--- /dev/null
+From 08befca40026136c14c3cd84f9e36c4cd20a358e Mon Sep 17 00:00:00 2001
+From: Qiu Wenbo <qiuwenbo@kylinos.com.cn>
+Date: Fri, 2 Oct 2020 20:44:54 +0800
+Subject: ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7
+
+From: Qiu Wenbo <qiuwenbo@kylinos.com.cn>
+
+commit 08befca40026136c14c3cd84f9e36c4cd20a358e upstream.
+
+After installing archlinux, the mute led and micmute led are not working
+at all. This patch fix this issue by applying a fixup from similar
+model. These mute leds are confirmed working on HP Elitebook 845 G7.
+
+Signed-off-by: Qiu Wenbo <qiuwenbo@kylinos.com.cn>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201002124454.7240-1-qiuwenbo@kylinos.com.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7756,6 +7756,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x874e, "HP", ALC274_FIXUP_HP_MIC),
++ SND_PCI_QUIRK(0x103c, 0x8760, "HP", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x877d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
--- /dev/null
+From ca184355db8e60290fa34bf61c13308e6f4f50d3 Mon Sep 17 00:00:00 2001
+From: Jian-Hong Pan <jhp@endlessos.org>
+Date: Wed, 7 Oct 2020 13:22:25 +0800
+Subject: ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887
+
+From: Jian-Hong Pan <jhp@endlessos.org>
+
+commit ca184355db8e60290fa34bf61c13308e6f4f50d3 upstream.
+
+The ASUS D700SA desktop's audio (1043:2390) with ALC887 cannot detect
+the headset microphone and another headphone jack until
+ALC887_FIXUP_ASUS_HMIC and ALC887_FIXUP_ASUS_AUDIO quirks are applied.
+The NID 0x15 maps as the headset microphone and NID 0x19 maps as another
+headphone jack. Also need the function like alc887_fixup_asus_jack to
+enable the audio jacks.
+
+Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201007052224.22611-1-jhp@endlessos.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1921,6 +1921,8 @@ enum {
+ ALC1220_FIXUP_CLEVO_P950,
+ ALC1220_FIXUP_CLEVO_PB51ED,
+ ALC1220_FIXUP_CLEVO_PB51ED_PINS,
++ ALC887_FIXUP_ASUS_AUDIO,
++ ALC887_FIXUP_ASUS_HMIC,
+ };
+
+ static void alc889_fixup_coef(struct hda_codec *codec,
+@@ -2133,6 +2135,31 @@ static void alc1220_fixup_clevo_pb51ed(s
+ alc_fixup_headset_mode_no_hp_mic(codec, fix, action);
+ }
+
++static void alc887_asus_hp_automute_hook(struct hda_codec *codec,
++ struct hda_jack_callback *jack)
++{
++ struct alc_spec *spec = codec->spec;
++ unsigned int vref;
++
++ snd_hda_gen_hp_automute(codec, jack);
++
++ if (spec->gen.hp_jack_present)
++ vref = AC_PINCTL_VREF_80;
++ else
++ vref = AC_PINCTL_VREF_HIZ;
++ snd_hda_set_pin_ctl(codec, 0x19, PIN_HP | vref);
++}
++
++static void alc887_fixup_asus_jack(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++ if (action != HDA_FIXUP_ACT_PROBE)
++ return;
++ snd_hda_set_pin_ctl_cache(codec, 0x1b, PIN_HP);
++ spec->gen.hp_automute_hook = alc887_asus_hp_automute_hook;
++}
++
+ static const struct hda_fixup alc882_fixups[] = {
+ [ALC882_FIXUP_ABIT_AW9D_MAX] = {
+ .type = HDA_FIXUP_PINS,
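Review bot: The node IDs in the two added functions are bare literals with no comment: `alc887_asus_hp_automute_hook()` reprograms pin 0x19 and `alc887_fixup_asus_jack()` programs pin 0x1b, while the commit message explains only 0x15 and 0x19. I would add `/* 0x19: second headphone jack; VREF_80 only while a plug is present, HIZ otherwise */` above the `snd_hda_set_pin_ctl()` call, plus a one-line comment saying what 0x1b is on this board, which cannot be inferred from the patch. The `{ 0x19, 0x22219420 }` pin entry in the next hunk is uncommented in the same way. `alc887_fixup_asus_jack()` also lacks the blank line after its local declaration that the hook function has.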
+@@ -2390,6 +2417,20 @@ static const struct hda_fixup alc882_fix
+ .chained = true,
+ .chain_id = ALC1220_FIXUP_CLEVO_PB51ED,
+ },
++ [ALC887_FIXUP_ASUS_AUDIO] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x15, 0x02a14150 }, /* use as headset mic, without its own jack detect */
++ { 0x19, 0x22219420 },
++ {}
++ },
++ },
++ [ALC887_FIXUP_ASUS_HMIC] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc887_fixup_asus_jack,
++ .chained = true,
++ .chain_id = ALC887_FIXUP_ASUS_AUDIO,
++ },
+ };
+
+ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
+@@ -2423,6 +2464,7 @@ static const struct snd_pci_quirk alc882
+ SND_PCI_QUIRK(0x1043, 0x13c2, "Asus A7M", ALC882_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x1043, 0x1873, "ASUS W90V", ALC882_FIXUP_ASUS_W90V),
+ SND_PCI_QUIRK(0x1043, 0x1971, "Asus W2JC", ALC882_FIXUP_ASUS_W2JC),
++ SND_PCI_QUIRK(0x1043, 0x2390, "Asus D700SA", ALC887_FIXUP_ASUS_HMIC),
+ SND_PCI_QUIRK(0x1043, 0x835f, "Asus Eee 1601", ALC888_FIXUP_EEE1601),
+ SND_PCI_QUIRK(0x1043, 0x84bc, "ASUS ET2700", ALC887_FIXUP_ASUS_BASS),
+ SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3),
--- /dev/null
+From 13468bfa8c58731dc9ecda1cd9b22a191114f944 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 28 Sep 2020 16:01:17 +0800
+Subject: ALSA: hda/realtek - set mic to auto detect on a HP AIO machine
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 13468bfa8c58731dc9ecda1cd9b22a191114f944 upstream.
+
+Recently we enabled a HP AIO machine, we found the mic on the machine
+couldn't record any sound and it couldn't detect plugging and
+unplugging as well.
+
+Through debugging we found the mic is set to manual detect mode, after
+setting it to auto detect mode, it could detect plugging and
+unplugging and could record sound.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Link: https://lore.kernel.org/r/20200928080117.12435-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6216,6 +6216,7 @@ enum {
+ ALC269_FIXUP_LEMOTE_A190X,
+ ALC256_FIXUP_INTEL_NUC8_RUGGED,
+ ALC255_FIXUP_XIAOMI_HEADSET_MIC,
++ ALC274_FIXUP_HP_MIC,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -7595,6 +7596,14 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC289_FIXUP_ASUS_GA401
+ },
++ [ALC274_FIXUP_HP_MIC] = {
++ .type = HDA_FIXUP_VERBS,
++ .v.verbs = (const struct hda_verb[]) {
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x45 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x5089 },
++ { }
++ },
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
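Review bot: The two verbs in `ALC274_FIXUP_HP_MIC` write 0x5089 to coefficient index 0x45 on NID 0x20 without saying what the value selects. The commit message says the change moves the mic from manual to auto detect mode, so a comment such as `/* coef 0x45: set mic to auto detect mode */` above the verb list would record that at the place a maintainer will look. The remaining hunks of this patch only register the fixup.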
+@@ -7746,6 +7755,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
++ SND_PCI_QUIRK(0x103c, 0x874e, "HP", ALC274_FIXUP_HP_MIC),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x877d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+@@ -8071,6 +8081,7 @@ static const struct hda_model_fixup alc2
+ {.id = ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, .name = "alc256-medion-headset"},
+ {.id = ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, .name = "alc298-samsung-headphone"},
+ {.id = ALC255_FIXUP_XIAOMI_HEADSET_MIC, .name = "alc255-xiaomi-headset"},
++ {.id = ALC274_FIXUP_HP_MIC, .name = "alc274-hp-mic-detect"},
+ {}
+ };
+ #define ALC225_STANDARD_PINS \
--- /dev/null
+From 148ebf548a1af366fc797fcc7d03f0bb92b12a79 Mon Sep 17 00:00:00 2001
+From: Jeremy Szu <jeremy.szu@canonical.com>
+Date: Thu, 8 Oct 2020 18:56:44 +0800
+Subject: ALSA: hda/realtek - The front Mic on a HP machine doesn't work
+
+From: Jeremy Szu <jeremy.szu@canonical.com>
+
+commit 148ebf548a1af366fc797fcc7d03f0bb92b12a79 upstream.
+
+On a HP ZCentral, the front Mic could not be detected.
+
+The codec of the HP ZCentrol is alc671 and it needs to override the pin
+configuration to enable the headset mic.
+
+Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201008105645.65505-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9634,6 +9634,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
++ SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x1043, 0x1080, "Asus UX501VW", ALC668_FIXUP_HEADSET_MODE),
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50),
+ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
--- /dev/null
+From d367cb960ce88914898cbfa43645c2e43ede9465 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 16 Sep 2020 23:18:21 +0300
+Subject: cifs: remove bogus debug code
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d367cb960ce88914898cbfa43645c2e43ede9465 upstream.
+
+The "end" pointer is either NULL or it points to the next byte to parse.
+If there isn't a next byte then dereferencing "end" is an off-by-one out
+of bounds error. And, of course, if it's NULL that leads to an Oops.
+Printing "*end" doesn't seem very useful so let's delete this code.
+
+Also for the last debug statement, I noticed that it should be printing
+"sequence_end" instead of "end" so fix that as well.
+
+Reported-by: Dominik Maier <dmaier@sect.tu-berlin.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/asn1.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/cifs/asn1.c
++++ b/fs/cifs/asn1.c
+@@ -530,8 +530,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
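Review bot: After this change the debug strings in the first and third checks are byte-identical (`... end = %p exit 0`), so a log line cannot show which header check rejected the token. The second check's `exit 1` label is also reused by the fourth, which now differs only in printing `sequence_end`. Giving each bail-out its own label (`exit 0` through `exit 3`, or the name of the element being decoded) would make the FYI output usable when triaging a malformed negTokenInit. Since `%p` prints a hashed value by default, the pointer itself adds little and could be dropped. decode_negTokenInit() begins and ends outside these hunks.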
+@@ -541,8 +541,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 1\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
+@@ -552,8 +552,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
+@@ -564,8 +564,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d sequence_end = %p exit 1\n",
++ cls, con, tag, sequence_end);
+ return 0;
+ }
+
--- /dev/null
+From 0bd294b55a5de442370c29fa53bab17aef3ff318 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Thu, 15 Oct 2020 10:41:31 -0700
+Subject: cifs: Return the error from crypt_message when enc/dec key not found.
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit 0bd294b55a5de442370c29fa53bab17aef3ff318 upstream.
+
+In crypt_message, when smb2_get_enc_key returns error, we need to
+return the error back to the caller. If not, we end up processing
+the message further, causing a kernel oops due to unwarranted access
+of memory.
+
+Call Trace:
+smb3_receive_transform+0x120/0x870 [cifs]
+cifs_demultiplex_thread+0xb53/0xc20 [cifs]
+? cifs_handle_standard+0x190/0x190 [cifs]
+kthread+0x116/0x130
+? kthread_park+0x80/0x80
+ret_from_fork+0x1f/0x30
+
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3707,7 +3707,7 @@ crypt_message(struct TCP_Server_Info *se
+ if (rc) {
+ cifs_server_dbg(VFS, "%s: Could not get %scryption key\n", __func__,
+ enc ? "en" : "de");
+- return 0;
++ return rc;
+ }
+
+ rc = smb3_crypto_aead_allocate(server);
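Review bot: The message logged just before the new `return rc;` does not include `rc`, so the log cannot say why the key lookup failed even though the code now propagates the reason. Consider `cifs_server_dbg(VFS, "%s: Could not get %scryption key. rc = %d\n", __func__, enc ? "en" : "de", rc);`. The callers of crypt_message() are outside the hunk. It is worth confirming that each treats a non-zero return as "buffer not transformed" and stops processing the message, since continuing is what led to the oops described in the commit message.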
--- /dev/null
+From b89d5ad00e789967a5e2c5335f75c48755bebd88 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 23 Sep 2020 11:44:47 -0700
+Subject: KVM: nVMX: Reload vmcs01 if getting vmcs12's pages fails
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit b89d5ad00e789967a5e2c5335f75c48755bebd88 upstream.
+
+Reload vmcs01 when bailing from nested_vmx_enter_non_root_mode() as KVM
+expects vmcs01 to be loaded when is_guest_mode() is false.
+
+Fixes: 671ddc700fd08 ("KVM: nVMX: Don't leak L1 MMIO regions to L2")
+Cc: stable@vger.kernel.org
+Cc: Dan Cross <dcross@google.com>
+Cc: Jim Mattson <jmattson@google.com>
+Cc: Peter Shier <pshier@google.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200923184452.980-3-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx/nested.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3096,8 +3096,10 @@ enum nvmx_vmentry_status nested_vmx_ente
+ prepare_vmcs02_early(vmx, vmcs12);
+
+ if (from_vmentry) {
+- if (unlikely(!nested_get_vmcs12_pages(vcpu)))
++ if (unlikely(!nested_get_vmcs12_pages(vcpu))) {
++ vmx_switch_vmcs(vcpu, &vmx->vmcs01);
+ return NVMX_VMENTRY_KVM_INTERNAL_ERROR;
++ }
+
+ if (nested_vmx_check_vmentry_hw(vcpu)) {
+ vmx_switch_vmcs(vcpu, &vmx->vmcs01);
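Review bot: Both bail-out paths visible here now open-code `vmx_switch_vmcs(vcpu, &vmx->vmcs01)`, and neither states the invariant it protects. A comment on the first, e.g. `/* vmcs01 must be loaded whenever is_guest_mode() is false */`, would make it harder for a later early return to repeat the omission this commit fixes. If further failure exits follow below the hunk, a shared cleanup label would be sturdier than another copy of the call. nested_vmx_enter_non_root_mode() continues outside the hunk.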
--- /dev/null
+From fc387d8daf3960c5e1bc18fa353768056f4fd394 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 23 Sep 2020 11:44:46 -0700
+Subject: KVM: nVMX: Reset the segment cache when stuffing guest segs
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit fc387d8daf3960c5e1bc18fa353768056f4fd394 upstream.
+
+Explicitly reset the segment cache after stuffing guest segment regs in
+prepare_vmcs02_rare(). Although the cache is reset when switching to
+vmcs02, there is nothing that prevents KVM from re-populating the cache
+prior to writing vmcs02 with vmcs12's values. E.g. if the vCPU is
+preempted after switching to vmcs02 but before prepare_vmcs02_rare(),
+kvm_arch_vcpu_put() will dereference GUEST_SS_AR_BYTES via .get_cpl()
+and cache the stale vmcs02 value. While the current code base only
+caches stale data in the preemption case, it's theoretically possible
+future code could read a segment register during the nested flow itself,
+i.e. this isn't technically illegal behavior in kvm_arch_vcpu_put(),
+although it did introduce the bug.
+
+This manifests as an unexpected nested VM-Enter failure when running
+with unrestricted guest disabled if the above preemption case coincides
+with L1 switching L2's CPL, e.g. when switching from a L2 vCPU at CPL3
+to to a L2 vCPU at CPL0. stack_segment_valid() will see the new SS_SEL
+but the old SS_AR_BYTES and incorrectly mark the guest state as invalid
+due to SS.dpl != SS.rpl.
+
+Don't bother updating the cache even though prepare_vmcs02_rare() writes
+every segment. With unrestricted guest, guest segments are almost never
+read, let alone L2 guest segments. On the other hand, populating the
+cache requires a large number of memory writes, i.e. it's unlikely to be
+a net win. Updating the cache would be a win when unrestricted guest is
+not supported, as guest_state_valid() will immediately cache all segment
+registers. But, nested virtualization without unrestricted guest is
+dirt slow, saving some VMREADs won't change that, and every CPU
+manufactured in the last decade supports unrestricted guest. In other
+words, the extra (minor) complexity isn't worth the trouble.
+
+Note, kvm_arch_vcpu_put() may see stale data when querying guest CPL
+depending on when preemption occurs. This is "ok" in that the usage is
+imperfect by nature, i.e. it's used heuristically to improve performance
+but doesn't affect functionality. kvm_arch_vcpu_put() could be "fixed"
+by also disabling preemption while loading segments, but that's
+pointless and misleading as reading state from kvm_sched_{in,out}() is
+guaranteed to see stale data in one form or another. E.g. even if all
+the usage of regs_avail is fixed to call kvm_register_mark_available()
+after the associated state is set, the individual state might still be
+stale with respect to the overall vCPU state. I.e. making functional
+decisions in an asynchronous hook is doomed from the get go. Thankfully
+KVM doesn't do that.
+
+Fixes: de63ad4cf4973 ("KVM: X86: implement the logic for spinlock optimization")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200923184452.980-2-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx/nested.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -2231,6 +2231,8 @@ static void prepare_vmcs02_rare(struct v
+ vmcs_writel(GUEST_TR_BASE, vmcs12->guest_tr_base);
+ vmcs_writel(GUEST_GDTR_BASE, vmcs12->guest_gdtr_base);
+ vmcs_writel(GUEST_IDTR_BASE, vmcs12->guest_idtr_base);
++
++ vmx->segment_cache.bitmask = 0;
+ }
+
+ if (!hv_evmcs || !(hv_evmcs->hv_clean_fields &
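Review bot: The added `vmx->segment_cache.bitmask = 0;` has no comment, and its purpose is not obvious at this site because the cache is already reset on the switch to vmcs02. I would put `/* The cache may have been refilled with stale vmcs02 values (e.g. on preemption) before the writes above. */` directly above it. Without that, the line looks redundant and is a likely target for a later cleanup, which would bring back the spurious VM-Enter failure described in the commit message. The conditional block this line closes opens above the hunk.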
--- /dev/null
+From f6426ab9c957e97418ac5b0466538792767b1738 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date: Sat, 3 Oct 2020 23:27:07 +0000
+Subject: KVM: SVM: Initialize prev_ga_tag before use
+
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+commit f6426ab9c957e97418ac5b0466538792767b1738 upstream.
+
+The function amd_ir_set_vcpu_affinity makes use of the parameter struct
+amd_iommu_pi_data.prev_ga_tag to determine if it should delete struct
+amd_iommu_pi_data from a list when not running in AVIC mode.
+
+However, prev_ga_tag is initialized only when AVIC is enabled. The non-zero
+uninitialized value can cause unintended code path, which ends up making
+use of the struct vcpu_svm.ir_list and ir_list_lock without being
+initialized (since they are intended only for the AVIC case).
+
+This triggers NULL pointer dereference bug in the function vm_ir_list_del
+with the following call trace:
+
+ svm_update_pi_irte+0x3c2/0x550 [kvm_amd]
+ ? proc_create_single_data+0x41/0x50
+ kvm_arch_irq_bypass_add_producer+0x40/0x60 [kvm]
+ __connect+0x5f/0xb0 [irqbypass]
+ irq_bypass_register_producer+0xf8/0x120 [irqbypass]
+ vfio_msi_set_vector_signal+0x1de/0x2d0 [vfio_pci]
+ vfio_msi_set_block+0x77/0xe0 [vfio_pci]
+ vfio_pci_set_msi_trigger+0x25c/0x2f0 [vfio_pci]
+ vfio_pci_set_irqs_ioctl+0x88/0xb0 [vfio_pci]
+ vfio_pci_ioctl+0x2ea/0xed0 [vfio_pci]
+ ? alloc_file_pseudo+0xa5/0x100
+ vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
+ ? vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
+ __x64_sys_ioctl+0x96/0xd0
+ do_syscall_64+0x37/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Therefore, initialize prev_ga_tag to zero before use. This should be safe
+because ga_tag value 0 is invalid (see function avic_vm_init).
+
+Fixes: dfa20099e26e ("KVM: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()")
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Message-Id: <20201003232707.4662-1-suravee.suthikulpanit@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5383,6 +5383,7 @@ static int svm_update_pi_irte(struct kvm
+ * - Tell IOMMU to use legacy mode for this interrupt.
+ * - Retrieve ga_tag of prior interrupt remapping data.
+ */
++ pi.prev_ga_tag = 0;
+ pi.is_guest_mode = false;
+ ret = irq_set_vcpu_affinity(host_irq, &pi);
+
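Review bot: Only `prev_ga_tag` is initialised here. The declaration of `pi` is outside the hunk, and if it is an uninitialised stack struct, any other field read on this non-guest-mode path has the same exposure. Zero-initialising at the declaration, presumably `struct amd_iommu_pi_data pi = {};`, would cover the whole struct rather than one member. A short comment on the new line, `/* 0 is never a valid ga_tag, see avic_vm_init() */`, would record why zero is a safe sentinel for the list-deletion check.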
--- /dev/null
+From e89505698c9f70125651060547da4ff5046124fc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 23 Sep 2020 11:37:28 -0700
+Subject: KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit e89505698c9f70125651060547da4ff5046124fc upstream.
+
+Call kvm_mmu_commit_zap_page() after exiting the "prepare zap" loop in
+kvm_recover_nx_lpages() to finish zapping pages in the unlikely event
+that the loop exited due to lpage_disallowed_mmu_pages being empty.
+Because the recovery thread drops mmu_lock() when rescheduling, it's
+possible that lpage_disallowed_mmu_pages could be emptied by a different
+thread without to_zap reaching zero despite to_zap being derived from
+the number of disallowed lpages.
+
+Fixes: 1aa9b9572b105 ("kvm: x86: mmu: Recovery of shattered NX large pages")
+Cc: Junaid Shahid <junaids@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200923183735.584-2-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -6453,6 +6453,7 @@ static void kvm_recover_nx_lpages(struct
+ cond_resched_lock(&kvm->mmu_lock);
+ }
+ }
++ kvm_mmu_commit_zap_page(kvm, &invalid_list);
+
+ spin_unlock(&kvm->mmu_lock);
+ srcu_read_unlock(&kvm->srcu, rcu_idx);
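Review bot: The new unconditional `kvm_mmu_commit_zap_page(kvm, &invalid_list);` after the loop has no comment saying when it does real work. Per the commit message, that is only when the loop ends because the disallowed-lpage list was emptied by another thread while mmu_lock was dropped. Suggested comment: `/* The loop can exit with to_zap != 0 if the list was emptied concurrently; commit whatever was prepared. */`. The loop body and its exit condition are above the hunk, so this relies on the commit message rather than on visible code.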
selftests-rtnetlink-load-fou-module-for-kci_test_encap_fou-test.patch
tcp-fix-to-update-snd_wl1-in-bulk-receiver-fast-path.patch
icmp-randomize-the-global-rate-limiter.patch
+alsa-hda-realtek-the-front-mic-on-a-hp-machine-doesn-t-work.patch
+alsa-hda-realtek-set-mic-to-auto-detect-on-a-hp-aio-machine.patch
+alsa-hda-realtek-add-mute-led-support-for-hp-elitebook-845-g7.patch
+alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch
+cifs-remove-bogus-debug-code.patch
+cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
+smb3-resolve-data-corruption-of-tcp-server-info-fields.patch
+kvm-nvmx-reset-the-segment-cache-when-stuffing-guest-segs.patch
+kvm-nvmx-reload-vmcs01-if-getting-vmcs12-s-pages-fails.patch
+kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
+kvm-svm-initialize-prev_ga_tag-before-use.patch
--- /dev/null
+From 62593011247c8a8cfeb0c86aff84688b196727c2 Mon Sep 17 00:00:00 2001
+From: Rohith Surabattula <rohiths@microsoft.com>
+Date: Thu, 8 Oct 2020 09:58:41 +0000
+Subject: SMB3: Resolve data corruption of TCP server info fields
+
+From: Rohith Surabattula <rohiths@microsoft.com>
+
+commit 62593011247c8a8cfeb0c86aff84688b196727c2 upstream.
+
+TCP server info field server->total_read is modified in parallel by
+demultiplex thread and decrypt offload worker thread. server->total_read
+is used in calculation to discard the remaining data of PDU which is
+not read into memory.
+
+Because of parallel modification, server->total_read can get corrupted
+and can result in discarding the valid data of next PDU.
+
+Signed-off-by: Rohith Surabattula <rohiths@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org> #5.4+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3886,7 +3886,8 @@ smb3_is_transform_hdr(void *buf)
+ static int
+ decrypt_raw_data(struct TCP_Server_Info *server, char *buf,
+ unsigned int buf_data_size, struct page **pages,
+- unsigned int npages, unsigned int page_data_size)
++ unsigned int npages, unsigned int page_data_size,
++ bool is_offloaded)
+ {
+ struct kvec iov[2];
+ struct smb_rqst rqst = {NULL};
+@@ -3912,7 +3913,8 @@ decrypt_raw_data(struct TCP_Server_Info
+
+ memmove(buf, iov[1].iov_base, buf_data_size);
+
+- server->total_read = buf_data_size + page_data_size;
++ if (!is_offloaded)
++ server->total_read = buf_data_size + page_data_size;
+
+ return rc;
+ }
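Review bot: The `if (!is_offloaded)` guard on the `server->total_read` store carries no comment, and the bare `true`/`false` arguments at the three call sites in the later hunks do not say what they select. Proposed comment above the guard: `/* total_read is owned by the demultiplex thread; the decrypt offload worker must not modify it */`. The store itself is still unsynchronised, so the fix holds only while every `is_offloaded == false` caller runs on the demultiplex thread, which cannot be confirmed from these hunks. decrypt_raw_data() begins in the previous hunk and its middle section is not shown.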
+@@ -4126,7 +4128,7 @@ static void smb2_decrypt_offload(struct
+ struct mid_q_entry *mid;
+
+ rc = decrypt_raw_data(dw->server, dw->buf, dw->server->vals->read_rsp_size,
+- dw->ppages, dw->npages, dw->len);
++ dw->ppages, dw->npages, dw->len, true);
+ if (rc) {
+ cifs_dbg(VFS, "error decrypting rc=%d\n", rc);
+ goto free_pages;
+@@ -4232,7 +4234,7 @@ receive_encrypted_read(struct TCP_Server
+
+ non_offloaded_decrypt:
+ rc = decrypt_raw_data(server, buf, server->vals->read_rsp_size,
+- pages, npages, len);
++ pages, npages, len, false);
+ if (rc)
+ goto free_pages;
+
+@@ -4288,7 +4290,7 @@ receive_encrypted_standard(struct TCP_Se
+ server->total_read += length;
+
+ buf_size = pdu_length - sizeof(struct smb2_transform_hdr);
+- length = decrypt_raw_data(server, buf, buf_size, NULL, 0, 0);
++ length = decrypt_raw_data(server, buf, buf_size, NULL, 0, 0, false);
+ if (length)
+ return length;
+