--- /dev/null
+From 871b9066027702e6e6589da0e1edd3b7dede7205 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 14 Aug 2019 12:09:08 +0800
+Subject: ALSA: hda - Add a generic reboot_notify
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 871b9066027702e6e6589da0e1edd3b7dede7205 upstream.
+
+Make codec enter D3 before rebooting or poweroff can fix the noise
+issue on some laptops. And in theory it is harmless for all codecs
+to enter D3 before rebooting or poweroff, let us add a generic
+reboot_notify, then realtek and conexant drivers can call this
+function.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_generic.c | 19 +++++++++++++++++++
+ sound/pci/hda/hda_generic.h | 1 +
+ sound/pci/hda/patch_conexant.c | 6 +-----
+ sound/pci/hda/patch_realtek.c | 11 +----------
+ 4 files changed, 22 insertions(+), 15 deletions(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -6051,6 +6051,24 @@ void snd_hda_gen_free(struct hda_codec *
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_gen_free);
+
++/**
++ * snd_hda_gen_reboot_notify - Make codec enter D3 before rebooting
++ * @codec: the HDA codec
++ *
++ * This can be put as patch_ops reboot_notify function.
++ */
++void snd_hda_gen_reboot_notify(struct hda_codec *codec)
++{
++ /* Make the codec enter D3 to avoid spurious noises from the internal
++ * speaker during (and after) reboot
++ */
++ snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
++ snd_hda_codec_write(codec, codec->core.afg, 0,
++ AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
++ msleep(10);
++}
++EXPORT_SYMBOL_GPL(snd_hda_gen_reboot_notify);
++
+ #ifdef CONFIG_PM
+ /**
+ * snd_hda_gen_check_power_status - check the loopback power save state
+@@ -6078,6 +6096,7 @@ static const struct hda_codec_ops generi
+ .init = snd_hda_gen_init,
+ .free = snd_hda_gen_free,
+ .unsol_event = snd_hda_jack_unsol_event,
++ .reboot_notify = snd_hda_gen_reboot_notify,
+ #ifdef CONFIG_PM
+ .check_power_status = snd_hda_gen_check_power_status,
+ #endif
+--- a/sound/pci/hda/hda_generic.h
++++ b/sound/pci/hda/hda_generic.h
+@@ -332,6 +332,7 @@ int snd_hda_gen_parse_auto_config(struct
+ struct auto_pin_cfg *cfg);
+ int snd_hda_gen_build_controls(struct hda_codec *codec);
+ int snd_hda_gen_build_pcms(struct hda_codec *codec);
++void snd_hda_gen_reboot_notify(struct hda_codec *codec);
+
+ /* standard jack event callbacks */
+ void snd_hda_gen_hp_automute(struct hda_codec *codec,
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -175,11 +175,7 @@ static void cx_auto_reboot_notify(struct
+ /* Turn the problematic codec into D3 to avoid spurious noises
+ from the internal speaker during (and after) reboot */
+ cx_auto_turn_eapd(codec, spec->num_eapds, spec->eapds, false);
+-
+- snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
+- snd_hda_codec_write(codec, codec->core.afg, 0,
+- AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
+- msleep(10);
++ snd_hda_gen_reboot_notify(codec);
+ }
+
+ static void cx_auto_free(struct hda_codec *codec)
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -869,15 +869,6 @@ static void alc_reboot_notify(struct hda
+ alc_shutup(codec);
+ }
+
+-/* power down codec to D3 at reboot/shutdown; set as reboot_notify ops */
+-static void alc_d3_at_reboot(struct hda_codec *codec)
+-{
+- snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
+- snd_hda_codec_write(codec, codec->core.afg, 0,
+- AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
+- msleep(10);
+-}
+-
+ #define alc_free snd_hda_gen_free
+
+ #ifdef CONFIG_PM
+@@ -5152,7 +5143,7 @@ static void alc_fixup_tpt440_dock(struct
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+- spec->reboot_notify = alc_d3_at_reboot; /* reduce noise */
++ spec->reboot_notify = snd_hda_gen_reboot_notify; /* reduce noise */
+ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
+ codec->power_save_node = 0; /* avoid click noises */
+ snd_hda_apply_pincfgs(codec, pincfgs);
--- /dev/null
+From de768ce45466f3009809719eb7b1f6f5277d9373 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 9 Aug 2019 11:23:00 +0200
+Subject: ALSA: hda - Apply workaround for another AMD chip 1022:1487
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit de768ce45466f3009809719eb7b1f6f5277d9373 upstream.
