--- /dev/null
+From 88c54cdf61f508ebcf8da2d819f5dfc03e954d1d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 22 Aug 2017 08:15:13 +0200
+Subject: ALSA: core: Fix unexpected error at replacing user TLV
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 88c54cdf61f508ebcf8da2d819f5dfc03e954d1d upstream.
+
+When user tries to replace the user-defined control TLV, the kernel
+checks the change of its content via memcmp(). The problem is that
+the kernel passes the return value from memcmp() as is. memcmp()
+gives a non-zero negative value depending on the comparison result,
+and this shall be recognized as an error code.
+
+The patch covers that corner-case, return 1 properly for the changed
+TLV.
+
+Fixes: 8aa9b586e420 ("[ALSA] Control API - more robust TLV implementation")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/control.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1156,7 +1156,7 @@ static int snd_ctl_elem_user_tlv(struct
+ mutex_lock(&ue->card->user_ctl_lock);
+ change = ue->tlv_data_size != size;
+ if (!change)
+- change = memcmp(ue->tlv_data, new_data, size);
++ change = memcmp(ue->tlv_data, new_data, size) != 0;
+ kfree(ue->tlv_data);
+ ue->tlv_data = new_data;
+ ue->tlv_data_size = size;
--- /dev/null
+From 0c264af7be2013266c5b4c644f3f366399ee490a Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 20 Aug 2017 15:54:26 +0900
+Subject: ALSA: firewire: fix NULL pointer dereference when releasing uninitialized data of iso-resource
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 0c264af7be2013266c5b4c644f3f366399ee490a upstream.
+
+When calling 'iso_resource_free()' for uninitialized data, this function
+causes NULL pointer dereference due to its 'unit' member. This occurs when
+unplugging audio and music units on IEEE 1394 bus at failure of card
+registration.
+
+This commit fixes the bug. The bug exists since kernel v4.5.
+
+Fixes: 324540c4e05c ('ALSA: fireface: postpone sound card registration') at v4.12
+Fixes: 8865a31e0fd8 ('ALSA: firewire-motu: postpone sound card registration') at v4.12
+Fixes: b610386c8afb ('ALSA: firewire-tascam: deleyed registration of sound card') at v4.7
+Fixes: 86c8dd7f4da3 ('ALSA: firewire-digi00x: delayed registration of sound card') at v4.7
+Fixes: 6c29230e2a5f ('ALSA: oxfw: delayed registration of sound card') at v4.7
+Fixes: 7d3c1d5901aa ('ALSA: fireworks: delayed registration of sound card') at v4.7
+Fixes: 04a2c73c97eb ('ALSA: bebob: delayed registration of sound card') at v4.7
+Fixes: b59fb1900b4f ('ALSA: dice: postpone card registration') at v4.5
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/iso-resources.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/sound/firewire/iso-resources.c
++++ b/sound/firewire/iso-resources.c
+@@ -210,9 +210,14 @@ EXPORT_SYMBOL(fw_iso_resources_update);
+ */
+ void fw_iso_resources_free(struct fw_iso_resources *r)
+ {
+- struct fw_card *card = fw_parent_device(r->unit)->card;
++ struct fw_card *card;
+ int bandwidth, channel;
+
++ /* Not initialized. */
++ if (r->unit == NULL)
++ return;
++ card = fw_parent_device(r->unit)->card;
++
+ mutex_lock(&r->mutex);
+
+ if (r->allocated) {
--- /dev/null
+From bbba6f9d3da357bbabc6fda81e99ff5584500e76 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 23 Aug 2017 09:30:17 +0200
+Subject: ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit bbba6f9d3da357bbabc6fda81e99ff5584500e76 upstream.
+
+Lenovo G50-70 (17aa:3978) with Conexant codec chip requires the
+similar workaround for the inverted stereo dmic like other Lenovo
+models.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1020657
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -854,6 +854,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo G50-70", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK_VENDOR(0x17aa, "Thinkpad", CXT_FIXUP_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x1c06, 0x2011, "Lemote A1004", CXT_PINCFG_LEMOTE_A1004),
--- /dev/null
+From 07b3b5e9ed807a0d2077319b8e43a42e941db818 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Tue, 22 Aug 2017 08:33:53 +0200
+Subject: ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit 07b3b5e9ed807a0d2077319b8e43a42e941db818 upstream.
