--- /dev/null
+From f8e4ae10de43fbb7ce85f79e04eca2988b6b2c40 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 13 Apr 2020 22:19:19 +0200
+Subject: ALSA: hda: Allow setting preallocation again for x86
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f8e4ae10de43fbb7ce85f79e04eca2988b6b2c40 upstream.
+
+The commit c31427d0d21e ("ALSA: hda: No preallocation on x86
+platforms") changed CONFIG_SND_HDA_PREALLOC_SIZE setup and its default
+to zero for x86, as the preallocation should work almost all cases.
+However, this expectation was too naive; some applications try to
+allocate as the max buffer size as possible, and it leads to the
+memory exhaustion. More badly, the commit changed the kconfig no
+longer adjustable for x86, so you can't fix it statically (although it
+can be still adjusted via procfs).
+
+So, practically seen, it's more recommended to set a reasonable limit
+for x86, too. This patch follows to that experience, and changes the
+default to 2048 and allow the kconfig adjustable again.
+
+Fixes: c31427d0d21e ("ALSA: hda: No preallocation on x86 platforms")
+Cc: <stable@vger.kernel.org>
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207223
+Link: https://lore.kernel.org/r/20200413201919.24241-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/hda/Kconfig | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/hda/Kconfig
++++ b/sound/hda/Kconfig
+@@ -21,16 +21,17 @@ config SND_HDA_EXT_CORE
+ select SND_HDA_CORE
+
+ config SND_HDA_PREALLOC_SIZE
+- int "Pre-allocated buffer size for HD-audio driver" if !SND_DMA_SGBUF
++ int "Pre-allocated buffer size for HD-audio driver"
+ range 0 32768
+- default 0 if SND_DMA_SGBUF
++ default 2048 if SND_DMA_SGBUF
+ default 64 if !SND_DMA_SGBUF
+ help
+ Specifies the default pre-allocated buffer-size in kB for the
+ HD-audio driver. A larger buffer (e.g. 2048) is preferred
+ for systems using PulseAudio. The default 64 is chosen just
+ for compatibility reasons.
+- On x86 systems, the default is zero as we need no preallocation.
++ On x86 systems, the default is 2048 as a reasonable value for
++ most of modern systems.
+
+ Note that the pre-allocation size can be changed dynamically
+ via a proc file (/proc/asound/card*/pcm*/sub*/prealloc), too.
--- /dev/null
+From 4963d66b8a26c489958063abb6900ea6ed8e4836 Mon Sep 17 00:00:00 2001
+From: Adam Barber <barberadam995@gmail.com>
+Date: Fri, 10 Apr 2020 17:00:32 +0800
+Subject: ALSA: hda/realtek - Enable the headset mic on Asus FX505DT
+
+From: Adam Barber <barberadam995@gmail.com>
+
+commit 4963d66b8a26c489958063abb6900ea6ed8e4836 upstream.
+
+On Asus FX505DT with Realtek ALC233, the headset mic is connected
+to pin 0x19, with default 0x411111f0.
+
+Enable headset mic by reconfiguring the pin to an external mic
+associated with the headphone on 0x21. Mic jack detection was also
+found to be working.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207131
+Signed-off-by: Adam Barber <barberadam995@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200410090032.2759-1-barberadam995@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7253,6 +7253,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK),
+ SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1043, 0x18f1, "Asus FX505DT", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1043, 0x19ce, "ASUS B9450FA", ALC294_FIXUP_ASUS_HPE),
+ SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
+ SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC),
--- /dev/null
+From 934b96594ed66b07dbc7e576d28814466df3a494 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 12 Apr 2020 10:13:31 +0200
+Subject: ALSA: usb-audio: Check mapping at creating connector controls, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 934b96594ed66b07dbc7e576d28814466df3a494 upstream.
