commit d71f695ce745df9544a85d8a762f16d72e72df00
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue May 5 19:15:53 2020 +0200

    Linux 4.14.179

commit 90d4469b0aefac7695e48a641551f74a38f55613
Author: Paul Moore <paul@paul-moore.com>
Date:   Tue Apr 28 09:59:02 2020 -0400

    selinux: properly handle multiple messages in selinux_netlink_send()
    
    commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.
    
    Fix the SELinux netlink_send hook to properly handle multiple netlink
    messages in a single sk_buff; each message is parsed and subject to
    SELinux access control.  Prior to this patch, SELinux only inspected
    the first message in the sk_buff.
    
    Cc: stable@vger.kernel.org
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bd9339bf0b62f70a2f3f29c47262e667f75b1139
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Fri Apr 24 19:11:42 2020 +0300

    dmaengine: dmatest: Fix iteration non-stop logic
    
    commit b9f960201249f20deea586b4ec814669b4c6b1c0 upstream.
    
    Under some circumstances, i.e. when test is still running and about to
    time out and user runs, for example,
    
            grep -H . /sys/module/dmatest/parameters/*
    
    the iterations parameter is not respected and test is going on and on until
    user gives
    
            echo 0 > /sys/module/dmatest/parameters/run
    
    This is not what expected.
    
    The history of this bug is interesting. I though that the commit
      2d88ce76eb98 ("dmatest: add a 'wait' parameter")
    is a culprit, but looking closer to the code I think it simple revealed the
    broken logic from the day one, i.e. in the commit
      0a2ff57d6fba ("dmaengine: dmatest: add a maximum number of test iterations")
    which adds iterations parameter.
    
    So, to the point, the conditional of checking the thread to be stopped being
    first part of conjunction logic prevents to check iterations. Thus, we have to
    always check both conditions to be able to stop after given iterations.
    
    Since it wasn't visible before second commit appeared, I add a respective
    Fixes tag.
    
    Fixes: 2d88ce76eb98 ("dmatest: add a 'wait' parameter")
    Cc: Dan Williams <dan.j.williams@intel.com>
    Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20200424161147.16895-1-andriy.shevchenko@linux.intel.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4d6df332cf7c19118f3aafee8c7aa55a8feeac8e
Author: Andreas Gruenbacher <agruenba@redhat.com>
Date:   Mon Apr 20 15:51:47 2020 +0200

    nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl
    
    commit 7648f939cb919b9d15c21fff8cd9eba908d595dc upstream.
    
    nfs3_set_acl keeps track of the acl it allocated locally to determine if an acl
    needs to be released at the end.  This results in a memory leak when the
    function allocates an acl as well as a default acl.  Fix by releasing acls
    that differ from the acl originally passed into nfs3_set_acl.
    
    Fixes: b7fa0554cf1b ("[PATCH] NFS: Add support for NFSv3 ACLs")
    Reported-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
    Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dc4a3585daefe9b188bfc467d27d10477f45d670
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Apr 29 21:02:03 2020 +0200

    ALSA: opti9xx: shut up gcc-10 range warning
    
    commit 5ce00760a84848d008554c693ceb6286f4d9c509 upstream.
    
    gcc-10 points out a few instances of suspicious integer arithmetic
    leading to value truncation:
    