+
+These headsets reports a lot of: cannot set freq 44100 to ep 0x81
+and need a small delay between sample rate settings, just like
+Zoom R16/24. Add both headsets to the Zoom R16/24 quirk for
+a 1 ms delay between control msgs.
+
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1309,10 +1309,13 @@ void snd_usb_ctl_msg_quirk(struct usb_de
+ && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+- /* Zoom R16/24 needs a tiny delay here, otherwise requests like
+- * get/set frequency return as failed despite actually succeeding.
++ /* Zoom R16/24, Logitech H650e, Jabra 550a needs a tiny delay here,
++ * otherwise requests like get/set frequency return as failed despite
++ * actually succeeding.
+ */
+- if (chip->usb_id == USB_ID(0x1686, 0x00dd) &&
++ if ((chip->usb_id == USB_ID(0x1686, 0x00dd) ||
++ chip->usb_id == USB_ID(0x046d, 0x0a46) ||
++ chip->usb_id == USB_ID(0x0b0e, 0x0349)) &&
+ (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(1);
+ }
--- /dev/null
+From 7d79cee2c6540ea64dd917a14e2fd63d4ac3d3c0 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
+Date: Tue, 1 Aug 2017 12:58:47 +0300
+Subject: ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
+
+From: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
+
+commit 7d79cee2c6540ea64dd917a14e2fd63d4ac3d3c0 upstream.
+
+It is necessary to explicitly set both SLC_AUX_RGN_START1 and SLC_AUX_RGN_END1
+which hold MSB bits of the physical address correspondingly of region start
+and end otherwise SLC region operation is executed in unpredictable manner
+
+Without this patch, SLC flushes on HSDK (IOC disabled) were taking
+seconds.
+
+Reported-by: Vladimir Kondratiev <vladimir.kondratiev@intel.com>
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+[vgupta: PAR40 regs only written if PAE40 exist]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/cache.h | 2 ++
+ arch/arc/mm/cache.c | 13 +++++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/include/asm/cache.h
++++ b/arch/arc/include/asm/cache.h
+@@ -89,7 +89,9 @@ extern unsigned long perip_base, perip_e
+ #define ARC_REG_SLC_FLUSH 0x904
+ #define ARC_REG_SLC_INVALIDATE 0x905
+ #define ARC_REG_SLC_RGN_START 0x914
++#define ARC_REG_SLC_RGN_START1 0x915
+ #define ARC_REG_SLC_RGN_END 0x916
++#define ARC_REG_SLC_RGN_END1 0x917
+
+ /* Bit val in SLC_CONTROL */
+ #define SLC_CTRL_IM 0x040
+--- a/arch/arc/mm/cache.c
++++ b/arch/arc/mm/cache.c
+@@ -562,6 +562,7 @@ noinline void slc_op(phys_addr_t paddr,
+ static DEFINE_SPINLOCK(lock);
+ unsigned long flags;
+ unsigned int ctrl;
++ phys_addr_t end;
+
+ spin_lock_irqsave(&lock, flags);
+
+@@ -591,8 +592,16 @@ noinline void slc_op(phys_addr_t paddr,
+ * END needs to be setup before START (latter triggers the operation)
+ * END can't be same as START, so add (l2_line_sz - 1) to sz
+ */
+- write_aux_reg(ARC_REG_SLC_RGN_END, (paddr + sz + l2_line_sz - 1));
+- write_aux_reg(ARC_REG_SLC_RGN_START, paddr);
++ end = paddr + sz + l2_line_sz - 1;
++ if (is_pae40_enabled())
++ write_aux_reg(ARC_REG_SLC_RGN_END1, upper_32_bits(end));
++
++ write_aux_reg(ARC_REG_SLC_RGN_END, lower_32_bits(end));
++
++ if (is_pae40_enabled())
++ write_aux_reg(ARC_REG_SLC_RGN_START1, upper_32_bits(paddr));
++
++ write_aux_reg(ARC_REG_SLC_RGN_START, lower_32_bits(paddr));
+
+ while (read_aux_reg(ARC_REG_SLC_CTRL) & SLC_CTRL_BUSY);
+
--- /dev/null
+From 4a646580f793d19717f7e034c8d473b509c27d49 Mon Sep 17 00:00:00 2001
+From: Masaki Ota <masaki.ota@jp.alps.com>
+Date: Thu, 24 Aug 2017 15:44:36 -0700
+Subject: Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad
+
+From: Masaki Ota <masaki.ota@jp.alps.com>
+
+commit 4a646580f793d19717f7e034c8d473b509c27d49 upstream.
