--- /dev/null
+From fc36ef80ca2c68b2c9df06178048f08280e4334f Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 14 Jun 2021 17:31:33 +0900
+Subject: ALSA: firewire-motu: fix stream format for MOTU 8pre FireWire
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit fc36ef80ca2c68b2c9df06178048f08280e4334f upstream.
+
+My previous refactoring for ALSA firewire-motu driver brought regression
+to handle MOTU 8pre FireWire. The packet format is not operated correctly.
+
+Cc: <stable@vger.kernel.org>
+Fixes: dfbaa4dc11eb ("ALSA: firewire-motu: add model-specific table of chunk count")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20210614083133.39753-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/motu/motu-protocol-v2.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/motu/motu-protocol-v2.c
++++ b/sound/firewire/motu/motu-protocol-v2.c
+@@ -353,6 +353,7 @@ const struct snd_motu_spec snd_motu_spec
+ .protocol_version = SND_MOTU_PROTOCOL_V2,
+ .flags = SND_MOTU_SPEC_RX_MIDI_2ND_Q |
+ SND_MOTU_SPEC_TX_MIDI_2ND_Q,
+- .tx_fixed_pcm_chunks = {10, 6, 0},
+- .rx_fixed_pcm_chunks = {10, 6, 0},
++ // Two dummy chunks always in the end of data block.
++ .tx_fixed_pcm_chunks = {10, 10, 0},
++ .rx_fixed_pcm_chunks = {6, 6, 0},
+ };
--- /dev/null
+From 1948fc065a89f18d057b8ffaef6d7242ad99edb8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 18 Jun 2021 18:17:20 +0200
+Subject: ALSA: hda/realtek: Add another ALC236 variant support
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1948fc065a89f18d057b8ffaef6d7242ad99edb8 upstream.
+
+The codec chip 10ec:0230 is another variant of ALC236, combined with a
+card reader. Apply the equivalent setup as 10ec:0236.
+
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1184869
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210618161720.28694-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -385,6 +385,7 @@ static void alc_fill_eapd_coef(struct hd
+ alc_update_coef_idx(codec, 0x67, 0xf000, 0x3000);
+ fallthrough;
+ case 0x10ec0215:
++ case 0x10ec0230:
+ case 0x10ec0233:
+ case 0x10ec0235:
+ case 0x10ec0236:
+@@ -3153,6 +3154,7 @@ static void alc_disable_headset_jack_key
+ alc_update_coef_idx(codec, 0x49, 0x0045, 0x0);
+ alc_update_coef_idx(codec, 0x44, 0x0045 << 8, 0x0);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x48, 0x0);
+@@ -3180,6 +3182,7 @@ static void alc_enable_headset_jack_key(
+ alc_update_coef_idx(codec, 0x49, 0x007f, 0x0045);
+ alc_update_coef_idx(codec, 0x44, 0x007f << 8, 0x0045 << 8);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x48, 0xd011);
+@@ -4737,6 +4740,7 @@ static void alc_headset_mode_unplugged(s
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0256);
+@@ -4851,6 +4855,7 @@ static void alc_headset_mode_mic_in(stru
+ alc_process_coef_fw(codec, coef0255);
+ snd_hda_set_pin_ctl_cache(codec, mic_pin, PIN_VREF50);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x45, 0xc489);
+@@ -5000,6 +5005,7 @@ static void alc_headset_mode_default(str
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x1b, 0x0e4b);
+@@ -5098,6 +5104,7 @@ static void alc_headset_mode_ctia(struct
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0256);
+@@ -5211,6 +5218,7 @@ static void alc_headset_mode_omtp(struct
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0256);
+@@ -5311,6 +5319,7 @@ static void alc_determine_headset_type(s
+ val = alc_read_coef_idx(codec, 0x46);
+ is_ctia = (val & 0x0070) == 0x0070;
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x1b, 0x0e4b);
+@@ -5604,6 +5613,7 @@ static void alc255_set_default_jack_type
+ case 0x10ec0255:
+ alc_process_coef_fw(codec, alc255fw);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, alc256fw);
+@@ -6204,6 +6214,7 @@ static void alc_combo_jack_hp_jd_restart
+ alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */
+ alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15);
+ break;
++ case 0x10ec0230:
+ case 0x10ec0235:
+ case 0x10ec0236:
+ case 0x10ec0255:
+@@ -9330,6 +9341,7 @@ static int patch_alc269(struct hda_codec
+ spec->shutup = alc256_shutup;
+ spec->init_hook = alc256_init;
+ break;
++ case 0x10ec0230:
+ case 0x10ec0236:
+ case 0x10ec0256:
+ spec->codec_variant = ALC269_TYPE_ALC256;
+@@ -10621,6 +10633,7 @@ static const struct hda_device_id snd_hd
+ HDA_CODEC_ENTRY(0x10ec0221, "ALC221", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0222, "ALC222", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0225, "ALC225", patch_alc269),
++ HDA_CODEC_ENTRY(0x10ec0230, "ALC236", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0231, "ALC231", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0233, "ALC233", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0234, "ALC234", patch_alc269),
--- /dev/null
+From 0ac05b25c3dd8299204ae9d50c1c2f7f05eef08f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 23 Jun 2021 14:20:22 +0200
+Subject: ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0ac05b25c3dd8299204ae9d50c1c2f7f05eef08f upstream.
+
+HP Dragonfly G1 (SSID 103c:861f) also requires the same quirk for the
+mute and mic-mute LED just as Dragonfly G2 model.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213329
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210623122022.26179-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8331,6 +8331,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x84da, "HP OMEN dc0019-ur", ALC295_FIXUP_HP_OMEN),
+ SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
++ SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
--- /dev/null
+From f8fbcdfb0665de60997d9746809e1704ed782bbc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 20 Jun 2021 08:59:52 +0200
+Subject: ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f8fbcdfb0665de60997d9746809e1704ed782bbc upstream.
+
+Asus Zenbook 14 UM431D has two speaker pins and a headphone pin, and
+the auto-parser ends up assigning the bass to the third DAC 0x06.
+Although the tone comes out, it's inconvenient because this DAC has no
+volume control unlike two other DACs.
+
+For obtaining the volume control for the bass speaker, this patch
+enforces the mapping to let both front and bass speaker pins sharing
+the same DAC. It's not ideal but a little bit of improvement.
+
+Since we've already applied the same workaround for another ASUS
+machine, we just need to hook the chain to the existing quirk.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212547
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210620065952.18948-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7831,6 +7831,8 @@ static const struct hda_fixup alc269_fix
+ { 0x20, AC_VERB_SET_PROC_COEF, 0x4e4b },
+ { }
+ },
++ .chained = true,
++ .chain_id = ALC289_FIXUP_ASUS_GA401,
+ },
+ [ALC285_FIXUP_HP_GPIO_LED] = {
+ .type = HDA_FIXUP_FUNC,
--- /dev/null
+From dfc2e8ae4066a95c7f9c2bb2dfa26651feaa6b83 Mon Sep 17 00:00:00 2001
+From: Jeremy Szu <jeremy.szu@canonical.com>
+Date: Fri, 25 Jun 2021 21:34:13 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 830 G8 Notebook PC
+
+From: Jeremy Szu <jeremy.szu@canonical.com>
+
+commit dfc2e8ae4066a95c7f9c2bb2dfa26651feaa6b83 upstream.
