--- /dev/null
+From d3a84a8d0dde4e26bc084b36ffcbdc5932ac85e2 Mon Sep 17 00:00:00 2001
+From: Max Staudt <max@enpas.org>
+Date: Thu, 27 Aug 2020 17:49:00 +0200
+Subject: affs: fix basic permission bits to actually work
+
+From: Max Staudt <max@enpas.org>
+
+commit d3a84a8d0dde4e26bc084b36ffcbdc5932ac85e2 upstream.
+
+The basic permission bits (protection bits in AmigaOS) have been broken
+in Linux' AFFS - it would only set bits, but never delete them.
+Also, contrary to the documentation, the Archived bit was not handled.
+
+Let's fix this for good, and set the bits such that Linux and classic
+AmigaOS can coexist in the most peaceful manner.
+
+Also, update the documentation to represent the current state of things.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Staudt <max@enpas.org>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/filesystems/affs.txt | 16 ++++++++++------
+ fs/affs/amigaffs.c | 27 +++++++++++++++++++++++++++
+ fs/affs/file.c | 26 +++++++++++++++++++++++++-
+ 3 files changed, 62 insertions(+), 7 deletions(-)
+
+--- a/Documentation/filesystems/affs.txt
++++ b/Documentation/filesystems/affs.txt
+@@ -93,13 +93,15 @@ The Amiga protection flags RWEDRWEDHSPAR
+
+ - R maps to r for user, group and others. On directories, R implies x.
+
+- - If both W and D are allowed, w will be set.
++ - W maps to w.
+
+ - E maps to x.
+
+- - H and P are always retained and ignored under Linux.
++ - D is ignored.
+
+- - A is always reset when a file is written to.
++ - H, S and P are always retained and ignored under Linux.
++
++ - A is cleared when a file is written to.
+
+ User id and group id will be used unless set[gu]id are given as mount
+ options. Since most of the Amiga file systems are single user systems
+@@ -111,11 +113,13 @@ Linux -> Amiga:
+
+ The Linux rwxrwxrwx file mode is handled as follows:
+
+- - r permission will set R for user, group and others.
++ - r permission will allow R for user, group and others.
++
++ - w permission will allow W for user, group and others.
+
+- - w permission will set W and D for user, group and others.
++ - x permission of the user will allow E for plain files.
+
+- - x permission of the user will set E for plain files.
++ - D will be allowed for user, group and others.
+
+ - All other flags (suid, sgid, ...) are ignored and will
+ not be retained.
+--- a/fs/affs/amigaffs.c
++++ b/fs/affs/amigaffs.c
+@@ -420,24 +420,51 @@ affs_mode_to_prot(struct inode *inode)
+ u32 prot = AFFS_I(inode)->i_protect;
+ umode_t mode = inode->i_mode;
+
++ /*
++ * First, clear all RWED bits for owner, group, other.
++ * Then, recalculate them afresh.
++ *
++ * We'll always clear the delete-inhibit bit for the owner, as that is
++ * the classic single-user mode AmigaOS protection bit and we need to
++ * stay compatible with all scenarios.
++ *
++ * Since multi-user AmigaOS is an extension, we'll only set the
++ * delete-allow bit if any of the other bits in the same user class
++ * (group/other) are used.
