--- /dev/null
+From 3b7bc4cbd0ec0202441f22b8aeead5599d0fd955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2019 16:12:24 +0100
+Subject: ALSA: hda - Downgrade error message for single-cmd fallback
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 475feec0c41ad71cb7d02f0310e56256606b57c5 ]
+
+We made the error message for the CORB/RIRB communication clearer by
+upgrading to dev_WARN() so that user can notice better. But this
+struck us like a boomerang: now it caught syzbot and reported back as
+a fatal issue although it's not really any too serious bug that worth
+for stopping the whole system.
+
+OK, OK, let's be softy, downgrade it to the standard dev_err() again.
+
+Fixes: dd65f7e19c69 ("ALSA: hda - Show the fatal CORB/RIRB error more clearly")
+Reported-by: syzbot+b3028ac3933f5c466389@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20191216151224.30013-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_controller.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
+index 8fcb421193e0..fa261b27d858 100644
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -883,7 +883,7 @@ static int azx_rirb_get_response(struct hdac_bus *bus, unsigned int addr,
+ return -EAGAIN; /* give a chance to retry */
+ }
+
+- dev_WARN(chip->card->dev,
++ dev_err(chip->card->dev,
+ "azx_get_response timeout, switching to single_cmd mode: last cmd=0x%08x\n",
+ bus->last_cmd[addr]);
+ chip->single_cmd = 1;
+--
+2.20.1
+
--- /dev/null
+From e99b858d9605ff5c590fc360ba029fe106779800 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 15:44:55 -0800
+Subject: bonding: fix active-backup transition after link failure
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit 5d485ed88d48f8101a2067348e267c0aaf4ed486 ]
+
+After the recent fix in commit 1899bb325149 ("bonding: fix state
+transition issue in link monitoring"), the active-backup mode with
+miimon initially come-up fine but after a link-failure, both members
+transition into backup state.
+
+Following steps to reproduce the scenario (eth1 and eth2 are the
+slaves of the bond):
+
+ ip link set eth1 up
+ ip link set eth2 down
+ sleep 1
+ ip link set eth2 up
+ ip link set eth1 down
+ cat /sys/class/net/eth1/bonding_slave/state
+ cat /sys/class/net/eth2/bonding_slave/state
+
+Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring")
+CC: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 5f6602cb191f..fef599eb822b 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2186,9 +2186,6 @@ static void bond_miimon_commit(struct bonding *bond)
+ } else if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
+ /* make it immediately active */
+ bond_set_active_slave(slave);
+- } else if (slave != primary) {
+- /* prevent it from being the active one */
+- bond_set_backup_slave(slave);
+ }
+
+ netdev_info(bond->dev, "link status definitely up for interface %s, %u Mbps %s duplex\n",
+--
+2.20.1
+
--- /dev/null
+From 4e33ab9e5cf63023e13c59e48ea501790481c17c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 12:18:21 +0300
+Subject: net, sysctl: Fix compiler warning when only cBPF is present
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexander Lobakin <alobakin@dlink.ru>
+
+[ Upstream commit 1148f9adbe71415836a18a36c1b4ece999ab0973 ]
+
+proc_dointvec_minmax_bpf_restricted() has been firstly introduced
+in commit 2e4a30983b0f ("bpf: restrict access to core bpf sysctls")
+under CONFIG_HAVE_EBPF_JIT. Then, this ifdef has been removed in
+ede95a63b5e8 ("bpf: add bpf_jit_limit knob to restrict unpriv
+allocations"), because a new sysctl, bpf_jit_limit, made use of it.
+Finally, this parameter has become long instead of integer with
+fdadd04931c2 ("bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K")
+and thus, a new proc_dolongvec_minmax_bpf_restricted() has been
+added.
+
+With this last change, we got back to that
+proc_dointvec_minmax_bpf_restricted() is used only under
+CONFIG_HAVE_EBPF_JIT, but the corresponding ifdef has not been
+brought back.
