--- /dev/null
+From ef4d764c99f792b725d4754a3628830f094f5c58 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 13 Jan 2021 02:11:25 +0800
+Subject: ASoC: SOF: Intel: hda: Avoid checking jack on system suspend
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit ef4d764c99f792b725d4754a3628830f094f5c58 upstream.
+
+System takes a very long time to suspend after commit 215a22ed31a1
+("ALSA: hda: Refactor codec PM to use direct-complete optimization"):
+[ 90.065964] PM: suspend entry (s2idle)
+[ 90.067337] Filesystems sync: 0.001 seconds
+[ 90.185758] Freezing user space processes ... (elapsed 0.002 seconds) done.
+[ 90.188713] OOM killer disabled.
+[ 90.188714] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
+[ 90.190024] printk: Suspending console(s) (use no_console_suspend to debug)
+[ 90.904912] intel_pch_thermal 0000:00:12.0: CPU-PCH is cool [49C], continue to suspend
+[ 321.262505] snd_hda_codec_realtek ehdaudio0D0: Unable to sync register 0x2b8000. -5
+[ 328.426919] snd_hda_codec_realtek ehdaudio0D0: Unable to sync register 0x2b8000. -5
+[ 329.490933] ACPI: EC: interrupt blocked
+
+That commit keeps the codec suspended during the system suspend. However,
+mute/micmute LED will clear codec's direct-complete flag by
+dpm_clear_superiors_direct_complete().
+
+This doesn't play well with SOF driver. When its runtime resume is
+called for system suspend, hda_codec_jack_check() schedules
+jackpoll_work which uses snd_hdac_is_power_on() to check whether codec
+is suspended. Because the direct-complete path isn't taken,
+pm_runtime_disable() isn't called so snd_hdac_is_power_on() returns
+false and jackpoll continues to run, and snd_hda_power_up_pm() cannot
+power up an already suspended codec in multiple attempts, causes the
+long delay on system suspend:
+
+if (dev->power.direct_complete) {
+ if (pm_runtime_status_suspended(dev)) {
+ pm_runtime_disable(dev);
+ if (pm_runtime_status_suspended(dev)) {
+ pm_dev_dbg(dev, state, "direct-complete ");
+ goto Complete;
+ }
+
+ pm_runtime_enable(dev);
+ }
+ dev->power.direct_complete = false;
+}
+
+When direct-complete path is taken, snd_hdac_is_power_on() returns true
+and hda_jackpoll_work() is skipped by accident. So this is still not
+correct.
+
+If we were to use snd_hdac_is_power_on() in system PM path,
+pm_runtime_status_suspended() should be used instead of
+pm_runtime_suspended(), otherwise pm_runtime_{enable,disable}() may
+change the outcome of snd_hdac_is_power_on().
+
+Because devices suspend in reverse order (i.e. child first), it doesn't
+make much sense to resume an already suspended codec from audio
+controller. So avoid the issue by making sure jackpoll isn't used in
+system PM process.
+
+Fixes: 215a22ed31a1 ("ALSA: hda: Refactor codec PM to use direct-complete optimization")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20210112181128.1229827-3-kai.heng.feng@canonical.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/intel/hda-dsp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/sof/intel/hda-dsp.c
++++ b/sound/soc/sof/intel/hda-dsp.c
+@@ -683,8 +683,10 @@ static int hda_resume(struct snd_sof_dev
+
+ #if IS_ENABLED(CONFIG_SND_SOC_SOF_HDA)
+ /* check jack status */
+- if (runtime_resume)
+- hda_codec_jack_check(sdev);
++ if (runtime_resume) {
++ if (sdev->system_suspend_target == SOF_SUSPEND_NONE)
++ hda_codec_jack_check(sdev);
++ }
+
+ /* turn off the links that were off before suspend */
+ list_for_each_entry(hlink, &bus->hlink_list, list) {
--- /dev/null
+From 1a9c72ad4c26821e215a396167c14959cf24a7f1 Mon Sep 17 00:00:00 2001
+From: KP Singh <kpsingh@kernel.org>
+Date: Tue, 12 Jan 2021 07:55:24 +0000
+Subject: bpf: Local storage helpers should check nullness of owner ptr passed
+
+From: KP Singh <kpsingh@kernel.org>
+
+commit 1a9c72ad4c26821e215a396167c14959cf24a7f1 upstream.
+
+The verifier allows ARG_PTR_TO_BTF_ID helper arguments to be NULL, so
+helper implementations need to check this before dereferencing them.
