add "Fixes:" from mainline for already chosen commits
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/queue/ALSA-hda-realtek-Improved-routing-for-Thinkpad-X1-7t.patch b/queue/ALSA-hda-realtek-Improved-routing-for-Thinkpad-X1-7t.patch
new file mode 100644
index 0000000..44e5c92
--- /dev/null
+++ b/queue/ALSA-hda-realtek-Improved-routing-for-Thinkpad-X1-7t.patch
@@ -0,0 +1,135 @@
+From 6a6660d049f88b89fd9a4b9db3581b245f7782fa Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 3 Sep 2020 10:33:00 +0200
+Subject: [PATCH] ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th
+ Gen
+
+commit 6a6660d049f88b89fd9a4b9db3581b245f7782fa upstream.
+
+There've been quite a few regression reports about the lowered volume
+(reduced to ca 65% from the previous level) on Lenovo Thinkpad X1
+after the commit d2cd795c4ece ("ALSA: hda - fixup for the bass speaker
+on Lenovo Carbon X1 7th gen"). Although the commit itself does the
+right thing from HD-audio POV in order to have a volume control for
+bass speakers, it seems that the machine has some secret recipe under
+the hood.
+
+Through experiments, Benjamin Poirier found out that the following
+routing gives the best result:
+* DAC1 (NID 0x02) -> Speaker pin (NID 0x14)
+* DAC2 (NID 0x03) -> Shared by both Bass Speaker pin (NID 0x17) &
+ Headphone pin (0x21)
+* DAC3 (NID 0x06) -> Unused
+
+DAC1 seems to have some equalizer internally applied, and you'd get
+again the output in a bad quality if you connect this to the
+headphone pin. Hence the headphone is connected to DAC2, which is now
+shared with the bass speaker pin. DAC3 has no volume amp, hence it's
+not connected at all.
+
+For achieving the routing above, this patch introduced a couple of
+workarounds:
+
+* The connection list of bass speaker pin (NID 0x17) is reduced not to
+ include DAC3 (NID 0x06)
+* Pass preferred_pairs array to specify the fixed connection
+
+Here, both workarounds are needed because the generic parser prefers
+the individual DAC assignment over others.
+
+When the routing above is applied, the generic parser creates the two
+volume controls "Front" and "Bass Speaker". Since we have only two
+DACs for three output pins, those are not fully controlling each
+output individually, and it would confuse PulseAudio. For avoiding
+the pitfall, in this patch, we rename those volume controls to some
+unique ones ("DAC1" and "DAC2"). Then PulseAudio ignore them and
+concentrate only on the still good-working "Master" volume control.
+If a user still wants to control each DAC volume, they can still
+change manually via "DAC1" and "DAC2" volume controls.
+
+Fixes: d2cd795c4ece ("ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen")
+Reported-by: Benjamin Poirier <benjamin.poirier@gmail.com>
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Tested-by: Benjamin Poirier <benjamin.poirier@gmail.com>
+Cc: <stable@vger.kernel.org>
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207407#c10
+BugLink: https://gist.github.com/hamidzr/dd81e429dc86f4327ded7a2030e7d7d9#gistcomment-3214171
+BugLink: https://gist.github.com/hamidzr/dd81e429dc86f4327ded7a2030e7d7d9#gistcomment-3276276
+Link: https://lore/kernel.org/r/20200829112746.3118-1-benjamin.poirier@gmail.com
+Link: https://lore.kernel.org/r/20200903083300.6333-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 2ef8b080d84b..c521a1f17096 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5868,6 +5868,39 @@ static void alc275_fixup_gpio4_off(struct hda_codec *codec,
+ }
+ }
+
++/* Quirk for Thinkpad X1 7th and 8th Gen
++ * The following fixed routing needed
++ * DAC1 (NID 0x02) -> Speaker (NID 0x14); some eq applied secretly
++ * DAC2 (NID 0x03) -> Bass (NID 0x17) & Headphone (NID 0x21); sharing a DAC
++ * DAC3 (NID 0x06) -> Unused, due to the lack of volume amp
++ */
++static void alc285_fixup_thinkpad_x1_gen7(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ static const hda_nid_t conn[] = { 0x02, 0x03 }; /* exclude 0x06 */
++ static const hda_nid_t preferred_pairs[] = {
++ 0x14, 0x02, 0x17, 0x03, 0x21, 0x03, 0
++ };
++ struct alc_spec *spec = codec->spec;
++
++ switch (action) {
++ case HDA_FIXUP_ACT_PRE_PROBE:
++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);
++ spec->gen.preferred_dacs = preferred_pairs;
++ break;
++ case HDA_FIXUP_ACT_BUILD:
++ /* The generic parser creates somewhat unintuitive volume ctls
++ * with the fixed routing above, and the shared DAC2 may be
++ * confusing for PA.
