--- /dev/null
+From 10db5bccc390e8e4bd9fcd1fbd4f1b23f271a405 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 13 Apr 2020 10:20:30 +0200
+Subject: ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 10db5bccc390e8e4bd9fcd1fbd4f1b23f271a405 upstream.
+
+freeze_noirq and thaw_noirq need to check the PM availability like
+other PM ops. There are cases where the device got disabled due to
+the error, and the PM operation should be ignored for that.
+
+Fixes: 3e6db33aaf1d ("ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207043
+Link: https://lore.kernel.org/r/20200413082034.25166-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1071,6 +1071,8 @@ static int azx_freeze_noirq(struct devic
+ struct azx *chip = card->private_data;
+ struct pci_dev *pci = to_pci_dev(dev);
+
++ if (!azx_is_pm_ready(card))
++ return 0;
+ if (chip->driver_type == AZX_DRIVER_SKL)
+ pci_set_power_state(pci, PCI_D3hot);
+
+@@ -1083,6 +1085,8 @@ static int azx_thaw_noirq(struct device
+ struct azx *chip = card->private_data;
+ struct pci_dev *pci = to_pci_dev(dev);
+
++ if (!azx_is_pm_ready(card))
++ return 0;
+ if (chip->driver_type == AZX_DRIVER_SKL)
+ pci_set_power_state(pci, PCI_D0);
+
--- /dev/null
+From bb9562cf5c67813034c96afb50bd21130a504441 Mon Sep 17 00:00:00 2001
+From: Luke Nelson <lukenels@cs.washington.edu>
+Date: Wed, 8 Apr 2020 18:12:29 +0000
+Subject: arm, bpf: Fix bugs with ALU64 {RSH, ARSH} BPF_K shift by 0
+
+From: Luke Nelson <lukenels@cs.washington.edu>
+
+commit bb9562cf5c67813034c96afb50bd21130a504441 upstream.
+
+The current arm BPF JIT does not correctly compile RSH or ARSH when the
+immediate shift amount is 0. This causes the "rsh64 by 0 imm" and "arsh64
+by 0 imm" BPF selftests to hang the kernel by reaching an instruction
+the verifier determines to be unreachable.
+
+The root cause is in how immediate right shifts are encoded on arm.
+For LSR and ASR (logical and arithmetic right shift), a bit-pattern
+of 00000 in the immediate encodes a shift amount of 32. When the BPF
+immediate is 0, the generated code shifts by 32 instead of the expected
+behavior (a no-op).
+
+This patch fixes the bugs by adding an additional check if the BPF
+immediate is 0. After the change, the above mentioned BPF selftests pass.
+
+Fixes: 39c13c204bb11 ("arm: eBPF JIT compiler")
+Co-developed-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20200408181229.10909-1-luke.r.nels@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/net/bpf_jit_32.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -929,7 +929,11 @@ static inline void emit_a32_rsh_i64(cons
+ rd = arm_bpf_get_reg64(dst, tmp, ctx);
+
+ /* Do LSR operation */
+- if (val < 32) {
++ if (val == 0) {
++ /* An immediate value of 0 encodes a shift amount of 32
++ * for LSR. To shift by 0, don't do anything.
++ */
++ } else if (val < 32) {
+ emit(ARM_MOV_SI(tmp2[1], rd[1], SRTYPE_LSR, val), ctx);
+ emit(ARM_ORR_SI(rd[1], tmp2[1], rd[0], SRTYPE_ASL, 32 - val), ctx);
+ emit(ARM_MOV_SI(rd[0], rd[0], SRTYPE_LSR, val), ctx);
+@@ -955,7 +959,11 @@ static inline void emit_a32_arsh_i64(con
+ rd = arm_bpf_get_reg64(dst, tmp, ctx);
+
+ /* Do ARSH operation */
+- if (val < 32) {
++ if (val == 0) {
++ /* An immediate value of 0 encodes a shift amount of 32
++ * for ASR. To shift by 0, don't do anything.
