--- /dev/null
+From 10db5bccc390e8e4bd9fcd1fbd4f1b23f271a405 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 13 Apr 2020 10:20:30 +0200
+Subject: ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 10db5bccc390e8e4bd9fcd1fbd4f1b23f271a405 upstream.
+
+freeze_noirq and thaw_noirq need to check the PM availability like
+other PM ops. There are cases where the device got disabled due to
+the error, and the PM operation should be ignored for that.
+
+Fixes: 3e6db33aaf1d ("ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207043
+Link: https://lore.kernel.org/r/20200413082034.25166-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1129,6 +1129,8 @@ static int azx_freeze_noirq(struct devic
+ struct azx *chip = card->private_data;
+ struct pci_dev *pci = to_pci_dev(dev);
+
++ if (!azx_is_pm_ready(card))
++ return 0;
+ if (chip->driver_type == AZX_DRIVER_SKL)
+ pci_set_power_state(pci, PCI_D3hot);
+
+@@ -1141,6 +1143,8 @@ static int azx_thaw_noirq(struct device
+ struct azx *chip = card->private_data;
+ struct pci_dev *pci = to_pci_dev(dev);
+
++ if (!azx_is_pm_ready(card))
++ return 0;
+ if (chip->driver_type == AZX_DRIVER_SKL)
+ pci_set_power_state(pci, PCI_D0);
+
--- /dev/null
+From 4178417cc5359c329790a4a8f4a6604612338cca Mon Sep 17 00:00:00 2001
+From: Luke Nelson <lukenels@cs.washington.edu>
+Date: Thu, 9 Apr 2020 15:17:52 -0700
+Subject: arm, bpf: Fix offset overflow for BPF_MEM BPF_DW
+
+From: Luke Nelson <lukenels@cs.washington.edu>
+
+commit 4178417cc5359c329790a4a8f4a6604612338cca upstream.
+
+This patch fixes an incorrect check in how immediate memory offsets are
+computed for BPF_DW on arm.
+
+For BPF_LDX/ST/STX + BPF_DW, the 32-bit arm JIT breaks down an 8-byte
+access into two separate 4-byte accesses using off+0 and off+4. If off
+fits in imm12, the JIT emits a ldr/str instruction with the immediate
+and avoids the use of a temporary register. While the current check off
+<= 0xfff ensures that the first immediate off+0 doesn't overflow imm12,
+it's not sufficient for the second immediate off+4, which may cause the
+second access of BPF_DW to read/write the wrong address.
+
+This patch fixes the problem by changing the check to
+off <= 0xfff - 4 for BPF_DW, ensuring off+4 will never overflow.
+
+A side effect of simplifying the check is that it now allows using
+negative immediate offsets in ldr/str. This means that small negative
+offsets can also avoid the use of a temporary register.
+
+This patch introduces no new failures in test_verifier or test_bpf.c.
+
+Fixes: c5eae692571d6 ("ARM: net: bpf: improve 64-bit store implementation")
+Fixes: ec19e02b343db ("ARM: net: bpf: fix LDX instructions")
+Co-developed-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20200409221752.28448-1-luke.r.nels@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/net/bpf_jit_32.c | 40 ++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 16 deletions(-)
+
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -993,21 +993,35 @@ static inline void emit_a32_mul_r64(cons
+ arm_bpf_put_reg32(dst_hi, rd[0], ctx);
+ }
+
++static bool is_ldst_imm(s16 off, const u8 size)
++{
++ s16 off_max = 0;
++
++ switch (size) {
++ case BPF_B:
++ case BPF_W:
++ off_max = 0xfff;
++ break;
++ case BPF_H:
++ off_max = 0xff;
++ break;
++ case BPF_DW:
++ /* Need to make sure off+4 does not overflow. */
++ off_max = 0xfff - 4;
++ break;
++ }
++ return -off_max <= off && off <= off_max;
++}
++
+ /* *(size *)(dst + off) = src */
+ static inline void emit_str_r(const s8 dst, const s8 src[],
+- s32 off, struct jit_ctx *ctx, const u8 sz){
++ s16 off, struct jit_ctx *ctx, const u8 sz){
+ const s8 *tmp = bpf2a32[TMP_REG_1];
+- s32 off_max;
+ s8 rd;
+
+ rd = arm_bpf_get_reg32(dst, tmp[1], ctx);
+
+- if (sz == BPF_H)
+- off_max = 0xff;
