--- /dev/null
+From f7f291e14dde32a07b1f0aa06921d28f875a7b54 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Sun, 11 Dec 2022 18:18:55 -0300
+Subject: cifs: fix oops during encryption
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit f7f291e14dde32a07b1f0aa06921d28f875a7b54 upstream.
+
+When running xfstests against Azure the following oops occurred on an
+arm64 system
+
+ Unable to handle kernel write to read-only memory at virtual address
+ ffff0001221cf000
+ Mem abort info:
+ ESR = 0x9600004f
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x0f: level 3 permission fault
+ Data abort info:
+ ISV = 0, ISS = 0x0000004f
+ CM = 0, WnR = 1
+ swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000
+ [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,
+ pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787
+ Internal error: Oops: 9600004f [#1] PREEMPT SMP
+ ...
+ pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
+ pc : __memcpy+0x40/0x230
+ lr : scatterwalk_copychunks+0xe0/0x200
+ sp : ffff800014e92de0
+ x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008
+ x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008
+ x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000
+ x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014
+ x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058
+ x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590
+ x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580
+ x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005
+ x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001
+ x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000
+ Call trace:
+ __memcpy+0x40/0x230
+ scatterwalk_map_and_copy+0x98/0x100
+ crypto_ccm_encrypt+0x150/0x180
+ crypto_aead_encrypt+0x2c/0x40
+ crypt_message+0x750/0x880
+ smb3_init_transform_rq+0x298/0x340
+ smb_send_rqst.part.11+0xd8/0x180
+ smb_send_rqst+0x3c/0x100
+ compound_send_recv+0x534/0xbc0
+ smb2_query_info_compound+0x32c/0x440
+ smb2_set_ea+0x438/0x4c0
+ cifs_xattr_set+0x5d4/0x7c0
+
+This is because in scatterwalk_copychunks(), we attempted to write to
+a buffer (@sign) that was allocated in the stack (vmalloc area) by
+crypt_message() and thus accessing its remaining 8 (x2) bytes ended up
+crossing a page boundary.
+
+To simply fix it, we could just pass @sign kmalloc'd from
+crypt_message() and then we're done. Luckily, we don't seem to pass
+any other vmalloc'd buffers in smb_rqst::rq_iov...
+
+Instead, let's map the correct pages and offsets from vmalloc buffers
+as well in cifs_sg_set_buf() and then avoiding such oopses.
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsglob.h | 68 ++++++++++++++++++++++++
+ fs/cifs/cifsproto.h | 4 -
+ fs/cifs/misc.c | 4 -
+ fs/cifs/smb2ops.c | 143 ++++++++++++++++++++++++----------------------------
+ 4 files changed, 140 insertions(+), 79 deletions(-)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -13,6 +13,8 @@
+ #include <linux/in6.h>
+ #include <linux/inet.h>
+ #include <linux/slab.h>
++#include <linux/scatterlist.h>
++#include <linux/mm.h>
+ #include <linux/mempool.h>
+ #include <linux/workqueue.h>
+ #include <linux/utsname.h>
+@@ -2137,4 +2139,70 @@ static inline void move_cifs_info_to_smb
+ dst->FileNameLength = src->FileNameLength;
+ }
+
++static inline unsigned int cifs_get_num_sgs(const struct smb_rqst *rqst,
++ int num_rqst,
++ const u8 *sig)
++{
++ unsigned int len, skip;
++ unsigned int nents = 0;
++ unsigned long addr;
++ int i, j;
++
++ /* Assumes the first rqst has a transform header as the first iov.
++ * I.e.
++ * rqst[0].rq_iov[0] is transform header
++ * rqst[0].rq_iov[1+] data to be encrypted/decrypted
++ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
++ */
++ for (i = 0; i < num_rqst; i++) {
++ /*
++ * The first rqst has a transform header where the
++ * first 20 bytes are not part of the encrypted blob.