++ */
++ prot &= ~(FIBF_NOEXECUTE | FIBF_NOREAD
++ | FIBF_NOWRITE | FIBF_NODELETE
++ | FIBF_GRP_EXECUTE | FIBF_GRP_READ
++ | FIBF_GRP_WRITE | FIBF_GRP_DELETE
++ | FIBF_OTR_EXECUTE | FIBF_OTR_READ
++ | FIBF_OTR_WRITE | FIBF_OTR_DELETE);
++
++ /* Classic single-user AmigaOS flags. These are inverted. */
+ if (!(mode & 0100))
+ prot |= FIBF_NOEXECUTE;
+ if (!(mode & 0400))
+ prot |= FIBF_NOREAD;
+ if (!(mode & 0200))
+ prot |= FIBF_NOWRITE;
++
++ /* Multi-user extended flags. Not inverted. */
+ if (mode & 0010)
+ prot |= FIBF_GRP_EXECUTE;
+ if (mode & 0040)
+ prot |= FIBF_GRP_READ;
+ if (mode & 0020)
+ prot |= FIBF_GRP_WRITE;
++ if (mode & 0070)
++ prot |= FIBF_GRP_DELETE;
++
+ if (mode & 0001)
+ prot |= FIBF_OTR_EXECUTE;
+ if (mode & 0004)
+ prot |= FIBF_OTR_READ;
+ if (mode & 0002)
+ prot |= FIBF_OTR_WRITE;
++ if (mode & 0007)
++ prot |= FIBF_OTR_DELETE;
+
+ AFFS_I(inode)->i_protect = prot;
+ }
+--- a/fs/affs/file.c
++++ b/fs/affs/file.c
+@@ -428,6 +428,24 @@ static int affs_write_begin(struct file
+ return ret;
+ }
+
++static int affs_write_end(struct file *file, struct address_space *mapping,
++ loff_t pos, unsigned int len, unsigned int copied,
++ struct page *page, void *fsdata)
++{
++ struct inode *inode = mapping->host;
++ int ret;
++
++ ret = generic_write_end(file, mapping, pos, len, copied, page, fsdata);
++
++ /* Clear Archived bit on file writes, as AmigaOS would do */
++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) {
++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED;
++ mark_inode_dirty(inode);
++ }
++
++ return ret;
++}
++
+ static sector_t _affs_bmap(struct address_space *mapping, sector_t block)
+ {
+ return generic_block_bmap(mapping,block,affs_get_block);
+@@ -437,7 +455,7 @@ const struct address_space_operations af
+ .readpage = affs_readpage,
+ .writepage = affs_writepage,
+ .write_begin = affs_write_begin,
+- .write_end = generic_write_end,
++ .write_end = affs_write_end,
+ .direct_IO = affs_direct_IO,
+ .bmap = _affs_bmap
+ };
+@@ -794,6 +812,12 @@ done:
+ if (tmp > inode->i_size)
+ inode->i_size = AFFS_I(inode)->mmu_private = tmp;
+
++ /* Clear Archived bit on file writes, as AmigaOS would do */
++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) {
++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED;
++ mark_inode_dirty(inode);
++ }
++
+ err_first_bh:
+ unlock_page(page);
+ put_page(page);
--- /dev/null
+From ee0761d1d8222bcc5c86bf10849dc86cf008557c Mon Sep 17 00:00:00 2001
+From: Tong Zhang <ztong0001@gmail.com>
+Date: Mon, 24 Aug 2020 18:45:41 -0400
+Subject: ALSA: ca0106: fix error code handling
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+commit ee0761d1d8222bcc5c86bf10849dc86cf008557c upstream.
+
+snd_ca0106_spi_write() returns 1 on error, snd_ca0106_pcm_power_dac()
+is returning the error code directly, and the caller is expecting an
+negative error code
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200824224541.1260307-1-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/ca0106/ca0106_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/ca0106/ca0106_main.c
++++ b/sound/pci/ca0106/ca0106_main.c
+@@ -551,7 +551,8 @@ static int snd_ca0106_pcm_power_dac(stru
+ else
+ /* Power down */
+ chip->spi_dac_reg[reg] |= bit;
+- return snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]);
++ if (snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]) != 0)
++ return -ENXIO;
+ }
+ return 0;
+ }
--- /dev/null
+From acd46a6b6de88569654567810acad2b0a0a25cea Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 23 Aug 2020 16:55:45 +0900
+Subject: ALSA: firewire-digi00x: exclude Avid Adrenaline from detection
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit acd46a6b6de88569654567810acad2b0a0a25cea upstream.
+
+Avid Adrenaline is reported that ALSA firewire-digi00x driver is bound to.
+However, as long as he investigated, the design of this model is hardly
+similar to the one of Digi 00x family. It's better to exclude the model
+from modalias of ALSA firewire-digi00x driver.