    sound/isa/opti9xx/opti92x-ad1848.c: In function 'snd_opti9xx_configure':
    sound/isa/opti9xx/opti92x-ad1848.c:322:43: error: overflow in conversion from 'int' to 'unsigned char' changes value from '(int)snd_opti9xx_read(chip, 3) & -256 | 240' to '240' [-Werror=overflow]
      322 |   (snd_opti9xx_read(chip, reg) & ~(mask)) | ((value) & (mask)))
          |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~
    sound/isa/opti9xx/opti92x-ad1848.c:351:3: note: in expansion of macro 'snd_opti9xx_write_mask'
      351 |   snd_opti9xx_write_mask(chip, OPTi9XX_MC_REG(3), 0xf0, 0xff);
          |   ^~~~~~~~~~~~~~~~~~~~~~
    sound/isa/opti9xx/miro.c: In function 'snd_miro_configure':
    sound/isa/opti9xx/miro.c:873:40: error: overflow in conversion from 'int' to 'unsigned char' changes value from '(int)snd_miro_read(chip, 3) & -256 | 240' to '240' [-Werror=overflow]
      873 |   (snd_miro_read(chip, reg) & ~(mask)) | ((value) & (mask)))
          |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~
    sound/isa/opti9xx/miro.c:1010:3: note: in expansion of macro 'snd_miro_write_mask'
     1010 |   snd_miro_write_mask(chip, OPTi9XX_MC_REG(3), 0xf0, 0xff);
          |   ^~~~~~~~~~~~~~~~~~~
    
    These are all harmless here as only the low 8 bit are passed down
    anyway. Change the macros to inline functions to make the code
    more readable and also avoid the warning.
    
    Strictly speaking those functions also need locking to make the
    read/write pair atomic, but it seems unlikely that anyone would
    still run into that issue.
    
    Fixes: 1841f613fd2e ("[ALSA] Add snd-miro driver")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Link: https://lore.kernel.org/r/20200429190216.85919-1-arnd@arndb.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 41c978d8d33ba1c9d46161316f17eec0c81a99da
Author: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Date:   Wed Apr 22 08:30:02 2020 -0500

    iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system
    
    commit b74aa02d7a30ee5e262072a7d6e8deff10b37924 upstream.
    
    Currently, system fails to boot because the legacy interrupt remapping
    mode does not enable 128-bit IRTE (GA), which is required for x2APIC
    support.
    
    Fix by using AMD_IOMMU_GUEST_IR_LEGACY_GA mode when booting with
    kernel option amd_iommu_intr=legacy instead. The initialization
    logic will check GASup and automatically fallback to using
    AMD_IOMMU_GUEST_IR_LEGACY if GA mode is not supported.
    
    Fixes: 3928aa3f5775 ("iommu/amd: Detect and enable guest vAPIC support")
    Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
    Link: https://lore.kernel.org/r/1587562202-14183-1-git-send-email-suravee.suthikulpanit@amd.com
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9ecf5561f13fbf1d919ea6c797cffc85ed42f6b9
Author: David Disseldorp <ddiss@suse.de>
Date:   Sun Apr 19 18:31:09 2020 +0200

    scsi: target/iblock: fix WRITE SAME zeroing
    
    commit 1d2ff149b263c9325875726a7804a0c75ef7112e upstream.
    
    SBC4 specifies that WRITE SAME requests with the UNMAP bit set to zero
    "shall perform the specified write operation to each LBA specified by the
    command".  Commit 2237498f0b5c ("target/iblock: Convert WRITE_SAME to
    blkdev_issue_zeroout") modified the iblock backend to call
    blkdev_issue_zeroout() when handling WRITE SAME requests with UNMAP=0 and a
    zero data segment.
    
    The iblock blkdev_issue_zeroout() call incorrectly provides a flags
    parameter of 0 (bool false), instead of BLKDEV_ZERO_NOUNMAP.  The bool
    false parameter reflects the blkdev_issue_zeroout() API prior to commit
    ee472d835c26 ("block: add a flags argument to (__)blkdev_issue_zeroout")
    which was merged shortly before 2237498f0b5c.
    
    Link: https://lore.kernel.org/r/20200419163109.11689-1-ddiss@suse.de
    Fixes: 2237498f0b5c ("target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout")
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: David Disseldorp <ddiss@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ecf93ef5fa40d26e99b48e9f18e18ad6029708bc
Author: Tang Bin <tangbin@cmss.chinamobile.com>
Date:   Sat Apr 18 21:47:03 2020 +0800

    iommu/qcom: Fix local_base status check
    
    commit b52649aee6243ea661905bdc5fbe28cc5f6dec76 upstream.
    