++ */
++ } else if (val < 32) {
+ emit(ARM_MOV_SI(tmp2[1], rd[1], SRTYPE_LSR, val), ctx);
+ emit(ARM_ORR_SI(rd[1], tmp2[1], rd[0], SRTYPE_ASL, 32 - val), ctx);
+ emit(ARM_MOV_SI(rd[0], rd[0], SRTYPE_ASR, val), ctx);
--- /dev/null
+From 4178417cc5359c329790a4a8f4a6604612338cca Mon Sep 17 00:00:00 2001
+From: Luke Nelson <lukenels@cs.washington.edu>
+Date: Thu, 9 Apr 2020 15:17:52 -0700
+Subject: arm, bpf: Fix offset overflow for BPF_MEM BPF_DW
+
+From: Luke Nelson <lukenels@cs.washington.edu>
+
+commit 4178417cc5359c329790a4a8f4a6604612338cca upstream.
+
+This patch fixes an incorrect check in how immediate memory offsets are
+computed for BPF_DW on arm.
+
+For BPF_LDX/ST/STX + BPF_DW, the 32-bit arm JIT breaks down an 8-byte
+access into two separate 4-byte accesses using off+0 and off+4. If off
+fits in imm12, the JIT emits a ldr/str instruction with the immediate
+and avoids the use of a temporary register. While the current check off
+<= 0xfff ensures that the first immediate off+0 doesn't overflow imm12,
+it's not sufficient for the second immediate off+4, which may cause the
+second access of BPF_DW to read/write the wrong address.
+
+This patch fixes the problem by changing the check to
+off <= 0xfff - 4 for BPF_DW, ensuring off+4 will never overflow.
+
+A side effect of simplifying the check is that it now allows using
+negative immediate offsets in ldr/str. This means that small negative
+offsets can also avoid the use of a temporary register.
+
+This patch introduces no new failures in test_verifier or test_bpf.c.
+
+Fixes: c5eae692571d6 ("ARM: net: bpf: improve 64-bit store implementation")
+Fixes: ec19e02b343db ("ARM: net: bpf: fix LDX instructions")
+Co-developed-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20200409221752.28448-1-luke.r.nels@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/net/bpf_jit_32.c | 40 ++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 16 deletions(-)
+
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -992,21 +992,35 @@ static inline void emit_a32_mul_r64(cons
+ arm_bpf_put_reg32(dst_hi, rd[0], ctx);
+ }
+
++static bool is_ldst_imm(s16 off, const u8 size)
++{
++ s16 off_max = 0;
++
++ switch (size) {
++ case BPF_B:
++ case BPF_W:
++ off_max = 0xfff;
++ break;
++ case BPF_H:
++ off_max = 0xff;
++ break;
++ case BPF_DW:
++ /* Need to make sure off+4 does not overflow. */
++ off_max = 0xfff - 4;
++ break;
++ }
++ return -off_max <= off && off <= off_max;
++}
++
+ /* *(size *)(dst + off) = src */
+ static inline void emit_str_r(const s8 dst, const s8 src[],
+- s32 off, struct jit_ctx *ctx, const u8 sz){
++ s16 off, struct jit_ctx *ctx, const u8 sz){
+ const s8 *tmp = bpf2a32[TMP_REG_1];
+- s32 off_max;
+ s8 rd;
+
+ rd = arm_bpf_get_reg32(dst, tmp[1], ctx);
+
+- if (sz == BPF_H)
+- off_max = 0xff;
+- else
+- off_max = 0xfff;
+-
+- if (off < 0 || off > off_max) {
++ if (!is_ldst_imm(off, sz)) {
+ emit_a32_mov_i(tmp[0], off, ctx);
+ emit(ARM_ADD_R(tmp[0], tmp[0], rd), ctx);
+ rd = tmp[0];
+@@ -1035,18 +1049,12 @@ static inline void emit_str_r(const s8 d
+
+ /* dst = *(size*)(src + off) */
+ static inline void emit_ldx_r(const s8 dst[], const s8 src,
+- s32 off, struct jit_ctx *ctx, const u8 sz){
++ s16 off, struct jit_ctx *ctx, const u8 sz){
+ const s8 *tmp = bpf2a32[TMP_REG_1];
+ const s8 *rd = is_stacked(dst_lo) ? tmp : dst;
+ s8 rm = src;
+- s32 off_max;
+-
+- if (sz == BPF_H)
+- off_max = 0xff;
+- else
+- off_max = 0xfff;
+
+- if (off < 0 || off > off_max) {
++ if (!is_ldst_imm(off, sz)) {
+ emit_a32_mov_i(tmp[0], off, ctx);
+ emit(ARM_ADD_R(tmp[0], tmp[0], src), ctx);
+ rm = tmp[0];
--- /dev/null
+From 1f6cb19be2e231fe092f40decb71f066eba090d7 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Fri, 10 Apr 2020 13:26:12 -0700
+Subject: bpf: Prevent re-mmap()'ing BPF map as writable for initially r/o mapping
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit 1f6cb19be2e231fe092f40decb71f066eba090d7 upstream.