+- else
+- off_max = 0xfff;
+-
+- if (off < 0 || off > off_max) {
++ if (!is_ldst_imm(off, sz)) {
+ emit_a32_mov_i(tmp[0], off, ctx);
+ emit(ARM_ADD_R(tmp[0], tmp[0], rd), ctx);
+ rd = tmp[0];
+@@ -1036,18 +1050,12 @@ static inline void emit_str_r(const s8 d
+
+ /* dst = *(size*)(src + off) */
+ static inline void emit_ldx_r(const s8 dst[], const s8 src,
+- s32 off, struct jit_ctx *ctx, const u8 sz){
++ s16 off, struct jit_ctx *ctx, const u8 sz){
+ const s8 *tmp = bpf2a32[TMP_REG_1];
+ const s8 *rd = is_stacked(dst_lo) ? tmp : dst;
+ s8 rm = src;
+- s32 off_max;
+-
+- if (sz == BPF_H)
+- off_max = 0xff;
+- else
+- off_max = 0xfff;
+
+- if (off < 0 || off > off_max) {
++ if (!is_ldst_imm(off, sz)) {
+ emit_a32_mov_i(tmp[0], off, ctx);
+ emit(ARM_ADD_R(tmp[0], tmp[0], src), ctx);
+ rm = tmp[0];
--- /dev/null
+From b401efc120a399dfda1f4d2858a4de365c9b08ef Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Wed, 1 Apr 2020 13:23:28 -0500
+Subject: objtool: Fix switch table detection in .text.unlikely
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit b401efc120a399dfda1f4d2858a4de365c9b08ef upstream.
+
+If a switch jump table's indirect branch is in a ".cold" subfunction in
+.text.unlikely, objtool doesn't detect it, and instead prints a false
+warning:
+
+ drivers/media/v4l2-core/v4l2-ioctl.o: warning: objtool: v4l_print_format.cold()+0xd6: sibling call from callable instruction with modified stack frame
+ drivers/hwmon/max6650.o: warning: objtool: max6650_probe.cold()+0xa5: sibling call from callable instruction with modified stack frame
+ drivers/media/dvb-frontends/drxk_hard.o: warning: objtool: init_drxk.cold()+0x16f: sibling call from callable instruction with modified stack frame
+
+Fix it by comparing the function, instead of the section and offset.
+
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/157c35d42ca9b6354bbb1604fe9ad7d1153ccb21.1585761021.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/objtool/check.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -938,10 +938,7 @@ static struct rela *find_switch_table(st
+ * it.
+ */
+ for (;
+- &insn->list != &file->insn_list &&
+- insn->sec == func->sec &&
+- insn->offset >= func->offset;
+-
++ &insn->list != &file->insn_list && insn->func && insn->func->pfunc == func;
+ insn = insn->first_jump_src ?: list_prev_entry(insn, list)) {
+
+ if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
--- /dev/null
+From 849f8583e955dbe3a1806e03ecacd5e71cce0a08 Mon Sep 17 00:00:00 2001
+From: Li Bin <huawei.libin@huawei.com>
+Date: Mon, 13 Apr 2020 19:29:21 +0800
+Subject: scsi: sg: add sg_remove_request in sg_common_write
+
+From: Li Bin <huawei.libin@huawei.com>
+
+commit 849f8583e955dbe3a1806e03ecacd5e71cce0a08 upstream.
+
+If the dxfer_len is greater than 256M then the request is invalid and we
+need to call sg_remove_request in sg_common_write.
+
+Link: https://lore.kernel.org/r/1586777361-17339-1-git-send-email-huawei.libin@huawei.com
+Fixes: f930c7043663 ("scsi: sg: only check for dxfer_len greater than 256M")
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Li Bin <huawei.libin@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -808,8 +808,10 @@ sg_common_write(Sg_fd * sfp, Sg_request
+ "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
+ (int) cmnd[0], (int) hp->cmd_len));
+
+- if (hp->dxfer_len >= SZ_256M)
++ if (hp->dxfer_len >= SZ_256M) {
++ sg_remove_request(sfp, srp);
+ return -EINVAL;
++ }
+
+ k = sg_start_req(srp, cmnd);
+ if (k) {
--- /dev/null
+arm-bpf-fix-offset-overflow-for-bpf_mem-bpf_dw.patch
+objtool-fix-switch-table-detection-in-.text.unlikely.patch
+scsi-sg-add-sg_remove_request-in-sg_common_write.patch
+alsa-hda-honor-pm-disablement-in-pm-freeze-and-thaw_noirq-ops.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