    The function qcom_iommu_device_probe() does not perform sufficient
    error checking after executing devm_ioremap_resource(), which can
    result in crashes if a critical error path is encountered.
    
    Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu")
    Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20200418134703.1760-1-tangbin@cmss.chinamobile.com
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 440e152362d19bb5ffe7ef5677de1107ee9c0989
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Thu Apr 16 15:50:57 2020 -0700

    vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()
    
    commit 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d upstream.
    
    Use follow_pfn() to get the PFN of a PFNMAP VMA instead of assuming that
    vma->vm_pgoff holds the base PFN of the VMA.  This fixes a bug where
    attempting to do VFIO_IOMMU_MAP_DMA on an arbitrary PFNMAP'd region of
    memory calculates garbage for the PFN.
    
    Hilariously, this only got detected because the first "PFN" calculated
    by vaddr_get_pfn() is PFN 0 (vma->vm_pgoff==0), and iommu_iova_to_phys()
    uses PA==0 as an error, which triggers a WARN in vfio_unmap_unpin()
    because the translation "failed".  PFN 0 is now unconditionally reserved
    on x86 in order to mitigate L1TF, which causes is_invalid_reserved_pfn()
    to return true and in turns results in vaddr_get_pfn() returning success
    for PFN 0.  Eventually the bogus calculation runs into PFNs that aren't
    reserved and leads to failure in vfio_pin_map_dma().  The subsequent
    call to vfio_remove_dma() attempts to unmap PFN 0 and WARNs.
    
      WARNING: CPU: 8 PID: 5130 at drivers/vfio/vfio_iommu_type1.c:750 vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1]
      Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio ...
      CPU: 8 PID: 5130 Comm: sgx Tainted: G        W         5.6.0-rc5-705d787c7fee-vfio+ #3
      Hardware name: Intel Corporation Mehlow UP Server Platform/Moss Beach Server, BIOS CNLSE2R1.D00.X119.B49.1803010910 03/01/2018
      RIP: 0010:vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1]
      Code: <0f> 0b 49 81 c5 00 10 00 00 e9 c5 fe ff ff bb 00 10 00 00 e9 3d fe
      RSP: 0018:ffffbeb5039ebda8 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff9a55cbf8d480 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9a52b771c200
      RBP: 0000000000000000 R08: 0000000000000040 R09: 00000000fffffff2
      R10: 0000000000000001 R11: ffff9a51fa896000 R12: 0000000184010000
      R13: 0000000184000000 R14: 0000000000010000 R15: ffff9a55cb66ea08
      FS:  00007f15d3830b40(0000) GS:ffff9a55d5600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000561cf39429e0 CR3: 000000084f75f005 CR4: 00000000003626e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       vfio_remove_dma+0x17/0x70 [vfio_iommu_type1]
       vfio_iommu_type1_ioctl+0x9e3/0xa7b [vfio_iommu_type1]
       ksys_ioctl+0x92/0xb0
       __x64_sys_ioctl+0x16/0x20
       do_syscall_64+0x4c/0x180
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x7f15d04c75d7
      Code: <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48
    
    Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation")
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b4324db6f543504e28643fece393455b6a6f8112
Author: Yan Zhao <yan.y.zhao@intel.com>
Date:   Wed Apr 8 03:12:34 2020 -0400

    vfio: avoid possible overflow in vfio_iommu_type1_pin_pages
    
    commit 0ea971f8dcd6dee78a9a30ea70227cf305f11ff7 upstream.
    
    add parentheses to avoid possible vaddr overflow.
    
    Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices")
    Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 28acd21db599365892cf5910eaeab24e6782032e
Author: Alaa Hleihel <alaa@mellanox.com>
Date:   Mon Apr 13 16:22:35 2020 +0300

    RDMA/mlx4: Initialize ib_spec on the stack
    
    commit c08cfb2d8d78bfe81b37cc6ba84f0875bddd0d5c upstream.
    
    Initialize ib_spec on the stack before using it, otherwise we will have
    garbage values that will break creating default rules with invalid parsing
    error.
    