+
+VM_MAYWRITE flag during initial memory mapping determines if already mmap()'ed
+pages can be later remapped as writable ones through mprotect() call. To
+prevent user application to rewrite contents of memory-mapped as read-only and
+subsequently frozen BPF map, remove VM_MAYWRITE flag completely on initially
+read-only mapping.
+
+Alternatively, we could treat any memory-mapping on unfrozen map as writable
+and bump writecnt instead. But there is little legitimate reason to map
+BPF map as read-only and then re-mmap() it as writable through mprotect(),
+instead of just mmap()'ing it as read/write from the very beginning.
+
+Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap
+operations. We can just rely on VMA holding reference to BPF map's file
+properly.
+
+Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jann Horn <jannh@google.com>
+Link: https://lore.kernel.org/bpf/20200410202613.3679837-1-andriin@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/syscall.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -592,9 +592,7 @@ static void bpf_map_mmap_open(struct vm_
+ {
+ struct bpf_map *map = vma->vm_file->private_data;
+
+- bpf_map_inc_with_uref(map);
+-
+- if (vma->vm_flags & VM_WRITE) {
++ if (vma->vm_flags & VM_MAYWRITE) {
+ mutex_lock(&map->freeze_mutex);
+ map->writecnt++;
+ mutex_unlock(&map->freeze_mutex);
+@@ -606,13 +604,11 @@ static void bpf_map_mmap_close(struct vm
+ {
+ struct bpf_map *map = vma->vm_file->private_data;
+
+- if (vma->vm_flags & VM_WRITE) {
++ if (vma->vm_flags & VM_MAYWRITE) {
+ mutex_lock(&map->freeze_mutex);
+ map->writecnt--;
+ mutex_unlock(&map->freeze_mutex);
+ }
+-
+- bpf_map_put_with_uref(map);
+ }
+
+ static const struct vm_operations_struct bpf_map_default_vmops = {
+@@ -641,14 +637,16 @@ static int bpf_map_mmap(struct file *fil
+ /* set default open/close callbacks */
+ vma->vm_ops = &bpf_map_default_vmops;
+ vma->vm_private_data = map;
++ vma->vm_flags &= ~VM_MAYEXEC;
++ if (!(vma->vm_flags & VM_WRITE))
++ /* disallow re-mapping with PROT_WRITE */
++ vma->vm_flags &= ~VM_MAYWRITE;
+
+ err = map->ops->map_mmap(map, vma);
+ if (err)
+ goto out;
+
+- bpf_map_inc_with_uref(map);
+-
+- if (vma->vm_flags & VM_WRITE)
++ if (vma->vm_flags & VM_MAYWRITE)
+ map->writecnt++;
+ out:
+ mutex_unlock(&map->freeze_mutex);
--- /dev/null
+From d87f639258a6a5980183f11876c884931ad93da2 Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 28 Feb 2020 16:14:11 -0800
+Subject: ext4: use non-movable memory for superblock readahead
+
+From: Roman Gushchin <guro@fb.com>
+
+commit d87f639258a6a5980183f11876c884931ad93da2 upstream.
+
+Since commit a8ac900b8163 ("ext4: use non-movable memory for the
+superblock") buffers for ext4 superblock were allocated using
+the sb_bread_unmovable() helper which allocated buffer heads
+out of non-movable memory blocks. It was necessarily to not block
+page migrations and do not cause cma allocation failures.