+
+The HP EliteBook 830 G8 Notebook PC using ALC285 codec which using 0x04 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210625133414.26760-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8355,6 +8355,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP),
++ SND_PCI_QUIRK(0x103c, 0x880d, "HP EliteBook 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
--- /dev/null
+From c3d2c88209e85045a364e80fe12a6cde16745b72 Mon Sep 17 00:00:00 2001
+From: Jeremy Szu <jeremy.szu@canonical.com>
+Date: Fri, 18 Jun 2021 01:14:20 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook x360 830 G8
+
+From: Jeremy Szu <jeremy.szu@canonical.com>
+
+commit c3d2c88209e85045a364e80fe12a6cde16745b72 upstream.
+
+The HP EliteBook x360 830 G8 using ALC285 codec which using 0x04 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210617171422.16652-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8340,6 +8340,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP),
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
--- /dev/null
+From a3b7f9b8fa2967e1b3c2a402301715124c90306b Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Thu, 1 Jul 2021 17:14:14 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G8
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit a3b7f9b8fa2967e1b3c2a402301715124c90306b upstream.
+
+The HP ProBook 445 G8 using ALC236 codec.
+COEF index 0x34 bit 5 is used to control the playback mute LED, but the
+microphone mute LED is controlled using pin VREF instead of a COEF index.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210701091417.9696-2-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8330,6 +8330,8 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8863, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
--- /dev/null
+From 2b70b264d34d398c77a5936e317336f00cf5badb Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Thu, 1 Jul 2021 17:14:13 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 450 G8
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit 2b70b264d34d398c77a5936e317336f00cf5badb upstream.
+
+The HP ProBook 450 G8 using ALC236 codec which using 0x02 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210701091417.9696-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8322,6 +8322,7 @@ static const struct snd_pci_quirk alc269
+ ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f2, "HP ProBook 640 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
--- /dev/null
+From fb3acdb2ba289aa06a5a995b3abef409bfe0a220 Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Thu, 1 Jul 2021 17:14:15 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 630 G8
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit fb3acdb2ba289aa06a5a995b3abef409bfe0a220 upstream.
+
+The HP ProBook 630 G8 using ALC236 codec which using 0x02 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210701091417.9696-3-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8323,6 +8323,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87f1, "HP ProBook 630 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f2, "HP ProBook 640 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 434591b2a77def0e78abfa38e5d7c4bca954e68a Mon Sep 17 00:00:00 2001
+From: Elia Devito <eliadevito@gmail.com>
+Date: Sat, 19 Jun 2021 22:41:04 +0200
+Subject: ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx
+
+From: Elia Devito <eliadevito@gmail.com>
+
+commit 434591b2a77def0e78abfa38e5d7c4bca954e68a upstream.
+
+On HP Spectre x360 15-df0xxx, after system boot with plugged headset, the
+headset mic are not detected.
+Moving pincfg and DAC's config to single fixup function fix this.
+
+[ The actual bug in the original code was that it used a chain to
+ ALC286_FIXUP_SPEAKER2_TO_DAC1, and it contains not only the DAC1
+ route fix but also another chain to ALC269_FIXUP_THINKPAD_ACPI.
+ I thought the latter one is harmless for non-Thinkpad, but it
+ doesn't seem so; it contains again yet another chain to
+ ALC269_FIXUP_SKI_IGNORE, and this might be bad for some machines,
+ including this HP machine. -- tiwai ]
+
+Signed-off-by: Elia Devito <eliadevito@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210619204105.5682-1-eliadevito@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6347,6 +6347,24 @@ static void alc_fixup_no_int_mic(struct
+ }
+ }
+
++static void alc285_fixup_hp_spectre_x360(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ static const hda_nid_t conn[] = { 0x02 };
++ static const struct hda_pintbl pincfgs[] = {
++ { 0x14, 0x90170110 }, /* rear speaker */
++ { }
++ };
++
++ switch (action) {
++ case HDA_FIXUP_ACT_PRE_PROBE:
++ snd_hda_apply_pincfgs(codec, pincfgs);
++ /* force front speaker to DAC1 */
++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);
++ break;
++ }
++}
++
+ /* for hda_fixup_thinkpad_acpi() */
+ #include "thinkpad_helper.c"
+
+@@ -8124,13 +8142,8 @@ static const struct hda_fixup alc269_fix
+ .chain_id = ALC269_FIXUP_HP_LINE1_MIC1_LED,
+ },
+ [ALC285_FIXUP_HP_SPECTRE_X360] = {
+- .type = HDA_FIXUP_PINS,
+- .v.pins = (const struct hda_pintbl[]) {
+- { 0x14, 0x90170110 }, /* enable top speaker */
+- {}
+- },
+- .chained = true,
+- .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1,
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_hp_spectre_x360,
+ },
+ [ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP] = {
+ .type = HDA_FIXUP_FUNC,
--- /dev/null
+From 24d1e49415be546470b20429d748e240d0518b7e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 8 Jul 2021 11:07:38 +0200
+Subject: ALSA: intel8x0: Fix breakage at ac97 clock measurement
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 24d1e49415be546470b20429d748e240d0518b7e upstream.
+
+The recent workaround for the wild interrupts in commit c1f0616124c4
+("ALSA: intel8x0: Don't update period unless prepared") leaded to a
+regression, causing the interrupt storm during ac97 clock measurement
+at the driver probe. We need to handle the interrupt while the clock
+measurement as well as the proper PCM streams.
+
+Fixes: c1f0616124c4 ("ALSA: intel8x0: Don't update period unless prepared")
+Reported-and-tested-by: Max Filippov <jcmvbkbc@gmail.com>
+Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/CAMo8BfKKMQkcsbOQaeEjq_FsJhdK=fn598dvh7YOcZshUSOH=g@mail.gmail.com
+Link: https://lore.kernel.org/r/20210708090738.1569-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/intel8x0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/intel8x0.c
++++ b/sound/pci/intel8x0.c
+@@ -715,7 +715,7 @@ static inline void snd_intel8x0_update(s
+ int status, civ, i, step;
+ int ack = 0;
+
+- if (!ichdev->prepared || ichdev->suspended)
++ if (!(ichdev->prepared || chip->in_measurement) || ichdev->suspended)
+ return;
+
+ spin_lock_irqsave(&chip->reg_lock, flags);
--- /dev/null
+From 362372ceb6556f338e230f2d90af27b47f82365a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 22 Jun 2021 11:06:47 +0200
+Subject: ALSA: usb-audio: Fix OOB access at proc output
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 362372ceb6556f338e230f2d90af27b47f82365a upstream.
+
+At extending the available mixer values for 32bit types, we forgot to
+add the corresponding entries for the format dump in the proc output.
+This may result in OOB access. Here adds the missing entries.