    Fixes: a37a1a428431 ("IB/mlx4: Add mechanism to support flow steering over IB links")
    Link: https://lore.kernel.org/r/20200413132235.930642-1-leon@kernel.org
    Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
    Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2b6131e8316df2235dc0f63c03008376e027cee8
Author: Aharon Landau <aharonl@mellanox.com>
Date:   Mon Apr 13 16:20:28 2020 +0300

    RDMA/mlx5: Set GRH fields in query QP on RoCE
    
    commit 2d7e3ff7b6f2c614eb21d0dc348957a47eaffb57 upstream.
    
    GRH fields such as sgid_index, hop limit, et. are set in the QP context
    when QP is created/modified.
    
    Currently, when query QP is performed, we fill the GRH fields only if the
    GRH bit is set in the QP context, but this bit is not set for RoCE. Adjust
    the check so we will set all relevant data for the RoCE too.
    
    Since this data is returned to userspace, the below is an ABI regression.
    
    Fixes: d8966fcd4c25 ("IB/core: Use rdma_ah_attr accessor functions")
    Link: https://lore.kernel.org/r/20200413132028.930109-1-leon@kernel.org
    Signed-off-by: Aharon Landau <aharonl@mellanox.com>
    Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 74381a0cf22edda38dbb8cb492ce4d097868b195
Author: Sunwook Eom <speed.eom@samsung.com>
Date:   Fri Apr 10 12:54:19 2020 +0900

    dm verity fec: fix hash block number in verity_fec_decode
    
    commit ad4e80a639fc61d5ecebb03caa5cdbfb91fcebfc upstream.
    
    The error correction data is computed as if data and hash blocks
    were concatenated. But hash block number starts from v->hash_start.
    So, we have to calculate hash block number based on that.
    
    Fixes: a739ff3f543af ("dm verity: add support for forward error correction")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sunwook Eom <speed.eom@samsung.com>
    Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3ad04be60c18651061096d42c5056bb28a5a4ce4
Author: Dexuan Cui <decui@microsoft.com>
Date:   Thu Apr 23 20:40:16 2020 -0700

    PM: hibernate: Freeze kernel threads in software_resume()
    
    commit 2351f8d295ed63393190e39c2f7c1fee1a80578f upstream.
    
    Currently the kernel threads are not frozen in software_resume(), so
    between dpm_suspend_start(PMSG_QUIESCE) and resume_target_kernel(),
    system_freezable_power_efficient_wq can still try to submit SCSI
    commands and this can cause a panic since the low level SCSI driver
    (e.g. hv_storvsc) has quiesced the SCSI adapter and can not accept
    any SCSI commands: https://lkml.org/lkml/2020/4/10/47
    
    At first I posted a fix (https://lkml.org/lkml/2020/4/21/1318) trying
    to resolve the issue from hv_storvsc, but with the help of
    Bart Van Assche, I realized it's better to fix software_resume(),
    since this looks like a generic issue, not only pertaining to SCSI.
    
    Cc: All applicable <stable@vger.kernel.org>
    Signed-off-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 79a3b3bb1cd1df58e2e7fb53f0e82b0ffcba28ab
Author: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date:   Tue Apr 21 15:55:16 2020 +0800

    PM: ACPI: Output correct message on target power state
    
    commit a9b760b0266f563b4784f695bbd0e717610dc10a upstream.
    
    Transitioned power state logged at the end of setting ACPI power.
    
    However, D3cold won't be in the message because state can only be
    D3hot at most.
    
    Use target_state to corretly report when power state is D3cold.
    
    Cc: All applicable <stable@vger.kernel.org>
    Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 55052736ae668518abf01f7c59f5d58af2d07857
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Apr 24 21:33:50 2020 +0200

    ALSA: pcm: oss: Place the plugin buffer overflow checks correctly
    
    commit 4285de0725b1bf73608abbcd35ad7fd3ddc0b61e upstream.
    
    The checks of the plugin buffer overflow in the previous fix by commit
      f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
    are put in the wrong places mistakenly, which leads to the expected
    (repeated) sound when the rate plugin is involved.  Fix in the right
    places.
    