++ * Rename those to unique names so that PA doesn't touch them
++ * and use only Master volume.
++ */
++ rename_ctl(codec, "Front Playback Volume", "DAC1 Playback Volume");
++ rename_ctl(codec, "Bass Speaker Playback Volume", "DAC2 Playback Volume");
++ break;
++ }
++}
++
+ static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec,
+ const struct hda_fixup *fix,
+ int action)
+@@ -6136,6 +6169,7 @@ enum {
+ ALC289_FIXUP_DUAL_SPK,
+ ALC294_FIXUP_SPK2_TO_DAC1,
+ ALC294_FIXUP_ASUS_DUAL_SPK,
++ ALC285_FIXUP_THINKPAD_X1_GEN7,
+ ALC285_FIXUP_THINKPAD_HEADSET_JACK,
+ ALC294_FIXUP_ASUS_HPE,
+ ALC294_FIXUP_ASUS_COEF_1B,
+@@ -7281,11 +7315,17 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC294_FIXUP_SPK2_TO_DAC1
+ },
++ [ALC285_FIXUP_THINKPAD_X1_GEN7] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_thinkpad_x1_gen7,
++ .chained = true,
++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI
++ },
+ [ALC285_FIXUP_THINKPAD_HEADSET_JACK] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_headset_jack,
+ .chained = true,
+- .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1
++ .chain_id = ALC285_FIXUP_THINKPAD_X1_GEN7
+ },
+ [ALC294_FIXUP_ASUS_HPE] = {
+ .type = HDA_FIXUP_VERBS,
+--
+2.27.0
+
diff --git a/queue/RDMA-mlx4-Read-pkey-table-length-instead-of-hardcode.patch b/queue/RDMA-mlx4-Read-pkey-table-length-instead-of-hardcode.patch
new file mode 100644
index 0000000..ba6f1a5
--- /dev/null
+++ b/queue/RDMA-mlx4-Read-pkey-table-length-instead-of-hardcode.patch
@@ -0,0 +1,41 @@
+From ec78b3bd66bc9a015505df0ef0eb153d9e64b03b Mon Sep 17 00:00:00 2001
+From: Mark Bloch <markb@mellanox.com>
+Date: Mon, 24 Aug 2020 14:02:29 +0300
+Subject: [PATCH] RDMA/mlx4: Read pkey table length instead of hardcoded value
+
+commit ec78b3bd66bc9a015505df0ef0eb153d9e64b03b upstream.
+
+If the pkey_table is not available (which is the case when RoCE is not
+supported), the cited commit caused a regression where mlx4_devices
+without RoCE are not created.
+
+Fix this by returning a pkey table length of zero in procedure
+eth_link_query_port() if the pkey-table length reported by the device is
+zero.
+
+Link: https://lore.kernel.org/r/20200824110229.1094376-1-leon@kernel.org
+Cc: <stable@vger.kernel.org>
+Fixes: 1901b91f9982 ("IB/core: Fix potential NULL pointer dereference in pkey cache")
+Fixes: fa417f7b520e ("IB/mlx4: Add support for IBoE")
+Signed-off-by: Mark Bloch <markb@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+
+diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
+index 5e7910a517da..bd4f975e7f9a 100644
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -784,7 +784,8 @@ static int eth_link_query_port(struct ib_device *ibdev, u8 port,
+ props->ip_gids = true;
+ props->gid_tbl_len = mdev->dev->caps.gid_table_len[port];
+ props->max_msg_sz = mdev->dev->caps.max_msg_sz;
+- props->pkey_tbl_len = 1;
++ if (mdev->dev->caps.pkey_table_len[port])
++ props->pkey_tbl_len = 1;
+ props->max_mtu = IB_MTU_4096;
+ props->max_vl_num = 2;
+ props->state = IB_PORT_DOWN;
+--
+2.27.0
+
diff --git a/queue/block-Set-same_page-to-false-in-__bio_try_merge_page.patch b/queue/block-Set-same_page-to-false-in-__bio_try_merge_page.patch
new file mode 100644
index 0000000..dcb7143
--- /dev/null
+++ b/queue/block-Set-same_page-to-false-in-__bio_try_merge_page.patch
@@ -0,0 +1,60 @@
+From 2cd896a5e86fc326bda8614b96c0401dcc145868 Mon Sep 17 00:00:00 2001
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+Date: Wed, 9 Sep 2020 08:44:25 +0530
+Subject: [PATCH] block: Set same_page to false in __bio_try_merge_page if ret
+ is false
+
+commit 2cd896a5e86fc326bda8614b96c0401dcc145868 upstream.
+
+If we hit the UINT_MAX limit of bio->bi_iter.bi_size and so we are anyway
+not merging this page in this bio, then it make sense to make same_page
+also as false before returning.
