Updated to 5.6.3

6 files changed, 69 insertions, 324 deletions

diff --git a/0002-ALSA-hda-Fix-potential-access-overflow-in-beep-helper.patch b/0002-ALSA-hda-Fix-potential-access-overflow-in-beep-helper.patch
new file mode 100644
index 0000000..48dfbf5
--- /dev/null
+++ b/0002-ALSA-hda-Fix-potential-access-overflow-in-beep-helper.patch
@@ -0,0 +1,42 @@
+From 28a3a4bec629ccb9cef64c546998052e0806cb1b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 7 Apr 2020 10:36:22 +0200
+Subject: ALSA: hda: Fix potential access overflow in beep helper
+
+The beep control helper function blindly stores the values in two
+stereo channels no matter whether the actual control is mono or
+stereo.  This is practically harmless, but it annoys the recently
+introduced sanity check, resulting in an error when the checker is
+enabled.
+
+This patch corrects the behavior to store only on the defined array
+member.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207139
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/pci/hda/hda_beep.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_beep.c b/sound/pci/hda/hda_beep.c
+index f5fd62ed4df5..841523f6b88d 100644
+--- a/sound/pci/hda/hda_beep.c
++++ b/sound/pci/hda/hda_beep.c
+@@ -290,8 +290,12 @@ int snd_hda_mixer_amp_switch_get_beep(struct snd_kcontrol *kcontrol,
+ {
+ 	struct hda_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct hda_beep *beep = codec->beep;
++	int chs = get_amp_channels(kcontrol);
++
+ 	if (beep && (!beep->enabled || !ctl_has_mute(kcontrol))) {
+-		ucontrol->value.integer.value[0] =
++		if (chs & 1)
++			ucontrol->value.integer.value[0] = beep->enabled;
++		if (chs & 2)
+ 			ucontrol->value.integer.value[1] = beep->enabled;
+ 		return 0;
+ 	}
+-- 
+cgit v1.2.3-1-gf6bb5
+
diff --git a/0002-mac80211-fix-authentication-with-iwlwifi-mvm.patch b/0002-mac80211-fix-authentication-with-iwlwifi-mvm.patch
deleted file mode 100644
index d4449b2..0000000
--- a/0002-mac80211-fix-authentication-with-iwlwifi-mvm.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 61397cbfb977f37e4423813d1ad43340a627563a Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Sun, 29 Mar 2020 22:50:06 +0200
-Subject: mac80211: fix authentication with iwlwifi/mvm
-
-The original patch didn't copy the ieee80211_is_data() condition
-because on most drivers the management frames don't go through
-this path. However, they do on iwlwifi/mvm, so we do need to keep
-the condition here.
-
-Cc: stable@vger.kernel.org
-Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/mac80211/tx.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
-index d9cca6dbd870..efe4c1fc68e5 100644
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -3610,7 +3610,8 @@ begin:
- 		 * Drop unicast frames to unauthorised stations unless they are
- 		 * EAPOL frames from the local station.
- 		 */
--		if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
-+		if (unlikely(ieee80211_is_data(hdr->frame_control) &&
-+			     !ieee80211_vif_is_mesh(&tx.sdata->vif) &&
- 			     tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
- 			     !is_multicast_ether_addr(hdr->addr1) &&
- 			     !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
--- 
-cgit v1.2.3-1-gf6bb5
-
diff --git a/0003-bpf-Undo-incorrect-__reg_bound_offset32-handling.patch b/0003-bpf-Undo-incorrect-__reg_bound_offset32-handling.patch
deleted file mode 100644
index 590e256..0000000
--- a/0003-bpf-Undo-incorrect-__reg_bound_offset32-handling.patch
+++ /dev/null
@@ -1,277 +0,0 @@
-From e04420186bb7d71b7a6237f36de4d9a75e83f56d Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Mon, 30 Mar 2020 18:03:22 +0200
-Subject: bpf: Undo incorrect __reg_bound_offset32 handling
-
-commit f2d67fec0b43edce8c416101cdc52e71145b5fef upstream.
-
-Anatoly has been fuzzing with kBdysch harness and reported a hang in
-one of the outcomes:
-
-  0: (b7) r0 = 808464432
-  1: (7f) r0 >>= r0
-  2: (14) w0 -= 808464432
-  3: (07) r0 += 808464432
-  4: (b7) r1 = 808464432
-  5: (de) if w1 s<= w0 goto pc+0
-   R0_w=invP(id=0,umin_value=808464432,umax_value=5103431727,var_off=(0x30303020;0x10000001f)) R1_w=invP808464432 R10=fp0
-  6: (07) r0 += -2144337872
-  7: (14) w0 -= -1607454672
-  8: (25) if r0 > 0x30303030 goto pc+0
-   R0_w=invP(id=0,umin_value=271581184,umax_value=271581311,var_off=(0x10300000;0x7f)) R1_w=invP808464432 R10=fp0
-  9: (76) if w0 s>= 0x303030 goto pc+2
-  12: (95) exit
-
-  from 8 to 9: safe
-
-  from 5 to 6: R0_w=invP(id=0,umin_value=808464432,umax_value=5103431727,var_off=(0x30303020;0x10000001f)) R1_w=invP808464432 R10=fp0
-  6: (07) r0 += -2144337872
-  7: (14) w0 -= -1607454672
-  8: (25) if r0 > 0x30303030 goto pc+0
-   R0_w=invP(id=0,umin_value=271581184,umax_value=271581311,var_off=(0x10300000;0x7f)) R1_w=invP808464432 R10=fp0
-  9: safe
-
-  from 8 to 9: safe
-  verification time 589 usec
-  stack depth 0
-  processed 17 insns (limit 1000000) [...]
-
-The underlying program was xlated as follows:
-
-  # bpftool p d x i 9
-   0: (b7) r0 = 808464432
-   1: (7f) r0 >>= r0
-   2: (14) w0 -= 808464432
-   3: (07) r0 += 808464432
-   4: (b7) r1 = 808464432
-   5: (de) if w1 s<= w0 goto pc+0
-   6: (07) r0 += -2144337872
-   7: (14) w0 -= -1607454672
-   8: (25) if r0 > 0x30303030 goto pc+0
-   9: (76) if w0 s>= 0x303030 goto pc+2
-  10: (05) goto pc-1
-  11: (05) goto pc-1
-  12: (95) exit
-
-The verifier rewrote original instructions it recognized as dead code with
-'goto pc-1', but reality differs from verifier simulation in that we're
-actually able to trigger a hang due to hitting the 'goto pc-1' instructions.
-
-Taking different examples to make the issue more obvious: in this example
-we're probing bounds on a completely unknown scalar variable in r1:
-
-  [...]
-  5: R0_w=inv1 R1_w=inv(id=0) R10=fp0
-  5: (18) r2 = 0x4000000000
-  7: R0_w=inv1 R1_w=inv(id=0) R2_w=inv274877906944 R10=fp0
-  7: (18) r3 = 0x2000000000
-  9: R0_w=inv1 R1_w=inv(id=0) R2_w=inv274877906944 R3_w=inv137438953472 R10=fp0
-  9: (18) r4 = 0x400
-  11: R0_w=inv1 R1_w=inv(id=0) R2_w=inv274877906944 R3_w=inv137438953472 R4_w=inv1024 R10=fp0
-  11: (18) r5 = 0x200
-  13: R0_w=inv1 R1_w=inv(id=0) R2_w=inv274877906944 R3_w=inv137438953472 R4_w=inv1024 R5_w=inv512 R10=fp0
-  13: (2d) if r1 > r2 goto pc+4
-   R0_w=inv1 R1_w=inv(id=0,umax_value=274877906944,var_off=(0x0; 0x7fffffffff)) R2_w=inv274877906944 R3_w=inv137438953472 R4_w=inv1024 R5_w=inv512 R10=fp0
-  14: R0_w=inv1 R1_w=inv(id=0,umax_value=274877906944,var_off=(0x0; 0x7fffffffff)) R2_w=inv274877906944 R3_w=inv137438953472 R4_w=inv1024 R5_w=inv512 R10=fp0
-  14: (ad) if r1 < r3 goto pc+3
-   R0_w=inv1 R1_w=inv(id=0,umin_value=137438953472,umax_value=274877906944,var_off=(0x0; 0x7fffffffff)) R2_w=inv274877906944 R3_w=inv137438953472 R4_w=inv1024 R5_w=inv512 R10=fp0
-  15: R0=inv1 R1=inv(id=0,umin_value=137438953472,umax_value=274877906944,var_off=(0x0; 0x7fffffffff)) R2=inv274877906944 R3=inv137438953472 R4=inv1024 R5=inv512 R10=fp0
-  15: (2e) if w1 > w4 goto pc+2
-   R0=inv1 R1=inv(id=0,umin_value=137438953472,umax_value=274877906944,var_off=(0x0; 0x7f00000000)) R2=inv274877906944 R3=inv137438953472 R4=inv1024 R5=inv512 R10=fp0
-  16: R0=inv1 R1=inv(id=0,umin_value=137438953472,umax_value=274877906944,var_off=(0x0; 0x7f00000000)) R2=inv274877906944 R3=inv137438953472 R4=inv1024 R5=inv512 R10=fp0
-  16: (ae) if w1 < w5 goto pc+1
-   R0=inv1 R1=inv(id=0,umin_value=137438953472,umax_value=274877906944,var_off=(0x0; 0x7f00000000)) R2=inv274877906944 R3=inv137438953472 R4=inv1024 R5=inv512 R10=fp0
-  [...]
-
-We're first probing lower/upper bounds via jmp64, later we do a similar
-check via jmp32 and examine the resulting var_off there. After fall-through
-in insn 14, we get the following bounded r1 with 0x7fffffffff unknown marked
-bits in the variable section.
-
-Thus, after knowing r1 <= 0x4000000000 and r1 >= 0x2000000000:
-
-  max: 0b100000000000000000000000000000000000000 / 0x4000000000
-  var: 0b111111111111111111111111111111111111111 / 0x7fffffffff
-  min: 0b010000000000000000000000000000000000000 / 0x2000000000
-
-Now, in insn 15 and 16, we perform a similar probe with lower/upper bounds
-in jmp32.
-
-Thus, after knowing r1 <= 0x4000000000 and r1 >= 0x2000000000 and
-                    w1 <= 0x400        and w1 >= 0x200:
-
-  max: 0b100000000000000000000000000000000000000 / 0x4000000000
-  var: 0b111111100000000000000000000000000000000 / 0x7f00000000
-  min: 0b010000000000000000000000000000000000000 / 0x2000000000
-
-The lower/upper bounds haven't changed since they have high bits set in
-u64 space and the jmp32 tests can only refine bounds in the low bits.
-
-However, for the var part the expectation would have been 0x7f000007ff
-or something less precise up to 0x7fffffffff. A outcome of 0x7f00000000
-is not correct since it would contradict the earlier probed bounds
-where we know that the result should have been in [0x200,0x400] in u32
-space. Therefore, tests with such info will lead to wrong verifier
-assumptions later on like falsely predicting conditional jumps to be
-always taken, etc.
-
-The issue here is that __reg_bound_offset32()'s implementation from
-commit 581738a681b6 ("bpf: Provide better register bounds after jmp32
-instructions") makes an incorrect range assumption:
-
-  static void __reg_bound_offset32(struct bpf_reg_state *reg)
-  {
-        u64 mask = 0xffffFFFF;
-        struct tnum range = tnum_range(reg->umin_value & mask,
-                                       reg->umax_value & mask);
-        struct tnum lo32 = tnum_cast(reg->var_off, 4);
-        struct tnum hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32);
-
-        reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range));
-  }
-
-In the above walk-through example, __reg_bound_offset32() as-is chose
-a range after masking with 0xffffffff of [0x0,0x0] since umin:0x2000000000
-and umax:0x4000000000 and therefore the lo32 part was clamped to 0x0 as
-well. However, in the umin:0x2000000000 and umax:0x4000000000 range above
-we'd end up with an actual possible interval of [0x0,0xffffffff] for u32
-space instead.
-
-In case of the original reproducer, the situation looked as follows at
-insn 5 for r0:
-
-  [...]
-  5: R0_w=invP(id=0,umin_value=808464432,umax_value=5103431727,var_off=(0x0; 0x1ffffffff)) R1_w=invP808464432 R10=fp0
-                               0x30303030           0x13030302f
-  5: (de) if w1 s<= w0 goto pc+0
-   R0_w=invP(id=0,umin_value=808464432,umax_value=5103431727,var_off=(0x30303020; 0x10000001f)) R1_w=invP808464432 R10=fp0
-                             0x30303030           0x13030302f
-  [...]
-
-After the fall-through, we similarly forced the var_off result into
-the wrong range [0x30303030,0x3030302f] suggesting later on that fixed
-bits must only be of 0x30303020 with 0x10000001f unknowns whereas such
-assumption can only be made when both bounds in hi32 range match.
-
-Originally, I was thinking to fix this by moving reg into a temp reg and
-use proper coerce_reg_to_size() helper on the temp reg where we can then
-based on that define the range tnum for later intersection:
-
-  static void __reg_bound_offset32(struct bpf_reg_state *reg)
-  {
-        struct bpf_reg_state tmp = *reg;
-        struct tnum lo32, hi32, range;
-
-        coerce_reg_to_size(&tmp, 4);
-        range = tnum_range(tmp.umin_value, tmp.umax_value);
-        lo32 = tnum_cast(reg->var_off, 4);
-        hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32);
-        reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range));
-  }
-
-In the case of the concrete example, this gives us a more conservative unknown
-section. Thus, after knowing r1 <= 0x4000000000 and r1 >= 0x2000000000 and
-                             w1 <= 0x400        and w1 >= 0x200:
-
-  max: 0b100000000000000000000000000000000000000 / 0x4000000000
-  var: 0b111111111111111111111111111111111111111 / 0x7fffffffff
-  min: 0b010000000000000000000000000000000000000 / 0x2000000000
-
-However, above new __reg_bound_offset32() has no effect on refining the
-knowledge of the register contents. Meaning, if the bounds in hi32 range
-mismatch we'll get the identity function given the range reg spans
-[0x0,0xffffffff] and we cast var_off into lo32 only to later on binary
-or it again with the hi32.
-
-Likewise, if the bounds in hi32 range match, then we mask both bounds
-with 0xffffffff, use the resulting umin/umax for the range to later
-intersect the lo32 with it. However, _prior_ called __reg_bound_offset()
-did already such intersection on the full reg and we therefore would only
-repeat the same operation on the lo32 part twice.
-
-Given this has no effect and the original commit had false assumptions,
-this patch reverts the code entirely which is also more straight forward
-for stable trees: apparently 581738a681b6 got auto-selected by Sasha's
-ML system and misclassified as a fix, so it got sucked into v5.4 where
-it should never have landed. A revert is low-risk also from a user PoV
-since it requires a recent kernel and llc to opt-into -mcpu=v3 BPF CPU
-to generate jmp32 instructions. A proper bounds refinement would need a
-significantly more complex approach which is currently being worked, but
-no stable material [0]. Hence revert is best option for stable. After the
-revert, the original reported program gets rejected as follows:
-
-  1: (7f) r0 >>= r0
-  2: (14) w0 -= 808464432
-  3: (07) r0 += 808464432
-  4: (b7) r1 = 808464432
-  5: (de) if w1 s<= w0 goto pc+0
-   R0_w=invP(id=0,umin_value=808464432,umax_value=5103431727,var_off=(0x0; 0x1ffffffff)) R1_w=invP808464432 R10=fp0
-  6: (07) r0 += -2144337872
-  7: (14) w0 -= -1607454672
-  8: (25) if r0 > 0x30303030 goto pc+0
-   R0_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x3fffffff)) R1_w=invP808464432 R10=fp0
-  9: (76) if w0 s>= 0x303030 goto pc+2
-   R0=invP(id=0,umax_value=3158063,var_off=(0x0; 0x3fffff)) R1=invP808464432 R10=fp0
-  10: (30) r0 = *(u8 *)skb[808464432]
-  BPF_LD_[ABS|IND] uses reserved fields
-  processed 11 insns (limit 1000000) [...]
-
-  [0] https://lore.kernel.org/bpf/158507130343.15666.8018068546764556975.stgit@john-Precision-5820-Tower/T/
-
-Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")
-Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Link: https://lore.kernel.org/bpf/20200330160324.15259-2-daniel@iogearbox.net
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/bpf/verifier.c | 19 -------------------
- 1 file changed, 19 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 1cc945daa9c8..5080469094af 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1034,17 +1034,6 @@ static void __reg_bound_offset(struct bpf_reg_state *reg)
- 						 reg->umax_value));
- }
- 
--static void __reg_bound_offset32(struct bpf_reg_state *reg)
--{
--	u64 mask = 0xffffFFFF;
--	struct tnum range = tnum_range(reg->umin_value & mask,
--				       reg->umax_value & mask);
--	struct tnum lo32 = tnum_cast(reg->var_off, 4);
--	struct tnum hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32);
--
--	reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range));
--}
--
- /* Reset the min/max bounds of a register */
- static void __mark_reg_unbounded(struct bpf_reg_state *reg)
- {
-@@ -5717,10 +5706,6 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
- 	/* We might have learned some bits from the bounds. */
- 	__reg_bound_offset(false_reg);
- 	__reg_bound_offset(true_reg);
--	if (is_jmp32) {
--		__reg_bound_offset32(false_reg);
--		__reg_bound_offset32(true_reg);
--	}
- 	/* Intersecting with the old var_off might have improved our bounds
- 	 * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
- 	 * then new var_off is (0; 0x7f...fc) which improves our umax.