+
+Fixes: bc18e31c3042 ("ALSA: usb-audio: Fix parameter block size for UAC2 control requests")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210622090647.14021-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -3273,8 +3273,9 @@ static void snd_usb_mixer_dump_cval(stru
+ struct usb_mixer_elem_list *list)
+ {
+ struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list);
+- static const char * const val_types[] = {"BOOLEAN", "INV_BOOLEAN",
+- "S8", "U8", "S16", "U16"};
++ static const char * const val_types[] = {
++ "BOOLEAN", "INV_BOOLEAN", "S8", "U8", "S16", "U16", "S32", "U32",
++ };
+ snd_iprintf(buffer, " Info: id=%i, control=%i, cmask=0x%x, "
+ "channels=%i, type=\"%s\"\n", cval->head.id,
+ cval->control, cval->cmask, cval->channels,
--- /dev/null
+From aecc19ec404bdc745c781058ac97a373731c3089 Mon Sep 17 00:00:00 2001
+From: Daehwan Jung <dh10.jung@samsung.com>
+Date: Wed, 16 Jun 2021 18:34:55 +0900
+Subject: ALSA: usb-audio: fix rate on Ozone Z90 USB headset
+
+From: Daehwan Jung <dh10.jung@samsung.com>
+
+commit aecc19ec404bdc745c781058ac97a373731c3089 upstream.
+
+It mislabels its 96 kHz altsetting and that's why it causes some noise
+
+Signed-off-by: Daehwan Jung <dh10.jung@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1623836097-61918-1-git-send-email-dh10.jung@samsung.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/format.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -208,9 +208,11 @@ static int parse_audio_format_rates_v1(s
+ continue;
+ /* C-Media CM6501 mislabels its 96 kHz altsetting */
+ /* Terratec Aureon 7.1 USB C-Media 6206, too */
++ /* Ozone Z90 USB C-Media, too */
+ if (rate == 48000 && nr_rates == 1 &&
+ (chip->usb_id == USB_ID(0x0d8c, 0x0201) ||
+ chip->usb_id == USB_ID(0x0d8c, 0x0102) ||
++ chip->usb_id == USB_ID(0x0d8c, 0x0078) ||
+ chip->usb_id == USB_ID(0x0ccd, 0x00b1)) &&
+ fp->altsetting == 5 && fp->maxpacksize == 392)
+ rate = 96000;
--- /dev/null
+From 785b6f29a795f109685f286b91e0250c206fbffb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 23 Jun 2021 02:30:49 +0930
+Subject: ALSA: usb-audio: scarlett2: Fix wrong resume call
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 785b6f29a795f109685f286b91e0250c206fbffb upstream.
+
+The current way of the scarlett2 mixer code managing the
+usb_mixer_elem_info object is wrong in two ways: it passes its
+internal index to the head.id field, and the val_type field is
+uninitialized. This ended up with the wrong execution at the resume
+because a bogus unit id is passed wrongly. Also, in the later code
+extensions, we'll have more mixer elements, and passing the index will
+overflow the unit id size (of 256).
+
+This patch corrects those issues. It introduces a new value type,
+USB_MIXER_BESPOKEN, which indicates a non-standard mixer element, and
+use this type for all scarlett2 mixer elements, as well as
+initializing the fixed unit id 0 for avoiding the overflow.
+
+Tested-by: Geoffrey D. Bennett <g@b4.vu>
+Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/49721219f45b7e175e729b0d9d9c142fd8f4342a.1624379707.git.g@b4.vu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 3 +++
+ sound/usb/mixer.h | 1 +
+ sound/usb/mixer_scarlett_gen2.c | 7 ++++++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -3631,6 +3631,9 @@ static int restore_mixer_value(struct us
+ struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list);
+ int c, err, idx;
+
++ if (cval->val_type == USB_MIXER_BESPOKEN)
++ return 0;
++
+ if (cval->cmask) {
+ idx = 0;
+ for (c = 0; c < MAX_CHANNELS; c++) {
+--- a/sound/usb/mixer.h
++++ b/sound/usb/mixer.h
+@@ -55,6 +55,7 @@ enum {
+ USB_MIXER_U16,
+ USB_MIXER_S32,
+ USB_MIXER_U32,
++ USB_MIXER_BESPOKEN, /* non-standard type */
+ };
+
+ typedef void (*usb_mixer_elem_dump_func_t)(struct snd_info_buffer *buffer,
+--- a/sound/usb/mixer_scarlett_gen2.c
++++ b/sound/usb/mixer_scarlett_gen2.c
+@@ -949,10 +949,15 @@ static int scarlett2_add_new_ctl(struct
+ if (!elem)
+ return -ENOMEM;
+
++ /* We set USB_MIXER_BESPOKEN type, so that the core USB mixer code
++ * ignores them for resume and other operations.
++ * Also, the head.id field is set to 0, as we don't use this field.
++ */
+ elem->head.mixer = mixer;
+ elem->control = index;
+- elem->head.id = index;
++ elem->head.id = 0;
+ elem->channels = channels;
++ elem->val_type = USB_MIXER_BESPOKEN;
+
+ kctl = snd_ctl_new1(ncontrol, elem);
+ if (!kctl) {
--- /dev/null
+From b43ca511178ed0ab6fd2405df28cf9e100273020 Mon Sep 17 00:00:00 2001
+From: Connor Abbott <cwabbott0@gmail.com>
+Date: Fri, 7 May 2021 14:27:33 +0200
+Subject: Bluetooth: btqca: Don't modify firmware contents in-place
+
+From: Connor Abbott <cwabbott0@gmail.com>
+
+commit b43ca511178ed0ab6fd2405df28cf9e100273020 upstream.
