--- /dev/null
+From a2f647240998aa49632fb09b01388fdf2b87acfc Mon Sep 17 00:00:00 2001
+From: Wu Bo <wubo40@huawei.com>
+Date: Sun, 26 Apr 2020 21:17:22 +0800
+Subject: ALSA: hda/hdmi: fix without unlocked before return
+
+From: Wu Bo <wubo40@huawei.com>
+
+commit a2f647240998aa49632fb09b01388fdf2b87acfc upstream.
+
+Fix the following coccicheck warning:
+sound/pci/hda/patch_hdmi.c:1852:2-8: preceding lock on line 1846
+
+After add sanity check to pass klockwork check,
+The spdif_mutex should be unlock before return true
+in check_non_pcm_per_cvt().
+
+Fixes: 960a581e22d9 ("ALSA: hda: fix some klockwork scan warnings")
+Signed-off-by: Wu Bo <wubo40@huawei.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1587907042-694161-1-git-send-email-wubo40@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_hdmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -1934,8 +1934,10 @@ static bool check_non_pcm_per_cvt(struct
+ /* Add sanity check to pass klockwork check.
+ * This should never happen.
+ */
+- if (WARN_ON(spdif == NULL))
++ if (WARN_ON(spdif == NULL)) {
++ mutex_unlock(&codec->spdif_mutex);
+ return true;
++ }
+ non_pcm = !!(spdif->status & IEC958_AES0_NONAUDIO);
+ mutex_unlock(&codec->spdif_mutex);
+ return non_pcm;
--- /dev/null
+From ef0b3203c758b6b8abdb5dca651880347eae6b8c Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 27 Apr 2020 11:00:39 +0800
+Subject: ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit ef0b3203c758b6b8abdb5dca651880347eae6b8c upstream.
+
+This new Lenovo ThinkCenter has two front mics which can't be handled
+by PA so far, so apply the fixup ALC283_FIXUP_HEADSET_MIC to change
+the location for one of the mics.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Link: https://lore.kernel.org/r/20200427030039.10121-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7295,6 +7295,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1558, 0x8561, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC233_FIXUP_LENOVO_MULTI_CODECS),
++ SND_PCI_QUIRK(0x17aa, 0x1048, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE),
+ SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE),
+ SND_PCI_QUIRK(0x17aa, 0x21b8, "Thinkpad Edge 14", ALC269_FIXUP_SKU_IGNORE),
--- /dev/null
+From cc18b2f4f3f1d7ed3125ac1840794f9feab0325c Mon Sep 17 00:00:00 2001
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+Date: Sat, 25 Apr 2020 13:11:15 -0700
+Subject: ALSA: line6: Fix POD HD500 audio playback
+
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+
+commit cc18b2f4f3f1d7ed3125ac1840794f9feab0325c upstream.
+
+Apparently interface 1 is control interface akin to HD500X,
+setting LINE6_CAP_CONTROL and choosing it as ctrl_if fixes
+audio playback on POD HD500.
+
+Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200425201115.3430-1-anarsoul@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/podhd.c | 22 +++++-----------------
+ 1 file changed, 5 insertions(+), 17 deletions(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -21,8 +21,7 @@
+ enum {
+ LINE6_PODHD300,
+ LINE6_PODHD400,
+- LINE6_PODHD500_0,
+- LINE6_PODHD500_1,
++ LINE6_PODHD500,
+ LINE6_PODX3,
+ LINE6_PODX3LIVE,
+ LINE6_PODHD500X,
+@@ -318,8 +317,7 @@ static const struct usb_device_id podhd_
+ /* TODO: no need to alloc data interfaces when only audio is used */
+ { LINE6_DEVICE(0x5057), .driver_info = LINE6_PODHD300 },
+ { LINE6_DEVICE(0x5058), .driver_info = LINE6_PODHD400 },
+- { LINE6_IF_NUM(0x414D, 0), .driver_info = LINE6_PODHD500_0 },
+- { LINE6_IF_NUM(0x414D, 1), .driver_info = LINE6_PODHD500_1 },
++ { LINE6_IF_NUM(0x414D, 0), .driver_info = LINE6_PODHD500 },
+ { LINE6_IF_NUM(0x414A, 0), .driver_info = LINE6_PODX3 },
+ { LINE6_IF_NUM(0x414B, 0), .driver_info = LINE6_PODX3LIVE },
+ { LINE6_IF_NUM(0x4159, 0), .driver_info = LINE6_PODHD500X },
+@@ -352,23 +350,13 @@ static const struct line6_properties pod
+ .ep_audio_r = 0x82,
+ .ep_audio_w = 0x01,
+ },
+- [LINE6_PODHD500_0] = {
++ [LINE6_PODHD500] = {
+ .id = "PODHD500",
+ .name = "POD HD500",
+- .capabilities = LINE6_CAP_PCM
++ .capabilities = LINE6_CAP_PCM | LINE6_CAP_CONTROL
+ | LINE6_CAP_HWMON,
+ .altsetting = 1,
+- .ep_ctrl_r = 0x81,
+- .ep_ctrl_w = 0x01,
+- .ep_audio_r = 0x86,
+- .ep_audio_w = 0x02,
+- },
+- [LINE6_PODHD500_1] = {
+- .id = "PODHD500",
+- .name = "POD HD500",
+- .capabilities = LINE6_CAP_PCM
+- | LINE6_CAP_HWMON,
+- .altsetting = 0,
++ .ctrl_if = 1,
+ .ep_ctrl_r = 0x81,
+ .ep_ctrl_w = 0x01,
+ .ep_audio_r = 0x86,
--- /dev/null
+From 4285de0725b1bf73608abbcd35ad7fd3ddc0b61e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 24 Apr 2020 21:33:50 +0200
+Subject: ALSA: pcm: oss: Place the plugin buffer overflow checks correctly
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4285de0725b1bf73608abbcd35ad7fd3ddc0b61e upstream.