+
+Fixed the issue that two finger scroll does not work correctly
+on V8 protocol. The cause is that V8 protocol X-coordinate decode
+is wrong at SS4 PLUS device. I added SS4 PLUS X decode definition.
+
+Mote notes:
+the problem manifests itself by the commit e7348396c6d5 ("Input: ALPS
+- fix V8+ protocol handling (73 03 28)"), where a fix for the V8+
+protocol was applied. Although the culprit must have been present
+beforehand, the two-finger scroll worked casually even with the
+wrongly reported values by some reason. It got broken by the commit
+above just because it changed x_max value, and this made libinput
+correctly figuring the MT events. Since the X coord is reported as
+falsely doubled, the events on the right-half side go outside the
+boundary, thus they are no longer handled. This resulted as a broken
+two-finger scroll.
+
+One finger event is decoded differently, and it didn't suffer from
+this problem. The problem was only about MT events. --tiwai
+
+Fixes: e7348396c6d5 ("Input: ALPS - fix V8+ protocol handling (73 03 28)")
+Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
+Tested-by: Takashi Iwai <tiwai@suse.de>
+Tested-by: Paul Donohue <linux-kernel@PaulSD.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/alps.c | 41 +++++++++++++++++++++++++++++++----------
+ drivers/input/mouse/alps.h | 8 ++++++++
+ 2 files changed, 39 insertions(+), 10 deletions(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -1212,14 +1212,24 @@ static int alps_decode_ss4_v2(struct alp
+
+ case SS4_PACKET_ID_TWO:
+ if (priv->flags & ALPS_BUTTONPAD) {
+- f->mt[0].x = SS4_BTL_MF_X_V2(p, 0);
++ if (IS_SS4PLUS_DEV(priv->dev_id)) {
++ f->mt[0].x = SS4_PLUS_BTL_MF_X_V2(p, 0);
++ f->mt[1].x = SS4_PLUS_BTL_MF_X_V2(p, 1);
++ } else {
++ f->mt[0].x = SS4_BTL_MF_X_V2(p, 0);
++ f->mt[1].x = SS4_BTL_MF_X_V2(p, 1);
++ }
+ f->mt[0].y = SS4_BTL_MF_Y_V2(p, 0);
+- f->mt[1].x = SS4_BTL_MF_X_V2(p, 1);
+ f->mt[1].y = SS4_BTL_MF_Y_V2(p, 1);
+ } else {
+- f->mt[0].x = SS4_STD_MF_X_V2(p, 0);
++ if (IS_SS4PLUS_DEV(priv->dev_id)) {
++ f->mt[0].x = SS4_PLUS_STD_MF_X_V2(p, 0);
++ f->mt[1].x = SS4_PLUS_STD_MF_X_V2(p, 1);
++ } else {
++ f->mt[0].x = SS4_STD_MF_X_V2(p, 0);
++ f->mt[1].x = SS4_STD_MF_X_V2(p, 1);
++ }
+ f->mt[0].y = SS4_STD_MF_Y_V2(p, 0);
+- f->mt[1].x = SS4_STD_MF_X_V2(p, 1);
+ f->mt[1].y = SS4_STD_MF_Y_V2(p, 1);
+ }
+ f->pressure = SS4_MF_Z_V2(p, 0) ? 0x30 : 0;
+@@ -1236,16 +1246,27 @@ static int alps_decode_ss4_v2(struct alp
+
+ case SS4_PACKET_ID_MULTI:
+ if (priv->flags & ALPS_BUTTONPAD) {
+- f->mt[2].x = SS4_BTL_MF_X_V2(p, 0);
++ if (IS_SS4PLUS_DEV(priv->dev_id)) {
++ f->mt[0].x = SS4_PLUS_BTL_MF_X_V2(p, 0);
++ f->mt[1].x = SS4_PLUS_BTL_MF_X_V2(p, 1);
++ } else {
++ f->mt[2].x = SS4_BTL_MF_X_V2(p, 0);
++ f->mt[3].x = SS4_BTL_MF_X_V2(p, 1);
++ }
++
