--- /dev/null
+From 2ba33a4e9e22ac4dda928d3e9b5978a3a2ded4e0 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 12 Feb 2020 17:59:40 +0300
+Subject: ACPI: watchdog: Fix gas->access_width usage
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 2ba33a4e9e22ac4dda928d3e9b5978a3a2ded4e0 upstream.
+
+ACPI Generic Address Structure (GAS) access_width field is not in bytes
+as the driver seems to expect in few places so fix this by using the
+newly introduced macro ACPI_ACCESS_BYTE_WIDTH().
+
+Fixes: b1abf6fc4982 ("ACPI / watchdog: Fix off-by-one error at resource assignment")
+Fixes: 058dfc767008 ("ACPI / watchdog: Add support for WDAT hardware watchdog")
+Reported-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Cc: 4.16+ <stable@vger.kernel.org> # 4.16+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_watchdog.c | 3 +--
+ drivers/watchdog/wdat_wdt.c | 2 +-
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/acpi_watchdog.c
++++ b/drivers/acpi/acpi_watchdog.c
+@@ -126,12 +126,11 @@ void __init acpi_watchdog_init(void)
+ gas = &entries[i].register_region;
+
+ res.start = gas->address;
++ res.end = res.start + ACPI_ACCESS_BYTE_WIDTH(gas->access_width) - 1;
+ if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
+ res.flags = IORESOURCE_MEM;
+- res.end = res.start + ALIGN(gas->access_width, 4) - 1;
+ } else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) {
+ res.flags = IORESOURCE_IO;
+- res.end = res.start + gas->access_width - 1;
+ } else {
+ pr_warn("Unsupported address space: %u\n",
+ gas->space_id);
+--- a/drivers/watchdog/wdat_wdt.c
++++ b/drivers/watchdog/wdat_wdt.c
+@@ -389,7 +389,7 @@ static int wdat_wdt_probe(struct platfor
+
+ memset(&r, 0, sizeof(r));
+ r.start = gas->address;
+- r.end = r.start + gas->access_width - 1;
++ r.end = r.start + ACPI_ACCESS_BYTE_WIDTH(gas->access_width) - 1;
+ if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
+ r.flags = IORESOURCE_MEM;
+ } else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) {
--- /dev/null
+From 1dade3a7048ccfc675650cd2cf13d578b095e5fb Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 12 Feb 2020 17:59:39 +0300
+Subject: ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 1dade3a7048ccfc675650cd2cf13d578b095e5fb upstream.
+
+Sometimes it is useful to find the access_width field value in bytes and
+not in bits so add a helper that can be used for this purpose.
+
+Suggested-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Cc: 4.16+ <stable@vger.kernel.org> # 4.16+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/acpi/actypes.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/acpi/actypes.h
++++ b/include/acpi/actypes.h
+@@ -532,11 +532,12 @@ typedef u64 acpi_integer;
+ strnlen (a, ACPI_NAMESEG_SIZE) == ACPI_NAMESEG_SIZE)
+
+ /*
+- * Algorithm to obtain access bit width.
++ * Algorithm to obtain access bit or byte width.
+ * Can be used with access_width of struct acpi_generic_address and access_size of
+ * struct acpi_resource_generic_register.
+ */
+ #define ACPI_ACCESS_BIT_WIDTH(size) (1 << ((size) + 2))
++#define ACPI_ACCESS_BYTE_WIDTH(size) (1 << ((size) - 1))
+
+ /*******************************************************************************
+ *
--- /dev/null
+From a3ed353cf8015ba84a0407a5dc3ffee038166ab0 Mon Sep 17 00:00:00 2001
+From: Shirish S <shirish.s@amd.com>
+Date: Mon, 27 Jan 2020 16:35:24 +0530
+Subject: amdgpu/gmc_v9: save/restore sdpif regs during S3
+
+From: Shirish S <shirish.s@amd.com>
+
+commit a3ed353cf8015ba84a0407a5dc3ffee038166ab0 upstream.
+
+fixes S3 issue with IOMMU + S/G enabled @ 64M VRAM.
+
+Suggested-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Shirish S <shirish.s@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h | 1
+ drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 37 ++++++++++++-
+ drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h | 2
+ 3 files changed, 39 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h
+@@ -157,6 +157,7 @@ struct amdgpu_gmc {
+ uint32_t srbm_soft_reset;
+ bool prt_warning;
+ uint64_t stolen_size;
++ uint32_t sdpif_register;
+ /* apertures */
+ u64 shared_aperture_start;
+ u64 shared_aperture_end;
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+@@ -1383,6 +1383,19 @@ static void gmc_v9_0_init_golden_registe
+ }
+
+ /**
++ * gmc_v9_0_restore_registers - restores regs
++ *
++ * @adev: amdgpu_device pointer
++ *
++ * This restores register values, saved at suspend.