+
+Without this patch, we hit below WARNING in iomap.
+This mostly happens with very large memory system and / or after tweaking
+vm dirty threshold params to delay writeback of dirty data.
+
+WARNING: CPU: 18 PID: 5130 at fs/iomap/buffered-io.c:74 iomap_page_release+0x120/0x150
+ CPU: 18 PID: 5130 Comm: fio Kdump: loaded Tainted: G W 5.8.0-rc3 #6
+ Call Trace:
+ __remove_mapping+0x154/0x320 (unreliable)
+ iomap_releasepage+0x80/0x180
+ try_to_release_page+0x94/0xe0
+ invalidate_inode_page+0xc8/0x110
+ invalidate_mapping_pages+0x1dc/0x540
+ generic_fadvise+0x3c8/0x450
+ xfs_file_fadvise+0x2c/0xe0 [xfs]
+ vfs_fadvise+0x3c/0x60
+ ksys_fadvise64_64+0x68/0xe0
+ sys_fadvise64+0x28/0x40
+ system_call_exception+0xf8/0x1c0
+ system_call_common+0xf0/0x278
+
+Fixes: cc90bc68422 ("block: fix "check bi_size overflow before merge"")
+Reported-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
+Suggested-by: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+diff --git a/block/bio.c b/block/bio.c
+index a9931f23d933..e865ea55b9f9 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -879,8 +879,10 @@ bool __bio_try_merge_page(struct bio *bio, struct page *page,
+ struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt - 1];
+
+ if (page_is_mergeable(bv, page, len, off, same_page)) {
+- if (bio->bi_iter.bi_size > UINT_MAX - len)
++ if (bio->bi_iter.bi_size > UINT_MAX - len) {
++ *same_page = false;
+ return false;
++ }
+ bv->bv_len += len;
+ bio->bi_iter.bi_size += len;
+ return true;
+--
+2.27.0
+
diff --git a/queue/crypto-af_alg-Fix-regression-on-empty-requests.patch b/queue/crypto-af_alg-Fix-regression-on-empty-requests.patch
new file mode 100644
index 0000000..4542ff8
--- /dev/null
+++ b/queue/crypto-af_alg-Fix-regression-on-empty-requests.patch
@@ -0,0 +1,42 @@
+From 662bb52f50bca16a74fe92b487a14d7dccb85e1a Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 2 Jul 2020 13:32:21 +1000
+Subject: [PATCH] crypto: af_alg - Fix regression on empty requests
+
+commit 662bb52f50bca16a74fe92b487a14d7dccb85e1a upstream.
+
+Some user-space programs rely on crypto requests that have no
+control metadata. This broke when a check was added to require
+the presence of control metadata with the ctx->init flag.
+
+This patch fixes the regression by setting ctx->init as long as
+one sendmsg(2) has been made, with or without a control message.
+
+Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Fixes: f3c802a1f300 ("crypto: algif_aead - Only wake up when...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 9fcb91ea10c4..5882ed46f1ad 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -851,6 +851,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ err = -EINVAL;
+ goto unlock;
+ }
++ ctx->init = true;
+
+ if (init) {
+ ctx->enc = enc;
+@@ -858,7 +859,6 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ memcpy(ctx->iv, con.iv->iv, ivsize);
+
+ ctx->aead_assoclen = con.aead_assoclen;
+- ctx->init = true;
+ }
+
+ while (size) {
+--
+2.27.0
+
diff --git a/queue/crypto-af_alg-Work-around-empty-control-messages-wit.patch b/queue/crypto-af_alg-Work-around-empty-control-messages-wit.patch
new file mode 100644
index 0000000..5eb48bf
--- /dev/null
+++ b/queue/crypto-af_alg-Work-around-empty-control-messages-wit.patch
@@ -0,0 +1,63 @@
+From c195d66a8a75c60515819b101975f38b7ec6577f Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 27 Aug 2020 17:14:36 +1000
+Subject: [PATCH] crypto: af_alg - Work around empty control messages without
+ MSG_MORE
+
+commit c195d66a8a75c60515819b101975f38b7ec6577f upstream.
+
+The iwd daemon uses libell which sets up the skcipher operation with
+two separate control messages. As the first control message is sent
+without MSG_MORE, it is interpreted as an empty request.
+
+While libell should be fixed to use MSG_MORE where appropriate, this
+patch works around the bug in the kernel so that existing binaries
+continue to work.
+
+We will print a warning however.
+
+A separate issue is that the new kernel code no longer allows the
+control message to be sent twice within the same request. This
+restriction is obviously incompatible with what iwd was doing (first
+setting an IV and then sending the real control message). This
+patch changes the kernel so that this is explicitly allowed.