+
+This commit changes device entries so that the model is excluded.
+
+$ python3 crpp < ~/git/am-config-rom/misc/avid-adrenaline.img
+ ROM header and bus information block
+ -----------------------------------------------------------------
+400 04203a9c bus_info_length 4, crc_length 32, crc 15004
+404 31333934 bus_name "1394"
+408 e064a002 irmc 1, cmc 1, isc 1, bmc 0, cyc_clk_acc 100, max_rec 10 (2048)
+40c 00a07e01 company_id 00a07e |
+410 00085257 device_id 0100085257 | EUI-64 00a07e0100085257
+
+ root directory
+ -----------------------------------------------------------------
+414 0005d08c directory_length 5, crc 53388
+418 0300a07e vendor
+41c 8100000c --> descriptor leaf at 44c
+420 0c008380 node capabilities
+424 8d000002 --> eui-64 leaf at 42c
+428 d1000004 --> unit directory at 438
+
+ eui-64 leaf at 42c
+ -----------------------------------------------------------------
+42c 0002410f leaf_length 2, crc 16655
+430 00a07e01 company_id 00a07e |
+434 00085257 device_id 0100085257 | EUI-64 00a07e0100085257
+
+ unit directory at 438
+ -----------------------------------------------------------------
+438 0004d6c9 directory_length 4, crc 54985
+43c 1200a02d specifier id: 1394 TA
+440 13014001 version: Vender Unique and AV/C
+444 17000001 model
+448 81000009 --> descriptor leaf at 46c
+
+ descriptor leaf at 44c
+ -----------------------------------------------------------------
+44c 00077205 leaf_length 7, crc 29189
+450 00000000 textual descriptor
+454 00000000 minimal ASCII
+458 41766964 "Avid"
+45c 20546563 " Tec"
+460 686e6f6c "hnol"
+464 6f677900 "ogy"
+468 00000000
+
+ descriptor leaf at 46c
+ -----------------------------------------------------------------
+46c 000599a5 leaf_length 5, crc 39333
+470 00000000 textual descriptor
+474 00000000 minimal ASCII
+478 41647265 "Adre"
+47c 6e616c69 "nali"
+480 6e650000 "ne"
+
+Reported-by: Simon Wood <simon@mungewell.org>
+Fixes: 9edf723fd858 ("ALSA: firewire-digi00x: add skeleton for Digi 002/003 family")
+Cc: <stable@vger.kernel.org> # 4.4+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20200823075545.56305-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/digi00x/digi00x.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/firewire/digi00x/digi00x.c
++++ b/sound/firewire/digi00x/digi00x.c
+@@ -15,6 +15,7 @@ MODULE_LICENSE("GPL v2");
+ #define VENDOR_DIGIDESIGN 0x00a07e
+ #define MODEL_CONSOLE 0x000001
+ #define MODEL_RACK 0x000002
++#define SPEC_VERSION 0x000001
+
+ static int name_card(struct snd_dg00x *dg00x)
+ {
+@@ -185,14 +186,18 @@ static const struct ieee1394_device_id s
+ /* Both of 002/003 use the same ID. */
+ {
+ .match_flags = IEEE1394_MATCH_VENDOR_ID |
++ IEEE1394_MATCH_VERSION |
+ IEEE1394_MATCH_MODEL_ID,
+ .vendor_id = VENDOR_DIGIDESIGN,
++ .version = SPEC_VERSION,
+ .model_id = MODEL_CONSOLE,
+ },
+ {
+ .match_flags = IEEE1394_MATCH_VENDOR_ID |
++ IEEE1394_MATCH_VERSION |
+ IEEE1394_MATCH_MODEL_ID,
+ .vendor_id = VENDOR_DIGIDESIGN,
++ .version = SPEC_VERSION,
+ .model_id = MODEL_RACK,
+ },
+ {}
--- /dev/null
+From 15cbff3fbbc631952c346744f862fb294504b5e2 Mon Sep 17 00:00:00 2001
+From: Dan Crawford <dnlcrwfrd@gmail.com>
+Date: Sat, 29 Aug 2020 12:49:46 +1000
+Subject: ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO
+
+From: Dan Crawford <dnlcrwfrd@gmail.com>
+
+commit 15cbff3fbbc631952c346744f862fb294504b5e2 upstream.