+
+However commit 85c8f176a611 ("ext4: preload block group descriptors")
+broke this by introducing pre-reading of the ext4 superblock.
+The problem is that __breadahead() is using __getblk() underneath,
+which allocates buffer heads out of movable memory.
+
+It resulted in page migration failures I've seen on a machine
+with an ext4 partition and a preallocated cma area.
+
+Fix this by introducing sb_breadahead_unmovable() and
+__breadahead_gfp() helpers which use non-movable memory for buffer
+head allocations and use them for the ext4 superblock readahead.
+
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Fixes: 85c8f176a611 ("ext4: preload block group descriptors")
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Link: https://lore.kernel.org/r/20200229001411.128010-1-guro@fb.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/buffer.c | 11 +++++++++++
+ fs/ext4/inode.c | 2 +-
+ fs/ext4/super.c | 2 +-
+ include/linux/buffer_head.h | 8 ++++++++
+ 4 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -1377,6 +1377,17 @@ void __breadahead(struct block_device *b
+ }
+ EXPORT_SYMBOL(__breadahead);
+
++void __breadahead_gfp(struct block_device *bdev, sector_t block, unsigned size,
++ gfp_t gfp)
++{
++ struct buffer_head *bh = __getblk_gfp(bdev, block, size, gfp);
++ if (likely(bh)) {
++ ll_rw_block(REQ_OP_READ, REQ_RAHEAD, 1, &bh);
++ brelse(bh);
++ }
++}
++EXPORT_SYMBOL(__breadahead_gfp);
++
+ /**
+ * __bread_gfp() - reads a specified block and returns the bh
+ * @bdev: the block_device to read from
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4348,7 +4348,7 @@ make_io:
+ if (end > table)
+ end = table;
+ while (b <= end)
+- sb_breadahead(sb, b++);
++ sb_breadahead_unmovable(sb, b++);
+ }
+
+ /*
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4331,7 +4331,7 @@ static int ext4_fill_super(struct super_
+ /* Pre-read the descriptors into the buffer cache */
+ for (i = 0; i < db_count; i++) {
+ block = descriptor_loc(sb, logical_sb_block, i);
+- sb_breadahead(sb, block);
++ sb_breadahead_unmovable(sb, block);
+ }
+
+ for (i = 0; i < db_count; i++) {
+--- a/include/linux/buffer_head.h
++++ b/include/linux/buffer_head.h
+@@ -189,6 +189,8 @@ struct buffer_head *__getblk_gfp(struct
+ void __brelse(struct buffer_head *);
+ void __bforget(struct buffer_head *);
+ void __breadahead(struct block_device *, sector_t block, unsigned int size);
++void __breadahead_gfp(struct block_device *, sector_t block, unsigned int size,
++ gfp_t gfp);
+ struct buffer_head *__bread_gfp(struct block_device *,
+ sector_t block, unsigned size, gfp_t gfp);
+ void invalidate_bh_lrus(void);
+@@ -319,6 +321,12 @@ sb_breadahead(struct super_block *sb, se
+ __breadahead(sb->s_bdev, block, sb->s_blocksize);
+ }
+
++static inline void
++sb_breadahead_unmovable(struct super_block *sb, sector_t block)
++{
++ __breadahead_gfp(sb->s_bdev, block, sb->s_blocksize, 0);
++}
++
+ static inline struct buffer_head *
+ sb_getblk(struct super_block *sb, sector_t block)
+ {
--- /dev/null
+From f07cbad29741407ace2a9688548fa93d9cb38df3 Mon Sep 17 00:00:00 2001
+From: Andrey Ignatov <rdna@fb.com>
+Date: Mon, 6 Apr 2020 22:09:45 -0700
+Subject: libbpf: Fix bpf_get_link_xdp_id flags handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Ignatov <rdna@fb.com>
+
+commit f07cbad29741407ace2a9688548fa93d9cb38df3 upstream.
+
+Currently if one of XDP_FLAGS_{DRV,HW,SKB}_MODE flags is passed to
+bpf_get_link_xdp_id() and there is a single XDP program attached to
+ifindex, that program's id will be returned by bpf_get_link_xdp_id() in
+prog_id argument no matter what mode the program is attached in, i.e.
+flags argument is not taken into account.