+
+Reported-by: Caleb Jorden <caljorden@hotmail.com>
+Fixes: f3c802a1f300 ("crypto: algif_aead - Only wake up when...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index a6f581ab200c..8be8bec07cdd 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -16,6 +16,7 @@
+ #include <linux/module.h>
+ #include <linux/net.h>
+ #include <linux/rwsem.h>
++#include <linux/sched.h>
+ #include <linux/sched/signal.h>
+ #include <linux/security.h>
+
+@@ -845,9 +846,15 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ }
+
+ lock_sock(sk);
+- if (ctx->init && (init || !ctx->more)) {
+- err = -EINVAL;
+- goto unlock;
++ if (ctx->init && !ctx->more) {
++ if (ctx->used) {
++ err = -EINVAL;
++ goto unlock;
++ }
++
++ pr_info_once(
++ "%s sent an empty control message without MSG_MORE.\n",
++ current->comm);
+ }
+ ctx->init = true;
+
+--
+2.27.0
+
diff --git a/queue/crypto-algif_aead-fix-uninitialized-ctx-init.patch b/queue/crypto-algif_aead-fix-uninitialized-ctx-init.patch
new file mode 100644
index 0000000..0e39786
--- /dev/null
+++ b/queue/crypto-algif_aead-fix-uninitialized-ctx-init.patch
@@ -0,0 +1,73 @@
+From 21dfbcd1f5cbff9cf2f9e7e43475aed8d072b0dd Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 12 Aug 2020 14:58:25 +0200
+Subject: [PATCH] crypto: algif_aead - fix uninitialized ctx->init
+
+commit 21dfbcd1f5cbff9cf2f9e7e43475aed8d072b0dd upstream.
+
+In skcipher_accept_parent_nokey() the whole af_alg_ctx structure is
+cleared by memset() after allocation, so add such memset() also to
+aead_accept_parent_nokey() so that the new "init" field is also
+initialized to zero. Without that the initial ctx->init checks might
+randomly return true and cause errors.
+
+While there, also remove the redundant zero assignments in both
+functions.
+
+Found via libkcapi testsuite.
+
+Cc: Stephan Mueller <smueller@chronox.de>
+Fixes: f3c802a1f300 ("crypto: algif_aead - Only wake up when ctx->more is zero")
+Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index d48d2156e621..43c6aa784858 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -558,12 +558,6 @@ static int aead_accept_parent_nokey(void *private, struct sock *sk)
+
+ INIT_LIST_HEAD(&ctx->tsgl_list);
+ ctx->len = len;
+- ctx->used = 0;
+- atomic_set(&ctx->rcvused, 0);
+- ctx->more = 0;
+- ctx->merge = 0;
+- ctx->enc = 0;
+- ctx->aead_assoclen = 0;
+ crypto_init_wait(&ctx->wait);
+
+ ask->private = ctx;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index a51ba22fef58..81c4022285a7 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -333,6 +333,7 @@ static int skcipher_accept_parent_nokey(void *private, struct sock *sk)
+ ctx = sock_kmalloc(sk, len, GFP_KERNEL);
+ if (!ctx)
+ return -ENOMEM;
++ memset(ctx, 0, len);
+
+ ctx->iv = sock_kmalloc(sk, crypto_skcipher_ivsize(tfm),
+ GFP_KERNEL);
+@@ -340,16 +341,10 @@ static int skcipher_accept_parent_nokey(void *private, struct sock *sk)
+ sock_kfree_s(sk, ctx, len);
+ return -ENOMEM;
+ }
+-
+ memset(ctx->iv, 0, crypto_skcipher_ivsize(tfm));
+
+ INIT_LIST_HEAD(&ctx->tsgl_list);
+ ctx->len = len;
+- ctx->used = 0;
+- atomic_set(&ctx->rcvused, 0);
+- ctx->more = 0;
+- ctx->merge = 0;
+- ctx->enc = 0;
+ crypto_init_wait(&ctx->wait);
+
+ ask->private = ctx;
+--
+2.27.0
+
diff --git a/queue/debugfs-Fix-module-state-check-condition.patch b/queue/debugfs-Fix-module-state-check-condition.patch
new file mode 100644
index 0000000..86d9994
--- /dev/null
+++ b/queue/debugfs-Fix-module-state-check-condition.patch
@@ -0,0 +1,42 @@
+From e3b9fc7eec55e6fdc8beeed18f2ed207086341e2 Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Tue, 11 Aug 2020 17:01:29 +0200
+Subject: [PATCH] debugfs: Fix module state check condition
+
+commit e3b9fc7eec55e6fdc8beeed18f2ed207086341e2 upstream.
+
+The '#ifdef MODULE' check in the original commit does not work as intended.
+The code under the check is not built at all if CONFIG_DEBUG_FS=y. Fix this
+by using a correct check.