+
+Following Christian Lachner's patch for Gigabyte X570-based motherboards,
+also patch the MSI X570-A PRO motherboard; the ALC1220 codec requires the
+same workaround for Clevo laptops to enforce the DAC/mixer connection
+path. Set up a quirk entry for that.
+
+I suspect most if all X570 motherboards will require similar patches.
+
+[ The entries reordered in the SSID order -- tiwai ]
+
+Related buglink: https://bugzilla.kernel.org/show_bug.cgi?id=205275
+Signed-off-by: Dan Crawford <dnlcrwfrd@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200829024946.5691-1-dnlcrwfrd@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2452,6 +2452,7 @@ static const struct snd_pci_quirk alc882
+ SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),
++ SND_PCI_QUIRK(0x1462, 0x9c37, "MSI X570-A PRO", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS),
+ SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3),
+ SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX),
--- /dev/null
+From 858e0ad9301d1270c02b5aca97537d2d6ee9dd68 Mon Sep 17 00:00:00 2001
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Date: Wed, 26 Aug 2020 20:03:06 +0300
+Subject: ALSA: hda/hdmi: always check pin power status in i915 pin fixup
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+commit 858e0ad9301d1270c02b5aca97537d2d6ee9dd68 upstream.
+
+When system is suspended with active audio playback to HDMI/DP, two
+alternative sequences can happen at resume:
+ a) monitor is detected first and ALSA prepare follows normal
+ stream setup sequence, or
+ b) ALSA prepare is called first, but monitor is not yet detected,
+ so PCM is restarted without a pin,
+
+In case of (b), on i915 systems, haswell_verify_D0() is not called at
+resume and the pin power state may be incorrect. Result is lack of audio
+after resume with no error reported back to user-space.
+
+Fix the problem by always verifying converter and pin state in the
+i915_pin_cvt_fixup().
+
+BugLink: https://github.com/thesofproject/linux/issues/2388
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200826170306.701566-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_hdmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2574,6 +2574,7 @@ static void i915_pin_cvt_fixup(struct hd
+ hda_nid_t cvt_nid)
+ {
+ if (per_pin) {
++ haswell_verify_D0(codec, per_pin->cvt_nid, per_pin->pin_nid);
+ snd_hda_set_dev_select(codec, per_pin->pin_nid,
+ per_pin->dev_id);
+ intel_verify_pin_cvt_connect(codec, per_pin);
--- /dev/null
+From 949a1ebe8cea7b342085cb6a4946b498306b9493 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 1 Sep 2020 15:18:02 +0200
+Subject: ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 949a1ebe8cea7b342085cb6a4946b498306b9493 upstream.
+
+The PCM OSS mulaw plugin has a check of the format of the counter part
+whether it's a linear format. The check is with snd_BUG_ON() that
+emits WARN_ON() when the debug config is set, and it confuses
+syzkaller as if it were a serious issue. Let's drop snd_BUG_ON() for
+avoiding that.
+
+While we're at it, correct the error code to a more suitable, EINVAL.
+
+Reported-by: syzbot+23b22dc2e0b81cbfcc95@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200901131802.18157-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/mulaw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/mulaw.c
++++ b/sound/core/oss/mulaw.c
+@@ -329,8 +329,8 @@ int snd_pcm_plugin_build_mulaw(struct sn
+ snd_BUG();
+ return -EINVAL;
+ }
+- if (snd_BUG_ON(!snd_pcm_format_linear(format->format)))
+- return -ENXIO;
++ if (!snd_pcm_format_linear(format->format))
++ return -EINVAL;
+
+ err = snd_pcm_plugin_build(plug, "Mu-Law<->linear conversion",
+ src_format, dst_format,
--- /dev/null
+From 7e24969022cbd61ddc586f14824fc205661bb124 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 17 Aug 2020 18:00:55 +0800
+Subject: block: allow for_each_bvec to support zero len bvec
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 7e24969022cbd61ddc586f14824fc205661bb124 upstream.