+
+Add the mapping check to build_connector_control() so that the device
+specific quirk can provide the node to skip for the badly behaving
+connector controls. As an example, ALC1220-VB-based codec implements
+the skip entry for the broken SPDIF connector detection.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206873
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200412081331.4742-5-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 18 +++++++++++-------
+ sound/usb/mixer_maps.c | 4 +++-
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1750,11 +1750,15 @@ static void get_connector_control_name(s
+
+ /* Build a mixer control for a UAC connector control (jack-detect) */
+ static void build_connector_control(struct usb_mixer_interface *mixer,
++ const struct usbmix_name_map *imap,
+ struct usb_audio_term *term, bool is_input)
+ {
+ struct snd_kcontrol *kctl;
+ struct usb_mixer_elem_info *cval;
+
++ if (check_ignored_ctl(find_map(imap, term->id, 0)))
++ return;
++
+ cval = kzalloc(sizeof(*cval), GFP_KERNEL);
+ if (!cval)
+ return;
+@@ -2090,7 +2094,7 @@ static int parse_audio_input_terminal(st
+ /* Check for jack detection. */
+ if ((iterm.type & 0xff00) != 0x0100 &&
+ uac_v2v3_control_is_readable(bmctls, control))
+- build_connector_control(state->mixer, &iterm, true);
++ build_connector_control(state->mixer, state->map, &iterm, true);
+
+ return 0;
+ }
+@@ -3051,13 +3055,13 @@ static int snd_usb_mixer_controls_badd(s
+ memset(&iterm, 0, sizeof(iterm));
+ iterm.id = UAC3_BADD_IT_ID4;
+ iterm.type = UAC_BIDIR_TERMINAL_HEADSET;
+- build_connector_control(mixer, &iterm, true);
++ build_connector_control(mixer, map->map, &iterm, true);
+
+ /* Output Term - Insertion control */
+ memset(&oterm, 0, sizeof(oterm));
+ oterm.id = UAC3_BADD_OT_ID3;
+ oterm.type = UAC_BIDIR_TERMINAL_HEADSET;
+- build_connector_control(mixer, &oterm, false);
++ build_connector_control(mixer, map->map, &oterm, false);
+ }
+
+ return 0;
+@@ -3132,8 +3136,8 @@ static int snd_usb_mixer_controls(struct
+ if ((state.oterm.type & 0xff00) != 0x0100 &&
+ uac_v2v3_control_is_readable(le16_to_cpu(desc->bmControls),
+ UAC2_TE_CONNECTOR)) {
+- build_connector_control(state.mixer, &state.oterm,
+- false);
++ build_connector_control(state.mixer, state.map,
++ &state.oterm, false);
+ }
+ } else { /* UAC_VERSION_3 */
+ struct uac3_output_terminal_descriptor *desc = p;
+@@ -3158,8 +3162,8 @@ static int snd_usb_mixer_controls(struct
+ if ((state.oterm.type & 0xff00) != 0x0100 &&
+ uac_v2v3_control_is_readable(le32_to_cpu(desc->bmControls),
+ UAC3_TE_INSERTION)) {
+- build_connector_control(state.mixer, &state.oterm,
+- false);
++ build_connector_control(state.mixer, state.map,
++ &state.oterm, false);
+ }
+ }
+ }
+--- a/sound/usb/mixer_maps.c
++++ b/sound/usb/mixer_maps.c
+@@ -360,9 +360,11 @@ static const struct usbmix_name_map cors
+ };
+
+ /* Some mobos shipped with a dummy HD-audio show the invalid GET_MIN/GET_MAX
+- * response for Input Gain Pad (id=19, control=12). Skip it.
++ * response for Input Gain Pad (id=19, control=12) and the connector status
++ * for SPDIF terminal (id=18). Skip them.