+
+MSI MPG X570 board is with another AMD HD-audio controller (PCI ID
+1022:1487) and it requires the same workaround applied for X370, etc
+(PCI ID 1022:1457).
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2505,6 +2505,9 @@ static const struct pci_device_id azx_id
+ /* AMD, X370 & co */
+ { PCI_DEVICE(0x1022, 0x1457),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
++ /* AMD, X570 & co */
++ { PCI_DEVICE(0x1022, 0x1487),
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
+ /* AMD Stoney */
+ { PCI_DEVICE(0x1022, 0x157a),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
--- /dev/null
+From cfef67f016e4c00a2f423256fc678a6967a9fc09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Fri, 9 Aug 2019 23:29:48 -0500
+Subject: ALSA: hda - Fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit cfef67f016e4c00a2f423256fc678a6967a9fc09 upstream.
+
+In snd_hda_parse_generic_codec(), 'spec' is allocated through kzalloc().
+Then, the pin widgets in 'codec' are parsed. However, if the parsing
+process fails, 'spec' is not deallocated, leading to a memory leak.
+
+To fix the above issue, free 'spec' before returning the error.
+
+Fixes: 352f7f914ebb ("ALSA: hda - Merge Realtek parser code to generic parser")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -6100,7 +6100,7 @@ static int snd_hda_parse_generic_codec(s
+
+ err = snd_hda_parse_pin_defcfg(codec, &spec->autocfg, NULL, 0);
+ if (err < 0)
+- return err;
++ goto error;
+
+ err = snd_hda_gen_parse_auto_config(codec, &spec->autocfg);
+ if (err < 0)
--- /dev/null
+From 401714d9534aad8c24196b32600da683116bbe09 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 14 Aug 2019 12:09:07 +0800
+Subject: ALSA: hda - Let all conexant codec enter D3 when rebooting
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 401714d9534aad8c24196b32600da683116bbe09 upstream.
+
+We have 3 new lenovo laptops which have conexant codec 0x14f11f86,
+these 3 laptops also have the noise issue when rebooting, after
+letting the codec enter D3 before rebooting or poweroff, the noise
+disappers.
+
+Instead of adding a new ID again in the reboot_notify(), let us make
+this function apply to all conexant codec. In theory make codec enter
+D3 before rebooting or poweroff is harmless, and I tested this change
+on a couple of other Lenovo laptops which have different conexant
+codecs, there is no side effect so far.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -163,15 +163,6 @@ static void cx_auto_reboot_notify(struct
+ {
+ struct conexant_spec *spec = codec->spec;
+
+- switch (codec->core.vendor_id) {
+- case 0x14f12008: /* CX8200 */
+- case 0x14f150f2: /* CX20722 */
+- case 0x14f150f4: /* CX20724 */
+- break;
+- default:
+- return;
+- }
+-
+ /* Turn the problematic codec into D3 to avoid spurious noises
+ from the internal speaker during (and after) reboot */
+ cx_auto_turn_eapd(codec, spec->num_eapds, spec->eapds, false);
--- /dev/null
+From 190d03814eb3b49d4f87ff38fef26d36f3568a60 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 13 Aug 2019 17:39:56 +0200
+Subject: ALSA: hda/realtek - Add quirk for HP Envy x360
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 190d03814eb3b49d4f87ff38fef26d36f3568a60 upstream.