+
+Block layer usually doesn't support or allow zero-length bvec. Since
+commit 1bdc76aea115 ("iov_iter: use bvec iterator to implement
+iterate_bvec()"), iterate_bvec() switches to bvec iterator. However,
+Al mentioned that 'Zero-length segments are not disallowed' in iov_iter.
+
+Fixes for_each_bvec() so that it can move on after seeing one zero
+length bvec.
+
+Fixes: 1bdc76aea115 ("iov_iter: use bvec iterator to implement iterate_bvec()")
+Reported-by: syzbot <syzbot+61acc40a49a3e46e25ea@syzkaller.appspotmail.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: <stable@vger.kernel.org>
+Link: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2262077.html
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/bvec.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/include/linux/bvec.h
++++ b/include/linux/bvec.h
+@@ -119,11 +119,18 @@ static inline bool bvec_iter_rewind(cons
+ return true;
+ }
+
++static inline void bvec_iter_skip_zero_bvec(struct bvec_iter *iter)
++{
++ iter->bi_bvec_done = 0;
++ iter->bi_idx++;
++}
++
+ #define for_each_bvec(bvl, bio_vec, iter, start) \
+ for (iter = (start); \
+ (iter).bi_size && \
+ ((bvl = bvec_iter_bvec((bio_vec), (iter))), 1); \
+- bvec_iter_advance((bio_vec), &(iter), (bvl).bv_len))
++ (bvl).bv_len ? (void)bvec_iter_advance((bio_vec), &(iter), \
++ (bvl).bv_len) : bvec_iter_skip_zero_bvec(&(iter)))
+
+ /* for iterating one bio from start to end */
+ #define BVEC_ITER_ALL_INIT (struct bvec_iter) \
--- /dev/null
+From d16ff19e69ab57e08bf908faaacbceaf660249de Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Tue, 1 Sep 2020 14:25:42 +0800
+Subject: dm cache metadata: Avoid returning cmd->bm wild pointer on error
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit d16ff19e69ab57e08bf908faaacbceaf660249de upstream.
+
+Maybe __create_persistent_data_objects() caller will use PTR_ERR as a
+pointer, it will lead to some strange things.
+
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-cache-metadata.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-cache-metadata.c
++++ b/drivers/md/dm-cache-metadata.c
+@@ -537,12 +537,16 @@ static int __create_persistent_data_obje
+ CACHE_MAX_CONCURRENT_LOCKS);
+ if (IS_ERR(cmd->bm)) {
+ DMERR("could not create block manager");
+- return PTR_ERR(cmd->bm);
++ r = PTR_ERR(cmd->bm);
++ cmd->bm = NULL;
++ return r;
+ }
+
+ r = __open_or_format_metadata(cmd, may_format_device);
+- if (r)
++ if (r) {
+ dm_block_manager_destroy(cmd->bm);
++ cmd->bm = NULL;
++ }
+
+ return r;
+ }
--- /dev/null
+From 219403d7e56f9b716ad80ab87db85d29547ee73e Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Tue, 1 Sep 2020 14:25:43 +0800
+Subject: dm thin metadata: Avoid returning cmd->bm wild pointer on error
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit 219403d7e56f9b716ad80ab87db85d29547ee73e upstream.
+
+Maybe __create_persistent_data_objects() caller will use PTR_ERR as a
+pointer, it will lead to some strange things.
+
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin-metadata.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -698,12 +698,16 @@ static int __create_persistent_data_obje
+ THIN_MAX_CONCURRENT_LOCKS);
+ if (IS_ERR(pmd->bm)) {
+ DMERR("could not create block manager");
+- return PTR_ERR(pmd->bm);
++ r = PTR_ERR(pmd->bm);
++ pmd->bm = NULL;
++ return r;
+ }
+
+ r = __open_or_format_metadata(pmd, format_device);
+- if (r)
++ if (r) {
+ dm_block_manager_destroy(pmd->bm);
++ pmd->bm = NULL;
++ }
+
+ return r;
+ }
--- /dev/null
+From f9e040efcc28309e5c592f7e79085a9a52e31f58 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 24 Aug 2020 11:09:47 -0400
+Subject: dm writecache: handle DAX to partitions on persistent memory correctly
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit f9e040efcc28309e5c592f7e79085a9a52e31f58 upstream.