+ */
+ static const struct usbmix_name_map asus_rog_map[] = {
++ { 18, NULL }, /* OT, connector control */
+ { 19, NULL, 12 }, /* FU, Input Gain Pad */
+ {}
+ };
--- /dev/null
+From 7dc3c5a0172e6c0449502103356c3628d05bc0e0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 12 Apr 2020 10:13:30 +0200
+Subject: ALSA: usb-audio: Don't create jack controls for PCM terminals
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7dc3c5a0172e6c0449502103356c3628d05bc0e0 upstream.
+
+Some funky firmwares set the connector flag even on PCM terminals
+although it doesn't make sense (and even actually the firmware doesn't
+react properly!). Let's skip creation of jack controls in such a
+case.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206873
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200412081331.4742-4-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2088,7 +2088,8 @@ static int parse_audio_input_terminal(st
+ check_input_term(state, term_id, &iterm);
+
+ /* Check for jack detection. */
+- if (uac_v2v3_control_is_readable(bmctls, control))
++ if ((iterm.type & 0xff00) != 0x0100 &&
++ uac_v2v3_control_is_readable(bmctls, control))
+ build_connector_control(state->mixer, &iterm, true);
+
+ return 0;
+@@ -3128,7 +3129,8 @@ static int snd_usb_mixer_controls(struct
+ if (err < 0 && err != -EINVAL)
+ return err;
+
+- if (uac_v2v3_control_is_readable(le16_to_cpu(desc->bmControls),
++ if ((state.oterm.type & 0xff00) != 0x0100 &&
++ uac_v2v3_control_is_readable(le16_to_cpu(desc->bmControls),
+ UAC2_TE_CONNECTOR)) {
+ build_connector_control(state.mixer, &state.oterm,
+ false);
+@@ -3153,7 +3155,8 @@ static int snd_usb_mixer_controls(struct
+ if (err < 0 && err != -EINVAL)
+ return err;
+
+- if (uac_v2v3_control_is_readable(le32_to_cpu(desc->bmControls),
++ if ((state.oterm.type & 0xff00) != 0x0100 &&
++ uac_v2v3_control_is_readable(le32_to_cpu(desc->bmControls),
+ UAC3_TE_INSERTION)) {
+ build_connector_control(state.mixer, &state.oterm,
+ false);
--- /dev/null
+From 3507245b82b4362dc9721cbc328644905a3efa22 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 12 Apr 2020 10:13:29 +0200
+Subject: ALSA: usb-audio: Don't override ignore_ctl_error value from the map
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3507245b82b4362dc9721cbc328644905a3efa22 upstream.
+
+The mapping table may contain also ignore_ctl_error flag for devices
+that are known to behave wild. Since this flag always writes the
+card's own ignore_ctl_error flag, it overrides the value already set
+by the module option, so it doesn't follow user's expectation.
+Let's fix the code not to clear the flag that has been set by user.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206873
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200412081331.4742-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -3085,7 +3085,7 @@ static int snd_usb_mixer_controls(struct
+ if (map->id == state.chip->usb_id) {
+ state.map = map->map;
+ state.selector_map = map->selector_map;
+- mixer->ignore_ctl_error = map->ignore_ctl_error;
++ mixer->ignore_ctl_error |= map->ignore_ctl_error;
+ break;
+ }
+ }
--- /dev/null
+From 48cc42973509afac24e83d6edc23901d102872d1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 12 Apr 2020 10:13:28 +0200
+Subject: ALSA: usb-audio: Filter error from connector kctl ops, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 48cc42973509afac24e83d6edc23901d102872d1 upstream.
+
+The ignore_ctl_error option should filter the error at kctl accesses,
+but there was an overlook: mixer_ctl_connector_get() returns an error
+from the request.