+
+Fixes: 275678e7a9be ("debugfs: Check module state before warning in {full/open}_proxy_open()")
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200811150129.53343-1-vdronov@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index b167d2d02148..a768a09430c3 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -177,7 +177,7 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
+ goto out;
+
+ if (!fops_get(real_fops)) {
+-#ifdef MODULE
++#ifdef CONFIG_MODULES
+ if (real_fops->owner &&
+ real_fops->owner->state == MODULE_STATE_GOING)
+ goto out;
+@@ -312,7 +312,7 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+ goto out;
+
+ if (!fops_get(real_fops)) {
+-#ifdef MODULE
++#ifdef CONFIG_MODULES
+ if (real_fops->owner &&
+ real_fops->owner->state == MODULE_STATE_GOING)
+ goto out;
+--
+2.27.0
+
diff --git a/queue/kprobes-Fix-compiler-warning-for-CONFIG_KPROBES_ON_F.patch b/queue/kprobes-Fix-compiler-warning-for-CONFIG_KPROBES_ON_F.patch
new file mode 100644
index 0000000..5fbbc6c
--- /dev/null
+++ b/queue/kprobes-Fix-compiler-warning-for-CONFIG_KPROBES_ON_F.patch
@@ -0,0 +1,59 @@
+From 10de795a5addd1962406796a6e13ba6cc0fc6bee Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Thu, 6 Aug 2020 01:20:46 +0800
+Subject: [PATCH] kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE
+
+commit 10de795a5addd1962406796a6e13ba6cc0fc6bee upstream.
+
+Fix compiler warning(as show below) for !CONFIG_KPROBES_ON_FTRACE.
+
+kernel/kprobes.c: In function 'kill_kprobe':
+kernel/kprobes.c:1116:33: warning: statement with no effect
+[-Wunused-value]
+ 1116 | #define disarm_kprobe_ftrace(p) (-ENODEV)
+ | ^
+kernel/kprobes.c:2154:3: note: in expansion of macro
+'disarm_kprobe_ftrace'
+ 2154 | disarm_kprobe_ftrace(p);
+
+Link: https://lore.kernel.org/r/20200805142136.0331f7ea@canb.auug.org.au
+Link: https://lkml.kernel.org/r/20200805172046.19066-1-songmuchun@bytedance.com
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Fixes: 0cb2f1372baa ("kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index 07bf03fcf574..66d14107968d 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1079,9 +1079,20 @@ static int disarm_kprobe_ftrace(struct kprobe *p)
+ ipmodify ? &kprobe_ipmodify_enabled : &kprobe_ftrace_enabled);
+ }
+ #else /* !CONFIG_KPROBES_ON_FTRACE */
+-#define prepare_kprobe(p) arch_prepare_kprobe(p)
+-#define arm_kprobe_ftrace(p) (-ENODEV)
+-#define disarm_kprobe_ftrace(p) (-ENODEV)
++static inline int prepare_kprobe(struct kprobe *p)
++{
++ return arch_prepare_kprobe(p);
++}
++
++static inline int arm_kprobe_ftrace(struct kprobe *p)
++{
++ return -ENODEV;
++}
++
++static inline int disarm_kprobe_ftrace(struct kprobe *p)
++{
++ return -ENODEV;
++}
+ #endif
+
+ /* Arm a kprobe with text_mutex */
+--
+2.27.0
+
diff --git a/queue/mm-madvise-fix-vma-user-after-free.patch b/queue/mm-madvise-fix-vma-user-after-free.patch
new file mode 100644
index 0000000..33213ac
--- /dev/null
+++ b/queue/mm-madvise-fix-vma-user-after-free.patch
@@ -0,0 +1,88 @@
+From 7867fd7cc44e63c6673cd0f8fea155456d34d0de Mon Sep 17 00:00:00 2001
+From: Yang Shi <shy828301@gmail.com>
+Date: Fri, 4 Sep 2020 16:35:55 -0700
+Subject: [PATCH] mm: madvise: fix vma user-after-free
+
+commit 7867fd7cc44e63c6673cd0f8fea155456d34d0de upstream.