+
+struct firmware::data is marked const, and when the firmware is
+compressed with xz (default at least with Fedora) it's mapped read-only
+which results in a crash:
+
+BUG: unable to handle page fault for address: ffffae57c0ca5047
+PGD 100000067 P4D 100000067 PUD 1001ce067 PMD 10165a067 PTE 8000000112bba161
+Oops: 0003 [#1] SMP NOPTI
+CPU: 3 PID: 204 Comm: kworker/u17:0 Not tainted 5.12.1-test+ #1
+Hardware name: Dell Inc. XPS 13 9310/0F7M4C, BIOS 1.2.5 12/10/2020
+Workqueue: hci0 hci_power_on [bluetooth]
+RIP: 0010:qca_download_firmware+0x27c/0x4e0 [btqca]
+Code: 1b 75 04 80 48 0c 01 0f b7 c6 8d 54 02 0c 41 39 d7 0f 8e 62 fe ff ff 48 63 c2 4c 01 e8 0f b7 38 0f b7 70 02 66 83 ff 11 75 d3 <80> 48 0c 80 41 83 fc 03 7e 6e 88 58 0d eb ce 41 0f b6 45 0e 48 8b
+RSP: 0018:ffffae57c08dfc68 EFLAGS: 00010246
+RAX: ffffae57c0ca503b RBX: 000000000000000e RCX: 0000000000000000
+RDX: 0000000000000037 RSI: 0000000000000006 RDI: 0000000000000011
+RBP: ffff978d9949e000 R08: ffff978d84ed7540 R09: ffffae57c0ca5000
+R10: 000000000010cd00 R11: 0000000000000001 R12: 0000000000000005
+R13: ffffae57c0ca5004 R14: ffff978d98ca8680 R15: 00000000000016a9
+FS: 0000000000000000(0000) GS:ffff9794ef6c0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffae57c0ca5047 CR3: 0000000113d5a004 CR4: 0000000000770ee0
+PKRU: 55555554
+Call Trace:
+ qca_uart_setup+0x2cb/0x1390 [btqca]
+ ? qca_read_soc_version+0x136/0x220 [btqca]
+ qca_setup+0x288/0xab0 [hci_uart]
+ hci_dev_do_open+0x1f3/0x780 [bluetooth]
+ ? try_to_wake_up+0x1c1/0x4f0
+ hci_power_on+0x3f/0x200 [bluetooth]
+ process_one_work+0x1ec/0x380
+ worker_thread+0x53/0x3e0
+ ? process_one_work+0x380/0x380
+ kthread+0x11b/0x140
+ ? kthread_associate_blkcg+0xa0/0xa0
+ ret_from_fork+0x1f/0x30
+Modules linked in: llc ip_set nf_tables nfnetlink snd_soc_skl_hda_dsp(+) ip6table_filter snd_soc_hdac_hdmi ip6_tables qrtr_mhi iptable_filter snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic s>
+ dell_wmi_sysman(+) dell_smbios snd dcdbas mhi vfat videobuf2_vmalloc i2c_i801 videobuf2_memops videobuf2_v4l2 dell_wmi_descriptor fat wmi_bmof soundcore i2c_smbus videobuf2_common libarc4 mei_me mei hid_se>
+ i2c_hid_acpi i2c_hid video pinctrl_tigerlake fuse
+CR2: ffffae57c0ca5047
+
+This also seems to fix a failure to suspend due to the firmware
+download on bootup getting interrupted by the crash:
+
+Bluetooth: hci0: SSR or FW download time out
+PM: dpm_run_callback(): acpi_subsys_suspend+0x0/0x60 returns -110
+PM: Device serial0-0 failed to suspend: error -110
+PM: Some devices failed to suspend, or early wake event detected
+
+Fixes: 83e8196 ("Bluetooth: btqca: Introduce generic QCA ROME support")
+Cc: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btqca.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -143,7 +143,7 @@ int qca_send_pre_shutdown_cmd(struct hci
+ EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd);
+
+ static void qca_tlv_check_data(struct qca_fw_config *config,
+- const struct firmware *fw, enum qca_btsoc_type soc_type)
++ u8 *fw_data, enum qca_btsoc_type soc_type)
+ {
+ const u8 *data;
+ u32 type_len;
+@@ -154,7 +154,7 @@ static void qca_tlv_check_data(struct qc
+ struct tlv_type_nvm *tlv_nvm;
+ uint8_t nvm_baud_rate = config->user_baud_rate;
+
+- tlv = (struct tlv_type_hdr *)fw->data;
++ tlv = (struct tlv_type_hdr *)fw_data;
+
+ type_len = le32_to_cpu(tlv->type_len);
+ length = (type_len >> 8) & 0x00ffffff;
+@@ -350,8 +350,9 @@ static int qca_download_firmware(struct
+ enum qca_btsoc_type soc_type)
+ {
+ const struct firmware *fw;
++ u8 *data;
+ const u8 *segment;
+- int ret, remain, i = 0;
++ int ret, size, remain, i = 0;
+
+ bt_dev_info(hdev, "QCA Downloading %s", config->fwname);
+
+@@ -362,10 +363,22 @@ static int qca_download_firmware(struct
+ return ret;
+ }
+
+- qca_tlv_check_data(config, fw, soc_type);
++ size = fw->size;
++ data = vmalloc(fw->size);
++ if (!data) {
++ bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s",
++ config->fwname);
++ release_firmware(fw);
++ return -ENOMEM;
++ }
++
++ memcpy(data, fw->data, size);
++ release_firmware(fw);
++
++ qca_tlv_check_data(config, data, soc_type);
+
+- segment = fw->data;
+- remain = fw->size;
++ segment = data;
++ remain = size;
+ while (remain > 0) {
+ int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain);
+
+@@ -395,7 +408,7 @@ static int qca_download_firmware(struct
+ ret = qca_inject_cmd_complete_event(hdev);
+
+ out:
+- release_firmware(fw);
++ vfree(data);
+
+ return ret;
+ }
--- /dev/null
+From 59f90f1351282ea2dbd0c59098fd9bb2634e920e Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Mon, 3 May 2021 13:06:05 +0300
+Subject: Bluetooth: hci_qca: fix potential GPF
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 59f90f1351282ea2dbd0c59098fd9bb2634e920e upstream.
+
+In qca_power_shutdown() qcadev local variable is
+initialized by hu->serdev.dev private data, but
+hu->serdev can be NULL and there is a check for it.
+
+Since, qcadev is not used before
+
+ if (!hu->serdev)
+ return;
+
+we can move its initialization after this "if" to
+prevent GPF.
+
+Fixes: 5559904ccc08 ("Bluetooth: hci_qca: Add QCA Rome power off support to the qca_power_shutdown()")
+Cc: stable@vger.kernel.org # v5.6+
+Cc: Rocky Liao <rjliao@codeaurora.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_qca.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1809,8 +1809,6 @@ static void qca_power_shutdown(struct hc
+ unsigned long flags;
+ enum qca_btsoc_type soc_type = qca_soc_type(hu);
+
+- qcadev = serdev_device_get_drvdata(hu->serdev);
+-
+ /* From this point we go into power off state. But serial port is
+ * still open, stop queueing the IBS data and flush all the buffered
+ * data in skb's.
+@@ -1826,6 +1824,8 @@ static void qca_power_shutdown(struct hc
+ if (!hu->serdev)
+ return;
+
++ qcadev = serdev_device_get_drvdata(hu->serdev);
++
+ if (qca_is_wcn399x(soc_type)) {
+ host_set_baudrate(hu, 2400);
+ qca_send_power_pulse(hu, false);
--- /dev/null
+From 1c58e933aba23f68c0d3f192f7cc6eed8fabd694 Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Tue, 18 May 2021 16:54:36 +0200
+Subject: Bluetooth: Remove spurious error message
+
+From: Szymon Janc <szymon.janc@codecoup.pl>
+
+commit 1c58e933aba23f68c0d3f192f7cc6eed8fabd694 upstream.
+
+Even with rate limited reporting this is very spammy and since
+it is remote device that is providing bogus data there is no
+need to report this as error.
+
+Since real_len variable was used only to allow conditional error
+message it is now also removed.