++ */
++static void gmc_v9_0_restore_registers(struct amdgpu_device *adev)
++{
++ if (adev->asic_type == CHIP_RAVEN)
++ WREG32(mmDCHUBBUB_SDPIF_MMIO_CNTRL_0, adev->gmc.sdpif_register);
++}
++
++/**
+ * gmc_v9_0_gart_enable - gart enable
+ *
+ * @adev: amdgpu_device pointer
+@@ -1479,6 +1492,20 @@ static int gmc_v9_0_hw_init(void *handle
+ }
+
+ /**
++ * gmc_v9_0_save_registers - saves regs
++ *
++ * @adev: amdgpu_device pointer
++ *
++ * This saves potential register values that should be
++ * restored upon resume
++ */
++static void gmc_v9_0_save_registers(struct amdgpu_device *adev)
++{
++ if (adev->asic_type == CHIP_RAVEN)
++ adev->gmc.sdpif_register = RREG32(mmDCHUBBUB_SDPIF_MMIO_CNTRL_0);
++}
++
++/**
+ * gmc_v9_0_gart_disable - gart disable
+ *
+ * @adev: amdgpu_device pointer
+@@ -1514,9 +1541,16 @@ static int gmc_v9_0_hw_fini(void *handle
+
+ static int gmc_v9_0_suspend(void *handle)
+ {
++ int r;
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
+- return gmc_v9_0_hw_fini(adev);
++ r = gmc_v9_0_hw_fini(adev);
++ if (r)
++ return r;
++
++ gmc_v9_0_save_registers(adev);
++
++ return 0;
+ }
+
+ static int gmc_v9_0_resume(void *handle)
+@@ -1524,6 +1558,7 @@ static int gmc_v9_0_resume(void *handle)
+ int r;
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
++ gmc_v9_0_restore_registers(adev);
+ r = gmc_v9_0_hw_init(adev);
+ if (r)
+ return r;
+--- a/drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h
++++ b/drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h
+@@ -7376,6 +7376,8 @@
+ #define mmCRTC4_CRTC_DRR_CONTROL 0x0f3e
+ #define mmCRTC4_CRTC_DRR_CONTROL_BASE_IDX 2
+
++#define mmDCHUBBUB_SDPIF_MMIO_CNTRL_0 0x395d
++#define mmDCHUBBUB_SDPIF_MMIO_CNTRL_0_BASE_IDX 2
+
+ // addressBlock: dce_dc_fmt4_dispdec
+ // base address: 0x2000
--- /dev/null
+From 756125289285f6e55a03861bf4b6257aa3d19a93 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Mon, 24 Feb 2020 16:38:57 -0500
+Subject: audit: always check the netlink payload length in audit_receive_msg()
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit 756125289285f6e55a03861bf4b6257aa3d19a93 upstream.
+
+This patch ensures that we always check the netlink payload length
+in audit_receive_msg() before we take any action on the payload
+itself.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com
+Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 40 +++++++++++++++++++++-------------------
+ 1 file changed, 21 insertions(+), 19 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1100,13 +1100,11 @@ static void audit_log_feature_change(int
+ audit_log_end(ab);
+ }
+
+-static int audit_set_feature(struct sk_buff *skb)
++static int audit_set_feature(struct audit_features *uaf)
+ {
+- struct audit_features *uaf;
+ int i;
+
+ BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
+- uaf = nlmsg_data(nlmsg_hdr(skb));
+
+ /* if there is ever a version 2 we should handle that here */
+
+@@ -1174,6 +1172,7 @@ static int audit_receive_msg(struct sk_b
+ {
+ u32 seq;
+ void *data;
++ int data_len;
+ int err;
+ struct audit_buffer *ab;
+ u16 msg_type = nlh->nlmsg_type;
+@@ -1187,6 +1186,7 @@ static int audit_receive_msg(struct sk_b
+
+ seq = nlh->nlmsg_seq;
+ data = nlmsg_data(nlh);
++ data_len = nlmsg_len(nlh);
+
+ switch (msg_type) {
+ case AUDIT_GET: {
+@@ -1210,7 +1210,7 @@ static int audit_receive_msg(struct sk_b
+ struct audit_status s;
+ memset(&s, 0, sizeof(s));
+ /* guard against past and future API changes */
+- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
+ if (s.mask & AUDIT_STATUS_ENABLED) {
+ err = audit_set_enabled(s.enabled);
+ if (err < 0)
+@@ -1314,7 +1314,9 @@ static int audit_receive_msg(struct sk_b
+ return err;
+ break;
+ case AUDIT_SET_FEATURE:
+- err = audit_set_feature(skb);
++ if (data_len < sizeof(struct audit_features))
++ return -EINVAL;
++ err = audit_set_feature(data);
+ if (err)
+ return err;
+ break;
+@@ -1326,6 +1328,8 @@ static int audit_receive_msg(struct sk_b
+
+ err = audit_filter(msg_type, AUDIT_FILTER_USER);
+ if (err == 1) { /* match or error */
++ char *str = data;
++
+ err = 0;
+ if (msg_type == AUDIT_USER_TTY) {
+ err = tty_audit_push();
+@@ -1333,26 +1337,24 @@ static int audit_receive_msg(struct sk_b
+ break;
+ }
+ audit_log_user_recv_msg(&ab, msg_type);
+- if (msg_type != AUDIT_USER_TTY)
++ if (msg_type != AUDIT_USER_TTY) {
++ /* ensure NULL termination */
++ str[data_len - 1] = '\0';
+ audit_log_format(ab, " msg='%.*s'",
+ AUDIT_MESSAGE_TEXT_MAX,
+- (char *)data);
+- else {
+- int size;
+-
++ str);
++ } else {
+ audit_log_format(ab, " data=");
+- size = nlmsg_len(nlh);
+- if (size > 0 &&
+- ((unsigned char *)data)[size - 1] == '\0')
+- size--;
+- audit_log_n_untrustedstring(ab, data, size);
++ if (data_len > 0 && str[data_len - 1] == '\0')
++ data_len--;
++ audit_log_n_untrustedstring(ab, str, data_len);
+ }
+ audit_log_end(ab);
+ }
+ break;
+ case AUDIT_ADD_RULE:
+ case AUDIT_DEL_RULE:
+- if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
++ if (data_len < sizeof(struct audit_rule_data))
+ return -EINVAL;
+ if (audit_enabled == AUDIT_LOCKED) {
+ audit_log_common_recv_msg(audit_context(), &ab,
+@@ -1364,7 +1366,7 @@ static int audit_receive_msg(struct sk_b
+ audit_log_end(ab);
+ return -EPERM;
+ }
+- err = audit_rule_change(msg_type, seq, data, nlmsg_len(nlh));
++ err = audit_rule_change(msg_type, seq, data, data_len);
+ break;
+ case AUDIT_LIST_RULES:
+ err = audit_list_rules_send(skb, seq);
+@@ -1379,7 +1381,7 @@ static int audit_receive_msg(struct sk_b
+ case AUDIT_MAKE_EQUIV: {
+ void *bufp = data;
+ u32 sizes[2];
+- size_t msglen = nlmsg_len(nlh);
++ size_t msglen = data_len;
+ char *old, *new;
+
+ err = -EINVAL;
+@@ -1455,7 +1457,7 @@ static int audit_receive_msg(struct sk_b
+
+ memset(&s, 0, sizeof(s));
+ /* guard against past and future API changes */
+- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
+ /* check if new data is valid */
+ if ((s.enabled != 0 && s.enabled != 1) ||
+ (s.log_passwd != 0 && s.log_passwd != 1))
--- /dev/null
+From 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Sat, 22 Feb 2020 20:36:47 -0500
+Subject: audit: fix error handling in audit_data_to_entry()
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb upstream.