    Also, at those right places, the zero check is needed for the
    termination node, so added there as well, and let's get it done,
    finally.
    
    Fixes: f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200424193350.19678-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7d8378ca26173c0f318adb41fecf39fa66f1684f
Author: Wu Bo <wubo40@huawei.com>
Date:   Sun Apr 26 21:17:22 2020 +0800

    ALSA: hda/hdmi: fix without unlocked before return
    
    commit a2f647240998aa49632fb09b01388fdf2b87acfc upstream.
    
    Fix the following coccicheck warning:
    sound/pci/hda/patch_hdmi.c:1852:2-8: preceding lock on line 1846
    
    After add sanity check to pass klockwork check,
    The spdif_mutex should be unlock before return true
    in check_non_pcm_per_cvt().
    
    Fixes: 960a581e22d9 ("ALSA: hda: fix some klockwork scan warnings")
    Signed-off-by: Wu Bo <wubo40@huawei.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/1587907042-694161-1-git-send-email-wubo40@huawei.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a088316c38b98d1f3e45c6d85e773b130768a909
Author: Hui Wang <hui.wang@canonical.com>
Date:   Mon Apr 27 11:00:39 2020 +0800

    ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter
    
    commit ef0b3203c758b6b8abdb5dca651880347eae6b8c upstream.
    
    This new Lenovo ThinkCenter has two front mics which can't be handled
    by PA so far, so apply the fixup ALC283_FIXUP_HEADSET_MIC to change
    the location for one of the mics.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Hui Wang <hui.wang@canonical.com>
    Link: https://lore.kernel.org/r/20200427030039.10121-1-hui.wang@canonical.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 08e05f4f650703106f91933e50e40f8244dcb6a7
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Wed Apr 22 14:16:29 2020 +0300

    mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers
    
    commit 1a8eb6b373c2af6533c13d1ea11f504e5010ed9a upstream.
    
    BIOS writers have begun the practice of setting 40 ohm eMMC driver strength
    even though the eMMC may not support it, on the assumption that the kernel
    will validate the value against the eMMC (Extended CSD DRIVER_STRENGTH
    [offset 197]) and revert to the default 50 ohm value if 40 ohm is invalid.
    
    This is done to avoid changing the value for different boards.
    
    Putting aside the merits of this approach, it is clear the eMMC's mask
    of supported driver strengths is more reliable than the value provided
    by BIOS. Add validation accordingly.
    
    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Fixes: 51ced59cc02e ("mmc: sdhci-pci: Use ACPI DSM to get driver strength for some Intel devices")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20200422111629.4899-1-adrian.hunter@intel.com
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a923cdf0883a4f4548ec7c940e3473d858f6e9a8
Author: Marek Behún <marek.behun@nic.cz>
Date:   Mon Apr 20 10:04:44 2020 +0200

    mmc: sdhci-xenon: fix annoying 1.8V regulator warning
    
    commit bb32e1987bc55ce1db400faf47d85891da3c9b9f upstream.
    
    For some reason the Host Control2 register of the Xenon SDHCI controller
    sometimes reports the bit representing 1.8V signaling as 0 when read
    after it was written as 1. Subsequent read reports 1.
    
    This causes the sdhci_start_signal_voltage_switch function to report
      1.8V regulator output did not become stable
    
    When CONFIG_PM is enabled, the host is suspended and resumend many
    times, and in each resume the switch to 1.8V is called, and so the
    kernel log reports this message annoyingly often.
    
    Do an empty read of the Host Control2 register in Xenon's
    .voltage_switch method to circumvent this.
    
    This patch fixes this particular problem on Turris MOX.
    