+This was already fixed for the socket storage helpers but not for task
+and inode.
+
+The issue can be reproduced by attaching an LSM program to
+inode_rename hook (called when moving files) which tries to get the
+inode of the new file without checking for its nullness and then trying
+to move an existing file to a new path:
+
+ mv existing_file new_file_does_not_exist
+
+The report including the sample program and the steps for reproducing
+the bug:
+
+ https://lore.kernel.org/bpf/CANaYP3HWkH91SN=wTNO9FL_2ztHfqcXKX38SSE-JJ2voh+vssw@mail.gmail.com
+
+Fixes: 4cf1bc1f1045 ("bpf: Implement task local storage")
+Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
+Reported-by: Gilad Reti <gilad.reti@gmail.com>
+Signed-off-by: KP Singh <kpsingh@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210112075525.256820-3-kpsingh@kernel.org
+[ just take 1/2 of this patch for 5.10.y - gregkh ]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/bpf_inode_storage.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/bpf/bpf_inode_storage.c
++++ b/kernel/bpf/bpf_inode_storage.c
+@@ -176,7 +176,7 @@ BPF_CALL_4(bpf_inode_storage_get, struct
+ * bpf_local_storage_update expects the owner to have a
+ * valid storage pointer.
+ */
+- if (!inode_storage_ptr(inode))
++ if (!inode || !inode_storage_ptr(inode))
+ return (unsigned long)NULL;
+
+ sdata = inode_storage_lookup(inode, map, true);
+@@ -200,6 +200,9 @@ BPF_CALL_4(bpf_inode_storage_get, struct
+ BPF_CALL_2(bpf_inode_storage_delete,
+ struct bpf_map *, map, struct inode *, inode)
+ {
++ if (!inode)
++ return -EINVAL;
++
+ /* This helper must only called from where the inode is gurranteed
+ * to have a refcount and cannot be freed.
+ */
--- /dev/null
+From 8662e1119a7d1baa1b2001689b2923e9050754bd Mon Sep 17 00:00:00 2001
+From: Anshuman Gupta <anshuman.gupta@intel.com>
+Date: Mon, 11 Jan 2021 13:41:03 +0530
+Subject: drm/i915/hdcp: Get conn while content_type changed
+
+From: Anshuman Gupta <anshuman.gupta@intel.com>
+
+commit 8662e1119a7d1baa1b2001689b2923e9050754bd upstream.
+
+Get DRM connector reference count while scheduling a prop work
+to avoid any possible destroy of DRM connector when it is in
+DRM_CONNECTOR_REGISTERED state.
+
+Fixes: a6597faa2d59 ("drm/i915: Protect workers against disappearing connectors")
+Cc: Sean Paul <seanpaul@chromium.org>
+Cc: Ramalingam C <ramalingam.c@intel.com>
+Reviewed-by: Uma Shankar <uma.shankar@intel.com>
+Reviewed-by: Ramalingam C <ramalingam.c@intel.com>
+Tested-by: Karthik B S <karthik.b.s@intel.com>
+Signed-off-by: Anshuman Gupta <anshuman.gupta@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210111081120.28417-3-anshuman.gupta@intel.com
+(cherry picked from commit b3c6661aad979ec3d4f5675cf3e6a35828607d6a)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_hdcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_hdcp.c
++++ b/drivers/gpu/drm/i915/display/intel_hdcp.c
+@@ -2187,6 +2187,7 @@ void intel_hdcp_update_pipe(struct intel
+ if (content_protection_type_changed) {
+ mutex_lock(&hdcp->mutex);
+ hdcp->value = DRM_MODE_CONTENT_PROTECTION_DESIRED;
++ drm_connector_get(&connector->base);
+ schedule_work(&hdcp->prop_work);
+ mutex_unlock(&hdcp->mutex);
+ }
--- /dev/null
+From 67288f74d4837b82ef937170da3389b0779c17be Mon Sep 17 00:00:00 2001
+From: Martin Kepplinger <martink@posteo.de>
+Date: Mon, 28 Dec 2020 14:03:02 +0200
+Subject: interconnect: imx8mq: Use icc_sync_state
+
+From: Martin Kepplinger <martin.kepplinger@puri.sm>
+
+commit 67288f74d4837b82ef937170da3389b0779c17be upstream.
+
+Add the icc_sync_state callback to notify the framework when consumers
+are probed and the bandwidth doesn't have to be kept at maximum anymore.