+
+Commit 219ca39427bf ("audit: use union for audit_field values since
+they are mutually exclusive") combined a number of separate fields in
+the audit_field struct into a single union. Generally this worked
+just fine because they are generally mutually exclusive.
+Unfortunately in audit_data_to_entry() the overlap can be a problem
+when a specific error case is triggered that causes the error path
+code to attempt to cleanup an audit_field struct and the cleanup
+involves attempting to free a stored LSM string (the lsm_str field).
+Currently the code always has a non-NULL value in the
+audit_field.lsm_str field as the top of the for-loop transfers a
+value into audit_field.val (both .lsm_str and .val are part of the
+same union); if audit_data_to_entry() fails and the audit_field
+struct is specified to contain a LSM string, but the
+audit_field.lsm_str has not yet been properly set, the error handling
+code will attempt to free the bogus audit_field.lsm_str value that
+was set with audit_field.val at the top of the for-loop.
+
+This patch corrects this by ensuring that the audit_field.val is only
+set when needed (it is cleared when the audit_field struct is
+allocated with kcalloc()). It also corrects a few other issues to
+ensure that in case of error the proper error code is returned.
+
+Cc: stable@vger.kernel.org
+Fixes: 219ca39427bf ("audit: use union for audit_field values since they are mutually exclusive")
+Reported-by: syzbot+1f4d90ead370d72e450b@syzkaller.appspotmail.com
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/auditfilter.c | 71 ++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 39 insertions(+), 32 deletions(-)
+
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -456,6 +456,7 @@ static struct audit_entry *audit_data_to
+ bufp = data->buf;
+ for (i = 0; i < data->field_count; i++) {
+ struct audit_field *f = &entry->rule.fields[i];
++ u32 f_val;
+
+ err = -EINVAL;
+
+@@ -464,12 +465,12 @@ static struct audit_entry *audit_data_to
+ goto exit_free;
+
+ f->type = data->fields[i];
+- f->val = data->values[i];
++ f_val = data->values[i];
+
+ /* Support legacy tests for a valid loginuid */
+- if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
++ if ((f->type == AUDIT_LOGINUID) && (f_val == AUDIT_UID_UNSET)) {
+ f->type = AUDIT_LOGINUID_SET;
+- f->val = 0;
++ f_val = 0;
+ entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
+ }
+
+@@ -485,7 +486,7 @@ static struct audit_entry *audit_data_to
+ case AUDIT_SUID:
+ case AUDIT_FSUID:
+ case AUDIT_OBJ_UID:
+- f->uid = make_kuid(current_user_ns(), f->val);
++ f->uid = make_kuid(current_user_ns(), f_val);
+ if (!uid_valid(f->uid))
+ goto exit_free;
+ break;
+@@ -494,11 +495,12 @@ static struct audit_entry *audit_data_to
+ case AUDIT_SGID:
+ case AUDIT_FSGID:
+ case AUDIT_OBJ_GID:
+- f->gid = make_kgid(current_user_ns(), f->val);
++ f->gid = make_kgid(current_user_ns(), f_val);
+ if (!gid_valid(f->gid))
+ goto exit_free;
+ break;
+ case AUDIT_ARCH:
++ f->val = f_val;
+ entry->rule.arch_f = f;
+ break;
+ case AUDIT_SUBJ_USER:
+@@ -511,11 +513,13 @@ static struct audit_entry *audit_data_to
+ case AUDIT_OBJ_TYPE:
+ case AUDIT_OBJ_LEV_LOW:
+ case AUDIT_OBJ_LEV_HIGH:
+- str = audit_unpack_string(&bufp, &remain, f->val);
+- if (IS_ERR(str))
++ str = audit_unpack_string(&bufp, &remain, f_val);
++ if (IS_ERR(str)) {
++ err = PTR_ERR(str);
+ goto exit_free;
+- entry->rule.buflen += f->val;
+-
++ }
++ entry->rule.buflen += f_val;
++ f->lsm_str = str;
+ err = security_audit_rule_init(f->type, f->op, str,
+ (void **)&f->lsm_rule);
+ /* Keep currently invalid fields around in case they
+@@ -524,68 +528,71 @@ static struct audit_entry *audit_data_to
+ pr_warn("audit rule for LSM \'%s\' is invalid\n",
+ str);
+ err = 0;
+- }
+- if (err) {
+- kfree(str);
++ } else if (err)
+ goto exit_free;
+- } else
+- f->lsm_str = str;
+ break;
+ case AUDIT_WATCH:
+- str = audit_unpack_string(&bufp, &remain, f->val);
+- if (IS_ERR(str))
++ str = audit_unpack_string(&bufp, &remain, f_val);
++ if (IS_ERR(str)) {
++ err = PTR_ERR(str);
+ goto exit_free;
+- entry->rule.buflen += f->val;
+-
+- err = audit_to_watch(&entry->rule, str, f->val, f->op);
++ }
++ err = audit_to_watch(&entry->rule, str, f_val, f->op);
+ if (err) {
+ kfree(str);
+ goto exit_free;
+ }
++ entry->rule.buflen += f_val;
+ break;
+ case AUDIT_DIR:
+- str = audit_unpack_string(&bufp, &remain, f->val);
+- if (IS_ERR(str))
++ str = audit_unpack_string(&bufp, &remain, f_val);
++ if (IS_ERR(str)) {
++ err = PTR_ERR(str);
+ goto exit_free;
+- entry->rule.buflen += f->val;
+-
++ }
+ err = audit_make_tree(&entry->rule, str, f->op);
+ kfree(str);
+ if (err)
+ goto exit_free;
++ entry->rule.buflen += f_val;
+ break;
+ case AUDIT_INODE:
++ f->val = f_val;
+ err = audit_to_inode(&entry->rule, f);
+ if (err)
+ goto exit_free;
+ break;
+ case AUDIT_FILTERKEY:
+- if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
++ if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN)
