4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 22 Apr 2018 09:16:15 +0000 (11:16 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 22 Apr 2018 09:16:15 +0000 (11:16 +0200)
added patches:
alsa-hda-new-via-controller-suppor-no-snoop-path.patch
alsa-hda-realtek-adjust-the-location-of-one-mic.patch
alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch
alsa-line6-use-correct-endpoint-type-for-midi-output.patch
alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
fanotify-fix-logic-of-events-on-child.patch
hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
hid-input-fix-battery-level-reporting-on-bt-mice.patch
hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch
mips-memset.s-eva-fault-support-for-small_memset.patch
mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch
mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch
powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch
random-add-new-ioctl-rndreseedcrng.patch
random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch
random-fix-crng_ready-test.patch
random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch
random-use-a-different-mixing-algorithm-for-add_device_randomness.patch
udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch

24 files changed:
queue-4.14/alsa-hda-new-via-controller-suppor-no-snoop-path.patch [new file with mode: 0644]
queue-4.14/alsa-hda-realtek-adjust-the-location-of-one-mic.patch [new file with mode: 0644]
queue-4.14/alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch [new file with mode: 0644]
queue-4.14/alsa-line6-use-correct-endpoint-type-for-midi-output.patch [new file with mode: 0644]
queue-4.14/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch [new file with mode: 0644]
queue-4.14/fanotify-fix-logic-of-events-on-child.patch [new file with mode: 0644]
queue-4.14/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch [new file with mode: 0644]
queue-4.14/hid-input-fix-battery-level-reporting-on-bt-mice.patch [new file with mode: 0644]
queue-4.14/hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch [new file with mode: 0644]
queue-4.14/mips-memset.s-eva-fault-support-for-small_memset.patch [new file with mode: 0644]
queue-4.14/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch [new file with mode: 0644]
queue-4.14/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch [new file with mode: 0644]
queue-4.14/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch [new file with mode: 0644]
queue-4.14/mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch [new file with mode: 0644]
queue-4.14/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch [new file with mode: 0644]
queue-4.14/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch [new file with mode: 0644]
queue-4.14/powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch [new file with mode: 0644]
queue-4.14/random-add-new-ioctl-rndreseedcrng.patch [new file with mode: 0644]
queue-4.14/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch [new file with mode: 0644]
queue-4.14/random-fix-crng_ready-test.patch [new file with mode: 0644]
queue-4.14/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch [new file with mode: 0644]
queue-4.14/random-use-a-different-mixing-algorithm-for-add_device_randomness.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch [new file with mode: 0644]

diff --git a/queue-4.14/alsa-hda-new-via-controller-suppor-no-snoop-path.patch b/queue-4.14/alsa-hda-new-via-controller-suppor-no-snoop-path.patch
new file mode 100644 (file)
index 0000000..059d580
--- /dev/null
@@ -0,0 +1,35 @@
+From af52f9982e410edac21ca4b49563053ffc9da1eb Mon Sep 17 00:00:00 2001
+From: David Wang <davidwang@zhaoxin.com>
+Date: Mon, 16 Apr 2018 17:48:09 +0800
+Subject: ALSA: hda - New VIA controller suppor no-snoop path
+
+From: David Wang <davidwang@zhaoxin.com>
+
+commit af52f9982e410edac21ca4b49563053ffc9da1eb upstream.
+
+This patch is used to tell kernel that new VIA HDAC controller also
+support no-snoop path.
+
+[ minor coding style fix by tiwai ]
+
+Signed-off-by: David Wang <davidwang@zhaoxin.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1645,7 +1645,8 @@ static void azx_check_snoop_available(st
+                */
+               u8 val;
+               pci_read_config_byte(chip->pci, 0x42, &val);
+-              if (!(val & 0x80) && chip->pci->revision == 0x30)
++              if (!(val & 0x80) && (chip->pci->revision == 0x30 ||
++                                    chip->pci->revision == 0x20))
+                       snoop = false;
+       }
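Review bot: The revision test in azx_check_snoop_available() now compares against two bare constants, `0x30` and `0x20`, and nothing in the code says which controller the new value stands for. A short comment above the condition would record it, for example `/* 0x20: newer VIA HDAC revision that also supports the no-snoop path */`. The function body starts and ends outside the hunk.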
diff --git a/queue-4.14/alsa-hda-realtek-adjust-the-location-of-one-mic.patch b/queue-4.14/alsa-hda-realtek-adjust-the-location-of-one-mic.patch
new file mode 100644 (file)
index 0000000..9cac621
--- /dev/null
@@ -0,0 +1,35 @@
+From a3dafb2200bf3c13905a088e82ae11f1eb275a83 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 19 Apr 2018 13:29:05 +0800
+Subject: ALSA: hda/realtek - adjust the location of one mic
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit a3dafb2200bf3c13905a088e82ae11f1eb275a83 upstream.
+
+There are two front mics on this machine, if we don't adjust the
+location for one of them, they will have the same mixer name,
+pulseaudio can't handle this situation.
+
+After applying this FIXUP, they will have different mixer name,
+then pulseaudio can handle them correctly.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6430,6 +6430,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+       SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+       SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
++      SND_PCI_QUIRK(0x17aa, 0x3138, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+       SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+       SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+       SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
diff --git a/queue-4.14/alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch b/queue-4.14/alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch
new file mode 100644 (file)
index 0000000..3953826
--- /dev/null
@@ -0,0 +1,39 @@
+From 3ce0d5aa265bcc0a4b281cb0cabf92491276101b Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 19 Apr 2018 13:29:04 +0800
+Subject: ALSA: hda/realtek - set PINCFG_HEADSET_MIC to parse_flags
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 3ce0d5aa265bcc0a4b281cb0cabf92491276101b upstream.
+
+Otherwise, the pin will be regarded as microphone, and the jack name
+is "Mic Phantom", it is always on in the pulseaudio even nothing is
+plugged into the jack. So the UI is confusing to users since the
+microphone always shows up in the UI even there is no microphone
+plugged.
+
+After adding this flag, the jack name is "Headset Mic Phantom", then
+the pulseaudio can handle its detection correctly.
+
+Fixes: f0ba9d699e5c ("ALSA: hda/realtek - Fix Dell headset Mic can't record")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6225,6 +6225,8 @@ static const struct hda_fixup alc269_fix
+                       { 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */
+                       { }
+               },
++              .chained = true,
++              .chain_id = ALC269_FIXUP_HEADSET_MIC
+       },
+ };
diff --git a/queue-4.14/alsa-line6-use-correct-endpoint-type-for-midi-output.patch b/queue-4.14/alsa-line6-use-correct-endpoint-type-for-midi-output.patch
new file mode 100644 (file)
index 0000000..3f7bcc4
--- /dev/null
@@ -0,0 +1,47 @@
+From 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabi=C3=A1n=20Inostroza?= <soulsonceonfire@gmail.com>
+Date: Thu, 12 Apr 2018 00:37:35 -0300
+Subject: ALSA: line6: Use correct endpoint type for midi output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabián Inostroza <soulsonceonfire@gmail.com>
+
+commit 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 upstream.
+
+Sending MIDI messages to a PODxt through the USB connection shows
+"usb_submit_urb failed" in dmesg and the message is not received by
+the POD.
+
+The error is caused because in the funcion send_midi_async() in midi.c
+there is a call to usb_sndbulkpipe() for endpoint 3 OUT, but the PODxt
+USB descriptor shows that this endpoint it's an interrupt endpoint.
+
+Patch tested with PODxt only.
+
+[ The bug has been present from the very beginning in the staging
+  driver time, but Fixes below points to the commit moving to sound/
+  directory so that the fix can be cleanly applied -- tiwai ]
+
+Fixes: 61864d844c29 ("ALSA: move line6 usb driver into sound/usb")
+Signed-off-by: Fabián Inostroza <fabianinostroza@udec.cl>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/midi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/midi.c
++++ b/sound/usb/line6/midi.c
+@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_li
+       }
+       usb_fill_int_urb(urb, line6->usbdev,
+-                       usb_sndbulkpipe(line6->usbdev,
++                       usb_sndintpipe(line6->usbdev,
+                                        line6->properties->ep_ctrl_w),
+                        transfer_buffer, length, midi_sent, line6,
+                        line6->interval);
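Review bot: The pipe type in send_midi_async() is still picked by a hard-coded macro, now `usb_sndintpipe()`, while the commit message says the change was tested with PODxt only. If another supported device exposes `ep_ctrl_w` as a bulk endpoint (not visible here), the submit would fail for it the way it did for PODxt. Checking the endpoint descriptor once at probe time, e.g. with `usb_endpoint_xfer_int()`, and logging or rejecting a mismatch would make the assumption explicit. The function body extends beyond the hunk.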
diff --git a/queue-4.14/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch b/queue-4.14/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
new file mode 100644 (file)
index 0000000..e3ed892
--- /dev/null
@@ -0,0 +1,93 @@
+From 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 19 Apr 2018 18:16:15 +0200
+Subject: ALSA: rawmidi: Fix missing input substream checks in compat ioctls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream.
+
+Some rawmidi compat ioctls lack of the input substream checks
+(although they do check only for rfile->output).  This many eventually
+lead to an Oops as NULL substream is passed to the rawmidi core
+functions.
+
+Fix it by adding the proper checks before each function call.
+
+The bug was spotted by syzkaller.
+
+Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi_compat.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/sound/core/rawmidi_compat.c
++++ b/sound/core/rawmidi_compat.c
+@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_comp
+       struct snd_rawmidi_params params;
+       unsigned int val;
+-      if (rfile->output == NULL)
+-              return -EINVAL;
+       if (get_user(params.stream, &src->stream) ||
+           get_user(params.buffer_size, &src->buffer_size) ||
+           get_user(params.avail_min, &src->avail_min) ||
+@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_comp
+       params.no_active_sensing = val;
+       switch (params.stream) {
+       case SNDRV_RAWMIDI_STREAM_OUTPUT:
++              if (!rfile->output)
++                      return -EINVAL;
+               return snd_rawmidi_output_params(rfile->output, &params);
+       case SNDRV_RAWMIDI_STREAM_INPUT:
++              if (!rfile->input)
++                      return -EINVAL;
+               return snd_rawmidi_input_params(rfile->input, &params);
+       }
+       return -EINVAL;
+@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_comp
+       int err;
+       struct snd_rawmidi_status status;
+-      if (rfile->output == NULL)
+-              return -EINVAL;
+       if (get_user(status.stream, &src->stream))
+               return -EFAULT;
+       switch (status.stream) {
+       case SNDRV_RAWMIDI_STREAM_OUTPUT:
++              if (!rfile->output)
++                      return -EINVAL;
+               err = snd_rawmidi_output_status(rfile->output, &status);
+               break;
+       case SNDRV_RAWMIDI_STREAM_INPUT:
++              if (!rfile->input)
++                      return -EINVAL;
+               err = snd_rawmidi_input_status(rfile->input, &status);
+               break;
+       default:
+@@ -112,16 +116,18 @@ static int snd_rawmidi_ioctl_status_x32(
+       int err;
+       struct snd_rawmidi_status status;
+-      if (rfile->output == NULL)
+-              return -EINVAL;
+       if (get_user(status.stream, &src->stream))
+               return -EFAULT;
+       switch (status.stream) {
+       case SNDRV_RAWMIDI_STREAM_OUTPUT:
++              if (!rfile->output)
++                      return -EINVAL;
+               err = snd_rawmidi_output_status(rfile->output, &status);
+               break;
+       case SNDRV_RAWMIDI_STREAM_INPUT:
++              if (!rfile->input)
++                      return -EINVAL;
+               err = snd_rawmidi_input_status(rfile->input, &status);
+               break;
+       default:
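Review bot: The guard `if (!rfile->input) return -EINVAL;` and its output twin are now open-coded six times across snd_rawmidi_ioctl_params_compat(), snd_rawmidi_ioctl_status_compat() and snd_rawmidi_ioctl_status_x32(). That duplication makes it easy for one direction to be forgotten again when another compat handler is added. A small static helper that maps the user-supplied stream value to the matching substream and returns NULL for a missing or unknown one would keep the check in one place. Failing that, each switch should carry a comment such as `/* either substream may be NULL; check before every core call */`. All three function bodies continue outside the hunks.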
diff --git a/queue-4.14/fanotify-fix-logic-of-events-on-child.patch b/queue-4.14/fanotify-fix-logic-of-events-on-child.patch
new file mode 100644 (file)
index 0000000..b7abac4
--- /dev/null
@@ -0,0 +1,84 @@
+From 54a307ba8d3cd00a3902337ffaae28f436eeb1a4 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Wed, 4 Apr 2018 23:42:18 +0300
+Subject: fanotify: fix logic of events on child
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 54a307ba8d3cd00a3902337ffaae28f436eeb1a4 upstream.
+
+When event on child inodes are sent to the parent inode mark and
+parent inode mark was not marked with FAN_EVENT_ON_CHILD, the event
+will not be delivered to the listener process. However, if the same
+process also has a mount mark, the event to the parent inode will be
+delivered regadless of the mount mark mask.
+
+This behavior is incorrect in the case where the mount mark mask does
+not contain the specific event type. For example, the process adds
+a mark on a directory with mask FAN_MODIFY (without FAN_EVENT_ON_CHILD)
+and a mount mark with mask FAN_CLOSE_NOWRITE (without FAN_ONDIR).
+
+A modify event on a file inside that directory (and inside that mount)
+should not create a FAN_MODIFY event, because neither of the marks
+requested to get that event on the file.
+
+Fixes: 1968f5eed54c ("fanotify: use both marks when possible")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/fanotify/fanotify.c |   34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -90,7 +90,7 @@ static bool fanotify_should_send_event(s
+                                      u32 event_mask,
+                                      const void *data, int data_type)
+ {
+-      __u32 marks_mask, marks_ignored_mask;
++      __u32 marks_mask = 0, marks_ignored_mask = 0;
+       const struct path *path = data;
+       pr_debug("%s: inode_mark=%p vfsmnt_mark=%p mask=%x data=%p"
+@@ -106,24 +106,20 @@ static bool fanotify_should_send_event(s
+           !d_can_lookup(path->dentry))
+               return false;
+-      if (inode_mark && vfsmnt_mark) {
+-              marks_mask = (vfsmnt_mark->mask | inode_mark->mask);
+-              marks_ignored_mask = (vfsmnt_mark->ignored_mask | inode_mark->ignored_mask);
+-      } else if (inode_mark) {
+-              /*
+-               * if the event is for a child and this inode doesn't care about
+-               * events on the child, don't send it!
+-               */
+-              if ((event_mask & FS_EVENT_ON_CHILD) &&
+-                  !(inode_mark->mask & FS_EVENT_ON_CHILD))
+-                      return false;
+-              marks_mask = inode_mark->mask;
+-              marks_ignored_mask = inode_mark->ignored_mask;
+-      } else if (vfsmnt_mark) {
+-              marks_mask = vfsmnt_mark->mask;
+-              marks_ignored_mask = vfsmnt_mark->ignored_mask;
+-      } else {
+-              BUG();
++      /*
++       * if the event is for a child and this inode doesn't care about
++       * events on the child, don't send it!
++       */
++      if (inode_mark &&
++          (!(event_mask & FS_EVENT_ON_CHILD) ||
++           (inode_mark->mask & FS_EVENT_ON_CHILD))) {
++              marks_mask |= inode_mark->mask;
++              marks_ignored_mask |= inode_mark->ignored_mask;
++      }
++
++      if (vfsmnt_mark) {
++              marks_mask |= vfsmnt_mark->mask;
++              marks_ignored_mask |= vfsmnt_mark->ignored_mask;
+       }
+       if (d_is_dir(path->dentry) &&
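Review bot: The comment kept above the new `if (inode_mark && ...)` test in fanotify_should_send_event() still says "don't send it!", but the code no longer returns there. It only leaves the inode mark out of the combined masks, and a mount mark can still match. Reword it, for example `/* An event on a child counts against the inode mark only if that mark has FS_EVENT_ON_CHILD; the mount mark is always considered. */`. With `BUG()` gone, the case where both marks are NULL now falls through with zero masks, which looks intended but deserves a word in the same comment. The function continues past the hunk.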
diff --git a/queue-4.14/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch b/queue-4.14/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
new file mode 100644 (file)
index 0000000..98e30cd
--- /dev/null
@@ -0,0 +1,40 @@
+From a955358d54695e4ad9f7d6489a7ac4d69a8fc711 Mon Sep 17 00:00:00 2001
+From: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
+Date: Fri, 6 Apr 2018 01:09:36 +0200
+Subject: HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
+
+From: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
+
+commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711 upstream.
+
+Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device
+and then disconnecting the device, or unloading the driver, can
+cause a NULL pointer dereference.
+
+When a hidraw device is destroyed it sets 0 to `dev->exist`.
+Most functions check 'dev->exist' before doing its work, but
+`hidraw_get_report()` was missing that check.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hidraw.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -192,6 +192,11 @@ static ssize_t hidraw_get_report(struct
+       int ret = 0, len;
+       unsigned char report_number;
++      if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
++              ret = -ENODEV;
++              goto out;
++      }
++
+       dev = hidraw_table[minor]->hid;
+       if (!dev->ll_driver->raw_request) {
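Review bot: The new guard in hidraw_get_report() tests `hidraw_table[minor]` and `->exist`, then dereferences `hidraw_table[minor]->hid` on the next statement, which is only safe if the entry cannot be cleared in between. The hunk does not show which lock the caller holds, so the requirement should be written down above the check, e.g. `/* caller must hold the lock that protects hidraw_table[] */`. Reading the entry once into a local and using it for both the test and the dereference would also make the intent clearer. The `out` label and the rest of the function are outside the hunk.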
diff --git a/queue-4.14/hid-input-fix-battery-level-reporting-on-bt-mice.patch b/queue-4.14/hid-input-fix-battery-level-reporting-on-bt-mice.patch
new file mode 100644 (file)
index 0000000..c1b8208
--- /dev/null
@@ -0,0 +1,127 @@
+From 2e210bbb7429cdcf1a1a3ad00c1bf98bd9bf2452 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 3 Apr 2018 10:52:20 -0700
+Subject: HID: input: fix battery level reporting on BT mice
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 2e210bbb7429cdcf1a1a3ad00c1bf98bd9bf2452 upstream.
+
+The commit 581c4484769e ("HID: input: map digitizer battery usage")
+assumed that devices having input (qas opposed to feature) report for
+battery strength would report the data on their own, without the need to
+be polled by the kernel; unfortunately it is not so. Many wireless mice
+do not send unsolicited reports with battery strength data and have to
+be polled explicitly. As a complication, stylus devices on digitizers
+are not normally connected to the base and thus can not be polled - the
+base can only determine battery strength in the stylus when it is in
+proximity.
+
+To solve this issue, we add a special flag that tells the kernel
+to avoid polling the device (and expect unsolicited reports) and set it
+when report field with physical usage of digitizer stylus (HID_DG_STYLUS).
+Unless this flag is set, and we have not seen the unsolicited reports,
+the kernel will attempt to poll the device when userspace attempts to
+read "capacity" and "state" attributes of power_supply object
+corresponding to the devices battery.
+
+Fixes: 581c4484769e ("HID: input: map digitizer battery usage")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=198095
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: Martin van Es <martin@mrvanes.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c |   24 +++++++++++++++++-------
+ include/linux/hid.h     |    9 ++++++++-
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -387,7 +387,8 @@ static int hidinput_get_battery_property
+               break;
+       case POWER_SUPPLY_PROP_CAPACITY:
+-              if (dev->battery_report_type == HID_FEATURE_REPORT) {
++              if (dev->battery_status != HID_BATTERY_REPORTED &&
++                  !dev->battery_avoid_query) {
+                       value = hidinput_query_battery_capacity(dev);
+                       if (value < 0)
+                               return value;
+@@ -403,17 +404,17 @@ static int hidinput_get_battery_property
+               break;
+       case POWER_SUPPLY_PROP_STATUS:
+-              if (!dev->battery_reported &&
+-                  dev->battery_report_type == HID_FEATURE_REPORT) {
++              if (dev->battery_status != HID_BATTERY_REPORTED &&
++                  !dev->battery_avoid_query) {
+                       value = hidinput_query_battery_capacity(dev);
+                       if (value < 0)
+                               return value;
+                       dev->battery_capacity = value;
+-                      dev->battery_reported = true;
++                      dev->battery_status = HID_BATTERY_QUERIED;
+               }
+-              if (!dev->battery_reported)
++              if (dev->battery_status == HID_BATTERY_UNKNOWN)
+                       val->intval = POWER_SUPPLY_STATUS_UNKNOWN;
+               else if (dev->battery_capacity == 100)
+                       val->intval = POWER_SUPPLY_STATUS_FULL;
+@@ -486,6 +487,14 @@ static int hidinput_setup_battery(struct
+       dev->battery_report_type = report_type;
+       dev->battery_report_id = field->report->id;
++      /*
++       * Stylus is normally not connected to the device and thus we
++       * can't query the device and get meaningful battery strength.
++       * We have to wait for the device to report it on its own.
++       */
++      dev->battery_avoid_query = report_type == HID_INPUT_REPORT &&
++                                 field->physical == HID_DG_STYLUS;
++
+       dev->battery = power_supply_register(&dev->dev, psy_desc, &psy_cfg);
+       if (IS_ERR(dev->battery)) {
+               error = PTR_ERR(dev->battery);
+@@ -530,9 +539,10 @@ static void hidinput_update_battery(stru
+       capacity = hidinput_scale_battery_capacity(dev, value);
+-      if (!dev->battery_reported || capacity != dev->battery_capacity) {
++      if (dev->battery_status != HID_BATTERY_REPORTED ||
++          capacity != dev->battery_capacity) {
+               dev->battery_capacity = capacity;
+-              dev->battery_reported = true;
++              dev->battery_status = HID_BATTERY_REPORTED;
+               power_supply_changed(dev->battery);
+       }
+ }
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -512,6 +512,12 @@ enum hid_type {
+       HID_TYPE_USBNONE
+ };
++enum hid_battery_status {
++      HID_BATTERY_UNKNOWN = 0,
++      HID_BATTERY_QUERIED,            /* Kernel explicitly queried battery strength */
++      HID_BATTERY_REPORTED,           /* Device sent unsolicited battery strength report */
++};
++
+ struct hid_driver;
+ struct hid_ll_driver;
+@@ -554,7 +560,8 @@ struct hid_device {                                                        /* device repo
+       __s32 battery_max;
+       __s32 battery_report_type;
+       __s32 battery_report_id;
+-      bool battery_reported;
++      enum hid_battery_status battery_status;
++      bool battery_avoid_query;
+ #endif
+       unsigned int status;                                            /* see STAT flags above */
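Review bot: In hidinput_get_battery_property() the POWER_SUPPLY_PROP_STATUS branch queries the device whenever `battery_status != HID_BATTERY_REPORTED`, so setting `HID_BATTERY_QUERIED` does not stop later reads from polling again, whereas the old `battery_reported = true` did. If that is intended for mice that never send unsolicited reports, every userspace read of "capacity" or "status" becomes a device transaction, and no rate limit is visible in these hunks. A comment on the condition such as `/* poll on every read until the device reports on its own */` would document it. Reusing the last queried value for a short interval would bound the traffic. The function bodies are only partly visible.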
diff --git a/queue-4.14/hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch b/queue-4.14/hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch
new file mode 100644 (file)
index 0000000..43b2cf9
--- /dev/null
@@ -0,0 +1,122 @@
+From 619d3a2922ce623ca2eca443cc936810d328317c Mon Sep 17 00:00:00 2001
+From: Aaron Armstrong Skomra <skomra@gmail.com>
+Date: Wed, 4 Apr 2018 14:24:11 -0700
+Subject: HID: wacom: bluetooth: send exit report for recent Bluetooth devices
+
+From: Aaron Armstrong Skomra <skomra@gmail.com>
+
+commit 619d3a2922ce623ca2eca443cc936810d328317c upstream.
+
+The code path for recent Bluetooth devices omits an exit report which
+resets all the values of the device.
+
+Fixes: 4922cd26f0 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+Cc: <stable@vger.kernel.org> # 4.11
+Signed-off-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c |   76 +++++++++++++++++++++++++++++-------------------
+ 1 file changed, 46 insertions(+), 30 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -689,6 +689,45 @@ static int wacom_intuos_get_tool_type(in
+       return tool_type;
+ }
++static void wacom_exit_report(struct wacom_wac *wacom)
++{
++      struct input_dev *input = wacom->pen_input;
++      struct wacom_features *features = &wacom->features;
++      unsigned char *data = wacom->data;
++      int idx = (features->type == INTUOS) ? (data[1] & 0x01) : 0;
++
++      /*
++       * Reset all states otherwise we lose the initial states
++       * when in-prox next time
++       */
++      input_report_abs(input, ABS_X, 0);
++      input_report_abs(input, ABS_Y, 0);
++      input_report_abs(input, ABS_DISTANCE, 0);
++      input_report_abs(input, ABS_TILT_X, 0);
++      input_report_abs(input, ABS_TILT_Y, 0);
++      if (wacom->tool[idx] >= BTN_TOOL_MOUSE) {
++              input_report_key(input, BTN_LEFT, 0);
++              input_report_key(input, BTN_MIDDLE, 0);
++              input_report_key(input, BTN_RIGHT, 0);
++              input_report_key(input, BTN_SIDE, 0);
++              input_report_key(input, BTN_EXTRA, 0);
++              input_report_abs(input, ABS_THROTTLE, 0);
++              input_report_abs(input, ABS_RZ, 0);
++      } else {
++              input_report_abs(input, ABS_PRESSURE, 0);
++              input_report_key(input, BTN_STYLUS, 0);
++              input_report_key(input, BTN_STYLUS2, 0);
++              input_report_key(input, BTN_TOUCH, 0);
++              input_report_abs(input, ABS_WHEEL, 0);
++              if (features->type >= INTUOS3S)
++                      input_report_abs(input, ABS_Z, 0);
++      }
++      input_report_key(input, wacom->tool[idx], 0);
++      input_report_abs(input, ABS_MISC, 0); /* reset tool id */
++      input_event(input, EV_MSC, MSC_SERIAL, wacom->serial[idx]);
++      wacom->id[idx] = 0;
++}
++
+ static int wacom_intuos_inout(struct wacom_wac *wacom)
+ {
+       struct wacom_features *features = &wacom->features;
+@@ -741,36 +780,7 @@ static int wacom_intuos_inout(struct wac
+               if (!wacom->id[idx])
+                       return 1;
+-              /*
+-               * Reset all states otherwise we lose the initial states
+-               * when in-prox next time
+-               */
+-              input_report_abs(input, ABS_X, 0);
+-              input_report_abs(input, ABS_Y, 0);
+-              input_report_abs(input, ABS_DISTANCE, 0);
+-              input_report_abs(input, ABS_TILT_X, 0);
+-              input_report_abs(input, ABS_TILT_Y, 0);
+-              if (wacom->tool[idx] >= BTN_TOOL_MOUSE) {
+-                      input_report_key(input, BTN_LEFT, 0);
+-                      input_report_key(input, BTN_MIDDLE, 0);
+-                      input_report_key(input, BTN_RIGHT, 0);
+-                      input_report_key(input, BTN_SIDE, 0);
+-                      input_report_key(input, BTN_EXTRA, 0);
+-                      input_report_abs(input, ABS_THROTTLE, 0);
+-                      input_report_abs(input, ABS_RZ, 0);
+-              } else {
+-                      input_report_abs(input, ABS_PRESSURE, 0);
+-                      input_report_key(input, BTN_STYLUS, 0);
+-                      input_report_key(input, BTN_STYLUS2, 0);
+-                      input_report_key(input, BTN_TOUCH, 0);
+-                      input_report_abs(input, ABS_WHEEL, 0);
+-                      if (features->type >= INTUOS3S)
+-                              input_report_abs(input, ABS_Z, 0);
+-              }
+-              input_report_key(input, wacom->tool[idx], 0);
+-              input_report_abs(input, ABS_MISC, 0); /* reset tool id */
+-              input_event(input, EV_MSC, MSC_SERIAL, wacom->serial[idx]);
+-              wacom->id[idx] = 0;
++              wacom_exit_report(wacom);
+               return 2;
+       }
+@@ -1226,6 +1236,12 @@ static void wacom_intuos_pro2_bt_pen(str
+               if (!valid)
+                       continue;
++              if (!prox) {
++                      wacom->shared->stylus_in_proximity = false;
++                      wacom_exit_report(wacom);
++                      input_sync(pen_input);
++                      return;
++              }
+               if (range) {
+                       /* Fix rotation alignment: userspace expects zero at left */
+                       int16_t rotation = (int16_t)get_unaligned_le16(&frame[9]);
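Review bot: The `if (!prox)` branch added to wacom_intuos_pro2_bt_pen() follows a `continue`, so it appears to sit inside a per-frame loop, and its `return` would drop any remaining frames of the same report. It also calls wacom_exit_report() unconditionally, while the other caller, wacom_intuos_inout(), first checks `if (!wacom->id[idx]) return 1;` and so sends the exit report only once per tool. If neither effect is intended, guard the call the same way. If both are intentional, a comment such as `/* pen left proximity: later frames carry no data */` would say so. The loop and the rest of the function are outside the hunk.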
diff --git a/queue-4.14/mips-memset.s-eva-fault-support-for-small_memset.patch b/queue-4.14/mips-memset.s-eva-fault-support-for-small_memset.patch
new file mode 100644 (file)
index 0000000..f6d0d7f
--- /dev/null
@@ -0,0 +1,65 @@
+From 8a8158c85e1e774a44fbe81106fa41138580dfd1 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Thu, 29 Mar 2018 10:28:23 +0100
+Subject: MIPS: memset.S: EVA & fault support for small_memset
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+commit 8a8158c85e1e774a44fbe81106fa41138580dfd1 upstream.
+
+The MIPS kernel memset / bzero implementation includes a small_memset
+branch which is used when the region to be set is smaller than a long (4
+bytes on 32bit, 8 bytes on 64bit). The current small_memset
+implementation uses a simple store byte loop to write the destination.
+There are 2 issues with this implementation:
+
+1. When EVA mode is active, user and kernel address spaces may overlap.
+Currently the use of the sb instruction means kernel mode addressing is
+always used and an intended write to userspace may actually overwrite
+some critical kernel data.
+
+2. If the write triggers a page fault, for example by calling
+__clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS
+is triggered.
+
+Fix these issues by replacing the sb instruction with the EX() macro,
+which will emit EVA compatible instuctions as required. Additionally
+implement a fault fixup for small_memset which sets a2 to the number of
+bytes that could not be cleared (as defined by __clear_user).
+
+Reported-by: Chuanhua Lei <chuanhua.lei@intel.com>
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/18975/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lib/memset.S |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -219,7 +219,7 @@
+ 1:    PTR_ADDIU       a0, 1                   /* fill bytewise */
+       R10KCBARRIER(0(ra))
+       bne             t1, a0, 1b
+-      sb              a1, -1(a0)
++       EX(sb, a1, -1(a0), .Lsmall_fixup\@)
+ 2:    jr              ra                      /* done */
+       move            a2, zero
+@@ -260,6 +260,11 @@
+       jr              ra
+       andi            v1, a2, STORMASK
++.Lsmall_fixup\@:
++      PTR_SUBU        a2, t1, a0
++      jr              ra
++       PTR_ADDIU      a2, 1
++
+       .endm
+ /*
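Review bot: The new `.Lsmall_fixup\@` handler in the second hunk has no comment explaining why the remaining count is `t1 - a0 + 1`, which is the value `__clear_user` hands back as the number of bytes not cleared. In the loop of the first hunk, `PTR_ADDIU a0, 1` runs before the store to `-1(a0)`, so at fault time a0 already points one past the faulting byte. A comment above `PTR_SUBU a2, t1, a0` such as `/* a0 is one past the faulting byte: a2 = t1 - a0 + 1 */` would make that dependency explicit. The macro begins and ends outside these hunks, so how t1 is set up should be confirmed there.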
diff --git a/queue-4.14/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch b/queue-4.14/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
new file mode 100644 (file)
index 0000000..78f22d7
--- /dev/null
@@ -0,0 +1,77 @@
+From c96eebf07692e53bf4dd5987510d8b550e793598 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Tue, 17 Apr 2018 16:40:00 +0100
+Subject: MIPS: memset.S: Fix clobber of v1 in last_fixup
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream.
+
+The label .Llast_fixup\@ is jumped to on page fault within the final
+byte set loop of memset (on < MIPSR6 architectures). For some reason, in
+this fault handler, the v1 register is randomly set to a2 & STORMASK.
+This clobbers v1 for the calling function. This can be observed with the
+following test code:
+
+static int __init __attribute__((optimize("O0"))) test_clear_user(void)
+{
+  register int t asm("v1");
+  char *test;
+  int j, k;
+
+  pr_info("\n\n\nTesting clear_user\n");
+  test = vmalloc(PAGE_SIZE);
+
+  for (j = 256; j < 512; j++) {
+    t = 0xa5a5a5a5;
+    if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
+        pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k);
+    }
+    if (t != 0xa5a5a5a5) {
+       pr_err("v1 was clobbered to 0x%x!\n", t);
+    }
+  }
+
+  return 0;
+}
+late_initcall(test_clear_user);
+
+Which demonstrates that v1 is indeed clobbered (MIPS64):
+
+Testing clear_user
+v1 was clobbered to 0x1!
+v1 was clobbered to 0x2!
+v1 was clobbered to 0x3!
+v1 was clobbered to 0x4!
+v1 was clobbered to 0x5!
+v1 was clobbered to 0x6!
+v1 was clobbered to 0x7!
+
+Since the number of bytes that could not be set is already contained in
+a2, the andi placing a value in v1 is not necessary and actively
+harmful in clobbering v1.
+
+Reported-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19109/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lib/memset.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -258,7 +258,7 @@
+ .Llast_fixup\@:
+       jr              ra
+-      andi            v1, a2, STORMASK
++       nop
+ .Lsmall_fixup\@:
+       PTR_SUBU        a2, t1, a0
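Review bot: The bare `nop` that now fills the `jr ra` delay slot under `.Llast_fixup\@` carries no comment, so the reason the handler computes nothing is recorded only in the commit message. A short comment on that line, such as `/* a2 already holds the number of bytes not set */`, would keep a later editor from reintroducing a register write here. The code that leaves a2 correct on entry to this label is outside the hunk.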
diff --git a/queue-4.14/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch b/queue-4.14/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
new file mode 100644 (file)
index 0000000..17e6d99
--- /dev/null
@@ -0,0 +1,57 @@
+From daf70d89f80c6e1772233da9e020114b1254e7e0 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Tue, 17 Apr 2018 15:52:21 +0100
+Subject: MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream.
+
+The __clear_user function is defined to return the number of bytes that
+could not be cleared. From the underlying memset / bzero implementation
+this means setting register a2 to that number on return. Currently if a
+page fault is triggered within the memset_partial block, the value
+loaded into a2 on return is meaningless.
+
+The label .Lpartial_fixup\@ is jumped to on page fault. In order to work
+out how many bytes failed to copy, the exception handler should find how
+many bytes left in the partial block (andi a2, STORMASK), add that to
+the partial block end address (a2), and subtract the faulting address to
+get the remainder. Currently it incorrectly subtracts the partial block
+start address (t1), which has additionally been clobbered to generate a
+jump target in memset_partial. Fix this by adding the block end address
+instead.
+
+This issue was found with the following test code:
+      int j, k;
+      for (j = 0; j < 512; j++) {
+        if ((k = clear_user(NULL, j)) != j) {
+           pr_err("clear_user (NULL %d) returned %d\n", j, k);
+        }
+      }
+Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64).
+
+Suggested-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19108/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lib/memset.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -252,7 +252,7 @@
+       PTR_L           t0, TI_TASK($28)
+       andi            a2, STORMASK
+       LONG_L          t0, THREAD_BUADDR(t0)
+-      LONG_ADDU       a2, t1
++      LONG_ADDU       a2, a0
+       jr              ra
+       LONG_SUBU       a2, t0
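Review bot: The replacement `LONG_ADDU a2, a0` relies on a0 holding the end address of the partial block when the fault is taken, and nothing in the fixup says so. The instructions that establish that value are outside this hunk, and the description names the end address as a2 while the code adds a0, so the arithmetic is hard to check from here. A comment above the sequence such as `/* a2 = (a2 & STORMASK) + a0 (partial block end) - faulting address */` would document how the byte count returned by `__clear_user` is derived.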
diff --git a/queue-4.14/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch b/queue-4.14/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch
new file mode 100644 (file)
index 0000000..204ccc8
--- /dev/null
@@ -0,0 +1,60 @@
+From b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Tue, 17 Apr 2018 16:40:01 +0100
+Subject: MIPS: uaccess: Add micromips clobbers to bzero invocation
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 upstream.
+
+The micromips implementation of bzero additionally clobbers registers t7
+& t8. Specify this in the clobbers list when invoking bzero.
+
+Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.")
+Reported-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # 3.10+
+Patchwork: https://patchwork.linux-mips.org/patch/19110/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/uaccess.h |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/include/asm/uaccess.h
++++ b/arch/mips/include/asm/uaccess.h
+@@ -654,6 +654,13 @@ __clear_user(void __user *addr, __kernel
+ {
+       __kernel_size_t res;
++#ifdef CONFIG_CPU_MICROMIPS
++/* micromips memset / bzero also clobbers t7 & t8 */
++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31"
++#else
++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"
++#endif /* CONFIG_CPU_MICROMIPS */
++
+       if (eva_kernel_access()) {
+               __asm__ __volatile__(
+                       "move\t$4, %1\n\t"
+@@ -663,7 +670,7 @@ __clear_user(void __user *addr, __kernel
+                       "move\t%0, $6"
+                       : "=r" (res)
+                       : "r" (addr), "r" (size)
+-                      : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
++                      : bzero_clobbers);
+       } else {
+               might_fault();
+               __asm__ __volatile__(
+@@ -674,7 +681,7 @@ __clear_user(void __user *addr, __kernel
+                       "move\t%0, $6"
+                       : "=r" (res)
+                       : "r" (addr), "r" (size)
+-                      : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
++                      : bzero_clobbers);
+       }
+       return res;
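Review bot: `bzero_clobbers` is defined inside the body of `__clear_user` in a header and no `#undef` is visible in these hunks, so the lower-case macro would leak into every file that includes uaccess.h after this point. Adding `#undef bzero_clobbers` after the last asm statement, or moving the definition above the function under an upper-case name, keeps it from colliding with an identifier elsewhere. The function's closing lines are outside the last hunk, so an existing `#undef` there cannot be ruled out.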
diff --git a/queue-4.14/mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch b/queue-4.14/mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch
new file mode 100644 (file)
index 0000000..3c46a5b
--- /dev/null
@@ -0,0 +1,86 @@
+From 300ad8992913025b4294d4fc37b6bfff4a8b7ad1 Mon Sep 17 00:00:00 2001
+From: Daniel Kurtz <djkurtz@chromium.org>
+Date: Fri, 6 Apr 2018 16:07:59 -0600
+Subject: mmc: sdhci-pci: Only do AMD tuning for HS200
+
+From: Daniel Kurtz <djkurtz@chromium.org>
+
+commit 300ad8992913025b4294d4fc37b6bfff4a8b7ad1 upstream.
+
+Commit c31165d7400b ("mmc: sdhci-pci: Add support for HS200 tuning mode
+on AMD, eMMC-4.5.1") added a HS200 tuning method for use with AMD SDHCI
+controllers.  As described in the commit subject, this tuning is specific
+for HS200.  However, as implemented, this method is used for all host
+timings, because platform_execute_tuning, if it exists, is called
+unconditionally by sdhci_execute_tuning().  This breaks tuning when using
+the AMD controller with, for example, a DDR50 SD card.
+
+Instead, we can implement an amd execute_tuning wrapper callback, and
+then conditionally do the HS200 specific tuning for HS200, and otherwise
+call back to the standard sdhci_execute_tuning().
+
+Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: c31165d7400b ("mmc: sdhci-pci: Add support for HS200 tuning mode on AMD, eMMC-4.5.1")
+Cc: stable@vger.kernel.org # v4.11+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-pci-core.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -1192,7 +1192,7 @@ static void amd_enable_manual_tuning(str
+       pci_write_config_dword(pdev, AMD_SD_MISC_CONTROL, val);
+ }
+-static int amd_execute_tuning(struct sdhci_host *host, u32 opcode)
++static int amd_execute_tuning_hs200(struct sdhci_host *host, u32 opcode)
+ {
+       struct sdhci_pci_slot *slot = sdhci_priv(host);
+       struct pci_dev *pdev = slot->chip->pdev;
+@@ -1231,6 +1231,27 @@ static int amd_execute_tuning(struct sdh
+       return 0;
+ }
++static int amd_execute_tuning(struct mmc_host *mmc, u32 opcode)
++{
++      struct sdhci_host *host = mmc_priv(mmc);
++
++      /* AMD requires custom HS200 tuning */
++      if (host->timing == MMC_TIMING_MMC_HS200)
++              return amd_execute_tuning_hs200(host, opcode);
++
++      /* Otherwise perform standard SDHCI tuning */
++      return sdhci_execute_tuning(mmc, opcode);
++}
++
++static int amd_probe_slot(struct sdhci_pci_slot *slot)
++{
++      struct mmc_host_ops *ops = &slot->host->mmc_host_ops;
++
++      ops->execute_tuning = amd_execute_tuning;
++
++      return 0;
++}
++
+ static int amd_probe(struct sdhci_pci_chip *chip)
+ {
+       struct pci_dev  *smbus_dev;
+@@ -1265,12 +1286,12 @@ static const struct sdhci_ops amd_sdhci_
+       .set_bus_width                  = sdhci_set_bus_width,
+       .reset                          = sdhci_reset,
+       .set_uhs_signaling              = sdhci_set_uhs_signaling,
+-      .platform_execute_tuning        = amd_execute_tuning,
+ };
+ static const struct sdhci_pci_fixes sdhci_amd = {
+       .probe          = amd_probe,
+       .ops            = &amd_sdhci_pci_ops,
++      .probe_slot     = amd_probe_slot,
+ };
+ static const struct pci_device_id pci_ids[] = {
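Review bot: `amd_probe_slot()` in the second hunk replaces `mmc_host_ops.execute_tuning` without a comment saying why the hook moved away from `sdhci_ops.platform_execute_tuning`, and that reason is easy to lose. I would add above the assignment something like `/* platform_execute_tuning is called for every timing; override execute_tuning so only HS200 takes the AMD path */`. Separately, the visible tail of `amd_execute_tuning_hs200()` is `return 0;`. Its body is outside the hunk, so whether a run with no working phase is reported as an error should be checked there.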
diff --git a/queue-4.14/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch b/queue-4.14/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
new file mode 100644 (file)
index 0000000..6a0361f
--- /dev/null
@@ -0,0 +1,56 @@
+From 13a83eac373c49c0a081cbcd137e79210fe78acd Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Wed, 11 Apr 2018 13:37:58 +1000
+Subject: powerpc/eeh: Fix enabling bridge MMIO windows
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 13a83eac373c49c0a081cbcd137e79210fe78acd upstream.
+
+On boot we save the configuration space of PCIe bridges. We do this so
+when we get an EEH event and everything gets reset that we can restore
+them.
+
+Unfortunately we save this state before we've enabled the MMIO space
+on the bridges. Hence if we have to reset the bridge when we come back
+MMIO is not enabled and we end up taking an PE freeze when the driver
+starts accessing again.
+
+This patch forces the memory/MMIO and bus mastering on when restoring
+bridges on EEH. Ideally we'd do this correctly by saving the
+configuration space writes later, but that will have to come later in
+a larger EEH rewrite. For now we have this simple fix.
+
+The original bug can be triggered on a boston machine by doing:
+  echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound
+On boston, this PHB has a PCIe switch on it.  Without this patch,
+you'll see two EEH events, 1 expected and 1 the failure we are fixing
+here. The second EEH event causes the anything under the PHB to
+disappear (i.e. the i40e eth).
+
+With this patch, only 1 EEH event occurs and devices properly recover.
+
+Fixes: 652defed4875 ("powerpc/eeh: Check PCIe link after reset")
+Cc: stable@vger.kernel.org # v3.11+
+Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Acked-by: Russell Currey <ruscur@russell.cc>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/eeh_pe.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/eeh_pe.c
++++ b/arch/powerpc/kernel/eeh_pe.c
+@@ -807,7 +807,8 @@ static void eeh_restore_bridge_bars(stru
+       eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]);
+       /* PCI Command: 0x4 */
+-      eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]);
++      eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] |
++                            PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
+       /* Check the PCIe link is ready */
+       eeh_bridge_check_link(edev);
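Review bot: The comment `/* PCI Command: 0x4 */` above the changed `write_config` call no longer matches what is written, because the restore now forces `PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER` on regardless of the saved value. Since this enables memory decoding and bus mastering on every bridge restored here, the comment should say so and why, e.g. `/* PCI Command: 0x4; force MEM and bus-master on, the saved copy predates MMIO enable */`. `eeh_restore_bridge_bars()` begins and ends outside the hunk.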
diff --git a/queue-4.14/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch b/queue-4.14/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
new file mode 100644 (file)
index 0000000..bed780f
--- /dev/null
@@ -0,0 +1,53 @@
+From b8858581febb050688e276b956796bc4a78299ed Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 16 Apr 2018 23:25:19 +1000
+Subject: powerpc/lib: Fix off-by-one in alternate feature patching
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit b8858581febb050688e276b956796bc4a78299ed upstream.
+
+When we patch an alternate feature section, we have to adjust any
+relative branches that branch out of the alternate section.
+
+But currently we have a bug if we have a branch that points to past
+the last instruction of the alternate section, eg:
+
+  FTR_SECTION_ELSE
+  1:     b       2f
+         or      6,6,6
+  2:
+  ALT_FTR_SECTION_END(...)
+         nop
+
+This will result in a relative branch at 1 with a target that equals
+the end of the alternate section.
+
+That branch does not need adjusting when it's moved to the non-else
+location. Currently we do adjust it, resulting in a branch that goes
+off into the link-time location of the else section, which is junk.
+
+The fix is to not patch branches that have a target == end of the
+alternate section.
+
+Fixes: d20fe50a7b3c ("KVM: PPC: Book3S HV: Branch inside feature section")
+Fixes: 9b1a735de64c ("powerpc: Add logic to patch alternative feature sections")
+Cc: stable@vger.kernel.org # v2.6.27+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/feature-fixups.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/lib/feature-fixups.c
++++ b/arch/powerpc/lib/feature-fixups.c
+@@ -55,7 +55,7 @@ static int patch_alt_instruction(unsigne
+               unsigned int *target = (unsigned int *)branch_target(src);
+               /* Branch within the section doesn't need translating */
+-              if (target < alt_start || target >= alt_end) {
++              if (target < alt_start || target > alt_end) {
+                       instr = translate_branch(dest, src);
+                       if (!instr)
+                               return 1;
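Review bot: The comment `/* Branch within the section doesn't need translating */` is now incomplete. With `target > alt_end`, a branch whose target equals `alt_end` is also left untranslated, which is the case this change exists for. I would update it to `/* Branch within the section, or to its end, doesn't need translating */` so the boundary is not changed back to `>=` later. `patch_alt_instruction()` starts and ends outside the hunk.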
diff --git a/queue-4.14/powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch b/queue-4.14/powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch
new file mode 100644 (file)
index 0000000..76eafa2
--- /dev/null
@@ -0,0 +1,44 @@
+From b32e56e5a87a1f9243db92bc7a5df0ffb4627cfb Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Wed, 11 Apr 2018 15:17:59 +1000
+Subject: powerpc/xive: Fix trying to "push" an already active pool VP
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit b32e56e5a87a1f9243db92bc7a5df0ffb4627cfb upstream.
+
+When setting up a CPU, we "push" (activate) a pool VP for it.
+
+However it's an error to do so if it already has an active
+pool VP.
+
+This happens when doing soft CPU hotplug on powernv since we
+don't tear down the CPU on unplug. The HW flags the error which
+gets captured by the diagnostics.
+
+Fix this by making sure to "pull" out any already active pool
+first.
+
+Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller")
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/sysdev/xive/native.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/sysdev/xive/native.c
++++ b/arch/powerpc/sysdev/xive/native.c
+@@ -388,6 +388,10 @@ static void xive_native_setup_cpu(unsign
+       if (xive_pool_vps == XIVE_INVALID_VP)
+               return;
++      /* Check if pool VP already active, if it is, pull it */
++      if (in_be32(xive_tima + TM_QW2_HV_POOL + TM_WORD2) & TM_QW2W2_VP)
++              in_be64(xive_tima + TM_SPC_PULL_POOL_CTX);
++
+       /* Enable the pool VP */
+       vp = xive_pool_vps + cpu;
+       pr_debug("CPU %d setting up pool VP 0x%x\n", cpu, vp);
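Review bot: The added `in_be64(xive_tima + TM_SPC_PULL_POOL_CTX);` discards its result, and the comment above it does not say that the load itself is what pulls the context. A reader or a static checker may take the statement for dead code. A comment such as `/* the read performs the pull; the returned value is not needed */` (assuming that is the hardware behaviour the description refers to) together with a `(void)` cast would make the intent explicit. `xive_native_setup_cpu()` continues outside the hunk.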
diff --git a/queue-4.14/random-add-new-ioctl-rndreseedcrng.patch b/queue-4.14/random-add-new-ioctl-rndreseedcrng.patch
new file mode 100644 (file)
index 0000000..13e6f1e
--- /dev/null
@@ -0,0 +1,75 @@
+From d848e5f8e1ebdb227d045db55fe4f825e82965fa Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 11 Apr 2018 16:32:17 -0400
+Subject: random: add new ioctl RNDRESEEDCRNG
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit d848e5f8e1ebdb227d045db55fe4f825e82965fa upstream.
+
+Add a new ioctl which forces the the crng to be reseeded.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c       |   13 ++++++++++++-
+ include/uapi/linux/random.h |    3 +++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -429,6 +429,7 @@ struct crng_state primary_crng = {
+ static int crng_init = 0;
+ #define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
++static unsigned long crng_global_init_time = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+ static void _extract_crng(struct crng_state *crng,
+                         __u8 out[CHACHA20_BLOCK_SIZE]);
+@@ -932,7 +933,8 @@ static void _extract_crng(struct crng_st
+       unsigned long v, flags;
+       if (crng_ready() &&
+-          time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))
++          (time_after(crng_global_init_time, crng->init_time) ||
++           time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)))
+               crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
+       spin_lock_irqsave(&crng->lock, flags);
+       if (arch_get_random_long(&v))
+@@ -1759,6 +1761,7 @@ static int rand_initialize(void)
+       init_std_data(&input_pool);
+       init_std_data(&blocking_pool);
+       crng_initialize(&primary_crng);
++      crng_global_init_time = jiffies;
+       return 0;
+ }
+ early_initcall(rand_initialize);
+@@ -1932,6 +1935,14 @@ static long random_ioctl(struct file *f,
+               input_pool.entropy_count = 0;
+               blocking_pool.entropy_count = 0;
+               return 0;
++      case RNDRESEEDCRNG:
++              if (!capable(CAP_SYS_ADMIN))
++                      return -EPERM;
++              if (crng_init < 2)
++                      return -ENODATA;
++              crng_reseed(&primary_crng, NULL);
++              crng_global_init_time = jiffies - 1;
++              return 0;
+       default:
+               return -EINVAL;
+       }
+--- a/include/uapi/linux/random.h
++++ b/include/uapi/linux/random.h
+@@ -35,6 +35,9 @@
+ /* Clear the entropy pool and associated counters.  (Superuser only.) */
+ #define RNDCLEARPOOL  _IO( 'R', 0x06 )
++/* Reseed CRNG.  (Superuser only.) */
++#define RNDRESEEDCRNG _IO( 'R', 0x07 )
++
+ struct rand_pool_info {
+       int     entropy_count;
+       int     buf_size;
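Review bot: The new `RNDRESEEDCRNG` case calls `crng_reseed(&primary_crng, NULL)`, while the `_extract_crng` hunk above passes `&input_pool` whenever the instance is `primary_crng` and `NULL` only for the others. `crng_reseed()` is not part of this patch, so what a NULL source means for the primary instance is not visible here. If it reseeds from the CRNG's own output rather than from the input pool, the ioctl would not mix in fresh entropy; `crng_reseed(&primary_crng, &input_pool);` would match the other call site. Also, `crng_global_init_time` is written here and read in `_extract_crng` with no lock or `READ_ONCE`/`WRITE_ONCE` visible, which deserves an annotation or at least a comment.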
diff --git a/queue-4.14/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch b/queue-4.14/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch
new file mode 100644 (file)
index 0000000..e76e60c
--- /dev/null
@@ -0,0 +1,40 @@
+From 0bb29a849a6433b72e249eea7695477b02056e94 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 12 Apr 2018 00:50:45 -0400
+Subject: random: crng_reseed() should lock the crng instance that it is modifying
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 0bb29a849a6433b72e249eea7695477b02056e94 upstream.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...")
+Cc: stable@kernel.org # 4.8+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -905,7 +905,7 @@ static void crng_reseed(struct crng_stat
+               _crng_backtrack_protect(&primary_crng, buf.block,
+                                       CHACHA20_KEY_SIZE);
+       }
+-      spin_lock_irqsave(&primary_crng.lock, flags);
++      spin_lock_irqsave(&crng->lock, flags);
+       for (i = 0; i < 8; i++) {
+               unsigned long   rv;
+               if (!arch_get_random_seed_long(&rv) &&
+@@ -915,7 +915,7 @@ static void crng_reseed(struct crng_stat
+       }
+       memzero_explicit(&buf, sizeof(buf));
+       crng->init_time = jiffies;
+-      spin_unlock_irqrestore(&primary_crng.lock, flags);
++      spin_unlock_irqrestore(&crng->lock, flags);
+       if (crng == &primary_crng && crng_init < 2) {
+               invalidate_batched_entropy();
+               numa_crng_init();
diff --git a/queue-4.14/random-fix-crng_ready-test.patch b/queue-4.14/random-fix-crng_ready-test.patch
new file mode 100644 (file)
index 0000000..be7ae16
--- /dev/null
@@ -0,0 +1,78 @@
+From 43838a23a05fbd13e47d750d3dfd77001536dd33 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 11 Apr 2018 13:27:52 -0400
+Subject: random: fix crng_ready() test
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 43838a23a05fbd13e47d750d3dfd77001536dd33 upstream.
+
+The crng_init variable has three states:
+
+0: The CRNG is not initialized at all
+1: The CRNG has a small amount of entropy, hopefully good enough for
+   early-boot, non-cryptographical use cases
+2: The CRNG is fully initialized and we are sure it is safe for
+   cryptographic use cases.
+
+The crng_ready() function should only return true once we are in the
+last state.  This addresses CVE-2018-1108.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: e192be9d9a30 ("random: replace non-blocking pool...")
+Cc: stable@kernel.org # 4.8+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -427,7 +427,7 @@ struct crng_state primary_crng = {
+  * its value (from 0->1->2).
+  */
+ static int crng_init = 0;
+-#define crng_ready() (likely(crng_init > 0))
++#define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+ static void _extract_crng(struct crng_state *crng,
+@@ -793,7 +793,7 @@ static int crng_fast_load(const char *cp
+       if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+               return 0;
+-      if (crng_ready()) {
++      if (crng_init != 0) {
+               spin_unlock_irqrestore(&primary_crng.lock, flags);
+               return 0;
+       }
+@@ -855,7 +855,7 @@ static void _extract_crng(struct crng_st
+ {
+       unsigned long v, flags;
+-      if (crng_init > 1 &&
++      if (crng_ready() &&
+           time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))
+               crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
+       spin_lock_irqsave(&crng->lock, flags);
+@@ -1141,7 +1141,7 @@ void add_interrupt_randomness(int irq, i
+       fast_mix(fast_pool);
+       add_interrupt_bench(cycles);
+-      if (!crng_ready()) {
++      if (unlikely(crng_init == 0)) {
+               if ((fast_pool->count >= 64) &&
+                   crng_fast_load((char *) fast_pool->pool,
+                                  sizeof(fast_pool->pool))) {
+@@ -2214,7 +2214,7 @@ void add_hwgenerator_randomness(const ch
+ {
+       struct entropy_store *poolp = &input_pool;
+-      if (!crng_ready()) {
++      if (unlikely(crng_init == 0)) {
+               crng_fast_load(buffer, count);
+               return;
+       }
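Review bot: After this change `crng_ready()` means state 2 only, and three call sites (`crng_fast_load`, `add_interrupt_randomness`, `add_hwgenerator_randomness`) now open-code `crng_init != 0` or `crng_init == 0`, so the three states are told apart by bare numbers. Since treating state 1 as ready is the defect being fixed, I would name the states, for example `enum { CRNG_EMPTY = 0, CRNG_EARLY = 1, CRNG_READY = 2 };` (the names are a suggestion), and compare against those. All of the touched functions start or end outside their hunks.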
diff --git a/queue-4.14/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch b/queue-4.14/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch
new file mode 100644 (file)
index 0000000..b999809
--- /dev/null
@@ -0,0 +1,98 @@
+From 8ef35c866f8862df074a49a93b0309725812dea8 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 11 Apr 2018 15:23:56 -0400
+Subject: random: set up the NUMA crng instances after the CRNG is fully initialized
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 8ef35c866f8862df074a49a93b0309725812dea8 upstream.
+
+Until the primary_crng is fully initialized, don't initialize the NUMA
+crng nodes.  Otherwise users of /dev/urandom on NUMA systems before
+the CRNG is fully initialized can get very bad quality randomness.  Of
+course everyone should move to getrandom(2) where this won't be an
+issue, but there's a lot of legacy code out there.  This related to
+CVE-2018-1108.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...")
+Cc: stable@kernel.org # 4.8+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c |   46 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 19 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -786,6 +786,32 @@ static void crng_initialize(struct crng_
+       crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
++#ifdef CONFIG_NUMA
++static void numa_crng_init(void)
++{
++      int i;
++      struct crng_state *crng;
++      struct crng_state **pool;
++
++      pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
++      for_each_online_node(i) {
++              crng = kmalloc_node(sizeof(struct crng_state),
++                                  GFP_KERNEL | __GFP_NOFAIL, i);
++              spin_lock_init(&crng->lock);
++              crng_initialize(crng);
++              pool[i] = crng;
++      }
++      mb();
++      if (cmpxchg(&crng_node_pool, NULL, pool)) {
++              for_each_node(i)
++                      kfree(pool[i]);
++              kfree(pool);
++      }
++}
++#else
++static void numa_crng_init(void) {}
++#endif
++
+ /*
+  * crng_fast_load() can be called by code in the interrupt service
+  * path.  So we can't afford to dilly-dally.
+@@ -892,6 +918,7 @@ static void crng_reseed(struct crng_stat
+       spin_unlock_irqrestore(&primary_crng.lock, flags);
+       if (crng == &primary_crng && crng_init < 2) {
+               invalidate_batched_entropy();
++              numa_crng_init();
+               crng_init = 2;
+               process_random_ready_list();
+               wake_up_interruptible(&crng_init_wait);
+@@ -1729,28 +1756,9 @@ static void init_std_data(struct entropy
+  */
+ static int rand_initialize(void)
+ {
+-#ifdef CONFIG_NUMA
+-      int i;
+-      struct crng_state *crng;
+-      struct crng_state **pool;
+-#endif
+-
+       init_std_data(&input_pool);
+       init_std_data(&blocking_pool);
+       crng_initialize(&primary_crng);
+-
+-#ifdef CONFIG_NUMA
+-      pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
+-      for_each_online_node(i) {
+-              crng = kmalloc_node(sizeof(struct crng_state),
+-                                  GFP_KERNEL | __GFP_NOFAIL, i);
+-              spin_lock_init(&crng->lock);
+-              crng_initialize(crng);
+-              pool[i] = crng;
+-      }
+-      mb();
+-      crng_node_pool = pool;
+-#endif
+       return 0;
+ }
+ early_initcall(rand_initialize);
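Review bot: `numa_crng_init()` allocates with `GFP_KERNEL | __GFP_NOFAIL`, which may sleep, and the second hunk now calls it from `crng_reseed()`. The callers of `crng_reseed()` are outside these hunks; if any of them can run in interrupt or other atomic context, this becomes a sleeping allocation in the wrong place, whereas the old call site in `rand_initialize()` was an initcall. Deferring the setup to a work item removes the dependency on the caller's context; the names below are a suggestion.

```c
static void do_numa_crng_init(struct work_struct *work)
{
	/* … unchanged: pool allocation, per-node crng setup, cmpxchg publish … */
}

static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init);

static void numa_crng_init(void)
{
	schedule_work(&numa_crng_init_work);
}
```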
diff --git a/queue-4.14/random-use-a-different-mixing-algorithm-for-add_device_randomness.patch b/queue-4.14/random-use-a-different-mixing-algorithm-for-add_device_randomness.patch
new file mode 100644 (file)
index 0000000..600747d
--- /dev/null
@@ -0,0 +1,113 @@
+From dc12baacb95f205948f64dc936a47d89ee110117 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 11 Apr 2018 14:58:27 -0400
+Subject: random: use a different mixing algorithm for add_device_randomness()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit dc12baacb95f205948f64dc936a47d89ee110117 upstream.
+
+add_device_randomness() use of crng_fast_load() was highly
+problematic.  Some callers of add_device_randomness() can pass in a
+large amount of static information.  This would immediately promote
+the crng_init state from 0 to 1, without really doing much to
+initialize the primary_crng's internal state with something even
+vaguely unpredictable.
+
+Since we don't have the speed constraints of add_interrupt_randomness(),
+we can do a better job mixing in the what unpredictability a device
+driver or architecture maintainer might see fit to give us, and do it
+in a way which does not bump the crng_init_cnt variable.
+
+Also, since add_device_randomness() doesn't bump any entropy
+accounting in crng_init state 0, mix the device randomness into the
+input_pool entropy pool as well.  This is related to CVE-2018-1108.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: ee7998c50c26 ("random: do not ignore early device randomness")
+Cc: stable@kernel.org # 4.13+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c |   55 ++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 51 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -786,6 +786,10 @@ static void crng_initialize(struct crng_
+       crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
++/*
++ * crng_fast_load() can be called by code in the interrupt service
++ * path.  So we can't afford to dilly-dally.
++ */
+ static int crng_fast_load(const char *cp, size_t len)
+ {
+       unsigned long flags;
+@@ -812,6 +816,51 @@ static int crng_fast_load(const char *cp
+       return 1;
+ }
++/*
++ * crng_slow_load() is called by add_device_randomness, which has two
++ * attributes.  (1) We can't trust the buffer passed to it is
++ * guaranteed to be unpredictable (so it might not have any entropy at
++ * all), and (2) it doesn't have the performance constraints of
++ * crng_fast_load().
++ *
++ * So we do something more comprehensive which is guaranteed to touch
++ * all of the primary_crng's state, and which uses a LFSR with a
++ * period of 255 as part of the mixing algorithm.  Finally, we do
++ * *not* advance crng_init_cnt since buffer we may get may be something
++ * like a fixed DMI table (for example), which might very well be
++ * unique to the machine, but is otherwise unvarying.
++ */
++static int crng_slow_load(const char *cp, size_t len)
++{
++      unsigned long           flags;
++      static unsigned char    lfsr = 1;
++      unsigned char           tmp;
++      unsigned                i, max = CHACHA20_KEY_SIZE;
++      const char *            src_buf = cp;
++      char *                  dest_buf = (char *) &primary_crng.state[4];
++
++      if (!spin_trylock_irqsave(&primary_crng.lock, flags))
++              return 0;
++      if (crng_init != 0) {
++              spin_unlock_irqrestore(&primary_crng.lock, flags);
++              return 0;
++      }
++      if (len > max)
++              max = len;
++
++      for (i = 0; i < max ; i++) {
++              tmp = lfsr;
++              lfsr >>= 1;
++              if (tmp & 1)
++                      lfsr ^= 0xE1;
++              tmp = dest_buf[i % CHACHA20_KEY_SIZE];
++              dest_buf[i % CHACHA20_KEY_SIZE] ^= src_buf[i % len] ^ lfsr;
++              lfsr += (tmp << 3) | (tmp >> 5);
++      }
++      spin_unlock_irqrestore(&primary_crng.lock, flags);
++      return 1;
++}
++
+ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
+ {
+       unsigned long   flags;
+@@ -981,10 +1030,8 @@ void add_device_randomness(const void *b
+       unsigned long time = random_get_entropy() ^ jiffies;
+       unsigned long flags;
+-      if (!crng_ready()) {
+-              crng_fast_load(buf, size);
+-              return;
+-      }
++      if (!crng_ready() && size)
++              crng_slow_load(buf, size);
+       trace_add_device_randomness(size, _RET_IP_);
+       spin_lock_irqsave(&input_pool.lock, flags);
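Review bot: In the added `crng_slow_load()`, the loop indexes `src_buf[i % len]`, and the only thing keeping `len` non-zero is the `&& size` test in the caller `add_device_randomness()`; the function has no guard of its own and its header comment does not state the precondition. I would either add `if (!len) return 0;` ahead of the `spin_trylock_irqsave()` call, or document it in the comment with a line such as `* Callers must pass len > 0; the loop indexes src_buf[i % len].`, so a future caller cannot introduce a divide-by-zero during early boot. Separately, `i` and `max` are declared `unsigned` while `len` is `size_t`, so `max = len` silently truncates on 64-bit for a very large buffer and the loop could then cover less than intended; declaring both as `size_t` avoids that. `add_device_randomness()` starts and ends outside this hunk, so the rest of its body is not visible here.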
index bb51b120c322828982255cfb5b7d447434531a2f..a120ad0cbd72838ba302c1d6351c0f53c4d923ab 100644 (file)
@@ -125,3 +125,26 @@ drm-amdgpu-si-implement-get-set-pcie_lanes-asic-callback.patch
 drm-rockchip-clear-all-interrupts-before-requesting-the-irq.patch
 drm-radeon-add-px-quirk-for-asus-k73tk.patch
 drm-radeon-fix-pcie-lane-width-calculation.patch
+alsa-line6-use-correct-endpoint-type-for-midi-output.patch
+alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
+alsa-hda-new-via-controller-suppor-no-snoop-path.patch
+alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch
+alsa-hda-realtek-adjust-the-location-of-one-mic.patch
+random-fix-crng_ready-test.patch
+random-use-a-different-mixing-algorithm-for-add_device_randomness.patch
+random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch
+random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch
+random-add-new-ioctl-rndreseedcrng.patch
+hid-input-fix-battery-level-reporting-on-bt-mice.patch
+hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
+hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch
+mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch
+mips-memset.s-eva-fault-support-for-small_memset.patch
+mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
+mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
+powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
+powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch
+powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
+udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch
+fanotify-fix-logic-of-events-on-child.patch
+mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch
diff --git a/queue-4.14/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch b/queue-4.14/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch
new file mode 100644 (file)
index 0000000..c324f95
--- /dev/null
@@ -0,0 +1,50 @@
+From 44f06ba8297c7e9dfd0e49b40cbe119113cca094 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 12 Apr 2018 17:22:23 +0200
+Subject: udf: Fix leak of UTF-16 surrogates into encoded strings
+
+From: Jan Kara <jack@suse.cz>
+
+commit 44f06ba8297c7e9dfd0e49b40cbe119113cca094 upstream.
+
+OSTA UDF specification does not mention whether the CS0 charset in case
+of two bytes per character encoding should be treated in UTF-16 or
+UCS-2. The sample code in the standard does not treat UTF-16 surrogates
+in any special way but on systems such as Windows which work in UTF-16
+internally, filenames would be treated as being in UTF-16 effectively.
+In Linux it is more difficult to handle characters outside of Base
+Multilingual plane (beyond 0xffff) as NLS framework works with 2-byte
+characters only. Just make sure we don't leak UTF-16 surrogates into the
+resulting string when loading names from the filesystem for now.
+
+CC: stable@vger.kernel.org # >= v4.6
+Reported-by: Mingye Wang <arthur200126@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/unicode.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -28,6 +28,9 @@
+ #include "udf_sb.h"
++#define SURROGATE_MASK 0xfffff800
++#define SURROGATE_PAIR 0x0000d800
++
+ static int udf_uni2char_utf8(wchar_t uni,
+                            unsigned char *out,
+                            int boundlen)
+@@ -37,6 +40,9 @@ static int udf_uni2char_utf8(wchar_t uni
+       if (boundlen <= 0)
+               return -ENAMETOOLONG;
++      if ((uni & SURROGATE_MASK) == SURROGATE_PAIR)
++              return -EINVAL;
++
+       if (uni < 0x80) {
+               out[u_len++] = (unsigned char)uni;
+       } else if (uni < 0x800) {