+
+Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
+Suggested-by: Georgi Djakov <georgi.djakov@linaro.org>
+Fixes: 7d3b0b0d8184 ("interconnect: qcom: Use icc_sync_state")
+Link: https://lore.kernel.org/r/20201210100906.18205-6-martin.kepplinger@puri.sm
+Signed-off-by: Georgi Djakov <georgi.djakov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/interconnect/imx/imx8mq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/interconnect/imx/imx8mq.c
++++ b/drivers/interconnect/imx/imx8mq.c
+@@ -7,6 +7,7 @@
+
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
++#include <linux/interconnect-provider.h>
+ #include <dt-bindings/interconnect/imx8mq.h>
+
+ #include "imx.h"
+@@ -94,6 +95,7 @@ static struct platform_driver imx8mq_icc
+ .remove = imx8mq_icc_remove,
+ .driver = {
+ .name = "imx8mq-interconnect",
++ .sync_state = icc_sync_state,
+ },
+ };
+
--- /dev/null
+From 4eaad21a6ac9865df7f31983232ed5928450458d Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 20 Jan 2021 21:46:29 +0100
+Subject: kernfs: implement ->read_iter
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 4eaad21a6ac9865df7f31983232ed5928450458d upstream.
+
+Switch kernfs to implement the read_iter method instead of plain old
+read to prepare to supporting splice and sendfile again.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20210120204631.274206-2-hch@lst.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/kernfs/file.c | 35 ++++++++++++-----------------------
+ 1 file changed, 12 insertions(+), 23 deletions(-)
+
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -14,6 +14,7 @@
+ #include <linux/pagemap.h>
+ #include <linux/sched/mm.h>
+ #include <linux/fsnotify.h>
++#include <linux/uio.h>
+
+ #include "kernfs-internal.h"
+
+@@ -180,11 +181,10 @@ static const struct seq_operations kernf
+ * it difficult to use seq_file. Implement simplistic custom buffering for
+ * bin files.
+ */
+-static ssize_t kernfs_file_direct_read(struct kernfs_open_file *of,
+- char __user *user_buf, size_t count,
+- loff_t *ppos)
++static ssize_t kernfs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter)
+ {
+- ssize_t len = min_t(size_t, count, PAGE_SIZE);
++ struct kernfs_open_file *of = kernfs_of(iocb->ki_filp);
++ ssize_t len = min_t(size_t, iov_iter_count(iter), PAGE_SIZE);
+ const struct kernfs_ops *ops;
+ char *buf;
+
+@@ -210,7 +210,7 @@ static ssize_t kernfs_file_direct_read(s
+ of->event = atomic_read(&of->kn->attr.open->event);
+ ops = kernfs_ops(of->kn);
+ if (ops->read)
+- len = ops->read(of, buf, len, *ppos);
++ len = ops->read(of, buf, len, iocb->ki_pos);
+ else
+ len = -EINVAL;
+
+@@ -220,12 +220,12 @@ static ssize_t kernfs_file_direct_read(s
+ if (len < 0)
+ goto out_free;
+
+- if (copy_to_user(user_buf, buf, len)) {
++ if (copy_to_iter(buf, len, iter) != len) {
+ len = -EFAULT;
+ goto out_free;
+ }
+
+- *ppos += len;
++ iocb->ki_pos += len;
+
+ out_free:
+ if (buf == of->prealloc_buf)
+@@ -235,22 +235,11 @@ static ssize_t kernfs_file_direct_read(s
+ return len;
+ }
+
+-/**
+- * kernfs_fop_read - kernfs vfs read callback
+- * @file: file pointer
+- * @user_buf: data to write
+- * @count: number of bytes
+- * @ppos: starting offset
+- */
+-static ssize_t kernfs_fop_read(struct file *file, char __user *user_buf,
+- size_t count, loff_t *ppos)
++static ssize_t kernfs_fop_read_iter(struct kiocb *iocb, struct iov_iter *iter)
+ {
+- struct kernfs_open_file *of = kernfs_of(file);
+-
+- if (of->kn->flags & KERNFS_HAS_SEQ_SHOW)
+- return seq_read(file, user_buf, count, ppos);
+- else
+- return kernfs_file_direct_read(of, user_buf, count, ppos);
++ if (kernfs_of(iocb->ki_filp)->kn->flags & KERNFS_HAS_SEQ_SHOW)
++ return seq_read_iter(iocb, iter);
++ return kernfs_file_read_iter(iocb, iter);
+ }
+
+ /**
+@@ -960,7 +949,7 @@ void kernfs_notify(struct kernfs_node *k
+ EXPORT_SYMBOL_GPL(kernfs_notify);
+
+ const struct file_operations kernfs_file_fops = {
+- .read = kernfs_fop_read,
++ .read_iter = kernfs_fop_read_iter,
+ .write = kernfs_fop_write,
+ .llseek = generic_file_llseek,
+ .mmap = kernfs_fop_mmap,
--- /dev/null
+From cc099e0b399889c6485c88368b19824b087c9f8c Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 20 Jan 2021 21:46:30 +0100
+Subject: kernfs: implement ->write_iter
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit cc099e0b399889c6485c88368b19824b087c9f8c upstream.
