--- /dev/null
+From 2ca371d847511f97ef991ef612a2ce805489840e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Rekowski?= <p.rekowski@gmail.com>
+Date: Mon, 19 Aug 2019 22:40:07 +0200
+Subject: ALSA: hda/ca0132 - Add new SBZ quirk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paweł Rekowski <p.rekowski@gmail.com>
+
+commit 2ca371d847511f97ef991ef612a2ce805489840e upstream.
+
+This patch adds a new PCI subsys ID for the SBZ, as found and tested by
+me and some reddit users.
+
+Link: https://lore.kernel.org/lkml/20190819204008.14426-1-p.rekowski@gmail.com
+Signed-off-by: Paweł Rekowski <p.rekowski@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_ca0132.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -1175,6 +1175,7 @@ static const struct snd_pci_quirk ca0132
+ SND_PCI_QUIRK(0x1028, 0x0708, "Alienware 15 R2 2016", QUIRK_ALIENWARE),
+ SND_PCI_QUIRK(0x1102, 0x0010, "Sound Blaster Z", QUIRK_SBZ),
+ SND_PCI_QUIRK(0x1102, 0x0023, "Sound Blaster Z", QUIRK_SBZ),
++ SND_PCI_QUIRK(0x1102, 0x0027, "Sound Blaster Z", QUIRK_SBZ),
+ SND_PCI_QUIRK(0x1102, 0x0033, "Sound Blaster ZxR", QUIRK_SBZ),
+ SND_PCI_QUIRK(0x1458, 0xA016, "Recon3Di", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x1458, 0xA026, "Gigabyte G1.Sniper Z97", QUIRK_R3DI),
--- /dev/null
+From f9ef724d4896763479f3921afd1ee61552fc9836 Mon Sep 17 00:00:00 2001
+From: Jeronimo Borque <jeronimo@borque.com.ar>
+Date: Sun, 18 Aug 2019 22:35:38 -0300
+Subject: ALSA: hda - Fixes inverted Conexant GPIO mic mute led
+
+From: Jeronimo Borque <jeronimo@borque.com.ar>
+
+commit f9ef724d4896763479f3921afd1ee61552fc9836 upstream.
+
+"enabled" parameter historically referred to the device input or
+output, not to the led indicator. After the changes added with the led
+helper functions the mic mute led logic refers to the led and not to
+the mic input which caused led indicator to be negated.
+Fixing logic in cxt_update_gpio_led and updated
+cxt_fixup_gpio_mute_hook
+Also updated debug messages to ease further debugging if necessary.
+
+Fixes: 184e302b46c9 ("ALSA: hda/conexant - Use the mic-mute LED helper")
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jeronimo Borque <jeronimo@borque.com.ar>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -611,18 +611,20 @@ static void cxt_fixup_hp_gate_mic_jack(s
+
+ /* update LED status via GPIO */
+ static void cxt_update_gpio_led(struct hda_codec *codec, unsigned int mask,
+- bool enabled)
++ bool led_on)
+ {
+ struct conexant_spec *spec = codec->spec;
+ unsigned int oldval = spec->gpio_led;
+
+ if (spec->mute_led_polarity)
+- enabled = !enabled;
++ led_on = !led_on;
+
+- if (enabled)
+- spec->gpio_led &= ~mask;
+- else
++ if (led_on)
+ spec->gpio_led |= mask;
++ else
++ spec->gpio_led &= ~mask;
++ codec_dbg(codec, "mask:%d enabled:%d gpio_led:%d\n",
++ mask, led_on, spec->gpio_led);
+ if (spec->gpio_led != oldval)
+ snd_hda_codec_write(codec, 0x01, 0, AC_VERB_SET_GPIO_DATA,
+ spec->gpio_led);
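Review bot: The new codec_dbg() in cxt_update_gpio_led() still labels its second value `enabled:` although it now prints `led_on`, and it prints that value after the polarity inversion, so the log can mislead when `mute_led_polarity` is set. `mask` is an `unsigned int` bit mask and `gpio_led` appears to be one as well, so hex is easier to read than `%d`. I would write `codec_dbg(codec, "mask:%x led_on:%d gpio_led:%x\n", mask, led_on, spec->gpio_led);`.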
+@@ -633,8 +635,8 @@ static void cxt_fixup_gpio_mute_hook(voi
+ {
+ struct hda_codec *codec = private_data;
+ struct conexant_spec *spec = codec->spec;
+-
+- cxt_update_gpio_led(codec, spec->gpio_mute_led_mask, enabled);
++ /* muted -> LED on */
++ cxt_update_gpio_led(codec, spec->gpio_mute_led_mask, !enabled);
+ }
+
+ /* turn on/off mic-mute LED via GPIO per capture hook */
+@@ -656,7 +658,6 @@ static void cxt_fixup_mute_led_gpio(stru
+ { 0x01, AC_VERB_SET_GPIO_DIRECTION, 0x03 },
+ {}
+ };
+- codec_info(codec, "action: %d gpio_led: %d\n", action, spec->gpio_led);
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+ spec->gen.vmaster_mute.hook = cxt_fixup_gpio_mute_hook;
--- /dev/null
+From 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 21 Aug 2019 20:00:02 +0200
+Subject: ALSA: line6: Fix memory leak at line6_init_pcm() error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 upstream.
+
+I forgot to release the allocated object at the early error path in
+line6_init_pcm(). For addressing it, slightly shuffle the code so
+that the PCM destructor (pcm->private_free) is assigned properly
+before all error paths.
+
+Fixes: 3450121997ce ("ALSA: line6: Fix write on zero-sized buffer")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/pcm.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -550,6 +550,15 @@ int line6_init_pcm(struct usb_line6 *lin
+ line6pcm->volume_monitor = 255;
+ line6pcm->line6 = line6;
+
++ spin_lock_init(&line6pcm->out.lock);
++ spin_lock_init(&line6pcm->in.lock);
++ line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD;
++
++ line6->line6pcm = line6pcm;
++
++ pcm->private_data = line6pcm;
++ pcm->private_free = line6_cleanup_pcm;
++
+ line6pcm->max_packet_size_in =
+ usb_maxpacket(line6->usbdev,
+ usb_rcvisocpipe(line6->usbdev, ep_read), 0);
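Review bot: Moving `pcm->private_free = line6_cleanup_pcm;` and `line6->line6pcm = line6pcm;` above the packet-size check means the destructor can now run on an object whose URBs and buffers were never created, and `line6->line6pcm` is published before validation has passed. line6_cleanup_pcm() is not in this hunk, so it is worth confirming that it tolerates the partially initialised state and that nothing dereferences `line6->line6pcm` after the `-EINVAL` return. A short comment above the moved block would record the ordering requirement, for example `/* set the destructor first so every error return below frees line6pcm */`. The body of line6_init_pcm() starts and ends outside the hunk.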
+@@ -562,15 +571,6 @@ int line6_init_pcm(struct usb_line6 *lin
+ return -EINVAL;
+ }
+
+- spin_lock_init(&line6pcm->out.lock);
+- spin_lock_init(&line6pcm->in.lock);
+- line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD;
+-
+- line6->line6pcm = line6pcm;
+-
+- pcm->private_data = line6pcm;
+- pcm->private_free = line6_cleanup_pcm;
+-
+ err = line6_create_audio_out_urbs(line6pcm);
+ if (err < 0)
+ return err;
--- /dev/null
+From 75545304eba6a3d282f923b96a466dc25a81e359 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 25 Aug 2019 09:21:44 +0200
+Subject: ALSA: seq: Fix potential concurrent access to the deleted pool
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 75545304eba6a3d282f923b96a466dc25a81e359 upstream.
+
+The input pool of a client might be deleted via the resize ioctl, the
+the access to it should be covered by the proper locks. Currently the
+only missing place is the call in snd_seq_ioctl_get_client_pool(), and
+this patch papers over it.
+
+Reported-by: syzbot+4a75454b9ca2777f35c7@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c | 3 +--
+ sound/core/seq/seq_fifo.c | 17 +++++++++++++++++
+ sound/core/seq/seq_fifo.h | 2 ++
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1835,8 +1835,7 @@ static int snd_seq_ioctl_get_client_pool
+ if (cptr->type == USER_CLIENT) {
+ info->input_pool = cptr->data.user.fifo_pool_size;
+ info->input_free = info->input_pool;
+- if (cptr->data.user.fifo)
+- info->input_free = snd_seq_unused_cells(cptr->data.user.fifo->pool);
++ info->input_free = snd_seq_fifo_unused_cells(cptr->data.user.fifo);
+ } else {
+ info->input_pool = 0;
+ info->input_free = 0;
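Review bot: The context line `info->input_free = info->input_pool;` is now a dead store, because the new unconditional assignment from snd_seq_fifo_unused_cells() overwrites it on the next line. This also changes the value reported for a user client with no fifo: the helper returns 0 for a NULL fifo, where the old code reported `input_pool`. If the old value is the intended one, keep the guard, `if (cptr->data.user.fifo) info->input_free = snd_seq_fifo_unused_cells(cptr->data.user.fifo);`, otherwise drop the dead assignment. The enclosing function starts and ends outside the hunk.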
+--- a/sound/core/seq/seq_fifo.c
++++ b/sound/core/seq/seq_fifo.c
+@@ -263,3 +263,20 @@ int snd_seq_fifo_resize(struct snd_seq_f
+
+ return 0;
+ }
++
++/* get the number of unused cells safely */
++int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f)
++{
++ unsigned long flags;
++ int cells;
++
++ if (!f)
++ return 0;
++
++ snd_use_lock_use(&f->use_lock);
++ spin_lock_irqsave(&f->lock, flags);
++ cells = snd_seq_unused_cells(f->pool);
++ spin_unlock_irqrestore(&f->lock, flags);
++ snd_use_lock_free(&f->use_lock);
++ return cells;
++}
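Review bot: The comment `get the number of unused cells safely` on snd_seq_fifo_unused_cells() does not say what the access is safe against. The helper reads `f->pool` while holding `f->use_lock` and `f->lock`, which is only sufficient if the resize path replaces `f->pool` under the same spinlock; snd_seq_fifo_resize() is outside this hunk, so that should be checked. I would expand the comment to something like `/* read the unused-cell count under f->lock so a concurrent snd_seq_fifo_resize() cannot free the pool while we look at it */`.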
+--- a/sound/core/seq/seq_fifo.h
++++ b/sound/core/seq/seq_fifo.h
+@@ -53,5 +53,7 @@ int snd_seq_fifo_poll_wait(struct snd_se
+ /* resize pool in fifo */
+ int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize);
+
++/* get the number of unused cells safely */
++int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f);
+
+ #endif
--- /dev/null
+From 1a15718b41df026cffd0e42cfdc38a1384ce19f9 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 20 Aug 2019 08:58:12 +0200
+Subject: ALSA: usb-audio: Add implicit fb quirk for Behringer UFX1604
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1a15718b41df026cffd0e42cfdc38a1384ce19f9 upstream.
+
+Behringer UFX1604 requires the similar quirk to apply implicit fb like
+another Behringer model UFX1204 in order to fix the noisy playback.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204631
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -339,6 +339,7 @@ static int set_sync_ep_implicit_fb_quirk
+ ep = 0x81;
+ ifnum = 2;
+ goto add_sync_ep_from_ifnum;
++ case USB_ID(0x1397, 0x0001): /* Behringer UFX1604 */
+ case USB_ID(0x1397, 0x0002): /* Behringer UFX1204 */
+ ep = 0x81;
+ ifnum = 1;
--- /dev/null
+From f9f0e9ed350e15d51ad07364b4cf910de50c472a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 20 Aug 2019 21:43:42 +0200
+Subject: ALSA: usb-audio: Check mixer unit bitmap yet more strictly
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f9f0e9ed350e15d51ad07364b4cf910de50c472a upstream.
+
+The bmControls (for UAC1) or bmMixerControls (for UAC2/3) bitmap has a
+variable size depending on both input and output pins. Its size is to
+fit with input * output bits. The problem is that the input size
+can't be determined simply from the unit descriptor itself but it
+needs to parse the whole connected sources. Although the
+uac_mixer_unit_get_channels() tries to check some possible overflow of
+this bitmap, it's incomplete due to the lack of the evaluation of
+input pins.
+
+For covering possible overflows, this patch adds the bitmap overflow
+check in the loop of input pins in parse_audio_mixer_unit().
+
+Fixes: 0bfe5e434e66 ("ALSA: usb-audio: Check mixer unit descriptors more strictly")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -739,7 +739,6 @@ static int uac_mixer_unit_get_channels(s
+ struct uac_mixer_unit_descriptor *desc)
+ {
+ int mu_channels;
+- void *c;
+
+ if (desc->bLength < sizeof(*desc))
+ return -EINVAL;
+@@ -762,13 +761,6 @@ static int uac_mixer_unit_get_channels(s
+ break;
+ }
+
+- if (!mu_channels)
+- return 0;
+-
+- c = uac_mixer_unit_bmControls(desc, state->mixer->protocol);
+- if (c - (void *)desc + (mu_channels - 1) / 8 >= desc->bLength)
+- return 0; /* no bmControls -> skip */
+-
+ return mu_channels;
+ }
+
+@@ -2009,6 +2001,31 @@ static int parse_audio_feature_unit(stru
+ * Mixer Unit
+ */
+
++/* check whether the given in/out overflows bmMixerControls matrix */
++static bool mixer_bitmap_overflow(struct uac_mixer_unit_descriptor *desc,
++ int protocol, int num_ins, int num_outs)
++{
++ u8 *hdr = (u8 *)desc;
++ u8 *c = uac_mixer_unit_bmControls(desc, protocol);
++ size_t rest; /* remaining bytes after bmMixerControls */
++
++ switch (protocol) {
++ case UAC_VERSION_1:
++ default:
++ rest = 1; /* iMixer */
++ break;
++ case UAC_VERSION_2:
++ rest = 2; /* bmControls + iMixer */
++ break;
++ case UAC_VERSION_3:
++ rest = 6; /* bmControls + wMixerDescrStr */
++ break;
++ }
++
++ /* overflow? */
++ return c + (num_ins * num_outs + 7) / 8 + rest > hdr + hdr[0];
++}
++
+ /*
+ * build a mixer unit control
+ *
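Review bot: mixer_bitmap_overflow() does its size arithmetic in signed `int`: `(num_ins * num_outs + 7) / 8` uses counts that come from device-supplied descriptors. If either count could ever be zero or negative at the call site, the computed offset would shrink or go backwards and the bounds test would pass. The callers' validation of `num_outs` is not visible here, so I would make the helper robust on its own by rejecting non-positive counts, `if (num_ins <= 0 || num_outs <= 0) return true;`, or by taking unsigned parameters. The header comment could also state that the bound is `bLength`, which the code reads as `hdr[0]`.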
+@@ -2137,6 +2154,9 @@ static int parse_audio_mixer_unit(struct
+ if (err < 0)
+ return err;
+ num_ins += iterm.channels;
++ if (mixer_bitmap_overflow(desc, state->mixer->protocol,
++ num_ins, num_outs))
++ break;
+ for (; ich < num_ins; ich++) {
+ int och, ich_has_controls = 0;
+
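Review bot: The `break` taken when mixer_bitmap_overflow() fires stops parsing the remaining input pins without any log message, so a device with a truncated or malformed mixer descriptor simply ends up with fewer controls and leaves no trace. A debug message before the `break`, naming the unit and the pin index, would make such descriptors visible when triaging misbehaving or hostile USB devices. The loop this hunk sits in starts and ends outside the hunk.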
--- /dev/null
+From 6de3c9e3f6b3eaf66859e1379b3f35dda781416b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 15 Aug 2019 11:41:06 +0200
+Subject: ALSA: usb-audio: Fix invalid NULL check in snd_emuusb_set_samplerate()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6de3c9e3f6b3eaf66859e1379b3f35dda781416b upstream.
+
+The quirk function snd_emuusb_set_samplerate() has a NULL check for
+the mixer element, but this is useless in the current code. It used
+to be a check against mixer->id_elems[unitid] but it was changed later
+to the value after mixer_eleme_list_to_info() which is always non-NULL
+due to the container_of() usage.
+
+This patch fixes the check before the conversion.
+
+While we're at it, correct a typo in the comment in the function,
+too.
+
+Fixes: 8c558076c740 ("ALSA: usb-audio: Clean up mixer element list traverse")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_quirks.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1155,17 +1155,17 @@ void snd_emuusb_set_samplerate(struct sn
+ {
+ struct usb_mixer_interface *mixer;
+ struct usb_mixer_elem_info *cval;
+- int unitid = 12; /* SamleRate ExtensionUnit ID */
++ int unitid = 12; /* SampleRate ExtensionUnit ID */
+
+ list_for_each_entry(mixer, &chip->mixer_list, list) {
+- cval = mixer_elem_list_to_info(mixer->id_elems[unitid]);
+- if (cval) {
++ if (mixer->id_elems[unitid]) {
++ cval = mixer_elem_list_to_info(mixer->id_elems[unitid]);
+ snd_usb_mixer_set_ctl_value(cval, UAC_SET_CUR,
+ cval->control << 8,
+ samplerate_id);
+ snd_usb_mixer_notify_id(mixer, unitid);
++ break;
+ }
+- break;
+ }
+ }
+
--- /dev/null
+From 75ee23b30dc712d80d2421a9a547e7ab6e379b44 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Fri, 23 Aug 2019 13:55:44 -0700
+Subject: KVM: x86: Don't update RIP or do single-step on faulting emulation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 75ee23b30dc712d80d2421a9a547e7ab6e379b44 upstream.
+
+Don't advance RIP or inject a single-step #DB if emulation signals a
+fault. This logic applies to all state updates that are conditional on
+clean retirement of the emulation instruction, e.g. updating RFLAGS was
+previously handled by commit 38827dbd3fb85 ("KVM: x86: Do not update
+EFLAGS on faulting emulation").
+
+Not advancing RIP is likely a nop, i.e. ctxt->eip isn't updated with
+ctxt->_eip until emulation "retires" anyways. Skipping #DB injection
+fixes a bug reported by Andy Lutomirski where a #UD on SYSCALL due to
+invalid state with EFLAGS.TF=1 would loop indefinitely due to emulation
+overwriting the #UD with #DB and thus restarting the bad SYSCALL over
+and over.
+
+Cc: Nadav Amit <nadav.amit@gmail.com>
+Cc: stable@vger.kernel.org
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Fixes: 663f4c61b803 ("KVM: x86: handle singlestep during emulation")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6547,12 +6547,13 @@ restart:
+ unsigned long rflags = kvm_x86_ops->get_rflags(vcpu);
+ toggle_interruptibility(vcpu, ctxt->interruptibility);
+ vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
+- kvm_rip_write(vcpu, ctxt->eip);
+- if (r == EMULATE_DONE && ctxt->tf)
+- kvm_vcpu_do_singlestep(vcpu, &r);
+ if (!ctxt->have_exception ||
+- exception_type(ctxt->exception.vector) == EXCPT_TRAP)
++ exception_type(ctxt->exception.vector) == EXCPT_TRAP) {
++ kvm_rip_write(vcpu, ctxt->eip);
++ if (r == EMULATE_DONE && ctxt->tf)
++ kvm_vcpu_do_singlestep(vcpu, &r);
+ __kvm_set_rflags(vcpu, ctxt->eflags);
++ }
+
+ /*
+ * For STI, interrupts are shadowed; so KVM_REQ_EVENT will
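Review bot: The widened `if` block now gates three state updates (RIP, the single-step #DB and RFLAGS) on the same condition, but nothing in the code says why. A future change could easily move one of them back out. I would add a comment above the condition such as `/* Commit RIP, TF single-step and RFLAGS only if the instruction retired: no exception, or a trap-class one. */`. The enclosing function starts and ends outside the hunk.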
--- /dev/null
+From ea1529873ab18c204688cf31746df851c098cbea Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Tue, 27 Aug 2019 18:04:02 +0200
+Subject: KVM: x86: hyper-v: don't crash on KVM_GET_SUPPORTED_HV_CPUID when kvm_intel.nested is disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+commit ea1529873ab18c204688cf31746df851c098cbea upstream.
+
+If kvm_intel is loaded with nested=0 parameter an attempt to perform
+KVM_GET_SUPPORTED_HV_CPUID results in OOPS as nested_get_evmcs_version hook
+in kvm_x86_ops is NULL (we assign it in nested_vmx_hardware_setup() and
+this only happens in case nested is enabled).
+
+Check that kvm_x86_ops->nested_get_evmcs_version is not NULL before
+calling it. With this, we can remove the stub from svm as it is no
+longer needed.
+
+Cc: <stable@vger.kernel.org>
+Fixes: e2e871ab2f02 ("x86/kvm/hyper-v: Introduce nested_get_evmcs_version() helper")
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/hyperv.c | 5 ++++-
+ arch/x86/kvm/svm.c | 8 +-------
+ arch/x86/kvm/vmx/vmx.c | 1 +
+ 3 files changed, 6 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -1783,7 +1783,7 @@ int kvm_vm_ioctl_hv_eventfd(struct kvm *
+ int kvm_vcpu_ioctl_get_hv_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid,
+ struct kvm_cpuid_entry2 __user *entries)
+ {
+- uint16_t evmcs_ver = kvm_x86_ops->nested_get_evmcs_version(vcpu);
++ uint16_t evmcs_ver = 0;
+ struct kvm_cpuid_entry2 cpuid_entries[] = {
+ { .function = HYPERV_CPUID_VENDOR_AND_MAX_FUNCTIONS },
+ { .function = HYPERV_CPUID_INTERFACE },
+@@ -1795,6 +1795,9 @@ int kvm_vcpu_ioctl_get_hv_cpuid(struct k
+ };
+ int i, nent = ARRAY_SIZE(cpuid_entries);
+
++ if (kvm_x86_ops->nested_get_evmcs_version)
++ evmcs_ver = kvm_x86_ops->nested_get_evmcs_version(vcpu);
++
+ /* Skip NESTED_FEATURES if eVMCS is not supported */
+ if (!evmcs_ver)
+ --nent;
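Review bot: With this change `kvm_x86_ops->nested_get_evmcs_version` becomes an optional hook that may be NULL on both vendors, but only this call site is guarded. Any other caller of the hook, none of which appear in this diff, would hit the same NULL call when nested is disabled, so it is worth grepping for them. The new contract should be recorded where the hook is declared, with a comment such as `/* may be NULL when eVMCS is unsupported; callers must check */`. The function continues past the end of the hunk.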
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -7107,12 +7107,6 @@ failed:
+ return ret;
+ }
+
+-static uint16_t nested_get_evmcs_version(struct kvm_vcpu *vcpu)
+-{
+- /* Not supported */
+- return 0;
+-}
+-
+ static int nested_enable_evmcs(struct kvm_vcpu *vcpu,
+ uint16_t *vmcs_version)
+ {
+@@ -7283,7 +7277,7 @@ static struct kvm_x86_ops svm_x86_ops __
+ .mem_enc_unreg_region = svm_unregister_enc_region,
+
+ .nested_enable_evmcs = nested_enable_evmcs,
+- .nested_get_evmcs_version = nested_get_evmcs_version,
++ .nested_get_evmcs_version = NULL,
+
+ .need_emulation_on_page_fault = svm_need_emulation_on_page_fault,
+ };
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -7733,6 +7733,7 @@ static struct kvm_x86_ops vmx_x86_ops __
+ .set_nested_state = NULL,
+ .get_vmcs12_pages = NULL,
+ .nested_enable_evmcs = NULL,
++ .nested_get_evmcs_version = NULL,
+ .need_emulation_on_page_fault = vmx_need_emulation_on_page_fault,
+ };
+
--- /dev/null
+From b14c876b994f208b6b95c222056e1deb0a45de0e Mon Sep 17 00:00:00 2001
+From: Radim Krcmar <rkrcmar@redhat.com>
+Date: Tue, 13 Aug 2019 23:37:37 -0400
+Subject: kvm: x86: skip populating logical dest map if apic is not sw enabled
+
+From: Radim Krcmar <rkrcmar@redhat.com>
+
+commit b14c876b994f208b6b95c222056e1deb0a45de0e upstream.
+
+recalculate_apic_map does not santize ldr and it's possible that
+multiple bits are set. In that case, a previous valid entry
+can potentially be overwritten by an invalid one.
+
+This condition is hit when booting a 32 bit, >8 CPU, RHEL6 guest and then
+triggering a crash to boot a kdump kernel. This is the sequence of
+events:
+1. Linux boots in bigsmp mode and enables PhysFlat, however, it still
+writes to the LDR which probably will never be used.
+2. However, when booting into kdump, the stale LDR values remain as
+they are not cleared by the guest and there isn't a apic reset.
+3. kdump boots with 1 cpu, and uses Logical Destination Mode but the
+logical map has been overwritten and points to an inactive vcpu.
+
+Signed-off-by: Radim Krcmar <rkrcmar@redhat.com>
+Signed-off-by: Bandan Das <bsd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -212,6 +212,9 @@ static void recalculate_apic_map(struct
+ if (!apic_x2apic_mode(apic) && !new->phys_map[xapic_id])
+ new->phys_map[xapic_id] = apic;
+
++ if (!kvm_apic_sw_enabled(apic))
++ continue;
++
+ ldr = kvm_lapic_get_reg(apic, APIC_LDR);
+
+ if (apic_x2apic_mode(apic)) {
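Review bot: The added `continue` skips only APICs that are software-disabled, while the commit message describes the underlying problem as an unsanitised LDR with several bits set overwriting a valid entry. Nothing in this hunk rejects such a value for an APIC that is software-enabled, and the LDR is guest-controlled. The code that turns `ldr` into a logical-map slot lies below the hunk, so its behaviour for a multi-bit logical ID cannot be confirmed from here. If it does not already refuse them, a check there that skips IDs with more than one bit set would close the remaining case.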
+@@ -254,6 +257,8 @@ static inline void apic_set_spiv(struct
+ static_key_slow_dec_deferred(&apic_sw_disabled);
+ else
+ static_key_slow_inc(&apic_sw_disabled.key);
++
++ recalculate_apic_map(apic->vcpu->kvm);
+ }
+ }
+
--- /dev/null
+From 441e254cd40dc03beec3c650ce6ce6074bc6517f Mon Sep 17 00:00:00 2001
+From: Andrew Morton <akpm@linux-foundation.org>
+Date: Fri, 30 Aug 2019 16:04:35 -0700
+Subject: mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+commit 441e254cd40dc03beec3c650ce6ce6074bc6517f upstream.
+
+Fixes: 701d678599d0c1 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool")
+Link: http://lkml.kernel.org/r/201908251039.5oSbEEUT%25lkp@intel.com
+Reported-by: kbuild test robot <lkp@intel.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Henry Burns <henrywolfeburns@gmail.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Jonathan Adams <jwadams@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/zsmalloc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -2432,7 +2432,9 @@ struct zs_pool *zs_create_pool(const cha
+ if (!pool->name)
+ goto err;
+
++#ifdef CONFIG_COMPACTION
+ init_waitqueue_head(&pool->migration_wait);
++#endif
+
+ if (create_cache(pool))
+ goto err;
openvswitch-fix-conntrack-cache-with-timeout.patch
ipv4-icmp-fix-rt-dst-dev-null-pointer-dereference.patch
xfrm-xfrm_policy-fix-dst-dev-null-pointer-dereference-in-collect_md-mode.patch
+mm-zsmalloc.c-fix-build-when-config_compaction-n.patch
+alsa-usb-audio-check-mixer-unit-bitmap-yet-more-strictly.patch
+alsa-hda-ca0132-add-new-sbz-quirk.patch
+alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch
+alsa-hda-fixes-inverted-conexant-gpio-mic-mute-led.patch
+alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch
+alsa-usb-audio-fix-invalid-null-check-in-snd_emuusb_set_samplerate.patch
+alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1604.patch
+kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch
+kvm-x86-hyper-v-don-t-crash-on-kvm_get_supported_hv_cpuid-when-kvm_intel.nested-is-disabled.patch
+kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch
+uprobes-x86-fix-detection-of-32-bit-user-mode.patch
+x86-mm-cpa-prevent-large-page-split-when-ftrace-flips-rw-on-kernel-text.patch
+x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch
+x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch
--- /dev/null
+From 9212ec7d8357ea630031e89d0d399c761421c83b Mon Sep 17 00:00:00 2001
+From: Sebastian Mayr <me@sam.st>
+Date: Sun, 28 Jul 2019 17:26:17 +0200
+Subject: uprobes/x86: Fix detection of 32-bit user mode
+
+From: Sebastian Mayr <me@sam.st>
+
+commit 9212ec7d8357ea630031e89d0d399c761421c83b upstream.
+
+32-bit processes running on a 64-bit kernel are not always detected
+correctly, causing the process to crash when uretprobes are installed.
+
+The reason for the crash is that in_ia32_syscall() is used to determine the
+process's mode, which only works correctly when called from a syscall.
+
+In the case of uretprobes, however, the function is called from a exception
+and always returns 'false' on a 64-bit kernel. In consequence this leads to
+corruption of the process's return address.
+
+Fix this by using user_64bit_mode() instead of in_ia32_syscall(), which
+is correct in any situation.
+
+[ tglx: Add a comment and the following historical info ]
+
+This should have been detected by the rename which happened in commit
+
+ abfb9498ee13 ("x86/entry: Rename is_{ia32,x32}_task() to in_{ia32,x32}_syscall()")
+
+which states in the changelog:
+
+ The is_ia32_task()/is_x32_task() function names are a big misnomer: they
+ suggests that the compat-ness of a system call is a task property, which
+ is not true, the compatness of a system call purely depends on how it
+ was invoked through the system call layer.
+ .....
+
+and then it went and blindly renamed every call site.
+
+Sadly enough this was already mentioned here:
+
+ 8faaed1b9f50 ("uprobes/x86: Introduce sizeof_long(), cleanup adjust_ret_addr() and
+arch_uretprobe_hijack_return_addr()")
+
+where the changelog says:
+
+ TODO: is_ia32_task() is not what we actually want, TS_COMPAT does
+ not necessarily mean 32bit. Fortunately syscall-like insns can't be
+ probed so it actually works, but it would be better to rename and
+ use is_ia32_frame().
+
+and goes all the way back to:
+
+ 0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions")
+
+Oh well. 7+ years until someone actually tried a uretprobe on a 32bit
+process on a 64bit kernel....
+
+Fixes: 0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions")
+Signed-off-by: Sebastian Mayr <me@sam.st>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190728152617.7308-1-me@sam.st
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/uprobes.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -508,9 +508,12 @@ struct uprobe_xol_ops {
+ void (*abort)(struct arch_uprobe *, struct pt_regs *);
+ };
+
+-static inline int sizeof_long(void)
++static inline int sizeof_long(struct pt_regs *regs)
+ {
+- return in_ia32_syscall() ? 4 : 8;
++ /*
++ * Check registers for mode as in_xxx_syscall() does not apply here.
++ */
++ return user_64bit_mode(regs) ? 8 : 4;
+ }
+
+ static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
+@@ -521,9 +524,9 @@ static int default_pre_xol_op(struct arc
+
+ static int emulate_push_stack(struct pt_regs *regs, unsigned long val)
+ {
+- unsigned long new_sp = regs->sp - sizeof_long();
++ unsigned long new_sp = regs->sp - sizeof_long(regs);
+
+- if (copy_to_user((void __user *)new_sp, &val, sizeof_long()))
++ if (copy_to_user((void __user *)new_sp, &val, sizeof_long(regs)))
+ return -EFAULT;
+
+ regs->sp = new_sp;
+@@ -556,7 +559,7 @@ static int default_post_xol_op(struct ar
+ long correction = utask->vaddr - utask->xol_vaddr;
+ regs->ip += correction;
+ } else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) {
+- regs->sp += sizeof_long(); /* Pop incorrect return address */
++ regs->sp += sizeof_long(regs); /* Pop incorrect return address */
+ if (emulate_push_stack(regs, utask->vaddr + auprobe->defparam.ilen))
+ return -ERESTART;
+ }
+@@ -675,7 +678,7 @@ static int branch_post_xol_op(struct arc
+ * "call" insn was executed out-of-line. Just restore ->sp and restart.
+ * We could also restore ->ip and try to call branch_emulate_op() again.
+ */
+- regs->sp += sizeof_long();
++ regs->sp += sizeof_long(regs);
+ return -ERESTART;
+ }
+
+@@ -1056,7 +1059,7 @@ bool arch_uprobe_skip_sstep(struct arch_
+ unsigned long
+ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs)
+ {
+- int rasize = sizeof_long(), nleft;
++ int rasize = sizeof_long(regs), nleft;
+ unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */
+
+ if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize))
--- /dev/null
+From bae3a8d3308ee69a7dbdf145911b18dfda8ade0d Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Mon, 26 Aug 2019 06:15:12 -0400
+Subject: x86/apic: Do not initialize LDR and DFR for bigsmp
+
+From: Bandan Das <bsd@redhat.com>
+
+commit bae3a8d3308ee69a7dbdf145911b18dfda8ade0d upstream.
+
+Legacy apic init uses bigsmp for smp systems with 8 and more CPUs. The
+bigsmp APIC implementation uses physical destination mode, but it
+nevertheless initializes LDR and DFR. The LDR even ends up incorrectly with
+multiple bit being set.
+
+This does not cause a functional problem because LDR and DFR are ignored
+when physical destination mode is active, but it triggered a problem on a
+32-bit KVM guest which jumps into a kdump kernel.
+
+The multiple bits set unearthed a bug in the KVM APIC implementation. The
+code which creates the logical destination map for VCPUs ignores the
+disabled state of the APIC and ends up overwriting an existing valid entry
+and as a result, APIC calibration hangs in the guest during kdump
+initialization.
+
+Remove the bogus LDR/DFR initialization.
+
+This is not intended to work around the KVM APIC bug. The LDR/DFR
+ininitalization is wrong on its own.
+
+The issue goes back into the pre git history. The fixes tag is the commit
+in the bitkeeper import which introduced bigsmp support in 2003.
+
+ git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+
+Fixes: db7b9e9f26b8 ("[PATCH] Clustered APIC setup for >8 CPU systems")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Bandan Das <bsd@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190826101513.5080-2-bsd@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/bigsmp_32.c | 24 ++----------------------
+ 1 file changed, 2 insertions(+), 22 deletions(-)
+
+--- a/arch/x86/kernel/apic/bigsmp_32.c
++++ b/arch/x86/kernel/apic/bigsmp_32.c
+@@ -38,32 +38,12 @@ static int bigsmp_early_logical_apicid(i
+ return early_per_cpu(x86_cpu_to_apicid, cpu);
+ }
+
+-static inline unsigned long calculate_ldr(int cpu)
+-{
+- unsigned long val, id;
+-
+- val = apic_read(APIC_LDR) & ~APIC_LDR_MASK;
+- id = per_cpu(x86_bios_cpu_apicid, cpu);
+- val |= SET_APIC_LOGICAL_ID(id);
+-
+- return val;
+-}
+-
+ /*
+- * Set up the logical destination ID.
+- *
+- * Intel recommends to set DFR, LDR and TPR before enabling
+- * an APIC. See e.g. "AP-388 82489DX User's Manual" (Intel
+- * document number 292116). So here it goes...
++ * bigsmp enables physical destination mode
++ * and doesn't use LDR and DFR
+ */
+ static void bigsmp_init_apic_ldr(void)
+ {
+- unsigned long val;
+- int cpu = smp_processor_id();
+-
+- apic_write(APIC_DFR, APIC_DFR_FLAT);
+- val = calculate_ldr(cpu);
+- apic_write(APIC_LDR, val);
+ }
+
+ static void bigsmp_setup_apic_routing(void)
--- /dev/null
+From 558682b5291937a70748d36fd9ba757fb25b99ae Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Mon, 26 Aug 2019 06:15:13 -0400
+Subject: x86/apic: Include the LDR when clearing out APIC registers
+
+From: Bandan Das <bsd@redhat.com>
+
+commit 558682b5291937a70748d36fd9ba757fb25b99ae upstream.
+
+Although APIC initialization will typically clear out the LDR before
+setting it, the APIC cleanup code should reset the LDR.
+
+This was discovered with a 32-bit KVM guest jumping into a kdump
+kernel. The stale bits in the LDR triggered a bug in the KVM APIC
+implementation which caused the destination mapping for VCPUs to be
+corrupted.
+
+Note that this isn't intended to paper over the KVM APIC bug. The kernel
+has to clear the LDR when resetting the APIC registers except when X2APIC
+is enabled.
+
+This lacks a Fixes tag because missing to clear LDR goes way back into pre
+git history.
+
+[ tglx: Made x2apic_enabled a function call as required ]
+
+Signed-off-by: Bandan Das <bsd@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190826101513.5080-3-bsd@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1152,6 +1152,10 @@ void clear_local_APIC(void)
+ apic_write(APIC_LVT0, v | APIC_LVT_MASKED);
+ v = apic_read(APIC_LVT1);
+ apic_write(APIC_LVT1, v | APIC_LVT_MASKED);
++ if (!x2apic_enabled()) {
++ v = apic_read(APIC_LDR) & ~APIC_LDR_MASK;
++ apic_write(APIC_LDR, v);
++ }
+ if (maxlvt >= 4) {
+ v = apic_read(APIC_LVTPC);
+ apic_write(APIC_LVTPC, v | APIC_LVT_MASKED);
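Review bot: The new `if (!x2apic_enabled())` block in clear_local_APIC() has no comment saying why x2APIC is excluded or why the LDR is cleared at all. In x2APIC mode the LDR is read-only, so the guard is required for correctness and is not an optimisation. The clearing itself exists so that stale logical-ID bits do not carry over into a kexec/kdump kernel, as the commit description explains. I would add `/* LDR is read-only in x2APIC mode; in xAPIC mode clear the logical ID so stale bits do not survive a kexec/kdump */` above the block. The function starts before and continues past this hunk.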
--- /dev/null
+From 7af0145067bc429a09ac4047b167c0971c9f0dc7 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Thu, 29 Aug 2019 00:31:34 +0200
+Subject: x86/mm/cpa: Prevent large page split when ftrace flips RW on kernel text
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 7af0145067bc429a09ac4047b167c0971c9f0dc7 upstream.
+
+ftrace does not use text_poke() for enabling trace functionality. It uses
+its own mechanism and flips the whole kernel text to RW and back to RO.
+
+The CPA rework removed a loop based check of 4k pages which tried to
+preserve a large page by checking each 4k page whether the change would
+actually cover all pages in the large page.
+
+This resulted in endless loops for nothing as in testing it turned out that
+it actually never preserved anything. Of course testing missed to include
+ftrace, which is the one and only case which benefitted from the 4k loop.
+
+As a consequence enabling function tracing or ftrace based kprobes results
+in a full 4k split of the kernel text, which affects iTLB performance.
+
+The kernel RO protection is the only valid case where this can actually
+preserve large pages.
+
+All other static protections (RO data, data NX, PCI, BIOS) are truly
+static. So a conflict with those protections which results in a split
+should only ever happen when a change of memory next to a protected region
+is attempted. But these conflicts are rightfully splitting the large page
+to preserve the protected regions. In fact a change to the protected
+regions itself is a bug and is warned about.
+
+Add an exception for the static protection check for kernel text RO when
+the to be changed region spans a full large page which allows to preserve
+the large mappings. This also prevents the syslog to be spammed about CPA
+violations when ftrace is used.
+
+The exception needs to be removed once ftrace switched over to text_poke()
+which avoids the whole issue.
+
+Fixes: 585948f4f695 ("x86/mm/cpa: Avoid the 4k pages check completely")
+Reported-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Song Liu <songliubraving@fb.com>
+Reviewed-by: Song Liu <songliubraving@fb.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1908282355340.1938@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/pageattr.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -516,7 +516,7 @@ static inline void check_conflict(int wa
+ */
+ static inline pgprot_t static_protections(pgprot_t prot, unsigned long start,
+ unsigned long pfn, unsigned long npg,
+- int warnlvl)
++ unsigned long lpsize, int warnlvl)
+ {
+ pgprotval_t forbidden, res;
+ unsigned long end;
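Review bot: The new `lpsize` parameter of `static_protections()` carries two meanings that are only documented at the call sites. It is either the size of the large page being checked or the sentinel 0, which forces the Text RO check to run. A future caller who passes a real page size by mistake would quietly opt into the exception. The function's header comment ends just above this hunk and should gain a line such as `* @lpsize: size of the large page under test, or 0 to always enforce kernel text RO`. The body continues outside the hunk.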
+@@ -535,9 +535,17 @@ static inline pgprot_t static_protection
+ check_conflict(warnlvl, prot, res, start, end, pfn, "Text NX");
+ forbidden = res;
+
+- res = protect_kernel_text_ro(start, end);
+- check_conflict(warnlvl, prot, res, start, end, pfn, "Text RO");
+- forbidden |= res;
++ /*
++ * Special case to preserve a large page. If the change spawns the
++ * full large page mapping then there is no point to split it
++ * up. Happens with ftrace and is going to be removed once ftrace
++ * switched to text_poke().
++ */
++ if (lpsize != (npg * PAGE_SIZE) || (start & (lpsize - 1))) {
++ res = protect_kernel_text_ro(start, end);
++ check_conflict(warnlvl, prot, res, start, end, pfn, "Text RO");
++ forbidden |= res;
++ }
+
+ /* Check the PFN directly */
+ res = protect_pci_bios(pfn, pfn + npg - 1);
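Review bot: The exception added to `static_protections()` skips the Text RO check for any request that covers a whole, aligned large page, not only for requests coming from ftrace. On that path `protect_kernel_text_ro()` is never consulted, so `check_conflict()` cannot warn either. A full-large-page RW request over kernel text from any other caller would pass silently, and keeping text read-only then depends on the caller flipping it back. Since the description calls this temporary, the comment should state the consequence, e.g. `* NOTE: Text RO is neither enforced nor reported on this path.`, and "spawns" in the comment should read "spans". The function body starts and ends outside the hunk.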
+@@ -819,7 +827,7 @@ static int __should_split_large_page(pte
+ * extra conditional required here.
+ */
+ chk_prot = static_protections(old_prot, lpaddr, old_pfn, numpages,
+- CPA_CONFLICT);
++ psize, CPA_CONFLICT);
+
+ if (WARN_ON_ONCE(pgprot_val(chk_prot) != pgprot_val(old_prot))) {
+ /*
+@@ -855,7 +863,7 @@ static int __should_split_large_page(pte
+ * protection requirement in the large page.
+ */
+ new_prot = static_protections(req_prot, lpaddr, old_pfn, numpages,
+- CPA_DETECT);
++ psize, CPA_DETECT);
+
+ /*
+ * If there is a conflict, split the large page.
+@@ -906,7 +914,8 @@ static void split_set_pte(struct cpa_dat
+ if (!cpa->force_static_prot)
+ goto set;
+
+- prot = static_protections(ref_prot, address, pfn, npg, CPA_PROTECT);
++ /* Hand in lpsize = 0 to enforce the protection mechanism */
++ prot = static_protections(ref_prot, address, pfn, npg, 0, CPA_PROTECT);
+
+ if (pgprot_val(prot) == pgprot_val(ref_prot))
+ goto set;
+@@ -1503,7 +1512,8 @@ repeat:
+ pgprot_val(new_prot) |= pgprot_val(cpa->mask_set);
+
+ cpa_inc_4k_install();
+- new_prot = static_protections(new_prot, address, pfn, 1,
++ /* Hand in lpsize = 0 to enforce the protection mechanism */
++ new_prot = static_protections(new_prot, address, pfn, 1, 0,
+ CPA_PROTECT);
+
+ new_prot = pgprot_clear_protnone_bits(new_prot);