4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 24 Oct 2020 09:53:54 +0000 (11:53 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 24 Oct 2020 09:53:54 +0000 (11:53 +0200)
added patches:
alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch
cifs-remove-bogus-debug-code.patch
cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
kvm-svm-initialize-prev_ga_tag-before-use.patch
kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch

queue-4.19/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch [new file with mode: 0644]
queue-4.19/cifs-remove-bogus-debug-code.patch [new file with mode: 0644]
queue-4.19/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch [new file with mode: 0644]
queue-4.19/kvm-svm-initialize-prev_ga_tag-before-use.patch [new file with mode: 0644]
queue-4.19/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch b/queue-4.19/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch
new file mode 100644 (file)
index 0000000..35ef114
--- /dev/null
@@ -0,0 +1,99 @@
+From ca184355db8e60290fa34bf61c13308e6f4f50d3 Mon Sep 17 00:00:00 2001
+From: Jian-Hong Pan <jhp@endlessos.org>
+Date: Wed, 7 Oct 2020 13:22:25 +0800
+Subject: ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887
+
+From: Jian-Hong Pan <jhp@endlessos.org>
+
+commit ca184355db8e60290fa34bf61c13308e6f4f50d3 upstream.
+
+The ASUS D700SA desktop's audio (1043:2390) with ALC887 cannot detect
+the headset microphone and another headphone jack until
+ALC887_FIXUP_ASUS_HMIC and ALC887_FIXUP_ASUS_AUDIO quirks are applied.
+The NID 0x15 maps as the headset microphone and NID 0x19 maps as another
+headphone jack. Also need the function like alc887_fixup_asus_jack to
+enable the audio jacks.
+
+Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201007052224.22611-1-jhp@endlessos.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |   42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1906,6 +1906,8 @@ enum {
+       ALC1220_FIXUP_CLEVO_P950,
+       ALC1220_FIXUP_CLEVO_PB51ED,
+       ALC1220_FIXUP_CLEVO_PB51ED_PINS,
++      ALC887_FIXUP_ASUS_AUDIO,
++      ALC887_FIXUP_ASUS_HMIC,
+ };
+ static void alc889_fixup_coef(struct hda_codec *codec,
+@@ -2118,6 +2120,31 @@ static void alc1220_fixup_clevo_pb51ed(s
+       alc_fixup_headset_mode_no_hp_mic(codec, fix, action);
+ }
++static void alc887_asus_hp_automute_hook(struct hda_codec *codec,
++                                       struct hda_jack_callback *jack)
++{
++      struct alc_spec *spec = codec->spec;
++      unsigned int vref;
++
++      snd_hda_gen_hp_automute(codec, jack);
++
++      if (spec->gen.hp_jack_present)
++              vref = AC_PINCTL_VREF_80;
++      else
++              vref = AC_PINCTL_VREF_HIZ;
++      snd_hda_set_pin_ctl(codec, 0x19, PIN_HP | vref);
++}
++
++static void alc887_fixup_asus_jack(struct hda_codec *codec,
++                                   const struct hda_fixup *fix, int action)
++{
++      struct alc_spec *spec = codec->spec;
++      if (action != HDA_FIXUP_ACT_PROBE)
++              return;
++      snd_hda_set_pin_ctl_cache(codec, 0x1b, PIN_HP);
++      spec->gen.hp_automute_hook = alc887_asus_hp_automute_hook;
++}
++
+ static const struct hda_fixup alc882_fixups[] = {
+       [ALC882_FIXUP_ABIT_AW9D_MAX] = {
+               .type = HDA_FIXUP_PINS,
+@@ -2375,6 +2402,20 @@ static const struct hda_fixup alc882_fix
+               .chained = true,
+               .chain_id = ALC1220_FIXUP_CLEVO_PB51ED,
+       },
++      [ALC887_FIXUP_ASUS_AUDIO] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x15, 0x02a14150 }, /* use as headset mic, without its own jack detect */
++                      { 0x19, 0x22219420 },
++                      {}
++              },
++      },
++      [ALC887_FIXUP_ASUS_HMIC] = {
++              .type = HDA_FIXUP_FUNC,
++              .v.func = alc887_fixup_asus_jack,
++              .chained = true,
++              .chain_id = ALC887_FIXUP_ASUS_AUDIO,
++      },
+ };
+ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
+@@ -2408,6 +2449,7 @@ static const struct snd_pci_quirk alc882
+       SND_PCI_QUIRK(0x1043, 0x13c2, "Asus A7M", ALC882_FIXUP_EAPD),
+       SND_PCI_QUIRK(0x1043, 0x1873, "ASUS W90V", ALC882_FIXUP_ASUS_W90V),
+       SND_PCI_QUIRK(0x1043, 0x1971, "Asus W2JC", ALC882_FIXUP_ASUS_W2JC),
++      SND_PCI_QUIRK(0x1043, 0x2390, "Asus D700SA", ALC887_FIXUP_ASUS_HMIC),
+       SND_PCI_QUIRK(0x1043, 0x835f, "Asus Eee 1601", ALC888_FIXUP_EEE1601),
+       SND_PCI_QUIRK(0x1043, 0x84bc, "ASUS ET2700", ALC887_FIXUP_ASUS_BASS),
+       SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3),
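Review bot: The added ALC887 code hard-codes pin NIDs without saying what they are: `alc887_asus_hp_automute_hook` rewrites pin 0x19 and `alc887_fixup_asus_jack` sets 0x1b to `PIN_HP`, while the pin table comments only the 0x15 entry. The commit message identifies 0x19 as the second headphone jack, but 0x1b is not explained anywhere on the page. I would add `/* 0x19: second headphone jack; VREF_80 while hp_jack_present, else HIZ */` above the `snd_hda_set_pin_ctl()` call and a matching one-line comment for 0x1b. `alc887_fixup_asus_jack` also lacks the blank line between the `spec` declaration and the `if`, which the hook above it has.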
diff --git a/queue-4.19/cifs-remove-bogus-debug-code.patch b/queue-4.19/cifs-remove-bogus-debug-code.patch
new file mode 100644 (file)
index 0000000..00c3828
--- /dev/null
@@ -0,0 +1,72 @@
+From d367cb960ce88914898cbfa43645c2e43ede9465 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 16 Sep 2020 23:18:21 +0300
+Subject: cifs: remove bogus debug code
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d367cb960ce88914898cbfa43645c2e43ede9465 upstream.
+
+The "end" pointer is either NULL or it points to the next byte to parse.
+If there isn't a next byte then dereferencing "end" is an off-by-one out
+of bounds error.  And, of course, if it's NULL that leads to an Oops.
+Printing "*end" doesn't seem very useful so let's delete this code.
+
+Also for the last debug statement, I noticed that it should be printing
+"sequence_end" instead of "end" so fix that as well.
+
+Reported-by: Dominik Maier <dmaier@sect.tu-berlin.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/asn1.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/cifs/asn1.c
++++ b/fs/cifs/asn1.c
+@@ -541,8 +541,8 @@ decode_negTokenInit(unsigned char *secur
+               return 0;
+       } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+                  || (tag != ASN1_EOC)) {
+-              cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+-                       cls, con, tag, end, *end);
++              cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
++                       cls, con, tag, end);
+               return 0;
+       }
+@@ -552,8 +552,8 @@ decode_negTokenInit(unsigned char *secur
+               return 0;
+       } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+                  || (tag != ASN1_SEQ)) {
+-              cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+-                       cls, con, tag, end, *end);
++              cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 1\n",
++                       cls, con, tag, end);
+               return 0;
+       }
+@@ -563,8 +563,8 @@ decode_negTokenInit(unsigned char *secur
+               return 0;
+       } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+                  || (tag != ASN1_EOC)) {
+-              cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+-                       cls, con, tag, end, *end);
++              cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
++                       cls, con, tag, end);
+               return 0;
+       }
+@@ -575,8 +575,8 @@ decode_negTokenInit(unsigned char *secur
+               return 0;
+       } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+                  || (tag != ASN1_SEQ)) {
+-              cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+-                       cls, con, tag, end, *end);
++              cifs_dbg(FYI, "cls = %d con = %d tag = %d sequence_end = %p exit 1\n",
++                       cls, con, tag, sequence_end);
+               return 0;
+       }
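Review bot: The rejection messages in `decode_negTokenInit` are still hard to tell apart after this change: the first and third are byte-identical (`... end = %p exit 0`), and the fourth differs from the second only in the pointer name. A log line therefore does not say which stage of the security-blob parse rejected the input. Distinct suffixes on the last two, e.g. `... end = %p exit 2\n` and `... sequence_end = %p exit 3\n`, would fix that, though it is probably better raised upstream than changed in a stable backport. The function starts and ends outside these hunks, so whether other messages already use those numbers is not visible here.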
diff --git a/queue-4.19/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch b/queue-4.19/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
new file mode 100644 (file)
index 0000000..817fac4
--- /dev/null
@@ -0,0 +1,44 @@
+From 0bd294b55a5de442370c29fa53bab17aef3ff318 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Thu, 15 Oct 2020 10:41:31 -0700
+Subject: cifs: Return the error from crypt_message when enc/dec key not found.
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit 0bd294b55a5de442370c29fa53bab17aef3ff318 upstream.
+
+In crypt_message, when smb2_get_enc_key returns error, we need to
+return the error back to the caller. If not, we end up processing
+the message further, causing a kernel oops due to unwarranted access
+of memory.
+
+Call Trace:
+smb3_receive_transform+0x120/0x870 [cifs]
+cifs_demultiplex_thread+0xb53/0xc20 [cifs]
+? cifs_handle_standard+0x190/0x190 [cifs]
+kthread+0x116/0x130
+? kthread_park+0x80/0x80
+ret_from_fork+0x1f/0x30
+
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2730,7 +2730,7 @@ crypt_message(struct TCP_Server_Info *se
+       if (rc) {
+               cifs_dbg(VFS, "%s: Could not get %scryption key\n", __func__,
+                        enc ? "en" : "de");
+-              return 0;
++              return rc;
+       }
+       rc = smb3_crypto_aead_allocate(server);
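Review bot: The error message in this branch of `crypt_message` does not include the code that `return rc;` now hands back, so the log line only says the key could not be obtained. Appending it, as in `cifs_dbg(VFS, "%s: Could not get %scryption key, rc=%d\n", __func__, enc ? "en" : "de", rc);`, lets someone reading the log see why the lookup failed. The function continues outside the hunk, so how callers act on the non-zero return cannot be checked from here.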
diff --git a/queue-4.19/kvm-svm-initialize-prev_ga_tag-before-use.patch b/queue-4.19/kvm-svm-initialize-prev_ga_tag-before-use.patch
new file mode 100644 (file)
index 0000000..49666e4
--- /dev/null
@@ -0,0 +1,62 @@
+From f6426ab9c957e97418ac5b0466538792767b1738 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date: Sat, 3 Oct 2020 23:27:07 +0000
+Subject: KVM: SVM: Initialize prev_ga_tag before use
+
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+commit f6426ab9c957e97418ac5b0466538792767b1738 upstream.
+
+The function amd_ir_set_vcpu_affinity makes use of the parameter struct
+amd_iommu_pi_data.prev_ga_tag to determine if it should delete struct
+amd_iommu_pi_data from a list when not running in AVIC mode.
+
+However, prev_ga_tag is initialized only when AVIC is enabled. The non-zero
+uninitialized value can cause unintended code path, which ends up making
+use of the struct vcpu_svm.ir_list and ir_list_lock without being
+initialized (since they are intended only for the AVIC case).
+
+This triggers NULL pointer dereference bug in the function vm_ir_list_del
+with the following call trace:
+
+    svm_update_pi_irte+0x3c2/0x550 [kvm_amd]
+    ? proc_create_single_data+0x41/0x50
+    kvm_arch_irq_bypass_add_producer+0x40/0x60 [kvm]
+    __connect+0x5f/0xb0 [irqbypass]
+    irq_bypass_register_producer+0xf8/0x120 [irqbypass]
+    vfio_msi_set_vector_signal+0x1de/0x2d0 [vfio_pci]
+    vfio_msi_set_block+0x77/0xe0 [vfio_pci]
+    vfio_pci_set_msi_trigger+0x25c/0x2f0 [vfio_pci]
+    vfio_pci_set_irqs_ioctl+0x88/0xb0 [vfio_pci]
+    vfio_pci_ioctl+0x2ea/0xed0 [vfio_pci]
+    ? alloc_file_pseudo+0xa5/0x100
+    vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
+    ? vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
+    __x64_sys_ioctl+0x96/0xd0
+    do_syscall_64+0x37/0x80
+    entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Therefore, initialize prev_ga_tag to zero before use. This should be safe
+because ga_tag value 0 is invalid (see function avic_vm_init).
+
+Fixes: dfa20099e26e ("KVM: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()")
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Message-Id: <20201003232707.4662-1-suravee.suthikulpanit@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5380,6 +5380,7 @@ static int svm_update_pi_irte(struct kvm
+                        * - Tell IOMMU to use legacy mode for this interrupt.
+                        * - Retrieve ga_tag of prior interrupt remapping data.
+                        */
++                      pi.prev_ga_tag = 0;
+                       pi.is_guest_mode = false;
+                       ret = irq_set_vcpu_affinity(host_irq, &pi);
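Review bot: `pi.prev_ga_tag = 0;` sets one field by hand, and the hunk shows only `is_guest_mode` being set besides it before `irq_set_vcpu_affinity(host_irq, &pi)` receives the structure. The declaration of `pi` is outside the hunk; if it is a plain uninitialized local, as the commit message implies, zero-initializing it there (`struct amd_iommu_pi_data pi = {};`) would cover prev_ga_tag and any field added later. Either way the new line deserves a comment such as `/* 0 is never a valid ga_tag (see avic_vm_init) */`, so the sentinel is not mistaken for a real tag.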
diff --git a/queue-4.19/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch b/queue-4.19/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
new file mode 100644 (file)
index 0000000..5022f6b
--- /dev/null
@@ -0,0 +1,39 @@
+From e89505698c9f70125651060547da4ff5046124fc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 23 Sep 2020 11:37:28 -0700
+Subject: KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit e89505698c9f70125651060547da4ff5046124fc upstream.
+
+Call kvm_mmu_commit_zap_page() after exiting the "prepare zap" loop in
+kvm_recover_nx_lpages() to finish zapping pages in the unlikely event
+that the loop exited due to lpage_disallowed_mmu_pages being empty.
+Because the recovery thread drops mmu_lock() when rescheduling, it's
+possible that lpage_disallowed_mmu_pages could be emptied by a different
+thread without to_zap reaching zero despite to_zap being derived from
+the number of disallowed lpages.
+
+Fixes: 1aa9b9572b105 ("kvm: x86: mmu: Recovery of shattered NX large pages")
+Cc: Junaid Shahid <junaids@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200923183735.584-2-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -6225,6 +6225,7 @@ static void kvm_recover_nx_lpages(struct
+                               cond_resched_lock(&kvm->mmu_lock);
+               }
+       }
++      kvm_mmu_commit_zap_page(kvm, &invalid_list);
+       spin_unlock(&kvm->mmu_lock);
+       srcu_read_unlock(&kvm->srcu, rcu_idx);
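Review bot: The added `kvm_mmu_commit_zap_page(kvm, &invalid_list);` has no comment, and the reason for it is not obvious from the visible code. The commit message gives it: the list of disallowed lpages can be emptied by another thread while mmu_lock is dropped, so the loop can end with pages prepared for zapping but not committed. I would put that above the call, e.g. `/* the loop can exit with pages still on invalid_list if another thread emptied lpage_disallowed_mmu_pages */`. The loop body and the start of `kvm_recover_nx_lpages` are outside the hunk.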
index 9ad5b4fc3ef7460f7c11b90d3f53f0158d6f3a92..6625ac6983c0ab85585528b2e57226251a8cf3ce 100644 (file)
@@ -23,3 +23,8 @@ nfc-ensure-presence-of-nfc_attr_firmware_name-attribute-in-nfc_genl_fw_download.
 tcp-fix-to-update-snd_wl1-in-bulk-receiver-fast-path.patch
 r8169-fix-operation-under-forced-interrupt-threading.patch
 icmp-randomize-the-global-rate-limiter.patch
+alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch
+cifs-remove-bogus-debug-code.patch
+cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
+kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
+kvm-svm-initialize-prev_ga_tag-before-use.patch