5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Apr 2020 16:14:43 +0000 (18:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Apr 2020 16:14:43 +0000 (18:14 +0200)
added patches:
alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch
alsa-hda-realtek-add-new-codec-supported-for-alc245.patch
alsa-hda-realtek-fix-unexpected-init_amp-override.patch
alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
alsa-usx2y-fix-potential-null-dereference.patch
asoc-dapm-fixup-dapm-kcontrol-widget.patch
audit-check-the-length-of-userspace-generated-audit-records.patch
coredump-fix-null-pointer-dereference-on-coredump.patch
iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch
iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch
iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch
iwlwifi-mvm-limit-maximum-queue-appropriately.patch
iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch
kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch
kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
mac80211-populate-debugfs-only-after-cfg80211-init.patch
mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch
mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch
signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch
sunrpc-fix-backchannel-rpc-soft-lockups.patch
tools-vm-fix-cross-compile-build.patch
tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch
tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch
tpm-tpm_tis-free-irq-if-probing-fails.patch
tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
tty-rocket-avoid-oob-access.patch
usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
vmalloc-fix-remap_vmalloc_range-bounds-checks.patch

32 files changed:
queue-5.4/alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch [new file with mode: 0644]
queue-5.4/alsa-hda-realtek-add-new-codec-supported-for-alc245.patch [new file with mode: 0644]
queue-5.4/alsa-hda-realtek-fix-unexpected-init_amp-override.patch [new file with mode: 0644]
queue-5.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch [new file with mode: 0644]
queue-5.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch [new file with mode: 0644]
queue-5.4/alsa-usx2y-fix-potential-null-dereference.patch [new file with mode: 0644]
queue-5.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch [new file with mode: 0644]
queue-5.4/audit-check-the-length-of-userspace-generated-audit-records.patch [new file with mode: 0644]
queue-5.4/coredump-fix-null-pointer-dereference-on-coredump.patch [new file with mode: 0644]
queue-5.4/iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch [new file with mode: 0644]
queue-5.4/iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch [new file with mode: 0644]
queue-5.4/iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch [new file with mode: 0644]
queue-5.4/iwlwifi-mvm-limit-maximum-queue-appropriately.patch [new file with mode: 0644]
queue-5.4/iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch [new file with mode: 0644]
queue-5.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch [new file with mode: 0644]
queue-5.4/kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch [new file with mode: 0644]
queue-5.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch [new file with mode: 0644]
queue-5.4/mac80211-populate-debugfs-only-after-cfg80211-init.patch [new file with mode: 0644]
queue-5.4/mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch [new file with mode: 0644]
queue-5.4/mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch [new file with mode: 0644]
queue-5.4/staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch [new file with mode: 0644]
queue-5.4/sunrpc-fix-backchannel-rpc-soft-lockups.patch [new file with mode: 0644]
queue-5.4/tools-vm-fix-cross-compile-build.patch [new file with mode: 0644]
queue-5.4/tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch [new file with mode: 0644]
queue-5.4/tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch [new file with mode: 0644]
queue-5.4/tpm-tpm_tis-free-irq-if-probing-fails.patch [new file with mode: 0644]
queue-5.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch [new file with mode: 0644]
queue-5.4/tty-rocket-avoid-oob-access.patch [new file with mode: 0644]
queue-5.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch [new file with mode: 0644]
queue-5.4/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch [new file with mode: 0644]

diff --git a/queue-5.4/alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch b/queue-5.4/alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch
new file mode 100644 (file)
index 0000000..77911c8
--- /dev/null
@@ -0,0 +1,49 @@
+From b392350ec3f229ad9603d3816f753479e441d99a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 15 Apr 2020 18:25:23 +0200
+Subject: ALSA: hda/hdmi: Add module option to disable audio component binding
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b392350ec3f229ad9603d3816f753479e441d99a upstream.
+
+As the recent regression showed, we want sometimes to turn off the
+audio component binding just for debugging.  This patch adds the
+module option to control it easily without compilation.
+
+Fixes: ade49db337a9 ("ALSA: hda/hdmi - Allow audio component for AMD/ATI and Nvidia HDMI")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207223
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200415162523.27499-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_hdmi.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -57,6 +57,10 @@ MODULE_PARM_DESC(static_hdmi_pcm, "Don't
+ #define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883)
+ #define is_valleyview_plus(codec) (is_valleyview(codec) || is_cherryview(codec))
++static bool enable_acomp = true;
++module_param(enable_acomp, bool, 0444);
++MODULE_PARM_DESC(enable_acomp, "Enable audio component binding (default=yes)");
++
+ struct hdmi_spec_per_cvt {
+       hda_nid_t cvt_nid;
+       int assigned;
+@@ -2550,6 +2554,11 @@ static void generic_acomp_init(struct hd
+ {
+       struct hdmi_spec *spec = codec->spec;
++      if (!enable_acomp) {
++              codec_info(codec, "audio component disabled by module option\n");
++              return;
++      }
++
+       spec->port2pin = port2pin;
+       setup_drm_audio_ops(codec, ops);
+       if (!snd_hdac_acomp_init(&codec->bus->core, &spec->drm_audio_ops,
diff --git a/queue-5.4/alsa-hda-realtek-add-new-codec-supported-for-alc245.patch b/queue-5.4/alsa-hda-realtek-add-new-codec-supported-for-alc245.patch
new file mode 100644 (file)
index 0000000..4cabc89
--- /dev/null
@@ -0,0 +1,47 @@
+From 7fbdcd8301a84c09cebfa64f1317a6dafeec9188 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Thu, 23 Apr 2020 14:18:31 +0800
+Subject: ALSA: hda/realtek - Add new codec supported for ALC245
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 7fbdcd8301a84c09cebfa64f1317a6dafeec9188 upstream.
+
+Enable new codec supported for ALC245.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/8c0804738b2c42439f59c39c8437817f@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -369,6 +369,7 @@ static void alc_fill_eapd_coef(struct hd
+       case 0x10ec0233:
+       case 0x10ec0235:
+       case 0x10ec0236:
++      case 0x10ec0245:
+       case 0x10ec0255:
+       case 0x10ec0256:
+       case 0x10ec0257:
+@@ -8102,6 +8103,7 @@ static int patch_alc269(struct hda_codec
+               spec->gen.mixer_nid = 0;
+               break;
+       case 0x10ec0215:
++      case 0x10ec0245:
+       case 0x10ec0285:
+       case 0x10ec0289:
+               spec->codec_variant = ALC269_TYPE_ALC215;
+@@ -9363,6 +9365,7 @@ static const struct hda_device_id snd_hd
+       HDA_CODEC_ENTRY(0x10ec0234, "ALC234", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0235, "ALC233", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0236, "ALC236", patch_alc269),
++      HDA_CODEC_ENTRY(0x10ec0245, "ALC245", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0255, "ALC255", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0256, "ALC256", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0257, "ALC257", patch_alc269),
diff --git a/queue-5.4/alsa-hda-realtek-fix-unexpected-init_amp-override.patch b/queue-5.4/alsa-hda-realtek-fix-unexpected-init_amp-override.patch
new file mode 100644 (file)
index 0000000..9cbda24
--- /dev/null
@@ -0,0 +1,53 @@
+From 67791202c5e069cf2ba51db0718d56c634709e78 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 18 Apr 2020 21:06:39 +0200
+Subject: ALSA: hda/realtek - Fix unexpected init_amp override
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 67791202c5e069cf2ba51db0718d56c634709e78 upstream.
+
+The commit 1c76aa5fb48d ("ALSA: hda/realtek - Allow skipping
+spec->init_amp detection") changed the way to assign spec->init_amp
+field that specifies the way to initialize the amp.  Along with the
+change, the commit also replaced a few fixups that set spec->init_amp
+in HDA_FIXUP_ACT_PROBE with HDA_FIXUP_ACT_PRE_PROBE.  This was rather
+aligning to the other fixups, and not supposed to change the actual
+behavior.
+
+However, this change turned out to cause a regression on FSC S7020,
+which hit exactly the above.  The reason was that there is still one
+place that overrides spec->init_amp after HDA_FIXUP_ACT_PRE_PROBE
+call, namely in alc_ssid_check().
+
+This patch fixes the regression by adding the proper spec->init_amp
+override check, i.e. verifying whether it's still ALC_INIT_UNDEFINED.
+
+Fixes: 1c76aa5fb48d ("ALSA: hda/realtek - Allow skipping spec->init_amp detection")
+Cc: <stable@vger.kernel.org>
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207329
+Link: https://lore.kernel.org/r/20200418190639.10082-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -789,9 +789,11 @@ static void alc_ssid_check(struct hda_co
+ {
+       if (!alc_subsystem_id(codec, ports)) {
+               struct alc_spec *spec = codec->spec;
+-              codec_dbg(codec,
+-                        "realtek: Enable default setup for auto mode as fallback\n");
+-              spec->init_amp = ALC_INIT_DEFAULT;
++              if (spec->init_amp == ALC_INIT_UNDEFINED) {
++                      codec_dbg(codec,
++                                "realtek: Enable default setup for auto mode as fallback\n");
++                      spec->init_amp = ALC_INIT_DEFAULT;
++              }
+       }
+ }
diff --git a/queue-5.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch b/queue-5.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
new file mode 100644 (file)
index 0000000..9477ff0
--- /dev/null
@@ -0,0 +1,105 @@
+From 1c826792586f526a5a5cd21d55aad388f5bb0b23 Mon Sep 17 00:00:00 2001
+From: Alexander Tsoy <alexander@tsoy.me>
+Date: Sat, 18 Apr 2020 20:58:15 +0300
+Subject: ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices
+
+From: Alexander Tsoy <alexander@tsoy.me>
+
+commit 1c826792586f526a5a5cd21d55aad388f5bb0b23 upstream.
+
+Many Focusrite devices supports a limited set of sample rates per
+altsetting. These includes audio interfaces with ADAT ports:
+ - Scarlett 18i6, 18i8 1st gen, 18i20 1st gen;
+ - Scarlett 18i8 2nd gen, 18i20 2nd gen;
+ - Scarlett 18i8 3rd gen, 18i20 3rd gen;
+ - Clarett 2Pre USB, 4Pre USB, 8Pre USB.
+
+Maximum rate is exposed in the last 4 bytes of Format Type descriptor
+which has a non-standard bLength = 10.
+
+Tested-by: Alexey Skobkin <skobkin-ru@ya.ru>
+Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200418175815.12211-1-alexander@tsoy.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/format.c |   52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 52 insertions(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -227,6 +227,52 @@ static int parse_audio_format_rates_v1(s
+ }
+ /*
++ * Many Focusrite devices supports a limited set of sampling rates per
++ * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type
++ * descriptor which has a non-standard bLength = 10.
++ */
++static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
++                                      struct audioformat *fp,
++                                      unsigned int rate)
++{
++      struct usb_interface *iface;
++      struct usb_host_interface *alts;
++      unsigned char *fmt;
++      unsigned int max_rate;
++
++      iface = usb_ifnum_to_if(chip->dev, fp->iface);
++      if (!iface)
++              return true;
++
++      alts = &iface->altsetting[fp->altset_idx];
++      fmt = snd_usb_find_csint_desc(alts->extra, alts->extralen,
++                                    NULL, UAC_FORMAT_TYPE);
++      if (!fmt)
++              return true;
++
++      if (fmt[0] == 10) { /* bLength */
++              max_rate = combine_quad(&fmt[6]);
++
++              /* Validate max rate */
++              if (max_rate != 48000 &&
++                  max_rate != 96000 &&
++                  max_rate != 192000 &&
++                  max_rate != 384000) {
++
++                      usb_audio_info(chip,
++                              "%u:%d : unexpected max rate: %u\n",
++                              fp->iface, fp->altsetting, max_rate);
++
++                      return true;
++              }
++
++              return rate <= max_rate;
++      }
++
++      return true;
++}
++
++/*
+  * Helper function to walk the array of sample rate triplets reported by
+  * the device. The problem is that we need to parse whole array first to
+  * get to know how many sample rates we have to expect.
+@@ -262,6 +308,11 @@ static int parse_uac2_sample_rate_range(
+               }
+               for (rate = min; rate <= max; rate += res) {
++                      /* Filter out invalid rates on Focusrite devices */
++                      if (USB_ID_VENDOR(chip->usb_id) == 0x1235 &&
++                          !focusrite_valid_sample_rate(chip, fp, rate))
++                              goto skip_rate;
++
+                       if (fp->rate_table)
+                               fp->rate_table[nr_rates] = rate;
+                       if (!fp->rate_min || rate < fp->rate_min)
+@@ -276,6 +327,7 @@ static int parse_uac2_sample_rate_range(
+                               break;
+                       }
++skip_rate:
+                       /* avoid endless loop */
+                       if (res == 0)
+                               break;
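Review bot: In focusrite_valid_sample_rate() the read of bytes 6..9 through `combine_quad(&fmt[6])` is guarded only by `fmt[0] == 10`, so its bounds safety rests on snd_usb_find_csint_desc() having already rejected a descriptor whose bLength overruns alts->extralen; as far as I recall that helper does, but the assumption is not stated anywhere in the new code and deserves a comment such as `/* descriptor finder guarantees bLength bytes are present, so bytes 6..9 are in range */`. The bare numbers `10`, `6` and `0x1235` would read better as a named vendor id and a comment `/* vendor-specific Format Type descriptor: bLength 10, last 4 bytes hold the max rate */`. parse_uac2_sample_rate_range() starts and ends outside the hunk, so I cannot confirm that `goto skip_rate` leaves nr_rates and the rate_table position consistent for the skipped rate.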
diff --git a/queue-5.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch b/queue-5.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
new file mode 100644 (file)
index 0000000..e6539ec
--- /dev/null
@@ -0,0 +1,58 @@
+From 59e1947ca09ebd1cae147c08c7c41f3141233c84 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Thu, 23 Apr 2020 12:54:19 +0800
+Subject: ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit 59e1947ca09ebd1cae147c08c7c41f3141233c84 upstream.
+
+snd_microii_spdif_default_get() invokes snd_usb_lock_shutdown(), which
+increases the refcount of the snd_usb_audio object "chip".
+
+When snd_microii_spdif_default_get() returns, local variable "chip"
+becomes invalid, so the refcount should be decreased to keep refcount
+balanced.
+
+The reference counting issue happens in several exception handling paths
+of snd_microii_spdif_default_get(). When those error scenarios occur
+such as usb_ifnum_to_if() returns NULL, the function forgets to decrease
+the refcnt increased by snd_usb_lock_shutdown(), causing a refcnt leak.
+
+Fix this issue by jumping to "end" label when those error scenarios
+occur.
+
+Fixes: 447d6275f0c2 ("ALSA: usb-audio: Add sanity checks for endpoint accesses")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1587617711-13200-1-git-send-email-xiyuyang19@fudan.edu.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_quirks.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1508,11 +1508,15 @@ static int snd_microii_spdif_default_get
+       /* use known values for that card: interface#1 altsetting#1 */
+       iface = usb_ifnum_to_if(chip->dev, 1);
+-      if (!iface || iface->num_altsetting < 2)
+-              return -EINVAL;
++      if (!iface || iface->num_altsetting < 2) {
++              err = -EINVAL;
++              goto end;
++      }
+       alts = &iface->altsetting[1];
+-      if (get_iface_desc(alts)->bNumEndpoints < 1)
+-              return -EINVAL;
++      if (get_iface_desc(alts)->bNumEndpoints < 1) {
++              err = -EINVAL;
++              goto end;
++      }
+       ep = get_endpoint(alts, 0)->bEndpointAddress;
+       err = snd_usb_ctl_msg(chip->dev,
diff --git a/queue-5.4/alsa-usx2y-fix-potential-null-dereference.patch b/queue-5.4/alsa-usx2y-fix-potential-null-dereference.patch
new file mode 100644 (file)
index 0000000..63ff4ae
--- /dev/null
@@ -0,0 +1,34 @@
+From 7686e3485253635c529cdd5f416fc640abaf076f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 20 Apr 2020 09:55:29 +0200
+Subject: ALSA: usx2y: Fix potential NULL dereference
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7686e3485253635c529cdd5f416fc640abaf076f upstream.
+
+The error handling code in usX2Y_rate_set() may hit a potential NULL
+dereference when an error occurs before allocating all us->urb[].
+Add a proper NULL check for fixing the corner case.
+
+Reported-by: Lin Yi <teroincn@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200420075529.27203-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/usx2y/usbusx2yaudio.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/usx2y/usbusx2yaudio.c
++++ b/sound/usb/usx2y/usbusx2yaudio.c
+@@ -681,6 +681,8 @@ static int usX2Y_rate_set(struct usX2Yde
+                       us->submitted = 2*NOOF_SETRATE_URBS;
+                       for (i = 0; i < NOOF_SETRATE_URBS; ++i) {
+                               struct urb *urb = us->urb[i];
++                              if (!urb)
++                                      continue;
+                               if (urb->status) {
+                                       if (!err)
+                                               err = -ENODEV;
diff --git a/queue-5.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch b/queue-5.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch
new file mode 100644 (file)
index 0000000..afa3ce0
--- /dev/null
@@ -0,0 +1,71 @@
+From ebf1474745b4373fdde0fcf32d9d1f369b50b212 Mon Sep 17 00:00:00 2001
+From: Gyeongtaek Lee <gt82.lee@samsung.com>
+Date: Sat, 18 Apr 2020 13:13:20 +0900
+Subject: ASoC: dapm: fixup dapm kcontrol widget
+
+From: Gyeongtaek Lee <gt82.lee@samsung.com>
+
+commit ebf1474745b4373fdde0fcf32d9d1f369b50b212 upstream.
+
+snd_soc_dapm_kcontrol widget which is created by autodisable control
+should contain correct on_val, mask and shift because it is set when the
+widget is powered and changed value is applied on registers by following
+code in dapm_seq_run_coalesced().
+
+               mask |= w->mask << w->shift;
+               if (w->power)
+                       value |= w->on_val << w->shift;
+               else
+                       value |= w->off_val << w->shift;
+
+Shift on the mask in dapm_kcontrol_data_alloc() is removed to prevent
+double shift.
+And, on_val in dapm_kcontrol_set_value() is modified to get correct
+value in the dapm_seq_run_coalesced().
+
+Signed-off-by: Gyeongtaek Lee <gt82.lee@samsung.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/000001d61537$b212f620$1638e260$@samsung.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-dapm.c |   20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -423,7 +423,7 @@ static int dapm_kcontrol_data_alloc(stru
+                       memset(&template, 0, sizeof(template));
+                       template.reg = e->reg;
+-                      template.mask = e->mask << e->shift_l;
++                      template.mask = e->mask;
+                       template.shift = e->shift_l;
+                       template.off_val = snd_soc_enum_item_to_val(e, 0);
+                       template.on_val = template.off_val;
+@@ -546,8 +546,22 @@ static bool dapm_kcontrol_set_value(cons
+       if (data->value == value)
+               return false;
+-      if (data->widget)
+-              data->widget->on_val = value;
++      if (data->widget) {
++              switch (dapm_kcontrol_get_wlist(kcontrol)->widgets[0]->id) {
++              case snd_soc_dapm_switch:
++              case snd_soc_dapm_mixer:
++              case snd_soc_dapm_mixer_named_ctl:
++                      data->widget->on_val = value & data->widget->mask;
++                      break;
++              case snd_soc_dapm_demux:
++              case snd_soc_dapm_mux:
++                      data->widget->on_val = value >> data->widget->shift;
++                      break;
++              default:
++                      data->widget->on_val = value;
++                      break;
++              }
++      }
+       data->value = value;
diff --git a/queue-5.4/audit-check-the-length-of-userspace-generated-audit-records.patch b/queue-5.4/audit-check-the-length-of-userspace-generated-audit-records.patch
new file mode 100644 (file)
index 0000000..6f44d96
--- /dev/null
@@ -0,0 +1,38 @@
+From 763dafc520add02a1f4639b500c509acc0ea8e5b Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Mon, 20 Apr 2020 16:24:34 -0400
+Subject: audit: check the length of userspace generated audit records
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream.
+
+Commit 756125289285 ("audit: always check the netlink payload length
+in audit_receive_msg()") fixed a number of missing message length
+checks, but forgot to check the length of userspace generated audit
+records.  The good news is that you need CAP_AUDIT_WRITE to submit
+userspace audit records, which is generally only given to trusted
+processes, so the impact should be limited.
+
+Cc: stable@vger.kernel.org
+Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
+Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1325,6 +1325,9 @@ static int audit_receive_msg(struct sk_b
+       case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
+               if (!audit_enabled && msg_type != AUDIT_USER_AVC)
+                       return 0;
++              /* exit early if there isn't at least one character to print */
++              if (data_len < 2)
++                      return -EINVAL;
+               err = audit_filter(msg_type, AUDIT_FILTER_USER);
+               if (err == 1) { /* match or error */
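Review bot: The new guard `data_len < 2` encodes a bound the comment only half explains: "at least one character to print" accounts for one byte, while the value 2 presumably also covers the terminator and keeps a later `str[data_len - 1]` style write from indexing below the buffer when data_len is 0; that consumer is outside the hunk, so confirm against it. I would make the comment say what it protects: `/* need one character plus the terminator; also keeps data_len - 1 a valid index in the logging code below */`. Note that the check sits after the audit_enabled early return, so a zero-length record is still accepted silently when auditing is off, which matches the existing pattern but is worth knowing when reasoning about the syzbot report. audit_receive_msg() starts and ends outside the hunk.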
diff --git a/queue-5.4/coredump-fix-null-pointer-dereference-on-coredump.patch b/queue-5.4/coredump-fix-null-pointer-dereference-on-coredump.patch
new file mode 100644 (file)
index 0000000..9ad27ac
--- /dev/null
@@ -0,0 +1,50 @@
+From db973a7289dad24e6c017dcedc6aee886579dc3a Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Mon, 20 Apr 2020 18:14:20 -0700
+Subject: coredump: fix null pointer dereference on coredump
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+commit db973a7289dad24e6c017dcedc6aee886579dc3a upstream.
+
+If the core_pattern is set to "|" and any process segfaults then we get
+a null pointer derefernce while trying to coredump. The call stack shows:
+
+    RIP: do_coredump+0x628/0x11c0
+
+When the core_pattern has only "|" there is no use of trying the
+coredump and we can check that while formating the corename and exit
+with an error.
+
+After this change I get:
+
+    format_corename failed
+    Aborting core
+
+Fixes: 315c69261dd3 ("coredump: split pipe command whitespace before expanding template")
+Reported-by: Matthew Ruffell <matthew.ruffell@canonical.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Paul Wise <pabs3@bonedaddy.net>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200416194612.21418-1-sudipm.mukherjee@gmail.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/coredump.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/coredump.c
++++ b/fs/coredump.c
+@@ -211,6 +211,8 @@ static int format_corename(struct core_n
+                       return -ENOMEM;
+               (*argv)[(*argc)++] = 0;
+               ++pat_ptr;
++              if (!(*pat_ptr))
++                      return -ENOMEM;
+       }
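Review bot: Returning -ENOMEM for a core_pattern that ends right after the `|` reports the wrong cause: nothing failed to allocate, the pattern simply has no command, and anyone reading the errno will look for memory pressure. The real allocation failure two lines up already returns -ENOMEM, so the new check should use a distinct code with a comment, `/* "|" with nothing after it: no command to run */` followed by `if (!(*pat_ptr)) return -EINVAL;`. The commit message indicates do_coredump only logs "format_corename failed" on any negative value, so the change looks behaviour-neutral for the caller as far as I can see from here; format_corename() starts and ends outside the hunk.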
+       /* Repeat as long as we have more pattern to process and more output
diff --git a/queue-5.4/iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch b/queue-5.4/iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch
new file mode 100644 (file)
index 0000000..2b18ab6
--- /dev/null
@@ -0,0 +1,73 @@
+From 290d5e4951832e39d10f4184610dbf09038f8483 Mon Sep 17 00:00:00 2001
+From: Mordechay Goodstein <mordechay.goodstein@intel.com>
+Date: Fri, 17 Apr 2020 10:08:10 +0300
+Subject: iwlwifi: mvm: beacon statistics shouldn't go backwards
+
+From: Mordechay Goodstein <mordechay.goodstein@intel.com>
+
+commit 290d5e4951832e39d10f4184610dbf09038f8483 upstream.
+
+We reset statistics also in case that we didn't reassoc so in
+this cases keep last beacon counter.
+
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/iwlwifi.20200417100405.1f9142751fbc.Ifbfd0f928a0a761110b8f4f2ca5483a61fb21131@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rx.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
+@@ -8,7 +8,7 @@
+  * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+  * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+  * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright(c) 2018 - 2019 Intel Corporation
++ * Copyright(c) 2018 - 2020 Intel Corporation
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of version 2 of the GNU General Public License as
+@@ -31,7 +31,7 @@
+  * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+  * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+  * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright(c) 2018 - 2019 Intel Corporation
++ * Copyright(c) 2018 - 2020 Intel Corporation
+  * All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+@@ -566,6 +566,7 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm *
+ struct iwl_mvm_stat_data {
+       struct iwl_mvm *mvm;
++      __le32 flags;
+       __le32 mac_id;
+       u8 beacon_filter_average_energy;
+       void *general;
+@@ -606,6 +607,13 @@ static void iwl_mvm_stat_iterator(void *
+                       -general->beacon_average_energy[vif_id];
+       }
++      /* make sure that beacon statistics don't go backwards with TCM
++       * request to clear statistics
++       */
++      if (le32_to_cpu(data->flags) & IWL_STATISTICS_REPLY_FLG_CLEAR)
++              mvmvif->beacon_stats.accu_num_beacons +=
++                      mvmvif->beacon_stats.num_beacons;
++
+       if (mvmvif->id != id)
+               return;
+@@ -763,6 +771,7 @@ void iwl_mvm_handle_rx_statistics(struct
+               flags = stats->flag;
+       }
++      data.flags = flags;
+       iwl_mvm_rx_stats_check_trigger(mvm, pkt);
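Review bot: The accumulation added to iwl_mvm_stat_iterator() runs before the `if (mvmvif->id != id) return;` test, so on a CLEAR reply every vif the iterator visits adds its num_beacons to accu_num_beacons, not only the vif the statistics belong to; if num_beacons is reset only for the matching vif later in the function (outside the hunk), the non-matching vifs would re-add the same count on the next clear request, and this should be confirmed. If the placement is deliberate, a one-line comment should say so, e.g. `/* applies to every vif: the firmware clear resets all counters */`. Separately, `data.flags = flags;` relies on `flags` being assigned on every path of iwl_mvm_handle_rx_statistics(); only one assignment is visible and the function starts and ends outside the hunk.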
diff --git a/queue-5.4/iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch b/queue-5.4/iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch
new file mode 100644 (file)
index 0000000..597b39f
--- /dev/null
@@ -0,0 +1,44 @@
+From 38af8d5a90a8c3b41ff0484855e24bd55b43ce9d Mon Sep 17 00:00:00 2001
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Fri, 17 Apr 2020 10:08:13 +0300
+Subject: iwlwifi: mvm: Do not declare support for ACK Enabled Aggregation
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+commit 38af8d5a90a8c3b41ff0484855e24bd55b43ce9d upstream.
+
+As this was not supposed to be enabled to begin with.
+
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/iwlwifi.20200417100405.53dbc3c6c36b.Idfe118546b92cc31548b2211472a5303c7de5909@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c
+@@ -525,8 +525,7 @@ static struct ieee80211_sband_iftype_dat
+                                       IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_16US |
+                                       IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_8,
+                               .mac_cap_info[2] =
+-                                      IEEE80211_HE_MAC_CAP2_32BIT_BA_BITMAP |
+-                                      IEEE80211_HE_MAC_CAP2_ACK_EN,
++                                      IEEE80211_HE_MAC_CAP2_32BIT_BA_BITMAP,
+                               .mac_cap_info[3] =
+                                       IEEE80211_HE_MAC_CAP3_OMI_CONTROL |
+                                       IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_VHT_2,
+@@ -610,8 +609,7 @@ static struct ieee80211_sband_iftype_dat
+                                       IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_16US |
+                                       IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_8,
+                               .mac_cap_info[2] =
+-                                      IEEE80211_HE_MAC_CAP2_BSR |
+-                                      IEEE80211_HE_MAC_CAP2_ACK_EN,
++                                      IEEE80211_HE_MAC_CAP2_BSR,
+                               .mac_cap_info[3] =
+                                       IEEE80211_HE_MAC_CAP3_OMI_CONTROL |
+                                       IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_VHT_2,
diff --git a/queue-5.4/iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch b/queue-5.4/iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch
new file mode 100644 (file)
index 0000000..0d7b3ca
--- /dev/null
@@ -0,0 +1,40 @@
+From e6d419f943318e2b903e380dfd52a8dda6db3021 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 17 Apr 2020 10:08:14 +0300
+Subject: iwlwifi: mvm: fix inactive TID removal return value usage
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit e6d419f943318e2b903e380dfd52a8dda6db3021 upstream.
+
+The function iwl_mvm_remove_inactive_tids() returns bool, so we
+should just check "if (ret)", not "if (ret >= 0)" (which would
+do nothing useful here). We obviously therefore cannot use the
+return value of the function for the free_queue, we need to use
+the queue (i) we're currently dealing with instead.
+
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/iwlwifi.20200417100405.9d862ed72535.I9e27ccc3ee3c8855fc13682592b571581925dfbd@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -1169,9 +1169,9 @@ static int iwl_mvm_inactivity_check(stru
+                                                  inactive_tid_bitmap,
+                                                  &unshare_queues,
+                                                  &changetid_queues);
+-              if (ret >= 0 && free_queue < 0) {
++              if (ret && free_queue < 0) {
+                       queue_owner = sta;
+-                      free_queue = ret;
++                      free_queue = i;
+               }
+               /* only unlock sta lock - we still need the queue info lock */
+               spin_unlock_bh(&mvmsta->lock);
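Review bot: The corrected condition `if (ret && free_queue < 0)` still reads like an error-code test because the local keeps the name `ret`, while the commit message states iwl_mvm_remove_inactive_tids() returns bool — the same mismatch that produced the original `>= 0` check. A bool local named for what it means, e.g. `bool removed = iwl_mvm_remove_inactive_tids(...)` and `if (removed && free_queue < 0)`, would document the contract at the call site. The declaration and the rest of iwl_mvm_inactivity_check() lie outside the hunk, so this is a follow-up rather than a change to the backport itself.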
diff --git a/queue-5.4/iwlwifi-mvm-limit-maximum-queue-appropriately.patch b/queue-5.4/iwlwifi-mvm-limit-maximum-queue-appropriately.patch
new file mode 100644 (file)
index 0000000..8e77c46
--- /dev/null
@@ -0,0 +1,76 @@
+From e5b72e3bc4763152e24bf4b8333bae21cc526c56 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 17 Apr 2020 10:08:12 +0300
+Subject: iwlwifi: mvm: limit maximum queue appropriately
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit e5b72e3bc4763152e24bf4b8333bae21cc526c56 upstream.
+
+Due to some hardware issues, queue 31 isn't usable on devices that have
+32 queues (7000, 8000, 9000 families), which is correctly reflected in
+the configuration and TX queue initialization.
+
+However, the firmware API and queue allocation code assumes that there
+are 32 queues, and if something actually attempts to use #31 this leads
+to a NULL-pointer dereference since it's not allocated.
+
+Fix this by limiting to 31 in the IWL_MVM_DQA_MAX_DATA_QUEUE, and also
+add some code to catch this earlier in the future, if the configuration
+changes perhaps.
+
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/iwlwifi.20200417100405.98a79be2db6a.I3a4af6b03b87a6bc18db9b1ff9a812f397bee1fc@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/fw/api/txq.h |    6 +++---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c    |    5 +++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/api/txq.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/txq.h
+@@ -8,7 +8,7 @@
+  * Copyright(c) 2007 - 2014 Intel Corporation. All rights reserved.
+  * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+  * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright(c) 2019 Intel Corporation
++ * Copyright(c) 2019 - 2020 Intel Corporation
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of version 2 of the GNU General Public License as
+@@ -31,7 +31,7 @@
+  * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved.
+  * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+  * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright(c) 2019 Intel Corporation
++ * Copyright(c) 2019 - 2020 Intel Corporation
+  * All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+@@ -99,7 +99,7 @@ enum iwl_mvm_dqa_txq {
+       IWL_MVM_DQA_MAX_MGMT_QUEUE = 8,
+       IWL_MVM_DQA_AP_PROBE_RESP_QUEUE = 9,
+       IWL_MVM_DQA_MIN_DATA_QUEUE = 10,
+-      IWL_MVM_DQA_MAX_DATA_QUEUE = 31,
++      IWL_MVM_DQA_MAX_DATA_QUEUE = 30,
+ };
+ enum iwl_mvm_tx_fifo {
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -722,6 +722,11 @@ static int iwl_mvm_find_free_queue(struc
+       lockdep_assert_held(&mvm->mutex);
++      if (WARN(maxq >= mvm->trans->trans_cfg->base_params->num_of_queues,
++               "max queue %d >= num_of_queues (%d)", maxq,
++               mvm->trans->trans_cfg->base_params->num_of_queues))
++              maxq = mvm->trans->trans_cfg->base_params->num_of_queues - 1;
++
+       /* This should not be hit with new TX path */
+       if (WARN_ON(iwl_mvm_has_new_tx_api(mvm)))
+               return -ENOSPC;
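Review bot: The new value `IWL_MVM_DQA_MAX_DATA_QUEUE = 30` in txq.h carries no explanation, and the commit message itself says "limiting to 31", so a reader has to work out that 30 is the highest usable index because queue 31 is broken on 32-queue hardware. A trailing comment on the enum entry, `IWL_MVM_DQA_MAX_DATA_QUEUE = 30, /* queue 31 is unusable on 32-queue (7000/8000/9000) HW */`, would capture the reason given in the description. The WARN-and-clamp added to iwl_mvm_find_free_queue() in sta.c is the right place for the runtime guard; it presumably fires only when a caller passes a `maxq` outside the configured range, but the callers and the declared type of `maxq` are outside the hunk, so the `%d` format cannot be checked here.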
diff --git a/queue-5.4/iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch b/queue-5.4/iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch
new file mode 100644 (file)
index 0000000..5541079
--- /dev/null
@@ -0,0 +1,47 @@
+From b98b33d5560a2d940f3b80f6768a6177bf3dfbc0 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 17 Apr 2020 10:08:09 +0300
+Subject: iwlwifi: pcie: actually release queue memory in TVQM
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b98b33d5560a2d940f3b80f6768a6177bf3dfbc0 upstream.
+
+The iwl_trans_pcie_dyn_txq_free() function only releases the frames
+that may be left on the queue by calling iwl_pcie_gen2_txq_unmap(),
+but doesn't actually free the DMA ring or byte-count tables for the
+queue. This leads to pretty large memory leaks (at least before my
+queue size improvements), in particular in monitor/sniffer mode on
+channel hopping since this happens on every channel change.
+
+This was also now more evident after the move to a DMA pool for the
+byte count tables, showing messages such as
+
+  BUG iwlwifi:bc (...): Objects remaining in iwlwifi:bc on __kmem_cache_shutdown()
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=206811.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Fixes: 6b35ff91572f ("iwlwifi: pcie: introduce a000 TX queues management")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/iwlwifi.20200417100405.f5f4c4193ec1.Id5feebc9b4318041913a9c89fc1378bb5454292c@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+@@ -1283,6 +1283,9 @@ void iwl_trans_pcie_dyn_txq_free(struct
+       iwl_pcie_gen2_txq_unmap(trans, queue);
++      iwl_pcie_gen2_txq_free_memory(trans, trans_pcie->txq[queue]);
++      trans_pcie->txq[queue] = NULL;
++
+       IWL_DEBUG_TX_QUEUES(trans, "Deactivate queue %d\n", queue);
+ }
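Review bot: The new `iwl_pcie_gen2_txq_free_memory(trans, trans_pcie->txq[queue]);` and the following `trans_pcie->txq[queue] = NULL;` assume the slot is non-NULL at this point, and nothing in the hunk shows that guard; if iwl_trans_pcie_dyn_txq_free() can be reached twice for the same queue, the second call would now pass NULL into the free routine. The function body starts outside the hunk, so the prologue may already reject an unused queue — worth confirming before merging the backport, since this is a 4.14+ fix that will land on several trees. Clearing the slot after the free is the right defence against a dangling pointer; a one-line comment such as `/* drop the slot so a later lookup sees an unallocated queue */` would make the intent explicit.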
diff --git a/queue-5.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch b/queue-5.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
new file mode 100644 (file)
index 0000000..7700102
--- /dev/null
@@ -0,0 +1,48 @@
+From b6467ab142b708dd076f6186ca274f14af379c72 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 7 Apr 2020 23:40:58 -0700
+Subject: KVM: Check validity of resolved slot when searching memslots
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit b6467ab142b708dd076f6186ca274f14af379c72 upstream.
+
+Check that the resolved slot (somewhat confusingly named 'start') is a
+valid/allocated slot before doing the final comparison to see if the
+specified gfn resides in the associated slot.  The resolved slot can be
+invalid if the binary search loop terminated because the search index
+was incremented beyond the number of used slots.
+
+This bug has existed since the binary search algorithm was introduced,
+but went unnoticed because KVM statically allocated memory for the max
+number of slots, i.e. the access would only be truly out-of-bounds if
+all possible slots were allocated and the specified gfn was less than
+the base of the lowest memslot.  Commit 36947254e5f98 ("KVM: Dynamically
+size memslot array based on number of used slots") eliminated the "all
+possible slots allocated" condition and made the bug embarrasingly easy
+to hit.
+
+Fixes: 9c1a5d38780e6 ("kvm: optimize GFN to memslot lookup with large slots amount")
+Reported-by: syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200408064059.8957-2-sean.j.christopherson@intel.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kvm_host.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1027,7 +1027,7 @@ search_memslots(struct kvm_memslots *slo
+                       start = slot + 1;
+       }
+-      if (gfn >= memslots[start].base_gfn &&
++      if (start < slots->used_slots && gfn >= memslots[start].base_gfn &&
+           gfn < memslots[start].base_gfn + memslots[start].npages) {
+               atomic_set(&slots->lru_slot, start);
+               return &memslots[start];
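Review bot: The added bound `start < slots->used_slots` is correct but unexplained; a reader of search_memslots() has to reconstruct from the commit message why `start` can point past the last used slot. A short comment above the condition, `/* start == used_slots when gfn is below the lowest memslot; avoid reading past the array */`, would record that. The function's earlier lines, including any handling of `used_slots == 0`, are outside the hunk, so whether the loop above can leave `start` at 0 with no slots at all cannot be verified here and is presumably covered elsewhere.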
diff --git a/queue-5.4/kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch b/queue-5.4/kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch
new file mode 100644 (file)
index 0000000..1b08f8f
--- /dev/null
@@ -0,0 +1,42 @@
+From 97daa028f3f621adff2c4f7b15fe0874e5b5bd6c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 7 Apr 2020 23:40:59 -0700
+Subject: KVM: s390: Return last valid slot if approx index is out-of-bounds
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 97daa028f3f621adff2c4f7b15fe0874e5b5bd6c upstream.
+
+Return the index of the last valid slot from gfn_to_memslot_approx() if
+its binary search loop yielded an out-of-bounds index.  The index can
+be out-of-bounds if the specified gfn is less than the base of the
+lowest memslot (which is also the last valid memslot).
+
+Note, the sole caller, kvm_s390_get_cmma(), ensures used_slots is
+non-zero.
+
+Fixes: afdad61615cc3 ("KVM: s390: Fix storage attributes migration with memory slots")
+Cc: stable@vger.kernel.org # 4.19.x: 0774a964ef56: KVM: Fix out of range accesses to memslots
+Cc: stable@vger.kernel.org # 4.19.x
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200408064059.8957-3-sean.j.christopherson@intel.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1932,6 +1932,9 @@ static int gfn_to_memslot_approx(struct
+                       start = slot + 1;
+       }
++      if (start >= slots->used_slots)
++              return slots->used_slots - 1;
++
+       if (gfn >= memslots[start].base_gfn &&
+           gfn < memslots[start].base_gfn + memslots[start].npages) {
+               atomic_set(&slots->lru_slot, start);
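Review bot: The new early return `return slots->used_slots - 1;` yields -1 when `used_slots` is zero, and the only thing preventing that is the caller invariant the commit message mentions (kvm_s390_get_cmma() ensures used_slots is non-zero), which is not visible in gfn_to_memslot_approx() itself. That invariant should be stated at the return, e.g. `/* used_slots is guaranteed non-zero by the sole caller, kvm_s390_get_cmma() */`, so a future second caller does not silently get a negative index. The function's opening lines are outside the hunk; if a zero check already exists there, the comment can simply reference it instead.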
diff --git a/queue-5.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch b/queue-5.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
new file mode 100644 (file)
index 0000000..696c593
--- /dev/null
@@ -0,0 +1,36 @@
+From fb56baae5ea509e63c2a068d66a4d8ea91969fca Mon Sep 17 00:00:00 2001
+From: Uros Bizjak <ubizjak@gmail.com>
+Date: Tue, 14 Apr 2020 09:14:14 +0200
+Subject: KVM: VMX: Enable machine check support for 32bit targets
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+commit fb56baae5ea509e63c2a068d66a4d8ea91969fca upstream.
+
+There is no reason to limit the use of do_machine_check
+to 64bit targets. MCE handling works for both target familes.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Fixes: a0861c02a981 ("KVM: Add VT-x machine check support")
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Message-Id: <20200414071414.45636-1-ubizjak@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx/vmx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -4566,7 +4566,7 @@ static int handle_rmode_exception(struct
+  */
+ static void kvm_machine_check(void)
+ {
+-#if defined(CONFIG_X86_MCE) && defined(CONFIG_X86_64)
++#if defined(CONFIG_X86_MCE)
+       struct pt_regs regs = {
+               .cs = 3, /* Fake ring 3 no matter what the guest ran on */
+               .flags = X86_EFLAGS_IF,
diff --git a/queue-5.4/mac80211-populate-debugfs-only-after-cfg80211-init.patch b/queue-5.4/mac80211-populate-debugfs-only-after-cfg80211-init.patch
new file mode 100644 (file)
index 0000000..93d72dc
--- /dev/null
@@ -0,0 +1,252 @@
+From 6cb5f3ea4654faf8c28b901266e960b1a4787b26 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 23 Apr 2020 11:13:49 +0200
+Subject: mac80211: populate debugfs only after cfg80211 init
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 6cb5f3ea4654faf8c28b901266e960b1a4787b26 upstream.
+
+When fixing the initialization race, we neglected to account for
+the fact that debugfs is initialized in wiphy_register(), and
+some debugfs things went missing (or rather were rerooted to the
+global debugfs root).
+
+Fix this by adding debugfs entries only after wiphy_register().
+This requires some changes in the rate control code since it
+currently adds debugfs at alloc time, which can no longer be
+done after the reordering.
+
+Reported-by: Jouni Malinen <j@w1.fi>
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
+Reported-by: Felix Fietkau <nbd@nbd.name>
+Cc: stable@vger.kernel.org
+Fixes: 52e04b4ce5d0 ("mac80211: fix race in ieee80211_register_hw()")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Sumit Garg <sumit.garg@linaro.org>
+Link: https://lore.kernel.org/r/20200423111344.0e00d3346f12.Iadc76a03a55093d94391fc672e996a458702875d@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlegacy/3945-rs.c |    2 +-
+ drivers/net/wireless/intel/iwlegacy/4965-rs.c |    2 +-
+ drivers/net/wireless/intel/iwlwifi/dvm/rs.c   |    2 +-
+ drivers/net/wireless/intel/iwlwifi/mvm/rs.c   |    2 +-
+ drivers/net/wireless/realtek/rtlwifi/rc.c     |    2 +-
+ include/net/mac80211.h                        |    4 +++-
+ net/mac80211/main.c                           |    5 +++--
+ net/mac80211/rate.c                           |   15 ++++-----------
+ net/mac80211/rate.h                           |   23 +++++++++++++++++++++++
+ net/mac80211/rc80211_minstrel_ht.c            |   19 +++++++++++++------
+ 10 files changed, 51 insertions(+), 25 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlegacy/3945-rs.c
++++ b/drivers/net/wireless/intel/iwlegacy/3945-rs.c
+@@ -374,7 +374,7 @@ out:
+ }
+ static void *
+-il3945_rs_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir)
++il3945_rs_alloc(struct ieee80211_hw *hw)
+ {
+       return hw->priv;
+ }
+--- a/drivers/net/wireless/intel/iwlegacy/4965-rs.c
++++ b/drivers/net/wireless/intel/iwlegacy/4965-rs.c
+@@ -2474,7 +2474,7 @@ il4965_rs_fill_link_cmd(struct il_priv *
+ }
+ static void *
+-il4965_rs_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir)
++il4965_rs_alloc(struct ieee80211_hw *hw)
+ {
+       return hw->priv;
+ }
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+@@ -3019,7 +3019,7 @@ static void rs_fill_link_cmd(struct iwl_
+                       cpu_to_le16(priv->lib->bt_params->agg_time_limit);
+ }
+-static void *rs_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir)
++static void *rs_alloc(struct ieee80211_hw *hw)
+ {
+       return hw->priv;
+ }
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+@@ -3663,7 +3663,7 @@ static void rs_fill_lq_cmd(struct iwl_mv
+                       cpu_to_le16(iwl_mvm_coex_agg_time_limit(mvm, sta));
+ }
+-static void *rs_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir)
++static void *rs_alloc(struct ieee80211_hw *hw)
+ {
+       return hw->priv;
+ }
+--- a/drivers/net/wireless/realtek/rtlwifi/rc.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rc.c
+@@ -261,7 +261,7 @@ static void rtl_rate_update(void *ppriv,
+ {
+ }
+-static void *rtl_rate_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir)
++static void *rtl_rate_alloc(struct ieee80211_hw *hw)
+ {
+       struct rtl_priv *rtlpriv = rtl_priv(hw);
+       return rtlpriv;
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -5933,7 +5933,9 @@ enum rate_control_capabilities {
+ struct rate_control_ops {
+       unsigned long capa;
+       const char *name;
+-      void *(*alloc)(struct ieee80211_hw *hw, struct dentry *debugfsdir);
++      void *(*alloc)(struct ieee80211_hw *hw);
++      void (*add_debugfs)(struct ieee80211_hw *hw, void *priv,
++                          struct dentry *debugfsdir);
+       void (*free)(void *priv);
+       void *(*alloc_sta)(void *priv, struct ieee80211_sta *sta, gfp_t gfp);
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1155,8 +1155,6 @@ int ieee80211_register_hw(struct ieee802
+       local->tx_headroom = max_t(unsigned int , local->hw.extra_tx_headroom,
+                                  IEEE80211_TX_STATUS_HEADROOM);
+-      debugfs_hw_add(local);
+-
+       /*
+        * if the driver doesn't specify a max listen interval we
+        * use 5 which should be a safe default
+@@ -1248,6 +1246,9 @@ int ieee80211_register_hw(struct ieee802
+       if (result < 0)
+               goto fail_wiphy_register;
++      debugfs_hw_add(local);
++      rate_control_add_debugfs(local);
++
+       rtnl_lock();
+       /* add one default STA interface if supported */
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -214,17 +214,16 @@ static ssize_t rcname_read(struct file *
+                                      ref->ops->name, len);
+ }
+-static const struct file_operations rcname_ops = {
++const struct file_operations rcname_ops = {
+       .read = rcname_read,
+       .open = simple_open,
+       .llseek = default_llseek,
+ };
+ #endif
+-static struct rate_control_ref *rate_control_alloc(const char *name,
+-                                          struct ieee80211_local *local)
++static struct rate_control_ref *
++rate_control_alloc(const char *name, struct ieee80211_local *local)
+ {
+-      struct dentry *debugfsdir = NULL;
+       struct rate_control_ref *ref;
+       ref = kmalloc(sizeof(struct rate_control_ref), GFP_KERNEL);
+@@ -234,13 +233,7 @@ static struct rate_control_ref *rate_con
+       if (!ref->ops)
+               goto free;
+-#ifdef CONFIG_MAC80211_DEBUGFS
+-      debugfsdir = debugfs_create_dir("rc", local->hw.wiphy->debugfsdir);
+-      local->debugfs.rcdir = debugfsdir;
+-      debugfs_create_file("name", 0400, debugfsdir, ref, &rcname_ops);
+-#endif
+-
+-      ref->priv = ref->ops->alloc(&local->hw, debugfsdir);
++      ref->priv = ref->ops->alloc(&local->hw);
+       if (!ref->priv)
+               goto free;
+       return ref;
+--- a/net/mac80211/rate.h
++++ b/net/mac80211/rate.h
+@@ -60,6 +60,29 @@ static inline void rate_control_add_sta_
+ #endif
+ }
++extern const struct file_operations rcname_ops;
++
++static inline void rate_control_add_debugfs(struct ieee80211_local *local)
++{
++#ifdef CONFIG_MAC80211_DEBUGFS
++      struct dentry *debugfsdir;
++
++      if (!local->rate_ctrl)
++              return;
++
++      if (!local->rate_ctrl->ops->add_debugfs)
++              return;
++
++      debugfsdir = debugfs_create_dir("rc", local->hw.wiphy->debugfsdir);
++      local->debugfs.rcdir = debugfsdir;
++      debugfs_create_file("name", 0400, debugfsdir,
++                          local->rate_ctrl, &rcname_ops);
++
++      local->rate_ctrl->ops->add_debugfs(&local->hw, local->rate_ctrl->priv,
++                                         debugfsdir);
++#endif
++}
++
+ void ieee80211_check_rate_mask(struct ieee80211_sub_if_data *sdata);
+ /* Get a reference to the rate control algorithm. If `name' is NULL, get the
+--- a/net/mac80211/rc80211_minstrel_ht.c
++++ b/net/mac80211/rc80211_minstrel_ht.c
+@@ -1631,7 +1631,7 @@ minstrel_ht_init_cck_rates(struct minstr
+ }
+ static void *
+-minstrel_ht_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir)
++minstrel_ht_alloc(struct ieee80211_hw *hw)
+ {
+       struct minstrel_priv *mp;
+@@ -1668,18 +1668,24 @@ minstrel_ht_alloc(struct ieee80211_hw *h
+       mp->hw = hw;
+       mp->update_interval = 100;
++      minstrel_ht_init_cck_rates(mp);
++
++      return mp;
++}
++
+ #ifdef CONFIG_MAC80211_DEBUGFS
++static void minstrel_ht_add_debugfs(struct ieee80211_hw *hw, void *priv,
++                                  struct dentry *debugfsdir)
++{
++      struct minstrel_priv *mp = priv;
++
+       mp->fixed_rate_idx = (u32) -1;
+       debugfs_create_u32("fixed_rate_idx", S_IRUGO | S_IWUGO, debugfsdir,
+                          &mp->fixed_rate_idx);
+       debugfs_create_u32("sample_switch", S_IRUGO | S_IWUSR, debugfsdir,
+                          &mp->sample_switch);
+-#endif
+-
+-      minstrel_ht_init_cck_rates(mp);
+-
+-      return mp;
+ }
++#endif
+ static void
+ minstrel_ht_free(void *priv)
+@@ -1718,6 +1724,7 @@ static const struct rate_control_ops mac
+       .alloc = minstrel_ht_alloc,
+       .free = minstrel_ht_free,
+ #ifdef CONFIG_MAC80211_DEBUGFS
++      .add_debugfs = minstrel_ht_add_debugfs,
+       .add_sta_debugfs = minstrel_ht_add_sta_debugfs,
+ #endif
+       .get_expected_throughput = minstrel_ht_get_expected_throughput,
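Review bot: The new rate_control_add_debugfs() in rate.h returns early when `local->rate_ctrl->ops->add_debugfs` is NULL, so the `rc` directory and its `name` file are no longer created for rate control algorithms that do not implement the new hook — before this change rate_control_alloc() created them unconditionally, and of the drivers touched here only minstrel_ht gains an `.add_debugfs`. If that is not intended, the directory and `name` file should be created first and only the final `ops->add_debugfs(...)` call guarded by the NULL check. A related consequence in rc80211_minstrel_ht.c: `mp->fixed_rate_idx = (u32) -1;` now runs in minstrel_ht_add_debugfs() rather than in minstrel_ht_alloc(), so between alloc and the post-wiphy_register() debugfs pass the field holds the kzalloc'd 0; whether any rate-selection path can observe that window is outside the hunk, but keeping the sentinel assignment in minstrel_ht_alloc() under the same `#ifdef` would remove the question.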
diff --git a/queue-5.4/mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch b/queue-5.4/mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch
new file mode 100644 (file)
index 0000000..64f00c4
--- /dev/null
@@ -0,0 +1,122 @@
+From 3c1d7e6ccb644d517a12f73a7ff200870926f865 Mon Sep 17 00:00:00 2001
+From: Longpeng <longpeng2@huawei.com>
+Date: Mon, 20 Apr 2020 18:13:51 -0700
+Subject: mm/hugetlb: fix a addressing exception caused by huge_pte_offset
+
+From: Longpeng <longpeng2@huawei.com>
+
+commit 3c1d7e6ccb644d517a12f73a7ff200870926f865 upstream.
+
+Our machine encountered a panic(addressing exception) after run for a
+long time and the calltrace is:
+
+    RIP: hugetlb_fault+0x307/0xbe0
+    RSP: 0018:ffff9567fc27f808  EFLAGS: 00010286
+    RAX: e800c03ff1258d48 RBX: ffffd3bb003b69c0 RCX: e800c03ff1258d48
+    RDX: 17ff3fc00eda72b7 RSI: 00003ffffffff000 RDI: e800c03ff1258d48
+    RBP: ffff9567fc27f8c8 R08: e800c03ff1258d48 R09: 0000000000000080
+    R10: ffffaba0704c22a8 R11: 0000000000000001 R12: ffff95c87b4b60d8
+    R13: 00005fff00000000 R14: 0000000000000000 R15: ffff9567face8074
+    FS:  00007fe2d9ffb700(0000) GS:ffff956900e40000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: ffffd3bb003b69c0 CR3: 000000be67374000 CR4: 00000000003627e0
+    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+    Call Trace:
+      follow_hugetlb_page+0x175/0x540
+      __get_user_pages+0x2a0/0x7e0
+      __get_user_pages_unlocked+0x15d/0x210
+      __gfn_to_pfn_memslot+0x3c5/0x460 [kvm]
+      try_async_pf+0x6e/0x2a0 [kvm]
+      tdp_page_fault+0x151/0x2d0 [kvm]
+     ...
+      kvm_arch_vcpu_ioctl_run+0x330/0x490 [kvm]
+      kvm_vcpu_ioctl+0x309/0x6d0 [kvm]
+      do_vfs_ioctl+0x3f0/0x540
+      SyS_ioctl+0xa1/0xc0
+      system_call_fastpath+0x22/0x27
+
+For 1G hugepages, huge_pte_offset() wants to return NULL or pudp, but it
+may return a wrong 'pmdp' if there is a race.  Please look at the
+following code snippet:
+
+    ...
+    pud = pud_offset(p4d, addr);
+    if (sz != PUD_SIZE && pud_none(*pud))
+        return NULL;
+    /* hugepage or swap? */
+    if (pud_huge(*pud) || !pud_present(*pud))
+        return (pte_t *)pud;
+
+    pmd = pmd_offset(pud, addr);
+    if (sz != PMD_SIZE && pmd_none(*pmd))
+        return NULL;
+    /* hugepage or swap? */
+    if (pmd_huge(*pmd) || !pmd_present(*pmd))
+        return (pte_t *)pmd;
+    ...
+
+The following sequence would trigger this bug:
+
+ - CPU0: sz = PUD_SIZE and *pud = 0 , continue
+ - CPU0: "pud_huge(*pud)" is false
+ - CPU1: calling hugetlb_no_page and set *pud to xxxx8e7(PRESENT)
+ - CPU0: "!pud_present(*pud)" is false, continue
+ - CPU0: pmd = pmd_offset(pud, addr) and maybe return a wrong pmdp
+
+However, we want CPU0 to return NULL or pudp in this case.
+
+We must make sure there is exactly one dereference of pud and pmd.
+
+Signed-off-by: Longpeng <longpeng2@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200413010342.771-1-longpeng2@huawei.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -5016,8 +5016,8 @@ pte_t *huge_pte_offset(struct mm_struct
+ {
+       pgd_t *pgd;
+       p4d_t *p4d;
+-      pud_t *pud;
+-      pmd_t *pmd;
++      pud_t *pud, pud_entry;
++      pmd_t *pmd, pmd_entry;
+       pgd = pgd_offset(mm, addr);
+       if (!pgd_present(*pgd))
+@@ -5027,17 +5027,19 @@ pte_t *huge_pte_offset(struct mm_struct
+               return NULL;
+       pud = pud_offset(p4d, addr);
+-      if (sz != PUD_SIZE && pud_none(*pud))
++      pud_entry = READ_ONCE(*pud);
++      if (sz != PUD_SIZE && pud_none(pud_entry))
+               return NULL;
+       /* hugepage or swap? */
+-      if (pud_huge(*pud) || !pud_present(*pud))
++      if (pud_huge(pud_entry) || !pud_present(pud_entry))
+               return (pte_t *)pud;
+       pmd = pmd_offset(pud, addr);
+-      if (sz != PMD_SIZE && pmd_none(*pmd))
++      pmd_entry = READ_ONCE(*pmd);
++      if (sz != PMD_SIZE && pmd_none(pmd_entry))
+               return NULL;
+       /* hugepage or swap? */
+-      if (pmd_huge(*pmd) || !pmd_present(*pmd))
++      if (pmd_huge(pmd_entry) || !pmd_present(pmd_entry))
+               return (pte_t *)pmd;
+       return NULL;
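Review bot: The hunk switches the pud and pmd levels to a single `READ_ONCE()` snapshot (`pud_entry`, `pmd_entry`) but leaves the pgd level reading `*pgd` directly in `if (!pgd_present(*pgd))`, and the p4d check just outside the hunk presumably does the same, which makes the rule "exactly one dereference per level" from the description look inconsistent to the next reader. Either the upper levels cannot race in the way described for pud/pmd, in which case a comment should say so, or they should get the same treatment. A comment on the first snapshot, `/* read each entry once: the table can be populated concurrently by hugetlb_no_page() */`, would document why the local copies exist.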
diff --git a/queue-5.4/mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch b/queue-5.4/mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch
new file mode 100644 (file)
index 0000000..738e073
--- /dev/null
@@ -0,0 +1,87 @@
+From 56df70a63ed5d989c1d36deee94cae14342be6e9 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Mon, 20 Apr 2020 18:14:04 -0700
+Subject: mm/ksm: fix NULL pointer dereference when KSM zero page is enabled
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 56df70a63ed5d989c1d36deee94cae14342be6e9 upstream.
+
+find_mergeable_vma() can return NULL.  In this case, it leads to a crash
+when we access vm_mm(its offset is 0x40) later in write_protect_page.
+And this case did happen on our server.  The following call trace is
+captured in kernel 4.19 with the following patch applied and KSM zero
+page enabled on our server.
+
+  commit e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring")
+
+So add a vma check to fix it.
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
+  Oops: 0000 [#1] SMP NOPTI
+  CPU: 9 PID: 510 Comm: ksmd Kdump: loaded Tainted: G OE 4.19.36.bsk.9-amd64 #4.19.36.bsk.9
+  RIP: try_to_merge_one_page+0xc7/0x760
+  Code: 24 58 65 48 33 34 25 28 00 00 00 89 e8 0f 85 a3 06 00 00 48 83 c4
+        60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8b 46 08 a8 01 75 b8 <49>
+        8b 44 24 40 4c 8d 7c 24 20 b9 07 00 00 00 4c 89 e6 4c 89 ff 48
+  RSP: 0018:ffffadbdd9fffdb0 EFLAGS: 00010246
+  RAX: ffffda83ffd4be08 RBX: ffffda83ffd4be40 RCX: 0000002c6e800000
+  RDX: 0000000000000000 RSI: ffffda83ffd4be40 RDI: 0000000000000000
+  RBP: ffffa11939f02ec0 R08: 0000000094e1a447 R09: 00000000abe76577
+  R10: 0000000000000962 R11: 0000000000004e6a R12: 0000000000000000
+  R13: ffffda83b1e06380 R14: ffffa18f31f072c0 R15: ffffda83ffd4be40
+  FS: 0000000000000000(0000) GS:ffffa0da43b80000(0000) knlGS:0000000000000000
+  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 0000000000000040 CR3: 0000002c77c0a003 CR4: 00000000007626e0
+  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+  PKRU: 55555554
+  Call Trace:
+    ksm_scan_thread+0x115e/0x1960
+    kthread+0xf5/0x130
+    ret_from_fork+0x1f/0x30
+
+[songmuchun@bytedance.com: if the vma is out of date, just exit]
+  Link: http://lkml.kernel.org/r/20200416025034.29780-1-songmuchun@bytedance.com
+[akpm@linux-foundation.org: add the conventional braces, replace /** with /*]
+Fixes: e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring")
+Co-developed-by: Xiongchun Duan <duanxiongchun@bytedance.com>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Yang Shi <yang.shi@linux.alibaba.com>
+Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Cc: Markus Elfring <Markus.Elfring@web.de>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200416025034.29780-1-songmuchun@bytedance.com
+Link: http://lkml.kernel.org/r/20200414132905.83819-1-songmuchun@bytedance.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/ksm.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -2112,8 +2112,16 @@ static void cmp_and_merge_page(struct pa
+               down_read(&mm->mmap_sem);
+               vma = find_mergeable_vma(mm, rmap_item->address);
+-              err = try_to_merge_one_page(vma, page,
+-                                          ZERO_PAGE(rmap_item->address));
++              if (vma) {
++                      err = try_to_merge_one_page(vma, page,
++                                      ZERO_PAGE(rmap_item->address));
++              } else {
++                      /*
++                       * If the vma is out of date, we do not need to
++                       * continue.
++                       */
++                      err = 0;
++              }
+               up_read(&mm->mmap_sem);
+               /*
+                * In case of failure, the page was not really empty, so we
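Review bot: The new else branch's comment "If the vma is out of date, we do not need to continue" does not say what setting `err = 0` means for the code that follows, which on the next lines treats zero as success and apparently stops processing this page; a reader may take the zero as "merged" rather than "nothing to do". Rewording it as `/* The vma is gone or no longer mergeable: report success so the caller drops this page without retrying. */` makes the choice explicit. The rest of cmp_and_merge_page(), including the test of `err`, is outside the hunk, so the exact effect is inferred from the comment that starts at its end.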
index cf5023dbbcb8d9737ef4ed6fd78a351ec3e93d41..8ac746a5d6c2ec192ef454cda9300e11e9e6d1ee 100644 (file)
@@ -99,3 +99,34 @@ usb-core-fix-free-while-in-use-bug-in-the-usb-s-glibrary.patch
 usb-hub-fix-handling-of-connect-changes-during-sleep.patch
 usb-hub-revert-commit-bd0e6c9614b9-usb-hub-try-old-enumeration-scheme-first-for-high-speed-devices.patch
 tty-serial-owl-add-much-needed-clk_prepare_enable.patch
+vmalloc-fix-remap_vmalloc_range-bounds-checks.patch
+staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch
+coredump-fix-null-pointer-dereference-on-coredump.patch
+mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch
+mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch
+tools-vm-fix-cross-compile-build.patch
+alsa-usx2y-fix-potential-null-dereference.patch
+alsa-hda-realtek-fix-unexpected-init_amp-override.patch
+alsa-hda-realtek-add-new-codec-supported-for-alc245.patch
+alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch
+alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
+alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
+tpm-tpm_tis-free-irq-if-probing-fails.patch
+tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch
+tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch
+kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch
+kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
+kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
+tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
+tty-rocket-avoid-oob-access.patch
+usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
+signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
+audit-check-the-length-of-userspace-generated-audit-records.patch
+asoc-dapm-fixup-dapm-kcontrol-widget.patch
+mac80211-populate-debugfs-only-after-cfg80211-init.patch
+sunrpc-fix-backchannel-rpc-soft-lockups.patch
+iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch
+iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch
+iwlwifi-mvm-limit-maximum-queue-appropriately.patch
+iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch
+iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch
diff --git a/queue-5.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch b/queue-5.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
new file mode 100644 (file)
index 0000000..e6079d3
--- /dev/null
@@ -0,0 +1,180 @@
+From 61e713bdca3678e84815f2427f7a063fc353a1fc Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 20 Apr 2020 11:41:50 -0500
+Subject: signal: Avoid corrupting si_pid and si_uid in do_notify_parent
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 61e713bdca3678e84815f2427f7a063fc353a1fc upstream.
+
+Christof Meerwald <cmeerw@cmeerw.org> writes:
+> Hi,
+>
+> this is probably related to commit
+> 7a0cf094944e2540758b7f957eb6846d5126f535 (signal: Correct namespace
+> fixups of si_pid and si_uid).
+>
+> With a 5.6.5 kernel I am seeing SIGCHLD signals that don't include a
+> properly set si_pid field - this seems to happen for multi-threaded
+> child processes.
+>
+> A simple test program (based on the sample from the signalfd man page):
+>
+> #include <sys/signalfd.h>
+> #include <signal.h>
+> #include <unistd.h>
+> #include <spawn.h>
+> #include <stdlib.h>
+> #include <stdio.h>
+>
+> #define handle_error(msg) \
+>     do { perror(msg); exit(EXIT_FAILURE); } while (0)
+>
+> int main(int argc, char *argv[])
+> {
+>   sigset_t mask;
+>   int sfd;
+>   struct signalfd_siginfo fdsi;
+>   ssize_t s;
+>
+>   sigemptyset(&mask);
+>   sigaddset(&mask, SIGCHLD);
+>
+>   if (sigprocmask(SIG_BLOCK, &mask, NULL) == -1)
+>     handle_error("sigprocmask");
+>
+>   pid_t chldpid;
+>   char *chldargv[] = { "./sfdclient", NULL };
+>   posix_spawn(&chldpid, "./sfdclient", NULL, NULL, chldargv, NULL);
+>
+>   sfd = signalfd(-1, &mask, 0);
+>   if (sfd == -1)
+>     handle_error("signalfd");
+>
+>   for (;;) {
+>     s = read(sfd, &fdsi, sizeof(struct signalfd_siginfo));
+>     if (s != sizeof(struct signalfd_siginfo))
+>       handle_error("read");
+>
+>     if (fdsi.ssi_signo == SIGCHLD) {
+>       printf("Got SIGCHLD %d %d %d %d\n",
+>           fdsi.ssi_status, fdsi.ssi_code,
+>           fdsi.ssi_uid, fdsi.ssi_pid);
+>       return 0;
+>     } else {
+>       printf("Read unexpected signal\n");
+>     }
+>   }
+> }
+>
+>
+> and a multi-threaded client to test with:
+>
+> #include <unistd.h>
+> #include <pthread.h>
+>
+> void *f(void *arg)
+> {
+>   sleep(100);
+> }
+>
+> int main()
+> {
+>   pthread_t t[8];
+>
+>   for (int i = 0; i != 8; ++i)
+>   {
+>     pthread_create(&t[i], NULL, f, NULL);
+>   }
+> }
+>
+> I tried to do a bit of debugging and what seems to be happening is
+> that
+>
+>   /* From an ancestor pid namespace? */
+>   if (!task_pid_nr_ns(current, task_active_pid_ns(t))) {
+>
+> fails inside task_pid_nr_ns because the check for "pid_alive" fails.
+>
+> This code seems to be called from do_notify_parent and there we
+> actually have "tsk != current" (I am assuming both are threads of the
+> current process?)
+
+I instrumented the code with a warning and received the following backtrace:
+> WARNING: CPU: 0 PID: 777 at kernel/pid.c:501 __task_pid_nr_ns.cold.6+0xc/0x15
+> Modules linked in:
+> CPU: 0 PID: 777 Comm: sfdclient Not tainted 5.7.0-rc1userns+ #2924
+> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+> RIP: 0010:__task_pid_nr_ns.cold.6+0xc/0x15
+> Code: ff 66 90 48 83 ec 08 89 7c 24 04 48 8d 7e 08 48 8d 74 24 04 e8 9a b6 44 00 48 83 c4 08 c3 48 c7 c7 59 9f ac 82 e8 c2 c4 04 00 <0f> 0b e9 3fd
+> RSP: 0018:ffffc9000042fbf8 EFLAGS: 00010046
+> RAX: 000000000000000c RBX: 0000000000000000 RCX: ffffc9000042faf4
+> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81193d29
+> RBP: ffffc9000042fc18 R08: 0000000000000000 R09: 0000000000000001
+> R10: 000000100f938416 R11: 0000000000000309 R12: ffff8880b941c140
+> R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880b941c140
+> FS:  0000000000000000(0000) GS:ffff8880bca00000(0000) knlGS:0000000000000000
+> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+> CR2: 00007f2e8c0a32e0 CR3: 0000000002e10000 CR4: 00000000000006f0
+> Call Trace:
+>  send_signal+0x1c8/0x310
+>  do_notify_parent+0x50f/0x550
+>  release_task.part.21+0x4fd/0x620
+>  do_exit+0x6f6/0xaf0
+>  do_group_exit+0x42/0xb0
+>  get_signal+0x13b/0xbb0
+>  do_signal+0x2b/0x670
+>  ? __audit_syscall_exit+0x24d/0x2b0
+>  ? rcu_read_lock_sched_held+0x4d/0x60
+>  ? kfree+0x24c/0x2b0
+>  do_syscall_64+0x176/0x640
+>  ? trace_hardirqs_off_thunk+0x1a/0x1c
+>  entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+The immediate problem is as Christof noticed that "pid_alive(current) == false".
+This happens because do_notify_parent is called from the last thread to exit
+in a process after that thread has been reaped.
+
+The bigger issue is that do_notify_parent can be called from any
+process that manages to wait on a thread of a multi-threaded process
+from wait_task_zombie.  So any logic based upon current for
+do_notify_parent is just nonsense, as current can be pretty much
+anything.
+
+So change do_notify_parent to call __send_signal directly.
+
+Inspecting the code it appears this problem has existed since the pid
+namespace support started handling this case in 2.6.30.  This fix only
+backports to 7a0cf094944e ("signal: Correct namespace fixups of si_pid and si_uid")
+where the problem logic was moved out of __send_signal and into send_signal.
+
+Cc: stable@vger.kernel.org
+Fixes: 6588c1e3ff01 ("signals: SI_USER: Masquerade si_pid when crossing pid ns boundary")
+Ref: 921cf9f63089 ("signals: protect cinit from unblocked SIG_DFL signals")
+Link: https://lore.kernel.org/lkml/20200419201336.GI22017@edge.cmeerw.net/
+Reported-by: Christof Meerwald <cmeerw@cmeerw.org>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/signal.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1993,8 +1993,12 @@ bool do_notify_parent(struct task_struct
+               if (psig->action[SIGCHLD-1].sa.sa_handler == SIG_IGN)
+                       sig = 0;
+       }
++      /*
++       * Send with __send_signal as si_pid and si_uid are in the
++       * parent's namespaces.
++       */
+       if (valid_signal(sig) && sig)
+-              __group_send_sig_info(sig, &info, tsk->parent);
++              __send_signal(sig, &info, tsk->parent, PIDTYPE_TGID, false);
+       __wake_up_parent(tsk, tsk->parent);
+       spin_unlock_irqrestore(&psig->siglock, flags);
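Review bot: The new comment above the `__send_signal()` call says why send_signal() is bypassed but not what that bypass gives up: send_signal() is where the si_pid/si_uid namespace fixup and the `force` decision live, so this call now relies entirely on `info` having been filled in for tsk->parent's pid and user namespaces earlier in do_notify_parent(), which is above the hunk. I would extend the comment to state that contract, e.g. `/* si_pid/si_uid were computed above against tsk->parent's namespaces; send_signal()'s current-based fixup is wrong here because current may be an unrelated reaper. */`. The `force = false` argument also deserves a clause: the SIG_IGN case is already handled by the `sig = 0` assignment just above, but whether `false` changes anything for a container-init parent (the Ref: 921cf9f63089 trailer hints at that path) is not visible in this hunk and is worth stating either way.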
diff --git a/queue-5.4/staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch b/queue-5.4/staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch
new file mode 100644 (file)
index 0000000..6a5579d
--- /dev/null
@@ -0,0 +1,49 @@
+From 9195d762042b0e5e4ded63606b4b30a93cba4400 Mon Sep 17 00:00:00 2001
+From: Luis Mendes <luis.p.mendes@gmail.com>
+Date: Fri, 3 Apr 2020 16:15:34 +0100
+Subject: staging: gasket: Fix incongruency in handling of sysfs entries creation
+
+From: Luis Mendes <luis.p.mendes@gmail.com>
+
+commit 9195d762042b0e5e4ded63606b4b30a93cba4400 upstream.
+
+Fix incongruency in handling of sysfs entries creation.
+This issue could cause invalid memory accesses, by not properly
+detecting the end of the sysfs attributes array.
+
+Fixes: 84c45d5f3bf1 ("staging: gasket: Replace macro __ATTR with __ATTR_NULL")
+Signed-off-by: Luis Mendes <luis.p.mendes@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200403151534.20753-1-luis.p.mendes@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/gasket/gasket_sysfs.c |    3 +--
+ drivers/staging/gasket/gasket_sysfs.h |    4 ----
+ 2 files changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/staging/gasket/gasket_sysfs.c
++++ b/drivers/staging/gasket/gasket_sysfs.c
+@@ -228,8 +228,7 @@ int gasket_sysfs_create_entries(struct d
+       }
+       mutex_lock(&mapping->mutex);
+-      for (i = 0; strcmp(attrs[i].attr.attr.name, GASKET_ARRAY_END_MARKER);
+-              i++) {
++      for (i = 0; attrs[i].attr.attr.name != NULL; i++) {
+               if (mapping->attribute_count == GASKET_SYSFS_MAX_NODES) {
+                       dev_err(device,
+                               "Maximum number of sysfs nodes reached for device\n");
+--- a/drivers/staging/gasket/gasket_sysfs.h
++++ b/drivers/staging/gasket/gasket_sysfs.h
+@@ -30,10 +30,6 @@
+  */
+ #define GASKET_SYSFS_MAX_NODES 196
+-/* End markers for sysfs struct arrays. */
+-#define GASKET_ARRAY_END_TOKEN GASKET_RESERVED_ARRAY_END
+-#define GASKET_ARRAY_END_MARKER __stringify(GASKET_ARRAY_END_TOKEN)
+-
+ /*
+  * Terminator struct for a gasket_sysfs_attr array. Must be at the end of
+  * all gasket_sysfs_attribute arrays.
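Review bot: The rewritten loop condition `for (i = 0; attrs[i].attr.attr.name != NULL; i++)` makes a NULL attribute name the only thing that stops the walk, so an attrs[] array that is not closed with the terminator struct described at the end of gasket_sysfs.h is read past its end with no other bound; the GASKET_SYSFS_MAX_NODES test inside the loop bounds the mapping table, not attrs[]. I would say so at the loop: `/* attrs[] must end with the terminator struct (NULL name); nothing else bounds this walk */`. With GASKET_ARRAY_END_TOKEN/MARKER removed from the header, any other user of those macros in the driver would now fail to build; the diffstat touches only these two files, so presumably there are none, but it is worth a grep before backporting.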
diff --git a/queue-5.4/sunrpc-fix-backchannel-rpc-soft-lockups.patch b/queue-5.4/sunrpc-fix-backchannel-rpc-soft-lockups.patch
new file mode 100644 (file)
index 0000000..d74ae45
--- /dev/null
@@ -0,0 +1,92 @@
+From 6221f1d9b63fed6260273e59a2b89ab30537a811 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri, 17 Apr 2020 12:40:31 -0400
+Subject: SUNRPC: Fix backchannel RPC soft lockups
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 6221f1d9b63fed6260273e59a2b89ab30537a811 upstream.
+
+Currently, after the forward channel connection goes away,
+backchannel operations are causing soft lockups on the server
+because call_transmit_status's SOFTCONN logic ignores ENOTCONN.
+Such backchannel Calls are aggressively retried until the client
+reconnects.
+
+Backchannel Calls should use RPC_TASK_NOCONNECT rather than
+RPC_TASK_SOFTCONN. If there is no forward connection, the server is
+not capable of establishing a connection back to the client, thus
+that backchannel request should fail before the server attempts to
+send it. Commit 58255a4e3ce5 ("NFSD: NFSv4 callback client should
+use RPC_TASK_SOFTCONN") was merged several years before
+RPC_TASK_NOCONNECT was available.
+
+Because setup_callback_client() explicitly sets NOPING, the NFSv4.0
+callback connection depends on the first callback RPC to initiate
+a connection to the client. Thus NFSv4.0 needs to continue to use
+RPC_TASK_SOFTCONN.
+
+Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: <stable@vger.kernel.org> # v4.20+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4callback.c                     |    4 +++-
+ net/sunrpc/svc_xprt.c                      |    2 ++
+ net/sunrpc/xprtrdma/svc_rdma_backchannel.c |    2 ++
+ net/sunrpc/xprtsock.c                      |    1 +
+ 4 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -1241,6 +1241,7 @@ nfsd4_run_cb_work(struct work_struct *wo
+               container_of(work, struct nfsd4_callback, cb_work);
+       struct nfs4_client *clp = cb->cb_clp;
+       struct rpc_clnt *clnt;
++      int flags;
+       if (cb->cb_need_restart) {
+               cb->cb_need_restart = false;
+@@ -1269,7 +1270,8 @@ nfsd4_run_cb_work(struct work_struct *wo
+       }
+       cb->cb_msg.rpc_cred = clp->cl_cb_cred;
+-      rpc_call_async(clnt, &cb->cb_msg, RPC_TASK_SOFT | RPC_TASK_SOFTCONN,
++      flags = clp->cl_minorversion ? RPC_TASK_NOCONNECT : RPC_TASK_SOFTCONN;
++      rpc_call_async(clnt, &cb->cb_msg, RPC_TASK_SOFT | flags,
+                       cb->cb_ops ? &nfsd4_cb_ops : &nfsd4_cb_probe_ops, cb);
+ }
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -1028,6 +1028,8 @@ static void svc_delete_xprt(struct svc_x
+       dprintk("svc: svc_delete_xprt(%p)\n", xprt);
+       xprt->xpt_ops->xpo_detach(xprt);
++      if (xprt->xpt_bc_xprt)
++              xprt->xpt_bc_xprt->ops->close(xprt->xpt_bc_xprt);
+       spin_lock_bh(&serv->sv_lock);
+       list_del_init(&xprt->xpt_list);
+--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
+@@ -242,6 +242,8 @@ static void
+ xprt_rdma_bc_close(struct rpc_xprt *xprt)
+ {
+       dprintk("svcrdma: %s: xprt %p\n", __func__, xprt);
++
++      xprt_disconnect_done(xprt);
+       xprt->cwnd = RPC_CWNDSHIFT;
+ }
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2714,6 +2714,7 @@ static int bc_send_request(struct rpc_rq
+ static void bc_close(struct rpc_xprt *xprt)
+ {
++      xprt_disconnect_done(xprt);
+ }
+ /*
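Review bot: The line `flags = clp->cl_minorversion ? RPC_TASK_NOCONNECT : RPC_TASK_SOFTCONN;` in nfsd4_run_cb_work() encodes a rationale that lives only in the commit message (the NFSv4.0 callback client is created with NOPING, so its first RPC is what establishes the connection), and a later reader will not know why v4.0 is exempt from NOCONNECT. I would put it above that line: `/* NFSv4.0: callback client uses NOPING, so the first call must be allowed to connect. v4.1+: the backchannel rides the forward connection and must fail fast once it is gone. */`. Separately, the new `xprt->xpt_bc_xprt->ops->close(xprt->xpt_bc_xprt)` in svc_delete_xprt() runs before the xprt is unlinked under sv_lock; whether xpt_bc_xprt can be cleared or freed concurrently at that point is not visible in this hunk and is worth confirming.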
diff --git a/queue-5.4/tools-vm-fix-cross-compile-build.patch b/queue-5.4/tools-vm-fix-cross-compile-build.patch
new file mode 100644 (file)
index 0000000..a9dbc83
--- /dev/null
@@ -0,0 +1,40 @@
+From cf01699ee220c38099eb3e43ce3d10690c8b7060 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Mon, 20 Apr 2020 18:14:23 -0700
+Subject: tools/vm: fix cross-compile build
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit cf01699ee220c38099eb3e43ce3d10690c8b7060 upstream.
+
+Commit 7ed1c1901fe5 ("tools: fix cross-compile var clobbering") moved
+the setup of the CC variable to tools/scripts/Makefile.include to make
+the behavior consistent across all the tools Makefiles.
+
+As the vm tools missed the include we end up with the wrong CC in a
+cross-compiling evironment.
+
+Fixes: 7ed1c1901fe5 (tools: fix cross-compile var clobbering)
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Martin Kelly <martin@martingkelly.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200416104748.25243-1-l.stach@pengutronix.de
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/vm/Makefile |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/vm/Makefile
++++ b/tools/vm/Makefile
+@@ -1,6 +1,8 @@
+ # SPDX-License-Identifier: GPL-2.0
+ # Makefile for vm tools
+ #
++include ../scripts/Makefile.include
++
+ TARGETS=page-types slabinfo page_owner_sort
+ LIB_DIR = ../lib/api
diff --git a/queue-5.4/tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch b/queue-5.4/tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch
new file mode 100644 (file)
index 0000000..1872b77
--- /dev/null
@@ -0,0 +1,37 @@
+From 29cb79795e324a8b65e7891d76f8f6ca911ba440 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Tue, 14 Apr 2020 19:42:26 +0800
+Subject: tpm: fix wrong return value in tpm_pcr_extend
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+commit 29cb79795e324a8b65e7891d76f8f6ca911ba440 upstream.
+
+For the algorithm that does not match the bank, a positive
+value EINVAL is returned here. I think this is a typo error.
+It is necessary to return an error value.
+
+Cc: stable@vger.kernel.org # 5.4.x
+Fixes: 9f75c8224631 ("KEYS: trusted: correctly initialize digests and fix locking issue")
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-interface.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -322,7 +322,7 @@ int tpm_pcr_extend(struct tpm_chip *chip
+       for (i = 0; i < chip->nr_allocated_banks; i++) {
+               if (digests[i].alg_id != chip->allocated_banks[i].alg_id) {
+-                      rc = EINVAL;
++                      rc = -EINVAL;
+                       goto out;
+               }
+       }
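Review bot: Beyond the sign fix, the check `digests[i].alg_id != chip->allocated_banks[i].alg_id` compares element-for-element, so the caller must supply digests[] in exactly the order of chip->allocated_banks[] and with at least nr_allocated_banks entries; neither requirement is stated near the loop (the function header is above the hunk). I would add `/* digests[] must match chip->allocated_banks[] one-to-one, in the same order */` above the for. The backport is worth more than a cosmetic fix: with the old positive EINVAL, any caller testing `rc < 0` would have treated a bank mismatch as a successful extend, which matters for anything that relies on PCR state.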
diff --git a/queue-5.4/tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch b/queue-5.4/tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch
new file mode 100644 (file)
index 0000000..9d67b7b
--- /dev/null
@@ -0,0 +1,219 @@
+From eba5cf3dcb844c82f54d4a857e124824e252206d Mon Sep 17 00:00:00 2001
+From: George Wilson <gcwilson@linux.ibm.com>
+Date: Thu, 19 Mar 2020 23:27:58 -0400
+Subject: tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send()
+
+From: George Wilson <gcwilson@linux.ibm.com>
+
+commit eba5cf3dcb844c82f54d4a857e124824e252206d upstream.
+
+tpm_ibmvtpm_send() can fail during PowerVM Live Partition Mobility resume
+with an H_CLOSED return from ibmvtpm_send_crq().  The PAPR says, 'The
+"partner partition suspended" transport event disables the associated CRQ
+such that any H_SEND_CRQ hcall() to the associated CRQ returns H_Closed
+until the CRQ has been explicitly enabled using the H_ENABLE_CRQ hcall.'
+This patch adds a check in tpm_ibmvtpm_send() for an H_CLOSED return from
+ibmvtpm_send_crq() and in that case calls tpm_ibmvtpm_resume() and
+retries the ibmvtpm_send_crq() once.
+
+Cc: stable@vger.kernel.org # 3.7.x
+Fixes: 132f76294744 ("drivers/char/tpm: Add new device driver to support IBM vTPM")
+Reported-by: Linh Pham <phaml@us.ibm.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: George Wilson <gcwilson@linux.ibm.com>
+Tested-by: Linh Pham <phaml@us.ibm.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_ibmvtpm.c |  136 ++++++++++++++++++++++-------------------
+ 1 file changed, 73 insertions(+), 63 deletions(-)
+
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+- * Copyright (C) 2012 IBM Corporation
++ * Copyright (C) 2012-2020 IBM Corporation
+  *
+  * Author: Ashley Lai <ashleydlai@gmail.com>
+  *
+@@ -134,6 +134,64 @@ static int tpm_ibmvtpm_recv(struct tpm_c
+ }
+ /**
++ * ibmvtpm_crq_send_init - Send a CRQ initialize message
++ * @ibmvtpm:  vtpm device struct
++ *
++ * Return:
++ *    0 on success.
++ *    Non-zero on failure.
++ */
++static int ibmvtpm_crq_send_init(struct ibmvtpm_dev *ibmvtpm)
++{
++      int rc;
++
++      rc = ibmvtpm_send_crq_word(ibmvtpm->vdev, INIT_CRQ_CMD);
++      if (rc != H_SUCCESS)
++              dev_err(ibmvtpm->dev,
++                      "%s failed rc=%d\n", __func__, rc);
++
++      return rc;
++}
++
++/**
++ * tpm_ibmvtpm_resume - Resume from suspend
++ *
++ * @dev:      device struct
++ *
++ * Return: Always 0.
++ */
++static int tpm_ibmvtpm_resume(struct device *dev)
++{
++      struct tpm_chip *chip = dev_get_drvdata(dev);
++      struct ibmvtpm_dev *ibmvtpm = dev_get_drvdata(&chip->dev);
++      int rc = 0;
++
++      do {
++              if (rc)
++                      msleep(100);
++              rc = plpar_hcall_norets(H_ENABLE_CRQ,
++                                      ibmvtpm->vdev->unit_address);
++      } while (rc == H_IN_PROGRESS || rc == H_BUSY || H_IS_LONG_BUSY(rc));
++
++      if (rc) {
++              dev_err(dev, "Error enabling ibmvtpm rc=%d\n", rc);
++              return rc;
++      }
++
++      rc = vio_enable_interrupts(ibmvtpm->vdev);
++      if (rc) {
++              dev_err(dev, "Error vio_enable_interrupts rc=%d\n", rc);
++              return rc;
++      }
++
++      rc = ibmvtpm_crq_send_init(ibmvtpm);
++      if (rc)
++              dev_err(dev, "Error send_init rc=%d\n", rc);
++
++      return rc;
++}
++
++/**
+  * tpm_ibmvtpm_send() - Send a TPM command
+  * @chip:     tpm chip struct
+  * @buf:      buffer contains data to send
+@@ -146,6 +204,7 @@ static int tpm_ibmvtpm_recv(struct tpm_c
+ static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count)
+ {
+       struct ibmvtpm_dev *ibmvtpm = dev_get_drvdata(&chip->dev);
++      bool retry = true;
+       int rc, sig;
+       if (!ibmvtpm->rtce_buf) {
+@@ -179,18 +238,27 @@ static int tpm_ibmvtpm_send(struct tpm_c
+        */
+       ibmvtpm->tpm_processing_cmd = true;
++again:
+       rc = ibmvtpm_send_crq(ibmvtpm->vdev,
+                       IBMVTPM_VALID_CMD, VTPM_TPM_COMMAND,
+                       count, ibmvtpm->rtce_dma_handle);
+       if (rc != H_SUCCESS) {
++              /*
++               * H_CLOSED can be returned after LPM resume.  Call
++               * tpm_ibmvtpm_resume() to re-enable the CRQ then retry
++               * ibmvtpm_send_crq() once before failing.
++               */
++              if (rc == H_CLOSED && retry) {
++                      tpm_ibmvtpm_resume(ibmvtpm->dev);
++                      retry = false;
++                      goto again;
++              }
+               dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc);
+-              rc = 0;
+               ibmvtpm->tpm_processing_cmd = false;
+-      } else
+-              rc = 0;
++      }
+       spin_unlock(&ibmvtpm->rtce_lock);
+-      return rc;
++      return 0;
+ }
+ static void tpm_ibmvtpm_cancel(struct tpm_chip *chip)
+@@ -269,26 +337,6 @@ static int ibmvtpm_crq_send_init_complet
+ }
+ /**
+- * ibmvtpm_crq_send_init - Send a CRQ initialize message
+- * @ibmvtpm:  vtpm device struct
+- *
+- * Return:
+- *    0 on success.
+- *    Non-zero on failure.
+- */
+-static int ibmvtpm_crq_send_init(struct ibmvtpm_dev *ibmvtpm)
+-{
+-      int rc;
+-
+-      rc = ibmvtpm_send_crq_word(ibmvtpm->vdev, INIT_CRQ_CMD);
+-      if (rc != H_SUCCESS)
+-              dev_err(ibmvtpm->dev,
+-                      "ibmvtpm_crq_send_init failed rc=%d\n", rc);
+-
+-      return rc;
+-}
+-
+-/**
+  * tpm_ibmvtpm_remove - ibm vtpm remove entry point
+  * @vdev:     vio device struct
+  *
+@@ -400,44 +448,6 @@ static int ibmvtpm_reset_crq(struct ibmv
+                                 ibmvtpm->crq_dma_handle, CRQ_RES_BUF_SIZE);
+ }
+-/**
+- * tpm_ibmvtpm_resume - Resume from suspend
+- *
+- * @dev:      device struct
+- *
+- * Return: Always 0.
+- */
+-static int tpm_ibmvtpm_resume(struct device *dev)
+-{
+-      struct tpm_chip *chip = dev_get_drvdata(dev);
+-      struct ibmvtpm_dev *ibmvtpm = dev_get_drvdata(&chip->dev);
+-      int rc = 0;
+-
+-      do {
+-              if (rc)
+-                      msleep(100);
+-              rc = plpar_hcall_norets(H_ENABLE_CRQ,
+-                                      ibmvtpm->vdev->unit_address);
+-      } while (rc == H_IN_PROGRESS || rc == H_BUSY || H_IS_LONG_BUSY(rc));
+-
+-      if (rc) {
+-              dev_err(dev, "Error enabling ibmvtpm rc=%d\n", rc);
+-              return rc;
+-      }
+-
+-      rc = vio_enable_interrupts(ibmvtpm->vdev);
+-      if (rc) {
+-              dev_err(dev, "Error vio_enable_interrupts rc=%d\n", rc);
+-              return rc;
+-      }
+-
+-      rc = ibmvtpm_crq_send_init(ibmvtpm);
+-      if (rc)
+-              dev_err(dev, "Error send_init rc=%d\n", rc);
+-
+-      return rc;
+-}
+-
+ static bool tpm_ibmvtpm_req_canceled(struct tpm_chip *chip, u8 status)
+ {
+       return (status == 0);
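Review bot: In the new retry path the result of `tpm_ibmvtpm_resume(ibmvtpm->dev)` is discarded, so if H_ENABLE_CRQ, vio_enable_interrupts() or the CRQ init fails the send is retried anyway and the only diagnostic is the generic "tpm_ibmvtpm_send failed" message, while the function still returns 0 to the TPM core as before. I would gate the retry on it: `retry = false; if (!tpm_ibmvtpm_resume(ibmvtpm->dev)) goto again;`. More seriously, tpm_ibmvtpm_resume() can `msleep(100)` in its H_BUSY/H_IN_PROGRESS loop, and the `spin_unlock(&ibmvtpm->rtce_lock)` at the end of tpm_ibmvtpm_send() shows the retry runs with that spinlock held (the matching spin_lock is above the hunk), so a busy hypervisor on this path would sleep in atomic context; either the lock needs dropping around the resume call, with a check that rtce_buf is not touched concurrently, or the retry should use a non-sleeping enable. The unconditional `return 0;` on failure is pre-existing, but now that a retry exists a comment explaining how the core presumably learns of failure (tpm_processing_cmd being cleared) would help.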
diff --git a/queue-5.4/tpm-tpm_tis-free-irq-if-probing-fails.patch b/queue-5.4/tpm-tpm_tis-free-irq-if-probing-fails.patch
new file mode 100644 (file)
index 0000000..a6c8506
--- /dev/null
@@ -0,0 +1,48 @@
+From b160c94be5d2816b62c8ac338605668304242959 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Date: Sun, 12 Apr 2020 20:04:12 +0300
+Subject: tpm/tpm_tis: Free IRQ if probing fails
+
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+
+commit b160c94be5d2816b62c8ac338605668304242959 upstream.
+
+Call disable_interrupts() if we have to revert to polling in order not to
+unnecessarily reserve the IRQ for the life-cycle of the driver.
+
+Cc: stable@vger.kernel.org # 4.5.x
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Fixes: e3837e74a06d ("tpm_tis: Refactor the interrupt setup")
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_tis_core.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -433,6 +433,9 @@ static void disable_interrupts(struct tp
+       u32 intmask;
+       int rc;
++      if (priv->irq == 0)
++              return;
++
+       rc = tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask);
+       if (rc < 0)
+               intmask = 0;
+@@ -983,9 +986,12 @@ int tpm_tis_core_init(struct device *dev
+               if (irq) {
+                       tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED,
+                                                irq);
+-                      if (!(chip->flags & TPM_CHIP_FLAG_IRQ))
++                      if (!(chip->flags & TPM_CHIP_FLAG_IRQ)) {
+                               dev_err(&chip->dev, FW_BUG
+                                       "TPM interrupt not working, polling instead\n");
++
++                              disable_interrupts(chip);
++                      }
+               } else {
+                       tpm_tis_probe_irq(chip, intmask);
+               }
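Review bot: The new `if (priv->irq == 0) return;` guard makes disable_interrupts() a no-op for the pure-polling case, so the fix in tpm_tis_core_init() only frees anything if tpm_tis_probe_irq_single() leaves priv->irq set when TPM_CHIP_FLAG_IRQ does not get set; that function is outside the hunk, so the coupling deserves a comment at the new call: `/* probe left priv->irq set but the line never fired: release it */`. The early return also skips the TPM_INT_ENABLE read/write that follows, so if probing wrote interrupt-enable bits to the device before deciding on irq == 0 they would stay set; the rest of disable_interrupts() is not visible here, so this is worth confirming rather than a definite defect.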
diff --git a/queue-5.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch b/queue-5.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
new file mode 100644 (file)
index 0000000..4e649c7
--- /dev/null
@@ -0,0 +1,126 @@
+From 9a9fc42b86c06120744555fea43fdcabe297c656 Mon Sep 17 00:00:00 2001
+From: Andrew Melnychenko <andrew@daynix.com>
+Date: Tue, 14 Apr 2020 22:15:03 +0300
+Subject: tty: hvc: fix buffer overflow during hvc_alloc().
+
+From: Andrew Melnychenko <andrew@daynix.com>
+
+commit 9a9fc42b86c06120744555fea43fdcabe297c656 upstream.
+
+If there is a lot(more then 16) of virtio-console devices
+or virtio_console module is reloaded
+- buffers 'vtermnos' and 'cons_ops' are overflowed.
+In older kernels it overruns spinlock which leads to kernel freezing:
+https://bugzilla.redhat.com/show_bug.cgi?id=1786239
+
+To reproduce the issue, you can try simple script that
+loads/unloads module. Something like this:
+while [ 1 ]
+do
+  modprobe virtio_console
+  sleep 2
+  modprobe -r virtio_console
+  sleep 2
+done
+
+Description of problem:
+Guest get 'Call Trace' when loading module "virtio_console"
+and unloading it frequently - clearly reproduced on kernel-4.18.0:
+
+[   81.498208] ------------[ cut here ]------------
+[   81.499263] pvqspinlock: lock 0xffffffff92080020 has corrupted value 0xc0774ca0!
+[   81.501000] WARNING: CPU: 0 PID: 785 at kernel/locking/qspinlock_paravirt.h:500 __pv_queued_spin_unlock_slowpath+0xc0/0xd0
+[   81.503173] Modules linked in: virtio_console fuse xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nft_counter nf_nat_tftp nft_objref nf_conntrack_tftp tun bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nft_chain_route_ipv6 nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nft_chain_route_ipv4 ip6_tables nft_compat ip_set nf_tables nfnetlink sunrpc bochs_drm drm_vram_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm i2c_piix4 pcspkr crct10dif_pclmul crc32_pclmul joydev ghash_clmulni_intel ip_tables xfs libcrc32c sd_mod sg ata_generic ata_piix virtio_net libata crc32c_intel net_failover failover serio_raw virtio_scsi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: virtio_console]
+[   81.517019] CPU: 0 PID: 785 Comm: kworker/0:2 Kdump: loaded Not tainted 4.18.0-167.el8.x86_64 #1
+[   81.518639] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014
+[   81.520205] Workqueue: events control_work_handler [virtio_console]
+[   81.521354] RIP: 0010:__pv_queued_spin_unlock_slowpath+0xc0/0xd0
+[   81.522450] Code: 07 00 48 63 7a 10 e8 bf 64 f5 ff 66 90 c3 8b 05 e6 cf d6 01 85 c0 74 01 c3 8b 17 48 89 fe 48 c7 c7 38 4b 29 91 e8 3a 6c fa ff <0f> 0b c3 0f 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48
+[   81.525830] RSP: 0018:ffffb51a01ffbd70 EFLAGS: 00010282
+[   81.526798] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000
+[   81.528110] RDX: ffff9e66f1826480 RSI: ffff9e66f1816a08 RDI: ffff9e66f1816a08
+[   81.529437] RBP: ffffffff9153ff10 R08: 000000000000026c R09: 0000000000000053
+[   81.530732] R10: 0000000000000000 R11: ffffb51a01ffbc18 R12: ffff9e66cd682200
+[   81.532133] R13: ffffffff9153ff10 R14: ffff9e6685569500 R15: ffff9e66cd682000
+[   81.533442] FS:  0000000000000000(0000) GS:ffff9e66f1800000(0000) knlGS:0000000000000000
+[   81.534914] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   81.535971] CR2: 00005624c55b14d0 CR3: 00000003a023c000 CR4: 00000000003406f0
+[   81.537283] Call Trace:
+[   81.537763]  __raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x20
+[   81.539011]  .slowpath+0x9/0xe
+[   81.539585]  hvc_alloc+0x25e/0x300
+[   81.540237]  init_port_console+0x28/0x100 [virtio_console]
+[   81.541251]  handle_control_message.constprop.27+0x1c4/0x310 [virtio_console]
+[   81.542546]  control_work_handler+0x70/0x10c [virtio_console]
+[   81.543601]  process_one_work+0x1a7/0x3b0
+[   81.544356]  worker_thread+0x30/0x390
+[   81.545025]  ? create_worker+0x1a0/0x1a0
+[   81.545749]  kthread+0x112/0x130
+[   81.546358]  ? kthread_flush_work_fn+0x10/0x10
+[   81.547183]  ret_from_fork+0x22/0x40
+[   81.547842] ---[ end trace aa97649bd16c8655 ]---
+[   83.546539] general protection fault: 0000 [#1] SMP NOPTI
+[   83.547422] CPU: 5 PID: 3225 Comm: modprobe Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-167.el8.x86_64 #1
+[   83.549191] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014
+[   83.550544] RIP: 0010:__pv_queued_spin_lock_slowpath+0x19a/0x2a0
+[   83.551504] Code: c4 c1 ea 12 41 be 01 00 00 00 4c 8d 6d 14 41 83 e4 03 8d 42 ff 49 c1 e4 05 48 98 49 81 c4 40 a5 02 00 4c 03 24 c5 60 48 34 91 <49> 89 2c 24 b8 00 80 00 00 eb 15 84 c0 75 0a 41 0f b6 54 24 14 84
+[   83.554449] RSP: 0018:ffffb51a0323fdb0 EFLAGS: 00010202
+[   83.555290] RAX: 000000000000301c RBX: ffffffff92080020 RCX: 0000000000000001
+[   83.556426] RDX: 000000000000301d RSI: 0000000000000000 RDI: 0000000000000000
+[   83.557556] RBP: ffff9e66f196a540 R08: 000000000000028a R09: ffff9e66d2757788
+[   83.558688] R10: 0000000000000000 R11: 0000000000000000 R12: 646e61725f770b07
+[   83.559821] R13: ffff9e66f196a554 R14: 0000000000000001 R15: 0000000000180000
+[   83.560958] FS:  00007fd5032e8740(0000) GS:ffff9e66f1940000(0000) knlGS:0000000000000000
+[   83.562233] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   83.563149] CR2: 00007fd5022b0da0 CR3: 000000038c334000 CR4: 00000000003406e0
+
+Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200414191503.3471783-1-andrew@daynix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/hvc/hvc_console.c |   23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/hvc/hvc_console.c
++++ b/drivers/tty/hvc/hvc_console.c
+@@ -302,10 +302,6 @@ int hvc_instantiate(uint32_t vtermno, in
+       vtermnos[index] = vtermno;
+       cons_ops[index] = ops;
+-      /* reserve all indices up to and including this index */
+-      if (last_hvc < index)
+-              last_hvc = index;
+-
+       /* check if we need to re-register the kernel console */
+       hvc_check_console(index);
+@@ -960,13 +956,22 @@ struct hvc_struct *hvc_alloc(uint32_t vt
+                   cons_ops[i] == hp->ops)
+                       break;
+-      /* no matching slot, just use a counter */
+-      if (i >= MAX_NR_HVC_CONSOLES)
+-              i = ++last_hvc;
++      if (i >= MAX_NR_HVC_CONSOLES) {
++
++              /* find 'empty' slot for console */
++              for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) {
++              }
++
++              /* no matching slot, just use a counter */
++              if (i == MAX_NR_HVC_CONSOLES)
++                      i = ++last_hvc + MAX_NR_HVC_CONSOLES;
++      }
+       hp->index = i;
+-      cons_ops[i] = ops;
+-      vtermnos[i] = vtermno;
++      if (i < MAX_NR_HVC_CONSOLES) {
++              cons_ops[i] = ops;
++              vtermnos[i] = vtermno;
++      }
+       list_add_tail(&(hp->next), &hvc_structs);
+       mutex_unlock(&hvc_structs_mutex);
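Review bot: `i = ++last_hvc + MAX_NR_HVC_CONSOLES;` deliberately hands out an index outside vtermnos[]/cons_ops[], and the `if (i < MAX_NR_HVC_CONSOLES)` guard stops the write, but the retained "/* no matching slot, just use a counter */" comment no longer explains that, and nothing here states that hp->index may now exceed MAX_NR_HVC_CONSOLES; every other reader of hp->index that indexes those arrays (not visible in this hunk) needs the same bound check. I would replace the comment with `/* All console slots are in use: give out an index past the arrays so it cannot alias a slot; cons_ops/vtermnos are not updated for it. */`. Since hvc_instantiate() no longer advances last_hvc, the empty-slot scan is the only thing that keeps hvc_alloc() from reusing a slot reserved by hvc_instantiate(); that relies on vtermnos[] being reset to -1 when a console is removed, which is worth confirming against hvc_remove().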
diff --git a/queue-5.4/tty-rocket-avoid-oob-access.patch b/queue-5.4/tty-rocket-avoid-oob-access.patch
new file mode 100644 (file)
index 0000000..a5422dd
--- /dev/null
@@ -0,0 +1,72 @@
+From 7127d24372bf23675a36edc64d092dc7fd92ebe8 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 17 Apr 2020 12:59:59 +0200
+Subject: tty: rocket, avoid OOB access
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 7127d24372bf23675a36edc64d092dc7fd92ebe8 upstream.
+
+init_r_port can access pc104 array out of bounds. pc104 is a 2D array
+defined to have 4 members. Each member has 8 submembers.
+* we can have more than 4 (PCI) boards, i.e. [board] can be OOB
+* line is not modulo-ed by anything, so the first line on the second
+  board can be 4, on the 3rd 12 or alike (depending on previously
+  registered boards). It's zero only on the first line of the first
+  board. So even [line] can be OOB, quite soon (with the 2nd registered
+  board already).
+
+This code is broken for ages, so just avoid the OOB accesses and don't
+try to fix it as we would need to find out the correct line number. Use
+the default: RS232, if we are out.
+
+Generally, if anyone needs to set the interface types, a module parameter
+is past the last thing that should be used for this purpose. The
+parameters' description says it's for ISA cards anyway.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/20200417105959.15201-2-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/rocket.c |   25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+--- a/drivers/tty/rocket.c
++++ b/drivers/tty/rocket.c
+@@ -632,18 +632,21 @@ init_r_port(int board, int aiop, int cha
+       tty_port_init(&info->port);
+       info->port.ops = &rocket_port_ops;
+       info->flags &= ~ROCKET_MODE_MASK;
+-      switch (pc104[board][line]) {
+-      case 422:
+-              info->flags |= ROCKET_MODE_RS422;
+-              break;
+-      case 485:
+-              info->flags |= ROCKET_MODE_RS485;
+-              break;
+-      case 232:
+-      default:
++      if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1))
++              switch (pc104[board][line]) {
++              case 422:
++                      info->flags |= ROCKET_MODE_RS422;
++                      break;
++              case 485:
++                      info->flags |= ROCKET_MODE_RS485;
++                      break;
++              case 232:
++              default:
++                      info->flags |= ROCKET_MODE_RS232;
++                      break;
++              }
++      else
+               info->flags |= ROCKET_MODE_RS232;
+-              break;
+-      }
+       info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR;
+       if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) {
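Review bot: The row bound in the new guard is taken from `pc104_1` rather than from the row actually indexed, so the check is only correct while every row of `pc104` is exactly as long as `pc104_1`; the description says each of the four members has 8 entries, so that holds today, but nothing in the code records the coupling. A comment on the guard such as `/* every pc104 row has ARRAY_SIZE(pc104_1) entries; board/line beyond the table fall back to RS232 */` would make the invariant visible to whoever next edits those tables. `board` and `line` are `int` compared against the `size_t` that ARRAY_SIZE yields, so a negative value converts to a large unsigned and is rejected by `<`, which is safe for the OOB purpose but will trip -Wsign-compare and deserves a word in that comment. Kernel style also asks for braces on both arms when one arm spans several lines, so the `else` arm should be `} else {` / `info->flags |= ROCKET_MODE_RS232;` / `}`. init_r_port's body continues outside the hunk.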
diff --git a/queue-5.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch b/queue-5.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
new file mode 100644 (file)
index 0000000..25c7f6d
--- /dev/null
@@ -0,0 +1,47 @@
+From 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 22 Apr 2020 16:14:57 -0400
+Subject: usb-storage: Add unusual_devs entry for JMicron JMS566
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b upstream.
+
+Cyril Roelandt reports that his JMicron JMS566 USB-SATA bridge fails
+to handle WRITE commands with the FUA bit set, even though it claims
+to support FUA.  (Oddly enough, a later version of the same bridge,
+version 2.03 as opposed to 1.14, doesn't claim to support FUA.  Also
+oddly, the bridge _does_ support FUA when using the UAS transport
+instead of the Bulk-Only transport -- but this device was blacklisted
+for uas in commit bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron
+SATA enclosure") for apparently unrelated reasons.)
+
+This patch adds a usb-storage unusual_devs entry with the BROKEN_FUA
+flag.  This allows the bridge to work properly with usb-storage.
+
+Reported-and-tested-by: Cyril Roelandt <tipecaml@gmail.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2004221613110.11262-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2323,6 +2323,13 @@ UNUSUAL_DEV(  0x3340, 0xffff, 0x0000, 0x
+               USB_SC_DEVICE,USB_PR_DEVICE,NULL,
+               US_FL_MAX_SECTORS_64 ),
++/* Reported by Cyril Roelandt <tipecaml@gmail.com> */
++UNUSUAL_DEV(  0x357d, 0x7788, 0x0114, 0x0114,
++              "JMicron",
++              "USB to ATA/ATAPI Bridge",
++              USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++              US_FL_BROKEN_FUA ),
++
+ /* Reported by Andrey Rahmatullin <wrar@altlinux.org> */
+ UNUSUAL_DEV(  0x4102, 0x1020, 0x0100,  0x0100,
+               "iRiver",
diff --git a/queue-5.4/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch b/queue-5.4/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch
new file mode 100644 (file)
index 0000000..1bd895d
--- /dev/null
@@ -0,0 +1,165 @@
+From bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 20 Apr 2020 18:14:11 -0700
+Subject: vmalloc: fix remap_vmalloc_range() bounds checks
+
+From: Jann Horn <jannh@google.com>
+
+commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream.
+
+remap_vmalloc_range() has had various issues with the bounds checks it
+promises to perform ("This function checks that addr is a valid
+vmalloc'ed area, and that it is big enough to cover the vma") over time,
+e.g.:
+
+ - not detecting pgoff<<PAGE_SHIFT overflow
+
+ - not detecting (pgoff<<PAGE_SHIFT)+usize overflow
+
+ - not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same
+   vmalloc allocation
+
+ - comparing a potentially wildly out-of-bounds pointer with the end of
+   the vmalloc region
+
+In particular, since commit fc9702273e2e ("bpf: Add mmap() support for
+BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer
+dereferences by calling mmap() on a BPF map with a size that is bigger
+than the distance from the start of the BPF map to the end of the
+address space.
+
+This could theoretically be used as a kernel ASLR bypass, by using
+whether mmap() with a given offset oopses or returns an error code to
+perform a binary search over the possible address range.
+
+To allow remap_vmalloc_range_partial() to verify that addr and
+addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset
+to remap_vmalloc_range_partial() instead of adding it to the pointer in
+remap_vmalloc_range().
+
+In remap_vmalloc_range_partial(), fix the check against
+get_vm_area_size() by using size comparisons instead of pointer
+comparisons, and add checks for pgoff.
+
+Fixes: 833423143c3a ("[PATCH] mm: introduce remap_vmalloc_range()")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: KP Singh <kpsingh@chromium.org>
+Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/vmcore.c         |    5 +++--
+ include/linux/vmalloc.h  |    2 +-
+ mm/vmalloc.c             |   16 +++++++++++++---
+ samples/vfio-mdev/mdpy.c |    2 +-
+ 4 files changed, 18 insertions(+), 7 deletions(-)
+
+--- a/fs/proc/vmcore.c
++++ b/fs/proc/vmcore.c
+@@ -266,7 +266,8 @@ static int vmcoredd_mmap_dumps(struct vm
+               if (start < offset + dump->size) {
+                       tsz = min(offset + (u64)dump->size - start, (u64)size);
+                       buf = dump->buf + start - offset;
+-                      if (remap_vmalloc_range_partial(vma, dst, buf, tsz)) {
++                      if (remap_vmalloc_range_partial(vma, dst, buf, 0,
++                                                      tsz)) {
+                               ret = -EFAULT;
+                               goto out_unlock;
+                       }
+@@ -624,7 +625,7 @@ static int mmap_vmcore(struct file *file
+               tsz = min(elfcorebuf_sz + elfnotes_sz - (size_t)start, size);
+               kaddr = elfnotes_buf + start - elfcorebuf_sz - vmcoredd_orig_sz;
+               if (remap_vmalloc_range_partial(vma, vma->vm_start + len,
+-                                              kaddr, tsz))
++                                              kaddr, 0, tsz))
+                       goto fail;
+               size -= tsz;
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -122,7 +122,7 @@ extern void vunmap(const void *addr);
+ extern int remap_vmalloc_range_partial(struct vm_area_struct *vma,
+                                      unsigned long uaddr, void *kaddr,
+-                                     unsigned long size);
++                                     unsigned long pgoff, unsigned long size);
+ extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
+                                                       unsigned long pgoff);
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -34,6 +34,7 @@
+ #include <linux/llist.h>
+ #include <linux/bitops.h>
+ #include <linux/rbtree_augmented.h>
++#include <linux/overflow.h>
+ #include <linux/uaccess.h>
+ #include <asm/tlbflush.h>
+@@ -2976,6 +2977,7 @@ finished:
+  * @vma:              vma to cover
+  * @uaddr:            target user address to start at
+  * @kaddr:            virtual address of vmalloc kernel memory
++ * @pgoff:            offset from @kaddr to start at
+  * @size:             size of map area
+  *
+  * Returns:   0 for success, -Exxx on failure
+@@ -2988,9 +2990,15 @@ finished:
+  * Similar to remap_pfn_range() (see mm/memory.c)
+  */
+ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
+-                              void *kaddr, unsigned long size)
++                              void *kaddr, unsigned long pgoff,
++                              unsigned long size)
+ {
+       struct vm_struct *area;
++      unsigned long off;
++      unsigned long end_index;
++
++      if (check_shl_overflow(pgoff, PAGE_SHIFT, &off))
++              return -EINVAL;
+       size = PAGE_ALIGN(size);
+@@ -3004,8 +3012,10 @@ int remap_vmalloc_range_partial(struct v
+       if (!(area->flags & (VM_USERMAP | VM_DMA_COHERENT)))
+               return -EINVAL;
+-      if (kaddr + size > area->addr + get_vm_area_size(area))
++      if (check_add_overflow(size, off, &end_index) ||
++          end_index > get_vm_area_size(area))
+               return -EINVAL;
++      kaddr += off;
+       do {
+               struct page *page = vmalloc_to_page(kaddr);
+@@ -3044,7 +3054,7 @@ int remap_vmalloc_range(struct vm_area_s
+                                               unsigned long pgoff)
+ {
+       return remap_vmalloc_range_partial(vma, vma->vm_start,
+-                                         addr + (pgoff << PAGE_SHIFT),
++                                         addr, pgoff,
+                                          vma->vm_end - vma->vm_start);
+ }
+ EXPORT_SYMBOL(remap_vmalloc_range);
+--- a/samples/vfio-mdev/mdpy.c
++++ b/samples/vfio-mdev/mdpy.c
+@@ -418,7 +418,7 @@ static int mdpy_mmap(struct mdev_device
+               return -EINVAL;
+       return remap_vmalloc_range_partial(vma, vma->vm_start,
+-                                         mdev_state->memblk,
++                                         mdev_state->memblk, 0,
+                                          vma->vm_end - vma->vm_start);
+ }