+
+[72454.143336] bt_err_ratelimited: 10 callbacks suppressed
+[72454.143337] Bluetooth: hci0: advertising data len corrected
+[72454.296314] Bluetooth: hci0: advertising data len corrected
+[72454.892329] Bluetooth: hci0: advertising data len corrected
+[72455.051319] Bluetooth: hci0: advertising data len corrected
+[72455.357326] Bluetooth: hci0: advertising data len corrected
+[72455.663295] Bluetooth: hci0: advertising data len corrected
+[72455.787278] Bluetooth: hci0: advertising data len corrected
+[72455.942278] Bluetooth: hci0: advertising data len corrected
+[72456.094276] Bluetooth: hci0: advertising data len corrected
+[72456.249137] Bluetooth: hci0: advertising data len corrected
+[72459.416333] bt_err_ratelimited: 13 callbacks suppressed
+[72459.416334] Bluetooth: hci0: advertising data len corrected
+[72459.721334] Bluetooth: hci0: advertising data len corrected
+[72460.011317] Bluetooth: hci0: advertising data len corrected
+[72460.327171] Bluetooth: hci0: advertising data len corrected
+[72460.638294] Bluetooth: hci0: advertising data len corrected
+[72460.946350] Bluetooth: hci0: advertising data len corrected
+[72461.225320] Bluetooth: hci0: advertising data len corrected
+[72461.690322] Bluetooth: hci0: advertising data len corrected
+[72462.118318] Bluetooth: hci0: advertising data len corrected
+[72462.427319] Bluetooth: hci0: advertising data len corrected
+[72464.546319] bt_err_ratelimited: 7 callbacks suppressed
+[72464.546319] Bluetooth: hci0: advertising data len corrected
+[72464.857318] Bluetooth: hci0: advertising data len corrected
+[72465.163332] Bluetooth: hci0: advertising data len corrected
+[72465.278331] Bluetooth: hci0: advertising data len corrected
+[72465.432323] Bluetooth: hci0: advertising data len corrected
+[72465.891334] Bluetooth: hci0: advertising data len corrected
+[72466.045334] Bluetooth: hci0: advertising data len corrected
+[72466.197321] Bluetooth: hci0: advertising data len corrected
+[72466.340318] Bluetooth: hci0: advertising data len corrected
+[72466.498335] Bluetooth: hci0: advertising data len corrected
+[72469.803299] bt_err_ratelimited: 10 callbacks suppressed
+
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=203753
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5401,7 +5401,7 @@ static void process_adv_report(struct hc
+ struct hci_conn *conn;
+ bool match;
+ u32 flags;
+- u8 *ptr, real_len;
++ u8 *ptr;
+
+ switch (type) {
+ case LE_ADV_IND:
+@@ -5432,14 +5432,10 @@ static void process_adv_report(struct hc
+ break;
+ }
+
+- real_len = ptr - data;
+-
+- /* Adjust for actual length */
+- if (len != real_len) {
+- bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u",
+- len, real_len);
+- len = real_len;
+- }
++ /* Adjust for actual length. This handles the case when remote
++ * device is advertising with incorrect data length.
++ */
++ len = ptr - data;
+
+ /* If the direct address is present, then this report is from
+ * a LE Direct Advertising Report event. In that case it is
--- /dev/null
+From a506abc7b644d71966a75337d5a534f531b3cdc4 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 27 Apr 2021 12:34:04 -0400
+Subject: copy_page_to_iter(): fix ITER_DISCARD case
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a506abc7b644d71966a75337d5a534f531b3cdc4 upstream.
+
+we need to advance the iterator...
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/iov_iter.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -922,9 +922,12 @@ size_t copy_page_to_iter(struct page *pa
+ size_t wanted = copy_to_iter(kaddr + offset, bytes, i);
+ kunmap_atomic(kaddr);
+ return wanted;
+- } else if (unlikely(iov_iter_is_discard(i)))
++ } else if (unlikely(iov_iter_is_discard(i))) {
++ if (unlikely(i->count < bytes))
++ bytes = i->count;
++ i->count -= bytes;
+ return bytes;
+- else if (likely(!iov_iter_is_pipe(i)))
++ } else if (likely(!iov_iter_is_pipe(i)))
+ return copy_page_to_iter_iovec(page, offset, bytes, i);
+ else
+ return copy_page_to_iter_pipe(page, offset, bytes, i);
--- /dev/null
+From 5d49d3508b3c67201bd3e1bf7f4ef049111b7051 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 28 Jun 2021 19:14:50 +0800
+Subject: gfs2: Fix error handling in init_statfs
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 5d49d3508b3c67201bd3e1bf7f4ef049111b7051 upstream.
+
+On an error path, init_statfs calls iput(pn) after pn has already been put.
+Fix that by setting pn to NULL after the initial iput.
+
+Fixes: 97fd734ba17e ("gfs2: lookup local statfs inodes prior to journal recovery")
+Cc: stable@vger.kernel.org # v5.10+
+Reported-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -670,6 +670,7 @@ static int init_statfs(struct gfs2_sbd *
+ }
+
+ iput(pn);
++ pn = NULL;
+ ip = GFS2_I(sdp->sd_sc_inode);
+ error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, 0,
+ &sdp->sd_sc_gh);
--- /dev/null
+From d3c51c55cb9274dd43c156f1f26b5eb4d5f2d58c Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 21 Jun 2021 22:28:50 +0200
+Subject: gfs2: Fix underflow in gfs2_page_mkwrite
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit d3c51c55cb9274dd43c156f1f26b5eb4d5f2d58c upstream.
+
+On filesystems with a block size smaller than PAGE_SIZE and non-empty
+files smaller then PAGE_SIZE, gfs2_page_mkwrite could end up allocating
+excess blocks beyond the end of the file, similar to fallocate. This
+doesn't make sense; fix it.
+
+Reported-by: Bob Peterson <rpeterso@redhat.com>
+Fixes: 184b4e60853d ("gfs2: Fix end-of-file handling in gfs2_page_mkwrite")
+Cc: stable@vger.kernel.org # v5.5+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -474,8 +474,8 @@ static vm_fault_t gfs2_page_mkwrite(stru
+ file_update_time(vmf->vma->vm_file);
+
+ /* page is wholly or partially inside EOF */
+- if (offset > size - PAGE_SIZE)
+- length = offset_in_page(size);
++ if (size - offset < PAGE_SIZE)
++ length = size - offset;
+ else
+ length = PAGE_SIZE;
+
--- /dev/null
+From f8f84af5da9ee04ef1d271528656dac42a090d00 Mon Sep 17 00:00:00 2001
+From: Alexander Larkin <avlarkin82@gmail.com>
+Date: Sun, 4 Jul 2021 22:39:36 -0700
+Subject: Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
+
+From: Alexander Larkin <avlarkin82@gmail.com>
+
+commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.
+
+Even though we validate user-provided inputs we then traverse past
+validated data when applying the new map. The issue was originally
+discovered by Murray McAllister with this simple POC (if the following
+is executed by an unprivileged user it will instantly panic the system):
+
+int main(void) {
+ int fd, ret;
+ unsigned int buffer[10000];
+
+ fd = open("/dev/input/js0", O_RDONLY);
+ if (fd == -1)
+ printf("Error opening file\n");
+
+ ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
+ printf("%d\n", ret);
+}
+
+The solution is to traverse internal buffer which is guaranteed to only
+contain valid date when constructing the map.