+ f->mt[2].y = SS4_BTL_MF_Y_V2(p, 0);
+- f->mt[3].x = SS4_BTL_MF_X_V2(p, 1);
+ f->mt[3].y = SS4_BTL_MF_Y_V2(p, 1);
+ no_data_x = SS4_MFPACKET_NO_AX_BL;
+ no_data_y = SS4_MFPACKET_NO_AY_BL;
+ } else {
+- f->mt[2].x = SS4_STD_MF_X_V2(p, 0);
++ if (IS_SS4PLUS_DEV(priv->dev_id)) {
++ f->mt[0].x = SS4_PLUS_STD_MF_X_V2(p, 0);
++ f->mt[1].x = SS4_PLUS_STD_MF_X_V2(p, 1);
++ } else {
++ f->mt[0].x = SS4_STD_MF_X_V2(p, 0);
++ f->mt[1].x = SS4_STD_MF_X_V2(p, 1);
++ }
+ f->mt[2].y = SS4_STD_MF_Y_V2(p, 0);
+- f->mt[3].x = SS4_STD_MF_X_V2(p, 1);
+ f->mt[3].y = SS4_STD_MF_Y_V2(p, 1);
+ no_data_x = SS4_MFPACKET_NO_AX;
+ no_data_y = SS4_MFPACKET_NO_AY;
+@@ -2535,8 +2556,8 @@ static int alps_set_defaults_ss4_v2(stru
+
+ memset(otp, 0, sizeof(otp));
+
+- if (alps_get_otp_values_ss4_v2(psmouse, 0, &otp[0][0]) ||
+- alps_get_otp_values_ss4_v2(psmouse, 1, &otp[1][0]))
++ if (alps_get_otp_values_ss4_v2(psmouse, 1, &otp[1][0]) ||
++ alps_get_otp_values_ss4_v2(psmouse, 0, &otp[0][0]))
+ return -1;
+
+ alps_update_device_area_ss4_v2(otp, priv);
+--- a/drivers/input/mouse/alps.h
++++ b/drivers/input/mouse/alps.h
+@@ -91,6 +91,10 @@ enum SS4_PACKET_ID {
+ ((_b[1 + _i * 3] << 5) & 0x1F00) \
+ )
+
++#define SS4_PLUS_STD_MF_X_V2(_b, _i) (((_b[0 + (_i) * 3] << 4) & 0x0070) | \
++ ((_b[1 + (_i) * 3] << 4) & 0x0F80) \
++ )
++
+ #define SS4_STD_MF_Y_V2(_b, _i) (((_b[1 + (_i) * 3] << 3) & 0x0010) | \
+ ((_b[2 + (_i) * 3] << 5) & 0x01E0) | \
+ ((_b[2 + (_i) * 3] << 4) & 0x0E00) \
+@@ -100,6 +104,10 @@ enum SS4_PACKET_ID {
+ ((_b[0 + (_i) * 3] >> 3) & 0x0010) \
+ )
+
++#define SS4_PLUS_BTL_MF_X_V2(_b, _i) (SS4_PLUS_STD_MF_X_V2(_b, _i) | \
++ ((_b[0 + (_i) * 3] >> 4) & 0x0008) \
++ )
++
+ #define SS4_BTL_MF_Y_V2(_b, _i) (SS4_STD_MF_Y_V2(_b, _i) | \
+ ((_b[0 + (_i) * 3] >> 3) & 0x0008) \
+ )
--- /dev/null
+From 1d2226e45040ed4aee95b633cbd64702bf7fc2a1 Mon Sep 17 00:00:00 2001
+From: KT Liao <kt.liao@emc.com.tw>
+Date: Fri, 18 Aug 2017 16:58:15 -0700
+Subject: Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
+
+From: KT Liao <kt.liao@emc.com.tw>
+
+commit 1d2226e45040ed4aee95b633cbd64702bf7fc2a1 upstream.
+
+Add ELAN0602 to the list of known ACPI IDs to enable support for ELAN
+touchpads found in Lenovo Yoga310.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1234,6 +1234,7 @@ static const struct acpi_device_id elan_
+ { "ELAN0000", 0 },
+ { "ELAN0100", 0 },
+ { "ELAN0600", 0 },
++ { "ELAN0602", 0 },
+ { "ELAN0605", 0 },
+ { "ELAN0608", 0 },
+ { "ELAN0605", 0 },
--- /dev/null
+From ec667683c532c93fb41e100e5d61a518971060e2 Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Fri, 18 Aug 2017 12:17:21 -0700
+Subject: Input: trackpoint - add new trackpoint firmware ID
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit ec667683c532c93fb41e100e5d61a518971060e2 upstream.