+
+The checks of the plugin buffer overflow in the previous fix by commit
+ f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
+are put in the wrong places mistakenly, which leads to the expected
+(repeated) sound when the rate plugin is involved. Fix in the right
+places.
+
+Also, at those right places, the zero check is needed for the
+termination node, so added there as well, and let's get it done,
+finally.
+
+Fixes: f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200424193350.19678-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_plugin.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/sound/core/oss/pcm_plugin.c
++++ b/sound/core/oss/pcm_plugin.c
+@@ -211,21 +211,23 @@ static snd_pcm_sframes_t plug_client_siz
+ if (stream == SNDRV_PCM_STREAM_PLAYBACK) {
+ plugin = snd_pcm_plug_last(plug);
+ while (plugin && drv_frames > 0) {
+- if (check_size && drv_frames > plugin->buf_frames)
+- drv_frames = plugin->buf_frames;
+ plugin_prev = plugin->prev;
+ if (plugin->src_frames)
+ drv_frames = plugin->src_frames(plugin, drv_frames);
++ if (check_size && plugin->buf_frames &&
++ drv_frames > plugin->buf_frames)
++ drv_frames = plugin->buf_frames;
+ plugin = plugin_prev;
+ }
+ } else if (stream == SNDRV_PCM_STREAM_CAPTURE) {
+ plugin = snd_pcm_plug_first(plug);
+ while (plugin && drv_frames > 0) {
+ plugin_next = plugin->next;
++ if (check_size && plugin->buf_frames &&
++ drv_frames > plugin->buf_frames)
++ drv_frames = plugin->buf_frames;
+ if (plugin->dst_frames)
+ drv_frames = plugin->dst_frames(plugin, drv_frames);
+- if (check_size && drv_frames > plugin->buf_frames)
+- drv_frames = plugin->buf_frames;
+ plugin = plugin_next;
+ }
+ } else
+@@ -251,26 +253,28 @@ static snd_pcm_sframes_t plug_slave_size
+ plugin = snd_pcm_plug_first(plug);
+ while (plugin && frames > 0) {
+ plugin_next = plugin->next;
++ if (check_size && plugin->buf_frames &&
++ frames > plugin->buf_frames)
++ frames = plugin->buf_frames;
+ if (plugin->dst_frames) {
+ frames = plugin->dst_frames(plugin, frames);
+ if (frames < 0)
+ return frames;
+ }
+- if (check_size && frames > plugin->buf_frames)
+- frames = plugin->buf_frames;
+ plugin = plugin_next;
+ }
+ } else if (stream == SNDRV_PCM_STREAM_CAPTURE) {
+ plugin = snd_pcm_plug_last(plug);
+ while (plugin) {
+- if (check_size && frames > plugin->buf_frames)
+- frames = plugin->buf_frames;
+ plugin_prev = plugin->prev;
+ if (plugin->src_frames) {
+ frames = plugin->src_frames(plugin, frames);
+ if (frames < 0)
+ return frames;
+ }
++ if (check_size && plugin->buf_frames &&
++ frames > plugin->buf_frames)
++ frames = plugin->buf_frames;
+ plugin = plugin_prev;
+ }
+ } else
--- /dev/null
+From 547d2c9cf4f1f72adfecacbd5b093681fb0e8b3e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 30 Apr 2020 14:47:55 +0200
+Subject: ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 547d2c9cf4f1f72adfecacbd5b093681fb0e8b3e upstream.
+
+The USB vendor ID of NuPrime DAC-10 is not 16b0 but 16d0.
+
+Fixes: f656891c6619 ("ALSA: usb-audio: add more quirks for DSD interfaces")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200430124755.15940-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1643,7 +1643,7 @@ u64 snd_usb_interface_dsd_format_quirks(
+
+ case USB_ID(0x0d8c, 0x0316): /* Hegel HD12 DSD */
+ case USB_ID(0x10cb, 0x0103): /* The Bit Opus #3; with fp->dsd_raw */
+- case USB_ID(0x16b0, 0x06b2): /* NuPrime DAC-10 */
++ case USB_ID(0x16d0, 0x06b2): /* NuPrime DAC-10 */
+ case USB_ID(0x16d0, 0x09dd): /* Encore mDSD */
+ case USB_ID(0x16d0, 0x0733): /* Furutech ADL Stratos */
+ case USB_ID(0x16d0, 0x09db): /* NuPrime Audio DAC-9 */
--- /dev/null
+From b7dc7205b2ae6b6c9d9cfc3e47d6f08da8647b10 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 27 Feb 2020 12:18:51 +0000
+Subject: ARM: dts: imx6qdl-sr-som-ti: indicate powering off wifi is safe
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit b7dc7205b2ae6b6c9d9cfc3e47d6f08da8647b10 upstream.
+
+We need to indicate that powering off the TI WiFi is safe, to avoid:
+
+wl18xx_driver wl18xx.2.auto: Unbalanced pm_runtime_enable!
+wl1271_sdio mmc0:0001:2: wl12xx_sdio_power_on: failed to get_sync(-13)
+
+which prevents the WiFi being functional.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Cc: Miguel Borges de Freitas <miguelborgesdefreitas@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx6qdl-sr-som-ti.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/imx6qdl-sr-som-ti.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-sr-som-ti.dtsi
+@@ -153,6 +153,7 @@
+ bus-width = <4>;
+ keep-power-in-suspend;
+ mmc-pwrseq = <&pwrseq_ti_wifi>;
++ cap-power-off-card;
+ non-removable;
+ vmmc-supply = <&vcc_3v3>;
+ /* vqmmc-supply = <&nvcc_sd1>; - MMC layer doesn't like it! */
--- /dev/null
+From 3815f1be546e752327b5868af103ccdddcc4db77 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 23 Apr 2020 13:45:27 -0400
+Subject: dlmfs_file_write(): fix the bogosity in handling non-zero *ppos
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3815f1be546e752327b5868af103ccdddcc4db77 upstream.