+
+This patch covers the forgotten code path and apply filter_error()
+properly. The locking error is still returned since this is a fatal
+error that has to be reported even with ignore_ctl_error option.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206873
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200412081331.4742-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1446,7 +1446,7 @@ error:
+ usb_audio_err(chip,
+ "cannot get connectors status: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n",
+ UAC_GET_CUR, validx, idx, cval->val_type);
+- return ret;
++ return filter_error(cval, ret);
+ }
+
+ ucontrol->value.integer.value[0] = val;
--- /dev/null
+From 9cc3d0c6915aee5140f8335d41bbc3ff1b79aa4e Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 14 Apr 2020 11:42:48 +0100
+Subject: arm64: vdso: don't free unallocated pages
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 9cc3d0c6915aee5140f8335d41bbc3ff1b79aa4e upstream.
+
+The aarch32_vdso_pages[] array never has entries allocated in the C_VVAR
+or C_VDSO slots, and as the array is zero initialized these contain
+NULL.
+
+However in __aarch32_alloc_vdso_pages() when
+aarch32_alloc_kuser_vdso_page() fails we attempt to free the page whose
+struct page is at NULL, which is obviously nonsensical.
+
+This patch removes the erroneous page freeing.
+
+Fixes: 7c1deeeb0130 ("arm64: compat: VDSO setup for compat layer")
+Cc: <stable@vger.kernel.org> # 5.3.x-
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/vdso.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+--- a/arch/arm64/kernel/vdso.c
++++ b/arch/arm64/kernel/vdso.c
+@@ -260,18 +260,7 @@ static int __aarch32_alloc_vdso_pages(vo
+ if (ret)
+ return ret;
+
+- ret = aarch32_alloc_kuser_vdso_page();
+- if (ret) {
+- unsigned long c_vvar =
+- (unsigned long)page_to_virt(aarch32_vdso_pages[C_VVAR]);
+- unsigned long c_vdso =
+- (unsigned long)page_to_virt(aarch32_vdso_pages[C_VDSO]);
+-
+- free_page(c_vvar);
+- free_page(c_vdso);
+- }
+-
+- return ret;
++ return aarch32_alloc_kuser_vdso_page();
+ }
+ #else
+ static int __aarch32_alloc_vdso_pages(void)
--- /dev/null
+From 4d4225fc228e46948486d8b8207955f0c031b92e Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Thu, 2 Apr 2020 15:51:18 -0400
+Subject: btrfs: check commit root generation in should_ignore_root
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 4d4225fc228e46948486d8b8207955f0c031b92e upstream.
+
+Previously we would set the reloc root's last snapshot to transid - 1.
+However there was a problem with doing this, and we changed it to
+setting the last snapshot to the generation of the commit node of the fs
+root.
+
+This however broke should_ignore_root(). The assumption is that if we
+are in a generation newer than when the reloc root was created, then we
+would find the reloc root through normal backref lookups, and thus can
+ignore any fs roots we find with an old enough reloc root.
+
+Now that the last snapshot could be considerably further in the past
+than before, we'd end up incorrectly ignoring an fs root. Thus we'd
+find no nodes for the bytenr we were searching for, and we'd fail to
+relocate anything. We'd loop through the relocate code again and see
+that there were still used space in that block group, attempt to
+relocate those bytenr's again, fail in the same way, and just loop like
+this forever. This is tricky in that we have to not modify the fs root
+at all during this time, so we need to have a block group that has data
+in this fs root that is not shared by any other root, which is why this
+has been difficult to reproduce.
+
+Fixes: 054570a1dc94 ("Btrfs: fix relocation incorrectly dropping data references")
+CC: stable@vger.kernel.org # 4.9+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/relocation.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -561,8 +561,8 @@ static int should_ignore_root(struct btr
+ if (!reloc_root)
+ return 0;
+
+- if (btrfs_root_last_snapshot(&reloc_root->root_item) ==
+- root->fs_info->running_transaction->transid - 1)
++ if (btrfs_header_generation(reloc_root->commit_root) ==
++ root->fs_info->running_transaction->transid)
+ return 0;
+ /*
+ * if there is reloc tree and it was created in previous
--- /dev/null
+From 86d32f9a7c54ad74f4514d7fef7c847883207291 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 14 Apr 2020 21:33:16 +0100
+Subject: keys: Fix proc_keys_next to increase position index
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 86d32f9a7c54ad74f4514d7fef7c847883207291 upstream.