+
+Synaptics add new TP firmware ID: 0x2 and 0x3, for now both lower 2 bits
+are indicated as TP. Change the constant to bitwise values.
+
+This makes trackpoint to be recognized on Lenovo Carbon X1 Gen5 instead
+of it being identified as "PS/2 Generic Mouse".
+
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/trackpoint.c | 3 ++-
+ drivers/input/mouse/trackpoint.h | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/mouse/trackpoint.c
++++ b/drivers/input/mouse/trackpoint.c
+@@ -265,7 +265,8 @@ static int trackpoint_start_protocol(str
+ if (ps2_command(&psmouse->ps2dev, param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
+ return -1;
+
+- if (param[0] != TP_MAGIC_IDENT)
++ /* add new TP ID. */
++ if (!(param[0] & TP_MAGIC_IDENT))
+ return -1;
+
+ if (firmware_id)
+--- a/drivers/input/mouse/trackpoint.h
++++ b/drivers/input/mouse/trackpoint.h
+@@ -21,8 +21,9 @@
+ #define TP_COMMAND 0xE2 /* Commands start with this */
+
+ #define TP_READ_ID 0xE1 /* Sent for device identification */
+-#define TP_MAGIC_IDENT 0x01 /* Sent after a TP_READ_ID followed */
++#define TP_MAGIC_IDENT 0x03 /* Sent after a TP_READ_ID followed */
+ /* by the firmware ID */
++ /* Firmware ID includes 0x1, 0x2, 0x3 */
+
+
+ /*
--- /dev/null
+From 38cfd5e3df9c4f88e76b547eee2087ee5c042ae2 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 23 Aug 2017 23:16:29 +0200
+Subject: KVM, pkeys: do not use PKRU value in vcpu->arch.guest_fpu.state
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 38cfd5e3df9c4f88e76b547eee2087ee5c042ae2 upstream.
+
+The host pkru is restored right after vcpu exit (commit 1be0e61), so
+KVM_GET_XSAVE will return the host PKRU value instead. Fix this by
+using the guest PKRU explicitly in fill_xsave and load_xsave. This
+part is based on a patch by Junkang Fu.
+
+The host PKRU data may also not match the value in vcpu->arch.guest_fpu.state,
+because it could have been changed by userspace since the last time
+it was saved, so skip loading it in kvm_load_guest_fpu.
+
+Reported-by: Junkang Fu <junkang.fjk@alibaba-inc.com>
+Cc: Yang Zhang <zy107165@alibaba-inc.com>
+Fixes: 1be0e61c1f255faaeab04a390e00c8b9b9042870
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/fpu/internal.h | 6 +++---
+ arch/x86/kvm/x86.c | 17 ++++++++++++++---
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/fpu/internal.h
++++ b/arch/x86/include/asm/fpu/internal.h
+@@ -445,10 +445,10 @@ static inline int copy_fpregs_to_fpstate
+ return 0;
+ }
+
+-static inline void __copy_kernel_to_fpregs(union fpregs_state *fpstate)
++static inline void __copy_kernel_to_fpregs(union fpregs_state *fpstate, u64 mask)
+ {
+ if (use_xsave()) {
+- copy_kernel_to_xregs(&fpstate->xsave, -1);
++ copy_kernel_to_xregs(&fpstate->xsave, mask);
+ } else {
+ if (use_fxsr())
+ copy_kernel_to_fxregs(&fpstate->fxsave);
+@@ -472,7 +472,7 @@ static inline void copy_kernel_to_fpregs
+ : : [addr] "m" (fpstate));
+ }
+
+- __copy_kernel_to_fpregs(fpstate);
++ __copy_kernel_to_fpregs(fpstate, -1);
+ }
+
+ extern int copy_fpstate_to_sigframe(void __user *buf, void __user *fp, int size);
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3179,7 +3179,12 @@ static void fill_xsave(u8 *dest, struct
+ u32 size, offset, ecx, edx;
+ cpuid_count(XSTATE_CPUID, index,
+ &size, &offset, &ecx, &edx);
+- memcpy(dest + offset, src, size);
++ if (feature == XFEATURE_MASK_PKRU)
++ memcpy(dest + offset, &vcpu->arch.pkru,
++ sizeof(vcpu->arch.pkru));
++ else
++ memcpy(dest + offset, src, size);
++
+ }
+
+ valid -= feature;
+@@ -3217,7 +3222,11 @@ static void load_xsave(struct kvm_vcpu *
+ u32 size, offset, ecx, edx;
+ cpuid_count(XSTATE_CPUID, index,
+ &size, &offset, &ecx, &edx);
+- memcpy(dest, src + offset, size);