+
+'count' is how much you want written, not the final position.
+Moreover, it can legitimately be less than the current position...
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dlmfs/dlmfs.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+--- a/fs/ocfs2/dlmfs/dlmfs.c
++++ b/fs/ocfs2/dlmfs/dlmfs.c
+@@ -275,7 +275,6 @@ static ssize_t dlmfs_file_write(struct f
+ loff_t *ppos)
+ {
+ int bytes_left;
+- ssize_t writelen;
+ char *lvb_buf;
+ struct inode *inode = file_inode(filp);
+
+@@ -285,32 +284,30 @@ static ssize_t dlmfs_file_write(struct f
+ if (*ppos >= i_size_read(inode))
+ return -ENOSPC;
+
++ /* don't write past the lvb */
++ if (count > i_size_read(inode) - *ppos)
++ count = i_size_read(inode) - *ppos;
++
+ if (!count)
+ return 0;
+
+ if (!access_ok(buf, count))
+ return -EFAULT;
+
+- /* don't write past the lvb */
+- if ((count + *ppos) > i_size_read(inode))
+- writelen = i_size_read(inode) - *ppos;
+- else
+- writelen = count - *ppos;
+-
+- lvb_buf = kmalloc(writelen, GFP_NOFS);
++ lvb_buf = kmalloc(count, GFP_NOFS);
+ if (!lvb_buf)
+ return -ENOMEM;
+
+- bytes_left = copy_from_user(lvb_buf, buf, writelen);
+- writelen -= bytes_left;
+- if (writelen)
+- user_dlm_write_lvb(inode, lvb_buf, writelen);
++ bytes_left = copy_from_user(lvb_buf, buf, count);
++ count -= bytes_left;
++ if (count)
++ user_dlm_write_lvb(inode, lvb_buf, count);
+
+ kfree(lvb_buf);
+
+- *ppos = *ppos + writelen;
+- mlog(0, "wrote %zd bytes\n", writelen);
+- return writelen;
++ *ppos = *ppos + count;
++ mlog(0, "wrote %zu bytes\n", count);
++ return count;
+ }
+
+ static void dlmfs_init_once(void *foo)
--- /dev/null
+From 5686dee34dbfe0238c0274e0454fa0174ac0a57a Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi <krisman@collabora.com>
+Date: Mon, 27 Apr 2020 20:39:11 -0400
+Subject: dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath
+
+From: Gabriel Krisman Bertazi <krisman@collabora.com>
+
+commit 5686dee34dbfe0238c0274e0454fa0174ac0a57a upstream.
+
+When adding devices that don't have a scsi_dh on a BIO based multipath,
+I was able to consistently hit the warning below and lock-up the system.
+
+The problem is that __map_bio reads the flag before it potentially being
+modified by choose_pgpath, and ends up using the older value.
+
+The WARN_ON below is not trivially linked to the issue. It goes like
+this: The activate_path delayed_work is not initialized for non-scsi_dh
+devices, but we always set MPATHF_QUEUE_IO, asking for initialization.
+That is fine, since MPATHF_QUEUE_IO would be cleared in choose_pgpath.
+Nevertheless, only for BIO-based mpath, we cache the flag before calling
+choose_pgpath, and use the older version when deciding if we should
+initialize the path. Therefore, we end up trying to initialize the
+paths, and calling the non-initialized activate_path work.
+
+[ 82.437100] ------------[ cut here ]------------
+[ 82.437659] WARNING: CPU: 3 PID: 602 at kernel/workqueue.c:1624
+ __queue_delayed_work+0x71/0x90
+[ 82.438436] Modules linked in:
+[ 82.438911] CPU: 3 PID: 602 Comm: systemd-udevd Not tainted 5.6.0-rc6+ #339
+[ 82.439680] RIP: 0010:__queue_delayed_work+0x71/0x90
+[ 82.440287] Code: c1 48 89 4a 50 81 ff 00 02 00 00 75 2a 4c 89 cf e9
+94 d6 07 00 e9 7f e9 ff ff 0f 0b eb c7 0f 0b 48 81 7a 58 40 74 a8 94 74
+a7 <0f> 0b 48 83 7a 48 00 74 a5 0f 0b eb a1 89 fe 4c 89 cf e9 c8 c4 07
+[ 82.441719] RSP: 0018:ffffb738803977c0 EFLAGS: 00010007
+[ 82.442121] RAX: ffffa086389f9740 RBX: 0000000000000002 RCX: 0000000000000000
+[ 82.442718] RDX: ffffa086350dd930 RSI: ffffa0863d76f600 RDI: 0000000000000200
+[ 82.443484] RBP: 0000000000000200 R08: 0000000000000000 R09: ffffa086350dd970
+[ 82.444128] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa086350dd930
+[ 82.444773] R13: ffffa0863d76f600 R14: 0000000000000000 R15: ffffa08636738008
+[ 82.445427] FS: 00007f6abfe9dd40(0000) GS:ffffa0863dd80000(0000) knlGS:00000
+[ 82.446040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 82.446478] CR2: 0000557d288db4e8 CR3: 0000000078b36000 CR4: 00000000000006e0
+[ 82.447104] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 82.447561] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 82.448012] Call Trace:
+[ 82.448164] queue_delayed_work_on+0x6d/0x80
+[ 82.448472] __pg_init_all_paths+0x7b/0xf0
+[ 82.448714] pg_init_all_paths+0x26/0x40
+[ 82.448980] __multipath_map_bio.isra.0+0x84/0x210
+[ 82.449267] __map_bio+0x3c/0x1f0
+[ 82.449468] __split_and_process_non_flush+0x14a/0x1b0
+[ 82.449775] __split_and_process_bio+0xde/0x340
+[ 82.450045] ? dm_get_live_table+0x5/0xb0
+[ 82.450278] dm_process_bio+0x98/0x290
+[ 82.450518] dm_make_request+0x54/0x120
+[ 82.450778] generic_make_request+0xd2/0x3e0
+[ 82.451038] ? submit_bio+0x3c/0x150
+[ 82.451278] submit_bio+0x3c/0x150
+[ 82.451492] mpage_readpages+0x129/0x160
+[ 82.451756] ? bdev_evict_inode+0x1d0/0x1d0
+[ 82.452033] read_pages+0x72/0x170
+[ 82.452260] __do_page_cache_readahead+0x1ba/0x1d0
+[ 82.452624] force_page_cache_readahead+0x96/0x110
+[ 82.452903] generic_file_read_iter+0x84f/0xae0
+[ 82.453192] ? __seccomp_filter+0x7c/0x670
+[ 82.453547] new_sync_read+0x10e/0x190
+[ 82.453883] vfs_read+0x9d/0x150
+[ 82.454172] ksys_read+0x65/0xe0
+[ 82.454466] do_syscall_64+0x4e/0x210
+[ 82.454828] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[...]