+
+If seq_file .next function does not change position index,
+read after some lseek can generate unexpected output:
+
+ $ dd if=/proc/keys bs=1 # full usual output
+ 0f6bfdf5 I--Q--- 2 perm 3f010000 1000 1000 user 4af2f79ab8848d0a: 740
+ 1fb91b32 I--Q--- 3 perm 1f3f0000 1000 65534 keyring _uid.1000: 2
+ 27589480 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
+ 2f33ab67 I--Q--- 152 perm 3f030000 0 0 keyring _ses: 2
+ 33f1d8fa I--Q--- 4 perm 3f030000 1000 1000 keyring _ses: 1
+ 3d427fda I--Q--- 2 perm 3f010000 1000 1000 user 69ec44aec7678e5a: 740
+ 3ead4096 I--Q--- 1 perm 1f3f0000 1000 65534 keyring _uid_ses.1000: 1
+ 521+0 records in
+ 521+0 records out
+ 521 bytes copied, 0,00123769 s, 421 kB/s
+
+But a read after lseek in middle of last line results in the partial
+last line and then a repeat of the final line:
+
+ $ dd if=/proc/keys bs=500 skip=1
+ dd: /proc/keys: cannot skip to specified offset
+ g _uid_ses.1000: 1
+ 3ead4096 I--Q--- 1 perm 1f3f0000 1000 65534 keyring _uid_ses.1000: 1
+ 0+1 records in
+ 0+1 records out
+ 97 bytes copied, 0,000135035 s, 718 kB/s
+
+and a read after lseek beyond end of file results in the last line being
+shown:
+
+ $ dd if=/proc/keys bs=1000 skip=1 # read after lseek beyond end of file
+ dd: /proc/keys: cannot skip to specified offset
+ 3ead4096 I--Q--- 1 perm 1f3f0000 1000 65534 keyring _uid_ses.1000: 1
+ 0+1 records in
+ 0+1 records out
+ 76 bytes copied, 0,000119981 s, 633 kB/s
+
+See https://bugzilla.kernel.org/show_bug.cgi?id=206283
+
+Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/proc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -139,6 +139,8 @@ static void *proc_keys_next(struct seq_f
+ n = key_serial_next(p, v);
+ if (n)
+ *_pos = key_node_serial(n);
++ else
++ (*_pos)++;
+ return n;
+ }
+
--- /dev/null
+From 52e04b4ce5d03775b6a78f3ed1097480faacc9fd Mon Sep 17 00:00:00 2001
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Tue, 7 Apr 2020 15:40:55 +0530
+Subject: mac80211: fix race in ieee80211_register_hw()
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+commit 52e04b4ce5d03775b6a78f3ed1097480faacc9fd upstream.
+
+A race condition leading to a kernel crash is observed during invocation
+of ieee80211_register_hw() on a dragonboard410c device having wcn36xx
+driver built as a loadable module along with a wifi manager in user-space
+waiting for a wifi device (wlanX) to be active.