+
+Switch kernfs to implement the write_iter method instead of plain old
+write to prepare to supporting splice and sendfile again.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20210120204631.274206-3-hch@lst.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/kernfs/file.c | 28 ++++++++++------------------
+ 1 file changed, 10 insertions(+), 18 deletions(-)
+
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -242,13 +242,7 @@ static ssize_t kernfs_fop_read_iter(stru
+ return kernfs_file_read_iter(iocb, iter);
+ }
+
+-/**
+- * kernfs_fop_write - kernfs vfs write callback
+- * @file: file pointer
+- * @user_buf: data to write
+- * @count: number of bytes
+- * @ppos: starting offset
+- *
++/*
+ * Copy data in from userland and pass it to the matching kernfs write
+ * operation.
+ *
+@@ -258,20 +252,18 @@ static ssize_t kernfs_fop_read_iter(stru
+ * modify only the the value you're changing, then write entire buffer
+ * back.
+ */
+-static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf,
+- size_t count, loff_t *ppos)
++static ssize_t kernfs_fop_write_iter(struct kiocb *iocb, struct iov_iter *iter)
+ {
+- struct kernfs_open_file *of = kernfs_of(file);
++ struct kernfs_open_file *of = kernfs_of(iocb->ki_filp);
++ ssize_t len = iov_iter_count(iter);
+ const struct kernfs_ops *ops;
+- ssize_t len;
+ char *buf;
+
+ if (of->atomic_write_len) {
+- len = count;
+ if (len > of->atomic_write_len)
+ return -E2BIG;
+ } else {
+- len = min_t(size_t, count, PAGE_SIZE);
++ len = min_t(size_t, len, PAGE_SIZE);
+ }
+
+ buf = of->prealloc_buf;
+@@ -282,7 +274,7 @@ static ssize_t kernfs_fop_write(struct f
+ if (!buf)
+ return -ENOMEM;
+
+- if (copy_from_user(buf, user_buf, len)) {
++ if (copy_from_iter(buf, len, iter) != len) {
+ len = -EFAULT;
+ goto out_free;
+ }
+@@ -301,7 +293,7 @@ static ssize_t kernfs_fop_write(struct f
+
+ ops = kernfs_ops(of->kn);
+ if (ops->write)
+- len = ops->write(of, buf, len, *ppos);
++ len = ops->write(of, buf, len, iocb->ki_pos);
+ else
+ len = -EINVAL;
+
+@@ -309,7 +301,7 @@ static ssize_t kernfs_fop_write(struct f
+ mutex_unlock(&of->mutex);
+
+ if (len > 0)
+- *ppos += len;
++ iocb->ki_pos += len;
+
+ out_free:
+ if (buf == of->prealloc_buf)
+@@ -662,7 +654,7 @@ static int kernfs_fop_open(struct inode
+
+ /*
+ * Write path needs to atomic_write_len outside active reference.
+- * Cache it in open_file. See kernfs_fop_write() for details.
++ * Cache it in open_file. See kernfs_fop_write_iter() for details.
+ */
+ of->atomic_write_len = ops->atomic_write_len;
+
+@@ -950,7 +942,7 @@ EXPORT_SYMBOL_GPL(kernfs_notify);
+
+ const struct file_operations kernfs_file_fops = {
+ .read_iter = kernfs_fop_read_iter,
+- .write = kernfs_fop_write,
++ .write_iter = kernfs_fop_write_iter,
+ .llseek = generic_file_llseek,
+ .mmap = kernfs_fop_mmap,
+ .open = kernfs_fop_open,
--- /dev/null
+From f2d6c2708bd84ca953fa6b6ca5717e79eb0140c7 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 20 Jan 2021 21:46:31 +0100
+Subject: kernfs: wire up ->splice_read and ->splice_write
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit f2d6c2708bd84ca953fa6b6ca5717e79eb0140c7 upstream.