++ */
++ for (j = 0; j < rqst[i].rq_nvec; j++) {
++ struct kvec *iov = &rqst[i].rq_iov[j];
++
++ skip = (i == 0) && (j == 0) ? 20 : 0;
++ addr = (unsigned long)iov->iov_base + skip;
++ if (unlikely(is_vmalloc_addr((void *)addr))) {
++ len = iov->iov_len - skip;
++ nents += DIV_ROUND_UP(offset_in_page(addr) + len,
++ PAGE_SIZE);
++ } else {
++ nents++;
++ }
++ }
++ nents += rqst[i].rq_npages;
++ }
++ nents += DIV_ROUND_UP(offset_in_page(sig) + SMB2_SIGNATURE_SIZE, PAGE_SIZE);
++ return nents;
++}
++
++/* We can not use the normal sg_set_buf() as we will sometimes pass a
++ * stack object as buf.
++ */
++static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg,
++ const void *buf,
++ unsigned int buflen)
++{
++ unsigned long addr = (unsigned long)buf;
++ unsigned int off = offset_in_page(addr);
++
++ addr &= PAGE_MASK;
++ if (unlikely(is_vmalloc_addr((void *)addr))) {
++ do {
++ unsigned int len = min_t(unsigned int, buflen, PAGE_SIZE - off);
++
++ sg_set_page(sg++, vmalloc_to_page((void *)addr), len, off);
++
++ off = 0;
++ addr += PAGE_SIZE;
++ buflen -= len;
++ } while (buflen);
++ } else {
++ sg_set_page(sg++, virt_to_page(addr), buflen, off);
++ }
++ return sg;
++}
++
+ #endif /* _CIFS_GLOB_H */
+--- a/fs/cifs/cifsproto.h
++++ b/fs/cifs/cifsproto.h
+@@ -600,8 +600,8 @@ int setup_aio_ctx_iter(struct cifs_aio_c
+ int cifs_alloc_hash(const char *name, struct shash_desc **sdesc);
+ void cifs_free_hash(struct shash_desc **sdesc);
+
+-extern void rqst_page_get_length(struct smb_rqst *rqst, unsigned int page,
+- unsigned int *len, unsigned int *offset);
++void rqst_page_get_length(const struct smb_rqst *rqst, unsigned int page,
++ unsigned int *len, unsigned int *offset);
+ struct cifs_chan *
+ cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server);
+ int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses);
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -1136,8 +1136,8 @@ cifs_free_hash(struct shash_desc **sdesc
+ * @len: Where to store the length for this page:
+ * @offset: Where to store the offset for this page
+ */
+-void rqst_page_get_length(struct smb_rqst *rqst, unsigned int page,
+- unsigned int *len, unsigned int *offset)
++void rqst_page_get_length(const struct smb_rqst *rqst, unsigned int page,
++ unsigned int *len, unsigned int *offset)
+ {
+ *len = rqst->rq_pagesz;
+ *offset = (page == 0) ? rqst->rq_offset : 0;
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -4204,69 +4204,82 @@ fill_transform_hdr(struct smb2_transform
+ memcpy(&tr_hdr->SessionId, &shdr->SessionId, 8);
+ }
+
+-/* We can not use the normal sg_set_buf() as we will sometimes pass a
+- * stack object as buf.
+- */
+-static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
+- unsigned int buflen)
++static void *smb2_aead_req_alloc(struct crypto_aead *tfm, const struct smb_rqst *rqst,
++ int num_rqst, const u8 *sig, u8 **iv,
++ struct aead_request **req, struct scatterlist **sgl,
++ unsigned int *num_sgs)
+ {
+- void *addr;
+- /*
+- * VMAP_STACK (at least) puts stack into the vmalloc address space
+- */
+- if (is_vmalloc_addr(buf))
+- addr = vmalloc_to_page(buf);
+- else
+- addr = virt_to_page(buf);
+- sg_set_page(sg, addr, buflen, offset_in_page(buf));
++ unsigned int req_size = sizeof(**req) + crypto_aead_reqsize(tfm);
++ unsigned int iv_size = crypto_aead_ivsize(tfm);
++ unsigned int len;
++ u8 *p;
++
++ *num_sgs = cifs_get_num_sgs(rqst, num_rqst, sig);
++
++ len = iv_size;
++ len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1);
++ len = ALIGN(len, crypto_tfm_ctx_alignment());
++ len += req_size;
++ len = ALIGN(len, __alignof__(struct scatterlist));
++ len += *num_sgs * sizeof(**sgl);
++
++ p = kmalloc(len, GFP_ATOMIC);
++ if (!p)
++ return NULL;
++
++ *iv = (u8 *)PTR_ALIGN(p, crypto_aead_alignmask(tfm) + 1);
++ *req = (struct aead_request *)PTR_ALIGN(*iv + iv_size,
++ crypto_tfm_ctx_alignment());
++ *sgl = (struct scatterlist *)PTR_ALIGN((u8 *)*req + req_size,
++ __alignof__(struct scatterlist));
++ return p;
+ }
+
+-/* Assumes the first rqst has a transform header as the first iov.