+
+For example, if there is a single program attached with
+XDP_FLAGS_SKB_MODE but user calls bpf_get_link_xdp_id() with flags =
+XDP_FLAGS_DRV_MODE, that skb program will be returned.
+
+Fix it by returning info->prog_id only if user didn't specify flags. If
+flags is specified then return corresponding mode-specific-field from
+struct xdp_link_info.
+
+The initial error was introduced in commit 50db9f073188 ("libbpf: Add a
+support for getting xdp prog id on ifindex") and then refactored in
+473f4e133a12 so 473f4e133a12 is used in the Fixes tag.
+
+Fixes: 473f4e133a12 ("libbpf: Add bpf_get_link_xdp_info() function to get more XDP information")
+Signed-off-by: Andrey Ignatov <rdna@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/bpf/0e9e30490b44b447bb2bebc69c7135e7fe7e4e40.1586236080.git.rdna@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/bpf/netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/lib/bpf/netlink.c
++++ b/tools/lib/bpf/netlink.c
+@@ -289,7 +289,7 @@ int bpf_get_link_xdp_info(int ifindex, s
+
+ static __u32 get_xdp_id(struct xdp_link_info *info, __u32 flags)
+ {
+- if (info->attach_mode != XDP_ATTACHED_MULTI)
++ if (info->attach_mode != XDP_ATTACHED_MULTI && !flags)
+ return info->prog_id;
+ if (flags & XDP_FLAGS_DRV_MODE)
+ return info->drv_prog_id;
--- /dev/null
+From b401efc120a399dfda1f4d2858a4de365c9b08ef Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Wed, 1 Apr 2020 13:23:28 -0500
+Subject: objtool: Fix switch table detection in .text.unlikely
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit b401efc120a399dfda1f4d2858a4de365c9b08ef upstream.
+
+If a switch jump table's indirect branch is in a ".cold" subfunction in
+.text.unlikely, objtool doesn't detect it, and instead prints a false
+warning:
+
+ drivers/media/v4l2-core/v4l2-ioctl.o: warning: objtool: v4l_print_format.cold()+0xd6: sibling call from callable instruction with modified stack frame
+ drivers/hwmon/max6650.o: warning: objtool: max6650_probe.cold()+0xa5: sibling call from callable instruction with modified stack frame
+ drivers/media/dvb-frontends/drxk_hard.o: warning: objtool: init_drxk.cold()+0x16f: sibling call from callable instruction with modified stack frame
+
+Fix it by comparing the function, instead of the section and offset.
+
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/157c35d42ca9b6354bbb1604fe9ad7d1153ccb21.1585761021.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/objtool/check.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -1011,10 +1011,7 @@ static struct rela *find_jump_table(stru
+ * it.
+ */
+ for (;
+- &insn->list != &file->insn_list &&
+- insn->sec == func->sec &&
+- insn->offset >= func->offset;
+-
++ &insn->list != &file->insn_list && insn->func && insn->func->pfunc == func;
+ insn = insn->first_jump_src ?: list_prev_entry(insn, list)) {
+
+ if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
--- /dev/null
+From 849f8583e955dbe3a1806e03ecacd5e71cce0a08 Mon Sep 17 00:00:00 2001
+From: Li Bin <huawei.libin@huawei.com>
+Date: Mon, 13 Apr 2020 19:29:21 +0800
+Subject: scsi: sg: add sg_remove_request in sg_common_write
+
+From: Li Bin <huawei.libin@huawei.com>
+
+commit 849f8583e955dbe3a1806e03ecacd5e71cce0a08 upstream.
+
+If the dxfer_len is greater than 256M then the request is invalid and we
+need to call sg_remove_request in sg_common_write.