+
+Wire up the splice_read and splice_write methods to the default
+helpers using ->read_iter and ->write_iter now that those are
+implemented for kernfs. This restores support to use splice and
+sendfile on kernfs files.
+
+Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
+Reported-by: Siddharth Gupta <sidgup@codeaurora.org>
+Tested-by: Siddharth Gupta <sidgup@codeaurora.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20210120204631.274206-4-hch@lst.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/kernfs/file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -949,6 +949,8 @@ const struct file_operations kernfs_file
+ .release = kernfs_fop_release,
+ .poll = kernfs_fop_poll,
+ .fsync = noop_fsync,
++ .splice_read = generic_file_splice_read,
++ .splice_write = iter_file_splice_write,
+ };
+
+ /**
--- /dev/null
+From 0c630a66bf10991b0ef13d27c93d7545e692ef5b Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Tue, 19 Jan 2021 20:44:23 -0800
+Subject: net: systemport: free dev before on error path
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 0c630a66bf10991b0ef13d27c93d7545e692ef5b upstream.
+
+On the error path, it should goto the error handling label to free
+allocated memory rather than directly return.
+
+Fixes: 31bc72d97656 ("net: systemport: fetch and use clock resources")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20210120044423.1704-1-bianpan2016@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2503,8 +2503,10 @@ static int bcm_sysport_probe(struct plat
+ priv = netdev_priv(dev);
+
+ priv->clk = devm_clk_get_optional(&pdev->dev, "sw_sysport");
+- if (IS_ERR(priv->clk))
+- return PTR_ERR(priv->clk);
++ if (IS_ERR(priv->clk)) {
++ ret = PTR_ERR(priv->clk);
++ goto err_free_netdev;
++ }
+
+ /* Allocate number of TX rings */
+ priv->tx_rings = devm_kcalloc(&pdev->dev, txq,
pinctrl-qcom-no-need-to-read-modify-write-the-interrupt-status.patch
pinctrl-qcom-properly-clear-intr_ack_high-interrupts-when-unmasking.patch
pinctrl-qcom-don-t-clear-pending-interrupts-when-enabling.patch
+x86-sev-fix-nonistr-violation.patch
+tty-implement-write_iter.patch
+tty-fix-up-hung_up_tty_write-conversion.patch
+net-systemport-free-dev-before-on-error-path.patch
+x86-sev-es-handle-string-port-io-to-kernel-memory-properly.patch
+tcp-fix-potential-use-after-free-due-to-double-kfree.patch
+asoc-sof-intel-hda-avoid-checking-jack-on-system-suspend.patch
+drm-i915-hdcp-get-conn-while-content_type-changed.patch
+bpf-local-storage-helpers-should-check-nullness-of-owner-ptr-passed.patch
+kernfs-implement-read_iter.patch
+kernfs-implement-write_iter.patch
+kernfs-wire-up-splice_read-and-splice_write.patch
+interconnect-imx8mq-use-icc_sync_state.patch
--- /dev/null
+From c89dffc70b340780e5b933832d8c3e045ef3791e Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Date: Mon, 18 Jan 2021 14:59:20 +0900
+Subject: tcp: Fix potential use-after-free due to double kfree()
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+commit c89dffc70b340780e5b933832d8c3e045ef3791e upstream.
+
+Receiving ACK with a valid SYN cookie, cookie_v4_check() allocates struct
+request_sock and then can allocate inet_rsk(req)->ireq_opt. After that,
+tcp_v4_syn_recv_sock() allocates struct sock and copies ireq_opt to
+inet_sk(sk)->inet_opt. Normally, tcp_v4_syn_recv_sock() inserts the full
+socket into ehash and sets NULL to ireq_opt. Otherwise,
+tcp_v4_syn_recv_sock() has to reset inet_opt by NULL and free the full
+socket.
+
+The commit 01770a1661657 ("tcp: fix race condition when creating child
+sockets from syncookies") added a new path, in which more than one cores
+create full sockets for the same SYN cookie. Currently, the core which
+loses the race frees the full socket without resetting inet_opt, resulting
+in that both sock_put() and reqsk_put() call kfree() for the same memory:
+
+ sock_put
+ sk_free
+ __sk_free
+ sk_destruct
+ __sk_destruct
+ sk->sk_destruct/inet_sock_destruct
+ kfree(rcu_dereference_protected(inet->inet_opt, 1));
+
+ reqsk_put
+ reqsk_free
+ __reqsk_free
+ req->rsk_ops->destructor/tcp_v4_reqsk_destructor
+ kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1));
+
+Calling kmalloc() between the double kfree() can lead to use-after-free, so
+this patch fixes it by setting NULL to inet_opt before sock_put().