+- * I.e.
+- * rqst[0].rq_iov[0] is transform header
+- * rqst[0].rq_iov[1+] data to be encrypted/decrypted
+- * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
+- */
+-static struct scatterlist *
+-init_sg(int num_rqst, struct smb_rqst *rqst, u8 *sign)
++static void *smb2_get_aead_req(struct crypto_aead *tfm, const struct smb_rqst *rqst,
++ int num_rqst, const u8 *sig, u8 **iv,
++ struct aead_request **req, struct scatterlist **sgl)
+ {
+- unsigned int sg_len;
++ unsigned int off, len, skip;
+ struct scatterlist *sg;
+- unsigned int i;
+- unsigned int j;
+- unsigned int idx = 0;
+- int skip;
+-
+- sg_len = 1;
+- for (i = 0; i < num_rqst; i++)
+- sg_len += rqst[i].rq_nvec + rqst[i].rq_npages;
++ unsigned int num_sgs;
++ unsigned long addr;
++ int i, j;
++ void *p;
+
+- sg = kmalloc_array(sg_len, sizeof(struct scatterlist), GFP_KERNEL);
+- if (!sg)
++ p = smb2_aead_req_alloc(tfm, rqst, num_rqst, sig, iv, req, sgl, &num_sgs);
++ if (!p)
+ return NULL;
+
+- sg_init_table(sg, sg_len);
++ sg_init_table(*sgl, num_sgs);
++ sg = *sgl;
++
++ /* Assumes the first rqst has a transform header as the first iov.
++ * I.e.
++ * rqst[0].rq_iov[0] is transform header
++ * rqst[0].rq_iov[1+] data to be encrypted/decrypted
++ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
++ */
+ for (i = 0; i < num_rqst; i++) {
++ /*
++ * The first rqst has a transform header where the
++ * first 20 bytes are not part of the encrypted blob.
++ */
+ for (j = 0; j < rqst[i].rq_nvec; j++) {
+- /*
+- * The first rqst has a transform header where the
+- * first 20 bytes are not part of the encrypted blob
+- */
+- skip = (i == 0) && (j == 0) ? 20 : 0;
+- smb2_sg_set_buf(&sg[idx++],
+- rqst[i].rq_iov[j].iov_base + skip,
+- rqst[i].rq_iov[j].iov_len - skip);
+- }
++ struct kvec *iov = &rqst[i].rq_iov[j];
+
++ skip = (i == 0) && (j == 0) ? 20 : 0;
++ addr = (unsigned long)iov->iov_base + skip;
++ len = iov->iov_len - skip;
++ sg = cifs_sg_set_buf(sg, (void *)addr, len);
++ }
+ for (j = 0; j < rqst[i].rq_npages; j++) {
+- unsigned int len, offset;
+-
+- rqst_page_get_length(&rqst[i], j, &len, &offset);
+- sg_set_page(&sg[idx++], rqst[i].rq_pages[j], len, offset);
++ rqst_page_get_length(&rqst[i], j, &len, &off);
++ sg_set_page(sg++, rqst[i].rq_pages[j], len, off);
+ }
+ }
+- smb2_sg_set_buf(&sg[idx], sign, SMB2_SIGNATURE_SIZE);
+- return sg;
++ cifs_sg_set_buf(sg, sig, SMB2_SIGNATURE_SIZE);
++
++ return p;
+ }
+
+ static int
+@@ -4314,11 +4327,11 @@ crypt_message(struct TCP_Server_Info *se
+ u8 sign[SMB2_SIGNATURE_SIZE] = {};
+ u8 key[SMB3_ENC_DEC_KEY_SIZE];
+ struct aead_request *req;
+- char *iv;
+- unsigned int iv_len;
++ u8 *iv;
+ DECLARE_CRYPTO_WAIT(wait);
+ struct crypto_aead *tfm;
+ unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
++ void *creq;
+
+ rc = smb2_get_enc_key(server, le64_to_cpu(tr_hdr->SessionId), enc, key);
+ if (rc) {
+@@ -4352,32 +4365,15 @@ crypt_message(struct TCP_Server_Info *se
+ return rc;
+ }
+
+- req = aead_request_alloc(tfm, GFP_KERNEL);