+
+HP Envy x360 (AMD Ryzen-based model) with 103c:8497 needs the same
+quirk like HP Spectre x360 for enabling the mute LED over Mic3 pin.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204373
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6987,6 +6987,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x82bf, "HP G3 mini", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x82c0, "HP G3 mini premium", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x83b9, "HP Spectre x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
++ SND_PCI_QUIRK(0x103c, 0x8497, "HP Envy x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From 19bce474c45be69a284ecee660aa12d8f1e88f18 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Thu, 15 Aug 2019 00:31:34 -0400
+Subject: ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
+
+From: Hui Peng <benquike@gmail.com>
+
+commit 19bce474c45be69a284ecee660aa12d8f1e88f18 upstream.
+
+`check_input_term` recursively calls itself with input from
+device side (e.g., uac_input_terminal_descriptor.bCSourceID)
+as argument (id). In `check_input_term`, if `check_input_term`
+is called with the same `id` argument as the caller, it triggers
+endless recursive call, resulting kernel space stack overflow.
+
+This patch fixes the bug by adding a bitmap to `struct mixer_build`
+to keep track of the checked ids and stop the execution if some id
+has been checked (similar to how parse_audio_unit handles unitid
+argument).
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 35 +++++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -68,6 +68,7 @@ struct mixer_build {
+ unsigned char *buffer;
+ unsigned int buflen;
+ DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
++ DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
+ struct usb_audio_term oterm;
+ const struct usbmix_name_map *map;
+ const struct usbmix_selector_map *selector_map;
+@@ -773,16 +774,25 @@ static int uac_mixer_unit_get_channels(s
+ * parse the source unit recursively until it reaches to a terminal
+ * or a branched unit.
+ */
+-static int check_input_term(struct mixer_build *state, int id,
++static int __check_input_term(struct mixer_build *state, int id,
+ struct usb_audio_term *term)
+ {
+ int protocol = state->mixer->protocol;
+ int err;
+ void *p1;
++ unsigned char *hdr;
+
+ memset(term, 0, sizeof(*term));
+- while ((p1 = find_audio_control_unit(state, id)) != NULL) {
+- unsigned char *hdr = p1;
++ for (;;) {
++ /* a loop in the terminal chain? */
++ if (test_and_set_bit(id, state->termbitmap))
++ return -EINVAL;
++
++ p1 = find_audio_control_unit(state, id);
++ if (!p1)
++ break;
++
++ hdr = p1;
+ term->id = id;
+
+ if (protocol == UAC_VERSION_1 || protocol == UAC_VERSION_2) {
+@@ -800,7 +810,7 @@ static int check_input_term(struct mixer
+
+ /* call recursively to verify that the
+ * referenced clock entity is valid */
+- err = check_input_term(state, d->bCSourceID, term);
++ err = __check_input_term(state, d->bCSourceID, term);
+ if (err < 0)
+ return err;
+
+@@ -834,7 +844,7 @@ static int check_input_term(struct mixer
+ case UAC2_CLOCK_SELECTOR: {
+ struct uac_selector_unit_descriptor *d = p1;
+ /* call recursively to retrieve the channel info */
+- err = check_input_term(state, d->baSourceID[0], term);
++ err = __check_input_term(state, d->baSourceID[0], term);
+ if (err < 0)
+ return err;
+ term->type = UAC3_SELECTOR_UNIT << 16; /* virtual type */
+@@ -897,7 +907,7 @@ static int check_input_term(struct mixer
+
+ /* call recursively to verify that the
+ * referenced clock entity is valid */
+- err = check_input_term(state, d->bCSourceID, term);
++ err = __check_input_term(state, d->bCSourceID, term);
+ if (err < 0)
+ return err;
+
+@@ -948,7 +958,7 @@ static int check_input_term(struct mixer
+ case UAC3_CLOCK_SELECTOR: {
+ struct uac_selector_unit_descriptor *d = p1;
+ /* call recursively to retrieve the channel info */
+- err = check_input_term(state, d->baSourceID[0], term);
++ err = __check_input_term(state, d->baSourceID[0], term);
+ if (err < 0)
+ return err;
+ term->type = UAC3_SELECTOR_UNIT << 16; /* virtual type */
+@@ -964,7 +974,7 @@ static int check_input_term(struct mixer
+ return -EINVAL;
+
+ /* call recursively to retrieve the channel info */
+- err = check_input_term(state, d->baSourceID[0], term);
++ err = __check_input_term(state, d->baSourceID[0], term);
+ if (err < 0)
+ return err;
+
+@@ -982,6 +992,15 @@ static int check_input_term(struct mixer
+ return -ENODEV;
+ }
+
++
++static int check_input_term(struct mixer_build *state, int id,
++ struct usb_audio_term *term)
++{
++ memset(term, 0, sizeof(*term));
++ memset(state->termbitmap, 0, sizeof(state->termbitmap));
++ return __check_input_term(state, id, term);
++}
++
+ /*
+ * Feature Unit
+ */
--- /dev/null
+From daac07156b330b18eb5071aec4b3ddca1c377f2c Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Tue, 13 Aug 2019 22:34:04 -0400
+Subject: ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
+
+From: Hui Peng <benquike@gmail.com>
+
+commit daac07156b330b18eb5071aec4b3ddca1c377f2c upstream.
