Reconnecting tcons finished\n");
--- /dev/null
+From 3230f4a8d44e4a0bb7afea814b280b5129521f52 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:32 -0400
+Subject: IB/hfi1: Silence txreq allocation warnings
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 3230f4a8d44e4a0bb7afea814b280b5129521f52 upstream.
+
+The following warning can happen when a memory shortage
+occurs during txreq allocation:
+
+[10220.939246] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+[10220.939246] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
+[10220.939247] cache: mnt_cache, object size: 384, buffer size: 384, default order: 2, min order: 0
+[10220.939260] Workqueue: hfi0_0 _hfi1_do_send [hfi1]
+[10220.939261] node 0: slabs: 1026568, objs: 43115856, free: 0
+[10220.939262] Call Trace:
+[10220.939262] node 1: slabs: 820872, objs: 34476624, free: 0
+[10220.939263] dump_stack+0x5a/0x73
+[10220.939265] warn_alloc+0x103/0x190
+[10220.939267] ? wake_all_kswapds+0x54/0x8b
+[10220.939268] __alloc_pages_slowpath+0x86c/0xa2e
+[10220.939270] ? __alloc_pages_nodemask+0x2fe/0x320
+[10220.939271] __alloc_pages_nodemask+0x2fe/0x320
+[10220.939273] new_slab+0x475/0x550
+[10220.939275] ___slab_alloc+0x36c/0x520
+[10220.939287] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939299] ? __get_txreq+0x54/0x160 [hfi1]
+[10220.939310] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939312] __slab_alloc+0x40/0x61
+[10220.939323] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939325] kmem_cache_alloc+0x181/0x1b0
+[10220.939336] hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939348] ? hfi1_verbs_send_dma+0x386/0xa10 [hfi1]
+[10220.939359] ? find_prev_entry+0xb0/0xb0 [hfi1]
+[10220.939371] hfi1_do_send+0x1d9/0x3f0 [hfi1]
+[10220.939372] process_one_work+0x171/0x380
+[10220.939374] worker_thread+0x49/0x3f0
+[10220.939375] kthread+0xf8/0x130
+[10220.939377] ? max_active_store+0x80/0x80
+[10220.939378] ? kthread_bind+0x10/0x10
+[10220.939379] ret_from_fork+0x35/0x40
+[10220.939381] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+
+The shortage is handled properly so the message isn't needed. Silence by
+adding the no warn option to the slab allocation.
+
+Fixes: 45842abbb292 ("staging/rdma/hfi1: move txreq header code")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/verbs_txreq.c | 2 +-
+ drivers/infiniband/hw/hfi1/verbs_txreq.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.c
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.c
+@@ -100,7 +100,7 @@ struct verbs_txreq *__get_txreq(struct h
+ if (ib_rvt_state_ops[qp->state] & RVT_PROCESS_RECV_OK) {
+ struct hfi1_qp_priv *priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (tx)
+ goto out;
+ priv = qp->priv;
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.h
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.h
+@@ -72,6 +72,7 @@ struct hfi1_ibdev;
+ struct verbs_txreq *__get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp);
+
++#define VERBS_TXREQ_GFP (GFP_ATOMIC | __GFP_NOWARN)
+ static inline struct verbs_txreq *get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp)
+ __must_hold(&qp->slock)
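Review bot: `VERBS_TXREQ_GFP` is defined with no comment and no blank line before get_txreq(), so the reason for `__GFP_NOWARN` lives only in the commit message. I would add `/* allocation failure is handled by the __get_txreq() slow path, so suppress the allocator warning */` above the define and a blank line after it. Both call sites, here and in the verbs_txreq.c hunk, test `tx` after the allocation, which is what makes suppressing the warning reasonable. Any future user of the macro needs the same handling.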
+@@ -79,7 +80,7 @@ static inline struct verbs_txreq *get_tx
+ struct verbs_txreq *tx;
+ struct hfi1_qp_priv *priv = qp->priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (unlikely(!tx)) {
+ /* call slow path to get the lock */
+ tx = __get_txreq(dev, qp);
--- /dev/null
+From 5f90677ed31963abb184ee08ebee4a4a68225dd8 Mon Sep 17 00:00:00 2001
+From: Kaike Wan <kaike.wan@intel.com>
+Date: Fri, 7 Jun 2019 08:25:25 -0400
+Subject: IB/hfi1: Validate fault injection opcode user input
+
+From: Kaike Wan <kaike.wan@intel.com>
+
+commit 5f90677ed31963abb184ee08ebee4a4a68225dd8 upstream.
+
+The opcode range for fault injection from user should be validated before
+it is applied to the fault->opcodes[] bitmap to avoid out-of-bound
+error.
+
+Cc: <stable@vger.kernel.org>
+Fixes: a74d5307caba ("IB/hfi1: Rework fault injection machinery")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/fault.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/hw/hfi1/fault.c
++++ b/drivers/infiniband/hw/hfi1/fault.c
+@@ -153,6 +153,7 @@ static ssize_t fault_opcodes_write(struc
+ char *dash;
+ unsigned long range_start, range_end, i;
+ bool remove = false;
++ unsigned long bound = 1U << BITS_PER_BYTE;
+
+ end = strchr(ptr, ',');
+ if (end)
+@@ -178,6 +179,10 @@ static ssize_t fault_opcodes_write(struc
+ BITS_PER_BYTE);
+ break;
+ }
++ /* Check the inputs */
++ if (range_start >= bound || range_end >= bound)
++ break;
++
+ for (i = range_start; i <= range_end; i++) {
+ if (remove)
+ clear_bit(i, fault->opcodes);
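Review bot: The new range check leaves the parse loop with `break`, so a write containing an out-of-range opcode appears to be accepted silently, with earlier entries applied and later ones dropped. Whether the function then returns an error is outside the hunk, but returning `-EINVAL` would make bad input visible to the writer. The check does not reject `range_start > range_end`, which is harmless here because the `for` loop simply does not run. The comment `/* Check the inputs */` could state what is enforced, e.g. `/* opcodes are one byte wide; reject anything that would index past the bitmap */`. fault_opcodes_write() starts and ends outside the hunk.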
--- /dev/null
+From 389fc70b60f534d679aea9a3f05146040ce20d77 Mon Sep 17 00:00:00 2001
+From: Crt Mori <cmo@melexis.com>
+Date: Thu, 23 May 2019 14:07:22 +0200
+Subject: iio: temperature: mlx90632 Relax the compatibility check
+
+From: Crt Mori <cmo@melexis.com>
+
+commit 389fc70b60f534d679aea9a3f05146040ce20d77 upstream.
+
+Register EE_VERSION contains mixture of calibration information and DSP
+version. So far, because calibrations were definite, the driver
+compatibility depended on whole contents, but in the newer production
+process the calibration part changes. Because of that, value in EE_VERSION
+will be changed and to avoid that calibration value is same as DSP version
+the MSB in calibration part was fixed to 1.
+That means existing calibrations (medical and consumer) will now have
+hex values (bits 8 to 15) of 83 and 84 respectively. Driver compatibility
+should be based only on DSP version part of the EE_VERSION (bits 0 to 7)
+register.
+
+Signed-off-by: Crt Mori <cmo@melexis.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/temperature/mlx90632.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/temperature/mlx90632.c
++++ b/drivers/iio/temperature/mlx90632.c
+@@ -81,6 +81,8 @@
+ /* Magic constants */
+ #define MLX90632_ID_MEDICAL 0x0105 /* EEPROM DSPv5 Medical device id */
+ #define MLX90632_ID_CONSUMER 0x0205 /* EEPROM DSPv5 Consumer device id */
++#define MLX90632_DSP_VERSION 5 /* DSP version */
++#define MLX90632_DSP_MASK GENMASK(7, 0) /* DSP version in EE_VERSION */
+ #define MLX90632_RESET_CMD 0x0006 /* Reset sensor (address or global) */
+ #define MLX90632_REF_12 12LL /**< ResCtrlRef value of Ch 1 or Ch 2 */
+ #define MLX90632_REF_3 12LL /**< ResCtrlRef value of Channel 3 */
+@@ -666,10 +668,13 @@ static int mlx90632_probe(struct i2c_cli
+ } else if (read == MLX90632_ID_CONSUMER) {
+ dev_dbg(&client->dev,
+ "Detected Consumer EEPROM calibration %x\n", read);
++ } else if ((read & MLX90632_DSP_MASK) == MLX90632_DSP_VERSION) {
++ dev_dbg(&client->dev,
++ "Detected Unknown EEPROM calibration %x\n", read);
+ } else {
+ dev_err(&client->dev,
+- "EEPROM version mismatch %x (expected %x or %x)\n",
+- read, MLX90632_ID_CONSUMER, MLX90632_ID_MEDICAL);
++ "Wrong DSP version %x (expected %x)\n",
++ read, MLX90632_DSP_VERSION);
+ return -EPROTONOSUPPORT;
+ }
+
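Review bot: The new error message `"Wrong DSP version %x (expected %x)\n"` is passed `read`, the whole EE_VERSION word, so it prints the calibration bits alongside the DSP field. A device reporting 0x8306 (a constructed example) would log a value that does not look like a DSP version. Passing `read & MLX90632_DSP_MASK` as the first argument would print the field that was actually compared. In the same chain, the explicit MEDICAL and CONSUMER branches are now subsumed by the masked comparison and remain only for their debug text. mlx90632_probe() starts and ends outside the hunk.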
--- /dev/null
+From 0e658060e5fc50dc282885dc424a94b5d95547e5 Mon Sep 17 00:00:00 2001
+From: Daniel Smith <danct12@disroot.org>
+Date: Thu, 23 May 2019 12:54:18 -0700
+Subject: Input: silead - add MSSL0017 to acpi_device_id
+
+From: Daniel Smith <danct12@disroot.org>
+
+commit 0e658060e5fc50dc282885dc424a94b5d95547e5 upstream.
+
+On Chuwi Hi10 Plus, the Silead device id is MSSL0017.
+
+Signed-off-by: Daniel Smith <danct12@disroot.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/silead.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/touchscreen/silead.c
++++ b/drivers/input/touchscreen/silead.c
+@@ -604,6 +604,7 @@ static const struct acpi_device_id silea
+ { "MSSL1680", 0 },
+ { "MSSL0001", 0 },
+ { "MSSL0002", 0 },
++ { "MSSL0017", 0 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(acpi, silead_ts_acpi_match);
--- /dev/null
+From 9843f3e08e2144724be7148e08d77a195dea257a Mon Sep 17 00:00:00 2001
+From: Alexander Mikhaylenko <exalm7659@gmail.com>
+Date: Wed, 12 Jun 2019 14:59:46 -0700
+Subject: Input: synaptics - enable SMBus on ThinkPad E480 and E580
+
+From: Alexander Mikhaylenko <exalm7659@gmail.com>
+
+commit 9843f3e08e2144724be7148e08d77a195dea257a upstream.
+
+They are capable of using intertouch and it works well with
+psmouse.synaptics_intertouch=1, so add them to the list.
+
+Without it, scrolling and gestures are jumpy, three-finger pinch gesture
+doesn't work and three- or four-finger swipes sometimes get stuck.
+
+Signed-off-by: Alexander Mikhaylenko <exalm7659@gmail.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -179,6 +179,8 @@ static const char * const smbus_pnp_ids[
+ "LEN0096", /* X280 */
+ "LEN0097", /* X280 -> ALPS trackpoint */
+ "LEN200f", /* T450s */
++ "LEN2054", /* E480 */
++ "LEN2055", /* E580 */
+ "SYN3052", /* HP EliteBook 840 G4 */
+ "SYN3221", /* HP 15-ay000 */
+ NULL
--- /dev/null
+From 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Thu, 23 May 2019 12:55:26 -0700
+Subject: Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
+
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+
+commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
+
+In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
+UI_END_FF_UPLOAD need to be adjusted before being passed on
+uinput_ioctl_handler() since code built with -m32 will be passing
+slightly different values. Extend the code already covering
+UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
+
+Reported-by: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/uinput.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -1051,13 +1051,31 @@ static long uinput_ioctl(struct file *fi
+
+ #ifdef CONFIG_COMPAT
+
+-#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++/*
++ * These IOCTLs change their size and thus their numbers between
++ * 32 and 64 bits.
++ */
++#define UI_SET_PHYS_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++#define UI_BEGIN_FF_UPLOAD_COMPAT \
++ _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
++#define UI_END_FF_UPLOAD_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
+
+ static long uinput_compat_ioctl(struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
+- if (cmd == UI_SET_PHYS_COMPAT)
++ switch (cmd) {
++ case UI_SET_PHYS_COMPAT:
+ cmd = UI_SET_PHYS;
++ break;
++ case UI_BEGIN_FF_UPLOAD_COMPAT:
++ cmd = UI_BEGIN_FF_UPLOAD;
++ break;
++ case UI_END_FF_UPLOAD_COMPAT:
++ cmd = UI_END_FF_UPLOAD;
++ break;
++ }
+
+ return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
+ }
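Review bot: The new comment above the `_COMPAT` defines says the ioctl numbers change between 32 and 64 bits, but not that uinput_compat_ioctl() rewrites only the number. The differently sized `struct uinput_ff_upload_compat` payload still has to be converted by uinput_ioctl_handler(), which is outside this hunk. I would extend the comment with `Only the command number is translated here; the handler must copy the compat layout to and from user space.` The `switch` has no `default`, which is fine because other commands are meant to pass through unchanged, but `default: break;` would make that intent explicit.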
usb-chipidea-udc-workaround-for-endpoint-conflict-issue.patch
xhci-detect-usb-3.2-capable-host-controllers-correctly.patch
usb-xhci-don-t-try-to-recover-an-endpoint-if-port-is-in-error-state.patch
+cifs-fix-panic-in-smb2_reconnect.patch
+ib-hfi1-validate-fault-injection-opcode-user-input.patch
+ib-hfi1-silence-txreq-allocation-warnings.patch
+iio-temperature-mlx90632-relax-the-compatibility-check.patch
+input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
+input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
+input-silead-add-mssl0017-to-acpi_device_id.patch
+apparmor-fix-profile_mediates-for-untrusted-input.patch
+apparmor-enforce-nullbyte-at-end-of-tag-string.patch
+brcmfmac-sdio-disable-auto-tuning-around-commands-expected-to-fail.patch
+brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch