--- /dev/null
+From 6b6c17fe6fa58900fa69dd000d5333b679e5e33e Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Fri, 18 Jun 2021 13:04:47 +0900
+Subject: ALSA: bebob: fix rx packet format for Yamaha GO44/GO46, Terratec Phase 24/x24
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 6b6c17fe6fa58900fa69dd000d5333b679e5e33e upstream.
+
+Below devices reports zero as the number of channels for external output
+plug with MIDI type:
+
+ * Yamaha GO44/GO46
+ * Terratec Phase 24/X24
+
+As a result, rx packet format is invalid and they generate silent sound.
+This is a regression added in v5.13.
+
+This commit fixes the bug, addressed at a commit 1bd1b3be8655 ("ALSA:
+bebob: perform sequence replay for media clock recovery").
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5c6ea94f2b7c ("ALSA: bebob: detect the number of available MIDI ports")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20210618040447.113306-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob_stream.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/bebob/bebob_stream.c
++++ b/sound/firewire/bebob/bebob_stream.c
+@@ -883,6 +883,11 @@ static int detect_midi_ports(struct snd_
+ err = avc_bridgeco_get_plug_ch_count(bebob->unit, addr, &ch_count);
+ if (err < 0)
+ break;
++ // Yamaha GO44, GO46, Terratec Phase 24, Phase x24 reports 0 for the number of
++ // channels in external output plug 3 (MIDI type) even if it has a pair of physical
++ // MIDI jacks. As a workaround, assume it as one.
++ if (ch_count == 0)
++ ch_count = 1;
+ *midi_ports += ch_count;
+ }
+
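Review bot: The `if (ch_count == 0) ch_count = 1;` fallback applies to every device that reaches this loop, not only the four models named in the comment, so a unit that truthfully reports zero channels on such a plug is now counted as having one MIDI port. If the workaround is meant to be model-specific, gate it on the device identity. Otherwise the comment should state why the blanket assumption is safe, for example `// A MIDI-type plug is assumed to carry at least one port, so 0 is treated as a firmware reporting error.` The loop header and any plug-type filter sit outside the hunk, so whether an earlier check already restricts this to MIDI plugs cannot be confirmed from here.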
+@@ -961,12 +966,12 @@ int snd_bebob_stream_discover(struct snd
+ if (err < 0)
+ goto end;
+
+- err = detect_midi_ports(bebob, bebob->rx_stream_formations, addr, AVC_BRIDGECO_PLUG_DIR_IN,
++ err = detect_midi_ports(bebob, bebob->tx_stream_formations, addr, AVC_BRIDGECO_PLUG_DIR_IN,
+ plugs[2], &bebob->midi_input_ports);
+ if (err < 0)
+ goto end;
+
+- err = detect_midi_ports(bebob, bebob->tx_stream_formations, addr, AVC_BRIDGECO_PLUG_DIR_OUT,
++ err = detect_midi_ports(bebob, bebob->rx_stream_formations, addr, AVC_BRIDGECO_PLUG_DIR_OUT,
+ plugs[3], &bebob->midi_output_ports);
+ if (err < 0)
+ goto end;
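Review bot: The pairing of `tx_stream_formations` with `AVC_BRIDGECO_PLUG_DIR_IN` and `rx_stream_formations` with `AVC_BRIDGECO_PLUG_DIR_OUT` reads as inverted at first glance, and the removed lines show it was already written the other way round once. A short comment above the two calls would keep it from being swapped back, for example `/* MIDI from external input plugs is carried in the tx stream, MIDI to external output plugs in the rx stream. */`, with the wording checked against the driver's tx/rx convention. snd_bebob_stream_discover() starts and ends outside the hunk.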
--- /dev/null
+From fc36ef80ca2c68b2c9df06178048f08280e4334f Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 14 Jun 2021 17:31:33 +0900
+Subject: ALSA: firewire-motu: fix stream format for MOTU 8pre FireWire
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit fc36ef80ca2c68b2c9df06178048f08280e4334f upstream.
+
+My previous refactoring for ALSA firewire-motu driver brought regression
+to handle MOTU 8pre FireWire. The packet format is not operated correctly.
+
+Cc: <stable@vger.kernel.org>
+Fixes: dfbaa4dc11eb ("ALSA: firewire-motu: add model-specific table of chunk count")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20210614083133.39753-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/motu/motu-protocol-v2.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/motu/motu-protocol-v2.c
++++ b/sound/firewire/motu/motu-protocol-v2.c
+@@ -353,6 +353,7 @@ const struct snd_motu_spec snd_motu_spec
+ .protocol_version = SND_MOTU_PROTOCOL_V2,
+ .flags = SND_MOTU_SPEC_RX_MIDI_2ND_Q |
+ SND_MOTU_SPEC_TX_MIDI_2ND_Q,
+- .tx_fixed_pcm_chunks = {10, 6, 0},
+- .rx_fixed_pcm_chunks = {10, 6, 0},
++ // Two dummy chunks always in the end of data block.
++ .tx_fixed_pcm_chunks = {10, 10, 0},
++ .rx_fixed_pcm_chunks = {6, 6, 0},
+ };
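Review bot: The new comment `// Two dummy chunks always in the end of data block.` does not say whether those two chunks are included in or excluded from the counts in `.tx_fixed_pcm_chunks` and `.rx_fixed_pcm_chunks`. The tx and rx values now differ (10 against 6) with no explanation. If the counts exclude them, something like `// Each data block ends with two dummy chunks; the counts below do not include them.` would let the next reader check the table against the hardware. The initializer begins above the hunk, so the model it belongs to is only partly visible in the hunk header.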
--- /dev/null
+From 1948fc065a89f18d057b8ffaef6d7242ad99edb8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 18 Jun 2021 18:17:20 +0200
+Subject: ALSA: hda/realtek: Add another ALC236 variant support
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1948fc065a89f18d057b8ffaef6d7242ad99edb8 upstream.
+
+The codec chip 10ec:0230 is another variant of ALC236, combined with a
+card reader. Apply the equivalent setup as 10ec:0236.
+
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1184869
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210618161720.28694-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -385,6 +385,7 @@ static void alc_fill_eapd_coef(struct hd
+ alc_update_coef_idx(codec, 0x67, 0xf000, 0x3000);
+ fallthrough;
+ case 0x10ec0215:
++ case 0x10ec0230:
+ case 0x10ec0233:
+ case 0x10ec0235:
+ case 0x10ec0236:
+@@ -3153,6 +3154,7 @@ static void alc_disable_headset_jack_key
+ alc_update_coef_idx(codec, 0x49, 0x0045, 0x0);
+ alc_update_coef_idx(codec, 0x44, 0x0045 << 8, 0x0);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x48, 0x0);
+@@ -3180,6 +3182,7 @@ static void alc_enable_headset_jack_key(
+ alc_update_coef_idx(codec, 0x49, 0x007f, 0x0045);
+ alc_update_coef_idx(codec, 0x44, 0x007f << 8, 0x0045 << 8);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x48, 0xd011);
+@@ -4744,6 +4747,7 @@ static void alc_headset_mode_unplugged(s
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0256);
+@@ -4858,6 +4862,7 @@ static void alc_headset_mode_mic_in(stru
+ alc_process_coef_fw(codec, coef0255);
+ snd_hda_set_pin_ctl_cache(codec, mic_pin, PIN_VREF50);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x45, 0xc489);
+@@ -5007,6 +5012,7 @@ static void alc_headset_mode_default(str
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x1b, 0x0e4b);
+@@ -5105,6 +5111,7 @@ static void alc_headset_mode_ctia(struct
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0256);
+@@ -5218,6 +5225,7 @@ static void alc_headset_mode_omtp(struct
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0256);
+@@ -5318,6 +5326,7 @@ static void alc_determine_headset_type(s
+ val = alc_read_coef_idx(codec, 0x46);
+ is_ctia = (val & 0x0070) == 0x0070;
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x1b, 0x0e4b);
+@@ -5611,6 +5620,7 @@ static void alc255_set_default_jack_type
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, alc255fw);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, alc256fw);
+@@ -6211,6 +6221,7 @@ static void alc_combo_jack_hp_jd_restart
+ alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */
+ alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0235:
+ case 0x10ec0236:
+ case 0x10ec0255:
+@@ -9345,6 +9356,7 @@ static int patch_alc269(struct hda_codec
+ spec->shutup = alc256_shutup;
+ spec->init_hook = alc256_init;
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ spec->codec_variant = ALC269_TYPE_ALC256;
+@@ -10636,6 +10648,7 @@ static const struct hda_device_id snd_hd
+ HDA_CODEC_ENTRY(0x10ec0221, "ALC221", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0222, "ALC222", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0225, "ALC225", patch_alc269),
++ HDA_CODEC_ENTRY(0x10ec0230, "ALC236", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0231, "ALC231", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0233, "ALC233", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0234, "ALC234", patch_alc269),
--- /dev/null
+From 0ac05b25c3dd8299204ae9d50c1c2f7f05eef08f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 23 Jun 2021 14:20:22 +0200
+Subject: ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0ac05b25c3dd8299204ae9d50c1c2f7f05eef08f upstream.
+
+HP Dragonfly G1 (SSID 103c:861f) also requires the same quirk for the
+mute and mic-mute LED just as Dragonfly G2 model.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213329
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210623122022.26179-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8345,6 +8345,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x84da, "HP OMEN dc0019-ur", ALC295_FIXUP_HP_OMEN),
+ SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
++ SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
--- /dev/null
+From f8fbcdfb0665de60997d9746809e1704ed782bbc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 20 Jun 2021 08:59:52 +0200
+Subject: ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f8fbcdfb0665de60997d9746809e1704ed782bbc upstream.
+
+Asus Zenbook 14 UM431D has two speaker pins and a headphone pin, and
+the auto-parser ends up assigning the bass to the third DAC 0x06.
+Although the tone comes out, it's inconvenient because this DAC has no
+volume control unlike two other DACs.
+
+For obtaining the volume control for the bass speaker, this patch
+enforces the mapping to let both front and bass speaker pins sharing
+the same DAC. It's not ideal but a little bit of improvement.
+
+Since we've already applied the same workaround for another ASUS
+machine, we just need to hook the chain to the existing quirk.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212547
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210620065952.18948-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7839,6 +7839,8 @@ static const struct hda_fixup alc269_fix
+ { 0x20, AC_VERB_SET_PROC_COEF, 0x4e4b },
+ { }
+ },
++ .chained = true,
++ .chain_id = ALC289_FIXUP_ASUS_GA401,
+ },
+ [ALC285_FIXUP_HP_GPIO_LED] = {
+ .type = HDA_FIXUP_FUNC,
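Review bot: Chaining this entry to `ALC289_FIXUP_ASUS_GA401` pulls in everything that fixup does and anything it chains to in turn, not only the DAC mapping the commit message is after. The Spectre x360 patch further down this page describes that kind of breakage, where a chain dragged in unrelated ThinkPad fixups. It is worth confirming that the GA401 entry carries no further `.chain_id` and nothing GA401-specific, and recording that in a comment next to `.chain_id`. The entry being modified begins above the hunk, so its name is not visible here.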
--- /dev/null
+From 42334fbc219eb110e054cedf9e553a142f735b11 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Frank=20Sch=C3=A4fer?= <fschaefer.oss@googlemail.com>
+Date: Sat, 3 Jul 2021 15:54:16 +0200
+Subject: ALSA: hda/realtek: fix mute led of the HP Pavilion 15-eh1xxx series
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Schäfer <fschaefer.oss@googlemail.com>
+
+commit 42334fbc219eb110e054cedf9e553a142f735b11 upstream.
+
+The HP Pavilion 15-eh1xxx series uses the HP mainboard 88D0 with ALC287 and needs
+the ALC287_FIXUP_HP_GPIO_LED quirk to make the mute led working.
+Tested with a HP Pavilion 15-eh1557ng.
+
+Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210703135416.13151-1-fschaefer.oss@googlemail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8382,6 +8382,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x8898, "HP EliteBook 845 G8 Notebook PC", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x103c, 0x88d0, "HP Pavilion 15-eh1xxx (mainboard 88D0)", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From dfc2e8ae4066a95c7f9c2bb2dfa26651feaa6b83 Mon Sep 17 00:00:00 2001
+From: Jeremy Szu <jeremy.szu@canonical.com>
+Date: Fri, 25 Jun 2021 21:34:13 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 830 G8 Notebook PC
+
+From: Jeremy Szu <jeremy.szu@canonical.com>
+
+commit dfc2e8ae4066a95c7f9c2bb2dfa26651feaa6b83 upstream.
+
+The HP EliteBook 830 G8 Notebook PC using ALC285 codec which using 0x04 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210625133414.26760-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8369,6 +8369,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP),
++ SND_PCI_QUIRK(0x103c, 0x880d, "HP EliteBook 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
--- /dev/null
+From c3d2c88209e85045a364e80fe12a6cde16745b72 Mon Sep 17 00:00:00 2001
+From: Jeremy Szu <jeremy.szu@canonical.com>
+Date: Fri, 18 Jun 2021 01:14:20 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook x360 830 G8
+
+From: Jeremy Szu <jeremy.szu@canonical.com>
+
+commit c3d2c88209e85045a364e80fe12a6cde16745b72 upstream.
+
+The HP EliteBook x360 830 G8 using ALC285 codec which using 0x04 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210617171422.16652-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8354,6 +8354,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP),
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
--- /dev/null
+From a3b7f9b8fa2967e1b3c2a402301715124c90306b Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Thu, 1 Jul 2021 17:14:14 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G8
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit a3b7f9b8fa2967e1b3c2a402301715124c90306b upstream.
+
+The HP ProBook 445 G8 using ALC236 codec.
+COEF index 0x34 bit 5 is used to control the playback mute LED, but the
+microphone mute LED is controlled using pin VREF instead of a COEF index.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210701091417.9696-2-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8344,6 +8344,8 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8863, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
--- /dev/null
+From 2b70b264d34d398c77a5936e317336f00cf5badb Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Thu, 1 Jul 2021 17:14:13 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 450 G8
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit 2b70b264d34d398c77a5936e317336f00cf5badb upstream.
+
+The HP ProBook 450 G8 using ALC236 codec which using 0x02 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210701091417.9696-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8336,6 +8336,7 @@ static const struct snd_pci_quirk alc269
+ ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f2, "HP ProBook 640 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
--- /dev/null
+From fb3acdb2ba289aa06a5a995b3abef409bfe0a220 Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Thu, 1 Jul 2021 17:14:15 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 630 G8
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit fb3acdb2ba289aa06a5a995b3abef409bfe0a220 upstream.
+
+The HP ProBook 630 G8 using ALC236 codec which using 0x02 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210701091417.9696-3-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8337,6 +8337,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87f1, "HP ProBook 630 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f2, "HP ProBook 640 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 434591b2a77def0e78abfa38e5d7c4bca954e68a Mon Sep 17 00:00:00 2001
+From: Elia Devito <eliadevito@gmail.com>
+Date: Sat, 19 Jun 2021 22:41:04 +0200
+Subject: ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx
+
+From: Elia Devito <eliadevito@gmail.com>
+
+commit 434591b2a77def0e78abfa38e5d7c4bca954e68a upstream.
+
+On HP Spectre x360 15-df0xxx, after system boot with plugged headset, the
+headset mic are not detected.
+Moving pincfg and DAC's config to single fixup function fix this.
+
+[ The actual bug in the original code was that it used a chain to
+ ALC286_FIXUP_SPEAKER2_TO_DAC1, and it contains not only the DAC1
+ route fix but also another chain to ALC269_FIXUP_THINKPAD_ACPI.
+ I thought the latter one is harmless for non-Thinkpad, but it
+ doesn't seem so; it contains again yet another chain to
+ ALC269_FIXUP_SKI_IGNORE, and this might be bad for some machines,
+ including this HP machine. -- tiwai ]
+
+Signed-off-by: Elia Devito <eliadevito@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210619204105.5682-1-eliadevito@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6354,6 +6354,24 @@ static void alc_fixup_no_int_mic(struct
+ }
+ }
+
++static void alc285_fixup_hp_spectre_x360(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ static const hda_nid_t conn[] = { 0x02 };
++ static const struct hda_pintbl pincfgs[] = {
++ { 0x14, 0x90170110 }, /* rear speaker */
++ { }
++ };
++
++ switch (action) {
++ case HDA_FIXUP_ACT_PRE_PROBE:
++ snd_hda_apply_pincfgs(codec, pincfgs);
++ /* force front speaker to DAC1 */
++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);
++ break;
++ }
++}
++
+ /* for hda_fixup_thinkpad_acpi() */
+ #include "thinkpad_helper.c"
+
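Review bot: `alc285_fixup_hp_spectre_x360()` wraps its whole body in a `switch (action)` with a single case and no `default`; an early `if (action != HDA_FIXUP_ACT_PRE_PROBE) return;` followed by the two calls reads more directly. The node ids 0x14, 0x17 and 0x02 are bare literals, so `/* force front speaker to DAC1 */` would be clearer if it named them, e.g. `/* route front speaker pin 0x17 to DAC1 (0x02) */`, assuming that is what they are. The label on pin 0x14 also changed from "top speaker" in the removed table to "rear speaker" here, so one of the two deserves a check.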
+@@ -8138,13 +8156,8 @@ static const struct hda_fixup alc269_fix
+ .chain_id = ALC269_FIXUP_HP_LINE1_MIC1_LED,
+ },
+ [ALC285_FIXUP_HP_SPECTRE_X360] = {
+- .type = HDA_FIXUP_PINS,
+- .v.pins = (const struct hda_pintbl[]) {
+- { 0x14, 0x90170110 }, /* enable top speaker */
+- {}
+- },
+- .chained = true,
+- .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1,
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_hp_spectre_x360,
+ },
+ [ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP] = {
+ .type = HDA_FIXUP_FUNC,
--- /dev/null
+From 24d1e49415be546470b20429d748e240d0518b7e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 8 Jul 2021 11:07:38 +0200
+Subject: ALSA: intel8x0: Fix breakage at ac97 clock measurement
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 24d1e49415be546470b20429d748e240d0518b7e upstream.
+
+The recent workaround for the wild interrupts in commit c1f0616124c4
+("ALSA: intel8x0: Don't update period unless prepared") leaded to a
+regression, causing the interrupt storm during ac97 clock measurement
+at the driver probe. We need to handle the interrupt while the clock
+measurement as well as the proper PCM streams.
+
+Fixes: c1f0616124c4 ("ALSA: intel8x0: Don't update period unless prepared")
+Reported-and-tested-by: Max Filippov <jcmvbkbc@gmail.com>
+Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/CAMo8BfKKMQkcsbOQaeEjq_FsJhdK=fn598dvh7YOcZshUSOH=g@mail.gmail.com
+Link: https://lore.kernel.org/r/20210708090738.1569-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/intel8x0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/intel8x0.c
++++ b/sound/pci/intel8x0.c
+@@ -692,7 +692,7 @@ static inline void snd_intel8x0_update(s
+ int status, civ, i, step;
+ int ack = 0;
+
+- if (!ichdev->prepared || ichdev->suspended)
++ if (!(ichdev->prepared || chip->in_measurement) || ichdev->suspended)
+ return;
+
+ spin_lock_irqsave(&chip->reg_lock, flags);
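Review bot: `chip->in_measurement` is a chip-wide flag, so while it is set the new condition lets every `ichdev` past the early return, including streams that are neither prepared nor the one being measured. For the duration of the measurement that re-opens the path the `prepared` check was added to close. If the measurement only ever drives one stream, narrowing the test to that stream would keep the original protection for the others. The flag is also read before `spin_lock_irqsave(&chip->reg_lock, flags)`, and where it is written is outside the hunk, so whether that ordering is safe cannot be judged from here.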
--- /dev/null
+From 362372ceb6556f338e230f2d90af27b47f82365a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 22 Jun 2021 11:06:47 +0200
+Subject: ALSA: usb-audio: Fix OOB access at proc output
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 362372ceb6556f338e230f2d90af27b47f82365a upstream.
+
+At extending the available mixer values for 32bit types, we forgot to
+add the corresponding entries for the format dump in the proc output.
+This may result in OOB access. Here adds the missing entries.
+
+Fixes: bc18e31c3042 ("ALSA: usb-audio: Fix parameter block size for UAC2 control requests")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210622090647.14021-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -3294,8 +3294,9 @@ static void snd_usb_mixer_dump_cval(stru
+ struct usb_mixer_elem_list *list)
+ {
+ struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list);
+- static const char * const val_types[] = {"BOOLEAN", "INV_BOOLEAN",
+- "S8", "U8", "S16", "U16"};
++ static const char * const val_types[] = {
++ "BOOLEAN", "INV_BOOLEAN", "S8", "U8", "S16", "U16", "S32", "U32",
++ };
+ snd_iprintf(buffer, " Info: id=%i, control=%i, cmask=0x%x, "
+ "channels=%i, type=\"%s\"\n", cval->head.id,
+ cval->control, cval->cmask, cval->channels,
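Review bot: Adding "S32" and "U32" closes the gap for the current enum, but the table is still positional and the lookup (outside the hunk, presumably `val_types[cval->val_type]`) has no bounds check, so the next enum addition reproduces the out-of-bounds read. That already happens on this page: the scarlett2 patch further down adds `USB_MIXER_BESPOKEN` to the enum in sound/usb/mixer.h without a matching string here. Guarding the lookup with `cval->val_type < ARRAY_SIZE(val_types) ? val_types[cval->val_type] : "UNKNOWN"` and keying the table by the enum constants with designated initializers would make a missing entry harmless. Whether scarlett2 elements are dumped through this function is not visible here.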
--- /dev/null
+From aecc19ec404bdc745c781058ac97a373731c3089 Mon Sep 17 00:00:00 2001
+From: Daehwan Jung <dh10.jung@samsung.com>
+Date: Wed, 16 Jun 2021 18:34:55 +0900
+Subject: ALSA: usb-audio: fix rate on Ozone Z90 USB headset
+
+From: Daehwan Jung <dh10.jung@samsung.com>
+
+commit aecc19ec404bdc745c781058ac97a373731c3089 upstream.
+
+It mislabels its 96 kHz altsetting and that's why it causes some noise
+
+Signed-off-by: Daehwan Jung <dh10.jung@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1623836097-61918-1-git-send-email-dh10.jung@samsung.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/format.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -223,9 +223,11 @@ static int parse_audio_format_rates_v1(s
+ continue;
+ /* C-Media CM6501 mislabels its 96 kHz altsetting */
+ /* Terratec Aureon 7.1 USB C-Media 6206, too */
++ /* Ozone Z90 USB C-Media, too */
+ if (rate == 48000 && nr_rates == 1 &&
+ (chip->usb_id == USB_ID(0x0d8c, 0x0201) ||
+ chip->usb_id == USB_ID(0x0d8c, 0x0102) ||
++ chip->usb_id == USB_ID(0x0d8c, 0x0078) ||
+ chip->usb_id == USB_ID(0x0ccd, 0x00b1)) &&
+ fp->altsetting == 5 && fp->maxpacksize == 392)
+ rate = 96000;
--- /dev/null
+From 785b6f29a795f109685f286b91e0250c206fbffb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 23 Jun 2021 02:30:49 +0930
+Subject: ALSA: usb-audio: scarlett2: Fix wrong resume call
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 785b6f29a795f109685f286b91e0250c206fbffb upstream.
+
+The current way of the scarlett2 mixer code managing the
+usb_mixer_elem_info object is wrong in two ways: it passes its
+internal index to the head.id field, and the val_type field is
+uninitialized. This ended up with the wrong execution at the resume
+because a bogus unit id is passed wrongly. Also, in the later code
+extensions, we'll have more mixer elements, and passing the index will
+overflow the unit id size (of 256).
+
+This patch corrects those issues. It introduces a new value type,
+USB_MIXER_BESPOKEN, which indicates a non-standard mixer element, and
+use this type for all scarlett2 mixer elements, as well as
+initializing the fixed unit id 0 for avoiding the overflow.
+
+Tested-by: Geoffrey D. Bennett <g@b4.vu>
+Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/49721219f45b7e175e729b0d9d9c142fd8f4342a.1624379707.git.g@b4.vu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 3 +++
+ sound/usb/mixer.h | 1 +
+ sound/usb/mixer_scarlett_gen2.c | 7 ++++++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -3606,6 +3606,9 @@ static int restore_mixer_value(struct us
+ struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list);
+ int c, err, idx;
+
++ if (cval->val_type == USB_MIXER_BESPOKEN)
++ return 0;
++
+ if (cval->cmask) {
+ idx = 0;
+ for (c = 0; c < MAX_CHANNELS; c++) {
+--- a/sound/usb/mixer.h
++++ b/sound/usb/mixer.h
+@@ -55,6 +55,7 @@ enum {
+ USB_MIXER_U16,
+ USB_MIXER_S32,
+ USB_MIXER_U32,
++ USB_MIXER_BESPOKEN, /* non-standard type */
+ };
+
+ typedef void (*usb_mixer_elem_dump_func_t)(struct snd_info_buffer *buffer,
+--- a/sound/usb/mixer_scarlett_gen2.c
++++ b/sound/usb/mixer_scarlett_gen2.c
+@@ -949,10 +949,15 @@ static int scarlett2_add_new_ctl(struct
+ if (!elem)
+ return -ENOMEM;
+
++ /* We set USB_MIXER_BESPOKEN type, so that the core USB mixer code
++ * ignores them for resume and other operations.
++ * Also, the head.id field is set to 0, as we don't use this field.
++ */
+ elem->head.mixer = mixer;
+ elem->control = index;
+- elem->head.id = index;
++ elem->head.id = 0;
+ elem->channels = channels;
++ elem->val_type = USB_MIXER_BESPOKEN;
+
+ kctl = snd_ctl_new1(ncontrol, elem);
+ if (!kctl) {
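Review bot: The added comment says the core USB mixer code ignores `USB_MIXER_BESPOKEN` elements "for resume and other operations", but the only core-side check this patch adds is the early return in `restore_mixer_value()`. Either name the paths that actually test the type or narrow the comment, e.g. `/* USB_MIXER_BESPOKEN makes restore_mixer_value() skip these elements on resume. */`, so nobody assumes the generic get/set and proc-dump paths are covered too. The allocation of `elem` is above the hunk; if it does not zero the object, other `usb_mixer_elem_info` fields read by the core would be in the same state `val_type` was before this change.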
--- /dev/null
+From b43ca511178ed0ab6fd2405df28cf9e100273020 Mon Sep 17 00:00:00 2001
+From: Connor Abbott <cwabbott0@gmail.com>
+Date: Fri, 7 May 2021 14:27:33 +0200
+Subject: Bluetooth: btqca: Don't modify firmware contents in-place
+
+From: Connor Abbott <cwabbott0@gmail.com>
+
+commit b43ca511178ed0ab6fd2405df28cf9e100273020 upstream.
+
+struct firmware::data is marked const, and when the firmware is
+compressed with xz (default at least with Fedora) it's mapped read-only
+which results in a crash:
+
+BUG: unable to handle page fault for address: ffffae57c0ca5047
+PGD 100000067 P4D 100000067 PUD 1001ce067 PMD 10165a067 PTE 8000000112bba161
+Oops: 0003 [#1] SMP NOPTI
+CPU: 3 PID: 204 Comm: kworker/u17:0 Not tainted 5.12.1-test+ #1
+Hardware name: Dell Inc. XPS 13 9310/0F7M4C, BIOS 1.2.5 12/10/2020
+Workqueue: hci0 hci_power_on [bluetooth]
+RIP: 0010:qca_download_firmware+0x27c/0x4e0 [btqca]
+Code: 1b 75 04 80 48 0c 01 0f b7 c6 8d 54 02 0c 41 39 d7 0f 8e 62 fe ff ff 48 63 c2 4c 01 e8 0f b7 38 0f b7 70 02 66 83 ff 11 75 d3 <80> 48 0c 80 41 83 fc 03 7e 6e 88 58 0d eb ce 41 0f b6 45 0e 48 8b
+RSP: 0018:ffffae57c08dfc68 EFLAGS: 00010246
+RAX: ffffae57c0ca503b RBX: 000000000000000e RCX: 0000000000000000
+RDX: 0000000000000037 RSI: 0000000000000006 RDI: 0000000000000011
+RBP: ffff978d9949e000 R08: ffff978d84ed7540 R09: ffffae57c0ca5000
+R10: 000000000010cd00 R11: 0000000000000001 R12: 0000000000000005
+R13: ffffae57c0ca5004 R14: ffff978d98ca8680 R15: 00000000000016a9
+FS: 0000000000000000(0000) GS:ffff9794ef6c0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffae57c0ca5047 CR3: 0000000113d5a004 CR4: 0000000000770ee0
+PKRU: 55555554
+Call Trace:
+ qca_uart_setup+0x2cb/0x1390 [btqca]
+ ? qca_read_soc_version+0x136/0x220 [btqca]
+ qca_setup+0x288/0xab0 [hci_uart]
+ hci_dev_do_open+0x1f3/0x780 [bluetooth]
+ ? try_to_wake_up+0x1c1/0x4f0
+ hci_power_on+0x3f/0x200 [bluetooth]
+ process_one_work+0x1ec/0x380
+ worker_thread+0x53/0x3e0
+ ? process_one_work+0x380/0x380
+ kthread+0x11b/0x140
+ ? kthread_associate_blkcg+0xa0/0xa0
+ ret_from_fork+0x1f/0x30
+Modules linked in: llc ip_set nf_tables nfnetlink snd_soc_skl_hda_dsp(+) ip6table_filter snd_soc_hdac_hdmi ip6_tables qrtr_mhi iptable_filter snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic s>
+ dell_wmi_sysman(+) dell_smbios snd dcdbas mhi vfat videobuf2_vmalloc i2c_i801 videobuf2_memops videobuf2_v4l2 dell_wmi_descriptor fat wmi_bmof soundcore i2c_smbus videobuf2_common libarc4 mei_me mei hid_se>
+ i2c_hid_acpi i2c_hid video pinctrl_tigerlake fuse
+CR2: ffffae57c0ca5047
+
+This also seems to fix a failure to suspend due to the firmware
+download on bootup getting interrupted by the crash:
+
+Bluetooth: hci0: SSR or FW download time out
+PM: dpm_run_callback(): acpi_subsys_suspend+0x0/0x60 returns -110
+PM: Device serial0-0 failed to suspend: error -110
+PM: Some devices failed to suspend, or early wake event detected
+
+Fixes: 83e8196 ("Bluetooth: btqca: Introduce generic QCA ROME support")
+Cc: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btqca.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -183,7 +183,7 @@ int qca_send_pre_shutdown_cmd(struct hci
+ EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd);
+
+ static void qca_tlv_check_data(struct qca_fw_config *config,
+- const struct firmware *fw, enum qca_btsoc_type soc_type)
++ u8 *fw_data, enum qca_btsoc_type soc_type)
+ {
+ const u8 *data;
+ u32 type_len;
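Review bot: qca_tlv_check_data() now takes a bare `u8 *fw_data`, so it no longer has any way to learn how many bytes the firmware image holds. The next hunk casts that pointer to `struct tlv_type_hdr *` and derives `length` from the file's own `type_len` field. The rest of the body is outside the hunks, so whether later parsing is bounded some other way cannot be confirmed from here. Passing the size with the buffer, e.g. `u8 *fw_data, size_t fw_size, enum qca_btsoc_type soc_type`, and rejecting images shorter than `sizeof(struct tlv_type_hdr)` before the cast would let the parser check header-declared lengths against the real allocation.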
+@@ -194,7 +194,7 @@ static void qca_tlv_check_data(struct qc
+ struct tlv_type_nvm *tlv_nvm;
+ uint8_t nvm_baud_rate = config->user_baud_rate;
+
+- tlv = (struct tlv_type_hdr *)fw->data;
++ tlv = (struct tlv_type_hdr *)fw_data;
+
+ type_len = le32_to_cpu(tlv->type_len);
+ length = (type_len >> 8) & 0x00ffffff;
+@@ -390,8 +390,9 @@ static int qca_download_firmware(struct
+ enum qca_btsoc_type soc_type)
+ {
+ const struct firmware *fw;
++ u8 *data;
+ const u8 *segment;
+- int ret, remain, i = 0;
++ int ret, size, remain, i = 0;
+
+ bt_dev_info(hdev, "QCA Downloading %s", config->fwname);
+
+@@ -402,10 +403,22 @@ static int qca_download_firmware(struct
+ return ret;
+ }
+
+- qca_tlv_check_data(config, fw, soc_type);
++ size = fw->size;
++ data = vmalloc(fw->size);
++ if (!data) {
++ bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s",
++ config->fwname);
++ release_firmware(fw);
++ return -ENOMEM;
++ }
++
++ memcpy(data, fw->data, size);
++ release_firmware(fw);
++
++ qca_tlv_check_data(config, data, soc_type);
+
+- segment = fw->data;
+- remain = fw->size;
++ segment = data;
++ remain = size;
+ while (remain > 0) {
+ int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain);
+
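Review bot: `size` is declared `int` but is assigned from `fw->size`, and the allocation then uses `fw->size` while `memcpy()` and `remain` use the narrowed `size`. Using one value for both, `data = vmalloc(size);`, after confirming it is positive and fits, keeps the allocation and copy lengths provably equal. An empty firmware file would presumably also reach `vmalloc()` with a zero size here and be reported as `-ENOMEM`. An explicit `if (!fw->size)` rejection with its own message would be clearer. The function starts and ends outside this hunk.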
+@@ -435,7 +448,7 @@ static int qca_download_firmware(struct
+ ret = qca_inject_cmd_complete_event(hdev);
+
+ out:
+- release_firmware(fw);
++ vfree(data);
+
+ return ret;
+ }
--- /dev/null
+From 59f90f1351282ea2dbd0c59098fd9bb2634e920e Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Mon, 3 May 2021 13:06:05 +0300
+Subject: Bluetooth: hci_qca: fix potential GPF
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 59f90f1351282ea2dbd0c59098fd9bb2634e920e upstream.
+
+In qca_power_shutdown() qcadev local variable is
+initialized by hu->serdev.dev private data, but
+hu->serdev can be NULL and there is a check for it.
+
+Since, qcadev is not used before
+
+ if (!hu->serdev)
+ return;
+
+we can move its initialization after this "if" to
+prevent GPF.
+
+Fixes: 5559904ccc08 ("Bluetooth: hci_qca: Add QCA Rome power off support to the qca_power_shutdown()")
+Cc: stable@vger.kernel.org # v5.6+
+Cc: Rocky Liao <rjliao@codeaurora.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_qca.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1835,8 +1835,6 @@ static void qca_power_shutdown(struct hc
+ unsigned long flags;
+ enum qca_btsoc_type soc_type = qca_soc_type(hu);
+
+- qcadev = serdev_device_get_drvdata(hu->serdev);
+-
+ /* From this point we go into power off state. But serial port is
+ * still open, stop queueing the IBS data and flush all the buffered
+ * data in skb's.
+@@ -1852,6 +1850,8 @@ static void qca_power_shutdown(struct hc
+ if (!hu->serdev)
+ return;
+
++ qcadev = serdev_device_get_drvdata(hu->serdev);
++
+ if (qca_is_wcn399x(soc_type)) {
+ host_set_baudrate(hu, 2400);
+ qca_send_power_pulse(hu, false);
--- /dev/null
+From 1c58e933aba23f68c0d3f192f7cc6eed8fabd694 Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Tue, 18 May 2021 16:54:36 +0200
+Subject: Bluetooth: Remove spurious error message
+
+From: Szymon Janc <szymon.janc@codecoup.pl>
+
+commit 1c58e933aba23f68c0d3f192f7cc6eed8fabd694 upstream.
+
+Even with rate limited reporting this is very spammy and since
+it is remote device that is providing bogus data there is no
+need to report this as error.
+
+Since real_len variable was used only to allow conditional error
+message it is now also removed.
+
+[72454.143336] bt_err_ratelimited: 10 callbacks suppressed
+[72454.143337] Bluetooth: hci0: advertising data len corrected
+[72454.296314] Bluetooth: hci0: advertising data len corrected
+[72454.892329] Bluetooth: hci0: advertising data len corrected
+[72455.051319] Bluetooth: hci0: advertising data len corrected
+[72455.357326] Bluetooth: hci0: advertising data len corrected
+[72455.663295] Bluetooth: hci0: advertising data len corrected
+[72455.787278] Bluetooth: hci0: advertising data len corrected
+[72455.942278] Bluetooth: hci0: advertising data len corrected
+[72456.094276] Bluetooth: hci0: advertising data len corrected
+[72456.249137] Bluetooth: hci0: advertising data len corrected
+[72459.416333] bt_err_ratelimited: 13 callbacks suppressed
+[72459.416334] Bluetooth: hci0: advertising data len corrected
+[72459.721334] Bluetooth: hci0: advertising data len corrected
+[72460.011317] Bluetooth: hci0: advertising data len corrected
+[72460.327171] Bluetooth: hci0: advertising data len corrected
+[72460.638294] Bluetooth: hci0: advertising data len corrected
+[72460.946350] Bluetooth: hci0: advertising data len corrected
+[72461.225320] Bluetooth: hci0: advertising data len corrected
+[72461.690322] Bluetooth: hci0: advertising data len corrected
+[72462.118318] Bluetooth: hci0: advertising data len corrected
+[72462.427319] Bluetooth: hci0: advertising data len corrected
+[72464.546319] bt_err_ratelimited: 7 callbacks suppressed
+[72464.546319] Bluetooth: hci0: advertising data len corrected
+[72464.857318] Bluetooth: hci0: advertising data len corrected
+[72465.163332] Bluetooth: hci0: advertising data len corrected
+[72465.278331] Bluetooth: hci0: advertising data len corrected
+[72465.432323] Bluetooth: hci0: advertising data len corrected
+[72465.891334] Bluetooth: hci0: advertising data len corrected
+[72466.045334] Bluetooth: hci0: advertising data len corrected
+[72466.197321] Bluetooth: hci0: advertising data len corrected
+[72466.340318] Bluetooth: hci0: advertising data len corrected
+[72466.498335] Bluetooth: hci0: advertising data len corrected
+[72469.803299] bt_err_ratelimited: 10 callbacks suppressed
+
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=203753
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5441,7 +5441,7 @@ static void process_adv_report(struct hc
+ struct hci_conn *conn;
+ bool match;
+ u32 flags;
+- u8 *ptr, real_len;
++ u8 *ptr;
+
+ switch (type) {
+ case LE_ADV_IND:
+@@ -5472,14 +5472,10 @@ static void process_adv_report(struct hc
+ break;
+ }
+
+- real_len = ptr - data;
+-
+- /* Adjust for actual length */
+- if (len != real_len) {
+- bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u",
+- len, real_len);
+- len = real_len;
+- }
++ /* Adjust for actual length. This handles the case when remote
++ * device is advertising with incorrect data length.
++ */
++ len = ptr - data;
+
+ /* If the direct address is present, then this report is from
+ * a LE Direct Advertising Report event. In that case it is
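Review bot: The new comment above `len = ptr - data;` does not say why the now-unconditional assignment is safe. It stores a pointer difference into `len` (declared outside the hunk), which is only correct if the preceding parsing loop never advances `ptr` past `data + len`. That loop is outside the hunk, so the invariant cannot be confirmed here. If it holds, stating it would help the next reader, e.g. `/* ptr never passes data + len, so this can only shrink len */`.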
--- /dev/null
+From a506abc7b644d71966a75337d5a534f531b3cdc4 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 27 Apr 2021 12:34:04 -0400
+Subject: copy_page_to_iter(): fix ITER_DISCARD case
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a506abc7b644d71966a75337d5a534f531b3cdc4 upstream.
+
+we need to advance the iterator...
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/iov_iter.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -967,9 +967,12 @@ size_t copy_page_to_iter(struct page *pa
+ size_t wanted = copy_to_iter(kaddr + offset, bytes, i);
+ kunmap_atomic(kaddr);
+ return wanted;
+- } else if (unlikely(iov_iter_is_discard(i)))
++ } else if (unlikely(iov_iter_is_discard(i))) {
++ if (unlikely(i->count < bytes))
++ bytes = i->count;
++ i->count -= bytes;
+ return bytes;
+- else if (likely(!iov_iter_is_pipe(i)))
++ } else if (likely(!iov_iter_is_pipe(i)))
+ return copy_page_to_iter_iovec(page, offset, bytes, i);
+ else
+ return copy_page_to_iter_pipe(page, offset, bytes, i);
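Review bot: The `else if` chain in copy_page_to_iter() now mixes braced and unbraced branches: the discard branch gained braces while the iovec and pipe branches after it stay bare. Kernel coding style asks for braces on every branch once one of them needs braces, which also makes later additions to those branches safer. The clamp could be written as `bytes = min(bytes, i->count);` if both operands have the same type (the declaration of `bytes` is outside the hunk). The function starts before the hunk.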
--- /dev/null
+From 5d49d3508b3c67201bd3e1bf7f4ef049111b7051 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 28 Jun 2021 19:14:50 +0800
+Subject: gfs2: Fix error handling in init_statfs
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 5d49d3508b3c67201bd3e1bf7f4ef049111b7051 upstream.
+
+On an error path, init_statfs calls iput(pn) after pn has already been put.
+Fix that by setting pn to NULL after the initial iput.
+
+Fixes: 97fd734ba17e ("gfs2: lookup local statfs inodes prior to journal recovery")
+Cc: stable@vger.kernel.org # v5.10+
+Reported-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -687,6 +687,7 @@ static int init_statfs(struct gfs2_sbd *
+ }
+
+ iput(pn);
++ pn = NULL;
+ ip = GFS2_I(sdp->sd_sc_inode);
+ error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, 0,
+ &sdp->sd_sc_gh);
--- /dev/null
+From d3c51c55cb9274dd43c156f1f26b5eb4d5f2d58c Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 21 Jun 2021 22:28:50 +0200
+Subject: gfs2: Fix underflow in gfs2_page_mkwrite
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit d3c51c55cb9274dd43c156f1f26b5eb4d5f2d58c upstream.
+
+On filesystems with a block size smaller than PAGE_SIZE and non-empty
+files smaller than PAGE_SIZE, gfs2_page_mkwrite could end up allocating
+excess blocks beyond the end of the file, similar to fallocate. This
+doesn't make sense; fix it.
+
+Reported-by: Bob Peterson <rpeterso@redhat.com>
+Fixes: 184b4e60853d ("gfs2: Fix end-of-file handling in gfs2_page_mkwrite")
+Cc: stable@vger.kernel.org # v5.5+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -450,8 +450,8 @@ static vm_fault_t gfs2_page_mkwrite(stru
+ file_update_time(vmf->vma->vm_file);
+
+ /* page is wholly or partially inside EOF */
+- if (offset > size - PAGE_SIZE)
+- length = offset_in_page(size);
++ if (size - offset < PAGE_SIZE)
++ length = size - offset;
+ else
+ length = PAGE_SIZE;
+
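Review bot: The new test `size - offset < PAGE_SIZE` is only meaningful when `offset` is below `size`; otherwise the subtraction wraps (if unsigned) or yields a zero or negative length. The declarations of both variables and any earlier `offset >= size` check are outside the hunk, so this cannot be confirmed here. If such a check exists, extending the existing comment would make the dependency explicit, e.g. `/* offset < size was checked above, so size - offset cannot wrap */`.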
--- /dev/null
+From b9c0ebb867d67cc4e9e1a7a2abf0ac9a2cc02051 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 30 May 2021 21:43:36 -0700
+Subject: Input: elants_i2c - fix NULL dereference at probing
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b9c0ebb867d67cc4e9e1a7a2abf0ac9a2cc02051 upstream.
+
+The recent change in elants_i2c driver to support more chips
+introduced a regression leading to Oops at probing. The driver reads
+id->driver_data, but the id may be NULL depending on the device type
+the driver gets bound.
+
+Replace the driver data extraction with the device_get_match_data()
+helper, and define the driver data in OF table, too.
+
+Fixes: 9517b95bdc46 ("Input: elants_i2c - add support for eKTF3624")
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1186454
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210528071024.26450-1-tiwai@suse.de
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/elants_i2c.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/touchscreen/elants_i2c.c
++++ b/drivers/input/touchscreen/elants_i2c.c
+@@ -1396,7 +1396,7 @@ static int elants_i2c_probe(struct i2c_c
+ init_completion(&ts->cmd_done);
+
+ ts->client = client;
+- ts->chip_id = (enum elants_chip_id)id->driver_data;
++ ts->chip_id = (enum elants_chip_id)(uintptr_t)device_get_match_data(&client->dev);
+ i2c_set_clientdata(client, ts);
+
+ ts->vcc33 = devm_regulator_get(&client->dev, "vcc33");
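Review bot: `device_get_match_data()` returns NULL when the matched table entry carries no data, and the cast on the `ts->chip_id` line turns that NULL into chip id 0 without any check. The OF table in the second hunk now supplies `.data`, but the ACPI table and the I2C id table are outside the hunks, so whether they provide match data cannot be confirmed here. A device bound through one of those would presumably be treated as whichever chip has enum value 0. If that fallback is intended, a short comment saying so would help; otherwise consider using `id->driver_data` when `id` is non-NULL. elants_i2c_probe() continues outside the hunk.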
+@@ -1636,8 +1636,8 @@ MODULE_DEVICE_TABLE(acpi, elants_acpi_id
+
+ #ifdef CONFIG_OF
+ static const struct of_device_id elants_of_match[] = {
+- { .compatible = "elan,ekth3500" },
+- { .compatible = "elan,ektf3624" },
++ { .compatible = "elan,ekth3500", .data = (void *)EKTH3500 },
++ { .compatible = "elan,ektf3624", .data = (void *)EKTF3624 },
+ { /* sentinel */ }
+ };
+ MODULE_DEVICE_TABLE(of, elants_of_match);
--- /dev/null
+From f8f84af5da9ee04ef1d271528656dac42a090d00 Mon Sep 17 00:00:00 2001
+From: Alexander Larkin <avlarkin82@gmail.com>
+Date: Sun, 4 Jul 2021 22:39:36 -0700
+Subject: Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
+
+From: Alexander Larkin <avlarkin82@gmail.com>
+
+commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.
+
+Even though we validate user-provided inputs we then traverse past
+validated data when applying the new map. The issue was originally
+discovered by Murray McAllister with this simple POC (if the following
+is executed by an unprivileged user it will instantly panic the system):
+
+int main(void) {
+ int fd, ret;
+ unsigned int buffer[10000];
+
+ fd = open("/dev/input/js0", O_RDONLY);
+ if (fd == -1)
+ printf("Error opening file\n");
+
+ ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
+ printf("%d\n", ret);
+}
+
+The solution is to traverse internal buffer which is guaranteed to only
+contain valid data when constructing the map.
+
+Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
+Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
+Reported-by: Murray McAllister <murray.mcallister@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
+Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joydev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -499,7 +499,7 @@ static int joydev_handle_JSIOCSBTNMAP(st
+ memcpy(joydev->keypam, keypam, len);
+
+ for (i = 0; i < joydev->nkey; i++)
+- joydev->keymap[keypam[i] - BTN_MISC] = i;
++ joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
+
+ out:
+ kfree(keypam);
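Review bot: The changed loop line needs a comment saying why it must index through `joydev->keypam` rather than the user copy `keypam`, because the two look interchangeable right after the `memcpy()`. Only `len` bytes of `keypam` are copied (and, per the commit message, validated), while the loop runs to `joydev->nkey`, so entries past `len` in the temporary buffer are not trusted data. Suggested comment: `/* index via joydev->keypam: entries beyond len in keypam were never validated */`. The validation loop and the allocation of `keypam` are outside the hunk.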
--- /dev/null
+From 41e81022a04a0294c55cfa7e366bc14b9634c66e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 May 2021 10:02:59 -0700
+Subject: Input: usbtouchscreen - fix control-request directions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 41e81022a04a0294c55cfa7e366bc14b9634c66e upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the four control requests which erroneously used usb_rcvctrlpipe().
+
+Fixes: 1d3e20236d7a ("[PATCH] USB: usbtouchscreen: unified USB touchscreen driver")
+Fixes: 24ced062a296 ("usbtouchscreen: add support for DMC TSC-10/25 devices")
+Fixes: 9e3b25837a20 ("Input: usbtouchscreen - add support for e2i touchscreen controller")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: stable@vger.kernel.org # 2.6.17
+Link: https://lore.kernel.org/r/20210524092048.4443-1-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/usbtouchscreen.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/touchscreen/usbtouchscreen.c
++++ b/drivers/input/touchscreen/usbtouchscreen.c
+@@ -251,7 +251,7 @@ static int e2i_init(struct usbtouch_usb
+ int ret;
+ struct usb_device *udev = interface_to_usbdev(usbtouch->interface);
+
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ 0x01, 0x02, 0x0000, 0x0081,
+ NULL, 0, USB_CTRL_SET_TIMEOUT);
+
+@@ -531,7 +531,7 @@ static int mtouch_init(struct usbtouch_u
+ if (ret)
+ return ret;
+
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ MTOUCHUSB_RESET,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
+@@ -543,7 +543,7 @@ static int mtouch_init(struct usbtouch_u
+ msleep(150);
+
+ for (i = 0; i < 3; i++) {
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ MTOUCHUSB_ASYNC_REPORT,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 1, NULL, 0, USB_CTRL_SET_TIMEOUT);
+@@ -722,7 +722,7 @@ static int dmc_tsc10_init(struct usbtouc
+ }
+
+ /* start sending data */
+- ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0),
++ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+ TSC10_CMD_DATA1,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
--- /dev/null
+From 0e8f0d67401589a141950856902c7d0ec8d9c985 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 2 Jun 2021 14:48:21 -0400
+Subject: [xarray] iov_iter_fault_in_readable() should do nothing in xarray case
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 0e8f0d67401589a141950856902c7d0ec8d9c985 upstream.
+
+... and actually should just check it's given an iovec-backed iterator
+in the first place.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/iov_iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -476,7 +476,7 @@ int iov_iter_fault_in_readable(struct io
+ int err;
+ struct iovec v;
+
+- if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
++ if (iter_is_iovec(i)) {
+ iterate_iovec(i, bytes, v, iov, skip, ({
+ err = fault_in_pages_readable(v.iov_base, v.iov_len);
+ if (unlikely(err))
--- /dev/null
+From c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 7 May 2021 14:50:43 +0200
+Subject: media: dvb-usb: fix wrong definition
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 upstream.
+
+syzbot reported WARNING in vmalloc. The problem
+was in zero size passed to vmalloc.
+
+The root cause was in wrong cxusb_bluebird_lgz201_properties
+definition. adapter array has only 1 entry, but num_adapters was
+2.
+
+Call Trace:
+ __vmalloc_node mm/vmalloc.c:2963 [inline]
+ vmalloc+0x67/0x80 mm/vmalloc.c:2996
+ dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
+ dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
+ dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
+ dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
+ dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
+ cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634
+
+Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB device")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -1947,7 +1947,7 @@ static struct dvb_usb_device_properties
+
+ .size_of_priv = sizeof(struct cxusb_state),
+
+- .num_adapters = 2,
++ .num_adapters = 1,
+ .adapter = {
+ {
+ .num_frontends = 1,
--- /dev/null
+From 122e093c1734361dedb64f65c99b93e28e4624f4 Mon Sep 17 00:00:00 2001
+From: Mike Rapoport <rppt@kernel.org>
+Date: Mon, 28 Jun 2021 19:33:26 -0700
+Subject: mm/page_alloc: fix memory map initialization for descending nodes
+
+From: Mike Rapoport <rppt@linux.ibm.com>
+
+commit 122e093c1734361dedb64f65c99b93e28e4624f4 upstream.
+
+On systems with memory nodes sorted in descending order, for instance Dell
+Precision WorkStation T5500, the struct pages for higher PFNs and
+respectively lower nodes, could be overwritten by the initialization of
+struct pages corresponding to the holes in the memory sections.
+
+For example for the below memory layout
+
+[ 0.245624] Early memory node ranges
+[ 0.248496] node 1: [mem 0x0000000000001000-0x0000000000090fff]
+[ 0.251376] node 1: [mem 0x0000000000100000-0x00000000dbdf8fff]
+[ 0.254256] node 1: [mem 0x0000000100000000-0x0000001423ffffff]
+[ 0.257144] node 0: [mem 0x0000001424000000-0x0000002023ffffff]
+
+the range 0x1424000000 - 0x1428000000 in the beginning of node 0 starts in
+the middle of a section and will be considered as a hole during the
+initialization of the last section in node 1.
+
+The wrong initialization of the memory map causes panic on boot when
+CONFIG_DEBUG_VM is enabled.
+
+Reorder loop order of the memory map initialization so that the outer loop
+will always iterate over populated memory regions in the ascending order
+and the inner loop will select the zone corresponding to the PFN range.
+
+This way initialization of the struct pages for the memory holes will be
+always done for the ranges that are actually not populated.
+
+[akpm@linux-foundation.org: coding style fixes]
+
+Link: https://lkml.kernel.org/r/YNXlMqBbL+tBG7yq@kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213073
+Link: https://lkml.kernel.org/r/20210624062305.10940-1-rppt@kernel.org
+Fixes: 0740a50b9baa ("mm/page_alloc.c: refactor initialization of struct page for holes in memory layout")
+Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Boris Petkov <bp@alien8.de>
+Cc: Robert Shteynfeld <robert.shteynfeld@gmail.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mm.h | 1
+ mm/page_alloc.c | 96 ++++++++++++++++++++++++++++++++---------------------
+ 2 files changed, 59 insertions(+), 38 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2474,7 +2474,6 @@ extern void set_dma_reserve(unsigned lon
+ extern void memmap_init_range(unsigned long, int, unsigned long,
+ unsigned long, unsigned long, enum meminit_context,
+ struct vmem_altmap *, int migratetype);
+-extern void memmap_init_zone(struct zone *zone);
+ extern void setup_per_zone_wmarks(void);
+ extern int __meminit init_per_zone_wmark_min(void);
+ extern void mem_init(void);
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -6400,7 +6400,7 @@ void __ref memmap_init_zone_device(struc
+ return;
+
+ /*
+- * The call to memmap_init_zone should have already taken care
++ * The call to memmap_init should have already taken care
+ * of the pages reserved for the memmap, so we can just jump to
+ * the end of that region and start processing the device pages.
+ */
+@@ -6465,7 +6465,7 @@ static void __meminit zone_init_free_lis
+ /*
+ * Only struct pages that correspond to ranges defined by memblock.memory
+ * are zeroed and initialized by going through __init_single_page() during
+- * memmap_init_zone().
++ * memmap_init_zone_range().
+ *
+ * But, there could be struct pages that correspond to holes in
+ * memblock.memory. This can happen because of the following reasons:
+@@ -6484,9 +6484,9 @@ static void __meminit zone_init_free_lis
+ * zone/node above the hole except for the trailing pages in the last
+ * section that will be appended to the zone/node below.
+ */
+-static u64 __meminit init_unavailable_range(unsigned long spfn,
+- unsigned long epfn,
+- int zone, int node)
++static void __init init_unavailable_range(unsigned long spfn,
++ unsigned long epfn,
++ int zone, int node)
+ {
+ unsigned long pfn;
+ u64 pgcnt = 0;
+@@ -6502,56 +6502,77 @@ static u64 __meminit init_unavailable_ra
+ pgcnt++;
+ }
+
+- return pgcnt;
++ if (pgcnt)
++ pr_info("On node %d, zone %s: %lld pages in unavailable ranges",
++ node, zone_names[zone], pgcnt);
+ }
+ #else
+-static inline u64 init_unavailable_range(unsigned long spfn, unsigned long epfn,
+- int zone, int node)
++static inline void init_unavailable_range(unsigned long spfn,
++ unsigned long epfn,
++ int zone, int node)
+ {
+- return 0;
+ }
+ #endif
+
+-void __meminit __weak memmap_init_zone(struct zone *zone)
++static void __init memmap_init_zone_range(struct zone *zone,
++ unsigned long start_pfn,
++ unsigned long end_pfn,
++ unsigned long *hole_pfn)
+ {
+ unsigned long zone_start_pfn = zone->zone_start_pfn;
+ unsigned long zone_end_pfn = zone_start_pfn + zone->spanned_pages;
+- int i, nid = zone_to_nid(zone), zone_id = zone_idx(zone);
+- static unsigned long hole_pfn;
++ int nid = zone_to_nid(zone), zone_id = zone_idx(zone);
++
++ start_pfn = clamp(start_pfn, zone_start_pfn, zone_end_pfn);
++ end_pfn = clamp(end_pfn, zone_start_pfn, zone_end_pfn);
++
++ if (start_pfn >= end_pfn)
++ return;
++
++ memmap_init_range(end_pfn - start_pfn, nid, zone_id, start_pfn,
++ zone_end_pfn, MEMINIT_EARLY, NULL, MIGRATE_MOVABLE);
++
++ if (*hole_pfn < start_pfn)
++ init_unavailable_range(*hole_pfn, start_pfn, zone_id, nid);
++
++ *hole_pfn = end_pfn;
++}
++
++static void __init memmap_init(void)
++{
+ unsigned long start_pfn, end_pfn;
+- u64 pgcnt = 0;
++ unsigned long hole_pfn = 0;
++ int i, j, zone_id, nid;
+
+- for_each_mem_pfn_range(i, nid, &start_pfn, &end_pfn, NULL) {
+- start_pfn = clamp(start_pfn, zone_start_pfn, zone_end_pfn);
+- end_pfn = clamp(end_pfn, zone_start_pfn, zone_end_pfn);
++ for_each_mem_pfn_range(i, MAX_NUMNODES, &start_pfn, &end_pfn, &nid) {
++ struct pglist_data *node = NODE_DATA(nid);
++
++ for (j = 0; j < MAX_NR_ZONES; j++) {
++ struct zone *zone = node->node_zones + j;
++
++ if (!populated_zone(zone))
++ continue;
+
+- if (end_pfn > start_pfn)
+- memmap_init_range(end_pfn - start_pfn, nid,
+- zone_id, start_pfn, zone_end_pfn,
+- MEMINIT_EARLY, NULL, MIGRATE_MOVABLE);
+-
+- if (hole_pfn < start_pfn)
+- pgcnt += init_unavailable_range(hole_pfn, start_pfn,
+- zone_id, nid);
+- hole_pfn = end_pfn;
++ memmap_init_zone_range(zone, start_pfn, end_pfn,
++ &hole_pfn);
++ zone_id = j;
++ }
+ }
+
+ #ifdef CONFIG_SPARSEMEM
+ /*
+- * Initialize the hole in the range [zone_end_pfn, section_end].
+- * If zone boundary falls in the middle of a section, this hole
+- * will be re-initialized during the call to this function for the
+- * higher zone.
++ * Initialize the memory map for hole in the range [memory_end,
++ * section_end].
++ * Append the pages in this hole to the highest zone in the last
++ * node.
++ * The call to init_unavailable_range() is outside the ifdef to
++ * silence the compiler warining about zone_id set but not used;
++ * for FLATMEM it is a nop anyway
+ */
+- end_pfn = round_up(zone_end_pfn, PAGES_PER_SECTION);
++ end_pfn = round_up(end_pfn, PAGES_PER_SECTION);
+ if (hole_pfn < end_pfn)
+- pgcnt += init_unavailable_range(hole_pfn, end_pfn,
+- zone_id, nid);
+ #endif
+-
+- if (pgcnt)
+- pr_info(" %s zone: %llu pages in unavailable ranges\n",
+- zone->name, pgcnt);
++ init_unavailable_range(hole_pfn, end_pfn, zone_id, nid);
+ }
+
+ static int zone_batchsize(struct zone *zone)
+@@ -7254,7 +7275,6 @@ static void __init free_area_init_core(s
+ set_pageblock_order();
+ setup_usemap(zone);
+ init_currently_empty_zone(zone, zone->zone_start_pfn, size);
+- memmap_init_zone(zone);
+ }
+ }
+
+@@ -7780,6 +7800,8 @@ void __init free_area_init(unsigned long
+ node_set_state(nid, N_MEMORY);
+ check_for_memory(pgdat, nid);
+ }
++
++ memmap_init();
+ }
+
+ static int __init cmdline_parse_core(char *p, unsigned long *core,
--- /dev/null
+From ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 17 Jun 2021 21:51:30 +0300
+Subject: net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 upstream.
+
+In ems_usb_disconnect() dev pointer, which is netdev private data, is
+used after free_candev() call:
+| if (dev) {
+| unregister_netdev(dev->netdev);
+| free_candev(dev->netdev);
+|
+| unlink_all_urbs(dev);
+|
+| usb_free_urb(dev->intr_urb);
+|
+| kfree(dev->intr_in_buffer);
+| kfree(dev->tx_msg_buffer);
+| }
+
+Fix it by simply moving free_candev() at the end of the block.
+
+Fail log:
+| BUG: KASAN: use-after-free in ems_usb_disconnect
+| Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895
+|
+| CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164
+| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4
+| Workqueue: usb_hub_wq hub_event
+| Call Trace:
+| dump_stack (lib/dump_stack.c:122)
+| print_address_description.constprop.0.cold (mm/kasan/report.c:234)
+| kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436)
+| ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058)
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/ems_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1053,7 +1053,6 @@ static void ems_usb_disconnect(struct us
+
+ if (dev) {
+ unregister_netdev(dev->netdev);
+- free_candev(dev->netdev);
+
+ unlink_all_urbs(dev);
+
+@@ -1061,6 +1060,8 @@ static void ems_usb_disconnect(struct us
+
+ kfree(dev->intr_in_buffer);
+ kfree(dev->tx_msg_buffer);
++
++ free_candev(dev->netdev);
+ }
+ }
+
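Review bot: The moved `free_candev(dev->netdev)` now depends on a lifetime rule that the code itself never states: per the commit message `dev` is the netdev's private data, so every use of `dev` has to come before that call. A short comment directly above it, for example `/* dev is netdev private data: free the netdev last */`, would stop a later cleanup step from being appended after the free. ems_usb_disconnect() starts above the first hunk, so the earlier part of the teardown is not visible here.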
--- /dev/null
+From d98e4d95411bbde2220a7afa38dcc9c14d71acbe Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Date: Mon, 28 Jun 2021 19:33:52 -0700
+Subject: ntfs: fix validity check for file name attribute
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+commit d98e4d95411bbde2220a7afa38dcc9c14d71acbe upstream.
+
+When checking the file name attribute, we want to ensure that it fits
+within the bounds of ATTR_RECORD. To do this, we should check that (attr
+record + file name offset + file name length) < (attr record + attr record
+length).
+
+However, the original check did not include the file name offset in the
+calculation. This means that corrupted on-disk metadata might not caught
+by the incorrect file name check, and lead to an invalid memory access.
+
+An example can be seen in the crash report of a memory corruption error
+found by Syzbot:
+https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246
+
+Adding the file name offset to the validity check fixes this error and
+passes the Syzbot reproducer test.
+
+Link: https://lkml.kernel.org/r/20210614050540.289494-1-desmondcheongzx@gmail.com
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
+Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
+Acked-by: Anton Altaparmakov <anton@tuxera.com>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ntfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ntfs/inode.c
++++ b/fs/ntfs/inode.c
+@@ -477,7 +477,7 @@ err_corrupt_attr:
+ }
+ file_name_attr = (FILE_NAME_ATTR*)((u8*)attr +
+ le16_to_cpu(attr->data.resident.value_offset));
+- p2 = (u8*)attr + le32_to_cpu(attr->data.resident.value_length);
++ p2 = (u8 *)file_name_attr + le32_to_cpu(attr->data.resident.value_length);
+ if (p2 < (u8*)attr || p2 > p)
+ goto err_corrupt_attr;
+ /* This attribute is ok, but is it in the $Extend directory? */
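Review bot: The lower bound in `if (p2 < (u8*)attr || p2 > p)` still compares against `attr`, although `p2` is now derived from `file_name_attr`. With a 32-bit `value_length` taken from disk, a wrapped `p2` on a 32-bit build could land between `attr` and `file_name_attr` and pass; `if (p2 < (u8 *)file_name_attr || p2 > p)` rejects that case as well. The check also bounds only the end of the value; whether `value_length` is large enough for the `FILE_NAME_ATTR` fields read afterwards cannot be judged from this hunk, since the code continues outside it.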
--- /dev/null
+From 04831e892b41618914b2123ae3b4fa77252e8656 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 23 Jun 2021 13:39:28 -0700
+Subject: selftests/lkdtm: Avoid needing explicit sub-shell
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 04831e892b41618914b2123ae3b4fa77252e8656 upstream.
+
+Some environments do not set $SHELL when running tests. There's no
+need to use $SHELL here anyway, since "cat" can be used to receive any
+delivered signals from the kernel. Additionally avoid using bash-isms
+in the command, and record stderr for posterity.
+
+Fixes: 46d1a0f03d66 ("selftests/lkdtm: Add tests for LKDTM targets")
+Cc: stable@vger.kernel.org
+Suggested-by: Guillaume Tucker <guillaume.tucker@collabora.com>
+Suggested-by: David Laight <David.Laight@ACULAB.COM>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210623203936.3151093-2-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/lkdtm/run.sh | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/lkdtm/run.sh
++++ b/tools/testing/selftests/lkdtm/run.sh
+@@ -76,10 +76,14 @@ fi
+ # Save existing dmesg so we can detect new content below
+ dmesg > "$DMESG"
+
+-# Most shells yell about signals and we're expecting the "cat" process
+-# to usually be killed by the kernel. So we have to run it in a sub-shell
+-# and silence errors.
+-($SHELL -c 'cat <(echo '"$test"') >'"$TRIGGER" 2>/dev/null) || true
++# Since the kernel is likely killing the process writing to the trigger
++# file, it must not be the script's shell itself. i.e. we cannot do:
++# echo "$test" >"$TRIGGER"
++# Instead, use "cat" to take the signal. Since the shell will yell about
++# the signal that killed the subprocess, we must ignore the failure and
++# continue. However we don't silence stderr since there might be other
++# useful details reported there in the case of other unexpected conditions.
++echo "$test" | cat >"$TRIGGER" || true
+
+ # Record and dump the results
+ dmesg | comm --nocheck-order -13 "$DMESG" - > "$LOG" || true
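Review bot: `echo "$test"` is the one non-portable piece left in a line that is meant to avoid shell-specific behaviour: POSIX leaves echo's treatment of backslashes and of a leading `-n` to the implementation. `printf '%s\n' "$test" | cat >"$TRIGGER" || true` writes the same bytes under any /bin/sh. Separately, `|| true` also hides a failed open of `$TRIGGER`; the comment should say whether the dmesg comparison further down is relied on to catch that case.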
+bluetooth-hci_qca-fix-potential-gpf.patch
+bluetooth-btqca-don-t-modify-firmware-contents-in-place.patch
+bluetooth-remove-spurious-error-message.patch
+alsa-bebob-fix-rx-packet-format-for-yamaha-go44-go46-terratec-phase-24-x24.patch
+alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch
+alsa-usb-audio-fix-oob-access-at-proc-output.patch
+alsa-firewire-motu-fix-stream-format-for-motu-8pre-firewire.patch
+alsa-usb-audio-scarlett2-fix-wrong-resume-call.patch
+alsa-intel8x0-fix-breakage-at-ac97-clock-measurement.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-450-g8.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-445-g8.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-630-g8.patch
+alsa-hda-realtek-add-another-alc236-variant-support.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-x360-830-g8.patch
+alsa-hda-realtek-improve-fixup-for-hp-spectre-x360-15-df0xxx.patch
+alsa-hda-realtek-fix-bass-speaker-dac-mapping-for-asus-um431d.patch
+alsa-hda-realtek-apply-led-fixup-for-hp-dragonfly-g1-too.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-830-g8-notebook-pc.patch
+alsa-hda-realtek-fix-mute-led-of-the-hp-pavilion-15-eh1xxx-series.patch
+media-dvb-usb-fix-wrong-definition.patch
+input-usbtouchscreen-fix-control-request-directions.patch
+net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch
+usb-gadget-eem-fix-echo-command-packet-response-issue.patch
+usb-renesas-xhci-fix-handling-of-unknown-rom-state.patch
+usb-cdc-acm-blacklist-heimann-usb-appset-device.patch
+usb-dwc3-fix-debugfs-creation-flow.patch
+usb-typec-tcpci-fix-up-sink-disconnect-thresholds-for-pd.patch
+usb-typec-tcpm-relax-disconnect-threshold-during-power-negotiation.patch
+usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch
+xhci-solve-a-double-free-problem-while-doing-s4.patch
+mm-page_alloc-fix-memory-map-initialization-for-descending-nodes.patch
+gfs2-fix-underflow-in-gfs2_page_mkwrite.patch
+gfs2-fix-error-handling-in-init_statfs.patch
+ntfs-fix-validity-check-for-file-name-attribute.patch
+selftests-lkdtm-avoid-needing-explicit-sub-shell.patch
+copy_page_to_iter-fix-iter_discard-case.patch
+teach-copy_page_to_iter-to-handle-compound-pages.patch
+iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch
+input-elants_i2c-fix-null-dereference-at-probing.patch
+input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch
--- /dev/null
+From 08aa64796016cb47b2ef3d0924653b4d944b0d65 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 29 Apr 2021 20:42:25 -0400
+Subject: teach copy_page_to_iter() to handle compound pages
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 08aa64796016cb47b2ef3d0924653b4d944b0d65 upstream.
+
+ In situation when copy_page_to_iter() got a compound page the current
+code would only work on systems with no CONFIG_HIGHMEM. It *is* the majority
+of real-world setups, or we would've drown in bug reports by now. Still needs
+fixing.
+
+ Current variant works for solitary page; rename that to
+__copy_page_to_iter() and turn the handling of compound pages into a loop over
+subpages.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/iov_iter.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -957,11 +957,9 @@ static inline bool page_copy_sane(struct
+ return false;
+ }
+
+-size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
++static size_t __copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
+ struct iov_iter *i)
+ {
+- if (unlikely(!page_copy_sane(page, offset, bytes)))
+- return 0;
+ if (i->type & (ITER_BVEC | ITER_KVEC | ITER_XARRAY)) {
+ void *kaddr = kmap_atomic(page);
+ size_t wanted = copy_to_iter(kaddr + offset, bytes, i);
+@@ -977,6 +975,30 @@ size_t copy_page_to_iter(struct page *pa
+ else
+ return copy_page_to_iter_pipe(page, offset, bytes, i);
+ }
++
++size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
++ struct iov_iter *i)
++{
++ size_t res = 0;
++ if (unlikely(!page_copy_sane(page, offset, bytes)))
++ return 0;
++ page += offset / PAGE_SIZE; // first subpage
++ offset %= PAGE_SIZE;
++ while (1) {
++ size_t n = __copy_page_to_iter(page, offset,
++ min(bytes, (size_t)PAGE_SIZE - offset), i);
++ res += n;
++ bytes -= n;
++ if (!bytes || !n)
++ break;
++ offset += n;
++ if (offset == PAGE_SIZE) {
++ page++;
++ offset = 0;
++ }
++ }
++ return res;
++}
+ EXPORT_SYMBOL(copy_page_to_iter);
+
+ size_t copy_page_from_iter(struct page *page, size_t offset, size_t bytes,
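Review bot: The subpage walk in the new copy_page_to_iter() uses raw pointer arithmetic (`page += offset / PAGE_SIZE` and `page++`), which assumes the struct pages of a compound page are contiguous in the memmap. If callers can pass a compound page large enough to cross a memory-section boundary on a configuration without a virtually contiguous memmap, `nth_page()` would be the safe form; if not, a comment stating the assumption is enough. The loop also depends on page_copy_sane() having bounded `offset + bytes` to the compound page, and that helper's body is outside this hunk. Kernel style wants a blank line after `size_t res = 0;`.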
--- /dev/null
+From 4897807753e078655a78de39ed76044d784f3e63 Mon Sep 17 00:00:00 2001
+From: Hannu Hartikainen <hannu@hrtk.in>
+Date: Tue, 22 Jun 2021 17:14:54 +0300
+Subject: USB: cdc-acm: blacklist Heimann USB Appset device
+
+From: Hannu Hartikainen <hannu@hrtk.in>
+
+commit 4897807753e078655a78de39ed76044d784f3e63 upstream.
+
+The device (32a7:0000 Heimann Sensor GmbH USB appset demo) claims to be
+a CDC-ACM device in its descriptors but in fact is not. If it is run
+with echo disabled it returns garbled data, probably due to something
+that happens in the TTY layer. And when run with echo enabled (the
+default), it will mess up the calibration data of the sensor the first
+time any data is sent to the device.
+
+In short, I had a bad time after connecting the sensor and trying to get
+it to work. I hope blacklisting it in the cdc-acm driver will save
+someone else a bit of trouble.
+
+Signed-off-by: Hannu Hartikainen <hannu@hrtk.in>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210622141454.337948-1-hannu@hrtk.in
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1959,6 +1959,11 @@ static const struct usb_device_id acm_id
+ .driver_info = IGNORE_DEVICE,
+ },
+
++ /* Exclude Heimann Sensor GmbH USB appset demo */
++ { USB_DEVICE(0x32a7, 0x0000),
++ .driver_info = IGNORE_DEVICE,
++ },
++
+ /* control interfaces without any protocol set */
+ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
+ USB_CDC_PROTO_NONE) },
--- /dev/null
+From 84524d1232ecca7cf8678e851b254f05cff4040a Mon Sep 17 00:00:00 2001
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Date: Thu, 17 Jun 2021 09:55:24 -0700
+Subject: usb: dwc3: Fix debugfs creation flow
+
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+
+commit 84524d1232ecca7cf8678e851b254f05cff4040a upstream.
+
+Creation EP's debugfs called earlier than debugfs folder for dwc3
+device created. As result EP's debugfs are created in '/sys/kernel/debug'
+instead of '/sys/kernel/debug/usb/dwc3.1.auto'.
+
+Moved dwc3_debugfs_init() function call before calling
+dwc3_core_init_mode() to allow create dwc3 debugfs parent before
+creating EP's debugfs's.
+
+Fixes: 8d396bb0a5b6 ("usb: dwc3: debugfs: Add and remove endpoint dirs dynamically")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Link: https://lore.kernel.org/r/01fafb5b2d8335e98e6eadbac61fc796bdf3ec1a.1623948457.git.Minas.Harutyunyan@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1616,17 +1616,18 @@ static int dwc3_probe(struct platform_de
+ }
+
+ dwc3_check_params(dwc);
++ dwc3_debugfs_init(dwc);
+
+ ret = dwc3_core_init_mode(dwc);
+ if (ret)
+ goto err5;
+
+- dwc3_debugfs_init(dwc);
+ pm_runtime_put(dev);
+
+ return 0;
+
+ err5:
++ dwc3_debugfs_exit(dwc);
+ dwc3_event_buffers_cleanup(dwc);
+
+ usb_phy_shutdown(dwc->usb2_phy);
--- /dev/null
+From 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Mon Sep 17 00:00:00 2001
+From: Linyu Yuan <linyyuan@codeaurora.com>
+Date: Wed, 16 Jun 2021 19:51:42 +0800
+Subject: usb: gadget: eem: fix echo command packet response issue
+
+From: Linyu Yuan <linyyuan@codeaurora.com>
+
+commit 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 upstream.
+
+when receive eem echo command, it will send a response,
+but queue this response to the usb request which allocate
+from gadget device endpoint zero,
+and transmit the request to IN endpoint of eem interface.
+
+on dwc3 gadget, it will trigger following warning in function
+__dwc3_gadget_ep_queue(),
+
+ if (WARN(req->dep != dep, "request %pK belongs to '%s'\n",
+ &req->request, req->dep->name))
+ return -EINVAL;
+
+fix it by allocating a usb request from IN endpoint of eem interface,
+and transmit the usb request to same IN endpoint of eem interface.
+
+Signed-off-by: Linyu Yuan <linyyuan@codeaurora.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210616115142.34075-1-linyyuan@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_eem.c | 43 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 39 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_eem.c
++++ b/drivers/usb/gadget/function/f_eem.c
+@@ -30,6 +30,11 @@ struct f_eem {
+ u8 ctrl_id;
+ };
+
++struct in_context {
++ struct sk_buff *skb;
++ struct usb_ep *ep;
++};
++
+ static inline struct f_eem *func_to_eem(struct usb_function *f)
+ {
+ return container_of(f, struct f_eem, port.func);
+@@ -320,9 +325,12 @@ fail:
+
+ static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req)
+ {
+- struct sk_buff *skb = (struct sk_buff *)req->context;
++ struct in_context *ctx = req->context;
+
+- dev_kfree_skb_any(skb);
++ dev_kfree_skb_any(ctx->skb);
++ kfree(req->buf);
++ usb_ep_free_request(ctx->ep, req);
++ kfree(ctx);
+ }
+
+ /*
+@@ -410,7 +418,9 @@ static int eem_unwrap(struct gether *por
+ * b15: bmType (0 == data, 1 == command)
+ */
+ if (header & BIT(15)) {
+- struct usb_request *req = cdev->req;
++ struct usb_request *req;
++ struct in_context *ctx;
++ struct usb_ep *ep;
+ u16 bmEEMCmd;
+
+ /* EEM command packet format:
+@@ -439,11 +449,36 @@ static int eem_unwrap(struct gether *por
+ skb_trim(skb2, len);
+ put_unaligned_le16(BIT(15) | BIT(11) | len,
+ skb_push(skb2, 2));
++
++ ep = port->in_ep;
++ req = usb_ep_alloc_request(ep, GFP_ATOMIC);
++ if (!req) {
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++
++ req->buf = kmalloc(skb2->len, GFP_KERNEL);
++ if (!req->buf) {
++ usb_ep_free_request(ep, req);
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++
++ ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
++ if (!ctx) {
++ kfree(req->buf);
++ usb_ep_free_request(ep, req);
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++ ctx->skb = skb2;
++ ctx->ep = ep;
++
+ skb_copy_bits(skb2, 0, req->buf, skb2->len);
+ req->length = skb2->len;
+ req->complete = eem_cmd_complete;
+ req->zero = 1;
+- req->context = skb2;
++ req->context = ctx;
+ if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC))
+ DBG(cdev, "echo response queue fail\n");
+ break;
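Review bot: When `usb_ep_queue()` fails, the new code only logs, so the request, `req->buf`, `ctx` and `skb2` are never released; the completion callback is normally not invoked for a request that was never queued. Releasing them in that branch, e.g. `if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC)) { DBG(cdev, "echo response queue fail\n"); eem_cmd_complete(ep, req); }`, closes the leak. The two `kmalloc(..., GFP_KERNEL)` calls also sit between a `GFP_ATOMIC` request allocation and a `GFP_ATOMIC` queue call; if eem_unwrap() can run in atomic context, as those flags suggest, both should be `GFP_ATOMIC`. eem_unwrap() begins and ends outside this hunk.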
--- /dev/null
+From d143825baf15f204dac60acdf95e428182aa3374 Mon Sep 17 00:00:00 2001
+From: Moritz Fischer <mdf@kernel.org>
+Date: Tue, 15 Jun 2021 08:37:58 -0700
+Subject: usb: renesas-xhci: Fix handling of unknown ROM state
+
+From: Moritz Fischer <mdf@kernel.org>
+
+commit d143825baf15f204dac60acdf95e428182aa3374 upstream.
+
+The ROM load sometimes seems to return an unknown status
+(RENESAS_ROM_STATUS_NO_RESULT) instead of success / fail.
+
+If the ROM load indeed failed this leads to failures when trying to
+communicate with the controller later on.
+
+Attempt to load firmware using RAM load in those cases.
+
+Fixes: 2478be82de44 ("usb: renesas-xhci: Add ROM loader for uPD720201")
+Cc: stable@vger.kernel.org
+Cc: Mathias Nyman <mathias.nyman@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Vinod Koul <vkoul@kernel.org>
+Tested-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Link: https://lore.kernel.org/r/20210615153758.253572-1-mdf@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci-renesas.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci-renesas.c
++++ b/drivers/usb/host/xhci-pci-renesas.c
+@@ -207,7 +207,8 @@ static int renesas_check_rom_state(struc
+ return 0;
+
+ case RENESAS_ROM_STATUS_NO_RESULT: /* No result yet */
+- return 0;
++ dev_dbg(&pdev->dev, "Unknown ROM status ...\n");
++ break;
+
+ case RENESAS_ROM_STATUS_ERROR: /* Error State */
+ default: /* All other states are marked as "Reserved states" */
+@@ -224,13 +225,12 @@ static int renesas_fw_check_running(stru
+ u8 fw_state;
+ int err;
+
+- /* Check if device has ROM and loaded, if so skip everything */
+- err = renesas_check_rom(pdev);
+- if (err) { /* we have rom */
+- err = renesas_check_rom_state(pdev);
+- if (!err)
+- return err;
+- }
++ /*
++ * Only if device has ROM and loaded FW we can skip loading and
++ * return success. Otherwise (even unknown state), attempt to load FW.
++ */
++ if (renesas_check_rom(pdev) && !renesas_check_rom_state(pdev))
++ return 0;
+
+ /*
+ * Test if the device is actually needing the firmware. As most
--- /dev/null
+From 03026197bb657d784220b040c6173267a0375741 Mon Sep 17 00:00:00 2001
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Date: Thu, 17 Jun 2021 15:32:26 +0800
+Subject: usb: typec: Add the missed altmode_id_remove() in typec_register_altmode()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+commit 03026197bb657d784220b040c6173267a0375741 upstream.
+
+typec_register_altmode() misses to call altmode_id_remove() in an error
+path. Add the missed function call to fix it.
+
+Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Link: https://lore.kernel.org/r/20210617073226.47599-1-jingxiangfeng@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/class.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -517,8 +517,10 @@ typec_register_altmode(struct device *pa
+ int ret;
+
+ alt = kzalloc(sizeof(*alt), GFP_KERNEL);
+- if (!alt)
++ if (!alt) {
++ altmode_id_remove(parent, id);
+ return ERR_PTR(-ENOMEM);
++ }
+
+ alt->adev.svid = desc->svid;
+ alt->adev.mode = desc->mode;
--- /dev/null
+From 4288debeaa4e21d8dd5132739ffba2d343892bbf Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan <badhri@google.com>
+Date: Tue, 15 Jun 2021 10:43:23 -0700
+Subject: usb: typec: tcpci: Fix up sink disconnect thresholds for PD
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+commit 4288debeaa4e21d8dd5132739ffba2d343892bbf upstream.
+
+"Table 4-3 VBUS Sink Characteristics" of "Type-C Cable and Connector
+Specification" defines the disconnect voltage thresholds of various
+configurations. This change fixes the disconnect threshold voltage
+calculation based on vSinkPD_min and vSinkDisconnectPD as defined
+by the table.
+
+Fixes: e1a97bf80a022 ("usb: typec: tcpci: Implement Auto discharge disconnect callbacks")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Link: https://lore.kernel.org/r/20210615174323.1160132-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/tcpci.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpci.c
++++ b/drivers/usb/typec/tcpm/tcpci.c
+@@ -21,8 +21,12 @@
+ #define PD_RETRY_COUNT_DEFAULT 3
+ #define PD_RETRY_COUNT_3_0_OR_HIGHER 2
+ #define AUTO_DISCHARGE_DEFAULT_THRESHOLD_MV 3500
+-#define AUTO_DISCHARGE_PD_HEADROOM_MV 850
+-#define AUTO_DISCHARGE_PPS_HEADROOM_MV 1250
++#define VSINKPD_MIN_IR_DROP_MV 750
++#define VSRC_NEW_MIN_PERCENT 95
++#define VSRC_VALID_MIN_MV 500
++#define VPPS_NEW_MIN_PERCENT 95
++#define VPPS_VALID_MIN_MV 100
++#define VSINKDISCONNECT_PD_MIN_PERCENT 90
+
+ #define tcpc_presenting_rd(reg, cc) \
+ (!(TCPC_ROLE_CTRL_DRP & (reg)) && \
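Review bot: The six new threshold constants are bare numbers with no pointer to where they come from, while the commit message names the source as "Table 4-3 VBUS Sink Characteristics" of the Type-C specification. A comment above the block, such as `/* vSinkPD_min / vSinkDisconnectPD terms, Type-C spec Table 4-3 (mV and percent) */`, would let a reader check the threshold formula in the next hunk against the table. `VSRC_NEW_MIN_PERCENT` and `VPPS_NEW_MIN_PERCENT` are both 95; if that is what the table specifies, the comment should say so, so the duplication is not mistaken for a copy-paste slip.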
+@@ -324,11 +328,13 @@ static int tcpci_set_auto_vbus_discharge
+ threshold = AUTO_DISCHARGE_DEFAULT_THRESHOLD_MV;
+ } else if (mode == TYPEC_PWR_MODE_PD) {
+ if (pps_active)
+- threshold = (95 * requested_vbus_voltage_mv / 100) -
+- AUTO_DISCHARGE_PD_HEADROOM_MV;
++ threshold = ((VPPS_NEW_MIN_PERCENT * requested_vbus_voltage_mv / 100) -
++ VSINKPD_MIN_IR_DROP_MV - VPPS_VALID_MIN_MV) *
++ VSINKDISCONNECT_PD_MIN_PERCENT / 100;
+ else
+- threshold = (95 * requested_vbus_voltage_mv / 100) -
+- AUTO_DISCHARGE_PPS_HEADROOM_MV;
++ threshold = ((VSRC_NEW_MIN_PERCENT * requested_vbus_voltage_mv / 100) -
++ VSINKPD_MIN_IR_DROP_MV - VSRC_VALID_MIN_MV) *
++ VSINKDISCONNECT_PD_MIN_PERCENT / 100;
+ } else {
+ /* 3.5V for non-pd sink */
+ threshold = AUTO_DISCHARGE_DEFAULT_THRESHOLD_MV;
--- /dev/null
+From 2b537cf877eae6d2f2f102052290676e40b74a1d Mon Sep 17 00:00:00 2001
+From: Kyle Tso <kyletso@google.com>
+Date: Wed, 16 Jun 2021 17:01:02 +0800
+Subject: usb: typec: tcpm: Relax disconnect threshold during power negotiation
+
+From: Kyle Tso <kyletso@google.com>
+
+commit 2b537cf877eae6d2f2f102052290676e40b74a1d upstream.
+
+If the voltage is being decreased in power negotiation, the Source will
+set the power supply to operate at the new voltage level before sending
+PS_RDY. Relax the threshold before sending Request Message so that it
+will not race with Source which begins to adjust the voltage right after
+it sends Accept Message (PPS) or tSrcTransition (25~35ms) after it sends
+Accept Message (non-PPS).
+
+The real threshold will be set after Sink receives PS_RDY Message.
+
+Fixes: f321a02caebd ("usb: typec: tcpm: Implement enabling Auto Discharge disconnect support")
+Cc: stable <stable@vger.kernel.org>
+Cc: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Kyle Tso <kyletso@google.com>
+Link: https://lore.kernel.org/r/20210616090102.1897674-1-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/tcpm.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -2576,6 +2576,11 @@ static void tcpm_pd_ctrl_request(struct
+ } else {
+ next_state = SNK_WAIT_CAPABILITIES;
+ }
++
++ /* Threshold was relaxed before sending Request. Restore it back. */
++ tcpm_set_auto_vbus_discharge_threshold(port, TYPEC_PWR_MODE_PD,
++ port->pps_data.active,
++ port->supply_voltage);
+ tcpm_set_state(port, next_state, 0);
+ break;
+ case SNK_NEGOTIATE_PPS_CAPABILITIES:
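Review bot: The restore call `tcpm_set_auto_vbus_discharge_threshold(port, TYPEC_PWR_MODE_PD, port->pps_data.active, port->supply_voltage)` is written out four times: here, in the SNK_NEGOTIATE_PPS_CAPABILITIES case of the next hunk, and in both `ret < 0` branches of run_state_machine(). A small static helper taking only `port` would keep the four sites identical and make it easier to audit that every exit from the relaxed state restores the threshold. None of the new call sites looks at a result from the call; if the function reports failure, a relaxed threshold could stay in effect unnoticed, so at least a log line would help. The enclosing switch in tcpm_pd_ctrl_request() extends beyond the hunk.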
+@@ -2589,6 +2594,11 @@ static void tcpm_pd_ctrl_request(struct
+ port->send_discover)
+ port->vdm_sm_running = true;
+
++ /* Threshold was relaxed before sending Request. Restore it back. */
++ tcpm_set_auto_vbus_discharge_threshold(port, TYPEC_PWR_MODE_PD,
++ port->pps_data.active,
++ port->supply_voltage);
++
+ tcpm_set_state(port, SNK_READY, 0);
+ break;
+ case DR_SWAP_SEND:
+@@ -3308,6 +3318,12 @@ static int tcpm_pd_send_request(struct t
+ if (ret < 0)
+ return ret;
+
++ /*
++ * Relax the threshold as voltage will be adjusted after Accept Message plus tSrcTransition.
++ * It is safer to modify the threshold here.
++ */
++ tcpm_set_auto_vbus_discharge_threshold(port, TYPEC_PWR_MODE_USB, false, 0);
++
+ memset(&msg, 0, sizeof(msg));
+ msg.header = PD_HEADER_LE(PD_DATA_REQUEST,
+ port->pwr_role,
+@@ -3405,6 +3421,9 @@ static int tcpm_pd_send_pps_request(stru
+ if (ret < 0)
+ return ret;
+
++ /* Relax the threshold as voltage will be adjusted right after Accept Message. */
++ tcpm_set_auto_vbus_discharge_threshold(port, TYPEC_PWR_MODE_USB, false, 0);
++
+ memset(&msg, 0, sizeof(msg));
+ msg.header = PD_HEADER_LE(PD_DATA_REQUEST,
+ port->pwr_role,
+@@ -4186,6 +4205,10 @@ static void run_state_machine(struct tcp
+ port->hard_reset_count = 0;
+ ret = tcpm_pd_send_request(port);
+ if (ret < 0) {
++ /* Restore back to the original state */
++ tcpm_set_auto_vbus_discharge_threshold(port, TYPEC_PWR_MODE_PD,
++ port->pps_data.active,
++ port->supply_voltage);
+ /* Let the Source send capabilities again. */
+ tcpm_set_state(port, SNK_WAIT_CAPABILITIES, 0);
+ } else {
+@@ -4196,6 +4219,10 @@ static void run_state_machine(struct tcp
+ case SNK_NEGOTIATE_PPS_CAPABILITIES:
+ ret = tcpm_pd_send_pps_request(port);
+ if (ret < 0) {
++ /* Restore back to the original state */
++ tcpm_set_auto_vbus_discharge_threshold(port, TYPEC_PWR_MODE_PD,
++ port->pps_data.active,
++ port->supply_voltage);
+ port->pps_status = ret;
+ /*
+ * If this was called due to updates to sink
--- /dev/null
+From b31d9d6d7abbf6483b871b6370bc31c930d53f54 Mon Sep 17 00:00:00 2001
+From: "Zhangjiantao (Kirin, nanjing)" <water.zhangjiantao@huawei.com>
+Date: Thu, 17 Jun 2021 18:03:54 +0300
+Subject: xhci: solve a double free problem while doing s4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>
+
+commit b31d9d6d7abbf6483b871b6370bc31c930d53f54 upstream.
+
+when system is doing s4, the process of xhci_resume may be as below:
+1、xhci_mem_cleanup
+2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough).
+xhci_mem_cleanup will be executed twice when system is out of memory.
+xhci->port_caps is freed in xhci_mem_cleanup,but it isn't set to NULL.
+It will be freed twice when xhci_mem_cleanup is called the second time.
+
+We got following bug when system resumes from s4:
+
+kernel BUG at mm/slub.c:309!
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1
+pc : __slab_free+0x5c/0x424
+lr : kfree+0x30c/0x32c
+
+Call trace:
+ __slab_free+0x5c/0x424
+ kfree+0x30c/0x32c
+ xhci_mem_cleanup+0x394/0x3cc
+ xhci_mem_init+0x9ac/0x1070
+ xhci_init+0x8c/0x1d0
+ xhci_resume+0x1cc/0x5fc
+ xhci_plat_resume+0x64/0x70
+ platform_pm_thaw+0x28/0x60
+ dpm_run_callback+0x54/0x24c
+ device_resume+0xd0/0x200
+ async_resume+0x24/0x60
+ async_run_entry_fn+0x44/0x110
+ process_one_work+0x1f0/0x490
+ worker_thread+0x5c/0x450
+ kthread+0x158/0x160
+ ret_from_fork+0x10/0x24
+
+Original patch that caused this issue was backported to 4.4 stable,
+so this should be backported to 4.4 stabe as well.
+
+Fixes: cf0ee7c60c89 ("xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Jiantao Zhang <water.zhangjiantao@huawei.com>
+Signed-off-by: Tao Xue <xuetao09@huawei.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210617150354.1512157-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1924,6 +1924,7 @@ no_bw:
+ xhci->hw_ports = NULL;
+ xhci->rh_bw = NULL;
+ xhci->ext_caps = NULL;
++ xhci->port_caps = NULL;
+
+ xhci->page_size = 0;
+ xhci->page_shift = 0;