+ goto exit_free;
+- str = audit_unpack_string(&bufp, &remain, f->val);
+- if (IS_ERR(str))
++ str = audit_unpack_string(&bufp, &remain, f_val);
++ if (IS_ERR(str)) {
++ err = PTR_ERR(str);
+ goto exit_free;
+- entry->rule.buflen += f->val;
++ }
++ entry->rule.buflen += f_val;
+ entry->rule.filterkey = str;
+ break;
+ case AUDIT_EXE:
+- if (entry->rule.exe || f->val > PATH_MAX)
++ if (entry->rule.exe || f_val > PATH_MAX)
+ goto exit_free;
+- str = audit_unpack_string(&bufp, &remain, f->val);
++ str = audit_unpack_string(&bufp, &remain, f_val);
+ if (IS_ERR(str)) {
+ err = PTR_ERR(str);
+ goto exit_free;
+ }
+- entry->rule.buflen += f->val;
+-
+- audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
++ audit_mark = audit_alloc_mark(&entry->rule, str, f_val);
+ if (IS_ERR(audit_mark)) {
+ kfree(str);
+ err = PTR_ERR(audit_mark);
+ goto exit_free;
+ }
++ entry->rule.buflen += f_val;
+ entry->rule.exe = audit_mark;
+ break;
++ default:
++ f->val = f_val;
++ break;
+ }
+ }
+
--- /dev/null
+From f5739cb0b56590d68d8df8a44659893b6d0084c3 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 26 Feb 2020 22:39:27 +0100
+Subject: cpufreq: Fix policy initialization for internal governor drivers
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit f5739cb0b56590d68d8df8a44659893b6d0084c3 upstream.
+
+Before commit 1e4f63aecb53 ("cpufreq: Avoid creating excessively
+large stack frames") the initial value of the policy field in struct
+cpufreq_policy set by the driver's ->init() callback was implicitly
+passed from cpufreq_init_policy() to cpufreq_set_policy() if the
+default governor was neither "performance" nor "powersave". After
+that commit, however, cpufreq_init_policy() must take that case into
+consideration explicitly and handle it as appropriate, so make that
+happen.
+
+Fixes: 1e4f63aecb53 ("cpufreq: Avoid creating excessively large stack frames")
+Link: https://lore.kernel.org/linux-pm/39fb762880c27da110086741315ca8b111d781cd.camel@gmail.com/
+Reported-by: Artem Bityutskiy <dedekind1@gmail.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1071,9 +1071,17 @@ static int cpufreq_init_policy(struct cp
+ pol = policy->last_policy;
+ } else if (def_gov) {
+ pol = cpufreq_parse_policy(def_gov->name);
+- } else {
+- return -ENODATA;
++ /*
++ * In case the default governor is neiter "performance"
++ * nor "powersave", fall back to the initial policy
++ * value set by the driver.
++ */
++ if (pol == CPUFREQ_POLICY_UNKNOWN)
++ pol = policy->policy;
+ }
++ if (pol != CPUFREQ_POLICY_PERFORMANCE &&
++ pol != CPUFREQ_POLICY_POWERSAVE)
++ return -ENODATA;
+ }
+
+ return cpufreq_set_policy(policy, gov, pol);
--- /dev/null
+From 8a3bddf67ce88b96531fb22c5a75d7f4dc41d155 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Sat, 22 Feb 2020 18:54:31 +0100
+Subject: drm/amdgpu: Drop DRIVER_USE_AGP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 8a3bddf67ce88b96531fb22c5a75d7f4dc41d155 upstream.
+
+This doesn't do anything except auto-init drm_agp support when you
+call drm_get_pci_dev(). Which amdgpu stopped doing with
+
+commit b58c11314a1706bf094c489ef5cb28f76478c704
+Author: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri Jun 2 17:16:31 2017 -0400
+
+ drm/amdgpu: drop deprecated drm_get_pci_dev and drm_put_dev
+
+No idea whether this was intentional or accidental breakage, but I
+guess anyone who manages to boot a this modern gpu behind an agp
+bridge deserves a price. A price I never expect anyone to ever collect
+:-)
+
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: "Christian König" <christian.koenig@amd.com>
+Cc: Hawking Zhang <Hawking.Zhang@amd.com>
+Cc: Xiaojie Yuan <xiaojie.yuan@amd.com>
+Cc: Evan Quan <evan.quan@amd.com>
+Cc: "Tianci.Yin" <tianci.yin@amd.com>
+Cc: "Marek Olšák" <marek.olsak@amd.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -1421,7 +1421,7 @@ amdgpu_get_crtc_scanout_position(struct
+
+ static struct drm_driver kms_driver = {
+ .driver_features =
+- DRIVER_USE_AGP | DRIVER_ATOMIC |
++ DRIVER_ATOMIC |
+ DRIVER_GEM |
+ DRIVER_RENDER | DRIVER_MODESET | DRIVER_SYNCOBJ,
+ .load = amdgpu_driver_load_kms,
--- /dev/null
+From eb12c957735b582607e5842a06d1f4c62e185c1d Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Sat, 22 Feb 2020 18:54:32 +0100
+Subject: drm/radeon: Inline drm_get_pci_dev
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit eb12c957735b582607e5842a06d1f4c62e185c1d upstream.
+
+It's the last user, and more importantly, it's the last non-legacy
+user of anything in drm_pci.c.
+
+The only tricky bit is the agp initialization. But a close look shows
+that radeon does not use the drm_agp midlayer (the main use of that is
+drm_bufs for legacy drivers), and instead could use the agp subsystem
+directly (like nouveau does already). Hence we can just pull this in
+too.
+
+A further step would be to entirely drop the use of drm_device->agp,
+but feels like too much churn just for this patch.
+
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: "Christian König" <christian.koenig@amd.com>
+Cc: "David (ChunMing) Zhou" <David1.Zhou@amd.com>
+Cc: amd-gfx@lists.freedesktop.org
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_drv.c | 43 ++++++++++++++++++++++++++++++++++--
+ drivers/gpu/drm/radeon/radeon_kms.c | 6 +++++
+ 2 files changed, 47 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_drv.c
++++ b/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -37,6 +37,7 @@
+ #include <linux/vga_switcheroo.h>
+ #include <linux/mmu_notifier.h>
+
++#include <drm/drm_agpsupport.h>
+ #include <drm/drm_crtc_helper.h>
+ #include <drm/drm_drv.h>
+ #include <drm/drm_fb_helper.h>
+@@ -325,6 +326,7 @@ static int radeon_pci_probe(struct pci_d
+ const struct pci_device_id *ent)
+ {
+ unsigned long flags = 0;
++ struct drm_device *dev;
+ int ret;
+
+ if (!ent)
+@@ -365,7 +367,44 @@ static int radeon_pci_probe(struct pci_d
+ if (ret)
+ return ret;
+
+- return drm_get_pci_dev(pdev, ent, &kms_driver);
++ dev = drm_dev_alloc(&kms_driver, &pdev->dev);
++ if (IS_ERR(dev))
++ return PTR_ERR(dev);
++
++ ret = pci_enable_device(pdev);
++ if (ret)
++ goto err_free;
++
++ dev->pdev = pdev;
++#ifdef __alpha__
++ dev->hose = pdev->sysdata;
++#endif
++
++ pci_set_drvdata(pdev, dev);
++
++ if (pci_find_capability(dev->pdev, PCI_CAP_ID_AGP))
++ dev->agp = drm_agp_init(dev);
++ if (dev->agp) {
++ dev->agp->agp_mtrr = arch_phys_wc_add(
++ dev->agp->agp_info.aper_base,
++ dev->agp->agp_info.aper_size *
++ 1024 * 1024);
++ }
++
++ ret = drm_dev_register(dev, ent->driver_data);
++ if (ret)
++ goto err_agp;
++
++ return 0;
++
++err_agp:
++ if (dev->agp)
++ arch_phys_wc_del(dev->agp->agp_mtrr);
++ kfree(dev->agp);
++ pci_disable_device(pdev);
++err_free:
++ drm_dev_put(dev);
++ return ret;
+ }
+
+ static void
+@@ -578,7 +617,7 @@ radeon_get_crtc_scanout_position(struct
+
+ static struct drm_driver kms_driver = {
+ .driver_features =
+- DRIVER_USE_AGP | DRIVER_GEM | DRIVER_RENDER,
++ DRIVER_GEM | DRIVER_RENDER,
+ .load = radeon_driver_load_kms,
+ .open = radeon_driver_open_kms,
+ .postclose = radeon_driver_postclose_kms,
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -31,6 +31,7 @@
+ #include <linux/uaccess.h>
+ #include <linux/vga_switcheroo.h>
+
++#include <drm/drm_agpsupport.h>
+ #include <drm/drm_fb_helper.h>
+ #include <drm/drm_file.h>
+ #include <drm/drm_ioctl.h>
+@@ -77,6 +78,11 @@ void radeon_driver_unload_kms(struct drm
+ radeon_modeset_fini(rdev);
+ radeon_device_fini(rdev);
+
++ if (dev->agp)
++ arch_phys_wc_del(dev->agp->agp_mtrr);
++ kfree(dev->agp);
++ dev->agp = NULL;
++
+ done_free:
+ kfree(rdev);
+ dev->dev_private = NULL;
--- /dev/null
+From 37b0b6b8b99c0e1c1f11abbe7cf49b6d03795b3f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 28 Feb 2020 12:22:56 +0300
+Subject: ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 37b0b6b8b99c0e1c1f11abbe7cf49b6d03795b3f upstream.
+
+If sbi->s_flex_groups_allocated is zero and the first allocation fails
+then this code will crash. The problem is that "i--" will set "i" to
+-1 but when we compare "i >= sbi->s_flex_groups_allocated" then the -1
+is type promoted to unsigned and becomes UINT_MAX. Since UINT_MAX
+is more than zero, the condition is true so we call kvfree(new_groups[-1]).
+The loop will carry on freeing invalid memory until it crashes.
+
+Fixes: 7c990728b99e ("ext4: fix potential race between s_flex_groups online resizing and access")
+Reviewed-by: Suraj Jitindar Singh <surajjs@amazon.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20200228092142.7irbc44yaz3by7nb@kili.mountain
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2343,7 +2343,7 @@ int ext4_alloc_flex_bg_array(struct supe
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct flex_groups **old_groups, **new_groups;
+- int size, i;
++ int size, i, j;
+
+ if (!sbi->s_log_groups_per_flex)
+ return 0;
+@@ -2364,8 +2364,8 @@ int ext4_alloc_flex_bg_array(struct supe
+ sizeof(struct flex_groups)),
+ GFP_KERNEL);
+ if (!new_groups[i]) {
+- for (i--; i >= sbi->s_flex_groups_allocated; i--)
+- kvfree(new_groups[i]);
++ for (j = sbi->s_flex_groups_allocated; j < i; j++)
++ kvfree(new_groups[j]);
+ kvfree(new_groups);
+ ext4_msg(sb, KERN_ERR,
+ "not enough memory for %d flex groups", size);
--- /dev/null
+From 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f Mon Sep 17 00:00:00 2001
+From: Johan Korsnes <jkorsnes@cisco.com>
+Date: Fri, 17 Jan 2020 13:08:35 +0100
+Subject: HID: core: fix off-by-one memset in hid_report_raw_event()
+
+From: Johan Korsnes <jkorsnes@cisco.com>
+
+commit 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f upstream.
+
+In case a report is greater than HID_MAX_BUFFER_SIZE, it is truncated,
+but the report-number byte is not correctly handled. This results in a
+off-by-one in the following memset, causing a kernel Oops and ensuing
+system crash.
+
+Note: With commit 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in
+hid_field_extract") I no longer hit the kernel Oops as we instead fail
+"controlled" at probe if there is a report too long in the HID
+report-descriptor. hid_report_raw_event() is an exported symbol, so
+presumabely we cannot always rely on this being the case.
+
+Fixes: 966922f26c7f ("HID: fix a crash in hid_report_raw_event()
+ function.")
+Signed-off-by: Johan Korsnes <jkorsnes@cisco.com>
+Cc: Armando Visconti <armando.visconti@st.com>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1741,7 +1741,9 @@ int hid_report_raw_event(struct hid_devi
+
+ rsize = ((report->size - 1) >> 3) + 1;
+
+- if (rsize > HID_MAX_BUFFER_SIZE)
++ if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
++ rsize = HID_MAX_BUFFER_SIZE - 1;
++ else if (rsize > HID_MAX_BUFFER_SIZE)
+ rsize = HID_MAX_BUFFER_SIZE;
+
+ if (csize < rsize) {
--- /dev/null
+From 84a4062632462c4320704fcdf8e99e89e94c0aba Mon Sep 17 00:00:00 2001
+From: Johan Korsnes <jkorsnes@cisco.com>
+Date: Fri, 17 Jan 2020 13:08:36 +0100
+Subject: HID: core: increase HID report buffer size to 8KiB
+
+From: Johan Korsnes <jkorsnes@cisco.com>
+
+commit 84a4062632462c4320704fcdf8e99e89e94c0aba upstream.
+
+We have a HID touch device that reports its opens and shorts test
+results in HID buffers of size 8184 bytes. The maximum size of the HID
+buffer is currently set to 4096 bytes, causing probe of this device to
+fail. With this patch we increase the maximum size of the HID buffer to
+8192 bytes, making device probe and acquisition of said buffers succeed.
+
+Signed-off-by: Johan Korsnes <jkorsnes@cisco.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Armando Visconti <armando.visconti@st.com>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/hid.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -492,7 +492,7 @@ struct hid_report_enum {
+ };
+
+ #define HID_MIN_BUFFER_SIZE 64 /* make sure there is at least a packet size of space */
+-#define HID_MAX_BUFFER_SIZE 4096 /* 4kb */
++#define HID_MAX_BUFFER_SIZE 8192 /* 8kb */
+ #define HID_CONTROL_FIFO_SIZE 256 /* to init devices with >100 reports */
+ #define HID_OUTPUT_FIFO_SIZE 64
+
--- /dev/null
+From beae56192a2570578ae45050e73c5ff9254f63e6 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 1 Feb 2020 12:56:48 +0100
+Subject: HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit beae56192a2570578ae45050e73c5ff9254f63e6 upstream.
+
+Commit 8f18eca9ebc5 ("HID: ite: Add USB id match for Acer SW5-012 keyboard
+dock") added the USB id for the Acer SW5-012's keyboard dock to the
+hid-ite driver to fix the rfkill driver not working.
+
+Most keyboard docks with an ITE 8595 keyboard/touchpad controller have the
+"Wireless Radio Control" bits which need the special hid-ite driver on the
+second USB interface (the mouse interface) and their touchpad only supports
+mouse emulation, so using generic hid-input handling for anything but
+the "Wireless Radio Control" bits is fine. On these devices we simply bind
+to all USB interfaces.
+
+But unlike other ITE8595 using keyboard docks, the Acer Aspire Switch 10
+(SW5-012)'s touchpad not only does mouse emulation it also supports
+HID-multitouch and all the keys including the "Wireless Radio Control"
+bits have been moved to the first USB interface (the keyboard intf).
+
+So we need hid-ite to handle the first (keyboard) USB interface and have
+it NOT bind to the second (mouse) USB interface so that that can be
+handled by hid-multitouch.c and we get proper multi-touch support.
+
+This commit changes the hid_device_id for the SW5-012 keyboard dock to
+only match on hid devices from the HID_GROUP_GENERIC group, this way
+hid-ite will not bind the the mouse/multi-touch interface which has
+HID_GROUP_MULTITOUCH_WIN_8 as group.
+This fixes the regression to mouse-emulation mode introduced by adding
+the keyboard dock USB id.
+
+Cc: stable@vger.kernel.org
+Fixes: 8f18eca9ebc5 ("HID: ite: Add USB id match for Acer SW5-012 keyboard dock")
+Reported-by: Zdeněk Rampas <zdenda.rampas@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ite.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-ite.c
++++ b/drivers/hid/hid-ite.c
+@@ -41,8 +41,9 @@ static const struct hid_device_id ite_de
+ { HID_USB_DEVICE(USB_VENDOR_ID_ITE, USB_DEVICE_ID_ITE8595) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_258A, USB_DEVICE_ID_258A_6A88) },
+ /* ITE8595 USB kbd ctlr, with Synaptics touchpad connected to it. */
+- { HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS,
+- USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) },
++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++ USB_VENDOR_ID_SYNAPTICS,
++ USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, ite_devices);
--- /dev/null
+From d876836204897b6d7d911f942084f69a1e9d5c4d Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 27 Feb 2020 14:17:49 -0700
+Subject: io_uring: fix 32-bit compatability with sendmsg/recvmsg
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit d876836204897b6d7d911f942084f69a1e9d5c4d upstream.
+
+We must set MSG_CMSG_COMPAT if we're in compatability mode, otherwise
+the iovec import for these commands will not do the right thing and fail
+the command with -EINVAL.
+
+Found by running the test suite compiled as 32-bit.
+
+Cc: stable@vger.kernel.org
+Fixes: aa1fa28fc73e ("io_uring: add support for recvmsg()")
+Fixes: 0fa03c624d8f ("io_uring: add support for sendmsg()")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/io_uring.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1657,6 +1657,11 @@ static int io_send_recvmsg(struct io_kio
+ else if (force_nonblock)
+ flags |= MSG_DONTWAIT;
+
++#ifdef CONFIG_COMPAT
++ if (req->ctx->compat)
++ flags |= MSG_CMSG_COMPAT;
++#endif
++
+ msg = (struct user_msghdr __user *) (unsigned long)
+ READ_ONCE(sqe->addr);
+
--- /dev/null
+From 86f7e90ce840aa1db407d3ea6e9b3a52b2ce923c Mon Sep 17 00:00:00 2001
+From: Oliver Upton <oupton@google.com>
+Date: Sat, 29 Feb 2020 11:30:14 -0800
+Subject: KVM: VMX: check descriptor table exits on instruction emulation
+
+From: Oliver Upton <oupton@google.com>
+
+commit 86f7e90ce840aa1db407d3ea6e9b3a52b2ce923c upstream.
+
+KVM emulates UMIP on hardware that doesn't support it by setting the
+'descriptor table exiting' VM-execution control and performing
+instruction emulation. When running nested, this emulation is broken as
+KVM refuses to emulate L2 instructions by default.
+
+Correct this regression by allowing the emulation of descriptor table
+instructions if L1 hasn't requested 'descriptor table exiting'.
+
+Fixes: 07721feee46b ("KVM: nVMX: Don't emulate instructions in guest mode")
+Reported-by: Jan Kiszka <jan.kiszka@web.de>
+Cc: stable@vger.kernel.org
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Jim Mattson <jmattson@google.com>
+Signed-off-by: Oliver Upton <oupton@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx/vmx.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -7165,6 +7165,7 @@ static int vmx_check_intercept_io(struct
+ else
+ intercept = nested_vmx_check_io_bitmaps(vcpu, port, size);
+
++ /* FIXME: produce nested vmexit and return X86EMUL_INTERCEPTED. */
+ return intercept ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE;
+ }
+
+@@ -7194,6 +7195,20 @@ static int vmx_check_intercept(struct kv
+ case x86_intercept_outs:
+ return vmx_check_intercept_io(vcpu, info);
+
++ case x86_intercept_lgdt:
++ case x86_intercept_lidt:
++ case x86_intercept_lldt:
++ case x86_intercept_ltr:
++ case x86_intercept_sgdt:
++ case x86_intercept_sidt:
++ case x86_intercept_sldt:
++ case x86_intercept_str:
++ if (!nested_cpu_has2(vmcs12, SECONDARY_EXEC_DESC))
++ return X86EMUL_CONTINUE;
++
++ /* FIXME: produce nested vmexit and return X86EMUL_INTERCEPTED. */
++ break;
++
+ /* TODO: check more intercepts... */
+ default:
+ break;
--- /dev/null
+From 38b17afb0ebb9ecd41418d3c08bcf9198af4349d Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa@the-dreams.de>
+Date: Tue, 25 Feb 2020 15:12:29 +0100
+Subject: macintosh: therm_windtunnel: fix regression when instantiating devices
+
+From: Wolfram Sang <wsa@the-dreams.de>
+
+commit 38b17afb0ebb9ecd41418d3c08bcf9198af4349d upstream.
+
+Removing attach_adapter from this driver caused a regression for at
+least some machines. Those machines had the sensors described in their
+DT, too, so they didn't need manual creation of the sensor devices. The
+old code worked, though, because manual creation came first. Creation of
+DT devices then failed later and caused error logs, but the sensors
+worked nonetheless because of the manually created devices.
+
+When removing attach_adaper, manual creation now comes later and loses
+the race. The sensor devices were already registered via DT, yet with
+another binding, so the driver could not be bound to it.
+
+This fix refactors the code to remove the race and only manually creates
+devices if there are no DT nodes present. Also, the DT binding is updated
+to match both, the DT and manually created devices. Because we don't
+know which device creation will be used at runtime, the code to start
+the kthread is moved to do_probe() which will be called by both methods.
+
+Fixes: 3e7bed52719d ("macintosh: therm_windtunnel: drop using attach_adapter")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=201723
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Tested-by: Erhard Furtner <erhard_f@mailbox.org>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org # v4.19+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/macintosh/therm_windtunnel.c | 52 ++++++++++++++++++++---------------
+ 1 file changed, 31 insertions(+), 21 deletions(-)
+
+--- a/drivers/macintosh/therm_windtunnel.c
++++ b/drivers/macintosh/therm_windtunnel.c
+@@ -300,9 +300,11 @@ static int control_loop(void *dummy)
+ /* i2c probing and setup */
+ /************************************************************************/
+
+-static int
+-do_attach( struct i2c_adapter *adapter )
++static void do_attach(struct i2c_adapter *adapter)
+ {
++ struct i2c_board_info info = { };
++ struct device_node *np;
++
+ /* scan 0x48-0x4f (DS1775) and 0x2c-2x2f (ADM1030) */
+ static const unsigned short scan_ds1775[] = {
+ 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+@@ -313,25 +315,24 @@ do_attach( struct i2c_adapter *adapter )
+ I2C_CLIENT_END
+ };
+
+- if( strncmp(adapter->name, "uni-n", 5) )
+- return 0;
+-
+- if( !x.running ) {
+- struct i2c_board_info info;
++ if (x.running || strncmp(adapter->name, "uni-n", 5))
++ return;
+
+- memset(&info, 0, sizeof(struct i2c_board_info));
+- strlcpy(info.type, "therm_ds1775", I2C_NAME_SIZE);
++ np = of_find_compatible_node(adapter->dev.of_node, NULL, "MAC,ds1775");
++ if (np) {
++ of_node_put(np);
++ } else {
++ strlcpy(info.type, "MAC,ds1775", I2C_NAME_SIZE);
+ i2c_new_probed_device(adapter, &info, scan_ds1775, NULL);
++ }
+
+- strlcpy(info.type, "therm_adm1030", I2C_NAME_SIZE);
++ np = of_find_compatible_node(adapter->dev.of_node, NULL, "MAC,adm1030");
++ if (np) {
++ of_node_put(np);
++ } else {
++ strlcpy(info.type, "MAC,adm1030", I2C_NAME_SIZE);
+ i2c_new_probed_device(adapter, &info, scan_adm1030, NULL);
+-
+- if( x.thermostat && x.fan ) {
+- x.running = 1;
+- x.poll_task = kthread_run(control_loop, NULL, "g4fand");
+- }
+ }
+- return 0;
+ }
+
+ static int
+@@ -404,8 +405,8 @@ out:
+ enum chip { ds1775, adm1030 };
+
+ static const struct i2c_device_id therm_windtunnel_id[] = {
+- { "therm_ds1775", ds1775 },
+- { "therm_adm1030", adm1030 },
++ { "MAC,ds1775", ds1775 },
++ { "MAC,adm1030", adm1030 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(i2c, therm_windtunnel_id);
+@@ -414,6 +415,7 @@ static int
+ do_probe(struct i2c_client *cl, const struct i2c_device_id *id)
+ {
+ struct i2c_adapter *adapter = cl->adapter;
++ int ret = 0;
+
+ if( !i2c_check_functionality(adapter, I2C_FUNC_SMBUS_WORD_DATA
+ | I2C_FUNC_SMBUS_WRITE_BYTE) )
+@@ -421,11 +423,19 @@ do_probe(struct i2c_client *cl, const st
+
+ switch (id->driver_data) {
+ case adm1030:
+- return attach_fan( cl );
++ ret = attach_fan(cl);
++ break;
+ case ds1775:
+- return attach_thermostat(cl);
++ ret = attach_thermostat(cl);
++ break;
+ }
+- return 0;
++
++ if (!x.running && x.thermostat && x.fan) {
++ x.running = 1;
++ x.poll_task = kthread_run(control_loop, NULL, "g4fand");
++ }
++
++ return ret;
+ }
+
+ static struct i2c_driver g4fan_driver = {
--- /dev/null
+From 66d0e797bf095d407479c89952d42b1d96ef0a7f Mon Sep 17 00:00:00 2001
+From: Orson Zhai <orson.unisoc@gmail.com>
+Date: Fri, 21 Feb 2020 01:37:04 +0800
+Subject: Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs"
+
+From: Orson Zhai <orson.unisoc@gmail.com>
+
+commit 66d0e797bf095d407479c89952d42b1d96ef0a7f upstream.
+
+This reverts commit 4585fbcb5331fc910b7e553ad3efd0dd7b320d14.
+
+The name changing as devfreq(X) breaks some user space applications,
+such as Android HAL from Unisoc and Hikey [1].
+The device name will be changed unexpectly after every boot depending
+on module init sequence. It will make trouble to setup some system
+configuration like selinux for Android.
+
+So we'd like to revert it back to old naming rule before any better
+way being found.
+
+[1] https://lkml.org/lkml/2018/5/8/1042
+
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Orson Zhai <orson.unisoc@gmail.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/devfreq/devfreq.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -613,7 +613,6 @@ struct devfreq *devfreq_add_device(struc
+ {
+ struct devfreq *devfreq;
+ struct devfreq_governor *governor;
+- static atomic_t devfreq_no = ATOMIC_INIT(-1);
+ int err = 0;
+
+ if (!dev || !profile || !governor_name) {
+@@ -677,8 +676,7 @@ struct devfreq *devfreq_add_device(struc
+ devfreq->suspend_freq = dev_pm_opp_get_suspend_opp_freq(dev);
+ atomic_set(&devfreq->suspend_count, 0);
+
+- dev_set_name(&devfreq->dev, "devfreq%d",
+- atomic_inc_return(&devfreq_no));
++ dev_set_name(&devfreq->dev, "%s", dev_name(dev));
+ err = device_register(&devfreq->dev);
+ if (err) {
+ mutex_unlock(&devfreq->lock);
nvme-tcp-fix-bug-on-double-requeue-when-send-fails.patch
nvme-prevent-warning-triggered-by-nvme_stop_keep_ali.patch
nvme-pci-move-cqe-check-after-device-shutdown.patch
+ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch
+audit-fix-error-handling-in-audit_data_to_entry.patch
+audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch
+acpica-introduce-acpi_access_byte_width-macro.patch
+acpi-watchdog-fix-gas-access_width-usage.patch
+kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch
+hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch
+hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch
+hid-core-increase-hid-report-buffer-size-to-8kib.patch
+drm-amdgpu-drop-driver_use_agp.patch
+drm-radeon-inline-drm_get_pci_dev.patch
+macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch
+tracing-disable-trace_printk-on-post-poned-tests.patch
+revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch
+amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch
+cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch
+io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch
--- /dev/null
+From 78041c0c9e935d9ce4086feeff6c569ed88ddfd4 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 20 Feb 2020 15:38:01 -0500
+Subject: tracing: Disable trace_printk() on post poned tests
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 78041c0c9e935d9ce4086feeff6c569ed88ddfd4 upstream.
+
+The tracing seftests checks various aspects of the tracing infrastructure,
+and one is filtering. If trace_printk() is active during a self test, it can
+cause the filtering to fail, which will disable that part of the trace.
+
+To keep the selftests from failing because of trace_printk() calls,
+trace_printk() checks the variable tracing_selftest_running, and if set, it
+does not write to the tracing buffer.
+
+As some tracers were registered earlier in boot, the selftest they triggered
+would fail because not all the infrastructure was set up for the full
+selftest. Thus, some of the tests were post poned to when their
+infrastructure was ready (namely file system code). The postpone code did
+not set the tracing_seftest_running variable, and could fail if a
+trace_printk() was added and executed during their run.
+
+Cc: stable@vger.kernel.org
+Fixes: 9afecfbb95198 ("tracing: Postpone tracer start-up tests till the system is more robust")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1743,6 +1743,7 @@ static __init int init_trace_selftests(v
+
+ pr_info("Running postponed tracer tests:\n");
+
++ tracing_selftest_running = true;
+ list_for_each_entry_safe(p, n, &postponed_selftests, list) {
+ /* This loop can take minutes when sanitizers are enabled, so
+ * lets make sure we allow RCU processing.
+@@ -1765,6 +1766,7 @@ static __init int init_trace_selftests(v
+ list_del(&p->list);
+ kfree(p);
+ }
++ tracing_selftest_running = false;
+
+ out:
+ mutex_unlock(&trace_types_lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