+
+As a side note, this kind of issue does not happen for IPv6. This is
+because tcp_v6_syn_recv_sock() clones both ipv6_opt and pktopts which
+correspond to ireq_opt in IPv4.
+
+Fixes: 01770a166165 ("tcp: fix race condition when creating child sockets from syncookies")
+CC: Ricardo Dias <rdias@singlestore.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Reviewed-by: Benjamin Herrenschmidt <benh@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210118055920.82516-1-kuniyu@amazon.co.jp
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ipv4.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1590,6 +1590,8 @@ struct sock *tcp_v4_syn_recv_sock(const
+ tcp_move_syn(newtp, req);
+ ireq->ireq_opt = NULL;
+ } else {
++ newinet->inet_opt = NULL;
++
+ if (!req_unhash && found_dup_sk) {
+ /* This code path should only be executed in the
+ * syncookie case only
+@@ -1597,8 +1599,6 @@ struct sock *tcp_v4_syn_recv_sock(const
+ bh_unlock_sock(newsk);
+ sock_put(newsk);
+ newsk = NULL;
+- } else {
+- newinet->inet_opt = NULL;
+ }
+ }
+ return newsk;
--- /dev/null
+From 17749851eb9ca2298e7c3b81aae4228961b36f28 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 21 Jan 2021 10:04:27 -0800
+Subject: tty: fix up hung_up_tty_write() conversion
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 17749851eb9ca2298e7c3b81aae4228961b36f28 upstream.
+
+In commit "tty: implement write_iter", I left the write_iter conversion
+of the hung up tty case alone, because I incorrectly thought it didn't
+matter.
+
+Jiri showed me the errors of my ways, and pointed out the problems with
+that incomplete conversion. Fix it all up.
+
+Reported-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/CAHk-=wh+-rGsa=xruEWdg_fJViFG8rN9bpLrfLz=_yBYh2tBhA@mail.gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_io.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -437,8 +437,7 @@ static ssize_t hung_up_tty_read(struct f
+ return 0;
+ }
+
+-static ssize_t hung_up_tty_write(struct file *file, const char __user *buf,
+- size_t count, loff_t *ppos)
++static ssize_t hung_up_tty_write(struct kiocb *iocb, struct iov_iter *from)
+ {
+ return -EIO;
+ }
+@@ -504,7 +503,7 @@ static const struct file_operations cons
+ static const struct file_operations hung_up_tty_fops = {
+ .llseek = no_llseek,
+ .read = hung_up_tty_read,
+- .write = hung_up_tty_write,
++ .write_iter = hung_up_tty_write,
+ .poll = hung_up_tty_poll,
+ .unlocked_ioctl = hung_up_tty_ioctl,
+ .compat_ioctl = hung_up_tty_compat_ioctl,
+@@ -1045,7 +1044,9 @@ static ssize_t tty_write(struct kiocb *i
+ if (tty->ops->write_room == NULL)
+ tty_err(tty, "missing write_room method\n");
+ ld = tty_ldisc_ref_wait(tty);
+- if (!ld || !ld->ops->write)
++ if (!ld)
++ return hung_up_tty_write(iocb, from);
++ if (!ld->ops->write)
+ ret = -EIO;
+ else
+ ret = do_tty_write(ld->ops->write, tty, file, from);
--- /dev/null
+From 9bb48c82aced07698a2d08ee0f1475a6c4f6b266 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 19 Jan 2021 11:41:16 -0800
+Subject: tty: implement write_iter
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9bb48c82aced07698a2d08ee0f1475a6c4f6b266 upstream.
+
+This makes the tty layer use the .write_iter() function instead of the
+traditional .write() functionality.
+
+That allows writev(), but more importantly also makes it possible to
+enable .splice_write() for ttys, reinstating the "splice to tty"
+functionality that was lost in commit 36e2c7421f02 ("fs: don't allow
+splice read/write without explicit ops").