+- if (!req) {
+- cifs_server_dbg(VFS, "%s: Failed to alloc aead request\n", __func__);
++ creq = smb2_get_aead_req(tfm, rqst, num_rqst, sign, &iv, &req, &sg);
++ if (unlikely(!creq))
+ return -ENOMEM;
+- }
+
+ if (!enc) {
+ memcpy(sign, &tr_hdr->Signature, SMB2_SIGNATURE_SIZE);
+ crypt_len += SMB2_SIGNATURE_SIZE;
+ }
+
+- sg = init_sg(num_rqst, rqst, sign);
+- if (!sg) {
+- cifs_server_dbg(VFS, "%s: Failed to init sg\n", __func__);
+- rc = -ENOMEM;
+- goto free_req;
+- }
+-
+- iv_len = crypto_aead_ivsize(tfm);
+- iv = kzalloc(iv_len, GFP_KERNEL);
+- if (!iv) {
+- cifs_server_dbg(VFS, "%s: Failed to alloc iv\n", __func__);
+- rc = -ENOMEM;
+- goto free_sg;
+- }
+-
+ if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
+ (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+ memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES_GCM_NONCE);
+@@ -4386,6 +4382,7 @@ crypt_message(struct TCP_Server_Info *se
+ memcpy(iv + 1, (char *)tr_hdr->Nonce, SMB3_AES_CCM_NONCE);
+ }
+
++ aead_request_set_tfm(req, tfm);
+ aead_request_set_crypt(req, sg, sg, crypt_len, iv);
+ aead_request_set_ad(req, assoc_data_len);
+
+@@ -4398,11 +4395,7 @@ crypt_message(struct TCP_Server_Info *se
+ if (!rc && enc)
+ memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
+
+- kfree_sensitive(iv);
+-free_sg:
+- kfree_sensitive(sg);
+-free_req:
+- kfree_sensitive(req);
++ kfree_sensitive(creq);
+ return rc;
+ }
+
--- /dev/null
+From de5dc44370fbd6b46bd7f1a1e00369be54a041c8 Mon Sep 17 00:00:00 2001
+From: Tony Nguyen <anthony.l.nguyen@intel.com>
+Date: Mon, 12 Dec 2022 11:00:31 -0800
+Subject: igb: Initialize mailbox message for VF reset
+
+From: Tony Nguyen <anthony.l.nguyen@intel.com>
+
+commit de5dc44370fbd6b46bd7f1a1e00369be54a041c8 upstream.
+
+When a MAC address is not assigned to the VF, that portion of the message
+sent to the VF is not set. The memory, however, is allocated from the
+stack meaning that information may be leaked to the VM. Initialize the
+message buffer to 0 so that no information is passed to the VM in this
+case.
+
+Fixes: 6ddbc4cf1f4d ("igb: Indicate failure on vf reset for empty mac address")
+Reported-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20221212190031.3983342-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -7521,7 +7521,7 @@ static void igb_vf_reset_msg(struct igb_
+ {
+ struct e1000_hw *hw = &adapter->hw;
+ unsigned char *vf_mac = adapter->vf_data[vf].vf_mac_addresses;
+- u32 reg, msgbuf[3];
++ u32 reg, msgbuf[3] = {};
+ u8 *addr = (u8 *)(&msgbuf[1]);
+
+ /* process all the same items cleared in a function level reset */
--- /dev/null
+From 5adedd42245af0860ebda8fe0949f24f5204c1b1 Mon Sep 17 00:00:00 2001
+From: Nikolaus Voss <nikolaus.voss@haag-streit.com>
+Date: Wed, 19 Oct 2022 18:38:20 +0200
+Subject: KEYS: encrypted: fix key instantiation with user-provided data
+
+From: Nikolaus Voss <nikolaus.voss@haag-streit.com>
+
+commit 5adedd42245af0860ebda8fe0949f24f5204c1b1 upstream.
