--- /dev/null
+From af52f9982e410edac21ca4b49563053ffc9da1eb Mon Sep 17 00:00:00 2001
+From: David Wang <davidwang@zhaoxin.com>
+Date: Mon, 16 Apr 2018 17:48:09 +0800
+Subject: ALSA: hda - New VIA controller suppor no-snoop path
+
+From: David Wang <davidwang@zhaoxin.com>
+
+commit af52f9982e410edac21ca4b49563053ffc9da1eb upstream.
+
+This patch is used to tell kernel that new VIA HDAC controller also
+support no-snoop path.
+
+[ minor coding style fix by tiwai ]
+
+Signed-off-by: David Wang <davidwang@zhaoxin.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1514,7 +1514,8 @@ static void azx_check_snoop_available(st
+ */
+ u8 val;
+ pci_read_config_byte(chip->pci, 0x42, &val);
+- if (!(val & 0x80) && chip->pci->revision == 0x30)
++ if (!(val & 0x80) && (chip->pci->revision == 0x30 ||
++ chip->pci->revision == 0x20))
+ snoop = false;
+ }
+
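Review bot: The widened revision test compares against the bare values 0x30 and 0x20, next to an unnamed config offset 0x42 and bit 0x80, so nothing at the site says which controller generations fall back to non-snoop. The comment that closes on the first context line begins outside the hunk and may already describe the 0x30 part; it should be extended to cover the new one, for example `/* rev 0x20 and 0x30: snoop is unavailable unless bit 7 of config 0x42 is set */`. azx_check_snoop_available() starts and ends outside the hunk.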
--- /dev/null
+From 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabi=C3=A1n=20Inostroza?= <soulsonceonfire@gmail.com>
+Date: Thu, 12 Apr 2018 00:37:35 -0300
+Subject: ALSA: line6: Use correct endpoint type for midi output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabián Inostroza <soulsonceonfire@gmail.com>
+
+commit 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 upstream.
+
+Sending MIDI messages to a PODxt through the USB connection shows
+"usb_submit_urb failed" in dmesg and the message is not received by
+the POD.
+
+The error is caused because in the funcion send_midi_async() in midi.c
+there is a call to usb_sndbulkpipe() for endpoint 3 OUT, but the PODxt
+USB descriptor shows that this endpoint it's an interrupt endpoint.
+
+Patch tested with PODxt only.
+
+[ The bug has been present from the very beginning in the staging
+ driver time, but Fixes below points to the commit moving to sound/
+ directory so that the fix can be cleanly applied -- tiwai ]
+
+Fixes: 61864d844c29 ("ALSA: move line6 usb driver into sound/usb")
+Signed-off-by: Fabián Inostroza <fabianinostroza@udec.cl>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/midi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/midi.c
++++ b/sound/usb/line6/midi.c
+@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_li
+ }
+
+ usb_fill_int_urb(urb, line6->usbdev,
+- usb_sndbulkpipe(line6->usbdev,
++ usb_sndintpipe(line6->usbdev,
+ line6->properties->ep_ctrl_w),
+ transfer_buffer, length, midi_sent, line6,
+ line6->interval);
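Review bot: The pipe type in the `usb_fill_int_urb()` call is now hard-coded to interrupt for every device this driver binds, while the commit message says the change was tested with PODxt only. `ep_ctrl_w` is read from `line6->properties` and the endpoint type is whatever the attached device reports, so a model, or a device presenting unexpected descriptors, whose endpoint is bulk would hit the same `usb_submit_urb` failure from the other side. Choosing the pipe from the endpoint descriptor, or rejecting a mismatch at probe time with `usb_endpoint_xfer_int()`, would make the assumption explicit. send_midi_async() starts and ends outside the hunk.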
--- /dev/null
+From 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 19 Apr 2018 18:16:15 +0200
+Subject: ALSA: rawmidi: Fix missing input substream checks in compat ioctls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream.
+
+Some rawmidi compat ioctls lack of the input substream checks
+(although they do check only for rfile->output). This many eventually
+lead to an Oops as NULL substream is passed to the rawmidi core
+functions.
+
+Fix it by adding the proper checks before each function call.
+
+The bug was spotted by syzkaller.
+
+Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi_compat.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/sound/core/rawmidi_compat.c
++++ b/sound/core/rawmidi_compat.c
+@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_comp
+ struct snd_rawmidi_params params;
+ unsigned int val;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(params.stream, &src->stream) ||
+ get_user(params.buffer_size, &src->buffer_size) ||
+ get_user(params.avail_min, &src->avail_min) ||
+@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_comp
+ params.no_active_sensing = val;
+ switch (params.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ return snd_rawmidi_output_params(rfile->output, ¶ms);
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ return snd_rawmidi_input_params(rfile->input, ¶ms);
+ }
+ return -EINVAL;
+@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_comp
+ int err;
+ struct snd_rawmidi_status status;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(status.stream, &src->stream))
+ return -EFAULT;
+
+ switch (status.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ err = snd_rawmidi_output_status(rfile->output, &status);
+ break;
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ err = snd_rawmidi_input_status(rfile->input, &status);
+ break;
+ default:
+@@ -112,16 +116,18 @@ static int snd_rawmidi_ioctl_status_x32(
+ int err;
+ struct snd_rawmidi_status status;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(status.stream, &src->stream))
+ return -EFAULT;
+
+ switch (status.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ err = snd_rawmidi_output_status(rfile->output, &status);
+ break;
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ err = snd_rawmidi_input_status(rfile->input, &status);
+ break;
+ default:
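Review bot: The same stream switch with a per-direction NULL check is now open-coded three times (params_compat, status_compat and status_x32), and nothing at the sites says why the check is needed. `params.stream` and `status.stream` are read from user space with `get_user()`, so the caller chooses which of `rfile->input` and `rfile->output` is handed to the core. A comment on each switch such as `/* stream is user-controlled; the file may have only one direction open */` would keep the next compat handler from omitting the test. All three function bodies start and end outside their hunks.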
--- /dev/null
+From a955358d54695e4ad9f7d6489a7ac4d69a8fc711 Mon Sep 17 00:00:00 2001
+From: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
+Date: Fri, 6 Apr 2018 01:09:36 +0200
+Subject: HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
+
+From: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
+
+commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711 upstream.
+
+Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device
+and then disconnecting the device, or unloading the driver, can
+cause a NULL pointer dereference.
+
+When a hidraw device is destroyed it sets 0 to `dev->exist`.
+Most functions check 'dev->exist' before doing its work, but
+`hidraw_get_report()` was missing that check.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hidraw.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -192,6 +192,11 @@ static ssize_t hidraw_get_report(struct
+ int ret = 0, len;
+ unsigned char report_number;
+
++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ dev = hidraw_table[minor]->hid;
+
+ if (!dev->ll_driver->raw_request) {
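Review bot: The added `hidraw_table[minor]` / `->exist` test only helps if the caller holds the lock that device teardown takes, and nothing in the hunk shows or asserts that. Without it the entry could be cleared between the check and the `hidraw_table[minor]->hid` load a few lines later, which is the same NULL dereference the commit is fixing. If callers are expected to hold the table mutex (presumably `minors_lock` in this file, to be confirmed), `lockdep_assert_held(&minors_lock);` at the top of the function would document and enforce it. The function body and the `out` label lie outside the hunk.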
--- /dev/null
+From 8a8158c85e1e774a44fbe81106fa41138580dfd1 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Thu, 29 Mar 2018 10:28:23 +0100
+Subject: MIPS: memset.S: EVA & fault support for small_memset
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+commit 8a8158c85e1e774a44fbe81106fa41138580dfd1 upstream.
+
+The MIPS kernel memset / bzero implementation includes a small_memset
+branch which is used when the region to be set is smaller than a long (4
+bytes on 32bit, 8 bytes on 64bit). The current small_memset
+implementation uses a simple store byte loop to write the destination.
+There are 2 issues with this implementation:
+
+1. When EVA mode is active, user and kernel address spaces may overlap.
+Currently the use of the sb instruction means kernel mode addressing is
+always used and an intended write to userspace may actually overwrite
+some critical kernel data.
+
+2. If the write triggers a page fault, for example by calling
+__clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS
+is triggered.
+
+Fix these issues by replacing the sb instruction with the EX() macro,
+which will emit EVA compatible instuctions as required. Additionally
+implement a fault fixup for small_memset which sets a2 to the number of
+bytes that could not be cleared (as defined by __clear_user).
+
+Reported-by: Chuanhua Lei <chuanhua.lei@intel.com>
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/18975/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lib/memset.S | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -218,7 +218,7 @@
+ 1: PTR_ADDIU a0, 1 /* fill bytewise */
+ R10KCBARRIER(0(ra))
+ bne t1, a0, 1b
+- sb a1, -1(a0)
++ EX(sb, a1, -1(a0), .Lsmall_fixup\@)
+
+ 2: jr ra /* done */
+ move a2, zero
+@@ -259,6 +259,11 @@
+ jr ra
+ andi v1, a2, STORMASK
+
++.Lsmall_fixup\@:
++ PTR_SUBU a2, t1, a0
++ jr ra
++ PTR_ADDIU a2, 1
++
+ .endm
+
+ /*
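Review bot: The new `.Lsmall_fixup` handler has no comment explaining its `+ 1`, which is easy to misread as an off-by-one. In the byte loop `a0` is incremented before the store in the branch delay slot writes `-1(a0)`, so when that store faults the first unwritten byte is `a0 - 1` and the remainder is `t1 - a0 + 1`; the `PTR_ADDIU` executes in the delay slot of `jr ra`. A comment above the label such as `/* fault in small_memset: a0 is already past the faulting byte, so a2 = t1 - (a0 - 1) */` would record that. This assumes `t1` still holds the end address when the fault is taken, which is set up outside the hunk.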
--- /dev/null
+From c96eebf07692e53bf4dd5987510d8b550e793598 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Tue, 17 Apr 2018 16:40:00 +0100
+Subject: MIPS: memset.S: Fix clobber of v1 in last_fixup
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream.
+
+The label .Llast_fixup\@ is jumped to on page fault within the final
+byte set loop of memset (on < MIPSR6 architectures). For some reason, in
+this fault handler, the v1 register is randomly set to a2 & STORMASK.
+This clobbers v1 for the calling function. This can be observed with the
+following test code:
+
+static int __init __attribute__((optimize("O0"))) test_clear_user(void)
+{
+ register int t asm("v1");
+ char *test;
+ int j, k;
+
+ pr_info("\n\n\nTesting clear_user\n");
+ test = vmalloc(PAGE_SIZE);
+
+ for (j = 256; j < 512; j++) {
+ t = 0xa5a5a5a5;
+ if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
+ pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k);
+ }
+ if (t != 0xa5a5a5a5) {
+ pr_err("v1 was clobbered to 0x%x!\n", t);
+ }
+ }
+
+ return 0;
+}
+late_initcall(test_clear_user);
+
+Which demonstrates that v1 is indeed clobbered (MIPS64):
+
+Testing clear_user
+v1 was clobbered to 0x1!
+v1 was clobbered to 0x2!
+v1 was clobbered to 0x3!
+v1 was clobbered to 0x4!
+v1 was clobbered to 0x5!
+v1 was clobbered to 0x6!
+v1 was clobbered to 0x7!
+
+Since the number of bytes that could not be set is already contained in
+a2, the andi placing a value in v1 is not necessary and actively
+harmful in clobbering v1.
+
+Reported-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19109/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lib/memset.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -257,7 +257,7 @@
+
+ .Llast_fixup\@:
+ jr ra
+- andi v1, a2, STORMASK
++ nop
+
+ .Lsmall_fixup\@:
+ PTR_SUBU a2, t1, a0
--- /dev/null
+From daf70d89f80c6e1772233da9e020114b1254e7e0 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Tue, 17 Apr 2018 15:52:21 +0100
+Subject: MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream.
+
+The __clear_user function is defined to return the number of bytes that
+could not be cleared. From the underlying memset / bzero implementation
+this means setting register a2 to that number on return. Currently if a
+page fault is triggered within the memset_partial block, the value
+loaded into a2 on return is meaningless.
+
+The label .Lpartial_fixup\@ is jumped to on page fault. In order to work
+out how many bytes failed to copy, the exception handler should find how
+many bytes left in the partial block (andi a2, STORMASK), add that to
+the partial block end address (a2), and subtract the faulting address to
+get the remainder. Currently it incorrectly subtracts the partial block
+start address (t1), which has additionally been clobbered to generate a
+jump target in memset_partial. Fix this by adding the block end address
+instead.
+
+This issue was found with the following test code:
+ int j, k;
+ for (j = 0; j < 512; j++) {
+ if ((k = clear_user(NULL, j)) != j) {
+ pr_err("clear_user (NULL %d) returned %d\n", j, k);
+ }
+ }
+Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64).
+
+Suggested-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19108/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lib/memset.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -251,7 +251,7 @@
+ PTR_L t0, TI_TASK($28)
+ andi a2, STORMASK
+ LONG_L t0, THREAD_BUADDR(t0)
+- LONG_ADDU a2, t1
++ LONG_ADDU a2, a0
+ jr ra
+ LONG_SUBU a2, t0
+
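Review bot: The fixup sequence corrected here still carries no comment, and its arithmetic is interleaved with the loads that fetch the faulting address and finishes in the delay slot of `jr ra`. As written it computes `a2 = (a2 & STORMASK) + a0 - BUADDR`, which matches the commit message only if `a0` holds the end address of the partial block when the fault is taken; that is set up outside the hunk and should be confirmed. A comment above the `andi` such as `/* bytes not set = tail bytes + partial block end (a0) - faulting address */` would keep a later change from reintroducing the wrong base register.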
--- /dev/null
+From b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@mips.com>
+Date: Tue, 17 Apr 2018 16:40:01 +0100
+Subject: MIPS: uaccess: Add micromips clobbers to bzero invocation
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 upstream.
+
+The micromips implementation of bzero additionally clobbers registers t7
+& t8. Specify this in the clobbers list when invoking bzero.
+
+Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.")
+Reported-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # 3.10+
+Patchwork: https://patchwork.linux-mips.org/patch/19110/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/uaccess.h | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/include/asm/uaccess.h
++++ b/arch/mips/include/asm/uaccess.h
+@@ -1257,6 +1257,13 @@ __clear_user(void __user *addr, __kernel
+ {
+ __kernel_size_t res;
+
++#ifdef CONFIG_CPU_MICROMIPS
++/* micromips memset / bzero also clobbers t7 & t8 */
++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31"
++#else
++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"
++#endif /* CONFIG_CPU_MICROMIPS */
++
+ if (eva_kernel_access()) {
+ __asm__ __volatile__(
+ "move\t$4, %1\n\t"
+@@ -1266,7 +1273,7 @@ __clear_user(void __user *addr, __kernel
+ "move\t%0, $6"
+ : "=r" (res)
+ : "r" (addr), "r" (size)
+- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
++ : bzero_clobbers);
+ } else {
+ might_fault();
+ __asm__ __volatile__(
+@@ -1277,7 +1284,7 @@ __clear_user(void __user *addr, __kernel
+ "move\t%0, $6"
+ : "=r" (res)
+ : "r" (addr), "r" (size)
+- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
++ : bzero_clobbers);
+ }
+
+ return res;
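Review bot: `bzero_clobbers` is defined with `#define` inside the body of `__clear_user()` in a header, and no `#undef` is visible in the patch, so the lower-case macro leaks into every file that includes uaccess.h after this point. Moving the `#ifdef CONFIG_CPU_MICROMIPS` block to file scope above the function, or adding `#undef bzero_clobbers` after the second asm statement, keeps the name contained. The end of the function is outside the last hunk, so an existing `#undef` further down cannot be ruled out from here.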
--- /dev/null
+From 13a83eac373c49c0a081cbcd137e79210fe78acd Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Wed, 11 Apr 2018 13:37:58 +1000
+Subject: powerpc/eeh: Fix enabling bridge MMIO windows
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 13a83eac373c49c0a081cbcd137e79210fe78acd upstream.
+
+On boot we save the configuration space of PCIe bridges. We do this so
+when we get an EEH event and everything gets reset that we can restore
+them.
+
+Unfortunately we save this state before we've enabled the MMIO space
+on the bridges. Hence if we have to reset the bridge when we come back
+MMIO is not enabled and we end up taking an PE freeze when the driver
+starts accessing again.
+
+This patch forces the memory/MMIO and bus mastering on when restoring
+bridges on EEH. Ideally we'd do this correctly by saving the
+configuration space writes later, but that will have to come later in
+a larger EEH rewrite. For now we have this simple fix.
+
+The original bug can be triggered on a boston machine by doing:
+ echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound
+On boston, this PHB has a PCIe switch on it. Without this patch,
+you'll see two EEH events, 1 expected and 1 the failure we are fixing
+here. The second EEH event causes the anything under the PHB to
+disappear (i.e. the i40e eth).
+
+With this patch, only 1 EEH event occurs and devices properly recover.
+
+Fixes: 652defed4875 ("powerpc/eeh: Check PCIe link after reset")
+Cc: stable@vger.kernel.org # v3.11+
+Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Acked-by: Russell Currey <ruscur@russell.cc>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/eeh_pe.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/eeh_pe.c
++++ b/arch/powerpc/kernel/eeh_pe.c
+@@ -795,7 +795,8 @@ static void eeh_restore_bridge_bars(stru
+ eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]);
+
+ /* PCI Command: 0x4 */
+- eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]);
++ eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] |
++ PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
+
+ /* Check the PCIe link is ready */
+ eeh_bridge_check_link(edev);
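Review bot: The restore now forces `PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER` on for every bridge regardless of what was saved, but the only comment at the site is still `/* PCI Command: 0x4 */`. Bus mastering lets devices behind the bridge initiate DMA, so a bridge whose saved command register had it cleared comes back from an EEH reset more permissive than it was. Since the commit message describes this as a stopgap until the config space is saved later, the write should say so, e.g. `/* saved before MMIO was enabled: force memory decode and bus mastering on until the save is moved */`. eeh_restore_bridge_bars() starts and ends outside the hunk.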
--- /dev/null
+From b8858581febb050688e276b956796bc4a78299ed Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 16 Apr 2018 23:25:19 +1000
+Subject: powerpc/lib: Fix off-by-one in alternate feature patching
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit b8858581febb050688e276b956796bc4a78299ed upstream.
+
+When we patch an alternate feature section, we have to adjust any
+relative branches that branch out of the alternate section.
+
+But currently we have a bug if we have a branch that points to past
+the last instruction of the alternate section, eg:
+
+ FTR_SECTION_ELSE
+ 1: b 2f
+ or 6,6,6
+ 2:
+ ALT_FTR_SECTION_END(...)
+ nop
+
+This will result in a relative branch at 1 with a target that equals
+the end of the alternate section.
+
+That branch does not need adjusting when it's moved to the non-else
+location. Currently we do adjust it, resulting in a branch that goes
+off into the link-time location of the else section, which is junk.
+
+The fix is to not patch branches that have a target == end of the
+alternate section.
+
+Fixes: d20fe50a7b3c ("KVM: PPC: Book3S HV: Branch inside feature section")
+Fixes: 9b1a735de64c ("powerpc: Add logic to patch alternative feature sections")
+Cc: stable@vger.kernel.org # v2.6.27+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/feature-fixups.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/lib/feature-fixups.c
++++ b/arch/powerpc/lib/feature-fixups.c
+@@ -55,7 +55,7 @@ static int patch_alt_instruction(unsigne
+ unsigned int *target = (unsigned int *)branch_target(src);
+
+ /* Branch within the section doesn't need translating */
+- if (target < alt_start || target >= alt_end) {
++ if (target < alt_start || target > alt_end) {
+ instr = translate_branch(dest, src);
+ if (!instr)
+ return 1;
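Review bot: The comment above the changed condition still reads `/* Branch within the section doesn't need translating */`, but after this change a target equal to `alt_end`, one past the last instruction, is also left untranslated. The boundary is the whole fix, so the comment should state it, e.g. `/* Branch within the section, or to its end, doesn't need translating */`. patch_alt_instruction() continues outside the hunk.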
--- /dev/null
+From d848e5f8e1ebdb227d045db55fe4f825e82965fa Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 11 Apr 2018 16:32:17 -0400
+Subject: random: add new ioctl RNDRESEEDCRNG
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit d848e5f8e1ebdb227d045db55fe4f825e82965fa upstream.
+
+Add a new ioctl which forces the the crng to be reseeded.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 13 ++++++++++++-
+ include/uapi/linux/random.h | 3 +++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -436,6 +436,7 @@ struct crng_state primary_crng = {
+ static int crng_init = 0;
+ #define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
++static unsigned long crng_global_init_time = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+ static void _extract_crng(struct crng_state *crng,
+ __u8 out[CHACHA20_BLOCK_SIZE]);
+@@ -874,7 +875,8 @@ static void _extract_crng(struct crng_st
+ unsigned long v, flags;
+
+ if (crng_ready() &&
+- time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))
++ (time_after(crng_global_init_time, crng->init_time) ||
++ time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)))
+ crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
+ spin_lock_irqsave(&crng->lock, flags);
+ if (arch_get_random_long(&v))
+@@ -1689,6 +1691,7 @@ static int rand_initialize(void)
+ init_std_data(&input_pool);
+ init_std_data(&blocking_pool);
+ crng_initialize(&primary_crng);
++ crng_global_init_time = jiffies;
+ return 0;
+ }
+ early_initcall(rand_initialize);
+@@ -1862,6 +1865,14 @@ static long random_ioctl(struct file *f,
+ input_pool.entropy_count = 0;
+ blocking_pool.entropy_count = 0;
+ return 0;
++ case RNDRESEEDCRNG:
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++ if (crng_init < 2)
++ return -ENODATA;
++ crng_reseed(&primary_crng, NULL);
++ crng_global_init_time = jiffies - 1;
++ return 0;
+ default:
+ return -EINVAL;
+ }
+--- a/include/uapi/linux/random.h
++++ b/include/uapi/linux/random.h
+@@ -34,6 +34,9 @@
+ /* Clear the entropy pool and associated counters. (Superuser only.) */
+ #define RNDCLEARPOOL _IO( 'R', 0x06 )
+
++/* Reseed CRNG. (Superuser only.) */
++#define RNDRESEEDCRNG _IO( 'R', 0x07 )
++
+ struct rand_pool_info {
+ int entropy_count;
+ int buf_size;
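Review bot: The new `RNDRESEEDCRNG` case in random_ioctl() calls `crng_reseed(&primary_crng, NULL)`, whereas the periodic path in `_extract_crng()` passes `&input_pool` when the instance is `primary_crng`. crng_reseed()'s body is not in this patch, but if a NULL source means the new key is drawn from the primary CRNG itself, the forced reseed mixes in nothing from the pool; `crng_reseed(&primary_crng, &input_pool);` would match the periodic path. `crng_global_init_time` is also written here and read in `_extract_crng()` with no lock or annotation, so `WRITE_ONCE(crng_global_init_time, jiffies - 1);` with a matching `READ_ONCE()` on the read side would make the lockless access explicit. At jiffies granularity, an instance whose `init_time` equals the current jiffy is not caught by the new `time_after()` test and keeps its key until the regular interval expires.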
--- /dev/null
+From 0bb29a849a6433b72e249eea7695477b02056e94 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 12 Apr 2018 00:50:45 -0400
+Subject: random: crng_reseed() should lock the crng instance that it is modifying
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 0bb29a849a6433b72e249eea7695477b02056e94 upstream.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...")
+Cc: stable@kernel.org # 4.8+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -836,7 +836,7 @@ static void crng_reseed(struct crng_stat
+ _crng_backtrack_protect(&primary_crng, buf.block,
+ CHACHA20_KEY_SIZE);
+ }
+- spin_lock_irqsave(&primary_crng.lock, flags);
++ spin_lock_irqsave(&crng->lock, flags);
+ for (i = 0; i < 8; i++) {
+ unsigned long rv;
+ if (!arch_get_random_seed_long(&rv) &&
+@@ -853,7 +853,7 @@ static void crng_reseed(struct crng_stat
+ wake_up_interruptible(&crng_init_wait);
+ pr_notice("random: crng init done\n");
+ }
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
++ spin_unlock_irqrestore(&crng->lock, flags);
+ }
+
+ static inline void maybe_reseed_primary_crng(void)
--- /dev/null
+From 43838a23a05fbd13e47d750d3dfd77001536dd33 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 11 Apr 2018 13:27:52 -0400
+Subject: random: fix crng_ready() test
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 43838a23a05fbd13e47d750d3dfd77001536dd33 upstream.
+
+The crng_init variable has three states:
+
+0: The CRNG is not initialized at all
+1: The CRNG has a small amount of entropy, hopefully good enough for
+ early-boot, non-cryptographical use cases
+2: The CRNG is fully initialized and we are sure it is safe for
+ cryptographic use cases.
+
+The crng_ready() function should only return true once we are in the
+last state. This addresses CVE-2018-1108.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: e192be9d9a30 ("random: replace non-blocking pool...")
+Cc: stable@kernel.org # 4.8+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -434,7 +434,7 @@ struct crng_state primary_crng = {
+ * its value (from 0->1->2).
+ */
+ static int crng_init = 0;
+-#define crng_ready() (likely(crng_init > 0))
++#define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+ static void _extract_crng(struct crng_state *crng,
+@@ -800,7 +800,7 @@ static int crng_fast_load(const char *cp
+
+ if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+ return 0;
+- if (crng_ready()) {
++ if (crng_init != 0) {
+ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ return 0;
+ }
+@@ -872,7 +872,7 @@ static void _extract_crng(struct crng_st
+ {
+ unsigned long v, flags;
+
+- if (crng_init > 1 &&
++ if (crng_ready() &&
+ time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))
+ crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
+ spin_lock_irqsave(&crng->lock, flags);
+@@ -1153,7 +1153,7 @@ void add_interrupt_randomness(int irq, i
+ fast_mix(fast_pool);
+ add_interrupt_bench(cycles);
+
+- if (!crng_ready()) {
++ if (unlikely(crng_init == 0)) {
+ if ((fast_pool->count >= 64) &&
+ crng_fast_load((char *) fast_pool->pool,
+ sizeof(fast_pool->pool))) {
+@@ -2148,7 +2148,7 @@ void add_hwgenerator_randomness(const ch
+ {
+ struct entropy_store *poolp = &input_pool;
+
+- if (!crng_ready()) {
++ if (unlikely(crng_init == 0)) {
+ crng_fast_load(buffer, count);
+ return;
+ }
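Review bot: The three `crng_init` states are still bare integers, and after this change callers mix `crng_ready()` with open-coded `crng_init != 0`, `crng_init == 0` and, in other patches on this page, `crng_init < 2`, which is the kind of conflation behind the bug being fixed. The state list from the commit message belongs next to the macro; the visible tail of the existing comment only says the value goes `0->1->2`. A comment on the macro such as `/* true only in state 2 (fully initialized); early-boot fast-load paths must test crng_init == 0 instead */` would do. The same applies to the tests changed in crng_fast_load(), add_interrupt_randomness() and add_hwgenerator_randomness(), whose bodies all extend outside their hunks.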
--- /dev/null
+From 8ef35c866f8862df074a49a93b0309725812dea8 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 11 Apr 2018 15:23:56 -0400
+Subject: random: set up the NUMA crng instances after the CRNG is fully initialized
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 8ef35c866f8862df074a49a93b0309725812dea8 upstream.
+
+Until the primary_crng is fully initialized, don't initialize the NUMA
+crng nodes. Otherwise users of /dev/urandom on NUMA systems before
+the CRNG is fully initialized can get very bad quality randomness. Of
+course everyone should move to getrandom(2) where this won't be an
+issue, but there's a lot of legacy code out there. This related to
+CVE-2018-1108.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...")
+Cc: stable@kernel.org # 4.8+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 46 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 19 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -847,6 +847,7 @@ static void crng_reseed(struct crng_stat
+ memzero_explicit(&buf, sizeof(buf));
+ crng->init_time = jiffies;
+ if (crng == &primary_crng && crng_init < 2) {
++ numa_crng_init();
+ crng_init = 2;
+ process_random_ready_list();
+ wake_up_interruptible(&crng_init_wait);
+@@ -897,6 +898,32 @@ static void extract_crng(__u8 out[CHACHA
+ _extract_crng(crng, out);
+ }
+
++#ifdef CONFIG_NUMA
++static void numa_crng_init(void)
++{
++ int i;
++ struct crng_state *crng;
++ struct crng_state **pool;
++
++ pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
++ for_each_online_node(i) {
++ crng = kmalloc_node(sizeof(struct crng_state),
++ GFP_KERNEL | __GFP_NOFAIL, i);
++ spin_lock_init(&crng->lock);
++ crng_initialize(crng);
++ pool[i] = crng;
++ }
++ mb();
++ if (cmpxchg(&crng_node_pool, NULL, pool)) {
++ for_each_node(i)
++ kfree(pool[i]);
++ kfree(pool);
++ }
++}
++#else
++static void numa_crng_init(void) {}
++#endif
++
+ /*
+ * Use the leftover bytes from the CRNG block output (if there is
+ * enough) to mutate the CRNG key to provide backtracking protection.
+@@ -1659,28 +1686,9 @@ static void init_std_data(struct entropy
+ */
+ static int rand_initialize(void)
+ {
+-#ifdef CONFIG_NUMA
+- int i;
+- struct crng_state *crng;
+- struct crng_state **pool;
+-#endif
+-
+ init_std_data(&input_pool);
+ init_std_data(&blocking_pool);
+ crng_initialize(&primary_crng);
+-
+-#ifdef CONFIG_NUMA
+- pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
+- for_each_online_node(i) {
+- crng = kmalloc_node(sizeof(struct crng_state),
+- GFP_KERNEL | __GFP_NOFAIL, i);
+- spin_lock_init(&crng->lock);
+- crng_initialize(crng);
+- pool[i] = crng;
+- }
+- mb();
+- crng_node_pool = pool;
+-#endif
+ return 0;
+ }
+ early_initcall(rand_initialize);
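Review bot: `numa_crng_init()` allocates with `GFP_KERNEL | __GFP_NOFAIL`, which may sleep, yet the call added to `crng_reseed()` sits in the block that sets `crng_init = 2`, and the crng_reseed() locking patch on this page shows that block running between `spin_lock_irqsave()` and `spin_unlock_irqrestore()`. The lock calls are outside this patch's hunks, so confirm against the tree, but if so this is a sleeping allocation with interrupts disabled. Deferring the setup to process context with a work item keeps the ordering the commit wants without allocating under the lock. Judging by the hunk offsets, the definition also lands after its first use in crng_reseed() and no forward declaration is added.

```c
#ifdef CONFIG_NUMA
static void do_numa_crng_init(struct work_struct *work)
{
	/* … unchanged: pool allocation, per-node crng setup, cmpxchg publish … */
}

static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init);

static void numa_crng_init(void)
{
	/* called with the crng spinlock held: only queue the work here */
	schedule_work(&numa_crng_init_work);
}
/* … unchanged: #else stub and #endif … */
```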
drm-amdgpu-fix-pcie-lane-width-calculation.patch
drm-rockchip-clear-all-interrupts-before-requesting-the-irq.patch
drm-radeon-fix-pcie-lane-width-calculation.patch
+alsa-line6-use-correct-endpoint-type-for-midi-output.patch
+alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
+alsa-hda-new-via-controller-suppor-no-snoop-path.patch
+random-fix-crng_ready-test.patch
+random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch
+random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch
+random-add-new-ioctl-rndreseedcrng.patch
+hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
+mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch
+mips-memset.s-eva-fault-support-for-small_memset.patch
+mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
+mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
+powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
+powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
+udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch
--- /dev/null
+From 44f06ba8297c7e9dfd0e49b40cbe119113cca094 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 12 Apr 2018 17:22:23 +0200
+Subject: udf: Fix leak of UTF-16 surrogates into encoded strings
+
+From: Jan Kara <jack@suse.cz>
+
+commit 44f06ba8297c7e9dfd0e49b40cbe119113cca094 upstream.
+
+OSTA UDF specification does not mention whether the CS0 charset in case
+of two bytes per character encoding should be treated in UTF-16 or
+UCS-2. The sample code in the standard does not treat UTF-16 surrogates
+in any special way but on systems such as Windows which work in UTF-16
+internally, filenames would be treated as being in UTF-16 effectively.
+In Linux it is more difficult to handle characters outside of Base
+Multilingual plane (beyond 0xffff) as NLS framework works with 2-byte
+characters only. Just make sure we don't leak UTF-16 surrogates into the
+resulting string when loading names from the filesystem for now.
+
+CC: stable@vger.kernel.org # >= v4.6
+Reported-by: Mingye Wang <arthur200126@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/unicode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -28,6 +28,9 @@
+
+ #include "udf_sb.h"
+
++#define SURROGATE_MASK 0xfffff800
++#define SURROGATE_PAIR 0x0000d800
++
+ static int udf_uni2char_utf8(wchar_t uni,
+ unsigned char *out,
+ int boundlen)
+@@ -37,6 +40,9 @@ static int udf_uni2char_utf8(wchar_t uni
+ if (boundlen <= 0)
+ return -ENAMETOOLONG;
+
++ if ((uni & SURROGATE_MASK) == SURROGATE_PAIR)
++ return -EINVAL;
++
+ if (uni < 0x80) {
+ out[u_len++] = (unsigned char)uni;
+ } else if (uni < 0x800) {
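Review bot: `SURROGATE_PAIR` is a misleading name for what the new test matches: `(uni & SURROGATE_MASK) == SURROGATE_PAIR` is true for any single code unit in 0xd800..0xdfff, high or low, not for a pair. A comment on the defines such as `/* any UTF-16 surrogate code unit, U+D800..U+DFFF */` would say so. The check is added only to `udf_uni2char_utf8()`; whether the NLS conversion path needs the same test, and whether the caller turns `-EINVAL` into a substitute character or fails the whole name, is not visible in these hunks and should be confirmed. The function continues past the end of the second hunk.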