+
+The syzbot reported the below use-after-free:
+
+ BUG: KASAN: use-after-free in madvise_willneed mm/madvise.c:293 [inline]
+ BUG: KASAN: use-after-free in madvise_vma mm/madvise.c:942 [inline]
+ BUG: KASAN: use-after-free in do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145
+ Read of size 8 at addr ffff8880a6163eb0 by task syz-executor.0/9996
+
+ CPU: 0 PID: 9996 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x18f/0x20d lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ madvise_willneed mm/madvise.c:293 [inline]
+ madvise_vma mm/madvise.c:942 [inline]
+ do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145
+ do_madvise mm/madvise.c:1169 [inline]
+ __do_sys_madvise mm/madvise.c:1171 [inline]
+ __se_sys_madvise mm/madvise.c:1169 [inline]
+ __x64_sys_madvise+0xd9/0x110 mm/madvise.c:1169
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ Allocated by task 9992:
+ kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482
+ vm_area_alloc+0x1c/0x110 kernel/fork.c:347
+ mmap_region+0x8e5/0x1780 mm/mmap.c:1743
+ do_mmap+0xcf9/0x11d0 mm/mmap.c:1545
+ vm_mmap_pgoff+0x195/0x200 mm/util.c:506
+ ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ Freed by task 9992:
+ kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693
+ remove_vma+0x132/0x170 mm/mmap.c:184
+ remove_vma_list mm/mmap.c:2613 [inline]
+ __do_munmap+0x743/0x1170 mm/mmap.c:2869
+ do_munmap mm/mmap.c:2877 [inline]
+ mmap_region+0x257/0x1780 mm/mmap.c:1716
+ do_mmap+0xcf9/0x11d0 mm/mmap.c:1545
+ vm_mmap_pgoff+0x195/0x200 mm/util.c:506
+ ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+It is because vma is accessed after releasing mmap_lock, but someone
+else acquired the mmap_lock and the vma is gone.
+
+Releasing mmap_lock after accessing vma should fix the problem.
+
+Fixes: 692fe62433d4c ("mm: Handle MADV_WILLNEED through vfs_fadvise()")
+Reported-by: syzbot+b90df26038d1d5d85c97@syzkaller.appspotmail.com
+Signed-off-by: Yang Shi <shy828301@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: <stable@vger.kernel.org> [5.4+]
+Link: https://lkml.kernel.org/r/20200816141204.162624-1-shy828301@gmail.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/mm/madvise.c b/mm/madvise.c
+index dd1d43cf026d..d4aa5f776543 100644
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -289,9 +289,9 @@ static long madvise_willneed(struct vm_area_struct *vma,
+ */
+ *prev = NULL; /* tell sys_madvise we drop mmap_lock */
+ get_file(file);
+- mmap_read_unlock(current->mm);
+ offset = (loff_t)(start - vma->vm_start)
+ + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
++ mmap_read_unlock(current->mm);
+ vfs_fadvise(file, offset, end - start, POSIX_FADV_WILLNEED);
+ fput(file);
+ mmap_read_lock(current->mm);
+--
+2.27.0
+
diff --git a/queue/mm-slub-fix-conversion-of-freelist_corrupted.patch b/queue/mm-slub-fix-conversion-of-freelist_corrupted.patch
new file mode 100644
index 0000000..f649ba0
--- /dev/null
+++ b/queue/mm-slub-fix-conversion-of-freelist_corrupted.patch
@@ -0,0 +1,74 @@
+From dc07a728d49cf025f5da2c31add438d839d076c0 Mon Sep 17 00:00:00 2001
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+Date: Fri, 4 Sep 2020 16:35:30 -0700
+Subject: [PATCH] mm: slub: fix conversion of freelist_corrupted()
+
+commit dc07a728d49cf025f5da2c31add438d839d076c0 upstream.
+
+Commit 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in
+deactivate_slab()") suffered an update when picked up from LKML [1].
+
+Specifically, relocating 'freelist = NULL' into 'freelist_corrupted()'
+created a no-op statement. Fix it by sticking to the behavior intended
+in the original patch [1]. In addition, make freelist_corrupted()
+immune to passing NULL instead of &freelist.
+
+The issue has been spotted via static analysis and code review.
+
+[1] https://lore.kernel.org/linux-mm/20200331031450.12182-1-dongli.zhang@oracle.com/
+
+Fixes: 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in deactivate_slab()")
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dongli Zhang <dongli.zhang@oracle.com>
+Cc: Joe Jin <joe.jin@oracle.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20200824130643.10291-1-erosca@de.adit-jv.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 68c02b2eecd9..d4177aecedf6 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -672,12 +672,12 @@ static void slab_fix(struct kmem_cache *s, char *fmt, ...)
+ }
+
+ static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
+- void *freelist, void *nextfree)
++ void **freelist, void *nextfree)
+ {
+ if ((s->flags & SLAB_CONSISTENCY_CHECKS) &&
+- !check_valid_pointer(s, page, nextfree)) {
+- object_err(s, page, freelist, "Freechain corrupt");
+- freelist = NULL;
++ !check_valid_pointer(s, page, nextfree) && freelist) {
++ object_err(s, page, *freelist, "Freechain corrupt");
++ *freelist = NULL;
+ slab_fix(s, "Isolate corrupted freechain");
+ return true;
+ }
+@@ -1494,7 +1494,7 @@ static inline void dec_slabs_node(struct kmem_cache *s, int node,
+ int objects) {}
+
+ static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
+- void *freelist, void *nextfree)
++ void **freelist, void *nextfree)
+ {
+ return false;
+ }
+@@ -2184,7 +2184,7 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page,
+ * 'freelist' is already corrupted. So isolate all objects
+ * starting at 'freelist'.