+
+Commit cd3bc044af48 ("KEYS: encrypted: Instantiate key with
+user-provided decrypted data") added key instantiation with user
+provided decrypted data. The user data is hex-ascii-encoded but was
+just memcpy'ed to the binary buffer. Fix this to use hex2bin instead.
+
+Old keys created from user provided decrypted data saved with "keyctl
+pipe" are still valid, however if the key is recreated from decrypted
+data the old key must be converted to the correct format. This can be
+done with a small shell script, e.g.:
+
+BROKENKEY=abcdefABCDEF1234567890aaaaaaaaaa
+NEWKEY=$(echo -ne $BROKENKEY | xxd -p -c32)
+keyctl add user masterkey "$(cat masterkey.bin)" @u
+keyctl add encrypted testkey "new user:masterkey 32 $NEWKEY" @u
+
+However, NEWKEY is still broken: If for BROKENKEY 32 bytes were
+specified, a brute force attacker knowing the key properties would only
+need to try at most 2^(16*8) keys, as if the key was only 16 bytes long.
+
+The security issue is a result of the combination of limiting the input
+range to hex-ascii and using memcpy() instead of hex2bin(). It could
+have been fixed either by allowing binary input or using hex2bin() (and
+doubling the ascii input key length). This patch implements the latter.
+
+The corresponding test for the Linux Test Project ltp has also been
+fixed (see link below).
+
+Fixes: cd3bc044af48 ("KEYS: encrypted: Instantiate key with user-provided decrypted data")
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/ltp/20221006081709.92303897@mail.steuer-voss.de/
+Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Nikolaus Voss <nikolaus.voss@haag-streit.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/security/keys/trusted-encrypted.rst | 3 ++-
+ security/keys/encrypted-keys/encrypted.c | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/Documentation/security/keys/trusted-encrypted.rst
++++ b/Documentation/security/keys/trusted-encrypted.rst
+@@ -350,7 +350,8 @@ Load an encrypted key "evm" from saved b
+
+ Instantiate an encrypted key "evm" using user-provided decrypted data::
+
+- $ keyctl add encrypted evm "new default user:kmk 32 `cat evm_decrypted_data.blob`" @u
++ $ evmkey=$(dd if=/dev/urandom bs=1 count=32 | xxd -c32 -p)
++ $ keyctl add encrypted evm "new default user:kmk 32 $evmkey" @u
+ 794890253
+
+ $ keyctl print 794890253
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -627,7 +627,7 @@ static struct encrypted_key_payload *enc
+ pr_err("encrypted key: instantiation of keys using provided decrypted data is disabled since CONFIG_USER_DECRYPTED_DATA is set to false\n");
+ return ERR_PTR(-EINVAL);
+ }
+- if (strlen(decrypted_data) != decrypted_datalen) {
++ if (strlen(decrypted_data) != decrypted_datalen * 2) {
+ pr_err("encrypted key: decrypted data provided does not match decrypted data length provided\n");
+ return ERR_PTR(-EINVAL);
+ }
+@@ -791,8 +791,8 @@ static int encrypted_init(struct encrypt
+ ret = encrypted_key_decrypt(epayload, format, hex_encoded_iv);
+ } else if (decrypted_data) {
+ get_random_bytes(epayload->iv, ivsize);
+- memcpy(epayload->decrypted_data, decrypted_data,
+- epayload->decrypted_datalen);
++ ret = hex2bin(epayload->decrypted_data, decrypted_data,
++ epayload->decrypted_datalen);
+ } else {
+ get_random_bytes(epayload->iv, ivsize);
+ get_random_bytes(epayload->decrypted_data, epayload->decrypted_datalen);
usb-serial-f81232-fix-division-by-zero-on-line-speed-change.patch
usb-serial-f81534-fix-division-by-zero-on-line-speed-change.patch
alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch
+xhci-apply-xhci_reset_to_default-quirk-to-adl-n.patch
+staging-r8188eu-fix-led-register-settings.patch
+igb-initialize-mailbox-message-for-vf-reset.patch
+usb-typec-ucsi-resume-in-separate-work.patch
+usb-dwc3-pci-update-pcie-device-id-for-usb3-controller-on-cpu-sub-system-for-raptor-lake.patch
+cifs-fix-oops-during-encryption.patch
+keys-encrypted-fix-key-instantiation-with-user-provided-data.patch
+usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch
--- /dev/null
+From 12c6223fc1804fd9295dc50d358294539b4a4184 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <martin@kaiser.cx>
+Date: Sat, 15 Oct 2022 17:11:06 +0200
+Subject: staging: r8188eu: fix led register settings
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+commit 12c6223fc1804fd9295dc50d358294539b4a4184 upstream.