+[ 82.462501] ---[ end trace bb39975e9cf45daa ]---
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-mpath.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -585,10 +585,12 @@ static struct pgpath *__map_bio(struct m
+
+ /* Do we need to select a new pgpath? */
+ pgpath = READ_ONCE(m->current_pgpath);
+- queue_io = test_bit(MPATHF_QUEUE_IO, &m->flags);
+- if (!pgpath || !queue_io)
++ if (!pgpath || !test_bit(MPATHF_QUEUE_IO, &m->flags))
+ pgpath = choose_pgpath(m, bio->bi_iter.bi_size);
+
++ /* MPATHF_QUEUE_IO might have been cleared by choose_pgpath. */
++ queue_io = test_bit(MPATHF_QUEUE_IO, &m->flags);
++
+ if ((pgpath && queue_io) ||
+ (!pgpath && test_bit(MPATHF_QUEUE_IF_NO_PATH, &m->flags))) {
+ /* Queue for the daemon to resubmit */
--- /dev/null
+From ad4e80a639fc61d5ecebb03caa5cdbfb91fcebfc Mon Sep 17 00:00:00 2001
+From: Sunwook Eom <speed.eom@samsung.com>
+Date: Fri, 10 Apr 2020 12:54:19 +0900
+Subject: dm verity fec: fix hash block number in verity_fec_decode
+
+From: Sunwook Eom <speed.eom@samsung.com>
+
+commit ad4e80a639fc61d5ecebb03caa5cdbfb91fcebfc upstream.
+
+The error correction data is computed as if data and hash blocks
+were concatenated. But hash block number starts from v->hash_start.
+So, we have to calculate hash block number based on that.
+
+Fixes: a739ff3f543af ("dm verity: add support for forward error correction")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sunwook Eom <speed.eom@samsung.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-verity-fec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -435,7 +435,7 @@ int verity_fec_decode(struct dm_verity *
+ fio->level++;
+
+ if (type == DM_VERITY_BLOCK_TYPE_METADATA)
+- block += v->data_blocks;
++ block = block - v->hash_start + v->data_blocks;
+
+ /*
+ * For RS(M, N), the continuous FEC data is divided into blocks of N
--- /dev/null
+From 31b22120194b5c0d460f59e0c98504de1d3f1f14 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 15 Apr 2020 11:01:38 -0400
+Subject: dm writecache: fix data corruption when reloading the target
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 31b22120194b5c0d460f59e0c98504de1d3f1f14 upstream.
+
+The dm-writecache reads metadata in the target constructor. However, when
+we reload the target, there could be another active instance running on
+the same device. This is the sequence of operations when doing a reload:
+
+1. construct new target
+2. suspend old target
+3. resume new target
+4. destroy old target
+
+Metadata that were written by the old target between steps 1 and 2 would
+not be visible by the new target.
+
+Fix the data corruption by loading the metadata in the resume handler.
+
+Also, validate block_size is at least as large as both the devices'
+logical block size and only read 1 block from the metadata during
+target constructor -- no need to read entirety of metadata now that it
+is done during resume.