+
+Sequence diagram for a particular kernel crash scenario:
+
+ user-space ieee80211_register_hw() ieee80211_tasklet_handler()
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ | | |
+ |<---phy0----wiphy_register() |
+ |-----iwd if_add---->| |
+ | |<---IRQ----(RX packet)
+ | Kernel crash |
+ | due to unallocated |
+ | workqueue. |
+ | | |
+ | alloc_ordered_workqueue() |
+ | | |
+ | Misc wiphy init. |
+ | | |
+ | ieee80211_if_add() |
+ | | |
+
+As evident from above sequence diagram, this race condition isn't specific
+to a particular wifi driver but rather the initialization sequence in
+ieee80211_register_hw() needs to be fixed. So re-order the initialization
+sequence and the updated sequence diagram would look like:
+
+ user-space ieee80211_register_hw() ieee80211_tasklet_handler()
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ | | |
+ | alloc_ordered_workqueue() |
+ | | |
+ | Misc wiphy init. |
+ | | |
+ |<---phy0----wiphy_register() |
+ |-----iwd if_add---->| |
+ | |<---IRQ----(RX packet)
+ | | |
+ | ieee80211_if_add() |
+ | | |
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Link: https://lore.kernel.org/r/1586254255-28713-1-git-send-email-sumit.garg@linaro.org
+[Johannes: fix rtnl imbalances]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/main.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1051,7 +1051,7 @@ int ieee80211_register_hw(struct ieee802
+ local->hw.wiphy->signal_type = CFG80211_SIGNAL_TYPE_UNSPEC;
+ if (hw->max_signal <= 0) {
+ result = -EINVAL;
+- goto fail_wiphy_register;
++ goto fail_workqueue;
+ }
+ }
+
+@@ -1113,7 +1113,7 @@ int ieee80211_register_hw(struct ieee802
+
+ result = ieee80211_init_cipher_suites(local);
+ if (result < 0)
+- goto fail_wiphy_register;
++ goto fail_workqueue;
+
+ if (!local->ops->remain_on_channel)
+ local->hw.wiphy->max_remain_on_channel_duration = 5000;
+@@ -1139,10 +1139,6 @@ int ieee80211_register_hw(struct ieee802
+
+ local->hw.wiphy->max_num_csa_counters = IEEE80211_MAX_CSA_COUNTERS_NUM;
+
+- result = wiphy_register(local->hw.wiphy);
+- if (result < 0)
+- goto fail_wiphy_register;
+-
+ /*
+ * We use the number of queues for feature tests (QoS, HT) internally
+ * so restrict them appropriately.
+@@ -1198,9 +1194,9 @@ int ieee80211_register_hw(struct ieee802
+ goto fail_flows;
+
+ rtnl_lock();
+-
+ result = ieee80211_init_rate_ctrl_alg(local,
+ hw->rate_control_algorithm);
++ rtnl_unlock();
+ if (result < 0) {
+ wiphy_debug(local->hw.wiphy,
+ "Failed to initialize rate control algorithm\n");
+@@ -1254,6 +1250,12 @@ int ieee80211_register_hw(struct ieee802
+ local->sband_allocated |= BIT(band);
+ }
+
++ result = wiphy_register(local->hw.wiphy);
++ if (result < 0)
++ goto fail_wiphy_register;
++
++ rtnl_lock();
++
+ /* add one default STA interface if supported */
+ if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_STATION) &&
+ !ieee80211_hw_check(hw, NO_AUTO_VIF)) {
+@@ -1293,17 +1295,17 @@ int ieee80211_register_hw(struct ieee802
+ #if defined(CONFIG_INET) || defined(CONFIG_IPV6)
+ fail_ifa:
+ #endif
++ wiphy_unregister(local->hw.wiphy);
++ fail_wiphy_register:
+ rtnl_lock();
+ rate_control_deinitialize(local);
+ ieee80211_remove_interfaces(local);
+- fail_rate:
+ rtnl_unlock();
++ fail_rate:
+ fail_flows:
+ ieee80211_led_exit(local);
+ destroy_workqueue(local->workqueue);
+ fail_workqueue:
+- wiphy_unregister(local->hw.wiphy);
+- fail_wiphy_register:
+ if (local->wiphy_ciphers_allocated)
+ kfree(local->hw.wiphy->cipher_suites);
+ kfree(local->int_scan_req);
+@@ -1353,8 +1355,8 @@ void ieee80211_unregister_hw(struct ieee
+ skb_queue_purge(&local->skb_queue_unreliable);
+ skb_queue_purge(&local->skb_queue_tdls_chsw);
+
+- destroy_workqueue(local->workqueue);
+ wiphy_unregister(local->hw.wiphy);
++ destroy_workqueue(local->workqueue);
+ ieee80211_led_exit(local);
+ kfree(local->int_scan_req);
+ }
--- /dev/null
+From 7ea862048317aa76d0f22334202779a25530980c Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
+Date: Fri, 10 Apr 2020 15:32:57 +0300
+Subject: mac80211_hwsim: Use kstrndup() in place of kasprintf()
+
+From: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
+
+commit 7ea862048317aa76d0f22334202779a25530980c upstream.