-@@ -5830,10 +5815,6 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
- 	/* We might have learned some bits from the bounds. */
- 	__reg_bound_offset(false_reg);
- 	__reg_bound_offset(true_reg);
--	if (is_jmp32) {
--		__reg_bound_offset32(false_reg);
--		__reg_bound_offset32(true_reg);
--	}
- 	/* Intersecting with the old var_off might have improved our bounds
- 	 * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
- 	 * then new var_off is (0; 0x7f...fc) which improves our umax.
--- 
-cgit v1.2.3-1-gf6bb5
-
diff --git a/PKGBUILD b/PKGBUILD
index 45daa03..0fce5d1 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -13,7 +13,7 @@
 pkgbase=linux-libre
 _supver=5
 _majver=6
-_minver=0
+_minver=3
 _gccpatchver='20191217'
 _gccpatchger='9.1'
 _gccpatchker='5.5'
@@ -22,7 +22,7 @@ _gccpatchker='5.5'
   else
     pkgver=${_supver}.${_majver}.${_minver}
   fi
-pkgrel=3
+pkgrel=1
 pkgdesc='Linux-libre'
 url='https://linux-libre.fsfla.org/'
 arch=(x86_64)
@@ -39,13 +39,13 @@ _gnupkgver=${pkgver}-gnu
 source=(
   https://linux-libre.fsfla.org/pub/linux-libre/releases/${_gnumajver}/linux-libre-${_gnumajver}.tar.xz{,.sign}
   0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
-  0002-mac80211-fix-authentication-with-iwlwifi-mvm.patch
-  0003-bpf-Undo-incorrect-__reg_bound_offset32-handling.patch
+  0002-ALSA-hda-Fix-potential-access-overflow-in-beep-helper.patch
   graysky_bdver2-hotfix.patch
   kernel_gcc_patch-${_gccpatchver}.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/${_gccpatchver}.tar.gz
   ath9k-regdom-hack.patch
   raid6-default-algo.patch
   config         # the main kernel config file
+  sphinx-workaround.patch
 )
   if [ "$_minver" != "0" ]; then
     source+=(https://linux-libre.fsfla.org/pub/linux-libre/releases/${_gnupkgver}/patch-${_gnumajver}-${_gnupkgver}.xz{,.sign})
@@ -56,13 +56,15 @@ validpgpkeys=(
 b2sums=('921a3836ffbd5ababb897b8d923ab3e97c10c39b8d01060fe41742005f8111b5c2c9e76c9b7bcf4fe59a056454a364eca5df8006ca8a174205df152007e18dff'
         'SKIP'
         'ab1fb19c67d4c107f75767581c33d9c1458b4d9fdb88f4adb41d30a36f5a2f95f1c48ef079eb87e1e6e8ce2f98b293195cb2c0f2a8ec975aa817453289158c6e'
-        'a5eb54f71903167d3305d4adec28d78d0e1b14d61e2e4eae0f1775accbdce0248aa4271f31d2ac95edbd86f875f361692fa5d71adb1403084ab5c61ebc0b67c6'
-        'ceb271b1ad73f743064db57361cf0a5e5afa81c9b2b16083bd4d114728dad52f9431f1aa85d510ab938f34890bbceb950fa661b7c6aba11dd23ac6a655c262ee'
+        '4d0a521668223e00d0c7a7e4359ae18a5506b65b3394f3050ea20e304cc37c2c73f757a09b70737118bffe95db23a02d4da7640a3726ce9c88966c3a8c5ceb11'
         '1892bd22775eac3bcc4d37f4fd30c95346bf3a0888cbbff57fd614973b525390dff2e315ce35b2e498523cceaab94ff21a80475dee8df3de4dd8fc0fab07d74e'
         'd76bd0bf237ea2bb7999fd3715cb664d89148cb0ade8057d57cdb40bc0a7954336e50ee077312e5e192398b0f35f055786deb98af9130d57e60f2ea040fbb66f'