+
+Using an InterTech DMG-02 dongle, the led remains on when the system goes
+into standby mode. After wakeup, it's no longer possible to control the
+led.
+
+It turned out that the register settings to enable or disable the led were
+not correct. They worked for some dongles like the Edimax V2 but not for
+others like the InterTech DMG-02.
+
+This patch fixes the register settings. Bit 3 in the led_cfg2 register
+controls the led status, bit 5 must always be set to be able to control
+the led, bit 6 has no influence on the led. Setting the mac_pinmux_cfg
+register is not necessary.
+
+These settings were tested with Edimax V2 and InterTech DMG-02.
+
+Cc: stable@vger.kernel.org
+Fixes: 8cd574e6af54 ("staging: r8188eu: introduce new hal dir for RTL8188eu driver")
+Suggested-by: Michael Straube <straube.linux@gmail.com>
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Tested-by: Michael Straube <straube.linux@gmail.com> # InterTech DMG-02,
+Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com> # Edimax N150
+Link: https://lore.kernel.org/r/20221015151115.232095-2-martin@kaiser.cx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/r8188eu/core/rtw_led.c | 25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+--- a/drivers/staging/r8188eu/core/rtw_led.c
++++ b/drivers/staging/r8188eu/core/rtw_led.c
+@@ -32,40 +32,19 @@ static void ResetLedStatus(struct led_pr
+
+ static void SwLedOn(struct adapter *padapter, struct led_priv *pLed)
+ {
+- u8 LedCfg;
+- int res;
+-
+ if (padapter->bDriverStopped)
+ return;
+
+- res = rtw_read8(padapter, REG_LEDCFG2, &LedCfg);
+- if (res)
+- return;
+-
+- rtw_write8(padapter, REG_LEDCFG2, (LedCfg & 0xf0) | BIT(5) | BIT(6)); /* SW control led0 on. */
++ rtw_write8(padapter, REG_LEDCFG2, BIT(5)); /* SW control led0 on. */
+ pLed->bLedOn = true;
+ }
+
+ static void SwLedOff(struct adapter *padapter, struct led_priv *pLed)
+ {
+- u8 LedCfg;
+- int res;
+-
+ if (padapter->bDriverStopped)
+ goto exit;
+
+- res = rtw_read8(padapter, REG_LEDCFG2, &LedCfg);/* 0x4E */
+- if (res)
+- goto exit;
+-
+- LedCfg &= 0x90; /* Set to software control. */
+- rtw_write8(padapter, REG_LEDCFG2, (LedCfg | BIT(3)));
+- res = rtw_read8(padapter, REG_MAC_PINMUX_CFG, &LedCfg);
+- if (res)
+- goto exit;
+-
+- LedCfg &= 0xFE;
+- rtw_write8(padapter, REG_MAC_PINMUX_CFG, LedCfg);
++ rtw_write8(padapter, REG_LEDCFG2, BIT(5) | BIT(3));
+ exit:
+ pLed->bLedOn = false;
+ }
--- /dev/null
+From f05f80f217bf52443a2582bca19fd78188333f25 Mon Sep 17 00:00:00 2001
+From: Shruthi Sanil <shruthi.sanil@intel.com>
+Date: Fri, 25 Nov 2022 16:23:27 +0530
+Subject: usb: dwc3: pci: Update PCIe device ID for USB3 controller on CPU sub-system for Raptor Lake
+
+From: Shruthi Sanil <shruthi.sanil@intel.com>
+
+commit f05f80f217bf52443a2582bca19fd78188333f25 upstream.