+
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-writecache.c | 52 ++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 37 insertions(+), 15 deletions(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -882,6 +882,24 @@ static int writecache_alloc_entries(stru
+ return 0;
+ }
+
++static int writecache_read_metadata(struct dm_writecache *wc, sector_t n_sectors)
++{
++ struct dm_io_region region;
++ struct dm_io_request req;
++
++ region.bdev = wc->ssd_dev->bdev;
++ region.sector = wc->start_sector;
++ region.count = n_sectors;
++ req.bi_op = REQ_OP_READ;
++ req.bi_op_flags = REQ_SYNC;
++ req.mem.type = DM_IO_VMA;
++ req.mem.ptr.vma = (char *)wc->memory_map;
++ req.client = wc->dm_io;
++ req.notify.fn = NULL;
++
++ return dm_io(&req, 1, ®ion, NULL);
++}
++
+ static void writecache_resume(struct dm_target *ti)
+ {
+ struct dm_writecache *wc = ti->private;
+@@ -892,8 +910,18 @@ static void writecache_resume(struct dm_
+
+ wc_lock(wc);
+
+- if (WC_MODE_PMEM(wc))
++ if (WC_MODE_PMEM(wc)) {
+ persistent_memory_invalidate_cache(wc->memory_map, wc->memory_map_size);
++ } else {
++ r = writecache_read_metadata(wc, wc->metadata_sectors);
++ if (r) {
++ size_t sb_entries_offset;
++ writecache_error(wc, r, "unable to read metadata: %d", r);
++ sb_entries_offset = offsetof(struct wc_memory_superblock, entries);
++ memset((char *)wc->memory_map + sb_entries_offset, -1,
++ (wc->metadata_sectors << SECTOR_SHIFT) - sb_entries_offset);
++ }
++ }
+
+ wc->tree = RB_ROOT;
+ INIT_LIST_HEAD(&wc->lru);
+@@ -2005,6 +2033,12 @@ static int writecache_ctr(struct dm_targ
+ ti->error = "Invalid block size";
+ goto bad;
+ }
++ if (wc->block_size < bdev_logical_block_size(wc->dev->bdev) ||
++ wc->block_size < bdev_logical_block_size(wc->ssd_dev->bdev)) {
++ r = -EINVAL;
++ ti->error = "Block size is smaller than device logical block size";
++ goto bad;
++ }
+ wc->block_size_bits = __ffs(wc->block_size);
+
+ wc->max_writeback_jobs = MAX_WRITEBACK_JOBS;
+@@ -2093,8 +2127,6 @@ invalid_optional:
+ goto bad;
+ }
+ } else {
+- struct dm_io_region region;
+- struct dm_io_request req;
+ size_t n_blocks, n_metadata_blocks;
+ uint64_t n_bitmap_bits;
+
+@@ -2151,19 +2183,9 @@ invalid_optional:
+ goto bad;
+ }
+
+- region.bdev = wc->ssd_dev->bdev;
+- region.sector = wc->start_sector;
+- region.count = wc->metadata_sectors;
+- req.bi_op = REQ_OP_READ;
+- req.bi_op_flags = REQ_SYNC;
+- req.mem.type = DM_IO_VMA;
+- req.mem.ptr.vma = (char *)wc->memory_map;
+- req.client = wc->dm_io;
+- req.notify.fn = NULL;
+-
+- r = dm_io(&req, 1, ®ion, NULL);
++ r = writecache_read_metadata(wc, wc->block_size >> SECTOR_SHIFT);
+ if (r) {
+- ti->error = "Unable to read metadata";
++ ti->error = "Unable to read first block of metadata";
+ goto bad;
+ }
+ }
--- /dev/null
+From 1a06d017fb3f388734ffbe5dedee6f8c3af5f2db Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Sat, 11 Apr 2020 20:50:35 -0700
+Subject: Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 1a06d017fb3f388734ffbe5dedee6f8c3af5f2db upstream.
+
+Before the hibernation patchset (e.g. f53335e3289f), in a Generation-2
+Linux VM on Hyper-V, the user can run "echo freeze > /sys/power/state" to
+freeze the system, i.e. Suspend-to-Idle. The user can press the keyboard
+or move the mouse to wake up the VM.
+
+With the hibernation patchset, Linux VM on Hyper-V can hibernate to disk,
+but Suspend-to-Idle is broken: when the synthetic keyboard/mouse are
+suspended, there is no way to wake up the VM.
+
+Fix the issue by not suspending and resuming the vmbus devices upon
+Suspend-to-Idle.
+
+Fixes: f53335e3289f ("Drivers: hv: vmbus: Suspend/resume the vmbus itself for hibernation")
+Cc: stable@vger.kernel.org
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Link: https://lore.kernel.org/r/1586663435-36243-1-git-send-email-decui@microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/vmbus_drv.c | 43 ++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 34 insertions(+), 9 deletions(-)
+
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -978,6 +978,9 @@ static int vmbus_resume(struct device *c
+
+ return drv->resume(dev);
+ }
++#else
++#define vmbus_suspend NULL
++#define vmbus_resume NULL
+ #endif /* CONFIG_PM_SLEEP */
+
+ /*
+@@ -997,11 +1000,22 @@ static void vmbus_device_release(struct
+ }
+
+ /*
+- * Note: we must use SET_NOIRQ_SYSTEM_SLEEP_PM_OPS rather than
+- * SET_SYSTEM_SLEEP_PM_OPS: see the comment before vmbus_bus_pm.
++ * Note: we must use the "noirq" ops: see the comment before vmbus_bus_pm.
++ *
++ * suspend_noirq/resume_noirq are set to NULL to support Suspend-to-Idle: we
++ * shouldn't suspend the vmbus devices upon Suspend-to-Idle, otherwise there
++ * is no way to wake up a Generation-2 VM.
++ *
++ * The other 4 ops are for hibernation.
+ */
++
+ static const struct dev_pm_ops vmbus_pm = {
+- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(vmbus_suspend, vmbus_resume)
++ .suspend_noirq = NULL,
++ .resume_noirq = NULL,
++ .freeze_noirq = vmbus_suspend,
++ .thaw_noirq = vmbus_resume,
++ .poweroff_noirq = vmbus_suspend,
++ .restore_noirq = vmbus_resume,
+ };
+
+ /* The one and only one */
+@@ -2281,6 +2295,9 @@ static int vmbus_bus_resume(struct devic
+
+ return 0;
+ }
++#else
++#define vmbus_bus_suspend NULL
++#define vmbus_bus_resume NULL
+ #endif /* CONFIG_PM_SLEEP */
+
+ static const struct acpi_device_id vmbus_acpi_device_ids[] = {
+@@ -2291,16 +2308,24 @@ static const struct acpi_device_id vmbus
+ MODULE_DEVICE_TABLE(acpi, vmbus_acpi_device_ids);
+
+ /*
+- * Note: we must use SET_NOIRQ_SYSTEM_SLEEP_PM_OPS rather than
+- * SET_SYSTEM_SLEEP_PM_OPS, otherwise NIC SR-IOV can not work, because the
+- * "pci_dev_pm_ops" uses the "noirq" callbacks: in the resume path, the
+- * pci "noirq" restore callback runs before "non-noirq" callbacks (see
++ * Note: we must use the "no_irq" ops, otherwise hibernation can not work with
++ * PCI device assignment, because "pci_dev_pm_ops" uses the "noirq" ops: in
++ * the resume path, the pci "noirq" restore op runs before "non-noirq" op (see
+ * resume_target_kernel() -> dpm_resume_start(), and hibernation_restore() ->
+ * dpm_resume_end()). This means vmbus_bus_resume() and the pci-hyperv's
+- * resume callback must also run via the "noirq" callbacks.