+
+The `uac_mixer_unit_descriptor` shown as below is read from the
+device side. In `parse_audio_mixer_unit`, `baSourceID` field is
+accessed from index 0 to `bNrInPins` - 1, the current implementation
+assumes that descriptor is always valid (the length of descriptor
+is no shorter than 5 + `bNrInPins`). If a descriptor read from
+the device side is invalid, it may trigger out-of-bound memory
+access.
+
+```
+struct uac_mixer_unit_descriptor {
+ __u8 bLength;
+ __u8 bDescriptorType;
+ __u8 bDescriptorSubtype;
+ __u8 bUnitID;
+ __u8 bNrInPins;
+ __u8 baSourceID[];
+}
+```
+
+This patch fixes the bug by add a sanity check on the length of
+the descriptor.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -745,6 +745,8 @@ static int uac_mixer_unit_get_channels(s
+ return -EINVAL;
+ if (!desc->bNrInPins)
+ return -EINVAL;
++ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
++ return -EINVAL;
+
+ switch (state->mixer->protocol) {
+ case UAC_VERSION_1:
--- /dev/null
+From b6143d10d23ebb4a77af311e8b8b7f019d0163e6 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 16 Aug 2019 14:57:43 +0100
+Subject: arm64: ftrace: Ensure module ftrace trampoline is coherent with I-side
+
+From: Will Deacon <will@kernel.org>
+
+commit b6143d10d23ebb4a77af311e8b8b7f019d0163e6 upstream.
+
+The initial support for dynamic ftrace trampolines in modules made use
+of an indirect branch which loaded its target from the beginning of
+a special section (e71a4e1bebaf7 ("arm64: ftrace: add support for far
+branches to dynamic ftrace")). Since no instructions were being patched,
+no cache maintenance was needed. However, later in be0f272bfc83 ("arm64:
+ftrace: emit ftrace-mod.o contents through code") this code was reworked
+to output the trampoline instructions directly into the PLT entry but,
+unfortunately, the necessary cache maintenance was overlooked.
+
+Add a call to __flush_icache_range() after writing the new trampoline
+instructions but before patching in the branch to the trampoline.
+
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: <stable@vger.kernel.org>
+Fixes: be0f272bfc83 ("arm64: ftrace: emit ftrace-mod.o contents through code")
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ftrace.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/arch/arm64/kernel/ftrace.c
++++ b/arch/arm64/kernel/ftrace.c
+@@ -73,7 +73,7 @@ int ftrace_make_call(struct dyn_ftrace *
+
+ if (offset < -SZ_128M || offset >= SZ_128M) {
+ #ifdef CONFIG_ARM64_MODULE_PLTS
+- struct plt_entry trampoline;
++ struct plt_entry trampoline, *dst;
+ struct module *mod;
+
+ /*
+@@ -106,23 +106,27 @@ int ftrace_make_call(struct dyn_ftrace *
+ * to check if the actual opcodes are in fact identical,
+ * regardless of the offset in memory so use memcmp() instead.