+
+The device ID 0xa70e is defined for the USB3 device controller in the CPU
+sub-system of Raptor Lake platform. Hence updating the ID accordingly.
+
+Fixes: bad0d1d726ac ("usb: dwc3: pci: Add support for Intel Raptor Lake")
+Cc: stable <stable@kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Shruthi Sanil <shruthi.sanil@intel.com>
+Link: https://lore.kernel.org/r/20221125105327.27945-1-shruthi.sanil@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -45,7 +45,7 @@
+ #define PCI_DEVICE_ID_INTEL_ADLN 0x465e
+ #define PCI_DEVICE_ID_INTEL_ADLN_PCH 0x54ee
+ #define PCI_DEVICE_ID_INTEL_ADLS 0x7ae1
+-#define PCI_DEVICE_ID_INTEL_RPL 0x460e
++#define PCI_DEVICE_ID_INTEL_RPL 0xa70e
+ #define PCI_DEVICE_ID_INTEL_RPLS 0x7a61
+ #define PCI_DEVICE_ID_INTEL_MTLP 0x7ec1
+ #define PCI_DEVICE_ID_INTEL_MTL 0x7e7e
--- /dev/null
+From e0dced9c7d4763fd97c86a13902d135f03cc42eb Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Wed, 23 Nov 2022 11:30:21 +0200
+Subject: usb: typec: ucsi: Resume in separate work
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit e0dced9c7d4763fd97c86a13902d135f03cc42eb upstream.
+
+It can take more than one second to check each connector
+when the system is resumed. So if you have, say, eight
+connectors, it may take eight seconds for ucsi_resume() to
+finish. That's a bit too much.
+
+This will modify ucsi_resume() so that it schedules a work
+where the interface is actually resumed instead of checking
+the connectors directly. The connections will also be
+checked in separate tasks which are queued for each connector
+separately.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216706
+Fixes: 99f6d4361113 ("usb: typec: ucsi: Check the connection on resume")
+Cc: <stable@vger.kernel.org>
+Reported-by: Todd Brandt <todd.e.brandt@intel.com>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20221123093021.25981-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 17 +++++++++++++----
+ drivers/usb/typec/ucsi/ucsi.h | 1 +
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -1270,8 +1270,9 @@ err:
+ return ret;
+ }
+
+-int ucsi_resume(struct ucsi *ucsi)
++static void ucsi_resume_work(struct work_struct *work)
+ {
++ struct ucsi *ucsi = container_of(work, struct ucsi, resume_work);
+ struct ucsi_connector *con;
+ u64 command;
+ int ret;
+@@ -1279,15 +1280,21 @@ int ucsi_resume(struct ucsi *ucsi)
+ /* Restore UCSI notification enable mask after system resume */
+ command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
+ ret = ucsi_send_command(ucsi, command, NULL, 0);
+- if (ret < 0)
+- return ret;
++ if (ret < 0) {
++ dev_err(ucsi->dev, "failed to re-enable notifications (%d)\n", ret);
++ return;
++ }
+
+ for (con = ucsi->connector; con->port; con++) {
+ mutex_lock(&con->lock);
+- ucsi_check_connection(con);
++ ucsi_partner_task(con, ucsi_check_connection, 1, 0);
+ mutex_unlock(&con->lock);
+ }
++}
+
++int ucsi_resume(struct ucsi *ucsi)
++{
++ queue_work(system_long_wq, &ucsi->resume_work);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(ucsi_resume);
+@@ -1347,6 +1354,7 @@ struct ucsi *ucsi_create(struct device *
+ if (!ucsi)
+ return ERR_PTR(-ENOMEM);
+
++ INIT_WORK(&ucsi->resume_work, ucsi_resume_work);
+ INIT_DELAYED_WORK(&ucsi->work, ucsi_init_work);
+ mutex_init(&ucsi->ppm_lock);
+ ucsi->dev = dev;
+@@ -1401,6 +1409,7 @@ void ucsi_unregister(struct ucsi *ucsi)
+
+ /* Make sure that we are not in the middle of driver initialization */
+ cancel_delayed_work_sync(&ucsi->work);
++ cancel_work_sync(&ucsi->resume_work);
+
+ /* Disable notifications */
+ ucsi->ops->async_write(ucsi, UCSI_CONTROL, &cmd, sizeof(cmd));
+--- a/drivers/usb/typec/ucsi/ucsi.h
++++ b/drivers/usb/typec/ucsi/ucsi.h
+@@ -287,6 +287,7 @@ struct ucsi {
+ struct ucsi_capability cap;
+ struct ucsi_connector *connector;
+
++ struct work_struct resume_work;
+ struct delayed_work work;
+ int work_count;
+ #define UCSI_ROLE_SWITCH_RETRY_PER_HZ 10
--- /dev/null
+From 8a7b31d545d3a15f0e6f5984ae16f0ca4fd76aac Mon Sep 17 00:00:00 2001
+From: Ferry Toth <ftoth@exalondelft.nl>
+Date: Mon, 5 Dec 2022 21:15:26 +0100
+Subject: usb: ulpi: defer ulpi_register on ulpi_read_id timeout
+
+From: Ferry Toth <ftoth@exalondelft.nl>
+
+commit 8a7b31d545d3a15f0e6f5984ae16f0ca4fd76aac upstream.