+
+Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
+Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
+Reported-by: Murray McAllister <murray.mcallister@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
+Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joydev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -500,7 +500,7 @@ static int joydev_handle_JSIOCSBTNMAP(st
+ memcpy(joydev->keypam, keypam, len);
+
+ for (i = 0; i < joydev->nkey; i++)
+- joydev->keymap[keypam[i] - BTN_MISC] = i;
++ joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
+
+ out:
+ kfree(keypam);
--- /dev/null
+From 41e81022a04a0294c55cfa7e366bc14b9634c66e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 May 2021 10:02:59 -0700
+Subject: Input: usbtouchscreen - fix control-request directions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 41e81022a04a0294c55cfa7e366bc14b9634c66e upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the four control requests which erroneously used usb_rcvctrlpipe().
+
+Fixes: 1d3e20236d7a ("[PATCH] USB: usbtouchscreen: unified USB touchscreen driver")
+Fixes: 24ced062a296 ("usbtouchscreen: add support for DMC TSC-10/25 devices")
+Fixes: 9e3b25837a20 ("Input: usbtouchscreen - add support for e2i touchscreen controller")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: stable@vger.kernel.org # 2.6.17
+Link: https://lore.kernel.org/r/20210524092048.4443-1-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/usbtouchscreen.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/touchscreen/usbtouchscreen.c
++++ b/drivers/input/touchscreen/usbtouchscreen.c
+@@ -251,7 +251,7 @@ static int e2i_init(struct usbtouch_usb
+ int ret;
+ struct usb_device *udev = interface_to_usbdev(usbtouch->interface);
+
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ 0x01, 0x02, 0x0000, 0x0081,
+ NULL, 0, USB_CTRL_SET_TIMEOUT);
+
+@@ -531,7 +531,7 @@ static int mtouch_init(struct usbtouch_u
+ if (ret)
+ return ret;
+
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ MTOUCHUSB_RESET,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
+@@ -543,7 +543,7 @@ static int mtouch_init(struct usbtouch_u
+ msleep(150);
+
+ for (i = 0; i < 3; i++) {
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ MTOUCHUSB_ASYNC_REPORT,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 1, NULL, 0, USB_CTRL_SET_TIMEOUT);
+@@ -722,7 +722,7 @@ static int dmc_tsc10_init(struct usbtouc
+ }
+
+ /* start sending data */
+- ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0),
++ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+ TSC10_CMD_DATA1,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
--- /dev/null
+From 0e8f0d67401589a141950856902c7d0ec8d9c985 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 2 Jun 2021 14:48:21 -0400
+Subject: [xarray] iov_iter_fault_in_readable() should do nothing in xarray case
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 0e8f0d67401589a141950856902c7d0ec8d9c985 upstream.
+
+... and actually should just check it's given an iovec-backed iterator
+in the first place.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/iov_iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -434,7 +434,7 @@ int iov_iter_fault_in_readable(struct io
+ int err;
+ struct iovec v;
+
+- if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
++ if (iter_is_iovec(i)) {
+ iterate_iovec(i, bytes, v, iov, skip, ({
+ err = fault_in_pages_readable(v.iov_base, v.iov_len);
+ if (unlikely(err))
--- /dev/null
+From c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 7 May 2021 14:50:43 +0200
+Subject: media: dvb-usb: fix wrong definition
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 upstream.
+
+syzbot reported WARNING in vmalloc. The problem
+was in zero size passed to vmalloc.
+
+The root case was in wrong cxusb_bluebird_lgz201_properties
+definition. adapter array has only 1 entry, but num_adapters was
+2.
+
+Call Trace:
+ __vmalloc_node mm/vmalloc.c:2963 [inline]
+ vmalloc+0x67/0x80 mm/vmalloc.c:2996
+ dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
+ dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
+ dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
+ dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
+ dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
+ cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634
+
+Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB device")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -1947,7 +1947,7 @@ static struct dvb_usb_device_properties
+
+ .size_of_priv = sizeof(struct cxusb_state),
+
+- .num_adapters = 2,
++ .num_adapters = 1,
+ .adapter = {
+ {
+ .num_frontends = 1,
--- /dev/null
+From ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 17 Jun 2021 21:51:30 +0300
+Subject: net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 upstream.
+
+In ems_usb_disconnect() dev pointer, which is netdev private data, is
+used after free_candev() call:
+| if (dev) {
+| unregister_netdev(dev->netdev);
+| free_candev(dev->netdev);
+|
+| unlink_all_urbs(dev);
+|
+| usb_free_urb(dev->intr_urb);
+|
+| kfree(dev->intr_in_buffer);
+| kfree(dev->tx_msg_buffer);
+| }
+
+Fix it by simply moving free_candev() at the end of the block.
+
+Fail log:
+| BUG: KASAN: use-after-free in ems_usb_disconnect
+| Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895
+|
+| CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164
+| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4
+| Workqueue: usb_hub_wq hub_event
+| Call Trace:
+| dump_stack (lib/dump_stack.c:122)
+| print_address_description.constprop.0.cold (mm/kasan/report.c:234)
+| kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436)
+| ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058)
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/ems_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1053,7 +1053,6 @@ static void ems_usb_disconnect(struct us
+
+ if (dev) {
+ unregister_netdev(dev->netdev);
+- free_candev(dev->netdev);
+
+ unlink_all_urbs(dev);
+
+@@ -1061,6 +1060,8 @@ static void ems_usb_disconnect(struct us
+
+ kfree(dev->intr_in_buffer);
+ kfree(dev->tx_msg_buffer);
++
++ free_candev(dev->netdev);
+ }
+ }
+
--- /dev/null
+From d98e4d95411bbde2220a7afa38dcc9c14d71acbe Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Date: Mon, 28 Jun 2021 19:33:52 -0700
+Subject: ntfs: fix validity check for file name attribute
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+commit d98e4d95411bbde2220a7afa38dcc9c14d71acbe upstream.
+
+When checking the file name attribute, we want to ensure that it fits
+within the bounds of ATTR_RECORD. To do this, we should check that (attr
+record + file name offset + file name length) < (attr record + attr record
+length).
+
+However, the original check did not include the file name offset in the
+calculation. This means that corrupted on-disk metadata might not caught
+by the incorrect file name check, and lead to an invalid memory access.
+
+An example can be seen in the crash report of a memory corruption error
+found by Syzbot:
+https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246
+
+Adding the file name offset to the validity check fixes this error and
+passes the Syzbot reproducer test.
+
+Link: https://lkml.kernel.org/r/20210614050540.289494-1-desmondcheongzx@gmail.com
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
+Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
+Acked-by: Anton Altaparmakov <anton@tuxera.com>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ntfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ntfs/inode.c
++++ b/fs/ntfs/inode.c
+@@ -477,7 +477,7 @@ err_corrupt_attr:
+ }
+ file_name_attr = (FILE_NAME_ATTR*)((u8*)attr +
+ le16_to_cpu(attr->data.resident.value_offset));
+- p2 = (u8*)attr + le32_to_cpu(attr->data.resident.value_length);
++ p2 = (u8 *)file_name_attr + le32_to_cpu(attr->data.resident.value_length);
+ if (p2 < (u8*)attr || p2 > p)
+ goto err_corrupt_attr;
+ /* This attribute is ok, but is it in the $Extend directory? */
--- /dev/null
+From 04831e892b41618914b2123ae3b4fa77252e8656 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 23 Jun 2021 13:39:28 -0700
+Subject: selftests/lkdtm: Avoid needing explicit sub-shell
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 04831e892b41618914b2123ae3b4fa77252e8656 upstream.