+
+syzbot reports a warning:
+
+precision 33020 too large
+WARNING: CPU: 0 PID: 9618 at lib/vsprintf.c:2471 set_precision+0x150/0x180 lib/vsprintf.c:2471
+ vsnprintf+0xa7b/0x19a0 lib/vsprintf.c:2547
+ kvasprintf+0xb2/0x170 lib/kasprintf.c:22
+ kasprintf+0xbb/0xf0 lib/kasprintf.c:59
+ hwsim_del_radio_nl+0x63a/0x7e0 drivers/net/wireless/mac80211_hwsim.c:3625
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline]
+ ...
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Thus it seems that kasprintf() with "%.*s" format can not be used for
+duplicating a string with arbitrary length. Replace it with kstrndup().
+
+Note that later this string is limited to NL80211_WIPHY_NAME_MAXLEN == 64,
+but the code is simpler this way.
+
+Reported-by: syzbot+6693adf1698864d21734@syzkaller.appspotmail.com
+Reported-by: syzbot+a4aee3f42d7584d76761@syzkaller.appspotmail.com
+Cc: stable@kernel.org
+Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
+Link: https://lore.kernel.org/r/20200410123257.14559-1-tuomas.tynkkynen@iki.fi
+[johannes: add note about length limit]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mac80211_hwsim.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3600,9 +3600,9 @@ static int hwsim_new_radio_nl(struct sk_
+ }
+
+ if (info->attrs[HWSIM_ATTR_RADIO_NAME]) {
+- hwname = kasprintf(GFP_KERNEL, "%.*s",
+- nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
+- (char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]));
++ hwname = kstrndup((char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]),
++ nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
++ GFP_KERNEL);
+ if (!hwname)
+ return -ENOMEM;
+ param.hwname = hwname;
+@@ -3622,9 +3622,9 @@ static int hwsim_del_radio_nl(struct sk_
+ if (info->attrs[HWSIM_ATTR_RADIO_ID]) {
+ idx = nla_get_u32(info->attrs[HWSIM_ATTR_RADIO_ID]);
+ } else if (info->attrs[HWSIM_ATTR_RADIO_NAME]) {
+- hwname = kasprintf(GFP_KERNEL, "%.*s",
+- nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
+- (char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]));
++ hwname = kstrndup((char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]),
++ nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
++ GFP_KERNEL);
+ if (!hwname)
+ return -ENOMEM;
+ } else
--- /dev/null
+From 0e012b4e4b5ec8e064be3502382579dd0bb43269 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sun, 12 Apr 2020 00:40:30 +0200
+Subject: nl80211: fix NL80211_ATTR_FTM_RESPONDER policy
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 0e012b4e4b5ec8e064be3502382579dd0bb43269 upstream.
+
+The nested policy here should be established using the
+NLA_POLICY_NESTED() macro so the length is properly
+filled in.