+
+Since commit 0f0101719138 ("usb: dwc3: Don't switch OTG -> peripheral
+if extcon is present") Dual Role support on Intel Merrifield platform
+broke due to rearranging the call to dwc3_get_extcon().
+
+It appears to be caused by ulpi_read_id() on the first test write failing
+with -ETIMEDOUT. Currently ulpi_read_id() expects to discover the phy via
+DT when the test write fails and returns 0 in that case, even if DT does not
+provide the phy. As a result usb probe completes without phy.
+
+Make ulpi_read_id() return -ETIMEDOUT to its user if the first test write
+fails. The user should then handle it appropriately. A follow up patch
+will make dwc3_core_init() set -EPROBE_DEFER in this case and bail out.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Cc: stable@vger.kernel.org
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
+Link: https://lore.kernel.org/r/20221205201527.13525-2-ftoth@exalondelft.nl
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/common/ulpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -207,7 +207,7 @@ static int ulpi_read_id(struct ulpi *ulp
+ /* Test the interface */
+ ret = ulpi_write(ulpi, ULPI_SCRATCH, 0xaa);
+ if (ret < 0)
+- goto err;
++ return ret;
+
+ ret = ulpi_read(ulpi, ULPI_SCRATCH);
+ if (ret < 0)
--- /dev/null
+From fed70b61ef2c0aed54456db3d485b215f6cc3209 Mon Sep 17 00:00:00 2001
+From: Reka Norman <rekanorman@chromium.org>
+Date: Wed, 30 Nov 2022 11:19:40 +0200
+Subject: xhci: Apply XHCI_RESET_TO_DEFAULT quirk to ADL-N
+
+From: Reka Norman <rekanorman@chromium.org>
+
+commit fed70b61ef2c0aed54456db3d485b215f6cc3209 upstream.
+
+ADL-N systems have the same issue as ADL-P, where a large boot firmware
+delay is seen if USB ports are left in U3 at shutdown. So apply the
+XHCI_RESET_TO_DEFAULT quirk to ADL-N as well.
+
+This patch depends on commit 34cd2db408d5 ("xhci: Add quirk to reset
+host back to default state at shutdown").
+
+The issue it fixes is a ~20s boot time delay when booting from S5. It
+affects ADL-N devices, and ADL-N support was added starting from v5.16.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Reka Norman <rekanorman@chromium.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20221130091944.2171610-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -59,6 +59,7 @@
+ #define PCI_DEVICE_ID_INTEL_TIGER_LAKE_XHCI 0x9a13
+ #define PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI 0x1138
+ #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI 0x51ed
++#define PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI 0x54ed
+
+ #define PCI_DEVICE_ID_AMD_RENOIR_XHCI 0x1639
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9
+@@ -246,7 +247,8 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_MISSING_CAS;
+
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+- pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI)
++ (pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI ||
++ pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI))
+ xhci->quirks |= XHCI_RESET_TO_DEFAULT;
+
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
projects / thirdparty / kernel / stable-queue.git / commitdiff