++ if (feature == XFEATURE_MASK_PKRU)
++ memcpy(&vcpu->arch.pkru, src + offset,
++ sizeof(vcpu->arch.pkru));
++ else
++ memcpy(dest, src + offset, size);
+ }
+
+ valid -= feature;
+@@ -7453,7 +7462,9 @@ void kvm_load_guest_fpu(struct kvm_vcpu
+ */
+ vcpu->guest_fpu_loaded = 1;
+ __kernel_fpu_begin();
+- __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu.state);
++ /* PKRU is separately restored in kvm_x86_ops->run. */
++ __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu.state,
++ ~XFEATURE_MASK_PKRU);
+ trace_kvm_fpu(1);
+ }
+
--- /dev/null
+From 857b8de96795646c5891cf44ae6fb19b9ff74bf9 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Thu, 3 Aug 2017 14:27:30 +0200
+Subject: KVM: s390: sthyi: fix specification exception detection
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit 857b8de96795646c5891cf44ae6fb19b9ff74bf9 upstream.
+
+sthyi should only generate a specification exception if the function
+code is zero and the response buffer is not on a 4k boundary.
+
+The current code would also test for unknown function codes if the
+response buffer, that is currently only defined for function code 0,
+is not on a 4k boundary and incorrectly inject a specification
+exception instead of returning with condition code 3 and return code 4
+(unsupported function code).
+
+Fix this by moving the boundary check.
+
+Fixes: 95ca2cb57985 ("KVM: s390: Add sthyi emulation")
+Reviewed-by: Janosch Frank <frankja@linux.vnet.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/sthyi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/sthyi.c
++++ b/arch/s390/kvm/sthyi.c
+@@ -422,7 +422,7 @@ int handle_sthyi(struct kvm_vcpu *vcpu)
+ VCPU_EVENT(vcpu, 3, "STHYI: fc: %llu addr: 0x%016llx", code, addr);
+ trace_kvm_s390_handle_sthyi(vcpu, code, addr);
+
+- if (reg1 == reg2 || reg1 & 1 || reg2 & 1 || addr & ~PAGE_MASK)
++ if (reg1 == reg2 || reg1 & 1 || reg2 & 1)
+ return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION);
+
+ if (code & 0xffff) {
+@@ -430,6 +430,9 @@ int handle_sthyi(struct kvm_vcpu *vcpu)
+ goto out;
+ }
+
++ if (addr & ~PAGE_MASK)
++ return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION);
++
+ /*
+ * If the page has not yet been faulted in, we want to do that
+ * now and not after all the expensive calculations.
--- /dev/null
+From 4a4eefcd0e49f9f339933324c1bde431186a0a7d Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Thu, 3 Aug 2017 13:05:11 +0200
+Subject: KVM: s390: sthyi: fix sthyi inline assembly
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit 4a4eefcd0e49f9f339933324c1bde431186a0a7d upstream.
+
+The sthyi inline assembly misses register r3 within the clobber
+list. The sthyi instruction will always write a return code to
+register "R2+1", which in this case would be r3. Due to that we may
+have register corruption and see host crashes or data corruption
+depending on how gcc decided to allocate and use registers during
+compile time.
+
+Fixes: 95ca2cb57985 ("KVM: s390: Add sthyi emulation")
+Reviewed-by: Janosch Frank <frankja@linux.vnet.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/sthyi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/sthyi.c
++++ b/arch/s390/kvm/sthyi.c
+@@ -394,7 +394,7 @@ static int sthyi(u64 vaddr)
+ "srl %[cc],28\n"
+ : [cc] "=d" (cc)
+ : [code] "d" (code), [addr] "a" (addr)
+- : "memory", "cc");
++ : "3", "memory", "cc");
+ return cc;
+ }
+
--- /dev/null
+From c469268cd523245cc58255f6696e0c295485cb0b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 24 Aug 2017 11:59:31 +0200
+Subject: KVM: x86: block guest protection keys unless the host has them enabled
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit c469268cd523245cc58255f6696e0c295485cb0b upstream.
