--- /dev/null
+From dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 Mon Sep 17 00:00:00 2001
+From: Nikhil Mahale <nmahale@nvidia.com>
+Date: Wed, 17 May 2023 14:37:36 +0530
+Subject: ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
+
+From: Nikhil Mahale <nmahale@nvidia.com>
+
+commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream.
+
+These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with
+audio functions that are largely similar to the existing ones.
+
+Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST
+connections on AD106 gpu.
+
+Signed-off-by: Nikhil Mahale <nmahale@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_hdmi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -4577,6 +4577,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI
+ HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP", patch_via_hdmi),
--- /dev/null
+From 3b44ec8c5c44790a82f07e90db45643c762878c6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 May 2023 20:44:12 +0200
+Subject: ALSA: hda: Fix Oops by 9.1 surround channel names
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream.
+
+get_line_out_pfx() may trigger an Oops by overflowing the static array
+with more than 8 channels. This was reported for MacBookPro 12,1 with
+Cirrus codec.
+
+As a workaround, extend for the 9.1 channels and also fix the
+potential Oops by unifying the code paths accessing the same array
+with the proper size check.
+
+Reported-by: Olliver Schinagl <oliver@schinagl.nl>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl
+Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_generic.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -1155,8 +1155,8 @@ static bool path_has_mixer(struct hda_co
+ return path && path->ctls[ctl_type];
+ }
+
+-static const char * const channel_name[4] = {
+- "Front", "Surround", "CLFE", "Side"
++static const char * const channel_name[] = {
++ "Front", "Surround", "CLFE", "Side", "Back",
+ };
+
+ /* give some appropriate ctl name prefix for the given line out channel */
+@@ -1182,7 +1182,7 @@ static const char *get_line_out_pfx(stru
+
+ /* multi-io channels */
+ if (ch >= cfg->line_outs)
+- return channel_name[ch];
++ goto fixed_name;
+
+ switch (cfg->line_out_type) {
+ case AUTO_PIN_SPEAKER_OUT:
+@@ -1234,6 +1234,7 @@ static const char *get_line_out_pfx(stru
+ if (cfg->line_outs == 1 && !spec->multi_ios)
+ return "Line Out";
+
++ fixed_name:
+ if (ch >= ARRAY_SIZE(channel_name)) {
+ snd_BUG();
+ return "PCM";
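Review bot: The `fixed_name:` label has no comment saying that every `channel_name[]` lookup must pass through the `ARRAY_SIZE(channel_name)` check below it, which is the invariant this fix relies on. The multi-io branch used to `return channel_name[ch]` with no size check, and a later early return could reintroduce that. I would add `/* all channel_name[] lookups must go through the size check below */` directly above the label. get_line_out_pfx continues past the end of this hunk, so the line that finally indexes the array is not visible here.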
--- /dev/null
+From 90670ef774a8b6700c38ce1222e6aa263be54d5f Mon Sep 17 00:00:00 2001
+From: Ai Chao <aichao@kylinos.cn>
+Date: Sat, 6 May 2023 10:26:53 +0800
+Subject: ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
+
+From: Ai Chao <aichao@kylinos.cn>
+
+commit 90670ef774a8b6700c38ce1222e6aa263be54d5f upstream.
+
+Add a quirk for HP EliteDesk 805 to fixup ALC3867 headset MIC no sound.
+
+Signed-off-by: Ai Chao <aichao@kylinos.cn>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230506022653.2074343-1-aichao@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11664,6 +11664,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
++ SND_PCI_QUIRK(0x103c, 0x872b, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2),
--- /dev/null
+From a4671b7fba59775845ee60cfbdfc4ba64300211b Mon Sep 17 00:00:00 2001
+From: "Luke D. Jones" <luke@ljones.dev>
+Date: Sat, 6 May 2023 11:58:24 +1200
+Subject: ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
+
+From: Luke D. Jones <luke@ljones.dev>
+
+commit a4671b7fba59775845ee60cfbdfc4ba64300211b upstream.
+
+Add quirk for GU603 with 0x1c62 variant of codec.
+
+Signed-off-by: Luke D. Jones <luke@ljones.dev>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230505235824.49607-2-luke@ljones.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9522,6 +9522,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
+ SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401),
--- /dev/null
+From 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 Mon Sep 17 00:00:00 2001
+From: Jeremy Soller <jeremy@system76.com>
+Date: Fri, 5 May 2023 10:36:51 -0600
+Subject: ALSA: hda/realtek: Add quirk for Clevo L140AU
+
+From: Jeremy Soller <jeremy@system76.com>
+
+commit 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 upstream.
+
+Fixes headset detection on Clevo L140AU.
+
+Signed-off-by: Jeremy Soller <jeremy@system76.com>
+Signed-off-by: Tim Crawford <tcrawford@system76.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230505163651.21257-1-tcrawford@system76.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9618,6 +9618,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1558, 0x7716, "Clevo NS50PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x7717, "Clevo NS70PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x7718, "Clevo L140PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x7724, "Clevo L140AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x8228, "Clevo NR40BU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x8520, "Clevo NH50D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x8521, "Clevo NH77D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
--- /dev/null
+From 3e10f6ca76c4d00019badebd235c9d7f0068261e Mon Sep 17 00:00:00 2001
+From: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+Date: Wed, 10 May 2023 15:22:27 +0100
+Subject: ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops
+
+From: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+
+commit 3e10f6ca76c4d00019badebd235c9d7f0068261e upstream.
+
+Add support for HP EliteBook 835/845/845W/865 G10 laptops
+with CS35L41 amplifiers on I2C/SPI bus connected to Realtek codec.
+
+Signed-off-by: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230510142227.32945-1-vitalyr@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9458,7 +9458,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8aa3, "HP ProBook 450 G9 (MB 8AA1)", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8aa8, "HP EliteBook 640 G9 (MB 8AA6)", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8aab, "HP EliteBook 650 G9 (MB 8AA9)", ALC236_FIXUP_HP_GPIO_LED),
+- SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+@@ -9469,8 +9469,13 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8b47, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b5d, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b5e, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8b63, "HP Elite Dragonfly 13.5 inch G4", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b65, "HP ProBook 455 15.6 inch G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b66, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8b70, "HP EliteBook 835 G10", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x8b72, "HP EliteBook 845 G10", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x8b74, "HP EliteBook 845W G10", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x8b77, "HP ElieBook 865 G10", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b7d, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b87, "HP", ALC236_FIXUP_HP_GPIO_LED),
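Review bot: The name string of the new 0x8b77 entry is misspelled as `"HP ElieBook 865 G10"`. The 0x8c26 entry added in the last hunk of this file section has a doubled vendor prefix, `"HP HP EliteBook 800G11"`. Neither changes which fixup is applied, but the strings are what a reader greps for when matching a machine to a quirk. I would write them as `"HP EliteBook 865 G10"` and `"HP EliteBook 800G11"`.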
+@@ -9481,6 +9486,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8b92, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8bf0, "HP", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8c26, "HP HP EliteBook 800G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From 9dc68a4fe70893b000fb3c92c68b9f72369cf448 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Fri, 12 May 2023 16:34:16 +0800
+Subject: ALSA: hda/realtek: Fix mute and micmute LEDs for yet another HP laptop
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 9dc68a4fe70893b000fb3c92c68b9f72369cf448 upstream.
+
+There's yet another laptop that needs the fixup to enable mute and
+micmute LEDs. So do it accordingly.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230512083417.157127-1-kai.heng.feng@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9485,6 +9485,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8b8f, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b92, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8b97, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8bf0, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c26, "HP HP EliteBook 800G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
--- /dev/null
+From 359b4315471181f108723c61612d96e383e56179 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 12 May 2023 09:58:58 +0200
+Subject: ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 359b4315471181f108723c61612d96e383e56179 upstream.
+
+Line6 Pod Go (0e41:424b) requires the similar workaround for the fixed
+48k sample rate like other Line6 models. This patch adds the
+corresponding entry to line6_parse_audio_format_rate_quirk().
+
+Reported-by: John Humlick <john@humlick.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230512075858.22813-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/format.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -423,6 +423,7 @@ static int line6_parse_audio_format_rate
+ case USB_ID(0x0e41, 0x4248): /* Line6 Helix >= fw 2.82 */
+ case USB_ID(0x0e41, 0x4249): /* Line6 Helix Rack >= fw 2.82 */
+ case USB_ID(0x0e41, 0x424a): /* Line6 Helix LT >= fw 2.82 */
++ case USB_ID(0x0e41, 0x424b): /* Line6 Pod Go */
+ case USB_ID(0x19f7, 0x0011): /* Rode Rodecaster Pro */
+ return set_fixed_rate(fp, 48000, SNDRV_PCM_RATE_48000);
+ }
--- /dev/null
+From db2773d65b02aed319a93efdfb958087771d4e19 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 6 Apr 2023 13:08:45 +0200
+Subject: can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit db2773d65b02aed319a93efdfb958087771d4e19 upstream.
+
+The control message provided by isotp support MSG_CMSG_COMPAT but
+blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user
+space on 64 bit kernels.
+
+Link: https://github.com/hartkopp/can-isotp/issues/59
+Cc: Oleksij Rempel <o.rempel@pengutronix.de>
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket")
+Link: https://lore.kernel.org/20230505110308.81087-2-mkl@pengutronix.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1106,7 +1106,7 @@ static int isotp_recvmsg(struct socket *
+ struct isotp_sock *so = isotp_sk(sk);
+ int ret = 0;
+
+- if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK))
++ if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK | MSG_CMSG_COMPAT))
+ return -EINVAL;
+
+ if (!so->bound)
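Review bot: The flag allow-list in `isotp_recvmsg()` now accepts `MSG_CMSG_COMPAT` with no comment explaining why a flag that user space does not normally pass belongs in it. As far as I know the flag is set by the kernel's compat syscall entry for 32-bit callers, not chosen by the application. A comment such as `/* MSG_CMSG_COMPAT is added by the compat recvmsg() path, not by user space */` above the mask would stop a later cleanup from dropping it. The same applies to the identical change in `j1939_sk_recvmsg()` in net/can/j1939/socket.c. Both functions continue outside their hunks.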
--- /dev/null
+From 1db080cbdbab28752bbb1c86d64daf96253a5da1 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 6 Apr 2023 13:08:45 +0200
+Subject: can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 1db080cbdbab28752bbb1c86d64daf96253a5da1 upstream.
+
+The control message provided by J1939 support MSG_CMSG_COMPAT but
+blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user
+space on 64 bit kernels.
+
+Link: https://github.com/hartkopp/can-isotp/issues/59
+Cc: Oleksij Rempel <o.rempel@pengutronix.de>
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/20230505110308.81087-3-mkl@pengutronix.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -798,7 +798,7 @@ static int j1939_sk_recvmsg(struct socke
+ struct j1939_sk_buff_cb *skcb;
+ int ret = 0;
+
+- if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE))
++ if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
+ return -EINVAL;
+
+ if (flags & MSG_ERRQUEUE)
--- /dev/null
+From 84762d8da89d29ba842317eb842973e628c27391 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:15 +0200
+Subject: can: kvaser_pciefd: Call request_irq() before enabling interrupts
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 84762d8da89d29ba842317eb842973e628c27391 upstream.
+
+Make sure the interrupt handler is registered before enabling interrupts.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-4-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1825,6 +1825,11 @@ static int kvaser_pciefd_probe(struct pc
+ if (err)
+ goto err_teardown_can_ctrls;
+
++ err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
++ IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
++ if (err)
++ goto err_teardown_can_ctrls;
++
+ iowrite32(KVASER_PCIEFD_SRB_IRQ_DPD0 | KVASER_PCIEFD_SRB_IRQ_DPD1,
+ pcie->reg_base + KVASER_PCIEFD_SRB_IRQ_REG);
+
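Review bot: Because the line is requested with `IRQF_SHARED`, `kvaser_pciefd_irq_handler` can be called as soon as `request_irq()` returns, for example when another device on the same line interrupts. After this move that means it can run before the SRB register writes that follow. The handler body is not in this hunk, so whether it tolerates that state needs confirming; this is not a known defect. I would record the ordering requirement above the call, e.g. `/* shared IRQ: handler may run immediately, all state it reads must be initialised here */`. kvaser_pciefd_probe starts and ends outside the hunk.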
+@@ -1845,11 +1850,6 @@ static int kvaser_pciefd_probe(struct pc
+ iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1,
+ pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
+
+- err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
+- IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
+- if (err)
+- goto err_teardown_can_ctrls;
+-
+ err = kvaser_pciefd_reg_candev(pcie);
+ if (err)
+ goto err_free_irq;
--- /dev/null
+From bf7ac55e991ca177f1ac16be51152f1ef291a4df Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:14 +0200
+Subject: can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit bf7ac55e991ca177f1ac16be51152f1ef291a4df upstream.
+
+The listen-only bit was never cleared, causing the controller to
+always use listen-only mode, if previously set.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-3-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -559,6 +559,8 @@ static void kvaser_pciefd_setup_controll
+
+ if (can->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
+ mode |= KVASER_PCIEFD_KCAN_MODE_LOM;
++ else
++ mode &= ~KVASER_PCIEFD_KCAN_MODE_LOM;
+
+ mode |= KVASER_PCIEFD_KCAN_MODE_EEN;
+ mode |= KVASER_PCIEFD_KCAN_MODE_EPEN;
--- /dev/null
+From 11164bc39459335ab93c6e99d53b7e4292fba38b Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:18 +0200
+Subject: can: kvaser_pciefd: Disable interrupts in probe error path
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 11164bc39459335ab93c6e99d53b7e4292fba38b upstream.
+
+Disable interrupts in error path of probe function.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-7-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1861,6 +1861,8 @@ static int kvaser_pciefd_probe(struct pc
+ return 0;
+
+ err_free_irq:
++ /* Disable PCI interrupts */
++ iowrite32(0, pcie->reg_base + KVASER_PCIEFD_IEN_REG);
+ free_irq(pcie->pci->irq, pcie);
+
+ err_teardown_can_ctrls:
--- /dev/null
+From 262d7a52ba27525e3c1203230c9f0524e48bbb34 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:17 +0200
+Subject: can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 262d7a52ba27525e3c1203230c9f0524e48bbb34 upstream.
+
+Under certain circumstances we send two EFLUSH commands, resulting in two
+EFLUSH ack packets, while only expecting a single EFLUSH ack.
+This can cause the driver Tx flush completion to get out of sync.
+
+To avoid this problem, don't enable the "Transmit buffer flush done" (TFD)
+interrupt and remove the code handling it.
+Now we only send EFLUSH command after receiving status packet with
+"Init detected" (IDET) bit set.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-6-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 21 ++++-----------------
+ 1 file changed, 4 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -531,7 +531,7 @@ static int kvaser_pciefd_set_tx_irq(stru
+ KVASER_PCIEFD_KCAN_IRQ_TOF | KVASER_PCIEFD_KCAN_IRQ_ABD |
+ KVASER_PCIEFD_KCAN_IRQ_TAE | KVASER_PCIEFD_KCAN_IRQ_TAL |
+ KVASER_PCIEFD_KCAN_IRQ_FDIC | KVASER_PCIEFD_KCAN_IRQ_BPP |
+- KVASER_PCIEFD_KCAN_IRQ_TAR | KVASER_PCIEFD_KCAN_IRQ_TFD;
++ KVASER_PCIEFD_KCAN_IRQ_TAR;
+
+ iowrite32(msk, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+
+@@ -579,7 +579,7 @@ static void kvaser_pciefd_start_controll
+
+ spin_lock_irqsave(&can->lock, irq);
+ iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD,
++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+ can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+
+ status = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_STAT_REG);
+@@ -622,7 +622,7 @@ static int kvaser_pciefd_bus_on(struct k
+ iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+
+- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD,
++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+ can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+
+ mode = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_MODE_REG);
+@@ -1015,8 +1015,7 @@ static int kvaser_pciefd_setup_can_ctrls
+ SET_NETDEV_DEV(netdev, &pcie->pci->dev);
+
+ iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD |
+- KVASER_PCIEFD_KCAN_IRQ_TFD,
++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+ can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+
+ pcie->can[i] = can;
+@@ -1443,9 +1442,6 @@ static int kvaser_pciefd_handle_status_p
+ cmd = KVASER_PCIEFD_KCAN_CMD_AT;
+ cmd |= ++can->cmd_seq << KVASER_PCIEFD_KCAN_CMD_SEQ_SHIFT;
+ iowrite32(cmd, can->reg_base + KVASER_PCIEFD_KCAN_CMD_REG);
+-
+- iowrite32(KVASER_PCIEFD_KCAN_IRQ_TFD,
+- can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ } else if (p->header[0] & KVASER_PCIEFD_SPACK_IDET &&
+ p->header[0] & KVASER_PCIEFD_SPACK_IRM &&
+ cmdseq == (p->header[1] & KVASER_PCIEFD_PACKET_SEQ_MSK) &&
+@@ -1732,15 +1728,6 @@ static int kvaser_pciefd_transmit_irq(st
+ if (irq & KVASER_PCIEFD_KCAN_IRQ_TOF)
+ netdev_err(can->can.dev, "Tx FIFO overflow\n");
+
+- if (irq & KVASER_PCIEFD_KCAN_IRQ_TFD) {
+- u8 count = ioread32(can->reg_base +
+- KVASER_PCIEFD_KCAN_TX_NPACKETS_REG) & 0xff;
+-
+- if (count == 0)
+- iowrite32(KVASER_PCIEFD_KCAN_CTRL_EFLUSH,
+- can->reg_base + KVASER_PCIEFD_KCAN_CTRL_REG);
+- }
+-
+ if (irq & KVASER_PCIEFD_KCAN_IRQ_BPP)
+ netdev_err(can->can.dev,
+ "Fail to change bittiming, when not in reset mode\n");
--- /dev/null
+From c589557dd1426f5adf90c7a919d4fde5a3e4ef64 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:16 +0200
+Subject: can: kvaser_pciefd: Empty SRB buffer in probe
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit c589557dd1426f5adf90c7a919d4fde5a3e4ef64 upstream.
+
+Empty the "Shared receive buffer" (SRB) in probe, to assure we start in a
+known state, and don't process any irrelevant packets.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-5-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -71,10 +71,12 @@ MODULE_DESCRIPTION("CAN driver for Kvase
+ #define KVASER_PCIEFD_SYSID_BUILD_REG (KVASER_PCIEFD_SYSID_BASE + 0x14)
+ /* Shared receive buffer registers */
+ #define KVASER_PCIEFD_SRB_BASE 0x1f200
++#define KVASER_PCIEFD_SRB_FIFO_LAST_REG (KVASER_PCIEFD_SRB_BASE + 0x1f4)
+ #define KVASER_PCIEFD_SRB_CMD_REG (KVASER_PCIEFD_SRB_BASE + 0x200)
+ #define KVASER_PCIEFD_SRB_IEN_REG (KVASER_PCIEFD_SRB_BASE + 0x204)
+ #define KVASER_PCIEFD_SRB_IRQ_REG (KVASER_PCIEFD_SRB_BASE + 0x20c)
+ #define KVASER_PCIEFD_SRB_STAT_REG (KVASER_PCIEFD_SRB_BASE + 0x210)
++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG (KVASER_PCIEFD_SRB_BASE + 0x214)
+ #define KVASER_PCIEFD_SRB_CTRL_REG (KVASER_PCIEFD_SRB_BASE + 0x218)
+ /* EPCS flash controller registers */
+ #define KVASER_PCIEFD_SPI_BASE 0x1fc00
+@@ -111,6 +113,9 @@ MODULE_DESCRIPTION("CAN driver for Kvase
+ /* DMA support */
+ #define KVASER_PCIEFD_SRB_STAT_DMA BIT(24)
+
++/* SRB current packet level */
++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK 0xff
++
+ /* DMA Enable */
+ #define KVASER_PCIEFD_SRB_CTRL_DMA_ENABLE BIT(0)
+
+@@ -1059,6 +1064,7 @@ static int kvaser_pciefd_setup_dma(struc
+ {
+ int i;
+ u32 srb_status;
++ u32 srb_packet_count;
+ dma_addr_t dma_addr[KVASER_PCIEFD_DMA_COUNT];
+
+ /* Disable the DMA */
+@@ -1086,6 +1092,15 @@ static int kvaser_pciefd_setup_dma(struc
+ KVASER_PCIEFD_SRB_CMD_RDB1,
+ pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
+
++ /* Empty Rx FIFO */
++ srb_packet_count = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG) &
++ KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK;
++ while (srb_packet_count) {
++ /* Drop current packet in FIFO */
++ ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_FIFO_LAST_REG);
++ srb_packet_count--;
++ }
++
+ srb_status = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_STAT_REG);
+ if (!(srb_status & KVASER_PCIEFD_SRB_STAT_DI)) {
+ dev_err(&pcie->pci->dev, "DMA not idle before enabling\n");
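Review bot: The drain loop samples `KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG` once and never re-reads it, so nothing verifies that the FIFO is actually empty when probe continues. The `0xff` mask does bound the loop at 255 reads. If the hardware can still queue packets at this point, which the hunk does not show, stale packets could remain despite the "known state" goal in the commit message. Re-reading the count once after the loop and logging a non-zero value, e.g. `dev_warn(&pcie->pci->dev, "SRB not empty after drain\n");`, would keep the loop bounded and make that case visible. kvaser_pciefd_setup_dma continues outside this hunk.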
--- /dev/null
+From aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:13 +0200
+Subject: can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 upstream.
+
+Set can.state to CAN_STATE_STOPPED in kvaser_pciefd_stop().
+Without this fix, wrong CAN state was repported after the interface was
+brought down.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-2-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -719,6 +719,7 @@ static int kvaser_pciefd_stop(struct net
+ iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ del_timer(&can->bec_poll_timer);
+ }
++ can->can.state = CAN_STATE_STOPPED;
+ close_candev(netdev);
+
+ return ret;
--- /dev/null
+From 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 Mon Sep 17 00:00:00 2001
+From: Xiubo Li <xiubli@redhat.com>
+Date: Thu, 18 May 2023 09:47:23 +0800
+Subject: ceph: force updating the msg pointer in non-split case
+
+From: Xiubo Li <xiubli@redhat.com>
+
+commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream.
+
+When the MClientSnap reqeust's op is not CEPH_SNAP_OP_SPLIT the
+request may still contain a list of 'split_realms', and we need
+to skip it anyway. Or it will be parsed as a corrupt snaptrace.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/61200
+Reported-by: Frank Schilder <frans@dtu.dk>
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/snap.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -1111,6 +1111,19 @@ skip_inode:
+ continue;
+ adjust_snap_realm_parent(mdsc, child, realm->ino);
+ }
++ } else {
++ /*
++ * In the non-split case both 'num_split_inos' and
++ * 'num_split_realms' should be 0, making this a no-op.
++ * However the MDS happens to populate 'split_realms' list
++ * in one of the UPDATE op cases by mistake.
++ *
++ * Skip both lists just in case to ensure that 'p' is
++ * positioned at the start of realm info, as expected by
++ * ceph_update_snap_trace().
++ */
++ p += sizeof(u64) * num_split_inos;
++ p += sizeof(u64) * num_split_realms;
+ }
+
+ /*
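Review bot: The two added `p += sizeof(u64) * num_split_*` lines advance the decode cursor by counts taken from the received message without first checking that the skipped range lies inside the message buffer. No bounds check appears in this hunk, so any validation happens only later, after `p` may already point past the end of the buffer; on 32-bit builds the multiplication can also wrap. I would validate the combined skip length with the existing decode helper (`ceph_decode_need()` against the function's end-of-message pointer) before advancing, and take the function's error path when it does not fit. The enclosing function starts and ends outside the hunk, so whether an earlier check already covers these counts should be confirmed.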
--- /dev/null
+From 443d61d1fa9faa60ef925513d83742902390100f Mon Sep 17 00:00:00 2001
+From: Chih-Yen Chang <cc85nod@gmail.com>
+Date: Sat, 6 May 2023 00:03:54 +0900
+Subject: ksmbd: allocate one more byte for implied bcc[0]
+
+From: Chih-Yen Chang <cc85nod@gmail.com>
+
+commit 443d61d1fa9faa60ef925513d83742902390100f upstream.
+
+ksmbd_smb2_check_message allows client to return one byte more, so we
+need to allocate additional memory in ksmbd_conn_handler_loop to avoid
+out-of-bound access.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/connection.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ksmbd/connection.c
++++ b/fs/ksmbd/connection.c
+@@ -353,7 +353,8 @@ int ksmbd_conn_handler_loop(void *p)
+ break;
+
+ /* 4 for rfc1002 length field */
+- size = pdu_size + 4;
++ /* 1 for implied bcc[0] */
++ size = pdu_size + 4 + 1;
+ conn->request_buf = kvmalloc(size, GFP_KERNEL);
+ if (!conn->request_buf)
+ break;
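Review bot: The extra byte added to `size` comes from `kvmalloc()`, which does not zero memory, and nothing in this hunk initializes it. If the socket read that follows fills only `pdu_size + 4` bytes (it is outside the hunk), a later access to the implied bcc[0] sees stale heap content. Using `conn->request_buf = kvzalloc(size, GFP_KERNEL);` or clearing the last byte explicitly would make that byte deterministic. `pdu_size` presumably comes from the RFC1002 length field, so it is also worth confirming that it is capped before this point so `pdu_size + 4 + 1` cannot wrap. ksmbd_conn_handler_loop() continues outside the hunk.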
--- /dev/null
+From 02f76c401d17e409ed45bf7887148fcc22c93c85 Mon Sep 17 00:00:00 2001
+From: Chih-Yen Chang <cc85nod@gmail.com>
+Date: Sun, 14 May 2023 12:05:05 +0900
+Subject: ksmbd: fix global-out-of-bounds in smb2_find_context_vals
+
+From: Chih-Yen Chang <cc85nod@gmail.com>
+
+commit 02f76c401d17e409ed45bf7887148fcc22c93c85 upstream.
+
+Add tag_len argument in smb2_find_context_vals() to avoid out-of-bound
+read when create_context's name_len is larger than tag length.
+
+[ 7.995411] ==================================================================
+[ 7.995866] BUG: KASAN: global-out-of-bounds in memcmp+0x83/0xa0
+[ 7.996248] Read of size 8 at addr ffffffff8258d940 by task kworker/0:0/7
+...
+[ 7.998191] Call Trace:
+[ 7.998358] <TASK>
+[ 7.998503] dump_stack_lvl+0x33/0x50
+[ 7.998743] print_report+0xcc/0x620
+[ 7.999458] kasan_report+0xae/0xe0
+[ 7.999895] kasan_check_range+0x35/0x1b0
+[ 8.000152] memcmp+0x83/0xa0
+[ 8.000347] smb2_find_context_vals+0xf7/0x1e0
+[ 8.000635] smb2_open+0x1df2/0x43a0
+[ 8.006398] handle_ksmbd_work+0x274/0x810
+[ 8.006666] process_one_work+0x419/0x760
+[ 8.006922] worker_thread+0x2a2/0x6f0
+[ 8.007429] kthread+0x160/0x190
+[ 8.007946] ret_from_fork+0x1f/0x30
+[ 8.008181] </TASK>
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/oplock.c | 5 +++--
+ fs/ksmbd/oplock.h | 2 +-
+ fs/ksmbd/smb2pdu.c | 14 +++++++-------
+ 3 files changed, 11 insertions(+), 10 deletions(-)
+
+--- a/fs/ksmbd/oplock.c
++++ b/fs/ksmbd/oplock.c
+@@ -1449,11 +1449,12 @@ struct lease_ctx_info *parse_lease_state
+ * smb2_find_context_vals() - find a particular context info in open request
+ * @open_req: buffer containing smb2 file open(create) request
+ * @tag: context name to search for
++ * @tag_len: the length of tag
+ *
+ * Return: pointer to requested context, NULL if @str context not found
+ * or error pointer if name length is invalid.
+ */
+-struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
++struct create_context *smb2_find_context_vals(void *open_req, const char *tag, int tag_len)
+ {
+ struct create_context *cc;
+ unsigned int next = 0;
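Review bot: `tag_len` is declared `int` in the new signature although it is a byte count that the next hunk compares with `name_len` and the same check feeds `memcmp()`. An unsigned type, `unsigned int tag_len`, would rule out a negative length and avoid a mixed-sign comparison, depending on how `name_len` is declared outside the hunk. The kernel-doc Return line still says `NULL if @str context not found` while the parameter is `@tag`; it should read `NULL if @tag context not found`. The function body continues outside this hunk.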
+@@ -1492,7 +1493,7 @@ struct create_context *smb2_find_context
+ return ERR_PTR(-EINVAL);
+
+ name = (char *)cc + name_off;
+- if (memcmp(name, tag, name_len) == 0)
++ if (name_len == tag_len && !memcmp(name, tag, name_len))
+ return cc;
+
+ remain_len -= next;
+--- a/fs/ksmbd/oplock.h
++++ b/fs/ksmbd/oplock.h
+@@ -118,7 +118,7 @@ void create_durable_v2_rsp_buf(char *cc,
+ void create_mxac_rsp_buf(char *cc, int maximal_access);
+ void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id);
+ void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp);
+-struct create_context *smb2_find_context_vals(void *open_req, const char *str);
++struct create_context *smb2_find_context_vals(void *open_req, const char *tag, int tag_len);
+ struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
+ char *lease_key);
+ int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -2478,7 +2478,7 @@ static int smb2_create_sd_buffer(struct
+ return -ENOENT;
+
+ /* Parse SD BUFFER create contexts */
+- context = smb2_find_context_vals(req, SMB2_CREATE_SD_BUFFER);
++ context = smb2_find_context_vals(req, SMB2_CREATE_SD_BUFFER, 4);
+ if (!context)
+ return -ENOENT;
+ else if (IS_ERR(context))
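Review bot: The tag length is passed as a bare literal, `4` here and `4` or `16` at the six call sites in the smb2_open() hunks that follow, so it is maintained separately from the tag constant it describes. The callee now uses it for the equality test that gates `memcmp()`, so a literal larger than the real tag would bring back the out-of-bounds read on `tag`. If the `SMB2_CREATE_*` tags are string-literal macros (their definitions are not in this diff), deriving the length as `sizeof(SMB2_CREATE_SD_BUFFER) - 1`, or through a small wrapper macro, keeps the two in step. smb2_create_sd_buffer() starts and ends outside the hunk.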
+@@ -2680,7 +2680,7 @@ int smb2_open(struct ksmbd_work *work)
+
+ if (req->CreateContextsOffset) {
+ /* Parse non-durable handle create contexts */
+- context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER);
++ context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER, 4);
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out1;
+@@ -2700,7 +2700,7 @@ int smb2_open(struct ksmbd_work *work)
+ }
+
+ context = smb2_find_context_vals(req,
+- SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
++ SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST, 4);
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out1;
+@@ -2711,7 +2711,7 @@ int smb2_open(struct ksmbd_work *work)
+ }
+
+ context = smb2_find_context_vals(req,
+- SMB2_CREATE_TIMEWARP_REQUEST);
++ SMB2_CREATE_TIMEWARP_REQUEST, 4);
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out1;
+@@ -2723,7 +2723,7 @@ int smb2_open(struct ksmbd_work *work)
+
+ if (tcon->posix_extensions) {
+ context = smb2_find_context_vals(req,
+- SMB2_CREATE_TAG_POSIX);
++ SMB2_CREATE_TAG_POSIX, 16);
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out1;
+@@ -3122,7 +3122,7 @@ int smb2_open(struct ksmbd_work *work)
+ struct create_alloc_size_req *az_req;
+
+ az_req = (struct create_alloc_size_req *)smb2_find_context_vals(req,
+- SMB2_CREATE_ALLOCATION_SIZE);
++ SMB2_CREATE_ALLOCATION_SIZE, 4);
+ if (IS_ERR(az_req)) {
+ rc = PTR_ERR(az_req);
+ goto err_out;
+@@ -3149,7 +3149,7 @@ int smb2_open(struct ksmbd_work *work)
+ err);
+ }
+
+- context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID);
++ context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID, 4);
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out;
--- /dev/null
+From f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f Mon Sep 17 00:00:00 2001
+From: Chih-Yen Chang <cc85nod@gmail.com>
+Date: Sat, 6 May 2023 00:01:54 +0900
+Subject: ksmbd: fix wrong UserName check in session_user
+
+From: Chih-Yen Chang <cc85nod@gmail.com>
+
+commit f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f upstream.
+
+The offset of UserName is related to the address of security
+buffer. To ensure the validity of UserName, we need to compare name_off
++ name_len with secbuf_len instead of auth_msg_len.
+
+[ 27.096243] ==================================================================
+[ 27.096890] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x188/0x350
+[ 27.097609] Read of size 2 at addr ffff888005e3b542 by task kworker/0:0/7
+...
+[ 27.099950] Call Trace:
+[ 27.100194] <TASK>
+[ 27.100397] dump_stack_lvl+0x33/0x50
+[ 27.100752] print_report+0xcc/0x620
+[ 27.102305] kasan_report+0xae/0xe0
+[ 27.103072] kasan_check_range+0x35/0x1b0
+[ 27.103757] smb_strndup_from_utf16+0x188/0x350
+[ 27.105474] smb2_sess_setup+0xaf8/0x19c0
+[ 27.107935] handle_ksmbd_work+0x274/0x810
+[ 27.108315] process_one_work+0x419/0x760
+[ 27.108689] worker_thread+0x2a2/0x6f0
+[ 27.109385] kthread+0x160/0x190
+[ 27.110129] ret_from_fork+0x1f/0x30
+[ 27.110454] </TASK>
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -1373,7 +1373,7 @@ static struct ksmbd_user *session_user(s
+ struct authenticate_message *authblob;
+ struct ksmbd_user *user;
+ char *name;
+- unsigned int auth_msg_len, name_off, name_len, secbuf_len;
++ unsigned int name_off, name_len, secbuf_len;
+
+ secbuf_len = le16_to_cpu(req->SecurityBufferLength);
+ if (secbuf_len < sizeof(struct authenticate_message)) {
+@@ -1383,9 +1383,8 @@ static struct ksmbd_user *session_user(s
+ authblob = user_authblob(conn, req);
+ name_off = le32_to_cpu(authblob->UserName.BufferOffset);
+ name_len = le16_to_cpu(authblob->UserName.Length);
+- auth_msg_len = le16_to_cpu(req->SecurityBufferOffset) + secbuf_len;
+
+- if (auth_msg_len < (u64)name_off + name_len)
++ if (secbuf_len < (u64)name_off + name_len)
+ return NULL;
+
+ name = smb_strndup_from_utf16((const char *)authblob + name_off,
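Review bot: The new check bounds `name_off + name_len` by `secbuf_len`, but nothing visible in these hunks confirms that the security buffer itself (`SecurityBufferOffset` plus `SecurityBufferLength`) lies inside the received request. The removed `auth_msg_len` computed that sum, yet it was never compared with the request size here. If that validation is done elsewhere, a comment at this check should say so, for example `/* name_off is relative to authblob; security buffer bounds are validated by <validator function> */`. session_user() starts and ends outside the hunk.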
--- /dev/null
+From e7b8b8ed9960bf699bf4029f482d9e869c094ed6 Mon Sep 17 00:00:00 2001
+From: Gustav Johansson <gustajo@axis.com>
+Date: Sat, 6 May 2023 00:05:07 +0900
+Subject: ksmbd: smb2: Allow messages padded to 8byte boundary
+
+From: Gustav Johansson <gustajo@axis.com>
+
+commit e7b8b8ed9960bf699bf4029f482d9e869c094ed6 upstream.
+
+clc length is now accepted to <= 8 less than length,
+rather than < 8.
+
+Solve issues on some of Axis's smb clients which send
+messages where clc length is 8 bytes less than length.
+
+The specific client was running kernel 4.19.217 with
+smb dialect 3.0.2 on armv7l.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustav Johansson <gustajo@axis.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2misc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/ksmbd/smb2misc.c
++++ b/fs/ksmbd/smb2misc.c
+@@ -416,8 +416,11 @@ int ksmbd_smb2_check_message(struct ksmb
+
+ /*
+ * Allow a message that padded to 8byte boundary.
++ * Linux 4.19.217 with smb 3.0.2 are sometimes
++ * sending messages where the cls_len is exactly
++ * 8 bytes less than len.
+ */
+- if (clc_len < len && (len - clc_len) < 8)
++ if (clc_len < len && (len - clc_len) <= 8)
+ goto validate_credit;
+
+ pr_err_ratelimited(
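Review bot: The added comment refers to `cls_len`, but the variable tested on the next line is `clc_len`. Its first line still describes padding to an 8-byte boundary, although the relaxed `<= 8` test now accepts a full 8 trailing bytes, and alignment padding alone produces at most 7. The comment should state the actual tolerance, e.g. `* Some clients send clc_len exactly 8 bytes less than len; tolerate up to 8 trailing bytes.` Because this loosens validation of a client-supplied length, it is worth confirming that later consumers bound their accesses by the calculated length rather than by `len`. ksmbd_smb2_check_message() continues outside the hunk.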
--- /dev/null
+From afb2acb2e3a32e4d56f7fbd819769b98ed1b7520 Mon Sep 17 00:00:00 2001
+From: Michal Luczaj <mhal@rbox.co>
+Date: Wed, 10 May 2023 16:04:09 +0200
+Subject: KVM: Fix vcpu_array[0] races
+
+From: Michal Luczaj <mhal@rbox.co>
+
+commit afb2acb2e3a32e4d56f7fbd819769b98ed1b7520 upstream.
+
+In kvm_vm_ioctl_create_vcpu(), add vcpu to vcpu_array iff it's safe to
+access vcpu via kvm_get_vcpu() and kvm_for_each_vcpu(), i.e. when there's
+no failure path requiring vcpu removal and destruction. Such order is
+important because vcpu_array accessors may end up referencing vcpu at
+vcpu_array[0] even before online_vcpus is set to 1.
+
+When online_vcpus=0, any call to kvm_get_vcpu() goes through
+array_index_nospec() and ends with an attempt to xa_load(vcpu_array, 0):
+
+ int num_vcpus = atomic_read(&kvm->online_vcpus);
+ i = array_index_nospec(i, num_vcpus);
+ return xa_load(&kvm->vcpu_array, i);
+
+Similarly, when online_vcpus=0, a kvm_for_each_vcpu() does not iterate over
+an "empty" range, but actually [0, ULONG_MAX]:
+
+ xa_for_each_range(&kvm->vcpu_array, idx, vcpup, 0, \
+ (atomic_read(&kvm->online_vcpus) - 1))
+
+In both cases, such online_vcpus=0 edge case, even if leading to
+unnecessary calls to XArray API, should not be an issue; requesting
+unpopulated indexes/ranges is handled by xa_load() and xa_for_each_range().
+
+However, this means that when the first vCPU is created and inserted in
+vcpu_array *and* before online_vcpus is incremented, code calling
+kvm_get_vcpu()/kvm_for_each_vcpu() already has access to that first vCPU.
+
+This should not pose a problem assuming that once a vcpu is stored in
+vcpu_array, it will remain there, but that's not the case:
+kvm_vm_ioctl_create_vcpu() first inserts to vcpu_array, then requests a
+file descriptor. If create_vcpu_fd() fails, newly inserted vcpu is removed
+from the vcpu_array, then destroyed:
+
+ vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus);
+ r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT);
+ kvm_get_kvm(kvm);
+ r = create_vcpu_fd(vcpu);
+ if (r < 0) {
+ xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx);
+ kvm_put_kvm_no_destroy(kvm);
+ goto unlock_vcpu_destroy;
+ }
+ atomic_inc(&kvm->online_vcpus);
+
+This results in a possible race condition when a reference to a vcpu is
+acquired (via kvm_get_vcpu() or kvm_for_each_vcpu()) moments before said
+vcpu is destroyed.
+
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Message-Id: <20230510140410.1093987-2-mhal@rbox.co>
+Cc: stable@vger.kernel.org
+Fixes: c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray", 2021-12-08)
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3947,18 +3947,19 @@ static int kvm_vm_ioctl_create_vcpu(stru
+ }
+
+ vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus);
+- r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT);
+- BUG_ON(r == -EBUSY);
++ r = xa_reserve(&kvm->vcpu_array, vcpu->vcpu_idx, GFP_KERNEL_ACCOUNT);
+ if (r)
+ goto unlock_vcpu_destroy;
+
+ /* Now it's all set up, let userspace reach it */
+ kvm_get_kvm(kvm);
+ r = create_vcpu_fd(vcpu);
+- if (r < 0) {
+- xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx);
+- kvm_put_kvm_no_destroy(kvm);
+- goto unlock_vcpu_destroy;
++ if (r < 0)
++ goto kvm_put_xa_release;
++
++ if (KVM_BUG_ON(!!xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0), kvm)) {
++ r = -EINVAL;
++ goto kvm_put_xa_release;
+ }
+
+ /*
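Review bot: The new `xa_store()` failure path runs after `create_vcpu_fd()` has succeeded. If that call has already handed a file descriptor to userspace (its body is outside this hunk), `goto kvm_put_xa_release` falls through to destroying a vcpu that is still reachable through that descriptor. The store is expected to succeed because the slot was reserved, so this is a should-never-happen path, but it deserves a comment saying so, or a reordering so that nothing fallible follows the fd creation. Separately, the store would be easier to see as its own statement, `old = xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0);` followed by `if (KVM_BUG_ON(old, kvm))`, rather than as a side effect inside the assertion macro. kvm_vm_ioctl_create_vcpu() starts and ends outside the hunk.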
+@@ -3973,6 +3974,9 @@ static int kvm_vm_ioctl_create_vcpu(stru
+ kvm_create_vcpu_debugfs(vcpu);
+ return r;
+
++kvm_put_xa_release:
++ kvm_put_kvm_no_destroy(kvm);
++ xa_release(&kvm->vcpu_array, vcpu->vcpu_idx);
+ unlock_vcpu_destroy:
+ mutex_unlock(&kvm->lock);
+ kvm_dirty_ring_free(&vcpu->dirty_ring);
--- /dev/null
+From 0257d9908d38c0b1669af4bb1bc4dbca1f273fe6 Mon Sep 17 00:00:00 2001
+From: Peng Zhang <zhangpeng.00@bytedance.com>
+Date: Fri, 5 May 2023 22:58:29 +0800
+Subject: maple_tree: make maple state reusable after mas_empty_area()
+
+From: Peng Zhang <zhangpeng.00@bytedance.com>
+
+commit 0257d9908d38c0b1669af4bb1bc4dbca1f273fe6 upstream.
+
+Make mas->min and mas->max point to a node range instead of a leaf entry
+range. This allows mas to still be usable after mas_empty_area() returns.
+Users would get unexpected results from other operations on the maple
+state after calling the affected function.
+
+For example, x86 MAP_32BIT mmap() acts as if there is no suitable gap when
+there should be one.
+
+Link: https://lkml.kernel.org/r/20230505145829.74574-1-zhangpeng.00@bytedance.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Peng Zhang <zhangpeng.00@bytedance.com>
+Reported-by: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
+Reported-by: Tad <support@spotco.us>
+Reported-by: Michael Keyes <mgkeyes@vigovproductions.net>
+ Link: https://lore.kernel.org/linux-mm/32f156ba80010fd97dbaf0a0cdfc84366608624d.camel@intel.com/
+ Link: https://lore.kernel.org/linux-mm/e6108286ac025c268964a7ead3aab9899f9bc6e9.camel@spotco.us/
+Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Tested-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -5338,15 +5338,9 @@ int mas_empty_area(struct ma_state *mas,
+
+ mt = mte_node_type(mas->node);
+ pivots = ma_pivots(mas_mn(mas), mt);
+- if (offset)
+- mas->min = pivots[offset - 1] + 1;
+-
+- if (offset < mt_pivots[mt])
+- mas->max = pivots[offset];
+-
+- if (mas->index < mas->min)
+- mas->index = mas->min;
+-
++ min = mas_safe_min(mas, pivots, offset);
++ if (mas->index < min)
++ mas->index = min;
+ mas->last = mas->index + size - 1;
+ return 0;
+ }
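Review bot: The replacement lines no longer write `mas->min` or `mas->max`, and the code does not record why. The commit message gives the reason: they must keep describing the node range so the state stays usable after the call. A comment above the new lines such as `/* Leave mas->min/max as the node range; only index/last describe the gap. */` would keep a later change from reintroducing the narrowing. `min` is assigned here without a declaration in the hunk, so it is presumably an existing parameter or local of mas_empty_area(); if it is the caller-supplied lower bound, a separate local would read more clearly. The function starts outside the hunk.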
--- /dev/null
+From 04fc7816089c5a32c29a04ec94b998e219dfb946 Mon Sep 17 00:00:00 2001
+From: Domenico Cerasuolo <cerasuolodomenico@gmail.com>
+Date: Wed, 3 May 2023 17:12:00 +0200
+Subject: mm: fix zswap writeback race condition
+
+From: Domenico Cerasuolo <cerasuolodomenico@gmail.com>
+
+commit 04fc7816089c5a32c29a04ec94b998e219dfb946 upstream.
+
+The zswap writeback mechanism can cause a race condition resulting in
+memory corruption, where a swapped out page gets swapped in with data that
+was written to a different page.
+
+The race unfolds like this:
+1. a page with data A and swap offset X is stored in zswap
+2. page A is removed off the LRU by zpool driver for writeback in
+ zswap-shrink work, data for A is mapped by zpool driver
+3. user space program faults and invalidates page entry A, offset X is
+ considered free
+4. kswapd stores page B at offset X in zswap (zswap could also be
+ full, if so, page B would then be IOed to X, then skip step 5.)
+5. entry A is replaced by B in tree->rbroot, this doesn't affect the
+ local reference held by zswap-shrink work
+6. zswap-shrink work writes back A at X, and frees zswap entry A
+7. swapin of slot X brings A in memory instead of B
+
+The fix:
+Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW),
+zswap-shrink work just checks that the local zswap_entry reference is
+still the same as the one in the tree. If it's not the same it means that
+it's either been invalidated or replaced, in both cases the writeback is
+aborted because the local entry contains stale data.
+
+Reproducer:
+I originally found this by running `stress` overnight to validate my work
+on the zswap writeback mechanism, it manifested after hours on my test
+machine. The key to make it happen is having zswap writebacks, so
+whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do
+the trick.
+
+In order to reproduce this faster on a vm, I setup a system with ~100M of
+available memory and a 500M swap file, then running `stress --vm 1
+--vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens
+of minutes. One can speed things up even more by swinging
+/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20
+and 1; this makes it reproduce in tens of seconds. It's crucial to set
+`--vm-stride` to something other than 4096 otherwise `stress` won't
+realize that memory has been corrupted because all pages would have the
+same data.
+
+Link: https://lkml.kernel.org/r/20230503151200.19707-1-cerasuolodomenico@gmail.com
+Signed-off-by: Domenico Cerasuolo <cerasuolodomenico@gmail.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Chris Li (Google) <chrisl@kernel.org>
+Cc: Dan Streetman <ddstreet@ieee.org>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Nitin Gupta <ngupta@vflare.org>
+Cc: Seth Jennings <sjenning@redhat.com>
+Cc: Vitaly Wool <vitaly.wool@konsulko.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zswap.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -1002,6 +1002,22 @@ static int zswap_writeback_entry(struct
+ goto fail;
+
+ case ZSWAP_SWAPCACHE_NEW: /* page is locked */
++ /*
++ * Having a local reference to the zswap entry doesn't exclude
++ * swapping from invalidating and recycling the swap slot. Once
++ * the swapcache is secured against concurrent swapping to and
++ * from the slot, recheck that the entry is still current before
++ * writing.
++ */
++ spin_lock(&tree->lock);
++ if (zswap_rb_search(&tree->rbroot, entry->offset) != entry) {
++ spin_unlock(&tree->lock);
++ delete_from_swap_cache(page_folio(page));
++ ret = -ENOMEM;
++ goto fail;
++ }
++ spin_unlock(&tree->lock);
++
+ /* decompress */
+ acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ dlen = PAGE_SIZE;
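Review bot: On the new stale-entry path the page is removed from the swap cache and control jumps to `fail`, but the case label says `/* page is locked */` and nothing in the hunk unlocks the page or drops a reference on it. Unless the `fail` label does both (it is outside the hunk), the page stays locked and referenced. Adding `unlock_page(page);` and `put_page(page);` after `delete_from_swap_cache()` would release it. `-ENOMEM` also misdescribes a lost race, so a short comment on why that value is returned would help the next reader. zswap_writeback_entry() starts and ends outside the hunk.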
--- /dev/null
+From f22e9b67f19ccc73de1ae04375d4b30684e261f8 Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+Date: Fri, 12 May 2023 15:14:35 +0200
+Subject: Revert "usb: gadget: udc: core: Invoke usb_gadget_connect only when started"
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+commit f22e9b67f19ccc73de1ae04375d4b30684e261f8 upstream.
+
+This reverts commit 0db213ea8eed5534a5169e807f28103cbc9d23df.
+
+It introduces an issue where configuring the USB gadget hangs forever
+on multiple Qualcomm and NXP i.MX SoCs at least.
+
+Cc: stable@vger.kernel.org
+Fixes: 0db213ea8eed ("usb: gadget: udc: core: Invoke usb_gadget_connect only when started")
+Reported-by: Stephan Gerhold <stephan@gerhold.net>
+Reported-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/all/ZF4BvgsOyoKxdPFF@francesco-nb.int.toradex.com/
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20230512131435.205464-3-francesco@dolcini.it
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 148 ++++++++++++------------------------------
+ 1 file changed, 44 insertions(+), 104 deletions(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -37,10 +37,6 @@ static struct bus_type gadget_bus_type;
+ * @vbus: for udcs who care about vbus status, this value is real vbus status;
+ * for udcs who do not care about vbus status, this value is always true
+ * @started: the UDC's started state. True if the UDC had started.
+- * @connect_lock: protects udc->vbus, udc->started, gadget->connect, gadget->deactivate related
+- * functions. usb_gadget_connect_locked, usb_gadget_disconnect_locked,
+- * usb_udc_connect_control_locked, usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are
+- * called with this lock held.
+ *
+ * This represents the internal data structure which is used by the UDC-class
+ * to hold information about udc driver and gadget together.
+@@ -52,7 +48,6 @@ struct usb_udc {
+ struct list_head list;
+ bool vbus;
+ bool started;
+- struct mutex connect_lock;
+ };
+
+ static struct class *udc_class;
+@@ -665,9 +660,17 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(usb_gadget_vbus_disconnect);
+
+-/* Internal version of usb_gadget_connect needs to be called with connect_lock held. */
+-static int usb_gadget_connect_locked(struct usb_gadget *gadget)
+- __must_hold(&gadget->udc->connect_lock)
++/**
++ * usb_gadget_connect - software-controlled connect to USB host
++ * @gadget:the peripheral being connected
++ *
++ * Enables the D+ (or potentially D-) pullup. The host will start
++ * enumerating this gadget when the pullup is active and a VBUS session
++ * is active (the link is powered).
++ *
++ * Returns zero on success, else negative errno.
++ */
++int usb_gadget_connect(struct usb_gadget *gadget)
+ {
+ int ret = 0;
+
+@@ -676,12 +679,10 @@ static int usb_gadget_connect_locked(str
+ goto out;
+ }
+
+- if (gadget->deactivated || !gadget->udc->started) {
++ if (gadget->deactivated) {
+ /*
+ * If gadget is deactivated we only save new state.
+ * Gadget will be connected automatically after activation.
+- *
+- * udc first needs to be started before gadget can be pulled up.
+ */
+ gadget->connected = true;
+ goto out;
+@@ -696,32 +697,22 @@ out:
+
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(usb_gadget_connect);
+
+ /**
+- * usb_gadget_connect - software-controlled connect to USB host
+- * @gadget:the peripheral being connected
++ * usb_gadget_disconnect - software-controlled disconnect from USB host
++ * @gadget:the peripheral being disconnected
+ *
+- * Enables the D+ (or potentially D-) pullup. The host will start
+- * enumerating this gadget when the pullup is active and a VBUS session
+- * is active (the link is powered).
++ * Disables the D+ (or potentially D-) pullup, which the host may see
++ * as a disconnect (when a VBUS session is active). Not all systems
++ * support software pullup controls.
++ *
++ * Following a successful disconnect, invoke the ->disconnect() callback
++ * for the current gadget driver so that UDC drivers don't need to.
+ *
+ * Returns zero on success, else negative errno.
+ */
+-int usb_gadget_connect(struct usb_gadget *gadget)
+-{
+- int ret;
+-
+- mutex_lock(&gadget->udc->connect_lock);
+- ret = usb_gadget_connect_locked(gadget);
+- mutex_unlock(&gadget->udc->connect_lock);
+-
+- return ret;
+-}
+-EXPORT_SYMBOL_GPL(usb_gadget_connect);
+-
+-/* Internal version of usb_gadget_disconnect needs to be called with connect_lock held. */
+-static int usb_gadget_disconnect_locked(struct usb_gadget *gadget)
+- __must_hold(&gadget->udc->connect_lock)
++int usb_gadget_disconnect(struct usb_gadget *gadget)
+ {
+ int ret = 0;
+
+@@ -733,12 +724,10 @@ static int usb_gadget_disconnect_locked(
+ if (!gadget->connected)
+ goto out;
+
+- if (gadget->deactivated || !gadget->udc->started) {
++ if (gadget->deactivated) {
+ /*
+ * If gadget is deactivated we only save new state.
+ * Gadget will stay disconnected after activation.
+- *
+- * udc should have been started before gadget being pulled down.
+ */
+ gadget->connected = false;
+ goto out;
+@@ -758,30 +747,6 @@ out:
+
+ return ret;
+ }
+-
+-/**
+- * usb_gadget_disconnect - software-controlled disconnect from USB host
+- * @gadget:the peripheral being disconnected
+- *
+- * Disables the D+ (or potentially D-) pullup, which the host may see
+- * as a disconnect (when a VBUS session is active). Not all systems
+- * support software pullup controls.
+- *
+- * Following a successful disconnect, invoke the ->disconnect() callback
+- * for the current gadget driver so that UDC drivers don't need to.
+- *
+- * Returns zero on success, else negative errno.
+- */
+-int usb_gadget_disconnect(struct usb_gadget *gadget)
+-{
+- int ret;
+-
+- mutex_lock(&gadget->udc->connect_lock);
+- ret = usb_gadget_disconnect_locked(gadget);
+- mutex_unlock(&gadget->udc->connect_lock);
+-
+- return ret;
+-}
+ EXPORT_SYMBOL_GPL(usb_gadget_disconnect);
+
+ /**
+@@ -802,11 +767,10 @@ int usb_gadget_deactivate(struct usb_gad
+ if (gadget->deactivated)
+ goto out;
+
+- mutex_lock(&gadget->udc->connect_lock);
+ if (gadget->connected) {
+- ret = usb_gadget_disconnect_locked(gadget);
++ ret = usb_gadget_disconnect(gadget);
+ if (ret)
+- goto unlock;
++ goto out;
+
+ /*
+ * If gadget was being connected before deactivation, we want
+@@ -816,8 +780,6 @@ int usb_gadget_deactivate(struct usb_gad
+ }
+ gadget->deactivated = true;
+
+-unlock:
+- mutex_unlock(&gadget->udc->connect_lock);
+ out:
+ trace_usb_gadget_deactivate(gadget, ret);
+
+@@ -841,7 +803,6 @@ int usb_gadget_activate(struct usb_gadge
+ if (!gadget->deactivated)
+ goto out;
+
+- mutex_lock(&gadget->udc->connect_lock);
+ gadget->deactivated = false;
+
+ /*
+@@ -849,8 +810,7 @@ int usb_gadget_activate(struct usb_gadge
+ * while it was being deactivated, we call usb_gadget_connect().
+ */
+ if (gadget->connected)
+- ret = usb_gadget_connect_locked(gadget);
+- mutex_unlock(&gadget->udc->connect_lock);
++ ret = usb_gadget_connect(gadget);
+
+ out:
+ trace_usb_gadget_activate(gadget, ret);
+@@ -1091,13 +1051,12 @@ EXPORT_SYMBOL_GPL(usb_gadget_set_state);
+
+ /* ------------------------------------------------------------------------- */
+
+-/* Acquire connect_lock before calling this function. */
+-static void usb_udc_connect_control_locked(struct usb_udc *udc) __must_hold(&udc->connect_lock)
++static void usb_udc_connect_control(struct usb_udc *udc)
+ {
+- if (udc->vbus && udc->started)
+- usb_gadget_connect_locked(udc->gadget);
++ if (udc->vbus)
++ usb_gadget_connect(udc->gadget);
+ else
+- usb_gadget_disconnect_locked(udc->gadget);
++ usb_gadget_disconnect(udc->gadget);
+ }
+
+ /**
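Review bot: After this revert `usb_udc_connect_control()` reads `udc->vbus` and calls `usb_gadget_connect()` or `usb_gadget_disconnect()` with no lock held. `usb_udc_vbus_handler()` in the next hunk writes `udc->vbus` before calling it, and `gadget_bind_driver()` calls it as well. Nothing in these hunks says what serializes those callers against each other or against the `gadget->connected` and `gadget->deactivated` updates. The function should carry a comment naming the context that provides that serialization, or stating that the unsynchronized access is accepted until the locking is reworked.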
+@@ -1113,12 +1072,10 @@ void usb_udc_vbus_handler(struct usb_gad
+ {
+ struct usb_udc *udc = gadget->udc;
+
+- mutex_lock(&udc->connect_lock);
+ if (udc) {
+ udc->vbus = status;
+- usb_udc_connect_control_locked(udc);
++ usb_udc_connect_control(udc);
+ }
+- mutex_unlock(&udc->connect_lock);
+ }
+ EXPORT_SYMBOL_GPL(usb_udc_vbus_handler);
+
+@@ -1140,7 +1097,7 @@ void usb_gadget_udc_reset(struct usb_gad
+ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset);
+
+ /**
+- * usb_gadget_udc_start_locked - tells usb device controller to start up
++ * usb_gadget_udc_start - tells usb device controller to start up
+ * @udc: The UDC to be started
+ *
+ * This call is issued by the UDC Class driver when it's about
+@@ -1151,11 +1108,8 @@ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset);
+ * necessary to have it powered on.
+ *
+ * Returns zero on success, else negative errno.
+- *
+- * Caller should acquire connect_lock before invoking this function.
+ */
+-static inline int usb_gadget_udc_start_locked(struct usb_udc *udc)
+- __must_hold(&udc->connect_lock)
++static inline int usb_gadget_udc_start(struct usb_udc *udc)
+ {
+ int ret;
+
+@@ -1172,7 +1126,7 @@ static inline int usb_gadget_udc_start_l
+ }
+
+ /**
+- * usb_gadget_udc_stop_locked - tells usb device controller we don't need it anymore
++ * usb_gadget_udc_stop - tells usb device controller we don't need it anymore
+ * @udc: The UDC to be stopped
+ *
+ * This call is issued by the UDC Class driver after calling
+@@ -1181,11 +1135,8 @@ static inline int usb_gadget_udc_start_l
+ * The details are implementation specific, but it can go as
+ * far as powering off UDC completely and disable its data
+ * line pullups.
+- *
+- * Caller should acquire connect lock before invoking this function.
+ */
+-static inline void usb_gadget_udc_stop_locked(struct usb_udc *udc)
+- __must_hold(&udc->connect_lock)
++static inline void usb_gadget_udc_stop(struct usb_udc *udc)
+ {
+ if (!udc->started) {
+ dev_err(&udc->dev, "UDC had already stopped\n");
+@@ -1344,7 +1295,6 @@ int usb_add_gadget(struct usb_gadget *ga
+
+ udc->gadget = gadget;
+ gadget->udc = udc;
+- mutex_init(&udc->connect_lock);
+
+ udc->started = false;
+
+@@ -1546,15 +1496,11 @@ static int gadget_bind_driver(struct dev
+ if (ret)
+ goto err_bind;
+
+- mutex_lock(&udc->connect_lock);
+- ret = usb_gadget_udc_start_locked(udc);
+- if (ret) {
+- mutex_unlock(&udc->connect_lock);
++ ret = usb_gadget_udc_start(udc);
++ if (ret)
+ goto err_start;
+- }
+ usb_gadget_enable_async_callbacks(udc);
+- usb_udc_connect_control_locked(udc);
+- mutex_unlock(&udc->connect_lock);
++ usb_udc_connect_control(udc);
+
+ kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE);
+ return 0;
+@@ -1585,14 +1531,12 @@ static void gadget_unbind_driver(struct
+
+ kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE);
+
+- mutex_lock(&udc->connect_lock);
+- usb_gadget_disconnect_locked(gadget);
++ usb_gadget_disconnect(gadget);
+ usb_gadget_disable_async_callbacks(udc);
+ if (gadget->irq)
+ synchronize_irq(gadget->irq);
+ udc->driver->unbind(gadget);
+- usb_gadget_udc_stop_locked(udc);
+- mutex_unlock(&udc->connect_lock);
++ usb_gadget_udc_stop(udc);
+
+ mutex_lock(&udc_lock);
+ driver->is_bound = false;
+@@ -1678,15 +1622,11 @@ static ssize_t soft_connect_store(struct
+ }
+
+ if (sysfs_streq(buf, "connect")) {
+- mutex_lock(&udc->connect_lock);
+- usb_gadget_udc_start_locked(udc);
+- usb_gadget_connect_locked(udc->gadget);
+- mutex_unlock(&udc->connect_lock);
++ usb_gadget_udc_start(udc);
++ usb_gadget_connect(udc->gadget);
+ } else if (sysfs_streq(buf, "disconnect")) {
+- mutex_lock(&udc->connect_lock);
+- usb_gadget_disconnect_locked(udc->gadget);
+- usb_gadget_udc_stop_locked(udc);
+- mutex_unlock(&udc->connect_lock);
++ usb_gadget_disconnect(udc->gadget);
++ usb_gadget_udc_stop(udc);
+ } else {
+ dev_err(dev, "unsupported command '%s'\n", buf);
+ ret = -EINVAL;
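Review bot: In the `connect` branch the result of `usb_gadget_udc_start(udc)` is discarded and `usb_gadget_connect(udc->gadget)` runs regardless. A controller that failed to start is therefore still asked to pull up, and the sysfs write appears to succeed. Capturing the result in a local, e.g. `err = usb_gadget_udc_start(udc);`, and storing it in `ret` on failure, as the `else` branch does with `-EINVAL`, would surface the error to the writer. The return value of `usb_gadget_connect()` is dropped in the same way. soft_connect_store() starts and ends outside the hunk.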
--- /dev/null
+From 5e1617210aede9f1b91bb9819c93097b6da481f9 Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+Date: Fri, 12 May 2023 15:14:34 +0200
+Subject: Revert "usb: gadget: udc: core: Prevent redundant calls to pullup"
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+commit 5e1617210aede9f1b91bb9819c93097b6da481f9 upstream.
+
+This reverts commit a3afbf5cc887fc3401f012fe629810998ed61859.
+
+This depends on commit 0db213ea8eed ("usb: gadget: udc: core: Invoke
+usb_gadget_connect only when started") that introduces a regression,
+revert it till the issue is fixed.
+
+Cc: stable@vger.kernel.org
+Reported-by: Stephan Gerhold <stephan@gerhold.net>
+Reported-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/all/ZF4BvgsOyoKxdPFF@francesco-nb.int.toradex.com/
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20230512131435.205464-2-francesco@dolcini.it
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -676,9 +676,6 @@ static int usb_gadget_connect_locked(str
+ goto out;
+ }
+
+- if (gadget->connected)
+- goto out;
+-
+ if (gadget->deactivated || !gadget->udc->started) {
+ /*
+ * If gadget is deactivated we only save new state.
--- /dev/null
+From 95d698869b404772cc8b72560df71548491c10bc Mon Sep 17 00:00:00 2001
+From: Andrew Davis <afd@ti.com>
+Date: Thu, 20 Apr 2023 11:02:09 -0500
+Subject: serial: 8250_exar: Add support for USR298x PCI Modems
+
+From: Andrew Davis <afd@ti.com>
+
+commit 95d698869b404772cc8b72560df71548491c10bc upstream.
+
+Possibly the last PCI controller-based (i.e. not a soft/winmodem)
+dial-up modem one can still buy.
+
+Looks to have a stock XR17C154 PCI UART chip for communication, but for
+some reason when provisioning the PCI IDs they swapped the vendor and
+subvendor IDs. Otherwise this card would have worked out of the box.
+
+Searching online, some folks seem to not have this issue and others do,
+so it is possible only some batches of cards have this error.
+
+Create a new macro to handle the switched IDs and add support here.
+
+Signed-off-by: Andrew Davis <afd@ti.com>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230420160209.28221-1-afd@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_exar.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_exar.c
++++ b/drivers/tty/serial/8250/8250_exar.c
+@@ -40,9 +40,13 @@
+ #define PCI_DEVICE_ID_COMMTECH_4224PCIE 0x0020
+ #define PCI_DEVICE_ID_COMMTECH_4228PCIE 0x0021
+ #define PCI_DEVICE_ID_COMMTECH_4222PCIE 0x0022
++
+ #define PCI_DEVICE_ID_EXAR_XR17V4358 0x4358
+ #define PCI_DEVICE_ID_EXAR_XR17V8358 0x8358
+
++#define PCI_SUBDEVICE_ID_USR_2980 0x0128
++#define PCI_SUBDEVICE_ID_USR_2981 0x0129
++
+ #define PCI_DEVICE_ID_SEALEVEL_710xC 0x1001
+ #define PCI_DEVICE_ID_SEALEVEL_720xC 0x1002
+ #define PCI_DEVICE_ID_SEALEVEL_740xC 0x1004
+@@ -829,6 +833,15 @@ static const struct exar8250_board pbn_e
+ (kernel_ulong_t)&bd \
+ }
+
++#define USR_DEVICE(devid, sdevid, bd) { \
++ PCI_DEVICE_SUB( \
++ PCI_VENDOR_ID_USR, \
++ PCI_DEVICE_ID_EXAR_##devid, \
++ PCI_VENDOR_ID_EXAR, \
++ PCI_SUBDEVICE_ID_USR_##sdevid), 0, 0, \
++ (kernel_ulong_t)&bd \
++ }
++
+ static const struct pci_device_id exar_pci_tbl[] = {
+ EXAR_DEVICE(ACCESSIO, COM_2S, pbn_exar_XR17C15x),
+ EXAR_DEVICE(ACCESSIO, COM_4S, pbn_exar_XR17C15x),
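Review bot: USR_DEVICE puts `PCI_VENDOR_ID_USR` in the vendor slot and `PCI_VENDOR_ID_EXAR` in the subvendor slot, and the macro has no comment saying the swap is deliberate. Without the commit description this reads like a transposition bug that a later cleanup might "fix". I would add above the `#define` something like `/* USR298x cards report swapped IDs: USR as vendor, Exar as subvendor */`. The same comment could note that the match is pinned to a specific subdevice ID on purpose, so nobody later widens it to a wildcard.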
+@@ -853,6 +866,10 @@ static const struct pci_device_id exar_p
+
+ IBM_DEVICE(XR17C152, SATURN_SERIAL_ONE_PORT, pbn_exar_ibm_saturn),
+
++ /* USRobotics USR298x-OEM PCI Modems */
++ USR_DEVICE(XR17C152, 2980, pbn_exar_XR17C15x),
++ USR_DEVICE(XR17C152, 2981, pbn_exar_XR17C15x),
++
+ /* Exar Corp. XR17C15[248] Dual/Quad/Octal UART */
+ EXAR_DEVICE(EXAR, XR17C152, pbn_exar_XR17C15x),
+ EXAR_DEVICE(EXAR, XR17C154, pbn_exar_XR17C15x),
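Review bot: Both new table entries match on device ID `XR17C152`, while the commit description says the card carries a stock XR17C154, and the table comment does not explain the difference. If the card really enumerates with the XR17C152 ID, the comment should say so, e.g. `/* USRobotics USR298x-OEM PCI Modems (enumerate with the XR17C152 device ID) */`. How `pbn_exar_XR17C15x` derives the port count is not visible in this hunk, so it is worth confirming that the matched ID and the number of UARTs actually wired on the card agree. exar_pci_tbl continues outside the hunk.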
--- /dev/null
+From d2b00516de0e1d696724247098f6733a6ea53908 Mon Sep 17 00:00:00 2001
+From: Vitaliy Tomin <tomin@iszf.irk.ru>
+Date: Sun, 23 Apr 2023 11:45:12 +0800
+Subject: serial: Add support for Advantech PCI-1611U card
+
+From: Vitaliy Tomin <tomin@iszf.irk.ru>
+
+commit d2b00516de0e1d696724247098f6733a6ea53908 upstream.
+
+Add support for Advantech PCI-1611U card
+
+Advantech provides opensource drivers for this and many others card
+based on legacy copy of 8250_pci driver called adv950
+
+https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ
+
+It is hard to maintain to run as out of tree module on newer kernels.
+Just adding PCI ID to kernel 8250_pci works perfect.
+
+Signed-off-by: Vitaliy Tomin <tomin@iszf.irk.ru>
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1940,6 +1940,8 @@ pci_moxa_setup(struct serial_private *pr
+ #define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530
+ #define PCI_VENDOR_ID_ADVANTECH 0x13fe
+ #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66
++#define PCI_DEVICE_ID_ADVANTECH_PCI1600 0x1600
++#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611 0x1611
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3620 0x3620
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3618 0x3618
+ #define PCI_DEVICE_ID_ADVANTECH_PCIf618 0xf618
+@@ -4105,6 +4107,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_op
+ pciserial_resume_one);
+
+ static const struct pci_device_id serial_pci_tbl[] = {
++ { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600,
++ PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0,
++ pbn_b0_4_921600 },
+ /* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */
+ { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620,
+ PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0,
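Review bot: The new PCI-1611U entry places `PCI_DEVICE_ID_ADVANTECH_PCI1600_1611` in the subvendor position of the initializer with no explanation. It is inserted above the existing comment that explains this Advantech convention for the 3620 entry, so that comment does not cover it. A line above the entry such as `/* Advantech PCI-1611U: device ID 0x1600, 0x1611 is reported in the subvendor field */` would help, if that is indeed what the card reports. The subdevice field is `PCI_ANY_ID` here while the 3620 entry below pins it to `0x0001`; if the 1611U has a fixed subdevice ID, matching it would keep the entry from binding to other cards that share device ID 0x1600. serial_pci_tbl continues past the hunk.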
--- /dev/null
+From 5f949f140f73696f64acb89a1f16ff9153d017e0 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Fri, 5 May 2023 17:23:01 +0200
+Subject: serial: qcom-geni: fix enabling deactivated interrupt
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 5f949f140f73696f64acb89a1f16ff9153d017e0 upstream.
+
+The driver have a race, experienced only with PREEMPT_RT patchset:
+
+CPU0 | CPU1
+==================================================================
+qcom_geni_serial_probe |
+ uart_add_one_port |
+ | serdev_drv_probe
+ | qca_serdev_probe
+ | serdev_device_open
+ | uart_open
+ | uart_startup
+ | qcom_geni_serial_startup
+ | enable_irq
+ | __irq_startup
+ | WARN_ON()
+ | IRQ not activated
+ request_threaded_irq |
+ irq_domain_activate_irq |
+
+The warning:
+
+ 894000.serial: ttyHS1 at MMIO 0x894000 (irq = 144, base_baud = 0) is a MSM
+ serial serial0: tty port ttyHS1 registered
+ WARNING: CPU: 7 PID: 107 at kernel/irq/chip.c:241 __irq_startup+0x78/0xd8
+ ...
+ qcom_geni_serial 894000.serial: serial engine reports 0 RX bytes in!
+
+Adding UART port triggers probe of child serial devices - serdev and
+eventually Qualcomm Bluetooth hci_qca driver. This opens UART port
+which enables the interrupt before it got activated in
+request_threaded_irq(). The issue originates in commit f3974413cf02
+("tty: serial: qcom_geni_serial: Wakeup IRQ cleanup") and discussion on
+mailing list [1]. However the above commit does not explain why the
+uart_add_one_port() is moved above requesting interrupt.
+
+[1] https://lore.kernel.org/all/5d9f3dfa.1c69fb81.84c4b.30bf@mx.google.com/
+
+Fixes: f3974413cf02 ("tty: serial: qcom_geni_serial: Wakeup IRQ cleanup")
+Cc: <stable@vger.kernel.org>
+Cc: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230505152301.2181270-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/qcom_geni_serial.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/qcom_geni_serial.c
++++ b/drivers/tty/serial/qcom_geni_serial.c
+@@ -1483,19 +1483,18 @@ static int qcom_geni_serial_probe(struct
+ platform_set_drvdata(pdev, port);
+ port->handle_rx = console ? handle_rx_console : handle_rx_uart;
+
+- ret = uart_add_one_port(drv, uport);
+- if (ret)
+- return ret;
+-
+ irq_set_status_flags(uport->irq, IRQ_NOAUTOEN);
+ ret = devm_request_irq(uport->dev, uport->irq, qcom_geni_serial_isr,
+ IRQF_TRIGGER_HIGH, port->name, uport);
+ if (ret) {
+ dev_err(uport->dev, "Failed to get IRQ ret %d\n", ret);
+- uart_remove_one_port(drv, uport);
+ return ret;
+ }
+
++ ret = uart_add_one_port(drv, uport);
++ if (ret)
++ return ret;
++
+ /*
+ * Set pm_runtime status as ACTIVE so that wakeup_irq gets
+ * enabled/disabled from dev_pm_arm_wake_irq during system
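Review bot: The order of `devm_request_irq()` before `uart_add_one_port()` is now load-bearing, but nothing in the code says so. The commit description itself notes that the earlier reordering was made without an explanation. A comment above the `irq_set_status_flags()` call would keep the two from being swapped back: `/* Request the IRQ before uart_add_one_port(): registering the port can probe serdev children that open the port and call enable_irq() */`. qcom_geni_serial_probe starts and ends outside the hunk.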
netfilter-nf_tables-fix-nft_trans-type-confusion.patch
netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch
bridge-always-declare-tunnel-functions.patch
+alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch
+usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
+usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
+usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
+usb-dwc3-gadget-improve-dwc3_gadget_suspend-and-dwc3_gadget_resume.patch
+usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
+usb-gadget-u_ether-fix-host-mac-address-case.patch
+usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
+revert-usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch
+revert-usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch
+xhci-pci-only-run-d3cold-avoidance-quirk-for-s2idle.patch
+xhci-fix-incorrect-tracking-of-free-space-on-transfer-rings.patch
+alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
+alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
+alsa-hda-realtek-add-quirk-for-clevo-l140au.patch
+alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
+alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
+alsa-hda-realtek-add-quirk-for-hp-elitebook-g10-laptops.patch
+alsa-hda-realtek-fix-mute-and-micmute-leds-for-yet-another-hp-laptop.patch
+can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
+can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch
+can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
+can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
+can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
+can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
+can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
+can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
+wifi-rtw88-use-work-to-update-rate-to-avoid-rcu-warning.patch
+smb3-close-all-deferred-handles-of-inode-in-case-of-handle-lease-break.patch
+smb3-drop-reference-to-cfile-before-sending-oplock-break.patch
+ksmbd-smb2-allow-messages-padded-to-8byte-boundary.patch
+ksmbd-allocate-one-more-byte-for-implied-bcc.patch
+ksmbd-fix-wrong-username-check-in-session_user.patch
+ksmbd-fix-global-out-of-bounds-in-smb2_find_context_vals.patch
+kvm-fix-vcpu_array-races.patch
+statfs-enforce-statfs-structure-initialization.patch
+maple_tree-make-maple-state-reusable-after-mas_empty_area.patch
+mm-fix-zswap-writeback-race-condition.patch
+serial-add-support-for-advantech-pci-1611u-card.patch
+serial-8250_exar-add-support-for-usr298x-pci-modems.patch
+serial-qcom-geni-fix-enabling-deactivated-interrupt.patch
+thunderbolt-clear-registers-properly-when-auto-clear-isn-t-in-use.patch
+vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch
+ceph-force-updating-the-msg-pointer-in-non-split-case.patch
--- /dev/null
+From 47592fa8eb03742048b096b4696ec133384c45eb Mon Sep 17 00:00:00 2001
+From: Bharath SM <bharathsm@microsoft.com>
+Date: Wed, 3 May 2023 14:38:35 +0000
+Subject: SMB3: Close all deferred handles of inode in case of handle lease break
+
+From: Bharath SM <bharathsm@microsoft.com>
+
+commit 47592fa8eb03742048b096b4696ec133384c45eb upstream.
+
+Oplock break may occur for different file handle than the deferred
+handle. Check for inode deferred closes list, if it's not empty then
+close all the deferred handles of inode because we should not cache
+handles if we dont have handle lease.
+
+Eg: If openfilelist has one deferred file handle and another open file
+handle from app for a same file, then on a lease break we choose the
+first handle in openfile list. The first handle in list can be deferred
+handle or actual open file handle from app. In case if it is actual open
+handle then today, we don't close deferred handles if we lose handle lease
+on a file. Problem with this is, later if app decides to close the existing
+open handle then we still be caching deferred handles until deferred close
+timeout. Leaving open handle may result in sharing violation when windows
+client tries to open a file with limited file share access.
+
+So we should check for deferred list of inode and walk through the list of
+deferred files in inode and close all deferred files.
+
+Fixes: 9e31678fb403 ("SMB3: fix lease break timeout when multiple deferred close handles for the same file.")
+Cc: stable@kernel.org
+Signed-off-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/file.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -5087,8 +5087,6 @@ void cifs_oplock_break(struct work_struc
+ struct TCP_Server_Info *server = tcon->ses->server;
+ int rc = 0;
+ bool purge_cache = false;
+- struct cifs_deferred_close *dclose;
+- bool is_deferred = false;
+
+ wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS,
+ TASK_UNINTERRUPTIBLE);
+@@ -5129,14 +5127,9 @@ oplock_break_ack:
+ * file handles but cached, then schedule deferred close immediately.
+ * So, new open will not use cached handle.
+ */
+- spin_lock(&CIFS_I(inode)->deferred_lock);
+- is_deferred = cifs_is_deferred_close(cfile, &dclose);
+- spin_unlock(&CIFS_I(inode)->deferred_lock);
+
+- if (!CIFS_CACHE_HANDLE(cinode) && is_deferred &&
+- cfile->deferred_close_scheduled && delayed_work_pending(&cfile->deferred)) {
++ if (!CIFS_CACHE_HANDLE(cinode) && !list_empty(&cinode->deferred_closes))
+ cifs_close_deferred_file(cinode);
+- }
+
+ /*
+ * releasing stale oplock after recent reconnect of smb session using
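Review bot: The new condition tests `list_empty(&cinode->deferred_closes)` without holding `deferred_lock`, whereas the removed code took `CIFS_I(inode)->deferred_lock` around its lookup. A handle queued for deferred close just after the check would stay cached without a handle lease, which is the situation the commit description sets out to avoid. If the unlocked peek is intended, the comment above the test should say why the race is tolerated, e.g. `/* unlocked check: a deferred close queued concurrently is handled by ... */`; otherwise take `deferred_lock` around the test. Whether `cifs_close_deferred_file()` does its own locking is not visible here, and cifs_oplock_break starts and ends outside the hunk.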
--- /dev/null
+From 59a556aebc43dded08535fe97d94ca3f657915e4 Mon Sep 17 00:00:00 2001
+From: Bharath SM <bharathsm@microsoft.com>
+Date: Mon, 15 May 2023 21:25:12 +0000
+Subject: SMB3: drop reference to cfile before sending oplock break
+
+From: Bharath SM <bharathsm@microsoft.com>
+
+commit 59a556aebc43dded08535fe97d94ca3f657915e4 upstream.
+
+In cifs_oplock_break function we drop reference to a cfile at
+the end of function, due to which close command goes on wire
+after lease break acknowledgment even if file is already closed
+by application but we had deferred the handle close.
+If other client with limited file shareaccess waiting on lease
+break ack proceeds operation on that file as soon as first client
+sends ack, then we may encounter status sharing violation error
+because of open handle.
+Solution is to put reference to cfile(send close on wire if last ref)
+and then send oplock acknowledgment to server.
+
+Fixes: 9e31678fb403 ("SMB3: fix lease break timeout when multiple deferred close handles for the same file.")
+Cc: stable@kernel.org
+Signed-off-by: Bharath SM <bharathsm@microsoft.com>
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsglob.h | 4 ++--
+ fs/cifs/file.c | 17 ++++++++++++-----
+ fs/cifs/smb1ops.c | 9 ++++-----
+ fs/cifs/smb2ops.c | 7 +++----
+ 4 files changed, 21 insertions(+), 16 deletions(-)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -428,8 +428,8 @@ struct smb_version_operations {
+ /* check for STATUS_NETWORK_SESSION_EXPIRED */
+ bool (*is_session_expired)(char *);
+ /* send oplock break response */
+- int (*oplock_response)(struct cifs_tcon *, struct cifs_fid *,
+- struct cifsInodeInfo *);
++ int (*oplock_response)(struct cifs_tcon *tcon, __u64 persistent_fid, __u64 volatile_fid,
++ __u16 net_fid, struct cifsInodeInfo *cifs_inode);
+ /* query remote filesystem */
+ int (*queryfs)(const unsigned int, struct cifs_tcon *,
+ struct cifs_sb_info *, struct kstatfs *);
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -5086,7 +5086,9 @@ void cifs_oplock_break(struct work_struc
+ struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
+ struct TCP_Server_Info *server = tcon->ses->server;
+ int rc = 0;
+- bool purge_cache = false;
++ bool purge_cache = false, oplock_break_cancelled;
++ __u64 persistent_fid, volatile_fid;
++ __u16 net_fid;
+
+ wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS,
+ TASK_UNINTERRUPTIBLE);
+@@ -5131,19 +5133,24 @@ oplock_break_ack:
+ if (!CIFS_CACHE_HANDLE(cinode) && !list_empty(&cinode->deferred_closes))
+ cifs_close_deferred_file(cinode);
+
++ persistent_fid = cfile->fid.persistent_fid;
++ volatile_fid = cfile->fid.volatile_fid;
++ net_fid = cfile->fid.netfid;
++ oplock_break_cancelled = cfile->oplock_break_cancelled;
++
++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */, false);
+ /*
+ * releasing stale oplock after recent reconnect of smb session using
+ * a now incorrect file handle is not a data integrity issue but do
+ * not bother sending an oplock release if session to server still is
+ * disconnected since oplock already released by the server
+ */
+- if (!cfile->oplock_break_cancelled) {
+- rc = tcon->ses->server->ops->oplock_response(tcon, &cfile->fid,
+- cinode);
++ if (!oplock_break_cancelled) {
++ rc = tcon->ses->server->ops->oplock_response(tcon, persistent_fid,
++ volatile_fid, net_fid, cinode);
+ cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
+ }
+
+- _cifsFileInfo_put(cfile, false /* do not wait for ourself */, false);
+ cifs_done_oplock_break(cinode);
+ }
+
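Review bot: After `_cifsFileInfo_put(cfile, ...)` the function still dereferences `tcon` (in `tcon->ses->server->ops->oplock_response(...)`) and `cinode` (passed to the response and to `cifs_done_oplock_break()`). The context lines show `tcon` was obtained from `cfile->tlink`. The hunk copies the fids and `oplock_break_cancelled` out of cfile because the put may release it, but the tlink and possibly the inode may also be pinned only through cfile. Unless their lifetime is guaranteed some other way, which is not visible here, take a private reference before the put, e.g. `tlink = cifs_get_tlink(cfile->tlink);`, and release it with `cifs_put_tlink(tlink);` after `cifs_done_oplock_break(cinode)`; the inode needs the same consideration. The start of cifs_oplock_break is outside the hunk.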
+--- a/fs/cifs/smb1ops.c
++++ b/fs/cifs/smb1ops.c
+@@ -897,12 +897,11 @@ cifs_close_dir(const unsigned int xid, s
+ }
+
+ static int
+-cifs_oplock_response(struct cifs_tcon *tcon, struct cifs_fid *fid,
+- struct cifsInodeInfo *cinode)
++cifs_oplock_response(struct cifs_tcon *tcon, __u64 persistent_fid,
++ __u64 volatile_fid, __u16 net_fid, struct cifsInodeInfo *cinode)
+ {
+- return CIFSSMBLock(0, tcon, fid->netfid, current->tgid, 0, 0, 0, 0,
+- LOCKING_ANDX_OPLOCK_RELEASE, false,
+- CIFS_CACHE_READ(cinode) ? 1 : 0);
++ return CIFSSMBLock(0, tcon, net_fid, current->tgid, 0, 0, 0, 0,
++ LOCKING_ANDX_OPLOCK_RELEASE, false, CIFS_CACHE_READ(cinode) ? 1 : 0);
+ }
+
+ static int
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2383,15 +2383,14 @@ smb2_is_network_name_deleted(char *buf,
+ }
+
+ static int
+-smb2_oplock_response(struct cifs_tcon *tcon, struct cifs_fid *fid,
+- struct cifsInodeInfo *cinode)
++smb2_oplock_response(struct cifs_tcon *tcon, __u64 persistent_fid,
++ __u64 volatile_fid, __u16 net_fid, struct cifsInodeInfo *cinode)
+ {
+ if (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_LEASING)
+ return SMB2_lease_break(0, tcon, cinode->lease_key,
+ smb2_get_lease_state(cinode));
+
+- return SMB2_oplock_break(0, tcon, fid->persistent_fid,
+- fid->volatile_fid,
++ return SMB2_oplock_break(0, tcon, persistent_fid, volatile_fid,
+ CIFS_CACHE_READ(cinode) ? 1 : 0);
+ }
+
--- /dev/null
+From ed40866ec7d328b3dfb70db7e2011640a16202c3 Mon Sep 17 00:00:00 2001
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+Date: Thu, 4 May 2023 16:40:20 +0200
+Subject: statfs: enforce statfs[64] structure initialization
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream.
+
+s390's struct statfs and struct statfs64 contain padding, which
+field-by-field copying does not set. Initialize the respective structs
+with zeros before filling them and copying them to userspace, like it's
+already done for the compat versions of these structs.
+
+Found by KMSAN.
+
+[agordeev@linux.ibm.com: fixed typo in patch description]
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/statfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/statfs.c
++++ b/fs/statfs.c
+@@ -130,6 +130,7 @@ static int do_statfs_native(struct kstat
+ if (sizeof(buf) == sizeof(*st))
+ memcpy(&buf, st, sizeof(*st));
+ else {
++ memset(&buf, 0, sizeof(buf));
+ if (sizeof buf.f_blocks == 4) {
+ if ((st->f_blocks | st->f_bfree | st->f_bavail |
+ st->f_bsize | st->f_frsize) &
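Review bot: The added `memset(&buf, 0, sizeof(buf))` covers only the field-by-field branch. The `sizeof(buf) == sizeof(*st)` branch above it still fills buf with `memcpy(&buf, st, sizeof(*st))`, so any padding or unset field in the kernel's `struct kstatfs` reaches `copy_to_user()` unchanged. Whether the producer of `st` zeroes the whole structure is not visible in this hunk, so that assumption should be confirmed and then recorded next to the memcpy, for example `/* st is fully zero-initialised by its producer, padding included */`. The same applies to the do_statfs64 hunk at -171. Both function bodies begin outside their hunks.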
+@@ -158,7 +159,6 @@ static int do_statfs_native(struct kstat
+ buf.f_namelen = st->f_namelen;
+ buf.f_frsize = st->f_frsize;
+ buf.f_flags = st->f_flags;
+- memset(buf.f_spare, 0, sizeof(buf.f_spare));
+ }
+ if (copy_to_user(p, &buf, sizeof(buf)))
+ return -EFAULT;
+@@ -171,6 +171,7 @@ static int do_statfs64(struct kstatfs *s
+ if (sizeof(buf) == sizeof(*st))
+ memcpy(&buf, st, sizeof(*st));
+ else {
++ memset(&buf, 0, sizeof(buf));
+ buf.f_type = st->f_type;
+ buf.f_bsize = st->f_bsize;
+ buf.f_blocks = st->f_blocks;
+@@ -182,7 +183,6 @@ static int do_statfs64(struct kstatfs *s
+ buf.f_namelen = st->f_namelen;
+ buf.f_frsize = st->f_frsize;
+ buf.f_flags = st->f_flags;
+- memset(buf.f_spare, 0, sizeof(buf.f_spare));
+ }
+ if (copy_to_user(p, &buf, sizeof(buf)))
+ return -EFAULT;
--- /dev/null
+From c4af8e3fecd03b0aedcd38145955605cfebe7e3a Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Mon, 24 Apr 2023 14:55:54 -0500
+Subject: thunderbolt: Clear registers properly when auto clear isn't in use
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit c4af8e3fecd03b0aedcd38145955605cfebe7e3a upstream.
+
+When `QUIRK_AUTO_CLEAR_INT` isn't set, interrupt masking should be
+cleared by writing to Interrupt Mask Clear (IMR) and interrupt
+status should be cleared properly at shutdown/init.
+
+This fixes an error where interrupts are left enabled during resume
+from hibernation with `CONFIG_USB4=y`.
+
+Fixes: 468c49f44759 ("thunderbolt: Disable interrupt auto clear for rings")
+Cc: stable@vger.kernel.org # v6.3
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217343
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/nhi.c | 29 ++++++++++++++++++++++++-----
+ drivers/thunderbolt/nhi_regs.h | 2 ++
+ 2 files changed, 26 insertions(+), 5 deletions(-)
+
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -54,6 +54,21 @@ static int ring_interrupt_index(const st
+ return bit;
+ }
+
++static void nhi_mask_interrupt(struct tb_nhi *nhi, int mask, int ring)
++{
++ if (nhi->quirks & QUIRK_AUTO_CLEAR_INT)
++ return;
++ iowrite32(mask, nhi->iobase + REG_RING_INTERRUPT_MASK_CLEAR_BASE + ring);
++}
++
++static void nhi_clear_interrupt(struct tb_nhi *nhi, int ring)
++{
++ if (nhi->quirks & QUIRK_AUTO_CLEAR_INT)
++ ioread32(nhi->iobase + REG_RING_NOTIFY_BASE + ring);
++ else
++ iowrite32(~0, nhi->iobase + REG_RING_INT_CLEAR + ring);
++}
++
+ /*
+ * ring_interrupt_active() - activate/deactivate interrupts for a single ring
+ *
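Review bot: nhi_mask_interrupt() returns without touching any register when `QUIRK_AUTO_CLEAR_INT` is set. On such controllers the deactivate path in ring_interrupt_active() (hunk at -123) therefore no longer writes `new` anywhere, and nhi_disable_interrupts() (hunk at -136) no longer zeroes REG_RING_INTERRUPT_BASE as the removed `iowrite32(0, ...)` did. That appears to leave ring interrupts enabled on quirk hardware after a ring is stopped or the NHI is shut down. The helper should fall back to clearing the bits in the enable register when the mask-clear register is not used, as sketched below. The `mask` parameter is also declared `int` but is passed `~0`; a `u32` would match the register width.

```c
static void nhi_mask_interrupt(struct tb_nhi *nhi, int mask, int ring)
{
	if (nhi->quirks & QUIRK_AUTO_CLEAR_INT) {
		u32 val;

		/* No mask-clear register in use: clear the enable bits directly. */
		val = ioread32(nhi->iobase + REG_RING_INTERRUPT_BASE + ring);
		iowrite32(val & ~mask, nhi->iobase + REG_RING_INTERRUPT_BASE + ring);
	} else {
		iowrite32(mask, nhi->iobase + REG_RING_INTERRUPT_MASK_CLEAR_BASE + ring);
	}
}
/* … unchanged: nhi_clear_interrupt() … */
```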
+@@ -61,8 +76,8 @@ static int ring_interrupt_index(const st
+ */
+ static void ring_interrupt_active(struct tb_ring *ring, bool active)
+ {
+- int reg = REG_RING_INTERRUPT_BASE +
+- ring_interrupt_index(ring) / 32 * 4;
++ int index = ring_interrupt_index(ring) / 32 * 4;
++ int reg = REG_RING_INTERRUPT_BASE + index;
+ int interrupt_bit = ring_interrupt_index(ring) & 31;
+ int mask = 1 << interrupt_bit;
+ u32 old, new;
+@@ -123,7 +138,11 @@ static void ring_interrupt_active(struct
+ "interrupt for %s %d is already %s\n",
+ RING_TYPE(ring), ring->hop,
+ active ? "enabled" : "disabled");
+- iowrite32(new, ring->nhi->iobase + reg);
++
++ if (active)
++ iowrite32(new, ring->nhi->iobase + reg);
++ else
++ nhi_mask_interrupt(ring->nhi, mask, index);
+ }
+
+ /*
+@@ -136,11 +155,11 @@ static void nhi_disable_interrupts(struc
+ int i = 0;
+ /* disable interrupts */
+ for (i = 0; i < RING_INTERRUPT_REG_COUNT(nhi); i++)
+- iowrite32(0, nhi->iobase + REG_RING_INTERRUPT_BASE + 4 * i);
++ nhi_mask_interrupt(nhi, ~0, 4 * i);
+
+ /* clear interrupt status bits */
+ for (i = 0; i < RING_NOTIFY_REG_COUNT(nhi); i++)
+- ioread32(nhi->iobase + REG_RING_NOTIFY_BASE + 4 * i);
++ nhi_clear_interrupt(nhi, 4 * i);
+ }
+
+ /* ring helper methods */
+--- a/drivers/thunderbolt/nhi_regs.h
++++ b/drivers/thunderbolt/nhi_regs.h
+@@ -93,6 +93,8 @@ struct ring_desc {
+ #define REG_RING_INTERRUPT_BASE 0x38200
+ #define RING_INTERRUPT_REG_COUNT(nhi) ((31 + 2 * nhi->hop_count) / 32)
+
++#define REG_RING_INTERRUPT_MASK_CLEAR_BASE 0x38208
++
+ #define REG_INT_THROTTLING_RATE 0x38c00
+
+ /* Interrupt Vector Allocation */
--- /dev/null
+From 614ce6a2ea50068b45339257891e51e639ac9001 Mon Sep 17 00:00:00 2001
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+Date: Tue, 9 May 2023 20:18:36 +0530
+Subject: usb: dwc3: debugfs: Resume dwc3 before accessing registers
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+commit 614ce6a2ea50068b45339257891e51e639ac9001 upstream.
+
+When the dwc3 device is runtime suspended, various required clocks are in
+disabled state and it is not guaranteed that access to any registers would
+work. Depending on the SoC glue, a register read could be as benign as
+returning 0 or be fatal enough to hang the system.
+
+In order to prevent such scenarios of fatal errors, make sure to resume
+dwc3 then allow the function to proceed.
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: stable@vger.kernel.org #3.2: 30332eeefec8: debugfs: regset32: Add Runtime PM support
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20230509144836.6803-1-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/debugfs.c | 109 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 109 insertions(+)
+
+--- a/drivers/usb/dwc3/debugfs.c
++++ b/drivers/usb/dwc3/debugfs.c
+@@ -327,6 +327,11 @@ static int dwc3_lsp_show(struct seq_file
+ unsigned int current_mode;
+ unsigned long flags;
+ u32 reg;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+@@ -345,6 +350,8 @@ static int dwc3_lsp_show(struct seq_file
+ }
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -390,6 +397,11 @@ static int dwc3_mode_show(struct seq_fil
+ struct dwc3 *dwc = s->private;
+ unsigned long flags;
+ u32 reg;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ reg = dwc3_readl(dwc->regs, DWC3_GCTL);
+@@ -409,6 +421,8 @@ static int dwc3_mode_show(struct seq_fil
+ seq_printf(s, "UNKNOWN %08x\n", DWC3_GCTL_PRTCAP(reg));
+ }
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -458,6 +472,11 @@ static int dwc3_testmode_show(struct seq
+ struct dwc3 *dwc = s->private;
+ unsigned long flags;
+ u32 reg;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+@@ -488,6 +507,8 @@ static int dwc3_testmode_show(struct seq
+ seq_printf(s, "UNKNOWN %d\n", reg);
+ }
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -504,6 +525,7 @@ static ssize_t dwc3_testmode_write(struc
+ unsigned long flags;
+ u32 testmode = 0;
+ char buf[32];
++ int ret;
+
+ if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+ return -EFAULT;
+@@ -521,10 +543,16 @@ static ssize_t dwc3_testmode_write(struc
+ else
+ testmode = 0;
+
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
++
+ spin_lock_irqsave(&dwc->lock, flags);
+ dwc3_gadget_set_test_mode(dwc, testmode);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return count;
+ }
+
+@@ -543,12 +571,18 @@ static int dwc3_link_state_show(struct s
+ enum dwc3_link_state state;
+ u32 reg;
+ u8 speed;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+ if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) {
+ seq_puts(s, "Not available\n");
+ spin_unlock_irqrestore(&dwc->lock, flags);
++ pm_runtime_put_sync(dwc->dev);
+ return 0;
+ }
+
+@@ -561,6 +595,8 @@ static int dwc3_link_state_show(struct s
+ dwc3_gadget_hs_link_string(state));
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -579,6 +615,7 @@ static ssize_t dwc3_link_state_write(str
+ char buf[32];
+ u32 reg;
+ u8 speed;
++ int ret;
+
+ if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+ return -EFAULT;
+@@ -598,10 +635,15 @@ static ssize_t dwc3_link_state_write(str
+ else
+ return -EINVAL;
+
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
++
+ spin_lock_irqsave(&dwc->lock, flags);
+ reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+ if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) {
+ spin_unlock_irqrestore(&dwc->lock, flags);
++ pm_runtime_put_sync(dwc->dev);
+ return -EINVAL;
+ }
+
+@@ -611,12 +653,15 @@ static ssize_t dwc3_link_state_write(str
+ if (speed < DWC3_DSTS_SUPERSPEED &&
+ state != DWC3_LINK_STATE_RECOV) {
+ spin_unlock_irqrestore(&dwc->lock, flags);
++ pm_runtime_put_sync(dwc->dev);
+ return -EINVAL;
+ }
+
+ dwc3_gadget_set_link_state(dwc, state);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return count;
+ }
+
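Review bot: Every exit from dwc3_link_state_write() after the resume now has to repeat `spin_unlock_irqrestore(&dwc->lock, flags);` followed by `pm_runtime_put_sync(dwc->dev);`, here and in the preceding hunk at -598. The next early return added to this function can easily skip the put, leaving the runtime-PM usage count raised so the controller never suspends again. A single exit path would remove that risk: store the result and `goto out;`, with `out:` doing the unlock and the put once before returning. dwc3_link_state_show() open-codes the same pairing on its early return. The function begins outside the hunk.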
+@@ -640,6 +685,11 @@ static int dwc3_tx_fifo_size_show(struct
+ unsigned long flags;
+ u32 mdwidth;
+ u32 val;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ val = dwc3_core_fifo_space(dep, DWC3_TXFIFO);
+@@ -652,6 +702,8 @@ static int dwc3_tx_fifo_size_show(struct
+ seq_printf(s, "%u\n", val);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -662,6 +714,11 @@ static int dwc3_rx_fifo_size_show(struct
+ unsigned long flags;
+ u32 mdwidth;
+ u32 val;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ val = dwc3_core_fifo_space(dep, DWC3_RXFIFO);
+@@ -674,6 +731,8 @@ static int dwc3_rx_fifo_size_show(struct
+ seq_printf(s, "%u\n", val);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -683,12 +742,19 @@ static int dwc3_tx_request_queue_show(st
+ struct dwc3 *dwc = dep->dwc;
+ unsigned long flags;
+ u32 val;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ val = dwc3_core_fifo_space(dep, DWC3_TXREQQ);
+ seq_printf(s, "%u\n", val);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -698,12 +764,19 @@ static int dwc3_rx_request_queue_show(st
+ struct dwc3 *dwc = dep->dwc;
+ unsigned long flags;
+ u32 val;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ val = dwc3_core_fifo_space(dep, DWC3_RXREQQ);
+ seq_printf(s, "%u\n", val);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -713,12 +786,19 @@ static int dwc3_rx_info_queue_show(struc
+ struct dwc3 *dwc = dep->dwc;
+ unsigned long flags;
+ u32 val;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ val = dwc3_core_fifo_space(dep, DWC3_RXINFOQ);
+ seq_printf(s, "%u\n", val);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -728,12 +808,19 @@ static int dwc3_descriptor_fetch_queue_s
+ struct dwc3 *dwc = dep->dwc;
+ unsigned long flags;
+ u32 val;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ val = dwc3_core_fifo_space(dep, DWC3_DESCFETCHQ);
+ seq_printf(s, "%u\n", val);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -743,12 +830,19 @@ static int dwc3_event_queue_show(struct
+ struct dwc3 *dwc = dep->dwc;
+ unsigned long flags;
+ u32 val;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ val = dwc3_core_fifo_space(dep, DWC3_EVENTQ);
+ seq_printf(s, "%u\n", val);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -793,6 +887,11 @@ static int dwc3_trb_ring_show(struct seq
+ struct dwc3 *dwc = dep->dwc;
+ unsigned long flags;
+ int i;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ if (dep->number <= 1) {
+@@ -822,6 +921,8 @@ static int dwc3_trb_ring_show(struct seq
+ out:
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -834,6 +935,11 @@ static int dwc3_ep_info_register_show(st
+ u32 lower_32_bits;
+ u32 upper_32_bits;
+ u32 reg;
++ int ret;
++
++ ret = pm_runtime_resume_and_get(dwc->dev);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ reg = DWC3_GDBGLSPMUX_EPSELECT(dep->number);
+@@ -846,6 +952,8 @@ static int dwc3_ep_info_register_show(st
+ seq_printf(s, "0x%016llx\n", ep_info);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ pm_runtime_put_sync(dwc->dev);
++
+ return 0;
+ }
+
+@@ -905,6 +1013,7 @@ void dwc3_debugfs_init(struct dwc3 *dwc)
+ dwc->regset->regs = dwc3_regs;
+ dwc->regset->nregs = ARRAY_SIZE(dwc3_regs);
+ dwc->regset->base = dwc->regs - DWC3_GLOBALS_REGS_START;
++ dwc->regset->dev = dwc->dev;
+
+ root = debugfs_create_dir(dev_name(dwc->dev), usb_debug_root);
+ dwc->debug_root = root;
--- /dev/null
+From c8540870af4ce6ddeb27a7bb5498b75fb29b643c Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@kernel.org>
+Date: Wed, 3 May 2023 14:00:48 +0300
+Subject: usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume()
+
+From: Roger Quadros <rogerq@kernel.org>
+
+commit c8540870af4ce6ddeb27a7bb5498b75fb29b643c upstream.
+
+Prevent -ETIMEDOUT error on .suspend().
+e.g. If gadget driver is loaded and we are connected to a USB host,
+all transfers must be stopped before stopping the controller else
+we will not get a clean stop i.e. dwc3_gadget_run_stop() will take
+several seconds to complete and will return -ETIMEDOUT.
+
+Handle error cases properly in dwc3_gadget_suspend().
+Simplify dwc3_gadget_resume() by using the introduced helper function.
+
+Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume")
+Cc: stable@vger.kernel.org
+Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20230503110048.30617-1-rogerq@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 67 +++++++++++++++++++++++-----------------------
+ 1 file changed, 34 insertions(+), 33 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2587,6 +2587,21 @@ static int dwc3_gadget_soft_disconnect(s
+ return ret;
+ }
+
++static int dwc3_gadget_soft_connect(struct dwc3 *dwc)
++{
++ /*
++ * In the Synopsys DWC_usb31 1.90a programming guide section
++ * 4.1.9, it specifies that for a reconnect after a
++ * device-initiated disconnect requires a core soft reset
++ * (DCTL.CSftRst) before enabling the run/stop bit.
++ */
++ dwc3_core_soft_reset(dwc);
++
++ dwc3_event_buffers_setup(dwc);
++ __dwc3_gadget_start(dwc);
++ return dwc3_gadget_run_stop(dwc, true);
++}
++
+ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on)
+ {
+ struct dwc3 *dwc = gadget_to_dwc(g);
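Review bot: dwc3_gadget_soft_connect() discards the result of `__dwc3_gadget_start(dwc)`, which the dwc3_gadget_resume() body removed later in this patch checked with `if (ret < 0) goto err0;`. The old resume path also called `__dwc3_gadget_stop(dwc)` when run/stop failed; after this change resume can set run/stop following a failed start and returns with no unwind. Suggest `ret = __dwc3_gadget_start(dwc);` followed by `if (ret) return ret;` before the `dwc3_gadget_run_stop(dwc, true)` call. dwc3_core_soft_reset() deserves the same treatment if it reports failure; its return type is not visible on this page.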
+@@ -2625,21 +2640,10 @@ static int dwc3_gadget_pullup(struct usb
+
+ synchronize_irq(dwc->irq_gadget);
+
+- if (!is_on) {
++ if (!is_on)
+ ret = dwc3_gadget_soft_disconnect(dwc);
+- } else {
+- /*
+- * In the Synopsys DWC_usb31 1.90a programming guide section
+- * 4.1.9, it specifies that for a reconnect after a
+- * device-initiated disconnect requires a core soft reset
+- * (DCTL.CSftRst) before enabling the run/stop bit.
+- */
+- dwc3_core_soft_reset(dwc);
+-
+- dwc3_event_buffers_setup(dwc);
+- __dwc3_gadget_start(dwc);
+- ret = dwc3_gadget_run_stop(dwc, true);
+- }
++ else
++ ret = dwc3_gadget_soft_connect(dwc);
+
+ pm_runtime_put(dwc->dev);
+
+@@ -4555,42 +4559,39 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
+ int dwc3_gadget_suspend(struct dwc3 *dwc)
+ {
+ unsigned long flags;
++ int ret;
+
+ if (!dwc->gadget_driver)
+ return 0;
+
+- dwc3_gadget_run_stop(dwc, false);
++ ret = dwc3_gadget_soft_disconnect(dwc);
++ if (ret)
++ goto err;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ dwc3_disconnect_gadget(dwc);
+- __dwc3_gadget_stop(dwc);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
+ return 0;
++
++err:
++ /*
++ * Attempt to reset the controller's state. Likely no
++ * communication can be established until the host
++ * performs a port reset.
++ */
++ if (dwc->softconnect)
++ dwc3_gadget_soft_connect(dwc);
++
++ return ret;
+ }
+
+ int dwc3_gadget_resume(struct dwc3 *dwc)
+ {
+- int ret;
+-
+ if (!dwc->gadget_driver || !dwc->softconnect)
+ return 0;
+
+- ret = __dwc3_gadget_start(dwc);
+- if (ret < 0)
+- goto err0;
+-
+- ret = dwc3_gadget_run_stop(dwc, true);
+- if (ret < 0)
+- goto err1;
+-
+- return 0;
+-
+-err1:
+- __dwc3_gadget_stop(dwc);
+-
+-err0:
+- return ret;
++ return dwc3_gadget_soft_connect(dwc);
+ }
+
+ void dwc3_gadget_process_pending_events(struct dwc3 *dwc)
--- /dev/null
+From 3c0f4f09c063e143822393d99cb2b19a85451c07 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Konrad=20Gr=C3=A4fe?= <k.graefe@gateware.de>
+Date: Fri, 5 May 2023 16:36:40 +0200
+Subject: usb: gadget: u_ether: Fix host MAC address case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Konrad Gräfe <k.graefe@gateware.de>
+
+commit 3c0f4f09c063e143822393d99cb2b19a85451c07 upstream.
+
+The CDC-ECM specification [1] requires to send the host MAC address as
+an uppercase hexadecimal string in chapter "5.4 Ethernet Networking
+Functional Descriptor":
+ The Unicode character is chosen from the set of values 30h through
+ 39h and 41h through 46h (0-9 and A-F).
+
+However, snprintf(.., "%pm", ..) generates a lowercase MAC address
+string. While most host drivers are tolerant to this, UsbNcm.sys on
+Windows 10 is not. Instead it uses a different MAC address with all
+bytes set to zero including and after the first byte containing a
+lowercase letter. On Windows 11 Microsoft fixed it, but apparently they
+did not backport the fix.
+
+This change fixes the issue by upper-casing the MAC to comply with the
+specification.
+
+[1]: https://www.usb.org/document-library/class-definitions-communication-devices-12, file ECM120.pdf
+
+Fixes: bcd4a1c40bee ("usb: gadget: u_ether: construct with default values and add setters/getters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Konrad Gräfe <k.graefe@gateware.de>
+Link: https://lore.kernel.org/r/20230505143640.443014-1-k.graefe@gateware.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -17,6 +17,7 @@
+ #include <linux/etherdevice.h>
+ #include <linux/ethtool.h>
+ #include <linux/if_vlan.h>
++#include <linux/string_helpers.h>
+
+ #include "u_ether.h"
+
+@@ -978,6 +979,8 @@ int gether_get_host_addr_cdc(struct net_
+ dev = netdev_priv(net);
+ snprintf(host_addr, len, "%pm", dev->host_mac);
+
++ string_upper(host_addr, host_addr);
++
+ return strlen(host_addr);
+ }
+ EXPORT_SYMBOL_GPL(gether_get_host_addr_cdc);
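Review bot: The new `string_upper(host_addr, host_addr);` call carries no comment saying why the case matters, so a later cleanup could drop it as redundant. Add something like `/* CDC-ECM 5.4 requires uppercase hex digits; UsbNcm.sys on Windows 10 mis-parses lowercase */` above it. The call, like the existing strlen(), depends on snprintf() having NUL-terminated host_addr, which holds only when len is greater than 0; any length check sits in the part of gether_get_host_addr_cdc() outside this hunk and should be confirmed.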
--- /dev/null
+From a398d5eac6984316e71474e25b975688f282379b Mon Sep 17 00:00:00 2001
+From: Maxime Bizon <mbizon@freebox.fr>
+Date: Fri, 5 May 2023 13:47:59 +0200
+Subject: usb-storage: fix deadlock when a scsi command timeouts more than once
+
+From: Maxime Bizon <mbizon@freebox.fr>
+
+commit a398d5eac6984316e71474e25b975688f282379b upstream.
+
+With faulty usb-storage devices, read/write can timeout, in that case
+the SCSI layer will abort and re-issue the command. USB storage has no
+internal timeout, it relies on SCSI layer aborting commands via
+.eh_abort_handler() for non those responsive devices.
+
+After two consecutive timeouts of the same command, SCSI layer calls
+.eh_device_reset_handler(), without calling .eh_abort_handler() first.
+
+With usb-storage, this causes a deadlock:
+
+ -> .eh_device_reset_handler
+ -> device_reset
+ -> mutex_lock(&(us->dev_mutex));
+
+mutex already by usb_stor_control_thread(), which is waiting for
+command completion:
+
+ -> usb_stor_control_thread (mutex taken here)
+ -> usb_stor_invoke_transport
+ -> usb_stor_Bulk_transport
+ -> usb_stor_bulk_srb
+ -> usb_stor_bulk_transfer_sglist
+ -> usb_sg_wait
+
+Make sure we cancel any pending command in .eh_device_reset_handler()
+to avoid this.
+
+Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
+Cc: linux-usb@vger.kernel.org
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/scsiglue.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -406,22 +406,25 @@ static DEF_SCSI_QCMD(queuecommand)
+ ***********************************************************************/
+
+ /* Command timeout and abort */
+-static int command_abort(struct scsi_cmnd *srb)
++static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match)
+ {
+- struct us_data *us = host_to_us(srb->device->host);
+-
+- usb_stor_dbg(us, "%s called\n", __func__);
+-
+ /*
+ * us->srb together with the TIMED_OUT, RESETTING, and ABORTING
+ * bits are protected by the host lock.
+ */
+ scsi_lock(us_to_host(us));
+
+- /* Is this command still active? */
+- if (us->srb != srb) {
++ /* is there any active pending command to abort ? */
++ if (!us->srb) {
+ scsi_unlock(us_to_host(us));
+ usb_stor_dbg(us, "-- nothing to abort\n");
++ return SUCCESS;
++ }
++
++ /* Does the command match the passed srb if any ? */
++ if (srb_match && us->srb != srb_match) {
++ scsi_unlock(us_to_host(us));
++ usb_stor_dbg(us, "-- pending command mismatch\n");
+ return FAILED;
+ }
+
+@@ -444,6 +447,14 @@ static int command_abort(struct scsi_cmn
+ return SUCCESS;
+ }
+
++static int command_abort(struct scsi_cmnd *srb)
++{
++ struct us_data *us = host_to_us(srb->device->host);
++
++ usb_stor_dbg(us, "%s called\n", __func__);
++ return command_abort_matching(us, srb);
++}
++
+ /*
+ * This invokes the transport reset mechanism to reset the state of the
+ * device
+@@ -455,6 +466,9 @@ static int device_reset(struct scsi_cmnd
+
+ usb_stor_dbg(us, "%s called\n", __func__);
+
++ /* abort any pending command before reset */
++ command_abort_matching(us, NULL);
++
+ /* lock the device pointers and do the reset */
+ mutex_lock(&(us->dev_mutex));
+ result = us->transport_reset(us);
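Review bot: The comment on the new `command_abort_matching(us, NULL);` call in device_reset() says what is done but not why, and the return value is dropped without remark. The reason is the `us->dev_mutex` deadlock described in the commit message, so a comment such as `/* abort any pending command first: the control thread holds dev_mutex until it completes */` would keep the call from being removed later. With a NULL match the visible part of the helper cannot return FAILED, which is worth stating next to the ignored result. device_reset() continues outside the hunk.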
--- /dev/null
+From d8f28269dd4bf9b55c3fb376ae31512730a96fce Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan <badhri@google.com>
+Date: Mon, 8 May 2023 21:44:43 +0000
+Subject: usb: typec: altmodes/displayport: fix pin_assignment_show
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+commit d8f28269dd4bf9b55c3fb376ae31512730a96fce upstream.
+
+This patch fixes negative indexing of buf array in pin_assignment_show
+when get_current_pin_assignments returns 0 i.e. no compatible pin
+assignments are found.
+
+BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c
+...
+Call trace:
+dump_backtrace+0x110/0x204
+dump_stack_lvl+0x84/0xbc
+print_report+0x358/0x974
+kasan_report+0x9c/0xfc
+__do_kernel_fault+0xd4/0x2d4
+do_bad_area+0x48/0x168
+do_tag_check_fault+0x24/0x38
+do_mem_abort+0x6c/0x14c
+el1_abort+0x44/0x68
+el1h_64_sync_handler+0x64/0xa4
+el1h_64_sync+0x78/0x7c
+pin_assignment_show+0x26c/0x33c
+dev_attr_show+0x50/0xc0
+
+Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20230508214443.893436-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/altmodes/displayport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -513,6 +513,10 @@ static ssize_t pin_assignment_show(struc
+
+ mutex_unlock(&dp->lock);
+
++ /* get_current_pin_assignments can return 0 when no matching pin assignments are found */
++ if (len == 0)
++ len++;
++
+ buf[len - 1] = '\n';
+ return len;
+ }
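Review bot: The added comment says when `len` can be 0 but not why incrementing it is the fix. The hazard is that `buf[len - 1]` would otherwise write to `buf[-1]`, which is the out-of-bounds access in the KASAN report. Suggest wording it as `/* no matching pin assignment: emit only "\n" instead of writing buf[-1] */` so the guard is not mistaken for an off-by-one adjustment. pin_assignment_show() starts outside this hunk, so how `len` is accumulated cannot be checked here.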
--- /dev/null
+From dddb342b5b9e482bb213aecc08cbdb201ea4f8da Mon Sep 17 00:00:00 2001
+From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+Date: Sun, 23 Apr 2023 18:59:52 +0800
+Subject: USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
+
+From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+
+commit dddb342b5b9e482bb213aecc08cbdb201ea4f8da upstream.
+
+OverCurrent condition is not standardized in the UHCI spec.
+Zhaoxin UHCI controllers report OverCurrent bit active off.
+In order to handle OverCurrent condition correctly, the uhci-hcd
+driver needs to be told to expect the active-off behavior.
+
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230423105952.4526-1-WeitaoWang-oc@zhaoxin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/uhci-pci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/uhci-pci.c
++++ b/drivers/usb/host/uhci-pci.c
+@@ -119,11 +119,13 @@ static int uhci_pci_init(struct usb_hcd
+
+ uhci->rh_numports = uhci_count_ports(hcd);
+
+- /* Intel controllers report the OverCurrent bit active on.
+- * VIA controllers report it active off, so we'll adjust the
+- * bit value. (It's not standardized in the UHCI spec.)
++ /*
++ * Intel controllers report the OverCurrent bit active on. VIA
++ * and ZHAOXIN controllers report it active off, so we'll adjust
++ * the bit value. (It's not standardized in the UHCI spec.)
+ */
+- if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA)
++ if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA ||
++ to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_ZHAOXIN)
+ uhci->oc_low = 1;
+
+ /* HP's server management chip requires a longer port reset delay. */
--- /dev/null
+From 94d25e9128988c6a1fc9070f6e98215a95795bd8 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 1 May 2023 14:22:35 -0400
+Subject: USB: usbtmc: Fix direction for 0-length ioctl control messages
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 94d25e9128988c6a1fc9070f6e98215a95795bd8 upstream.
+
+The syzbot fuzzer found a problem in the usbtmc driver: When a user
+submits an ioctl for a 0-length control transfer, the driver does not
+check that the direction is set to OUT:
+
+------------[ cut here ]------------
+usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd
+WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
+Modules linked in:
+CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
+RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
+Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41
+RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000
+RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001
+RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528
+R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100
+FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
+ usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
+ usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153
+ usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]
+ usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097
+
+To fix this, we must override the direction in the bRequestType field
+of the control request structure when the length is 0.
+
+Reported-and-tested-by: syzbot+ce77725b89b7bd52425c@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/linux-usb/000000000000716a3705f9adb8ee@google.com/
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/ede1ee02-b718-49e7-a44c-51339fec706b@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usbtmc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -1928,6 +1928,8 @@ static int usbtmc_ioctl_request(struct u
+
+ if (request.req.wLength > USBTMC_BUFSIZE)
+ return -EMSGSIZE;
++ if (request.req.wLength == 0) /* Length-0 requests are never IN */
++ request.req.bRequestType &= ~USB_DIR_IN;
+
+ is_in = request.req.bRequestType & USB_DIR_IN;
+
--- /dev/null
+From 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 Mon Sep 17 00:00:00 2001
+From: George Kennedy <george.kennedy@oracle.com>
+Date: Fri, 12 May 2023 06:08:48 -0500
+Subject: vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+commit 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 upstream.
+
+After a call to console_unlock() in vcs_write() the vc_data struct can be
+freed by vc_port_destruct(). Because of that, the struct vc_data pointer
+must be reloaded in the while loop in vcs_write() after console_lock() to
+avoid a UAF when vcs_size() is called.
+
+Syzkaller reported a UAF in vcs_size().
+
+BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
+Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119
+
+Call Trace:
+ <TASK>
+__asan_report_load4_noabort (mm/kasan/report_generic.c:380)
+vcs_size (drivers/tty/vt/vc_screen.c:215)
+vcs_write (drivers/tty/vt/vc_screen.c:664)
+vfs_write (fs/read_write.c:582 fs/read_write.c:564)
+...
+ <TASK>
+
+Allocated by task 1213:
+kmalloc_trace (mm/slab_common.c:1064)
+vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680
+ drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)
+con_install (drivers/tty/vt/vt.c:3334)
+tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415
+ drivers/tty/tty_io.c:1392)
+tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)
+chrdev_open (fs/char_dev.c:415)
+do_dentry_open (fs/open.c:921)
+vfs_open (fs/open.c:1052)
+...
+
+Freed by task 4116:
+kfree (mm/slab_common.c:1016)
+vc_port_destruct (drivers/tty/vt/vt.c:1044)
+tty_port_destructor (drivers/tty/tty_port.c:296)
+tty_port_put (drivers/tty/tty_port.c:312)
+vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
+vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
+tty_ioctl (drivers/tty/tty_io.c:2778)
+...
+
+The buggy address belongs to the object at ffff8880beab8800
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 424 bytes inside of
+ freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)
+
+The buggy address belongs to the physical page:
+page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000
+ index:0x0 pfn:0xbeab8
+head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0
+ pincount:0
+flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+page_type: 0xffffffff()
+raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+Disabling lock debugging due to kernel taint
+
+Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()")
+Cc: stable <stable@kernel.org>
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lore.kernel.org/r/1683889728-10411-1-git-send-email-george.kennedy@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vc_screen.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -656,10 +656,17 @@ vcs_write(struct file *file, const char
+ }
+ }
+
+- /* The vcs_size might have changed while we slept to grab
+- * the user buffer, so recheck.
++ /* The vc might have been freed or vcs_size might have changed
++ * while we slept to grab the user buffer, so recheck.
+ * Return data written up to now on failure.
+ */
++ vc = vcs_vc(inode, &viewed);
++ if (!vc) {
++ if (written)
++ break;
++ ret = -ENXIO;
++ goto unlock_out;
++ }
+ size = vcs_size(vc, attr, false);
+ if (size < 0) {
+ if (written)
--- /dev/null
+From bcafcb959a57a6890e900199690c5fc47da1a304 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Mon, 8 May 2023 16:54:29 +0800
+Subject: wifi: rtw88: use work to update rate to avoid RCU warning
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit bcafcb959a57a6890e900199690c5fc47da1a304 upstream.
+
+The ieee80211_ops::sta_rc_update must be atomic, because
+ieee80211_chan_bw_change() holds rcu_read lock while calling
+drv_sta_rc_update(), so create a work to do original things.
+
+ Voluntary context switch within RCU read-side critical section!
+ WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318
+ rcu_note_context_switch+0x571/0x5d0
+ CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G W OE
+ Workqueue: phy3 ieee80211_chswitch_work [mac80211]
+ RIP: 0010:rcu_note_context_switch+0x571/0x5d0
+ Call Trace:
+ <TASK>
+ __schedule+0xb0/0x1460
+ ? __mod_timer+0x116/0x360
+ schedule+0x5a/0xc0
+ schedule_timeout+0x87/0x150
+ ? trace_raw_output_tick_stop+0x60/0x60
+ wait_for_completion_timeout+0x7b/0x140
+ usb_start_wait_urb+0x82/0x160 [usbcore
+ usb_control_msg+0xe3/0x140 [usbcore
+ rtw_usb_read+0x88/0xe0 [rtw_usb
+ rtw_usb_read8+0xf/0x10 [rtw_usb
+ rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core
+ rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core
+ drv_sta_rc_update+0x7c/0x160 [mac80211
+ ieee80211_chan_bw_change+0xfb/0x110 [mac80211
+ ieee80211_change_chanctx+0x38/0x130 [mac80211
+ ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211
+ ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211
+ ieee80211_chswitch_work+0x95/0x170 [mac80211
+ process_one_work+0x201/0x410
+ worker_thread+0x4a/0x3b0
+ ? process_one_work+0x410/0x410
+ kthread+0xe1/0x110
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x1f/0x30
+ </TASK>
+
+Cc: stable@vger.kernel.org
+Fixes: c1edc86472fc ("rtw88: add ieee80211:sta_rc_update ops")
+Reported-by: Larry Finger <Larry.Finger@lwfinger.net>
+Link: https://lore.kernel.org/linux-wireless/f1e31e8e-f84e-3791-50fb-663a83c5c6e9@lwfinger.net/T/#t
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230508085429.46653-1-pkshih@realtek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/mac80211.c | 2 +-
+ drivers/net/wireless/realtek/rtw88/main.c | 15 +++++++++++++++
+ drivers/net/wireless/realtek/rtw88/main.h | 3 +++
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/mac80211.c
++++ b/drivers/net/wireless/realtek/rtw88/mac80211.c
+@@ -891,7 +891,7 @@ static void rtw_ops_sta_rc_update(struct
+ struct rtw_sta_info *si = (struct rtw_sta_info *)sta->drv_priv;
+
+ if (changed & IEEE80211_RC_BW_CHANGED)
+- rtw_update_sta_info(rtwdev, si, true);
++ ieee80211_queue_work(rtwdev->hw, &si->rc_work);
+ }
+
+ const struct ieee80211_ops rtw_ops = {
+--- a/drivers/net/wireless/realtek/rtw88/main.c
++++ b/drivers/net/wireless/realtek/rtw88/main.c
+@@ -296,6 +296,17 @@ static u8 rtw_acquire_macid(struct rtw_d
+ return mac_id;
+ }
+
++static void rtw_sta_rc_work(struct work_struct *work)
++{
++ struct rtw_sta_info *si = container_of(work, struct rtw_sta_info,
++ rc_work);
++ struct rtw_dev *rtwdev = si->rtwdev;
++
++ mutex_lock(&rtwdev->mutex);
++ rtw_update_sta_info(rtwdev, si, true);
++ mutex_unlock(&rtwdev->mutex);
++}
++
+ int rtw_sta_add(struct rtw_dev *rtwdev, struct ieee80211_sta *sta,
+ struct ieee80211_vif *vif)
+ {
+@@ -306,12 +317,14 @@ int rtw_sta_add(struct rtw_dev *rtwdev,
+ if (si->mac_id >= RTW_MAX_MAC_ID_NUM)
+ return -ENOSPC;
+
++ si->rtwdev = rtwdev;
+ si->sta = sta;
+ si->vif = vif;
+ si->init_ra_lv = 1;
+ ewma_rssi_init(&si->avg_rssi);
+ for (i = 0; i < ARRAY_SIZE(sta->txq); i++)
+ rtw_txq_init(rtwdev, sta->txq[i]);
++ INIT_WORK(&si->rc_work, rtw_sta_rc_work);
+
+ rtw_update_sta_info(rtwdev, si, true);
+ rtw_fw_media_status_report(rtwdev, si->mac_id, true);
+@@ -330,6 +343,8 @@ void rtw_sta_remove(struct rtw_dev *rtwd
+ struct rtw_sta_info *si = (struct rtw_sta_info *)sta->drv_priv;
+ int i;
+
++ cancel_work_sync(&si->rc_work);
++
+ rtw_release_macid(rtwdev, si->mac_id);
+ if (fw_exist)
+ rtw_fw_media_status_report(rtwdev, si->mac_id, false);
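Review bot: `cancel_work_sync(&si->rc_work)` in rtw_sta_remove() waits for rtw_sta_rc_work(), and that worker takes `rtwdev->mutex`. If any caller of rtw_sta_remove() already holds that mutex, the two block each other. The callers are not visible in this patch, so this needs checking against them. If the mutex is held there, cancel the work in the caller before taking the lock, or document on rtw_sta_remove() that it must be entered without `rtwdev->mutex`. The function body continues outside the hunk.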
+--- a/drivers/net/wireless/realtek/rtw88/main.h
++++ b/drivers/net/wireless/realtek/rtw88/main.h
+@@ -734,6 +734,7 @@ struct rtw_txq {
+ DECLARE_EWMA(rssi, 10, 16);
+
+ struct rtw_sta_info {
++ struct rtw_dev *rtwdev;
+ struct ieee80211_sta *sta;
+ struct ieee80211_vif *vif;
+
+@@ -758,6 +759,8 @@ struct rtw_sta_info {
+
+ bool use_cfg_mask;
+ struct cfg80211_bitrate_mask *mask;
++
++ struct work_struct rc_work;
+ };
+
+ enum rtw_bfee_role {
--- /dev/null
+From fe82f16aafdaf8002281d3b9524291d4a4a28460 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Mon, 15 May 2023 16:40:59 +0300
+Subject: xhci: Fix incorrect tracking of free space on transfer rings
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit fe82f16aafdaf8002281d3b9524291d4a4a28460 upstream.
+
+This incorrect tracking caused unnecessary ring expansion in some
+usecases which over days of use consume a lot of memory.
+
+xhci driver tries to keep track of free transfer blocks (TRBs) on the
+ring buffer, but failed to add back some cancelled transfers that were
+turned into no-op operations instead of just moving past them.
+
+This can happen if there are several queued pending transfers which
+then are cancelled in reverse order.
+
+Solve this by counting the numer of steps we move the dequeue pointer
+once we complete a transfer, and add it to the number of free trbs
+instead of just adding the trb number of the current transfer.
+This way we ensure we count the no-op trbs on the way as well.
+
+Fixes: 55f6153d8cc8 ("xhci: remove extra loop in interrupt context")
+Cc: stable@vger.kernel.org
+Reported-by: Miller Hunter <MillerH@hearthnhome.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217242
+Tested-by: Miller Hunter <MillerH@hearthnhome.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20230515134059.161110-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-ring.c | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -276,6 +276,26 @@ static void inc_enq(struct xhci_hcd *xhc
+ trace_xhci_inc_enq(ring);
+ }
+
++static int xhci_num_trbs_to(struct xhci_segment *start_seg, union xhci_trb *start,
++ struct xhci_segment *end_seg, union xhci_trb *end,
++ unsigned int num_segs)
++{
++ union xhci_trb *last_on_seg;
++ int num = 0;
++ int i = 0;
++
++ do {
++ if (start_seg == end_seg && end >= start)
++ return num + (end - start);
++ last_on_seg = &start_seg->trbs[TRBS_PER_SEGMENT - 1];
++ num += last_on_seg - start;
++ start_seg = start_seg->next;
++ start = start_seg->trbs;
++ } while (i++ <= num_segs);
++
++ return -EINVAL;
++}
++
+ /*
+ * Check to see if there's room to enqueue num_trbs on the ring and make sure
+ * enqueue pointer will not advance into dequeue segment. See rules above.
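Review bot: xhci_num_trbs_to() has no comment stating what it counts or that it returns -EINVAL when `end` is not reached, and its loop counter `int i` is compared against `unsigned int num_segs`. Suggest a header such as `/* Number of TRBs from start to end, walking segments; -EINVAL if end is not found within the ring */` and declaring `unsigned int i = 0;`. The bound `i++ <= num_segs` allows num_segs + 2 passes through the loop; a short remark on whether the extra passes are intended would help.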
+@@ -2141,6 +2161,7 @@ static int finish_td(struct xhci_hcd *xh
+ u32 trb_comp_code)
+ {
+ struct xhci_ep_ctx *ep_ctx;
++ int trbs_freed;
+
+ ep_ctx = xhci_get_ep_ctx(xhci, ep->vdev->out_ctx, ep->ep_index);
+
+@@ -2212,9 +2233,15 @@ static int finish_td(struct xhci_hcd *xh
+ }
+
+ /* Update ring dequeue pointer */
++ trbs_freed = xhci_num_trbs_to(ep_ring->deq_seg, ep_ring->dequeue,
++ td->last_trb_seg, td->last_trb,
++ ep_ring->num_segs);
++ if (trbs_freed < 0)
++ xhci_dbg(xhci, "Failed to count freed trbs at TD finish\n");
++ else
++ ep_ring->num_trbs_free += trbs_freed;
+ ep_ring->dequeue = td->last_trb;
+ ep_ring->deq_seg = td->last_trb_seg;
+- ep_ring->num_trbs_free += td->num_trbs - 1;
+ inc_deq(xhci, ep_ring);
+
+ return xhci_td_cleanup(xhci, td, ep_ring, td->status);
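Review bot: When xhci_num_trbs_to() fails, the dequeue pointer still advances but `num_trbs_free` is left unchanged, so the free count under-reports from then on and the only trace is an `xhci_dbg()` line. Under-counting free TRBs is the condition the commit message ties to needless ring expansion. Consider falling back to the previous estimate in that branch, `ep_ring->num_trbs_free += td->num_trbs - 1;`, or raising the message to `xhci_warn()` so the drift is visible. finish_td() starts outside the hunk.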
--- /dev/null
+From 2a821fc3136d5d99dcb9de152be8a052ca27d870 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Mon, 15 May 2023 16:40:58 +0300
+Subject: xhci-pci: Only run d3cold avoidance quirk for s2idle
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 2a821fc3136d5d99dcb9de152be8a052ca27d870 upstream.
+
+Donghun reports that a notebook that has an AMD Ryzen 5700U but supports
+S3 has problems with USB after resuming from suspend. The issue was
+bisected down to commit d1658268e439 ("usb: pci-quirks: disable D3cold on
+xhci suspend for s2idle on AMD Renoir").
+
+As this issue only happens on S3, narrow the broken D3cold quirk to only
+run in s2idle.
+
+Fixes: d1658268e439 ("usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir")
+Reported-and-tested-by: Donghun Yoon <donghun.yoon@lge.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20230515134059.161110-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 12 ++++++++++--
+ drivers/usb/host/xhci.h | 2 +-
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -13,6 +13,7 @@
+ #include <linux/module.h>
+ #include <linux/acpi.h>
+ #include <linux/reset.h>
++#include <linux/suspend.h>
+
+ #include "xhci.h"
+ #include "xhci-trace.h"
+@@ -194,7 +195,7 @@ static void xhci_pci_quirks(struct devic
+
+ if (pdev->vendor == PCI_VENDOR_ID_AMD &&
+ pdev->device == PCI_DEVICE_ID_AMD_RENOIR_XHCI)
+- xhci->quirks |= XHCI_BROKEN_D3COLD;
++ xhci->quirks |= XHCI_BROKEN_D3COLD_S2I;
+
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL) {
+ xhci->quirks |= XHCI_LPM_SUPPORT;
+@@ -609,9 +610,16 @@ static int xhci_pci_suspend(struct usb_h
+ * Systems with the TI redriver that loses port status change events
+ * need to have the registers polled during D3, so avoid D3cold.
+ */
+- if (xhci->quirks & (XHCI_COMP_MODE_QUIRK | XHCI_BROKEN_D3COLD))
++ if (xhci->quirks & XHCI_COMP_MODE_QUIRK)
+ pci_d3cold_disable(pdev);
+
++#ifdef CONFIG_SUSPEND
++ /* d3cold is broken, but only when s2idle is used */
++ if (pm_suspend_target_state == PM_SUSPEND_TO_IDLE &&
++ xhci->quirks & (XHCI_BROKEN_D3COLD_S2I))
++ pci_d3cold_disable(pdev);
++#endif
++
+ if (xhci->quirks & XHCI_PME_STUCK_QUIRK)
+ xhci_pme_quirk(hcd);
+
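Review bot: The new condition mixes `==`, `&&` and `&` without grouping the bit test. It parses as intended, but the parentheses sit around the constant rather than the test; `(xhci->quirks & XHCI_BROKEN_D3COLD_S2I)` would read unambiguously and match the `XHCI_COMP_MODE_QUIRK` check just above it. Separately, if `pci_d3cold_disable()` leaves the device flagged until something re-enables it (nothing in this hunk does), one s2idle cycle would keep D3cold disabled for a later S3 suspend as well. It would be worth confirming whether that matters for the machine in the report and noting the outcome in the comment. `xhci_pci_suspend()` begins and ends outside this hunk.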
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1895,7 +1895,7 @@ struct xhci_hcd {
+ #define XHCI_DISABLE_SPARSE BIT_ULL(38)
+ #define XHCI_SG_TRB_CACHE_SIZE_QUIRK BIT_ULL(39)
+ #define XHCI_NO_SOFT_RETRY BIT_ULL(40)
+-#define XHCI_BROKEN_D3COLD BIT_ULL(41)
++#define XHCI_BROKEN_D3COLD_S2I BIT_ULL(41)
+ #define XHCI_EP_CTX_BROKEN_DCS BIT_ULL(42)
+ #define XHCI_SUSPEND_RESUME_CLKS BIT_ULL(43)
+ #define XHCI_RESET_TO_DEFAULT BIT_ULL(44)