++ * resume callback must also run via the "noirq" ops.
++ *
++ * Set suspend_noirq/resume_noirq to NULL for Suspend-to-Idle: see the comment
++ * earlier in this file before vmbus_pm.
+ */
++
+ static const struct dev_pm_ops vmbus_bus_pm = {
+- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(vmbus_bus_suspend, vmbus_bus_resume)
++ .suspend_noirq = NULL,
++ .resume_noirq = NULL,
++ .freeze_noirq = vmbus_bus_suspend,
++ .thaw_noirq = vmbus_bus_resume,
++ .poweroff_noirq = vmbus_bus_suspend,
++ .restore_noirq = vmbus_bus_resume
+ };
+
+ static struct acpi_driver vmbus_acpi_driver = {
--- /dev/null
+From ac2b0813fceaf7cb3d8d46c7b33c90bae9fa49db Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 10 Sep 2019 16:42:42 +0300
+Subject: i2c: amd-mp2-pci: Fix Oops in amd_mp2_pci_init() error handling
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ac2b0813fceaf7cb3d8d46c7b33c90bae9fa49db upstream.
+
+The problem is that we dereference "privdata->pci_dev" when we print
+the error messages in amd_mp2_pci_init():
+
+ dev_err(ndev_dev(privdata), "Failed to enable MP2 PCI device\n");
+ ^^^^^^^^^^^^^^^^^
+
+Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-amd-mp2-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-amd-mp2-pci.c
++++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c
+@@ -349,12 +349,12 @@ static int amd_mp2_pci_probe(struct pci_
+ if (!privdata)
+ return -ENOMEM;
+
++ privdata->pci_dev = pci_dev;
+ rc = amd_mp2_pci_init(privdata, pci_dev);
+ if (rc)
+ return rc;
+
+ mutex_init(&privdata->c2p_lock);
+- privdata->pci_dev = pci_dev;
+
+ pm_runtime_set_autosuspend_delay(&pci_dev->dev, 1000);
+ pm_runtime_use_autosuspend(&pci_dev->dev);
--- /dev/null
+From 47c370c1a5eea9b2f6f026d49e060c3748c89667 Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Fri, 24 Apr 2020 18:31:46 +0100
+Subject: IB/rdmavt: Always return ERR_PTR from rvt_create_mmap_info()
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+commit 47c370c1a5eea9b2f6f026d49e060c3748c89667 upstream.
+
+The commit below modified rvt_create_mmap_info() to return ERR_PTR's but
+didn't update the callers to handle them. Modify rvt_create_mmap_info() to
+only return ERR_PTR and fix all error checking after
+rvt_create_mmap_info() was called.
+
+Fixes: ff23dfa13457 ("IB: Pass only ib_udata in function prototypes")
+Link: https://lore.kernel.org/r/20200424173146.10970-1-sudipm.mukherjee@gmail.com
+Cc: stable@vger.kernel.org [5.4+]
+Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Acked-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/rdmavt/cq.c | 4 ++--
+ drivers/infiniband/sw/rdmavt/mmap.c | 4 ++--
+ drivers/infiniband/sw/rdmavt/qp.c | 4 ++--
+ drivers/infiniband/sw/rdmavt/srq.c | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/sw/rdmavt/cq.c
++++ b/drivers/infiniband/sw/rdmavt/cq.c
+@@ -248,8 +248,8 @@ int rvt_create_cq(struct ib_cq *ibcq, co
+ */
+ if (udata && udata->outlen >= sizeof(__u64)) {
+ cq->ip = rvt_create_mmap_info(rdi, sz, udata, u_wc);
+- if (!cq->ip) {
+- err = -ENOMEM;
++ if (IS_ERR(cq->ip)) {
++ err = PTR_ERR(cq->ip);
+ goto bail_wc;
+ }
+
+--- a/drivers/infiniband/sw/rdmavt/mmap.c
++++ b/drivers/infiniband/sw/rdmavt/mmap.c
+@@ -154,7 +154,7 @@ done:
+ * @udata: user data (must be valid!)
+ * @obj: opaque pointer to a cq, wq etc
+ *
+- * Return: rvt_mmap struct on success
++ * Return: rvt_mmap struct on success, ERR_PTR on failure
+ */
+ struct rvt_mmap_info *rvt_create_mmap_info(struct rvt_dev_info *rdi, u32 size,
+ struct ib_udata *udata, void *obj)
+@@ -166,7 +166,7 @@ struct rvt_mmap_info *rvt_create_mmap_in
+
+ ip = kmalloc_node(sizeof(*ip), GFP_KERNEL, rdi->dparms.node);
+ if (!ip)
+- return ip;
++ return ERR_PTR(-ENOMEM);
+
+ size = PAGE_ALIGN(size);
+
+--- a/drivers/infiniband/sw/rdmavt/qp.c
++++ b/drivers/infiniband/sw/rdmavt/qp.c
+@@ -1244,8 +1244,8 @@ struct ib_qp *rvt_create_qp(struct ib_pd
+
+ qp->ip = rvt_create_mmap_info(rdi, s, udata,
+ qp->r_rq.wq);
+- if (!qp->ip) {
+- ret = ERR_PTR(-ENOMEM);
++ if (IS_ERR(qp->ip)) {
++ ret = ERR_CAST(qp->ip);
+ goto bail_qpn;
+ }
+
+--- a/drivers/infiniband/sw/rdmavt/srq.c
++++ b/drivers/infiniband/sw/rdmavt/srq.c
+@@ -111,8 +111,8 @@ int rvt_create_srq(struct ib_srq *ibsrq,
+ u32 s = sizeof(struct rvt_rwq) + srq->rq.size * sz;
+
+ srq->ip = rvt_create_mmap_info(dev, s, udata, srq->rq.wq);
+- if (!srq->ip) {
+- ret = -ENOMEM;
++ if (IS_ERR(srq->ip)) {
++ ret = PTR_ERR(srq->ip);
+ goto bail_wq;
+ }
+
--- /dev/null
+From a9b760b0266f563b4784f695bbd0e717610dc10a Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 21 Apr 2020 15:55:16 +0800
+Subject: PM: ACPI: Output correct message on target power state
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit a9b760b0266f563b4784f695bbd0e717610dc10a upstream.