+
+Cc: stable@vger.kernel.org
+Fixes: 81e54d08d9d8 ("cfg80211: support FTM responder configuration/statistics")
+Link: https://lore.kernel.org/r/20200412004029.9d0722bb56c8.Ie690bfcc4a1a61ff8d8ca7e475d59fcaa52fb2da@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -619,10 +619,8 @@ const struct nla_policy nl80211_policy[N
+ [NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
+ .len = NL80211_HE_MAX_CAPABILITY_LEN },
+
+- [NL80211_ATTR_FTM_RESPONDER] = {
+- .type = NLA_NESTED,
+- .validation_data = nl80211_ftm_responder_policy,
+- },
++ [NL80211_ATTR_FTM_RESPONDER] =
++ NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
+ [NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
+ [NL80211_ATTR_PEER_MEASUREMENTS] =
+ NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
usb-dwc3-gadget-don-t-clear-flags-before-transfer-ended.patch
asoc-intel-mrfld-fix-incorrect-check-on-p-sink.patch
asoc-intel-mrfld-return-error-codes-when-an-error-occurs.patch
+alsa-hda-allow-setting-preallocation-again-for-x86.patch
+alsa-hda-realtek-enable-the-headset-mic-on-asus-fx505dt.patch
+alsa-usb-audio-filter-error-from-connector-kctl-ops-too.patch
+alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch
+alsa-usb-audio-don-t-create-jack-controls-for-pcm-terminals.patch
+alsa-usb-audio-check-mapping-at-creating-connector-controls-too.patch
+arm64-vdso-don-t-free-unallocated-pages.patch
+keys-fix-proc_keys_next-to-increase-position-index.patch
+tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
+btrfs-check-commit-root-generation-in-should_ignore_root.patch
+nl80211-fix-nl80211_attr_ftm_responder-policy.patch
+mac80211-fix-race-in-ieee80211_register_hw.patch
+mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch
--- /dev/null
+From 0bbe7f719985efd9adb3454679ecef0984cb6800 Mon Sep 17 00:00:00 2001
+From: Xiao Yang <yangx.jy@cn.fujitsu.com>
+Date: Tue, 14 Apr 2020 09:51:45 +0800
+Subject: tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation
+
+From: Xiao Yang <yangx.jy@cn.fujitsu.com>
+
+commit 0bbe7f719985efd9adb3454679ecef0984cb6800 upstream.
+
+Traced event can trigger 'snapshot' operation(i.e. calls snapshot_trigger()
+or snapshot_count_trigger()) when register_snapshot_trigger() has completed
+registration but doesn't allocate buffer for 'snapshot' event trigger. In
+the rare case, 'snapshot' operation always detects the lack of allocated
+buffer so make register_snapshot_trigger() allocate buffer first.
+
+trigger-snapshot.tc in kselftest reproduces the issue on slow vm:
+-----------------------------------------------------------
+cat trace
+...
+ftracetest-3028 [002] .... 236.784290: sched_process_fork: comm=ftracetest pid=3028 child_comm=ftracetest child_pid=3036
+ <...>-2875 [003] .... 240.460335: tracing_snapshot_instance_cond: *** SNAPSHOT NOT ALLOCATED ***
+ <...>-2875 [003] .... 240.460338: tracing_snapshot_instance_cond: *** stopping trace here! ***
+-----------------------------------------------------------
+
+Link: http://lkml.kernel.org/r/20200414015145.66236-1-yangx.jy@cn.fujitsu.com
+
+Cc: stable@vger.kernel.org
+Fixes: 93e31ffbf417a ("tracing: Add 'snapshot' event trigger command")
+Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -1088,14 +1088,10 @@ register_snapshot_trigger(char *glob, st
+ struct event_trigger_data *data,
+ struct trace_event_file *file)
+ {
+- int ret = register_trigger(glob, ops, data, file);
++ if (tracing_alloc_snapshot_instance(file->tr) != 0)
++ return 0;
+
+- if (ret > 0 && tracing_alloc_snapshot_instance(file->tr) != 0) {
+- unregister_trigger(glob, ops, data, file);
+- ret = 0;
+- }
+-
+- return ret;
++ return register_trigger(glob, ops, data, file);
+ }
+
+ static int
projects / thirdparty / kernel / stable-queue.git / commitdiff