+
+The function dax_direct_access doesn't take partitions into account,
+it always maps pages from the beginning of the device. Therefore,
+persistent_memory_claim() must get the partition offset using
+get_start_sect() and add it to the page offsets passed to
+dax_direct_access().
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # 4.18+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-writecache.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -226,6 +226,7 @@ static int persistent_memory_claim(struc
+ pfn_t pfn;
+ int id;
+ struct page **pages;
++ sector_t offset;
+
+ wc->memory_vmapped = false;
+
+@@ -244,9 +245,16 @@ static int persistent_memory_claim(struc
+ goto err1;
+ }
+
++ offset = get_start_sect(wc->ssd_dev->bdev);
++ if (offset & (PAGE_SIZE / 512 - 1)) {
++ r = -EINVAL;
++ goto err1;
++ }
++ offset >>= PAGE_SHIFT - 9;
++
+ id = dax_read_lock();
+
+- da = dax_direct_access(wc->ssd_dev->dax_dev, 0, p, &wc->memory_map, &pfn);
++ da = dax_direct_access(wc->ssd_dev->dax_dev, offset, p, &wc->memory_map, &pfn);
+ if (da < 0) {
+ wc->memory_map = NULL;
+ r = da;
+@@ -268,7 +276,7 @@ static int persistent_memory_claim(struc
+ i = 0;
+ do {
+ long daa;
+- daa = dax_direct_access(wc->ssd_dev->dax_dev, i, p - i,
++ daa = dax_direct_access(wc->ssd_dev->dax_dev, offset + i, p - i,
+ NULL, &pfn);
+ if (daa <= 0) {
+ r = daa ? daa : -EINVAL;
--- /dev/null
+From 3b5455636fe26ea21b4189d135a424a6da016418 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 2 Sep 2020 12:32:45 -0400
+Subject: libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 3b5455636fe26ea21b4189d135a424a6da016418 upstream.
+
+All three generations of Sandisk SSDs lock up hard intermittently.
+Experiments showed that disabling NCQ lowered the failure rate significantly
+and the kernel has been disabling NCQ for some models of SD7's and 8's,
+which is obviously undesirable.
+
+Karthik worked with Sandisk to root cause the hard lockups to trim commands
+larger than 128M. This patch implements ATA_HORKAGE_MAX_TRIM_128M which
+limits max trim size to 128M and applies it to all three generations of
+Sandisk SSDs.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Karthik Shivaram <karthikgs@fb.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 5 ++---
+ drivers/ata/libata-scsi.c | 8 +++++++-
+ include/linux/libata.h | 1 +
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4492,9 +4492,8 @@ static const struct ata_blacklist_entry
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */
+ { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, },
+
+- /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on
+- SD7SN6S256G and SD8SN8U256G */
+- { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, },
++ /* Sandisk SD7/8/9s lock up hard on large trims */
++ { "SanDisk SD[789]*", NULL, ATA_HORKAGE_MAX_TRIM_128M, },
+
+ /* devices which puke on READ_NATIVE_MAX */
+ { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, },
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -2391,6 +2391,7 @@ static unsigned int ata_scsiop_inq_89(st
+
+ static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf)
+ {
++ struct ata_device *dev = args->dev;
+ u16 min_io_sectors;
+
+ rbuf[1] = 0xb0;
+@@ -2416,7 +2417,12 @@ static unsigned int ata_scsiop_inq_b0(st
+ * with the unmap bit set.