+
+Transitioned power state logged at the end of setting ACPI power.
+
+However, D3cold won't be in the message because state can only be
+D3hot at most.
+
+Use target_state to corretly report when power state is D3cold.
+
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/device_pm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -273,13 +273,13 @@ int acpi_device_set_power(struct acpi_de
+ end:
+ if (result) {
+ dev_warn(&device->dev, "Failed to change power state to %s\n",
+- acpi_power_state_string(state));
++ acpi_power_state_string(target_state));
+ } else {
+ device->power.state = target_state;
+ ACPI_DEBUG_PRINT((ACPI_DB_INFO,
+ "Device [%s] transitioned to %s\n",
+ device->pnp.bus_id,
+- acpi_power_state_string(state)));
++ acpi_power_state_string(target_state)));
+ }
+
+ return result;
--- /dev/null
+From 2351f8d295ed63393190e39c2f7c1fee1a80578f Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 23 Apr 2020 20:40:16 -0700
+Subject: PM: hibernate: Freeze kernel threads in software_resume()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 2351f8d295ed63393190e39c2f7c1fee1a80578f upstream.
+
+Currently the kernel threads are not frozen in software_resume(), so
+between dpm_suspend_start(PMSG_QUIESCE) and resume_target_kernel(),
+system_freezable_power_efficient_wq can still try to submit SCSI
+commands and this can cause a panic since the low level SCSI driver
+(e.g. hv_storvsc) has quiesced the SCSI adapter and can not accept
+any SCSI commands: https://lkml.org/lkml/2020/4/10/47
+
+At first I posted a fix (https://lkml.org/lkml/2020/4/21/1318) trying
+to resolve the issue from hv_storvsc, but with the help of
+Bart Van Assche, I realized it's better to fix software_resume(),
+since this looks like a generic issue, not only pertaining to SCSI.
+
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/hibernate.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -898,6 +898,13 @@ static int software_resume(void)
+ error = freeze_processes();
+ if (error)
+ goto Close_Finish;
++
++ error = freeze_kernel_threads();
++ if (error) {
++ thaw_processes();
++ goto Close_Finish;
++ }
++
+ error = load_image_and_restore();
+ thaw_processes();
+ Finish:
--- /dev/null
+From fb73974172ffaaf57a7c42f35424d9aece1a5af6 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 28 Apr 2020 09:59:02 -0400
+Subject: selinux: properly handle multiple messages in selinux_netlink_send()
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.
+
+Fix the SELinux netlink_send hook to properly handle multiple netlink
+messages in a single sk_buff; each message is parsed and subject to
+SELinux access control. Prior to this patch, SELinux only inspected
+the first message in the sk_buff.
+
+Cc: stable@vger.kernel.org
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c | 70 ++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 45 insertions(+), 25 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -5829,40 +5829,60 @@ static unsigned int selinux_ipv6_postrou
+
+ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
+ {
+- int err = 0;
+- u32 perm;
++ int rc = 0;
++ unsigned int msg_len;
++ unsigned int data_len = skb->len;
++ unsigned char *data = skb->data;
+ struct nlmsghdr *nlh;
+ struct sk_security_struct *sksec = sk->sk_security;
++ u16 sclass = sksec->sclass;
++ u32 perm;
+
+- if (skb->len < NLMSG_HDRLEN) {
+- err = -EINVAL;
+- goto out;
+- }
+- nlh = nlmsg_hdr(skb);
++ while (data_len >= nlmsg_total_size(0)) {
++ nlh = (struct nlmsghdr *)data;
+
+- err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
+- if (err) {
+- if (err == -EINVAL) {
++ /* NOTE: the nlmsg_len field isn't reliably set by some netlink
++ * users which means we can't reject skb's with bogus
++ * length fields; our solution is to follow what
++ * netlink_rcv_skb() does and simply skip processing at
++ * messages with length fields that are clearly junk
++ */
++ if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
++ return 0;
++
++ rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
++ if (rc == 0) {
++ rc = sock_has_perm(sk, perm);
++ if (rc)
++ return rc;
++ } else if (rc == -EINVAL) {
++ /* -EINVAL is a missing msg/perm mapping */
+ pr_warn_ratelimited("SELinux: unrecognized netlink"
+- " message: protocol=%hu nlmsg_type=%hu sclass=%s"
+- " pid=%d comm=%s\n",
+- sk->sk_protocol, nlh->nlmsg_type,
+- secclass_map[sksec->sclass - 1].name,
+- task_pid_nr(current), current->comm);
+- if (!enforcing_enabled(&selinux_state) ||
+- security_get_allow_unknown(&selinux_state))
+- err = 0;
++ " message: protocol=%hu nlmsg_type=%hu sclass=%s"
++ " pid=%d comm=%s\n",
++ sk->sk_protocol, nlh->nlmsg_type,
++ secclass_map[sclass - 1].name,
++ task_pid_nr(current), current->comm);
++ if (enforcing_enabled(&selinux_state) &&
++ !security_get_allow_unknown(&selinux_state))
++ return rc;
++ rc = 0;
++ } else if (rc == -ENOENT) {
++ /* -ENOENT is a missing socket/class mapping, ignore */
++ rc = 0;
++ } else {
++ return rc;
+ }
+
+- /* Ignore */
+- if (err == -ENOENT)
+- err = 0;
+- goto out;