+
+Some environments do not set $SHELL when running tests. There's no
+need to use $SHELL here anyway, since "cat" can be used to receive any
+delivered signals from the kernel. Additionally avoid using bash-isms
+in the command, and record stderr for posterity.
+
+Fixes: 46d1a0f03d66 ("selftests/lkdtm: Add tests for LKDTM targets")
+Cc: stable@vger.kernel.org
+Suggested-by: Guillaume Tucker <guillaume.tucker@collabora.com>
+Suggested-by: David Laight <David.Laight@ACULAB.COM>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210623203936.3151093-2-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/lkdtm/run.sh | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/lkdtm/run.sh
++++ b/tools/testing/selftests/lkdtm/run.sh
+@@ -76,10 +76,14 @@ fi
+ # Save existing dmesg so we can detect new content below
+ dmesg > "$DMESG"
+
+-# Most shells yell about signals and we're expecting the "cat" process
+-# to usually be killed by the kernel. So we have to run it in a sub-shell
+-# and silence errors.
+-($SHELL -c 'cat <(echo '"$test"') >'"$TRIGGER" 2>/dev/null) || true
++# Since the kernel is likely killing the process writing to the trigger
++# file, it must not be the script's shell itself. i.e. we cannot do:
++# echo "$test" >"$TRIGGER"
++# Instead, use "cat" to take the signal. Since the shell will yell about
++# the signal that killed the subprocess, we must ignore the failure and
++# continue. However we don't silence stderr since there might be other
++# useful details reported there in the case of other unexpected conditions.
++echo "$test" | cat >"$TRIGGER" || true
+
+ # Record and dump the results
+ dmesg | comm --nocheck-order -13 "$DMESG" - > "$LOG" || true
--- /dev/null
+From 4897807753e078655a78de39ed76044d784f3e63 Mon Sep 17 00:00:00 2001
+From: Hannu Hartikainen <hannu@hrtk.in>
+Date: Tue, 22 Jun 2021 17:14:54 +0300
+Subject: USB: cdc-acm: blacklist Heimann USB Appset device
+
+From: Hannu Hartikainen <hannu@hrtk.in>
+
+commit 4897807753e078655a78de39ed76044d784f3e63 upstream.
+
+The device (32a7:0000 Heimann Sensor GmbH USB appset demo) claims to be
+a CDC-ACM device in its descriptors but in fact is not. If it is run
+with echo disabled it returns garbled data, probably due to something
+that happens in the TTY layer. And when run with echo enabled (the
+default), it will mess up the calibration data of the sensor the first
+time any data is sent to the device.
+
+In short, I had a bad time after connecting the sensor and trying to get
+it to work. I hope blacklisting it in the cdc-acm driver will save
+someone else a bit of trouble.
+
+Signed-off-by: Hannu Hartikainen <hannu@hrtk.in>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210622141454.337948-1-hannu@hrtk.in
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1948,6 +1948,11 @@ static const struct usb_device_id acm_id
+ .driver_info = IGNORE_DEVICE,
+ },
+
++ /* Exclude Heimann Sensor GmbH USB appset demo */
++ { USB_DEVICE(0x32a7, 0x0000),
++ .driver_info = IGNORE_DEVICE,
++ },
++
+ /* control interfaces without any protocol set */
+ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
+ USB_CDC_PROTO_NONE) },
--- /dev/null
+From 84524d1232ecca7cf8678e851b254f05cff4040a Mon Sep 17 00:00:00 2001
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Date: Thu, 17 Jun 2021 09:55:24 -0700
+Subject: usb: dwc3: Fix debugfs creation flow
+
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+
+commit 84524d1232ecca7cf8678e851b254f05cff4040a upstream.
+
+Creation EP's debugfs called earlier than debugfs folder for dwc3
+device created. As result EP's debugfs are created in '/sys/kernel/debug'
+instead of '/sys/kernel/debug/usb/dwc3.1.auto'.
+
+Moved dwc3_debugfs_init() function call before calling
+dwc3_core_init_mode() to allow create dwc3 debugfs parent before
+creating EP's debugfs's.
+
+Fixes: 8d396bb0a5b6 ("usb: dwc3: debugfs: Add and remove endpoint dirs dynamically")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Link: https://lore.kernel.org/r/01fafb5b2d8335e98e6eadbac61fc796bdf3ec1a.1623948457.git.Minas.Harutyunyan@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1590,17 +1590,18 @@ static int dwc3_probe(struct platform_de
+ }
+
+ dwc3_check_params(dwc);
++ dwc3_debugfs_init(dwc);
+
+ ret = dwc3_core_init_mode(dwc);
+ if (ret)
+ goto err5;
+
+- dwc3_debugfs_init(dwc);
+ pm_runtime_put(dev);
+
+ return 0;
+
+ err5:
++ dwc3_debugfs_exit(dwc);
+ dwc3_event_buffers_cleanup(dwc);
+
+ usb_phy_shutdown(dwc->usb2_phy);
--- /dev/null
+From 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Mon Sep 17 00:00:00 2001
+From: Linyu Yuan <linyyuan@codeaurora.com>
+Date: Wed, 16 Jun 2021 19:51:42 +0800
+Subject: usb: gadget: eem: fix echo command packet response issue
+
+From: Linyu Yuan <linyyuan@codeaurora.com>
+
+commit 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 upstream.
+
+when receive eem echo command, it will send a response,
+but queue this response to the usb request which allocate
+from gadget device endpoint zero,
+and transmit the request to IN endpoint of eem interface.
+
+on dwc3 gadget, it will trigger following warning in function
+__dwc3_gadget_ep_queue(),
+
+ if (WARN(req->dep != dep, "request %pK belongs to '%s'\n",
+ &req->request, req->dep->name))
+ return -EINVAL;
+
+fix it by allocating a usb request from IN endpoint of eem interface,
+and transmit the usb request to same IN endpoint of eem interface.