+ */
+ if (ata_id_has_trim(args->id)) {
+- put_unaligned_be64(65535 * ATA_MAX_TRIM_RNUM, &rbuf[36]);
++ u64 max_blocks = 65535 * ATA_MAX_TRIM_RNUM;
++
++ if (dev->horkage & ATA_HORKAGE_MAX_TRIM_128M)
++ max_blocks = 128 << (20 - SECTOR_SHIFT);
++
++ put_unaligned_be64(max_blocks, &rbuf[36]);
+ put_unaligned_be32(1, &rbuf[28]);
+ }
+
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -439,6 +439,7 @@ enum {
+ ATA_HORKAGE_NO_DMA_LOG = (1 << 23), /* don't use DMA for log read */
+ ATA_HORKAGE_NOTRIM = (1 << 24), /* don't use TRIM */
+ ATA_HORKAGE_MAX_SEC_1024 = (1 << 25), /* Limit max sects to 1024 */
++ ATA_HORKAGE_MAX_TRIM_128M = (1 << 26), /* Limit max trim size to 128M */
+
+ /* DMA mask for user DMA control: User visible values; DO NOT
+ renumber */
--- /dev/null
+From a2e2d73fa28136598e84db9d021091f1b98cbb1a Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sat, 8 Aug 2020 13:38:02 +0200
+Subject: media: rc: do not access device via sysfs after rc_unregister_device()
+
+From: Sean Young <sean@mess.org>
+
+commit a2e2d73fa28136598e84db9d021091f1b98cbb1a upstream.
+
+Device drivers do not expect to have change_protocol or wakeup
+re-programming to be accesed after rc_unregister_device(). This can
+cause the device driver to access deallocated resources.
+
+Cc: <stable@vger.kernel.org> # 4.16+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/rc-main.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1245,6 +1245,10 @@ static ssize_t store_protocols(struct de
+ }
+
+ mutex_lock(&dev->lock);
++ if (!dev->registered) {
++ mutex_unlock(&dev->lock);
++ return -ENODEV;
++ }
+
+ old_protocols = *current_protocols;
+ new_protocols = old_protocols;
+@@ -1383,6 +1387,10 @@ static ssize_t store_filter(struct devic
+ return -EINVAL;
+
+ mutex_lock(&dev->lock);
++ if (!dev->registered) {
++ mutex_unlock(&dev->lock);
++ return -ENODEV;
++ }
+
+ new_filter = *filter;
+ if (fattr->mask)
+@@ -1497,6 +1505,10 @@ static ssize_t store_wakeup_protocols(st
+ int i;
+
+ mutex_lock(&dev->lock);
++ if (!dev->registered) {
++ mutex_unlock(&dev->lock);
++ return -ENODEV;
++ }
+
+ allowed = dev->allowed_wakeup_protocols;
+
--- /dev/null
+From 4f0835d6677dc69263f90f976524cb92b257d9f4 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sat, 8 Aug 2020 13:19:12 +0200
+Subject: media: rc: uevent sysfs file races with rc_unregister_device()
+
+From: Sean Young <sean@mess.org>
+
+commit 4f0835d6677dc69263f90f976524cb92b257d9f4 upstream.
+
+Only report uevent file contents if device still registered, else we
+might read freed memory.
+
+Reported-by: syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: <stable@vger.kernel.org> # 4.16+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/rc-main.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1568,25 +1568,25 @@ static void rc_dev_release(struct device
+ kfree(dev);
+ }
+
+-#define ADD_HOTPLUG_VAR(fmt, val...) \
+- do { \
+- int err = add_uevent_var(env, fmt, val); \
+- if (err) \
+- return err; \
+- } while (0)
+-
+ static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env)
+ {
+ struct rc_dev *dev = to_rc_dev(device);
++ int ret = 0;
+
+- if (dev->rc_map.name)
+- ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name);
+- if (dev->driver_name)
+- ADD_HOTPLUG_VAR("DRV_NAME=%s", dev->driver_name);
+- if (dev->device_name)
+- ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name);
++ mutex_lock(&dev->lock);
+
+- return 0;
++ if (!dev->registered)
++ ret = -ENODEV;
++ if (ret == 0 && dev->rc_map.name)
++ ret = add_uevent_var(env, "NAME=%s", dev->rc_map.name);
++ if (ret == 0 && dev->driver_name)
++ ret = add_uevent_var(env, "DRV_NAME=%s", dev->driver_name);
++ if (ret == 0 && dev->device_name)
++ ret = add_uevent_var(env, "DEV_NAME=%s", dev->device_name);
++
++ mutex_unlock(&dev->lock);
++
++ return ret;
+ }
+
+ /*
+@@ -1970,14 +1970,14 @@ void rc_unregister_device(struct rc_dev
+ del_timer_sync(&dev->timer_keyup);
+ del_timer_sync(&dev->timer_repeat);
+
+- rc_free_rx_device(dev);
+-
+ mutex_lock(&dev->lock);
+ if (dev->users && dev->close)
+ dev->close(dev);
+ dev->registered = false;
+ mutex_unlock(&dev->lock);
+
++ rc_free_rx_device(dev);
++
+ /*
+ * lirc device should be freed with dev->registered = false, so
+ * that userspace polling will get notified.
