From bd8f595fe844d8b06d789893e83c2f6433a6fff0 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 22 Apr 2018 11:16:15 +0200 Subject: [PATCH] 4.14-stable patches added patches: alsa-hda-new-via-controller-suppor-no-snoop-path.patch alsa-hda-realtek-adjust-the-location-of-one-mic.patch alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch alsa-line6-use-correct-endpoint-type-for-midi-output.patch alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch fanotify-fix-logic-of-events-on-child.patch hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch hid-input-fix-battery-level-reporting-on-bt-mice.patch hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch mips-memset.s-eva-fault-support-for-small_memset.patch mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch powerpc-eeh-fix-enabling-bridge-mmio-windows.patch powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch random-add-new-ioctl-rndreseedcrng.patch random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch random-fix-crng_ready-test.patch random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch random-use-a-different-mixing-algorithm-for-add_device_randomness.patch udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch --- ...-via-controller-suppor-no-snoop-path.patch | 35 +++++ ...altek-adjust-the-location-of-one-mic.patch | 35 +++++ ...et-pincfg_headset_mic-to-parse_flags.patch | 39 ++++++ ...orrect-endpoint-type-for-midi-output.patch | 47 +++++++ ...ut-substream-checks-in-compat-ioctls.patch | 93 +++++++++++++ ...anotify-fix-logic-of-events-on-child.patch | 84 ++++++++++++ ...diocgfeature-with-a-destroyed-device.patch | 40 ++++++ ...x-battery-level-reporting-on-bt-mice.patch | 127 ++++++++++++++++++ 
...-report-for-recent-bluetooth-devices.patch | 122 +++++++++++++++++ ...s-eva-fault-support-for-small_memset.patch | 65 +++++++++ ...et.s-fix-clobber-of-v1-in-last_fixup.patch | 77 +++++++++++ ...-of-__clear_user-from-lpartial_fixup.patch | 57 ++++++++ ...cromips-clobbers-to-bzero-invocation.patch | 60 +++++++++ ...hci-pci-only-do-amd-tuning-for-hs200.patch | 86 ++++++++++++ ...eeh-fix-enabling-bridge-mmio-windows.patch | 56 ++++++++ ...by-one-in-alternate-feature-patching.patch | 53 ++++++++ ...ng-to-push-an-already-active-pool-vp.patch | 44 ++++++ .../random-add-new-ioctl-rndreseedcrng.patch | 75 +++++++++++ ...e-crng-instance-that-it-is-modifying.patch | 40 ++++++ queue-4.14/random-fix-crng_ready-test.patch | 78 +++++++++++ ...-after-the-crng-is-fully-initialized.patch | 98 ++++++++++++++ ...-algorithm-for-add_device_randomness.patch | 113 ++++++++++++++++ queue-4.14/series | 23 ++++ ...f-16-surrogates-into-encoded-strings.patch | 50 +++++++ 24 files changed, 1597 insertions(+) create mode 100644 queue-4.14/alsa-hda-new-via-controller-suppor-no-snoop-path.patch create mode 100644 queue-4.14/alsa-hda-realtek-adjust-the-location-of-one-mic.patch create mode 100644 queue-4.14/alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch create mode 100644 queue-4.14/alsa-line6-use-correct-endpoint-type-for-midi-output.patch create mode 100644 queue-4.14/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch create mode 100644 queue-4.14/fanotify-fix-logic-of-events-on-child.patch create mode 100644 queue-4.14/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch create mode 100644 queue-4.14/hid-input-fix-battery-level-reporting-on-bt-mice.patch create mode 100644 queue-4.14/hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch create mode 100644 queue-4.14/mips-memset.s-eva-fault-support-for-small_memset.patch create mode 100644 queue-4.14/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch create mode 100644 
queue-4.14/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch create mode 100644 queue-4.14/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch create mode 100644 queue-4.14/mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch create mode 100644 queue-4.14/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch create mode 100644 queue-4.14/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch create mode 100644 queue-4.14/powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch create mode 100644 queue-4.14/random-add-new-ioctl-rndreseedcrng.patch create mode 100644 queue-4.14/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch create mode 100644 queue-4.14/random-fix-crng_ready-test.patch create mode 100644 queue-4.14/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch create mode 100644 queue-4.14/random-use-a-different-mixing-algorithm-for-add_device_randomness.patch create mode 100644 queue-4.14/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch diff --git a/queue-4.14/alsa-hda-new-via-controller-suppor-no-snoop-path.patch b/queue-4.14/alsa-hda-new-via-controller-suppor-no-snoop-path.patch new file mode 100644 index 00000000000..059d580f804 --- /dev/null +++ b/queue-4.14/alsa-hda-new-via-controller-suppor-no-snoop-path.patch 
@@ -0,0 +1,35 @@
+From af52f9982e410edac21ca4b49563053ffc9da1eb Mon Sep 17 00:00:00 2001
+From: David Wang
+Date: Mon, 16 Apr 2018 17:48:09 +0800
+Subject: ALSA: hda - New VIA controller suppor no-snoop path
+
+From: David Wang
+
+commit af52f9982e410edac21ca4b49563053ffc9da1eb upstream.
+
+This patch is used to tell kernel that new VIA HDAC controller also
+support no-snoop path.
+
+[ minor coding style fix by tiwai ]
+
+Signed-off-by: David Wang
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1645,7 +1645,8 @@ static void azx_check_snoop_available(st
+ */
+ u8 val;
+ pci_read_config_byte(chip->pci, 0x42, &val);
+- if (!(val & 0x80) && chip->pci->revision == 0x30)
++ if (!(val & 0x80) && (chip->pci->revision == 0x30 ||
++ chip->pci->revision == 0x20))
+ snoop = false;
+ }
+
diff --git a/queue-4.14/alsa-hda-realtek-adjust-the-location-of-one-mic.patch b/queue-4.14/alsa-hda-realtek-adjust-the-location-of-one-mic.patch
new file mode 100644
index 00000000000..9cac62157e4
--- /dev/null
+++ b/queue-4.14/alsa-hda-realtek-adjust-the-location-of-one-mic.patch
@@ -0,0 +1,35 @@
+From a3dafb2200bf3c13905a088e82ae11f1eb275a83 Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Thu, 19 Apr 2018 13:29:05 +0800
+Subject: ALSA: hda/realtek - adjust the location of one mic
+
+From: Hui Wang
+
+commit a3dafb2200bf3c13905a088e82ae11f1eb275a83 upstream.
+
+There are two front mics on this machine, if we don't adjust the
+location for one of them, they will have the same mixer name,
+pulseaudio can't handle this situation.
+
+After applying this FIXUP, they will have different mixer name,
+then pulseaudio can handle them correctly.
+
+Cc:
+Signed-off-by: Hui Wang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6430,6 +6430,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
++ SND_PCI_QUIRK(0x17aa, 0x3138, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
diff --git a/queue-4.14/alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch b/queue-4.14/alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch
new file mode 100644
index 00000000000..39538264ba2
--- /dev/null
+++ b/queue-4.14/alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch
@@ -0,0 +1,39 @@
+From 3ce0d5aa265bcc0a4b281cb0cabf92491276101b Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Thu, 19 Apr 2018 13:29:04 +0800
+Subject: ALSA: hda/realtek - set PINCFG_HEADSET_MIC to parse_flags
+
+From: Hui Wang
+
+commit 3ce0d5aa265bcc0a4b281cb0cabf92491276101b upstream.
+
+Otherwise, the pin will be regarded as microphone, and the jack name
+is "Mic Phantom", it is always on in the pulseaudio even nothing is
+plugged into the jack. So the UI is confusing to users since the
+microphone always shows up in the UI even there is no microphone
+plugged.
+
+After adding this flag, the jack name is "Headset Mic Phantom", then
+the pulseaudio can handle its detection correctly.
+
+Fixes: f0ba9d699e5c ("ALSA: hda/realtek - Fix Dell headset Mic can't record")
+Cc:
+Signed-off-by: Hui Wang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6225,6 +6225,8 @@ static const struct hda_fixup alc269_fix
+ { 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */
+ { }
+ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HEADSET_MIC
+ },
+ };
+
diff --git a/queue-4.14/alsa-line6-use-correct-endpoint-type-for-midi-output.patch b/queue-4.14/alsa-line6-use-correct-endpoint-type-for-midi-output.patch
new file mode 100644
index 00000000000..3f7bcc4e774
--- /dev/null
+++ b/queue-4.14/alsa-line6-use-correct-endpoint-type-for-midi-output.patch
@@ -0,0 +1,47 @@
+From 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabi=C3=A1n=20Inostroza?=
+Date: Thu, 12 Apr 2018 00:37:35 -0300
+Subject: ALSA: line6: Use correct endpoint type for midi output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabián Inostroza
+
+commit 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 upstream.
+
+Sending MIDI messages to a PODxt through the USB connection shows
+"usb_submit_urb failed" in dmesg and the message is not received by
+the POD.
+
+The error is caused because in the funcion send_midi_async() in midi.c
+there is a call to usb_sndbulkpipe() for endpoint 3 OUT, but the PODxt
+USB descriptor shows that this endpoint it's an interrupt endpoint.
+
+Patch tested with PODxt only.
+
+[ The bug has been present from the very beginning in the staging
+ driver time, but Fixes below points to the commit moving to sound/
+ directory so that the fix can be cleanly applied -- tiwai ]
+
+Fixes: 61864d844c29 ("ALSA: move line6 usb driver into sound/usb")
+Signed-off-by: Fabián Inostroza
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/line6/midi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/midi.c
++++ b/sound/usb/line6/midi.c
+@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_li
+ }
+
+ usb_fill_int_urb(urb, line6->usbdev,
+- usb_sndbulkpipe(line6->usbdev,
++ usb_sndintpipe(line6->usbdev,
+ line6->properties->ep_ctrl_w),
+ transfer_buffer, length, midi_sent, line6,
+ line6->interval);
diff --git a/queue-4.14/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch b/queue-4.14/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
new file mode 100644
index 00000000000..e3ed8925ba3
--- /dev/null
+++ b/queue-4.14/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
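Review bot: The pipe type in `send_midi_async()` is now hard-coded to interrupt for every device that uses `line6->properties->ep_ctrl_w`, while the commit message states the patch was tested with PODxt only. Whether every supported device exposes that endpoint as an interrupt endpoint is not visible from this hunk; if one exposes it as bulk, the submit would presumably fail there the way it did on the PODxt before the fix. A check of the endpoint descriptor at probe time (for example with `usb_endpoint_xfer_int()`) and a comment such as `/* ep_ctrl_w is an interrupt OUT endpoint on all supported devices */` would make the assumption explicit. The body of `send_midi_async()` starts and ends outside the hunk.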
@@ -0,0 +1,93 @@
+From 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 19 Apr 2018 18:16:15 +0200
+Subject: ALSA: rawmidi: Fix missing input substream checks in compat ioctls
+
+From: Takashi Iwai
+
+commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream.
+
+Some rawmidi compat ioctls lack of the input substream checks
+(although they do check only for rfile->output). This many eventually
+lead to an Oops as NULL substream is passed to the rawmidi core
+functions.
+
+Fix it by adding the proper checks before each function call.
+
+The bug was spotted by syzkaller.
+
+Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/rawmidi_compat.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/sound/core/rawmidi_compat.c
++++ b/sound/core/rawmidi_compat.c
+@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_comp
+ struct snd_rawmidi_params params;
+ unsigned int val;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(params.stream, &src->stream) ||
+ get_user(params.buffer_size, &src->buffer_size) ||
+ get_user(params.avail_min, &src->avail_min) ||
+@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_comp
+ params.no_active_sensing = val;
+ switch (params.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ return snd_rawmidi_output_params(rfile->output, ¶ms);
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ return snd_rawmidi_input_params(rfile->input, ¶ms);
+ }
+ return -EINVAL;
+@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_comp
+ int err;
+ struct snd_rawmidi_status status;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(status.stream, &src->stream))
+ return -EFAULT;
+
+ switch (status.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ err = snd_rawmidi_output_status(rfile->output, &status);
+ break;
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ err = snd_rawmidi_input_status(rfile->input, &status);
+ break;
+ default:
+@@ -112,16 +116,18 @@ static int snd_rawmidi_ioctl_status_x32(
+ int err;
+ struct snd_rawmidi_status status;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(status.stream, &src->stream))
+ return -EFAULT;
+
+ switch (status.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ err = snd_rawmidi_output_status(rfile->output, &status);
+ break;
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ err = snd_rawmidi_input_status(rfile->input, &status);
+ break;
+ default:
diff --git a/queue-4.14/fanotify-fix-logic-of-events-on-child.patch b/queue-4.14/fanotify-fix-logic-of-events-on-child.patch
new file mode 100644
index 00000000000..b7abac45a7e
--- /dev/null
+++ b/queue-4.14/fanotify-fix-logic-of-events-on-child.patch
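Review bot: The two-line guard (`if (!rfile->input) return -EINVAL;` and its output twin) is now open-coded six times across `snd_rawmidi_ioctl_params_compat()`, `snd_rawmidi_ioctl_status_compat()` and `snd_rawmidi_ioctl_status_x32()`, with no comment saying why either pointer can be NULL. The stream selector comes from `get_user()`, so userspace chooses which substream pointer is dereferenced, and any compat handler added later has to remember the same guard. I would add a comment at the first switch, e.g. `/* the stream is chosen by userspace; the file may have been opened for one direction only, so the matching substream can be NULL */`. The two status handlers look identical in the visible lines and might share a small helper that returns the validated substream. All three functions start and end outside their hunks.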
@@ -0,0 +1,84 @@
+From 54a307ba8d3cd00a3902337ffaae28f436eeb1a4 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein
+Date: Wed, 4 Apr 2018 23:42:18 +0300
+Subject: fanotify: fix logic of events on child
+
+From: Amir Goldstein
+
+commit 54a307ba8d3cd00a3902337ffaae28f436eeb1a4 upstream.
+
+When event on child inodes are sent to the parent inode mark and
+parent inode mark was not marked with FAN_EVENT_ON_CHILD, the event
+will not be delivered to the listener process. However, if the same
+process also has a mount mark, the event to the parent inode will be
+delivered regadless of the mount mark mask.
+
+This behavior is incorrect in the case where the mount mark mask does
+not contain the specific event type. For example, the process adds
+a mark on a directory with mask FAN_MODIFY (without FAN_EVENT_ON_CHILD)
+and a mount mark with mask FAN_CLOSE_NOWRITE (without FAN_ONDIR).
+
+A modify event on a file inside that directory (and inside that mount)
+should not create a FAN_MODIFY event, because neither of the marks
+requested to get that event on the file.
+
+Fixes: 1968f5eed54c ("fanotify: use both marks when possible")
+Cc: stable
+Signed-off-by: Amir Goldstein
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/notify/fanotify/fanotify.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -90,7 +90,7 @@ static bool fanotify_should_send_event(s
+ u32 event_mask,
+ const void *data, int data_type)
+ {
+- __u32 marks_mask, marks_ignored_mask;
++ __u32 marks_mask = 0, marks_ignored_mask = 0;
+ const struct path *path = data;
+
+ pr_debug("%s: inode_mark=%p vfsmnt_mark=%p mask=%x data=%p"
+@@ -106,24 +106,20 @@ static bool fanotify_should_send_event(s
+ !d_can_lookup(path->dentry))
+ return false;
+
+- if (inode_mark && vfsmnt_mark) {
+- marks_mask = (vfsmnt_mark->mask | inode_mark->mask);
+- marks_ignored_mask = (vfsmnt_mark->ignored_mask | inode_mark->ignored_mask);
+- } else if (inode_mark) {
+- /*
+- * if the event is for a child and this inode doesn't care about
+- * events on the child, don't send it!
+- */
+- if ((event_mask & FS_EVENT_ON_CHILD) &&
+- !(inode_mark->mask & FS_EVENT_ON_CHILD))
+- return false;
+- marks_mask = inode_mark->mask;
+- marks_ignored_mask = inode_mark->ignored_mask;
+- } else if (vfsmnt_mark) {
+- marks_mask = vfsmnt_mark->mask;
+- marks_ignored_mask = vfsmnt_mark->ignored_mask;
+- } else {
+- BUG();
++ /*
++ * if the event is for a child and this inode doesn't care about
++ * events on the child, don't send it!
++ */
++ if (inode_mark &&
++ (!(event_mask & FS_EVENT_ON_CHILD) ||
++ (inode_mark->mask & FS_EVENT_ON_CHILD))) {
++ marks_mask |= inode_mark->mask;
++ marks_ignored_mask |= inode_mark->ignored_mask;
++ }
++
++ if (vfsmnt_mark) {
++ marks_mask |= vfsmnt_mark->mask;
++ marks_ignored_mask |= vfsmnt_mark->ignored_mask;
+ }
+
+ if (d_is_dir(path->dentry) &&
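Review bot: The comment carried over above the new `if (inode_mark && ...)` block still says "don't send it!", but the rewritten code no longer returns there. It only leaves the inode mark's masks out of `marks_mask` and `marks_ignored_mask`, and a mount mark can still cause delivery. For code that decides which filesystem events reach a monitoring process, the comment should state the rule the condition implements, e.g. `/* An event on a child counts against the inode mark only if that mark set FS_EVENT_ON_CHILD; a mount mark is evaluated independently below. */`. The removed `BUG()` branch means the case where both marks are NULL now proceeds with zero masks, which is worth one line in the same comment. The rest of `fanotify_should_send_event()` lies outside the hunk, so how zero masks are handled further down is not visible here.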
diff --git a/queue-4.14/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch b/queue-4.14/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
new file mode 100644
index 00000000000..98e30cd5370
--- /dev/null
+++ b/queue-4.14/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
@@ -0,0 +1,40 @@
+From a955358d54695e4ad9f7d6489a7ac4d69a8fc711 Mon Sep 17 00:00:00 2001
+From: Rodrigo Rivas Costa
+Date: Fri, 6 Apr 2018 01:09:36 +0200
+Subject: HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
+
+From: Rodrigo Rivas Costa
+
+commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711 upstream.
+
+Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device
+and then disconnecting the device, or unloading the driver, can
+cause a NULL pointer dereference.
+
+When a hidraw device is destroyed it sets 0 to `dev->exist`.
+Most functions check 'dev->exist' before doing its work, but
+`hidraw_get_report()` was missing that check.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rodrigo Rivas Costa
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hidraw.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -192,6 +192,11 @@ static ssize_t hidraw_get_report(struct
+ int ret = 0, len;
+ unsigned char report_number;
+
++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ dev = hidraw_table[minor]->hid;
+
+ if (!dev->ll_driver->raw_request) {
diff --git a/queue-4.14/hid-input-fix-battery-level-reporting-on-bt-mice.patch b/queue-4.14/hid-input-fix-battery-level-reporting-on-bt-mice.patch
new file mode 100644
index 00000000000..c1b82089bf8
--- /dev/null
+++ b/queue-4.14/hid-input-fix-battery-level-reporting-on-bt-mice.patch
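Review bot: The new guard in `hidraw_get_report()` reads `hidraw_table[minor]` twice and the following `dev = hidraw_table[minor]->hid;` reads it a third time, so the check only closes the disconnect race if the caller holds the lock that serialises updates to `hidraw_table` for the whole call. That locking is not visible in this hunk (presumably the ioctl path takes `minors_lock`, which should be confirmed against the caller). I would state the requirement next to the check, e.g. `/* caller must hold the lock protecting hidraw_table */`, or enforce it with a `lockdep_assert_held()` on that lock. Loading the slot once into a local before testing `->exist` would also make the intent clearer. The function body continues outside the hunk.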
@@ -0,0 +1,127 @@
+From 2e210bbb7429cdcf1a1a3ad00c1bf98bd9bf2452 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Tue, 3 Apr 2018 10:52:20 -0700
+Subject: HID: input: fix battery level reporting on BT mice
+
+From: Dmitry Torokhov
+
+commit 2e210bbb7429cdcf1a1a3ad00c1bf98bd9bf2452 upstream.
+
+The commit 581c4484769e ("HID: input: map digitizer battery usage")
+assumed that devices having input (qas opposed to feature) report for
+battery strength would report the data on their own, without the need to
+be polled by the kernel; unfortunately it is not so. Many wireless mice
+do not send unsolicited reports with battery strength data and have to
+be polled explicitly. As a complication, stylus devices on digitizers
+are not normally connected to the base and thus can not be polled - the
+base can only determine battery strength in the stylus when it is in
+proximity.
+
+To solve this issue, we add a special flag that tells the kernel
+to avoid polling the device (and expect unsolicited reports) and set it
+when report field with physical usage of digitizer stylus (HID_DG_STYLUS).
+Unless this flag is set, and we have not seen the unsolicited reports,
+the kernel will attempt to poll the device when userspace attempts to
+read "capacity" and "state" attributes of power_supply object
+corresponding to the devices battery.
+
+Fixes: 581c4484769e ("HID: input: map digitizer battery usage")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=198095
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: Martin van Es
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-input.c | 24 +++++++++++++++++-------
+ include/linux/hid.h | 9 ++++++++-
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -387,7 +387,8 @@ static int hidinput_get_battery_property
+ break;
+
+ case POWER_SUPPLY_PROP_CAPACITY:
+- if (dev->battery_report_type == HID_FEATURE_REPORT) {
++ if (dev->battery_status != HID_BATTERY_REPORTED &&
++ !dev->battery_avoid_query) {
+ value = hidinput_query_battery_capacity(dev);
+ if (value < 0)
+ return value;
+@@ -403,17 +404,17 @@ static int hidinput_get_battery_property
+ break;
+
+ case POWER_SUPPLY_PROP_STATUS:
+- if (!dev->battery_reported &&
+- dev->battery_report_type == HID_FEATURE_REPORT) {
++ if (dev->battery_status != HID_BATTERY_REPORTED &&
++ !dev->battery_avoid_query) {
+ value = hidinput_query_battery_capacity(dev);
+ if (value < 0)
+ return value;
+
+ dev->battery_capacity = value;
+- dev->battery_reported = true;
++ dev->battery_status = HID_BATTERY_QUERIED;
+ }
+
+- if (!dev->battery_reported)
++ if (dev->battery_status == HID_BATTERY_UNKNOWN)
+ val->intval = POWER_SUPPLY_STATUS_UNKNOWN;
+ else if (dev->battery_capacity == 100)
+ val->intval = POWER_SUPPLY_STATUS_FULL;
+@@ -486,6 +487,14 @@ static int hidinput_setup_battery(struct
+ dev->battery_report_type = report_type;
+ dev->battery_report_id = field->report->id;
+
++ /*
++ * Stylus is normally not connected to the device and thus we
++ * can't query the device and get meaningful battery strength.
++ * We have to wait for the device to report it on its own.
++ */
++ dev->battery_avoid_query = report_type == HID_INPUT_REPORT &&
++ field->physical == HID_DG_STYLUS;
++
+ dev->battery = power_supply_register(&dev->dev, psy_desc, &psy_cfg);
+ if (IS_ERR(dev->battery)) {
+ error = PTR_ERR(dev->battery);
+@@ -530,9 +539,10 @@ static void hidinput_update_battery(stru
+
+ capacity = hidinput_scale_battery_capacity(dev, value);
+
+- if (!dev->battery_reported || capacity != dev->battery_capacity) {
++ if (dev->battery_status != HID_BATTERY_REPORTED ||
++ capacity != dev->battery_capacity) {
+ dev->battery_capacity = capacity;
+- dev->battery_reported = true;
++ dev->battery_status = HID_BATTERY_REPORTED;
+ power_supply_changed(dev->battery);
+ }
+ }
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -512,6 +512,12 @@ enum hid_type {
+ HID_TYPE_USBNONE
+ };
+
++enum hid_battery_status {
++ HID_BATTERY_UNKNOWN = 0,
++ HID_BATTERY_QUERIED, /* Kernel explicitly queried battery strength */
++ HID_BATTERY_REPORTED, /* Device sent unsolicited battery strength report */
++};
++
+ struct hid_driver;
+ struct hid_ll_driver;
+
+@@ -554,7 +560,8 @@ struct hid_device { /* device repo
+ __s32 battery_max;
+ __s32 battery_report_type;
+ __s32 battery_report_id;
+- bool battery_reported;
++ enum hid_battery_status battery_status;
++ bool battery_avoid_query;
+ #endif
+
+ unsigned int status; /* see STAT flags above */
diff --git a/queue-4.14/hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch b/queue-4.14/hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch
new file mode 100644
index 00000000000..43b2cf92ecc
--- /dev/null
+++ b/queue-4.14/hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch
@@ -0,0 +1,122 @@ +From 619d3a2922ce623ca2eca443cc936810d328317c Mon Sep 17 00:00:00 2001 +From: Aaron Armstrong Skomra +Date: Wed, 4 Apr 2018 14:24:11 -0700 +Subject: HID: wacom: bluetooth: send exit report for recent Bluetooth devices + +From: Aaron Armstrong Skomra + +commit 619d3a2922ce623ca2eca443cc936810d328317c upstream. + +The code path for recent Bluetooth devices omits an exit report which +resets all the values of the device. + +Fixes: 4922cd26f0 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface") +Cc: # 4.11 +Signed-off-by: Aaron Armstrong Skomra +Reviewed-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 76 +++++++++++++++++++++++++++++------------------- + 1 file changed, 46 insertions(+), 30 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -689,6 +689,45 @@ static int wacom_intuos_get_tool_type(in + return tool_type; + } + ++static void wacom_exit_report(struct wacom_wac *wacom) ++{ ++ struct input_dev *input = wacom->pen_input; ++ struct wacom_features *features = &wacom->features; ++ unsigned char *data = wacom->data; ++ int idx = (features->type == INTUOS) ? 
(data[1] & 0x01) : 0; ++ ++ /* ++ * Reset all states otherwise we lose the initial states ++ * when in-prox next time ++ */ ++ input_report_abs(input, ABS_X, 0); ++ input_report_abs(input, ABS_Y, 0); ++ input_report_abs(input, ABS_DISTANCE, 0); ++ input_report_abs(input, ABS_TILT_X, 0); ++ input_report_abs(input, ABS_TILT_Y, 0); ++ if (wacom->tool[idx] >= BTN_TOOL_MOUSE) { ++ input_report_key(input, BTN_LEFT, 0); ++ input_report_key(input, BTN_MIDDLE, 0); ++ input_report_key(input, BTN_RIGHT, 0); ++ input_report_key(input, BTN_SIDE, 0); ++ input_report_key(input, BTN_EXTRA, 0); ++ input_report_abs(input, ABS_THROTTLE, 0); ++ input_report_abs(input, ABS_RZ, 0); ++ } else { ++ input_report_abs(input, ABS_PRESSURE, 0); ++ input_report_key(input, BTN_STYLUS, 0); ++ input_report_key(input, BTN_STYLUS2, 0); ++ input_report_key(input, BTN_TOUCH, 0); ++ input_report_abs(input, ABS_WHEEL, 0); ++ if (features->type >= INTUOS3S) ++ input_report_abs(input, ABS_Z, 0); ++ } ++ input_report_key(input, wacom->tool[idx], 0); ++ input_report_abs(input, ABS_MISC, 0); /* reset tool id */ ++ input_event(input, EV_MSC, MSC_SERIAL, wacom->serial[idx]); ++ wacom->id[idx] = 0; ++} ++ + static int wacom_intuos_inout(struct wacom_wac *wacom) + { + struct wacom_features *features = &wacom->features; +@@ -741,36 +780,7 @@ static int wacom_intuos_inout(struct wac + if (!wacom->id[idx]) + return 1; + +- /* +- * Reset all states otherwise we lose the initial states +- * when in-prox next time +- */ +- input_report_abs(input, ABS_X, 0); +- input_report_abs(input, ABS_Y, 0); +- input_report_abs(input, ABS_DISTANCE, 0); +- input_report_abs(input, ABS_TILT_X, 0); +- input_report_abs(input, ABS_TILT_Y, 0); +- if (wacom->tool[idx] >= BTN_TOOL_MOUSE) { +- input_report_key(input, BTN_LEFT, 0); +- input_report_key(input, BTN_MIDDLE, 0); +- input_report_key(input, BTN_RIGHT, 0); +- input_report_key(input, BTN_SIDE, 0); +- input_report_key(input, BTN_EXTRA, 0); +- input_report_abs(input, ABS_THROTTLE, 0); 
+- input_report_abs(input, ABS_RZ, 0);
+- } else {
+- input_report_abs(input, ABS_PRESSURE, 0);
+- input_report_key(input, BTN_STYLUS, 0);
+- input_report_key(input, BTN_STYLUS2, 0);
+- input_report_key(input, BTN_TOUCH, 0);
+- input_report_abs(input, ABS_WHEEL, 0);
+- if (features->type >= INTUOS3S)
+- input_report_abs(input, ABS_Z, 0);
+- }
+- input_report_key(input, wacom->tool[idx], 0);
+- input_report_abs(input, ABS_MISC, 0); /* reset tool id */
+- input_event(input, EV_MSC, MSC_SERIAL, wacom->serial[idx]);
+- wacom->id[idx] = 0;
++ wacom_exit_report(wacom);
+ return 2;
+ }
+
+@@ -1226,6 +1236,12 @@ static void wacom_intuos_pro2_bt_pen(str
+ if (!valid)
+ continue;
+
++ if (!prox) {
++ wacom->shared->stylus_in_proximity = false;
++ wacom_exit_report(wacom);
++ input_sync(pen_input);
++ return;
++ }
+ if (range) {
+ /* Fix rotation alignment: userspace expects zero at left */
+ int16_t rotation = (int16_t)get_unaligned_le16(&frame[9]);
diff --git a/queue-4.14/mips-memset.s-eva-fault-support-for-small_memset.patch b/queue-4.14/mips-memset.s-eva-fault-support-for-small_memset.patch
new file mode 100644
index 00000000000..f6d0d7f821e
--- /dev/null
+++ b/queue-4.14/mips-memset.s-eva-fault-support-for-small_memset.patch
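Review bot: The new `if (!prox)` block in `wacom_intuos_pro2_bt_pen()` ends in `return;`, and the `continue` just above it suggests this code runs inside a per-frame loop. If so, the first out-of-proximity frame ends the function, and any later frames in the same report, together with whatever follows the loop, are skipped. That may be intended, but nothing in the hunk says so; a comment such as `/* tool left proximity: emit the exit report and drop the remaining frames of this packet */` would record the decision. The enclosing loop and the rest of the function are outside the hunk.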
@@ -0,0 +1,65 @@
+From 8a8158c85e1e774a44fbe81106fa41138580dfd1 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn
+Date: Thu, 29 Mar 2018 10:28:23 +0100
+Subject: MIPS: memset.S: EVA & fault support for small_memset
+
+From: Matt Redfearn
+
+commit 8a8158c85e1e774a44fbe81106fa41138580dfd1 upstream.
+
+The MIPS kernel memset / bzero implementation includes a small_memset
+branch which is used when the region to be set is smaller than a long (4
+bytes on 32bit, 8 bytes on 64bit). The current small_memset
+implementation uses a simple store byte loop to write the destination.
+There are 2 issues with this implementation:
+
+1. When EVA mode is active, user and kernel address spaces may overlap.
+Currently the use of the sb instruction means kernel mode addressing is
+always used and an intended write to userspace may actually overwrite
+some critical kernel data.
+
+2. If the write triggers a page fault, for example by calling
+__clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS
+is triggered.
+
+Fix these issues by replacing the sb instruction with the EX() macro,
+which will emit EVA compatible instuctions as required. Additionally
+implement a fault fixup for small_memset which sets a2 to the number of
+bytes that could not be cleared (as defined by __clear_user).
+
+Reported-by: Chuanhua Lei
+Signed-off-by: Matt Redfearn
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/18975/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/lib/memset.S | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -219,7 +219,7 @@
+ 1: PTR_ADDIU a0, 1 /* fill bytewise */
+ R10KCBARRIER(0(ra))
+ bne t1, a0, 1b
+- sb a1, -1(a0)
++ EX(sb, a1, -1(a0), .Lsmall_fixup\@)
+
+ 2: jr ra /* done */
+ move a2, zero
+@@ -260,6 +260,11 @@
+ jr ra
+ andi v1, a2, STORMASK
+
++.Lsmall_fixup\@:
++ PTR_SUBU a2, t1, a0
++ jr ra
++ PTR_ADDIU a2, 1
++
+ .endm
+
+ /*
diff --git a/queue-4.14/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch b/queue-4.14/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
new file mode 100644
index 00000000000..78f22d78a58
--- /dev/null
+++ b/queue-4.14/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
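Review bot: The new `.Lsmall_fixup\@` handler computes its return value as `t1 - a0 + 1`, with the `PTR_ADDIU a2, 1` sitting in the `jr ra` delay slot, and carries no comment explaining the `+ 1`. The adjustment follows from the loop in the first hunk: `a0` is incremented before the store at `-1(a0)` executes in the `bne` delay slot, so at fault time `a0` already points one past the faulting byte (assuming `t1` holds the end address, which is set outside the hunk). Since this value is what `__clear_user` reports as bytes not cleared, an off-by-one would misreport how much user memory was written. I would add above the label `/* a0 was advanced past the faulting byte: uncleared = t1 - a0 + 1 */`. The macro body starts outside the hunk.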
@@ -0,0 +1,77 @@ +From c96eebf07692e53bf4dd5987510d8b550e793598 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 17 Apr 2018 16:40:00 +0100 +Subject: MIPS: memset.S: Fix clobber of v1 in last_fixup + +From: Matt Redfearn + +commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream. + +The label .Llast_fixup\@ is jumped to on page fault within the final +byte set loop of memset (on < MIPSR6 architectures). For some reason, in +this fault handler, the v1 register is randomly set to a2 & STORMASK. +This clobbers v1 for the calling function. This can be observed with the +following test code: + +static int __init __attribute__((optimize("O0"))) test_clear_user(void) +{ + register int t asm("v1"); + char *test; + int j, k; + + pr_info("\n\n\nTesting clear_user\n"); + test = vmalloc(PAGE_SIZE); + + for (j = 256; j < 512; j++) { + t = 0xa5a5a5a5; + if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) { + pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k); + } + if (t != 0xa5a5a5a5) { + pr_err("v1 was clobbered to 0x%x!\n", t); + } + } + + return 0; +} +late_initcall(test_clear_user); + +Which demonstrates that v1 is indeed clobbered (MIPS64): + +Testing clear_user +v1 was clobbered to 0x1! +v1 was clobbered to 0x2! +v1 was clobbered to 0x3! +v1 was clobbered to 0x4! +v1 was clobbered to 0x5! +v1 was clobbered to 0x6! +v1 was clobbered to 0x7! + +Since the number of bytes that could not be set is already contained in +a2, the andi placing a value in v1 is not necessary and actively +harmful in clobbering v1. 
+ +Reported-by: James Hogan +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/19109/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lib/memset.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/lib/memset.S ++++ b/arch/mips/lib/memset.S +@@ -258,7 +258,7 @@ + + .Llast_fixup\@: + jr ra +- andi v1, a2, STORMASK ++ nop + + .Lsmall_fixup\@: + PTR_SUBU a2, t1, a0 diff --git a/queue-4.14/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch b/queue-4.14/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch new file mode 100644 index 00000000000..17e6d99b551 --- /dev/null +++ b/queue-4.14/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch 
@@ -0,0 +1,57 @@ +From daf70d89f80c6e1772233da9e020114b1254e7e0 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 17 Apr 2018 15:52:21 +0100 +Subject: MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup + +From: Matt Redfearn + +commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream. + +The __clear_user function is defined to return the number of bytes that +could not be cleared. From the underlying memset / bzero implementation +this means setting register a2 to that number on return. Currently if a +page fault is triggered within the memset_partial block, the value +loaded into a2 on return is meaningless. + +The label .Lpartial_fixup\@ is jumped to on page fault. In order to work +out how many bytes failed to copy, the exception handler should find how +many bytes left in the partial block (andi a2, STORMASK), add that to +the partial block end address (a2), and subtract the faulting address to +get the remainder. Currently it incorrectly subtracts the partial block +start address (t1), which has additionally been clobbered to generate a +jump target in memset_partial. Fix this by adding the block end address +instead. + +This issue was found with the following test code: + int j, k; + for (j = 0; j < 512; j++) { + if ((k = clear_user(NULL, j)) != j) { + pr_err("clear_user (NULL %d) returned %d\n", j, k); + } + } +Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64). 
+ +Suggested-by: James Hogan +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/19108/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lib/memset.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/lib/memset.S ++++ b/arch/mips/lib/memset.S +@@ -252,7 +252,7 @@ + PTR_L t0, TI_TASK($28) + andi a2, STORMASK + LONG_L t0, THREAD_BUADDR(t0) +- LONG_ADDU a2, t1 ++ LONG_ADDU a2, a0 + jr ra + LONG_SUBU a2, t0 + diff --git a/queue-4.14/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch b/queue-4.14/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch new file mode 100644 index 00000000000..204ccc8ece6 --- /dev/null +++ b/queue-4.14/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch 
@@ -0,0 +1,60 @@ +From b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 17 Apr 2018 16:40:01 +0100 +Subject: MIPS: uaccess: Add micromips clobbers to bzero invocation + +From: Matt Redfearn + +commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 upstream. + +The micromips implementation of bzero additionally clobbers registers t7 +& t8. Specify this in the clobbers list when invoking bzero. + +Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.") +Reported-by: James Hogan +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: # 3.10+ +Patchwork: https://patchwork.linux-mips.org/patch/19110/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/uaccess.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/mips/include/asm/uaccess.h ++++ b/arch/mips/include/asm/uaccess.h +@@ -654,6 +654,13 @@ __clear_user(void __user *addr, __kernel + { + __kernel_size_t res; + ++#ifdef CONFIG_CPU_MICROMIPS ++/* micromips memset / bzero also clobbers t7 & t8 */ ++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31" ++#else ++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31" ++#endif /* CONFIG_CPU_MICROMIPS */ ++ + if (eva_kernel_access()) { + __asm__ __volatile__( + "move\t$4, %1\n\t" +@@ -663,7 +670,7 @@ __clear_user(void __user *addr, __kernel + "move\t%0, $6" + : "=r" (res) + : "r" (addr), "r" (size) +- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); ++ : bzero_clobbers); + } else { + might_fault(); + __asm__ __volatile__( +@@ -674,7 +681,7 @@ __clear_user(void __user *addr, __kernel + "move\t%0, $6" + : "=r" (res) + : "r" (addr), "r" (size) +- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); ++ : bzero_clobbers); + } + + return res; 
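Review bot: `bzero_clobbers` is `#define`d inside the body of `__clear_user()` in a header and never undefined, so the unprefixed name stays visible to every file that includes uaccess.h after this point. Either add `#undef bzero_clobbers` after the second `__asm__` block, or move the definition to file scope under a namespaced name such as `__UA_bzero_clobbers` (a name constructed here for illustration). `__clear_user()` begins and ends outside the hunks.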
diff --git a/queue-4.14/mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch b/queue-4.14/mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch new file mode 100644 index 00000000000..3c46a5b7527 --- /dev/null +++ b/queue-4.14/mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch 
@@ -0,0 +1,86 @@ +From 300ad8992913025b4294d4fc37b6bfff4a8b7ad1 Mon Sep 17 00:00:00 2001 +From: Daniel Kurtz +Date: Fri, 6 Apr 2018 16:07:59 -0600 +Subject: mmc: sdhci-pci: Only do AMD tuning for HS200 + +From: Daniel Kurtz + +commit 300ad8992913025b4294d4fc37b6bfff4a8b7ad1 upstream. + +Commit c31165d7400b ("mmc: sdhci-pci: Add support for HS200 tuning mode +on AMD, eMMC-4.5.1") added a HS200 tuning method for use with AMD SDHCI +controllers. As described in the commit subject, this tuning is specific +for HS200. However, as implemented, this method is used for all host +timings, because platform_execute_tuning, if it exists, is called +unconditionally by sdhci_execute_tuning(). This breaks tuning when using +the AMD controller with, for example, a DDR50 SD card. + +Instead, we can implement an amd execute_tuning wrapper callback, and +then conditionally do the HS200 specific tuning for HS200, and otherwise +call back to the standard sdhci_execute_tuning(). + +Signed-off-by: Daniel Kurtz +Acked-by: Shyam Sundar S K +Acked-by: Adrian Hunter +Fixes: c31165d7400b ("mmc: sdhci-pci: Add support for HS200 tuning mode on AMD, eMMC-4.5.1") +Cc: stable@vger.kernel.org # v4.11+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-pci-core.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -1192,7 +1192,7 @@ static void amd_enable_manual_tuning(str + pci_write_config_dword(pdev, AMD_SD_MISC_CONTROL, val); + } + +-static int amd_execute_tuning(struct sdhci_host *host, u32 opcode) ++static int amd_execute_tuning_hs200(struct sdhci_host *host, u32 opcode) + { + struct sdhci_pci_slot *slot = sdhci_priv(host); + struct pci_dev *pdev = slot->chip->pdev; +@@ -1231,6 +1231,27 @@ static int amd_execute_tuning(struct sdh + return 0; + } + ++static int amd_execute_tuning(struct mmc_host *mmc, u32 opcode) ++{ ++ struct 
sdhci_host *host = mmc_priv(mmc); ++ ++ /* AMD requires custom HS200 tuning */ ++ if (host->timing == MMC_TIMING_MMC_HS200) ++ return amd_execute_tuning_hs200(host, opcode); ++ ++ /* Otherwise perform standard SDHCI tuning */ ++ return sdhci_execute_tuning(mmc, opcode); ++} ++ ++static int amd_probe_slot(struct sdhci_pci_slot *slot) ++{ ++ struct mmc_host_ops *ops = &slot->host->mmc_host_ops; ++ ++ ops->execute_tuning = amd_execute_tuning; ++ ++ return 0; ++} ++ + static int amd_probe(struct sdhci_pci_chip *chip) + { + struct pci_dev *smbus_dev; +@@ -1265,12 +1286,12 @@ static const struct sdhci_ops amd_sdhci_ + .set_bus_width = sdhci_set_bus_width, + .reset = sdhci_reset, + .set_uhs_signaling = sdhci_set_uhs_signaling, +- .platform_execute_tuning = amd_execute_tuning, + }; + + static const struct sdhci_pci_fixes sdhci_amd = { + .probe = amd_probe, + .ops = &amd_sdhci_pci_ops, ++ .probe_slot = amd_probe_slot, + }; + + static const struct pci_device_id pci_ids[] = { diff --git a/queue-4.14/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch b/queue-4.14/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch new file mode 100644 index 00000000000..6a0361f697b --- /dev/null +++ b/queue-4.14/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch 
@@ -0,0 +1,56 @@ +From 13a83eac373c49c0a081cbcd137e79210fe78acd Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Wed, 11 Apr 2018 13:37:58 +1000 +Subject: powerpc/eeh: Fix enabling bridge MMIO windows + +From: Michael Neuling + +commit 13a83eac373c49c0a081cbcd137e79210fe78acd upstream. + +On boot we save the configuration space of PCIe bridges. We do this so +when we get an EEH event and everything gets reset that we can restore +them. + +Unfortunately we save this state before we've enabled the MMIO space +on the bridges. Hence if we have to reset the bridge when we come back +MMIO is not enabled and we end up taking an PE freeze when the driver +starts accessing again. + +This patch forces the memory/MMIO and bus mastering on when restoring +bridges on EEH. Ideally we'd do this correctly by saving the +configuration space writes later, but that will have to come later in +a larger EEH rewrite. For now we have this simple fix. + +The original bug can be triggered on a boston machine by doing: + echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound +On boston, this PHB has a PCIe switch on it. Without this patch, +you'll see two EEH events, 1 expected and 1 the failure we are fixing +here. The second EEH event causes the anything under the PHB to +disappear (i.e. the i40e eth). + +With this patch, only 1 EEH event occurs and devices properly recover. 
+ +Fixes: 652defed4875 ("powerpc/eeh: Check PCIe link after reset") +Cc: stable@vger.kernel.org # v3.11+ +Reported-by: Pridhiviraj Paidipeddi +Signed-off-by: Michael Neuling +Acked-by: Russell Currey +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/eeh_pe.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -807,7 +807,8 @@ static void eeh_restore_bridge_bars(stru + eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]); + + /* PCI Command: 0x4 */ +- eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]); ++ eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] | ++ PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER); + + /* Check the PCIe link is ready */ + eeh_bridge_check_link(edev); diff --git a/queue-4.14/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch b/queue-4.14/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch new file mode 100644 index 00000000000..bed780fe095 --- /dev/null +++ b/queue-4.14/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch 
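Review bot: The comment `/* PCI Command: 0x4 */` above the changed call still reads as a plain restore, but the new code ORs `PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER` into the saved value. Memory decoding and bus mastering are therefore switched on for the bridge even when the saved command word had them clear. The commit message describes this as a deliberate stopgap, and the call site should say so, e.g. `/* PCI Command: 0x4 - force MEM and bus mastering on; config space was saved before they were enabled */`. Because bus mastering controls whether the bridge forwards DMA from devices behind it, anyone auditing DMA exposure needs to see that the bit is forced rather than restored. `eeh_restore_bridge_bars()` starts and ends outside the hunk.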
@@ -0,0 +1,53 @@ +From b8858581febb050688e276b956796bc4a78299ed Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Mon, 16 Apr 2018 23:25:19 +1000 +Subject: powerpc/lib: Fix off-by-one in alternate feature patching + +From: Michael Ellerman + +commit b8858581febb050688e276b956796bc4a78299ed upstream. + +When we patch an alternate feature section, we have to adjust any +relative branches that branch out of the alternate section. + +But currently we have a bug if we have a branch that points to past +the last instruction of the alternate section, eg: + + FTR_SECTION_ELSE + 1: b 2f + or 6,6,6 + 2: + ALT_FTR_SECTION_END(...) + nop + +This will result in a relative branch at 1 with a target that equals +the end of the alternate section. + +That branch does not need adjusting when it's moved to the non-else +location. Currently we do adjust it, resulting in a branch that goes +off into the link-time location of the else section, which is junk. + +The fix is to not patch branches that have a target == end of the +alternate section. + +Fixes: d20fe50a7b3c ("KVM: PPC: Book3S HV: Branch inside feature section") +Fixes: 9b1a735de64c ("powerpc: Add logic to patch alternative feature sections") +Cc: stable@vger.kernel.org # v2.6.27+ +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/feature-fixups.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/lib/feature-fixups.c ++++ b/arch/powerpc/lib/feature-fixups.c +@@ -55,7 +55,7 @@ static int patch_alt_instruction(unsigne + unsigned int *target = (unsigned int *)branch_target(src); + + /* Branch within the section doesn't need translating */ +- if (target < alt_start || target >= alt_end) { ++ if (target < alt_start || target > alt_end) { + instr = translate_branch(dest, src); + if (!instr) + return 1; 
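Review bot: The comment `/* Branch within the section doesn't need translating */` no longer matches the condition after the change to `target > alt_end`. A branch whose target equals `alt_end` is not within the section, yet it is now deliberately left untranslated. I would reword it to `/* Branch within the section, or to its end (alt_end), doesn't need translating */` so the boundary case this patch fixes stays documented next to the comparison. `patch_alt_instruction()` starts and ends outside the hunk.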
diff --git a/queue-4.14/powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch b/queue-4.14/powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch new file mode 100644 index 00000000000..76eafa23572 --- /dev/null +++ b/queue-4.14/powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch @@ -0,0 +1,44 @@ +From b32e56e5a87a1f9243db92bc7a5df0ffb4627cfb Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Wed, 11 Apr 2018 15:17:59 +1000 +Subject: powerpc/xive: Fix trying to "push" an already active pool VP + +From: Benjamin Herrenschmidt + +commit b32e56e5a87a1f9243db92bc7a5df0ffb4627cfb upstream. + +When setting up a CPU, we "push" (activate) a pool VP for it. + +However it's an error to do so if it already has an active +pool VP. + +This happens when doing soft CPU hotplug on powernv since we +don't tear down the CPU on unplug. The HW flags the error which +gets captured by the diagnostics. + +Fix this by making sure to "pull" out any already active pool +first. + +Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller") +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/sysdev/xive/native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/powerpc/sysdev/xive/native.c ++++ b/arch/powerpc/sysdev/xive/native.c +@@ -388,6 +388,10 @@ static void xive_native_setup_cpu(unsign + if (xive_pool_vps == XIVE_INVALID_VP) + return; + ++ /* Check if pool VP already active, if it is, pull it */ ++ if (in_be32(xive_tima + TM_QW2_HV_POOL + TM_WORD2) & TM_QW2W2_VP) ++ in_be64(xive_tima + TM_SPC_PULL_POOL_CTX); ++ + /* Enable the pool VP */ + vp = xive_pool_vps + cpu; + pr_debug("CPU %d setting up pool VP 0x%x\n", cpu, vp); diff --git a/queue-4.14/random-add-new-ioctl-rndreseedcrng.patch b/queue-4.14/random-add-new-ioctl-rndreseedcrng.patch new file mode 100644 index 00000000000..13e6f1e2bdc 
--- /dev/null +++ b/queue-4.14/random-add-new-ioctl-rndreseedcrng.patch 
@@ -0,0 +1,75 @@ +From d848e5f8e1ebdb227d045db55fe4f825e82965fa Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 11 Apr 2018 16:32:17 -0400 +Subject: random: add new ioctl RNDRESEEDCRNG + +From: Theodore Ts'o + +commit d848e5f8e1ebdb227d045db55fe4f825e82965fa upstream. + +Add a new ioctl which forces the the crng to be reseeded. + +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 13 ++++++++++++- + include/uapi/linux/random.h | 3 +++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -429,6 +429,7 @@ struct crng_state primary_crng = { + static int crng_init = 0; + #define crng_ready() (likely(crng_init > 1)) + static int crng_init_cnt = 0; ++static unsigned long crng_global_init_time = 0; + #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE) + static void _extract_crng(struct crng_state *crng, + __u8 out[CHACHA20_BLOCK_SIZE]); +@@ -932,7 +933,8 @@ static void _extract_crng(struct crng_st + unsigned long v, flags; + + if (crng_ready() && +- time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)) ++ (time_after(crng_global_init_time, crng->init_time) || ++ time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))) + crng_reseed(crng, crng == &primary_crng ? 
&input_pool : NULL); + spin_lock_irqsave(&crng->lock, flags); + if (arch_get_random_long(&v)) +@@ -1759,6 +1761,7 @@ static int rand_initialize(void) + init_std_data(&input_pool); + init_std_data(&blocking_pool); + crng_initialize(&primary_crng); ++ crng_global_init_time = jiffies; + return 0; + } + early_initcall(rand_initialize); +@@ -1932,6 +1935,14 @@ static long random_ioctl(struct file *f, + input_pool.entropy_count = 0; + blocking_pool.entropy_count = 0; + return 0; ++ case RNDRESEEDCRNG: ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ if (crng_init < 2) ++ return -ENODATA; ++ crng_reseed(&primary_crng, NULL); ++ crng_global_init_time = jiffies - 1; ++ return 0; + default: + return -EINVAL; + } +--- a/include/uapi/linux/random.h ++++ b/include/uapi/linux/random.h +@@ -35,6 +35,9 @@ + /* Clear the entropy pool and associated counters. (Superuser only.) */ + #define RNDCLEARPOOL _IO( 'R', 0x06 ) + ++/* Reseed CRNG. (Superuser only.) */ ++#define RNDRESEEDCRNG _IO( 'R', 0x07 ) ++ + struct rand_pool_info { + int entropy_count; + int buf_size; diff --git a/queue-4.14/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch b/queue-4.14/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch new file mode 100644 index 00000000000..e76e60c046f --- /dev/null +++ b/queue-4.14/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch 
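Review bot: The new `RNDRESEEDCRNG` case calls `crng_reseed(&primary_crng, NULL)`, while the `_extract_crng()` hunk in the same patch passes `&input_pool` whenever the instance is `primary_crng`. crng_reseed()'s body is outside this patch. If a NULL pool means "derive the new key from primary_crng itself", as that call pattern suggests, the ioctl returns 0 without mixing any fresh entropy into the primary instance. I would pass the input pool here: `crng_reseed(&primary_crng, &input_pool);`. Separately, `crng_global_init_time` is written in the ioctl and read in `_extract_crng()` with no lock or `READ_ONCE()`/`WRITE_ONCE()` pairing, so a short comment at its declaration should say whether a stale read is acceptable.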
@@ -0,0 +1,40 @@ +From 0bb29a849a6433b72e249eea7695477b02056e94 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 12 Apr 2018 00:50:45 -0400 +Subject: random: crng_reseed() should lock the crng instance that it is modifying + +From: Theodore Ts'o + +commit 0bb29a849a6433b72e249eea7695477b02056e94 upstream. + +Reported-by: Jann Horn +Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...") +Cc: stable@kernel.org # 4.8+ +Signed-off-by: Theodore Ts'o +Reviewed-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -905,7 +905,7 @@ static void crng_reseed(struct crng_stat + _crng_backtrack_protect(&primary_crng, buf.block, + CHACHA20_KEY_SIZE); + } +- spin_lock_irqsave(&primary_crng.lock, flags); ++ spin_lock_irqsave(&crng->lock, flags); + for (i = 0; i < 8; i++) { + unsigned long rv; + if (!arch_get_random_seed_long(&rv) && +@@ -915,7 +915,7 @@ static void crng_reseed(struct crng_stat + } + memzero_explicit(&buf, sizeof(buf)); + crng->init_time = jiffies; +- spin_unlock_irqrestore(&primary_crng.lock, flags); ++ spin_unlock_irqrestore(&crng->lock, flags); + if (crng == &primary_crng && crng_init < 2) { + invalidate_batched_entropy(); + numa_crng_init(); diff --git a/queue-4.14/random-fix-crng_ready-test.patch b/queue-4.14/random-fix-crng_ready-test.patch new file mode 100644 index 00000000000..be7ae165df9 --- /dev/null +++ b/queue-4.14/random-fix-crng_ready-test.patch 
@@ -0,0 +1,78 @@ +From 43838a23a05fbd13e47d750d3dfd77001536dd33 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 11 Apr 2018 13:27:52 -0400 +Subject: random: fix crng_ready() test + +From: Theodore Ts'o + +commit 43838a23a05fbd13e47d750d3dfd77001536dd33 upstream. + +The crng_init variable has three states: + +0: The CRNG is not initialized at all +1: The CRNG has a small amount of entropy, hopefully good enough for + early-boot, non-cryptographical use cases +2: The CRNG is fully initialized and we are sure it is safe for + cryptographic use cases. + +The crng_ready() function should only return true once we are in the +last state. This addresses CVE-2018-1108. + +Reported-by: Jann Horn +Fixes: e192be9d9a30 ("random: replace non-blocking pool...") +Cc: stable@kernel.org # 4.8+ +Signed-off-by: Theodore Ts'o +Reviewed-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -427,7 +427,7 @@ struct crng_state primary_crng = { + * its value (from 0->1->2). + */ + static int crng_init = 0; +-#define crng_ready() (likely(crng_init > 0)) ++#define crng_ready() (likely(crng_init > 1)) + static int crng_init_cnt = 0; + #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE) + static void _extract_crng(struct crng_state *crng, +@@ -793,7 +793,7 @@ static int crng_fast_load(const char *cp + + if (!spin_trylock_irqsave(&primary_crng.lock, flags)) + return 0; +- if (crng_ready()) { ++ if (crng_init != 0) { + spin_unlock_irqrestore(&primary_crng.lock, flags); + return 0; + } +@@ -855,7 +855,7 @@ static void _extract_crng(struct crng_st + { + unsigned long v, flags; + +- if (crng_init > 1 && ++ if (crng_ready() && + time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)) + crng_reseed(crng, crng == &primary_crng ? 
&input_pool : NULL); + spin_lock_irqsave(&crng->lock, flags); +@@ -1141,7 +1141,7 @@ void add_interrupt_randomness(int irq, i + fast_mix(fast_pool); + add_interrupt_bench(cycles); + +- if (!crng_ready()) { ++ if (unlikely(crng_init == 0)) { + if ((fast_pool->count >= 64) && + crng_fast_load((char *) fast_pool->pool, + sizeof(fast_pool->pool))) { +@@ -2214,7 +2214,7 @@ void add_hwgenerator_randomness(const ch + { + struct entropy_store *poolp = &input_pool; + +- if (!crng_ready()) { ++ if (unlikely(crng_init == 0)) { + crng_fast_load(buffer, count); + return; + } diff --git a/queue-4.14/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch b/queue-4.14/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch new file mode 100644 index 00000000000..b9998090a6b --- /dev/null +++ b/queue-4.14/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch 
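Review bot: The three crng_init states are compared as bare integers throughout this patch (`crng_init != 0` in crng_fast_load(), `crng_init == 0` in add_interrupt_randomness() and add_hwgenerator_randomness(), `crng_init > 1` inside crng_ready()), and the macro itself carries no comment saying which state it tests. Since the fix is precisely that crng_ready() became true one state too early, I would put `/* true only in state 2: fully initialized, safe for cryptographic use */` directly above the `#define crng_ready()` line. Callers of crng_ready() outside these hunks change meaning along with the macro and are not visible here, so each is worth checking for whether it wanted "state >= 1" or "state == 2". All of the touched functions continue outside their hunks.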
@@ -0,0 +1,98 @@ +From 8ef35c866f8862df074a49a93b0309725812dea8 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 11 Apr 2018 15:23:56 -0400 +Subject: random: set up the NUMA crng instances after the CRNG is fully initialized + +From: Theodore Ts'o + +commit 8ef35c866f8862df074a49a93b0309725812dea8 upstream. + +Until the primary_crng is fully initialized, don't initialize the NUMA +crng nodes. Otherwise users of /dev/urandom on NUMA systems before +the CRNG is fully initialized can get very bad quality randomness. Of +course everyone should move to getrandom(2) where this won't be an +issue, but there's a lot of legacy code out there. This related to +CVE-2018-1108. + +Reported-by: Jann Horn +Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...") +Cc: stable@kernel.org # 4.8+ +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 46 +++++++++++++++++++++++++++------------------- + 1 file changed, 27 insertions(+), 19 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -786,6 +786,32 @@ static void crng_initialize(struct crng_ + crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; + } + ++#ifdef CONFIG_NUMA ++static void numa_crng_init(void) ++{ ++ int i; ++ struct crng_state *crng; ++ struct crng_state **pool; ++ ++ pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL); ++ for_each_online_node(i) { ++ crng = kmalloc_node(sizeof(struct crng_state), ++ GFP_KERNEL | __GFP_NOFAIL, i); ++ spin_lock_init(&crng->lock); ++ crng_initialize(crng); ++ pool[i] = crng; ++ } ++ mb(); ++ if (cmpxchg(&crng_node_pool, NULL, pool)) { ++ for_each_node(i) ++ kfree(pool[i]); ++ kfree(pool); ++ } ++} ++#else ++static void numa_crng_init(void) {} ++#endif ++ + /* + * crng_fast_load() can be called by code in the interrupt service + * path. So we can't afford to dilly-dally. 
+@@ -892,6 +918,7 @@ static void crng_reseed(struct crng_stat + spin_unlock_irqrestore(&primary_crng.lock, flags); + if (crng == &primary_crng && crng_init < 2) { + invalidate_batched_entropy(); ++ numa_crng_init(); + crng_init = 2; + process_random_ready_list(); + wake_up_interruptible(&crng_init_wait); +@@ -1729,28 +1756,9 @@ static void init_std_data(struct entropy + */ + static int rand_initialize(void) + { +-#ifdef CONFIG_NUMA +- int i; +- struct crng_state *crng; +- struct crng_state **pool; +-#endif +- + init_std_data(&input_pool); + init_std_data(&blocking_pool); + crng_initialize(&primary_crng); +- +-#ifdef CONFIG_NUMA +- pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL); +- for_each_online_node(i) { +- crng = kmalloc_node(sizeof(struct crng_state), +- GFP_KERNEL | __GFP_NOFAIL, i); +- spin_lock_init(&crng->lock); +- crng_initialize(crng); +- pool[i] = crng; +- } +- mb(); +- crng_node_pool = pool; +-#endif + return 0; + } + early_initcall(rand_initialize); diff --git a/queue-4.14/random-use-a-different-mixing-algorithm-for-add_device_randomness.patch b/queue-4.14/random-use-a-different-mixing-algorithm-for-add_device_randomness.patch new file mode 100644 index 00000000000..600747d3bd8 --- /dev/null +++ b/queue-4.14/random-use-a-different-mixing-algorithm-for-add_device_randomness.patch 
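Review bot: `numa_crng_init()` allocates with `GFP_KERNEL | __GFP_NOFAIL`, which may sleep, and the second hunk now calls it from `crng_reseed()` instead of from the `rand_initialize()` initcall. Not all callers of crng_reseed() are in this patch; if any of them can run in interrupt or other atomic context, this allocation would sleep there. Deferring the allocation to a work item keeps crng_reseed() non-blocking, as sketched below, with the existing body moved unchanged into the work function. crng_reseed() starts and ends outside the hunk.

```c
#ifdef CONFIG_NUMA
static void do_numa_crng_init(struct work_struct *work)
{
	/* … unchanged: per-node allocation, crng_initialize() and cmpxchg() publication … */
}

static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init);

static void numa_crng_init(void)
{
	/* allocation may sleep; run it from process context */
	schedule_work(&numa_crng_init_work);
}
```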
@@ -0,0 +1,113 @@
+From dc12baacb95f205948f64dc936a47d89ee110117 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 11 Apr 2018 14:58:27 -0400
+Subject: random: use a different mixing algorithm for add_device_randomness()
+
+From: Theodore Ts'o
+
+commit dc12baacb95f205948f64dc936a47d89ee110117 upstream.
+
+add_device_randomness() use of crng_fast_load() was highly
+problematic. Some callers of add_device_randomness() can pass in a
+large amount of static information. This would immediately promote
+the crng_init state from 0 to 1, without really doing much to
+initialize the primary_crng's internal state with something even
+vaguely unpredictable.
+
+Since we don't have the speed constraints of add_interrupt_randomness(),
+we can do a better job mixing in the what unpredictability a device
+driver or architecture maintainer might see fit to give us, and do it
+in a way which does not bump the crng_init_cnt variable.
+
+Also, since add_device_randomness() doesn't bump any entropy
+accounting in crng_init state 0, mix the device randomness into the
+input_pool entropy pool as well. This is related to CVE-2018-1108.
+
+Reported-by: Jann Horn
+Fixes: ee7998c50c26 ("random: do not ignore early device randomness")
+Cc: stable@kernel.org # 4.13+
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/random.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 51 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -786,6 +786,10 @@ static void crng_initialize(struct crng_
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
++/*
++ * crng_fast_load() can be called by code in the interrupt service
++ * path. So we can't afford to dilly-dally.
++ */
+ static int crng_fast_load(const char *cp, size_t len)
+ {
+ unsigned long flags;
+@@ -812,6 +816,51 @@ static int crng_fast_load(const char *cp
+ return 1;
+ }
+
++/*
++ * crng_slow_load() is called by add_device_randomness, which has two
++ * attributes. (1) We can't trust the buffer passed to it is
++ * guaranteed to be unpredictable (so it might not have any entropy at
++ * all), and (2) it doesn't have the performance constraints of
++ * crng_fast_load().
++ *
++ * So we do something more comprehensive which is guaranteed to touch
++ * all of the primary_crng's state, and which uses a LFSR with a
++ * period of 255 as part of the mixing algorithm. Finally, we do
++ * *not* advance crng_init_cnt since buffer we may get may be something
++ * like a fixed DMI table (for example), which might very well be
++ * unique to the machine, but is otherwise unvarying.
++ */
++static int crng_slow_load(const char *cp, size_t len)
++{
++ unsigned long flags;
++ static unsigned char lfsr = 1;
++ unsigned char tmp;
++ unsigned i, max = CHACHA20_KEY_SIZE;
++ const char * src_buf = cp;
++ char * dest_buf = (char *) &primary_crng.state[4];
++
++ if (!spin_trylock_irqsave(&primary_crng.lock, flags))
++ return 0;
++ if (crng_init != 0) {
++ spin_unlock_irqrestore(&primary_crng.lock, flags);
++ return 0;
++ }
++ if (len > max)
++ max = len;
++
++ for (i = 0; i < max ; i++) {
++ tmp = lfsr;
++ lfsr >>= 1;
++ if (tmp & 1)
++ lfsr ^= 0xE1;
++ tmp = dest_buf[i % CHACHA20_KEY_SIZE];
++ dest_buf[i % CHACHA20_KEY_SIZE] ^= src_buf[i % len] ^ lfsr;
++ lfsr += (tmp << 3) | (tmp >> 5);
++ }
++ spin_unlock_irqrestore(&primary_crng.lock, flags);
++ return 1;
++}
++
+ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
+ {
+ unsigned long flags;
+@@ -981,10 +1030,8 @@ void add_device_randomness(const void *b
+ unsigned long time = random_get_entropy() ^ jiffies;
+ unsigned long flags;
+
+- if (!crng_ready()) {
+- crng_fast_load(buf, size);
+- return;
+- }
++ if
(!crng_ready() && size)
++ crng_slow_load(buf, size);
+
+ trace_add_device_randomness(size, _RET_IP_);
+ spin_lock_irqsave(&input_pool.lock, flags);
diff --git a/queue-4.14/series b/queue-4.14/series
index bb51b120c32..a120ad0cbd7 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -125,3 +125,26 @@ drm-amdgpu-si-implement-get-set-pcie_lanes-asic-callback.patch
 drm-rockchip-clear-all-interrupts-before-requesting-the-irq.patch
 drm-radeon-add-px-quirk-for-asus-k73tk.patch
 drm-radeon-fix-pcie-lane-width-calculation.patch
+alsa-line6-use-correct-endpoint-type-for-midi-output.patch
+alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
+alsa-hda-new-via-controller-suppor-no-snoop-path.patch
+alsa-hda-realtek-set-pincfg_headset_mic-to-parse_flags.patch
+alsa-hda-realtek-adjust-the-location-of-one-mic.patch
+random-fix-crng_ready-test.patch
+random-use-a-different-mixing-algorithm-for-add_device_randomness.patch
+random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch
+random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch
+random-add-new-ioctl-rndreseedcrng.patch
+hid-input-fix-battery-level-reporting-on-bt-mice.patch
+hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
+hid-wacom-bluetooth-send-exit-report-for-recent-bluetooth-devices.patch
+mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch
+mips-memset.s-eva-fault-support-for-small_memset.patch
+mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
+mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
+powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
+powerpc-xive-fix-trying-to-push-an-already-active-pool-vp.patch
+powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
+udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch
+fanotify-fix-logic-of-events-on-child.patch
+mmc-sdhci-pci-only-do-amd-tuning-for-hs200.patch
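Review bot: crng_slow_load() relies on its caller to reject a zero length: `src_buf[i % len]` divides by zero when len is 0, and the only guard is the `&& size` test added in add_device_randomness() in the last nested hunk. Adding `if (!len) return 0;` at the top of the helper, before the trylock, would keep that precondition next to the division instead of at a distant call site. Separately, `max = len` narrows a size_t into `unsigned`, so declaring `size_t i, max` would avoid depending on callers passing small buffers. add_device_randomness() starts and ends outside the nested hunk, so its other paths are not checked here.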
diff --git a/queue-4.14/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch b/queue-4.14/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch
new file mode 100644
index 00000000000..c324f95d588
--- /dev/null
+++ b/queue-4.14/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch
@@ -0,0 +1,50 @@
+From 44f06ba8297c7e9dfd0e49b40cbe119113cca094 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 12 Apr 2018 17:22:23 +0200
+Subject: udf: Fix leak of UTF-16 surrogates into encoded strings
+
+From: Jan Kara
+
+commit 44f06ba8297c7e9dfd0e49b40cbe119113cca094 upstream.
+
+OSTA UDF specification does not mention whether the CS0 charset in case
+of two bytes per character encoding should be treated in UTF-16 or
+UCS-2. The sample code in the standard does not treat UTF-16 surrogates
+in any special way but on systems such as Windows which work in UTF-16
+internally, filenames would be treated as being in UTF-16 effectively.
+In Linux it is more difficult to handle characters outside of Base
+Multilingual plane (beyond 0xffff) as NLS framework works with 2-byte
+characters only. Just make sure we don't leak UTF-16 surrogates into the
+resulting string when loading names from the filesystem for now.
+
+CC: stable@vger.kernel.org # >= v4.6
+Reported-by: Mingye Wang
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/udf/unicode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -28,6 +28,9 @@
+
+ #include "udf_sb.h"
+
++#define SURROGATE_MASK 0xfffff800
++#define SURROGATE_PAIR 0x0000d800
++
+ static int udf_uni2char_utf8(wchar_t uni,
+ unsigned char *out,
+ int boundlen)
+@@ -37,6 +40,9 @@ static int udf_uni2char_utf8(wchar_t uni
+ if (boundlen <= 0)
+ return -ENAMETOOLONG;
+
++ if ((uni & SURROGATE_MASK) == SURROGATE_PAIR)
++ return -EINVAL;
++
+ if (uni < 0x80) {
+ out[u_len++] = (unsigned char)uni;
+ } else if (uni < 0x800) {
-- 2.47.3
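Review bot: The two macros added in the first nested hunk have no comment, and `SURROGATE_PAIR` is a misleading name: the test `(uni & SURROGATE_MASK) == SURROGATE_PAIR` matches any single code unit in 0xd800..0xdfff, high or low, not a pair. I would add `/* UTF-16 surrogate code units occupy 0xd800..0xdfff; never encode one as UTF-8 */` above the defines and rename the second to something like `SURROGATE_BASE`. How the callers of udf_uni2char_utf8() handle the new -EINVAL return is outside the hunk and worth confirming, since the input is a name read from the filesystem. The function body continues past the end of the hunk.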