    Signed-off-by: Marek Behún <marek.behun@nic.cz>
    Fixes: 8d876bf472db ("mmc: sdhci-xenon: wait 5ms after set 1.8V...")
    Cc: stable@vger.kernel.org # v4.16+
    Link: https://lore.kernel.org/r/20200420080444.25242-1-marek.behun@nic.cz
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3aaee8e2fe53c59b8c85ed17118b7e795ac6bd99
Author: Filipe Manana <fdmanana@suse.com>
Date:   Thu Apr 23 16:30:53 2020 +0100

    btrfs: fix partial loss of prealloc extent past i_size after fsync
    
    commit f135cea30de5f74d5bfb5116682073841fb4af8f upstream.
    
    When we have an inode with a prealloc extent that starts at an offset
    lower than the i_size and there is another prealloc extent that starts at
    an offset beyond i_size, we can end up losing part of the first prealloc
    extent (the part that starts at i_size) and have an implicit hole if we
    fsync the file and then have a power failure.
    
    Consider the following example with comments explaining how and why it
    happens.
    
      $ mkfs.btrfs -f /dev/sdb
      $ mount /dev/sdb /mnt
    
      # Create our test file with 2 consecutive prealloc extents, each with a
      # size of 128Kb, and covering the range from 0 to 256Kb, with a file
      # size of 0.
      $ xfs_io -f -c "falloc -k 0 128K" /mnt/foo
      $ xfs_io -c "falloc -k 128K 128K" /mnt/foo
    
      # Fsync the file to record both extents in the log tree.
      $ xfs_io -c "fsync" /mnt/foo
    
      # Now do a redudant extent allocation for the range from 0 to 64Kb.
      # This will merely increase the file size from 0 to 64Kb. Instead we
      # could also do a truncate to set the file size to 64Kb.
      $ xfs_io -c "falloc 0 64K" /mnt/foo
    
      # Fsync the file, so we update the inode item in the log tree with the
      # new file size (64Kb). This also ends up setting the number of bytes
      # for the first prealloc extent to 64Kb. This is done by the truncation
      # at btrfs_log_prealloc_extents().
      # This means that if a power failure happens after this, a write into
      # the file range 64Kb to 128Kb will not use the prealloc extent and
      # will result in allocation of a new extent.
      $ xfs_io -c "fsync" /mnt/foo
    
      # Now set the file size to 256K with a truncate and then fsync the file.
      # Since no changes happened to the extents, the fsync only updates the
      # i_size in the inode item at the log tree. This results in an implicit
      # hole for the file range from 64Kb to 128Kb, something which fsck will
      # complain when not using the NO_HOLES feature if we replay the log
      # after a power failure.
      $ xfs_io -c "truncate 256K" -c "fsync" /mnt/foo
    
    So instead of always truncating the log to the inode's current i_size at
    btrfs_log_prealloc_extents(), check first if there's a prealloc extent
    that starts at an offset lower than the i_size and with a length that
    crosses the i_size - if there is one, just make sure we truncate to a
    size that corresponds to the end offset of that prealloc extent, so
    that we don't lose the part of that extent that starts at i_size if a
    power failure happens.
    
    A test case for fstests follows soon.
    
    Fixes: 31d11b83b96f ("Btrfs: fix duplicate extents after fsync of file with prealloc extents")
    CC: stable@vger.kernel.org # 4.14+
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4f7ade415291d187d61f34fd85e925bbd96d1f47
Author: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Date:   Tue Apr 21 10:54:11 2020 +0800

    btrfs: fix block group leak when removing fails
    
    commit f6033c5e333238f299c3ae03fac8cc1365b23b77 upstream.
    
    btrfs_remove_block_group() invokes btrfs_lookup_block_group(), which
    returns a local reference of the block group that contains the given
    bytenr to "block_group" with increased refcount.
    
    When btrfs_remove_block_group() returns, "block_group" becomes invalid,
    so the refcount should be decreased to keep refcount balanced.
    
    The reference counting issue happens in several exception handling paths
    of btrfs_remove_block_group(). When those error scenarios occur such as
    btrfs_alloc_path() returns NULL, the function forgets to decrease its
    refcnt increased by btrfs_lookup_block_group() and will cause a refcnt
    leak.
    