--- /dev/null
+From dc07a728d49cf025f5da2c31add438d839d076c0 Mon Sep 17 00:00:00 2001
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+Date: Fri, 4 Sep 2020 16:35:30 -0700
+Subject: mm: slub: fix conversion of freelist_corrupted()
+
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+
+commit dc07a728d49cf025f5da2c31add438d839d076c0 upstream.
+
+Commit 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in
+deactivate_slab()") suffered an update when picked up from LKML [1].
+
+Specifically, relocating 'freelist = NULL' into 'freelist_corrupted()'
+created a no-op statement. Fix it by sticking to the behavior intended
+in the original patch [1]. In addition, make freelist_corrupted()
+immune to passing NULL instead of &freelist.
+
+The issue has been spotted via static analysis and code review.
+
+[1] https://lore.kernel.org/linux-mm/20200331031450.12182-1-dongli.zhang@oracle.com/
+
+Fixes: 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in deactivate_slab()")
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dongli Zhang <dongli.zhang@oracle.com>
+Cc: Joe Jin <joe.jin@oracle.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20200824130643.10291-1-erosca@de.adit-jv.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -646,12 +646,12 @@ static void slab_fix(struct kmem_cache *
+ }
+
+ static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
+- void *freelist, void *nextfree)
++ void **freelist, void *nextfree)
+ {
+ if ((s->flags & SLAB_CONSISTENCY_CHECKS) &&
+- !check_valid_pointer(s, page, nextfree)) {
+- object_err(s, page, freelist, "Freechain corrupt");
+- freelist = NULL;
++ !check_valid_pointer(s, page, nextfree) && freelist) {
++ object_err(s, page, *freelist, "Freechain corrupt");
++ *freelist = NULL;
+ slab_fix(s, "Isolate corrupted freechain");
+ return true;
+ }
+@@ -1343,7 +1343,7 @@ static inline void dec_slabs_node(struct
+ int objects) {}
+
+ static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
+- void *freelist, void *nextfree)
++ void **freelist, void *nextfree)
+ {
+ return false;
+ }
+@@ -2037,7 +2037,7 @@ static void deactivate_slab(struct kmem_
+ * 'freelist' is already corrupted. So isolate all objects
+ * starting at 'freelist'.
+ */
+- if (freelist_corrupted(s, page, freelist, nextfree))
++ if (freelist_corrupted(s, page, &freelist, nextfree))
+ break;
+
+ do {
btrfs-fix-potential-deadlock-in-the-search-ioctl.patch
net-usb-qmi_wwan-add-telit-0x1050-composition.patch
usb-qmi_wwan-add-d-link-dwm-222-a2-device-id.patch
+alsa-ca0106-fix-error-code-handling.patch
+alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch
+alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch
+alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch
+alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch
+media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch
+media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch
+affs-fix-basic-permission-bits-to-actually-work.patch
+block-allow-for_each_bvec-to-support-zero-len-bvec.patch
+libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch
+dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch
+dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch
+dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch
+mm-slub-fix-conversion-of-freelist_corrupted.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