+
+Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
+Reported-by: Oliver Giles <ohw.giles@gmail.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_io.c | 48 ++++++++++++++++++++++++++----------------------
+ 1 file changed, 26 insertions(+), 22 deletions(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -143,9 +143,8 @@ LIST_HEAD(tty_drivers); /* linked list
+ DEFINE_MUTEX(tty_mutex);
+
+ static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
+-static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
+-ssize_t redirected_tty_write(struct file *, const char __user *,
+- size_t, loff_t *);
++static ssize_t tty_write(struct kiocb *, struct iov_iter *);
++ssize_t redirected_tty_write(struct kiocb *, struct iov_iter *);
+ static __poll_t tty_poll(struct file *, poll_table *);
+ static int tty_open(struct inode *, struct file *);
+ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+@@ -478,7 +477,8 @@ static void tty_show_fdinfo(struct seq_f
+ static const struct file_operations tty_fops = {
+ .llseek = no_llseek,
+ .read = tty_read,
+- .write = tty_write,
++ .write_iter = tty_write,
++ .splice_write = iter_file_splice_write,
+ .poll = tty_poll,
+ .unlocked_ioctl = tty_ioctl,
+ .compat_ioctl = tty_compat_ioctl,
+@@ -491,7 +491,8 @@ static const struct file_operations tty_
+ static const struct file_operations console_fops = {
+ .llseek = no_llseek,
+ .read = tty_read,
+- .write = redirected_tty_write,
++ .write_iter = redirected_tty_write,
++ .splice_write = iter_file_splice_write,
+ .poll = tty_poll,
+ .unlocked_ioctl = tty_ioctl,
+ .compat_ioctl = tty_compat_ioctl,
+@@ -607,9 +608,9 @@ static void __tty_hangup(struct tty_stru
+ /* This breaks for file handles being sent over AF_UNIX sockets ? */
+ list_for_each_entry(priv, &tty->tty_files, list) {
+ filp = priv->file;
+- if (filp->f_op->write == redirected_tty_write)
++ if (filp->f_op->write_iter == redirected_tty_write)
+ cons_filp = filp;
+- if (filp->f_op->write != tty_write)
++ if (filp->f_op->write_iter != tty_write)
+ continue;
+ closecount++;
+ __tty_fasync(-1, filp, 0); /* can't block */
+@@ -902,9 +903,9 @@ static inline ssize_t do_tty_write(
+ ssize_t (*write)(struct tty_struct *, struct file *, const unsigned char *, size_t),
+ struct tty_struct *tty,
+ struct file *file,
+- const char __user *buf,
+- size_t count)
++ struct iov_iter *from)
+ {
++ size_t count = iov_iter_count(from);
+ ssize_t ret, written = 0;
+ unsigned int chunk;
+
+@@ -956,14 +957,20 @@ static inline ssize_t do_tty_write(
+ size_t size = count;
+ if (size > chunk)
+ size = chunk;
++
+ ret = -EFAULT;
+- if (copy_from_user(tty->write_buf, buf, size))
++ if (copy_from_iter(tty->write_buf, size, from) != size)
+ break;
++
+ ret = write(tty, file, tty->write_buf, size);
+ if (ret <= 0)
+ break;
++
++ /* FIXME! Have Al check this! */
++ if (ret != size)
++ iov_iter_revert(from, size-ret);
++
+ written += ret;
+- buf += ret;
+ count -= ret;
+ if (!count)
+ break;
+@@ -1023,9 +1030,9 @@ void tty_write_message(struct tty_struct
+ * write method will not be invoked in parallel for each device.