+ */
+- if (freelist_corrupted(s, page, freelist, nextfree))
++ if (freelist_corrupted(s, page, &freelist, nextfree))
+ break;
+
+ do {
+--
+2.27.0
+
diff --git a/queue/rxrpc-Make-rxrpc_kernel_get_srtt-indicate-validity.patch b/queue/rxrpc-Make-rxrpc_kernel_get_srtt-indicate-validity.patch
new file mode 100644
index 0000000..6d6e1d8
--- /dev/null
+++ b/queue/rxrpc-Make-rxrpc_kernel_get_srtt-indicate-validity.patch
@@ -0,0 +1,89 @@
+From 1d4adfaf65746203861c72d9d78de349eb97d528 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 20 Aug 2020 15:13:00 +0100
+Subject: [PATCH] rxrpc: Make rxrpc_kernel_get_srtt() indicate validity
+
+commit 1d4adfaf65746203861c72d9d78de349eb97d528 upstream.
+
+Fix rxrpc_kernel_get_srtt() to indicate the validity of the returned
+smoothed RTT. If we haven't had any valid samples yet, the SRTT isn't
+useful.
+
+Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout")
+Signed-off-by: David Howells <dhowells@redhat.com>
+
+diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c
+index 5d9ef517cf81..e7e98ad63a91 100644
+--- a/fs/afs/fs_probe.c
++++ b/fs/afs/fs_probe.c
+@@ -161,8 +161,8 @@ void afs_fileserver_probe_result(struct afs_call *call)
+ }
+ }
+
+- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall);
+- if (rtt_us < server->probe.rtt) {
++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) &&
++ rtt_us < server->probe.rtt) {
+ server->probe.rtt = rtt_us;
+ server->rtt = rtt_us;
+ alist->preferred = index;
+diff --git a/fs/afs/vl_probe.c b/fs/afs/vl_probe.c
+index e3aa013c2177..081b7e5b13f5 100644
+--- a/fs/afs/vl_probe.c
++++ b/fs/afs/vl_probe.c
+@@ -92,8 +92,8 @@ void afs_vlserver_probe_result(struct afs_call *call)
+ }
+ }
+
+- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall);
+- if (rtt_us < server->probe.rtt) {
++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) &&
++ rtt_us < server->probe.rtt) {
+ server->probe.rtt = rtt_us;
+ alist->preferred = index;
+ have_result = true;
+diff --git a/include/net/af_rxrpc.h b/include/net/af_rxrpc.h
+index 91eacbdcf33d..f6abcc0bbd6e 100644
+--- a/include/net/af_rxrpc.h
++++ b/include/net/af_rxrpc.h
+@@ -59,7 +59,7 @@ bool rxrpc_kernel_abort_call(struct socket *, struct rxrpc_call *,
+ void rxrpc_kernel_end_call(struct socket *, struct rxrpc_call *);
+ void rxrpc_kernel_get_peer(struct socket *, struct rxrpc_call *,
+ struct sockaddr_rxrpc *);
+-u32 rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *);
++bool rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *, u32 *);
+ int rxrpc_kernel_charge_accept(struct socket *, rxrpc_notify_rx_t,
+ rxrpc_user_attach_call_t, unsigned long, gfp_t,
+ unsigned int);
+diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
+index ca29976bb193..68396d052052 100644
+--- a/net/rxrpc/peer_object.c
++++ b/net/rxrpc/peer_object.c
+@@ -502,11 +502,21 @@ EXPORT_SYMBOL(rxrpc_kernel_get_peer);
+ * rxrpc_kernel_get_srtt - Get a call's peer smoothed RTT
+ * @sock: The socket on which the call is in progress.
+ * @call: The call to query
++ * @_srtt: Where to store the SRTT value.
+ *
+- * Get the call's peer smoothed RTT.
++ * Get the call's peer smoothed RTT in uS.