         '2e58bb89b247b1678355368956e67c1de51fcde97a227b2162f6771e30f17fa5520faafe7be4b6816a542e7ae10d05f64c6b6354f352c12746d4b8da632936dd'
         'fde132f3705d908e6f2147c78a2193289916d72304ca5efa2229d79fc3e57a857314ce94e71425caef2f7f7b6cf87f05ef86335dc8bd4be78e7035afe608005a'
-        '84f84a583c27c5d8bbbd979fc8cb67a2220016fb128f29fe962dd0007b7af8103e684379ad73fb95164c2925a564bce024dba7e29d684056871922d30b5ae37d')
+        '607114d02b4fa5a37511cfdc191ceb628778eda79f28d0e5359205c4d697a7759c63c3d30172885acea4496eef638066d334b3132e7ddaaf91e36f2f92129f56'
+        'b4e1377d97ad7e8144d6e55b6d43731e3271a5aec65b65ca6d81026a95f15f549b9303fb3c6f492099ca691e3f65f4cf7f0c3aa742df03b396d7f6d81813aa95'
+        '33ce93ba7c83909f992a7bfa72ff9eebd82e70f4c5b4124ab450aea250748f3a429e436a045350aba547656897659be89a4f5cedd63e4c85f7af125510b9291d'
+        'SKIP')
 
 #export KBUILD_BUILD_HOST=arc4linux
 export KBUILD_BUILD_USER=$pkgbase
@@ -81,8 +83,8 @@ prepare() {
   # Hotfixes
   echo "Applying hotfixes"
   patch -p1 -i ../0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
-  patch -p1 -i ../0002-mac80211-fix-authentication-with-iwlwifi-mvm.patch
-  patch -p1 -i ../0003-bpf-Undo-incorrect-__reg_bound_offset32-handling.patch
+  patch -p1 -i ../0002-ALSA-hda-Fix-potential-access-overflow-in-beep-helper.patch
+  patch -p1 -i ../sphinx-workaround.patch
 
 
   # graysky gcc hotfixes
diff --git a/config b/config
index 6329135..292796b 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.6.0 Kernel Configuration
+# Linux/x86 5.6.3 Kernel Configuration
 #
 
 #
@@ -738,7 +738,7 @@ CONFIG_EFI_CAPSULE_LOADER=m
 CONFIG_APPLE_PROPERTIES=y
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 CONFIG_EFI_RCI2_TABLE=y
-CONFIG_EFI_DISABLE_PCI_DMA=y
+# CONFIG_EFI_DISABLE_PCI_DMA is not set
 # end of EFI (Extensible Firmware Interface) Support
 
 CONFIG_UEFI_CPER=y
@@ -6710,7 +6710,7 @@ CONFIG_SND_VERBOSE_PRINTK=y
 CONFIG_SND_DEBUG=y
 # CONFIG_SND_DEBUG_VERBOSE is not set
 # CONFIG_SND_PCM_XRUN_DEBUG is not set
-CONFIG_SND_CTL_VALIDATION=y
+# CONFIG_SND_CTL_VALIDATION is not set
 CONFIG_SND_VMASTER=y
 CONFIG_SND_DMA_SGBUF=y
 CONFIG_SND_SEQUENCER=m
diff --git a/sphinx-workaround.patch b/sphinx-workaround.patch
new file mode 100644
index 0000000..1aa3f1c
--- /dev/null
+++ b/sphinx-workaround.patch
@@ -0,0 +1,13 @@
+diff --git i/Documentation/conf.py w/Documentation/conf.py
+index 3c7bdf4cd31f..9a0ced58a3e9 100644
+--- i/Documentation/conf.py
++++ w/Documentation/conf.py
+@@ -36,7 +36,7 @@ needs_sphinx = '1.3'
+ # Add any Sphinx extension module names here, as strings. They can be
+ # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+ # ones.
+-extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain',
++extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include',
+               'kfigure', 'sphinx.ext.ifconfig', 'automarkup',
+               'maintainers_include']
+