+ */
+
+-static ssize_t tty_write(struct file *file, const char __user *buf,
+- size_t count, loff_t *ppos)
++static ssize_t tty_write(struct kiocb *iocb, struct iov_iter *from)
+ {
++ struct file *file = iocb->ki_filp;
+ struct tty_struct *tty = file_tty(file);
+ struct tty_ldisc *ld;
+ ssize_t ret;
+@@ -1038,18 +1045,15 @@ static ssize_t tty_write(struct file *fi
+ if (tty->ops->write_room == NULL)
+ tty_err(tty, "missing write_room method\n");
+ ld = tty_ldisc_ref_wait(tty);
+- if (!ld)
+- return hung_up_tty_write(file, buf, count, ppos);
+- if (!ld->ops->write)
++ if (!ld || !ld->ops->write)
+ ret = -EIO;
+ else
+- ret = do_tty_write(ld->ops->write, tty, file, buf, count);
++ ret = do_tty_write(ld->ops->write, tty, file, from);
+ tty_ldisc_deref(ld);
+ return ret;
+ }
+
+-ssize_t redirected_tty_write(struct file *file, const char __user *buf,
+- size_t count, loff_t *ppos)
++ssize_t redirected_tty_write(struct kiocb *iocb, struct iov_iter *iter)
+ {
+ struct file *p = NULL;
+
+@@ -1060,11 +1064,11 @@ ssize_t redirected_tty_write(struct file
+
+ if (p) {
+ ssize_t res;
+- res = vfs_write(p, buf, count, &p->f_pos);
++ res = vfs_iocb_iter_write(p, iocb, iter);
+ fput(p);
+ return res;
+ }
+- return tty_write(file, buf, count, ppos);
++ return tty_write(iocb, iter);
+ }
+
+ /**
+@@ -2293,7 +2297,7 @@ static int tioccons(struct file *file)
+ {
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+- if (file->f_op->write == redirected_tty_write) {
++ if (file->f_op->write_iter == redirected_tty_write) {
+ struct file *f;
+ spin_lock(&redirect_lock);
+ f = redirect;
--- /dev/null
+From 7024f60d655272bd2ca1d3a4c9e0a63319b1eea1 Mon Sep 17 00:00:00 2001
+From: "Hyunwook (Wooky) Baek" <baekhw@google.com>
+Date: Sat, 9 Jan 2021 23:11:02 -0800
+Subject: x86/sev-es: Handle string port IO to kernel memory properly
+
+From: Hyunwook (Wooky) Baek <baekhw@google.com>
+
+commit 7024f60d655272bd2ca1d3a4c9e0a63319b1eea1 upstream.
+
+Don't assume dest/source buffers are userspace addresses when manually
+copying data for string I/O or MOVS MMIO, as {get,put}_user() will fail
+if handed a kernel address and ultimately lead to a kernel panic.
+
+When invoking INSB/OUTSB instructions in kernel space in a
+SEV-ES-enabled VM, the kernel crashes with the following message:
+
+ "SEV-ES: Unsupported exception in #VC instruction emulation - can't continue"
+
+Handle that case properly.
+
+ [ bp: Massage commit message. ]
+
+Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image")
+Signed-off-by: Hyunwook (Wooky) Baek <baekhw@google.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: David Rientjes <rientjes@google.com>
+Link: https://lkml.kernel.org/r/20210110071102.2576186-1-baekhw@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/sev-es.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/x86/kernel/sev-es.c
++++ b/arch/x86/kernel/sev-es.c
+@@ -286,6 +286,12 @@ static enum es_result vc_write_mem(struc
+ u16 d2;
+ u8 d1;
+
++ /* If instruction ran in kernel mode and the I/O buffer is in kernel space */
++ if (!user_mode(ctxt->regs) && !access_ok(target, size)) {
++ memcpy(dst, buf, size);
++ return ES_OK;
++ }
++
+ switch (size) {
+ case 1:
+ memcpy(&d1, buf, 1);
+@@ -335,6 +341,12 @@ static enum es_result vc_read_mem(struct
+ u16 d2;
+ u8 d1;
+
++ /* If instruction ran in kernel mode and the I/O buffer is in kernel space */
++ if (!user_mode(ctxt->regs) && !access_ok(s, size)) {
++ memcpy(buf, src, size);
++ return ES_OK;
++ }
++
+ switch (size) {
+ case 1:
+ if (get_user(d1, s))
--- /dev/null
+From a1d5c98aac33a5a0004ecf88905dcc261c52f988 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 6 Jan 2021 15:36:21 +0100
+Subject: x86/sev: Fix nonistr violation
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit a1d5c98aac33a5a0004ecf88905dcc261c52f988 upstream.
+
+When the compiler fails to inline, it violates nonisntr:
+
+ vmlinux.o: warning: objtool: __sev_es_nmi_complete()+0xc7: call to sev_es_wr_ghcb_msr() leaves .noinstr.text section
+
+Fixes: 4ca68e023b11 ("x86/sev-es: Handle NMI State")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20210106144017.532902065@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/sev-es.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/sev-es.c
++++ b/arch/x86/kernel/sev-es.c
+@@ -225,7 +225,7 @@ static inline u64 sev_es_rd_ghcb_msr(voi
+ return __rdmsr(MSR_AMD64_SEV_ES_GHCB);
+ }
+
+-static inline void sev_es_wr_ghcb_msr(u64 val)
++static __always_inline void sev_es_wr_ghcb_msr(u64 val)
+ {
+ u32 low, high;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