+ */
+-u32 rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call)
++bool rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call,
++ u32 *_srtt)
+ {
+- return call->peer->srtt_us >> 3;
++ struct rxrpc_peer *peer = call->peer;
++
++ if (peer->rtt_count == 0) {
++ *_srtt = 1000000; /* 1S */
++ return false;
++ }
++
++ *_srtt = call->peer->srtt_us >> 3;
++ return true;
+ }
+ EXPORT_SYMBOL(rxrpc_kernel_get_srtt);
+--
+2.27.0
+
diff --git a/queue/series b/queue/series
index 5a29ca0..45779d4 100644
--- a/queue/series
+++ b/queue/series
@@ -112,3 +112,15 @@
regulator-push-allocation-in-regulator_init_coupling.patch
selftests-timers-Turn-off-timeout-setting.patch
staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_.patch
+ALSA-hda-realtek-Improved-routing-for-Thinkpad-X1-7t.patch
+RDMA-mlx4-Read-pkey-table-length-instead-of-hardcode.patch
+block-Set-same_page-to-false-in-__bio_try_merge_page.patch
+crypto-af_alg-Fix-regression-on-empty-requests.patch
+crypto-af_alg-Work-around-empty-control-messages-wit.patch
+crypto-algif_aead-fix-uninitialized-ctx-init.patch
+debugfs-Fix-module-state-check-condition.patch
+kprobes-Fix-compiler-warning-for-CONFIG_KPROBES_ON_F.patch
+mm-madvise-fix-vma-user-after-free.patch
+mm-slub-fix-conversion-of-freelist_corrupted.patch
+rxrpc-Make-rxrpc_kernel_get_srtt-indicate-validity.patch
+tools-build-feature-Quote-CC-and-CXX-for-their-argum.patch
diff --git a/queue/tools-build-feature-Quote-CC-and-CXX-for-their-argum.patch b/queue/tools-build-feature-Quote-CC-and-CXX-for-their-argum.patch
new file mode 100644
index 0000000..60d2971
--- /dev/null
+++ b/queue/tools-build-feature-Quote-CC-and-CXX-for-their-argum.patch
@@ -0,0 +1,87 @@
+From fa5c893181ed2ca2f96552f50073786d2cfce6c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20D=C3=ADaz?= <daniel.diaz@linaro.org>
+Date: Wed, 12 Aug 2020 17:15:17 -0500
+Subject: [PATCH] tools build feature: Quote CC and CXX for their arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit fa5c893181ed2ca2f96552f50073786d2cfce6c0 upstream.
+
+When using a cross-compilation environment, such as OpenEmbedded,
+the CC an CXX variables are set to something more than just a
+command: there are arguments (such as --sysroot) that need to be
+passed on to the compiler so that the right set of headers and
+libraries are used.
+
+For the particular case that our systems detected, CC is set to
+the following:
+
+ export CC="aarch64-linaro-linux-gcc --sysroot=/oe/build/tmp/work/machine/perf/1.0-r9/recipe-sysroot"
+
+Without quotes, detection is as follows:
+
+ Auto-detecting system features:
+ ... dwarf: [ OFF ]
+ ... dwarf_getlocations: [ OFF ]
+ ... glibc: [ OFF ]
+ ... gtk2: [ OFF ]
+ ... libbfd: [ OFF ]
+ ... libcap: [ OFF ]
+ ... libelf: [ OFF ]
+ ... libnuma: [ OFF ]
+ ... numa_num_possible_cpus: [ OFF ]
+ ... libperl: [ OFF ]
+ ... libpython: [ OFF ]
+ ... libcrypto: [ OFF ]
+ ... libunwind: [ OFF ]
+ ... libdw-dwarf-unwind: [ OFF ]
+ ... zlib: [ OFF ]
+ ... lzma: [ OFF ]
+ ... get_cpuid: [ OFF ]
+ ... bpf: [ OFF ]
+ ... libaio: [ OFF ]
+ ... libzstd: [ OFF ]
+ ... disassembler-four-args: [ OFF ]
+
+ Makefile.config:414: *** No gnu/libc-version.h found, please install glibc-dev[el]. Stop.
+ Makefile.perf:230: recipe for target 'sub-make' failed
+ make[1]: *** [sub-make] Error 2
+ Makefile:69: recipe for target 'all' failed
+ make: *** [all] Error 2
+
+With CC and CXX quoted, some of those features are now detected.
+
+Fixes: e3232c2f39ac ("tools build feature: Use CC and CXX from parent")
+Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
+Reviewed-by: Thomas Hebb <tommyhebb@gmail.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: KP Singh <kpsingh@chromium.org>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Yonghong Song <yhs@fb.com>
+Link: http://lore.kernel.org/lkml/20200812221518.2869003-1-daniel.diaz@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+diff --git a/tools/build/Makefile.feature b/tools/build/Makefile.feature
+index 774f0b0ca28a..e7818b44b48e 100644
+--- a/tools/build/Makefile.feature
++++ b/tools/build/Makefile.feature
+@@ -8,7 +8,7 @@ endif
+
+ feature_check = $(eval $(feature_check_code))
+ define feature_check_code
+- feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CC=$(CC) CXX=$(CXX) CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0)
++ feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CC="$(CC)" CXX="$(CXX)" CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0)
+ endef
+
+ feature_set = $(eval $(feature_set_code))
+--
+2.27.0
+