    Fix this issue by jumping to "out_put_group" label and calling
    btrfs_put_block_group() when those error scenarios occur.
    
    CC: stable@vger.kernel.org # 4.4+
    Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
    Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 500a886a3ac7f4d33638ea5375ef70cc89a5805b
Author: Vasily Averin <vvs@virtuozzo.com>
Date:   Wed Apr 29 12:01:24 2020 +0300

    drm/qxl: qxl_release use after free
    
    commit 933db73351d359f74b14f4af095808260aff11f9 upstream.
    
    qxl_release should not be accesses after qxl_push_*_ring_release() calls:
    userspace driver can process submitted command quickly, move qxl_release
    into release_ring, generate interrupt and trigger garbage collector.
    
    It can lead to crashes in qxl driver or trigger memory corruption
    in some kmalloc-192 slab object
    
    Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
    qxl_push_{cursor,command}_ring_release() calls to close that race window.
    
    cc: stable@vger.kernel.org
    Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)")
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    [backported to v4.14-stable]
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1c78ac39f10c375145f872c9a8a7f6e412d21040
Author: Vasily Averin <vvs@virtuozzo.com>
Date:   Mon Apr 27 08:32:51 2020 +0300

    drm/qxl: qxl_release leak in qxl_hw_surface_alloc()
    
    commit a65aa9c3676ffccb21361d52fcfedd5b5ff387d7 upstream.
    
    Cc: stable@vger.kernel.org
    Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations")
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Link: http://patchwork.freedesktop.org/patch/msgid/2e5a13ae-9ab2-5401-aa4d-03d5f5593423@virtuozzo.com
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f4027b733eedca270354c9c0a6704b4eadffa289
Author: Vasily Averin <vvs@virtuozzo.com>
Date:   Mon Apr 27 08:32:46 2020 +0300

    drm/qxl: qxl_release leak in qxl_draw_dirty_fb()
    
    commit 85e9b88af1e6164f19ec71381efd5e2bcfc17620 upstream.
    
    ret should be changed to release allocated struct qxl_release
    
    Cc: stable@vger.kernel.org
    Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations")
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Link: http://patchwork.freedesktop.org/patch/msgid/22cfd55f-07c8-95d0-a2f7-191b7153c3d4@virtuozzo.com
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4ad0ae87d0e5e004a95e150c7df7c4ba5342e454
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Thu Apr 23 18:17:43 2020 +0300

    drm/edid: Fix off-by-one in DispID DTD pixel clock
    
    commit 6292b8efe32e6be408af364132f09572aed14382 upstream.
    
    The DispID DTD pixel clock is documented as:
    "00 00 00 h → FF FF FF h | Pixel clock ÷ 10,000 0.01 → 167,772.16 Mega Pixels per Sec"
    Which seems to imply that we to add one to the raw value.
    
    Reality seems to agree as there are tiled displays in the wild
    which currently show a 10kHz difference in the pixel clock
    between the tiles (one tile gets its mode from the base EDID,
    the other from the DispID block).
    
    Cc: stable@vger.kernel.org
    References: https://gitlab.freedesktop.org/drm/intel/-/issues/27
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200423151743.18767-1-ville.syrjala@linux.intel.com
    Reviewed-by: Manasi Navare <manasi.d.navare@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b4586e02a3457b877a0fd2bc7734112d91d451a6
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Mon Dec 31 22:34:31 2018 -0500

    ext4: fix special inode number checks in __ext4_iget()
    
    commit 191ce17876c9367819c4b0a25b503c0f6d9054d8 upstream.
    
    The check for special (reserved) inode number checks in __ext4_iget()
    was broken by commit 8a363970d1dc: ("ext4: avoid declaring fs
    inconsistent due to invalid file handles").  This was caused by a
    botched reversal of the sense of the flag now known as
    EXT4_IGET_SPECIAL (when it was previously named EXT4_IGET_NORMAL).
    Fix the logic appropriately.
    
    Fixes: 8a363970d1dc ("ext4: avoid declaring fs inconsistent...")
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Cc: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>