+
+Signed-off-by: Linyu Yuan <linyyuan@codeaurora.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210616115142.34075-1-linyyuan@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_eem.c | 43 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 39 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_eem.c
++++ b/drivers/usb/gadget/function/f_eem.c
+@@ -30,6 +30,11 @@ struct f_eem {
+ u8 ctrl_id;
+ };
+
++struct in_context {
++ struct sk_buff *skb;
++ struct usb_ep *ep;
++};
++
+ static inline struct f_eem *func_to_eem(struct usb_function *f)
+ {
+ return container_of(f, struct f_eem, port.func);
+@@ -320,9 +325,12 @@ fail:
+
+ static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req)
+ {
+- struct sk_buff *skb = (struct sk_buff *)req->context;
++ struct in_context *ctx = req->context;
+
+- dev_kfree_skb_any(skb);
++ dev_kfree_skb_any(ctx->skb);
++ kfree(req->buf);
++ usb_ep_free_request(ctx->ep, req);
++ kfree(ctx);
+ }
+
+ /*
+@@ -410,7 +418,9 @@ static int eem_unwrap(struct gether *por
+ * b15: bmType (0 == data, 1 == command)
+ */
+ if (header & BIT(15)) {
+- struct usb_request *req = cdev->req;
++ struct usb_request *req;
++ struct in_context *ctx;
++ struct usb_ep *ep;
+ u16 bmEEMCmd;
+
+ /* EEM command packet format:
+@@ -439,11 +449,36 @@ static int eem_unwrap(struct gether *por
+ skb_trim(skb2, len);
+ put_unaligned_le16(BIT(15) | BIT(11) | len,
+ skb_push(skb2, 2));
++
++ ep = port->in_ep;
++ req = usb_ep_alloc_request(ep, GFP_ATOMIC);
++ if (!req) {
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++
++ req->buf = kmalloc(skb2->len, GFP_KERNEL);
++ if (!req->buf) {
++ usb_ep_free_request(ep, req);
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++
++ ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
++ if (!ctx) {
++ kfree(req->buf);
++ usb_ep_free_request(ep, req);
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++ ctx->skb = skb2;
++ ctx->ep = ep;
++
+ skb_copy_bits(skb2, 0, req->buf, skb2->len);
+ req->length = skb2->len;
+ req->complete = eem_cmd_complete;
+ req->zero = 1;
+- req->context = skb2;
++ req->context = ctx;
+ if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC))
+ DBG(cdev, "echo response queue fail\n");
+ break;
--- /dev/null
+From d143825baf15f204dac60acdf95e428182aa3374 Mon Sep 17 00:00:00 2001
+From: Moritz Fischer <mdf@kernel.org>
+Date: Tue, 15 Jun 2021 08:37:58 -0700
+Subject: usb: renesas-xhci: Fix handling of unknown ROM state
+
+From: Moritz Fischer <mdf@kernel.org>
+
+commit d143825baf15f204dac60acdf95e428182aa3374 upstream.
+
+The ROM load sometimes seems to return an unknown status
+(RENESAS_ROM_STATUS_NO_RESULT) instead of success / fail.
+
+If the ROM load indeed failed this leads to failures when trying to
+communicate with the controller later on.
+
+Attempt to load firmware using RAM load in those cases.
+
+Fixes: 2478be82de44 ("usb: renesas-xhci: Add ROM loader for uPD720201")
+Cc: stable@vger.kernel.org
+Cc: Mathias Nyman <mathias.nyman@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Vinod Koul <vkoul@kernel.org>
+Tested-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Link: https://lore.kernel.org/r/20210615153758.253572-1-mdf@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci-renesas.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci-renesas.c
++++ b/drivers/usb/host/xhci-pci-renesas.c
+@@ -207,7 +207,8 @@ static int renesas_check_rom_state(struc
+ return 0;
+
+ case RENESAS_ROM_STATUS_NO_RESULT: /* No result yet */
+- return 0;
++ dev_dbg(&pdev->dev, "Unknown ROM status ...\n");
++ break;
+
+ case RENESAS_ROM_STATUS_ERROR: /* Error State */
+ default: /* All other states are marked as "Reserved states" */
+@@ -224,13 +225,12 @@ static int renesas_fw_check_running(stru
+ u8 fw_state;
+ int err;
+
+- /* Check if device has ROM and loaded, if so skip everything */
+- err = renesas_check_rom(pdev);
+- if (err) { /* we have rom */
+- err = renesas_check_rom_state(pdev);
+- if (!err)
+- return err;
+- }
++ /*
++ * Only if device has ROM and loaded FW we can skip loading and
++ * return success. Otherwise (even unknown state), attempt to load FW.
++ */
++ if (renesas_check_rom(pdev) && !renesas_check_rom_state(pdev))
++ return 0;
+
+ /*
+ * Test if the device is actually needing the firmware. As most
--- /dev/null
+From 03026197bb657d784220b040c6173267a0375741 Mon Sep 17 00:00:00 2001
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Date: Thu, 17 Jun 2021 15:32:26 +0800
+Subject: usb: typec: Add the missed altmode_id_remove() in typec_register_altmode()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+commit 03026197bb657d784220b040c6173267a0375741 upstream.
+
+typec_register_altmode() misses to call altmode_id_remove() in an error
+path. Add the missed function call to fix it.
+
+Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Link: https://lore.kernel.org/r/20210617073226.47599-1-jingxiangfeng@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/class.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -446,8 +446,10 @@ typec_register_altmode(struct device *pa
+ int ret;
+
+ alt = kzalloc(sizeof(*alt), GFP_KERNEL);
+- if (!alt)
++ if (!alt) {
++ altmode_id_remove(parent, id);
+ return ERR_PTR(-ENOMEM);
++ }
+
+ alt->adev.svid = desc->svid;
+ alt->adev.mode = desc->mode;
--- /dev/null
+From b31d9d6d7abbf6483b871b6370bc31c930d53f54 Mon Sep 17 00:00:00 2001
+From: "Zhangjiantao (Kirin, nanjing)" <water.zhangjiantao@huawei.com>
+Date: Thu, 17 Jun 2021 18:03:54 +0300
+Subject: xhci: solve a double free problem while doing s4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>
+
+commit b31d9d6d7abbf6483b871b6370bc31c930d53f54 upstream.
+
+when system is doing s4, the process of xhci_resume may be as below:
+1、xhci_mem_cleanup
+2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough).
+xhci_mem_cleanup will be executed twice when system is out of memory.
+xhci->port_caps is freed in xhci_mem_cleanup,but it isn't set to NULL.
+It will be freed twice when xhci_mem_cleanup is called the second time.
+
+We got following bug when system resumes from s4:
+
+kernel BUG at mm/slub.c:309!
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1
+pc : __slab_free+0x5c/0x424
+lr : kfree+0x30c/0x32c
+
+Call trace:
+ __slab_free+0x5c/0x424
+ kfree+0x30c/0x32c
+ xhci_mem_cleanup+0x394/0x3cc
+ xhci_mem_init+0x9ac/0x1070
+ xhci_init+0x8c/0x1d0
+ xhci_resume+0x1cc/0x5fc
+ xhci_plat_resume+0x64/0x70
+ platform_pm_thaw+0x28/0x60
+ dpm_run_callback+0x54/0x24c
+ device_resume+0xd0/0x200
+ async_resume+0x24/0x60
+ async_run_entry_fn+0x44/0x110
+ process_one_work+0x1f0/0x490
+ worker_thread+0x5c/0x450
+ kthread+0x158/0x160
+ ret_from_fork+0x10/0x24
+
+Original patch that caused this issue was backported to 4.4 stable,
+so this should be backported to 4.4 stabe as well.
+
+Fixes: cf0ee7c60c89 ("xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Jiantao Zhang <water.zhangjiantao@huawei.com>
+Signed-off-by: Tao Xue <xuetao09@huawei.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210617150354.1512157-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1938,6 +1938,7 @@ no_bw:
+ xhci->hw_ports = NULL;
+ xhci->rh_bw = NULL;
+ xhci->ext_caps = NULL;
++ xhci->port_caps = NULL;
+
+ xhci->page_size = 0;
+ xhci->page_shift = 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