+ */
+- trampoline = get_plt_entry(addr, mod->arch.ftrace_trampoline);
+- if (memcmp(mod->arch.ftrace_trampoline, &trampoline,
+- sizeof(trampoline))) {
+- if (plt_entry_is_initialized(mod->arch.ftrace_trampoline)) {
++ dst = mod->arch.ftrace_trampoline;
++ trampoline = get_plt_entry(addr, dst);
++ if (memcmp(dst, &trampoline, sizeof(trampoline))) {
++ if (plt_entry_is_initialized(dst)) {
+ pr_err("ftrace: far branches to multiple entry points unsupported inside a single module\n");
+ return -EINVAL;
+ }
+
+ /* point the trampoline to our ftrace entry point */
+ module_disable_ro(mod);
+- *mod->arch.ftrace_trampoline = trampoline;
++ *dst = trampoline;
+ module_enable_ro(mod, true);
+
+- /* update trampoline before patching in the branch */
+- smp_wmb();
++ /*
++ * Ensure updated trampoline is visible to instruction
++ * fetch before we patch in the branch.
++ */
++ __flush_icache_range((unsigned long)&dst[0],
++ (unsigned long)&dst[1]);
+ }
+- addr = (unsigned long)(void *)mod->arch.ftrace_trampoline;
++ addr = (unsigned long)dst;
+ #else /* CONFIG_ARM64_MODULE_PLTS */
+ return -EINVAL;
+ #endif /* CONFIG_ARM64_MODULE_PLTS */
--- /dev/null
+From 600f5badb78c316146d062cfd7af4a2cfb655baa Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Wed, 7 Aug 2019 12:36:01 +0530
+Subject: cpufreq: schedutil: Don't skip freq update when limits change
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 600f5badb78c316146d062cfd7af4a2cfb655baa upstream.
+
+To avoid reducing the frequency of a CPU prematurely, we skip reducing
+the frequency if the CPU had been busy recently.
+
+This should not be done when the limits of the policy are changed, for
+example due to thermal throttling. We should always get the frequency
+within the new limits as soon as possible.
+
+Trying to fix this by using only one flag, i.e. need_freq_update, can
+lead to a race condition where the flag gets cleared without forcing us
+to change the frequency at least once. And so this patch introduces
+another flag to avoid that race condition.
+
+Fixes: ecd288429126 ("cpufreq: schedutil: Don't set next_freq to UINT_MAX")
+Cc: v4.18+ <stable@vger.kernel.org> # v4.18+
+Reported-by: Doug Smythies <dsmythies@telus.net>
+Tested-by: Doug Smythies <dsmythies@telus.net>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/cpufreq_schedutil.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -40,6 +40,7 @@ struct sugov_policy {
+ struct task_struct *thread;
+ bool work_in_progress;
+
++ bool limits_changed;
+ bool need_freq_update;
+ };
+
+@@ -89,8 +90,11 @@ static bool sugov_should_update_freq(str
+ !cpufreq_this_cpu_can_update(sg_policy->policy))
+ return false;
+
+- if (unlikely(sg_policy->need_freq_update))
++ if (unlikely(sg_policy->limits_changed)) {
++ sg_policy->limits_changed = false;
++ sg_policy->need_freq_update = true;
+ return true;
++ }
+
+ delta_ns = time - sg_policy->last_freq_update_time;
+
+@@ -427,7 +431,7 @@ static inline bool sugov_cpu_is_busy(str
+ static inline void ignore_dl_rate_limit(struct sugov_cpu *sg_cpu, struct sugov_policy *sg_policy)
+ {
+ if (cpu_bw_dl(cpu_rq(sg_cpu->cpu)) > sg_cpu->bw_dl)
+- sg_policy->need_freq_update = true;
++ sg_policy->limits_changed = true;
+ }
+
+ static void sugov_update_single(struct update_util_data *hook, u64 time,