++ /* move to the next message after applying netlink padding */
++ msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
++ if (msg_len >= data_len)
++ return 0;
++ data_len -= msg_len;
++ data += msg_len;
+ }
+
+- err = sock_has_perm(sk, perm);
+-out:
+- return err;
++ return rc;
+ }
+
+ static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
mmc-meson-mx-sdio-set-mmc_cap_wait_while_busy.patch
mmc-meson-mx-sdio-remove-the-broken-card_busy-op.patch
crypto-caam-fix-the-address-of-the-last-entry-of-s-g.patch
+alsa-hda-realtek-two-front-mics-on-a-lenovo-thinkcenter.patch
+alsa-usb-audio-correct-a-typo-of-nuprime-dac-10-usb-id.patch
+alsa-hda-hdmi-fix-without-unlocked-before-return.patch
+alsa-line6-fix-pod-hd500-audio-playback.patch
+alsa-pcm-oss-place-the-plugin-buffer-overflow-checks-correctly.patch
+i2c-amd-mp2-pci-fix-oops-in-amd_mp2_pci_init-error-handling.patch
+x86-hyperv-suspend-resume-the-vp-assist-page-for-hibernation.patch
+drivers-hv-vmbus-fix-suspend-to-idle-for-generation-2-vm.patch
+dlmfs_file_write-fix-the-bogosity-in-handling-non-zero-ppos.patch
+selinux-properly-handle-multiple-messages-in-selinux_netlink_send.patch
+ib-rdmavt-always-return-err_ptr-from-rvt_create_mmap_info.patch
+pm-acpi-output-correct-message-on-target-power-state.patch
+pm-hibernate-freeze-kernel-threads-in-software_resume.patch
+dm-verity-fec-fix-hash-block-number-in-verity_fec_decode.patch
+dm-writecache-fix-data-corruption-when-reloading-the-target.patch
+dm-multipath-use-updated-mpathf_queue_io-on-mapping-for-bio-based-mpath.patch
+arm-dts-imx6qdl-sr-som-ti-indicate-powering-off-wifi-is-safe.patch
--- /dev/null
+From 421f090c819d695942a470051cd624dc43deaf95 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Mon, 20 Apr 2020 19:46:11 -0700
+Subject: x86/hyperv: Suspend/resume the VP assist page for hibernation
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 421f090c819d695942a470051cd624dc43deaf95 upstream.
+
+Unlike the other CPUs, CPU0 is never offlined during hibernation, so in the
+resume path, the "new" kernel's VP assist page is not suspended (i.e. not
+disabled), and later when we jump to the "old" kernel, the page is not
+properly re-enabled for CPU0 with the allocated page from the old kernel.
+
+So far, the VP assist page is used by hv_apic_eoi_write(), and is also
+used in the case of nested virtualization (running KVM atop Hyper-V).
+
+For hv_apic_eoi_write(), when the page is not properly re-enabled,
+hvp->apic_assist is always 0, so the HV_X64_MSR_EOI MSR is always written.
+This is not ideal with respect to performance, but Hyper-V can still
+correctly handle this according to the Hyper-V spec; nevertheless, Linux
+still must update the Hyper-V hypervisor with the correct VP assist page
+to prevent Hyper-V from writing to the stale page, which causes guest
+memory corruption and consequently may have caused the hangs and triple
+faults seen during non-boot CPUs resume.
+
+Fix the issue by calling hv_cpu_die()/hv_cpu_init() in the syscore ops.
+Without the fix, hibernation can fail at a rate of 1/300 ~ 1/500.
+With the fix, hibernation can pass a long-haul test of 2000 runs.
+
+In the case of nested virtualization, disabling/reenabling the assist
+page upon hibernation may be unsafe if there are active L2 guests.
+It looks KVM should be enhanced to abort the hibernation request if
+there is any active L2 guest.
+
+Fixes: 05bd330a7fd8 ("x86/hyperv: Suspend/resume the hypercall page for hibernation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Link: https://lore.kernel.org/r/1587437171-2472-1-git-send-email-decui@microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/hyperv/hv_init.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -73,7 +73,8 @@ static int hv_cpu_init(unsigned int cpu)
+ struct page *pg;
+
+ input_arg = (void **)this_cpu_ptr(hyperv_pcpu_input_arg);
+- pg = alloc_page(GFP_KERNEL);
++ /* hv_cpu_init() can be called with IRQs disabled from hv_resume() */
++ pg = alloc_page(irqs_disabled() ? GFP_ATOMIC : GFP_KERNEL);
+ if (unlikely(!pg))
+ return -ENOMEM;
+ *input_arg = page_address(pg);
+@@ -254,6 +255,7 @@ static int __init hv_pci_init(void)
+ static int hv_suspend(void)
+ {
+ union hv_x64_msr_hypercall_contents hypercall_msr;
++ int ret;
+
+ /*
+ * Reset the hypercall page as it is going to be invalidated
+@@ -270,12 +272,17 @@ static int hv_suspend(void)
+ hypercall_msr.enable = 0;
+ wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
+
+- return 0;
++ ret = hv_cpu_die(0);
++ return ret;
+ }
+
+ static void hv_resume(void)
+ {
+ union hv_x64_msr_hypercall_contents hypercall_msr;
++ int ret;
++
++ ret = hv_cpu_init(0);
++ WARN_ON(ret);
+
+ /* Re-enable the hypercall page */
+ rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
+@@ -288,6 +295,7 @@ static void hv_resume(void)
+ hv_hypercall_pg_saved = NULL;
+ }
+
++/* Note: when the ops are called, only CPU0 is online and IRQs are disabled. */
+ static struct syscore_ops hv_syscore_ops = {
+ .suspend = hv_suspend,
+ .resume = hv_resume,
projects / thirdparty / kernel / stable-queue.git / commitdiff