+
+If the host has protection keys disabled, we cannot read and write the
+guest PKRU---RDPKRU and WRPKRU fail with #GP(0) if CR4.PKE=0. Block
+the PKU cpuid bit in that case.
+
+This ensures that guest_CR4.PKE=1 implies host_CR4.PKE=1.
+
+Fixes: 1be0e61c1f255faaeab04a390e00c8b9b9042870
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/cpuid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -456,7 +456,7 @@ static inline int __do_cpuid_ent(struct
+ entry->ecx &= kvm_cpuid_7_0_ecx_x86_features;
+ cpuid_mask(&entry->ecx, CPUID_7_ECX);
+ /* PKU is not yet implemented for shadow paging. */
+- if (!tdp_enabled)
++ if (!tdp_enabled || !boot_cpu_has(X86_FEATURE_OSPKE))
+ entry->ecx &= ~F(PKU);
+ } else {
+ entry->ebx = 0;
--- /dev/null
+From 435c0b87d661da83771c30ed775f7c37eed193fb Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Fri, 25 Aug 2017 15:55:33 -0700
+Subject: mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 435c0b87d661da83771c30ed775f7c37eed193fb upstream.
+
+/sys/kernel/mm/transparent_hugepage/shmem_enabled controls if we want
+to allocate huge pages when allocate pages for private in-kernel shmem
+mount.
+
+Unfortunately, as Dan noticed, I've screwed it up and the only way to
+make kernel allocate huge page for the mount is to use "force" there.
+All other values will be effectively ignored.
+
+Link: http://lkml.kernel.org/r/20170822144254.66431-1-kirill.shutemov@linux.intel.com
+Fixes: 5a6e75f8110c ("shmem: prepare huge= mount option and sysfs knob")
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -3810,7 +3810,7 @@ int __init shmem_init(void)
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGE_PAGECACHE
+- if (has_transparent_hugepage() && shmem_huge < SHMEM_HUGE_DENY)
++ if (has_transparent_hugepage() && shmem_huge > SHMEM_HUGE_DENY)
+ SHMEM_SB(shm_mnt->mnt_sb)->huge = shmem_huge;
+ else
+ shmem_huge = 0; /* just in case it was patched */
+@@ -3871,7 +3871,7 @@ static ssize_t shmem_enabled_store(struc
+ return -EINVAL;
+
+ shmem_huge = huge;
+- if (shmem_huge < SHMEM_HUGE_DENY)
++ if (shmem_huge > SHMEM_HUGE_DENY)
+ SHMEM_SB(shm_mnt->mnt_sb)->huge = shmem_huge;
+ return count;
+ }
bpf-verifier-fix-alu-ops-against-map_value-_adj-register-types.patch
bpf-fix-mixed-signed-unsigned-derived-min-max-value-bounds.patch
bpf-verifier-fix-min-max-handling-in-bpf_sub.patch
+input-trackpoint-add-new-trackpoint-firmware-id.patch
+input-elan_i2c-add-elan0602-acpi-id-to-support-lenovo-yoga310.patch
+input-alps-fix-two-finger-scroll-breakage-in-right-side-on-alps-touchpad.patch
+kvm-s390-sthyi-fix-sthyi-inline-assembly.patch
+kvm-s390-sthyi-fix-specification-exception-detection.patch
+kvm-pkeys-do-not-use-pkru-value-in-vcpu-arch.guest_fpu.state.patch
+kvm-x86-block-guest-protection-keys-unless-the-host-has-them-enabled.patch
+alsa-usb-audio-add-delay-quirk-for-h650e-jabra-550a-usb-headsets.patch
+alsa-core-fix-unexpected-error-at-replacing-user-tlv.patch
+alsa-hda-add-stereo-mic-quirk-for-lenovo-g50-70-17aa-3978.patch
+alsa-firewire-fix-null-pointer-dereference-when-releasing-uninitialized-data-of-iso-resource.patch
+arcv2-pae40-explicitly-set-msb-counterpart-of-slc-region-ops-addresses.patch
+mm-shmem-fix-handling-sys-kernel-mm-transparent_hugepage-shmem_enabled.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