+@@ -447,7 +451,8 @@ static void sugov_update_single(struct u
+ if (!sugov_should_update_freq(sg_policy, time))
+ return;
+
+- busy = sugov_cpu_is_busy(sg_cpu);
++ /* Limits may have changed, don't skip frequency update */
++ busy = !sg_policy->need_freq_update && sugov_cpu_is_busy(sg_cpu);
+
+ util = sugov_get_util(sg_cpu);
+ max = sg_cpu->max;
+@@ -821,6 +826,7 @@ static int sugov_start(struct cpufreq_po
+ sg_policy->last_freq_update_time = 0;
+ sg_policy->next_freq = 0;
+ sg_policy->work_in_progress = false;
++ sg_policy->limits_changed = false;
+ sg_policy->need_freq_update = false;
+ sg_policy->cached_raw_freq = 0;
+
+@@ -869,7 +875,7 @@ static void sugov_limits(struct cpufreq_
+ mutex_unlock(&sg_policy->work_lock);
+ }
+
+- sg_policy->need_freq_update = true;
++ sg_policy->limits_changed = true;
+ }
+
+ struct cpufreq_governor schedutil_gov = {
--- /dev/null
+From 17b6d2d528542bc60ad400add35728b2259b3cc1 Mon Sep 17 00:00:00 2001
+From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
+Date: Tue, 6 Aug 2019 18:27:26 +0200
+Subject: drm/amdgpu: fix gfx9 soft recovery
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
+
+commit 17b6d2d528542bc60ad400add35728b2259b3cc1 upstream.
+
+The SOC15_REG_OFFSET() macro wasn't used, making the soft recovery fail.
+
+v2: use WREG32_SOC15 instead of WREG32 + SOC15_REG_OFFSET
+
+Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -4553,7 +4553,7 @@ static void gfx_v9_0_ring_soft_recovery(
+ value = REG_SET_FIELD(value, SQ_CMD, MODE, 0x01);
+ value = REG_SET_FIELD(value, SQ_CMD, CHECK_VMID, 1);
+ value = REG_SET_FIELD(value, SQ_CMD, VM_ID, vmid);
+- WREG32(mmSQ_CMD, value);
++ WREG32_SOC15(GC, 0, mmSQ_CMD, value);
+ }
+
+ static void gfx_v9_0_set_gfx_eop_interrupt_state(struct amdgpu_device *adev,
--- /dev/null
+From db1231ddc04682f60d56ff42447f13099c6c4a4c Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Thu, 8 Aug 2019 20:53:05 -0400
+Subject: drm/nouveau: Only recalculate PBN/VCPI on mode/connector changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit db1231ddc04682f60d56ff42447f13099c6c4a4c upstream.
+
+I -thought- I had fixed this entirely, but it looks like that I didn't
+test this thoroughly enough as we apparently still make one big mistake
+with nv50_msto_atomic_check() - we don't handle the following scenario:
+
+* CRTC #1 has n VCPI allocated to it, is attached to connector DP-4
+ which is attached to encoder #1. enabled=y active=n
+* CRTC #1 is changed from DP-4 to DP-5, causing:
+ * DP-4 crtc=#1→NULL (VCPI n→0)
+ * DP-5 crtc=NULL→#1
+ * CRTC #1 steals encoder #1 back from DP-4 and gives it to DP-5
+ * CRTC #1 maintains the same mode as before, just with a different
+ connector
+* mode_changed=n connectors_changed=y
+ (we _SHOULD_ do VCPI 0→n here, but don't)
+
+Once the above scenario is repeated once, we'll attempt freeing VCPI
+from the connector that we didn't allocate due to the connectors
+changing, but the mode staying the same. Sigh.
+
+Since nv50_msto_atomic_check() has broken a few times now, let's rethink
+things a bit to be more careful: limit both VCPI/PBN allocations to
+mode_changed || connectors_changed, since neither VCPI or PBN should
+ever need to change outside of routing and mode changes.