+
+Link: https://lore.kernel.org/r/1586777361-17339-1-git-send-email-huawei.libin@huawei.com
+Fixes: f930c7043663 ("scsi: sg: only check for dxfer_len greater than 256M")
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Li Bin <huawei.libin@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -793,8 +793,10 @@ sg_common_write(Sg_fd * sfp, Sg_request
+ "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
+ (int) cmnd[0], (int) hp->cmd_len));
+
+- if (hp->dxfer_len >= SZ_256M)
++ if (hp->dxfer_len >= SZ_256M) {
++ sg_remove_request(sfp, srp);
+ return -EINVAL;
++ }
+
+ k = sg_start_req(srp, cmnd);
+ if (k) {
netfilter-nft_set_rbtree-drop-spurious-condition-for-overlap-detection-on-insertion.patch
+arm-bpf-fix-offset-overflow-for-bpf_mem-bpf_dw.patch
+objtool-fix-switch-table-detection-in-.text.unlikely.patch
+scsi-sg-add-sg_remove_request-in-sg_common_write.patch
+alsa-hda-honor-pm-disablement-in-pm-freeze-and-thaw_noirq-ops.patch
+ext4-use-non-movable-memory-for-superblock-readahead.patch
+watchdog-sp805-fix-restart-handler.patch
+xsk-fix-out-of-boundary-write-in-__xsk_rcv_memcpy.patch
+libbpf-fix-bpf_get_link_xdp_id-flags-handling.patch
+arm-bpf-fix-bugs-with-alu64-rsh-arsh-bpf_k-shift-by-0.patch
+bpf-prevent-re-mmap-ing-bpf-map-as-writable-for-initially-r-o-mapping.patch
--- /dev/null
+From ea104a9e4d3e9ebc26fb78dac35585b142ee288b Mon Sep 17 00:00:00 2001
+From: Michael Walle <michael@walle.cc>
+Date: Fri, 27 Mar 2020 17:24:50 +0100
+Subject: watchdog: sp805: fix restart handler
+
+From: Michael Walle <michael@walle.cc>
+
+commit ea104a9e4d3e9ebc26fb78dac35585b142ee288b upstream.
+
+The restart handler is missing two things, first, the registers
+has to be unlocked and second there is no synchronization for the
+write_relaxed() calls.
+
+This was tested on a custom board with the NXP LS1028A SoC.
+
+Fixes: 6c5c0d48b686c ("watchdog: sp805: add restart handler")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200327162450.28506-1-michael@walle.cc
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/sp805_wdt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/watchdog/sp805_wdt.c
++++ b/drivers/watchdog/sp805_wdt.c
+@@ -137,10 +137,14 @@ wdt_restart(struct watchdog_device *wdd,
+ {
+ struct sp805_wdt *wdt = watchdog_get_drvdata(wdd);
+
++ writel_relaxed(UNLOCK, wdt->base + WDTLOCK);
+ writel_relaxed(0, wdt->base + WDTCONTROL);
+ writel_relaxed(0, wdt->base + WDTLOAD);
+ writel_relaxed(INT_ENABLE | RESET_ENABLE, wdt->base + WDTCONTROL);
+
++ /* Flush posted writes. */
++ readl_relaxed(wdt->base + WDTLOCK);
++
+ return 0;
+ }
+
--- /dev/null
+From db5c97f02373917efe2c218ebf8e3d8b19e343b6 Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Thu, 2 Apr 2020 15:52:10 +0800
+Subject: xsk: Fix out of boundary write in __xsk_rcv_memcpy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Li RongQing <lirongqing@baidu.com>
+
+commit db5c97f02373917efe2c218ebf8e3d8b19e343b6 upstream.
+
+first_len is the remainder of the first page we're copying.
+If this size is larger, then out of page boundary write will
+otherwise happen.
+
+Fixes: c05cd3645814 ("xsk: add support to allow unaligned chunk placement")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Acked-by: Björn Töpel <bjorn.topel@intel.com>
+Link: https://lore.kernel.org/bpf/1585813930-19712-1-git-send-email-lirongqing@baidu.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xdp/xsk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -131,8 +131,9 @@ static void __xsk_rcv_memcpy(struct xdp_
+ u64 page_start = addr & ~(PAGE_SIZE - 1);
+ u64 first_len = PAGE_SIZE - (addr - page_start);
+
+- memcpy(to_buf, from_buf, first_len + metalen);
+- memcpy(next_pg_addr, from_buf + first_len, len - first_len);
++ memcpy(to_buf, from_buf, first_len);
++ memcpy(next_pg_addr, from_buf + first_len,
++ len + metalen - first_len);
+
+ return;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