+
+So, in configurations like CONFIG_BPF_JIT=y && CONFIG_HAVE_EBPF_JIT=n
+since v4.20 we have:
+
+ CC net/core/sysctl_net_core.o
+net/core/sysctl_net_core.c:292:1: warning: ‘proc_dointvec_minmax_bpf_restricted’ defined but not used [-Wunused-function]
+ 292 | proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Suppress this by guarding it with CONFIG_HAVE_EBPF_JIT again.
+
+Fixes: fdadd04931c2 ("bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K")
+Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20191218091821.7080-1-alobakin@dlink.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sysctl_net_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
+index 144cd1acd7e3..069e3c4fcc44 100644
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -274,6 +274,7 @@ static int proc_dointvec_minmax_bpf_enable(struct ctl_table *table, int write,
+ return ret;
+ }
+
++# ifdef CONFIG_HAVE_EBPF_JIT
+ static int
+ proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+@@ -284,6 +285,7 @@ proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
++# endif /* CONFIG_HAVE_EBPF_JIT */
+
+ static int
+ proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write,
+--
+2.20.1
+
--- /dev/null
+From ccf3b83c96d067206cca0dd12c52309cca376b9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 19:54:30 +0100
+Subject: netfilter: nf_queue: enqueue skbs with NULL dst
+
+From: Marco Oliverio <marco.oliverio@tanaza.com>
+
+[ Upstream commit 0b9173f4688dfa7c5d723426be1d979c24ce3d51 ]
+
+Bridge packets that are forwarded have skb->dst == NULL and get
+dropped by the check introduced by
+b60a77386b1d4868f72f6353d35dabe5fbe981f2 (net: make skb_dst_force
+return true when dst is refcounted).
+
+To fix this we check skb_dst() before skb_dst_force(), so we don't
+drop skb packet with dst == NULL. This holds also for skb at the
+PRE_ROUTING hook so we remove the second check.
+
+Fixes: b60a77386b1d ("net: make skb_dst_force return true when dst is refcounted")
+Signed-off-by: Marco Oliverio <marco.oliverio@tanaza.com>
+Signed-off-by: Rocco Folino <rocco.folino@tanaza.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
+index 37efcc1c8887..b06ef4c62522 100644
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -138,7 +138,7 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
+ goto err;
+ }
+
+- if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) {
++ if (skb_dst(skb) && !skb_dst_force(skb)) {
+ status = -ENETDOWN;
+ goto err;
+ }
+--
+2.20.1
+
ocfs2-fix-passing-zero-to-ptr_err-warning.patch
kernel-sysctl-make-drop_caches-write-only.patch
userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch
+x86-mce-fix-possibly-incorrect-severity-calculation-.patch
+net-sysctl-fix-compiler-warning-when-only-cbpf-is-pr.patch
+netfilter-nf_queue-enqueue-skbs-with-null-dst.patch
+alsa-hda-downgrade-error-message-for-single-cmd-fall.patch
+bonding-fix-active-backup-transition-after-link-fail.patch
--- /dev/null
+From ef211f780ffd95ace7f42297f77d04f2710a51f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 01:07:30 +0100
+Subject: x86/mce: Fix possibly incorrect severity calculation on AMD
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jan H. Schönherr <jschoenh@amazon.de>
+
+[ Upstream commit a3a57ddad061acc90bef39635caf2b2330ce8f21 ]
+
+The function mce_severity_amd_smca() requires m->bank to be initialized
+for correct operation. Fix the one case, where mce_severity() is called
+without doing so.
+
+Fixes: 6bda529ec42e ("x86/mce: Grade uncorrected errors for SMCA-enabled systems")
+Fixes: d28af26faa0b ("x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out()")
+Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: <stable@vger.kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Cc: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Link: https://lkml.kernel.org/r/20191210000733.17979-4-jschoenh@amazon.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
+index c7bd2e549a6a..0b0e44f85393 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -802,8 +802,8 @@ static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp,
+ if (quirk_no_way_out)
+ quirk_no_way_out(i, m, regs);
+
++ m->bank = i;
+ if (mce_severity(m, mca_cfg.tolerant, &tmp, true) >= MCE_PANIC_SEVERITY) {
+- m->bank = i;
+ mce_read_aux(m, i);
+ *msg = tmp;
+ return 1;
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