+
+Changes since v1:
+* Fix accidental reversal of clock and bpp arguments in
+ drm_dp_calc_pbn_mode() - William Lewis
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reported-by: Bohdan Milar <bmilar@redhat.com>
+Tested-by: Bohdan Milar <bmilar@redhat.com>
+Fixes: 232c9eec417a ("drm/nouveau: Use atomic VCPI helpers for MST")
+References: 412e85b60531 ("drm/nouveau: Only release VCPI slots on mode changes")
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Ben Skeggs <bskeggs@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: David Airlie <airlied@redhat.com>
+Cc: Jerry Zuo <Jerry.Zuo@amd.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+Cc: Juston Li <juston.li@intel.com>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Karol Herbst <karolherbst@gmail.com>
+Cc: Ilia Mirkin <imirkin@alum.mit.edu>
+Cc: <stable@vger.kernel.org> # v5.1+
+Acked-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190809005307.18391-1-lyude@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/dispnv50/disp.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
+@@ -766,16 +766,20 @@ nv50_msto_atomic_check(struct drm_encode
+ struct nv50_head_atom *asyh = nv50_head_atom(crtc_state);
+ int slots;
+
+- /* When restoring duplicated states, we need to make sure that the
+- * bw remains the same and avoid recalculating it, as the connector's
+- * bpc may have changed after the state was duplicated
+- */
+- if (!state->duplicated)
+- asyh->dp.pbn =
+- drm_dp_calc_pbn_mode(crtc_state->adjusted_mode.clock,
+- connector->display_info.bpc * 3);
++ if (crtc_state->mode_changed || crtc_state->connectors_changed) {
++ /*
++ * When restoring duplicated states, we need to make sure that
++ * the bw remains the same and avoid recalculating it, as the
++ * connector's bpc may have changed after the state was
++ * duplicated
++ */
++ if (!state->duplicated) {
++ const int bpp = connector->display_info.bpc * 3;
++ const int clock = crtc_state->adjusted_mode.clock;
++
++ asyh->dp.pbn = drm_dp_calc_pbn_mode(clock, bpp);
++ }
+
+- if (crtc_state->mode_changed) {
+ slots = drm_dp_atomic_find_vcpi_slots(state, &mstm->mgr,
+ mstc->port,
+ asyh->dp.pbn);
mm-memcontrol.c-fix-use-after-free-in-mem_cgroup_iter.patch
mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch
mm-vmscan-do-not-special-case-slab-reclaim-when-watermarks-are-boosted.patch
+cpufreq-schedutil-don-t-skip-freq-update-when-limits-change.patch
+drm-amdgpu-fix-gfx9-soft-recovery.patch
+drm-nouveau-only-recalculate-pbn-vcpi-on-mode-connector-changes.patch
+xtensa-add-missing-isync-to-the-cpu_reset-tlb-code.patch
+arm64-ftrace-ensure-module-ftrace-trampoline-is-coherent-with-i-side.patch
+alsa-hda-realtek-add-quirk-for-hp-envy-x360.patch
+alsa-usb-audio-fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
+alsa-usb-audio-fix-an-oob-bug-in-parse_audio_mixer_unit.patch
+alsa-hda-apply-workaround-for-another-amd-chip-1022-1487.patch
+alsa-hda-fix-a-memory-leak-bug.patch
+alsa-hda-add-a-generic-reboot_notify.patch
+alsa-hda-let-all-conexant-codec-enter-d3-when-rebooting.patch
--- /dev/null
+From cd8869f4cb257f22b89495ca40f5281e58ba359c Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Mon, 12 Aug 2019 15:01:30 -0700
+Subject: xtensa: add missing isync to the cpu_reset TLB code
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit cd8869f4cb257f22b89495ca40f5281e58ba359c upstream.
+
+ITLB entry modifications must be followed by the isync instruction
+before the new entries are possibly used. cpu_reset lacks one isync
+between ITLB way 6 initialization and jump to the identity mapping.
+Add missing isync to xtensa cpu_reset.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/kernel/setup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/xtensa/kernel/setup.c
++++ b/arch/xtensa/kernel/setup.c
+@@ -515,6 +515,7 @@ void cpu_reset(void)
+ "add %2, %2, %7\n\t"
+ "addi %0, %0, -1\n\t"
+ "bnez %0, 1b\n\t"
++ "isync\n\t"
+ /* Jump to identity mapping */
+ "jx %3\n"
+ "2:\n\t"
projects / thirdparty / kernel / stable-queue.git / commitdiff
