--- /dev/null
+From dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 Mon Sep 17 00:00:00 2001
+From: Nikhil Mahale <nmahale@nvidia.com>
+Date: Wed, 17 May 2023 14:37:36 +0530
+Subject: ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
+
+From: Nikhil Mahale <nmahale@nvidia.com>
+
+commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream.
+
+These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with
+audio functions that are largely similar to the existing ones.
+
+Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST
+connections on AD106 gpu.
+
+Signed-off-by: Nikhil Mahale <nmahale@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_hdmi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -3889,6 +3889,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI
+ HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP", patch_via_hdmi),
--- /dev/null
+From 3b44ec8c5c44790a82f07e90db45643c762878c6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 May 2023 20:44:12 +0200
+Subject: ALSA: hda: Fix Oops by 9.1 surround channel names
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream.
+
+get_line_out_pfx() may trigger an Oops by overflowing the static array
+with more than 8 channels. This was reported for MacBookPro 12,1 with
+Cirrus codec.
+
+As a workaround, extend for the 9.1 channels and also fix the
+potential Oops by unifying the code paths accessing the same array
+with the proper size check.
+
+Reported-by: Olliver Schinagl <oliver@schinagl.nl>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl
+Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_generic.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -1157,8 +1157,8 @@ static bool path_has_mixer(struct hda_co
+ return path && path->ctls[ctl_type];
+ }
+
+-static const char * const channel_name[4] = {
+- "Front", "Surround", "CLFE", "Side"
++static const char * const channel_name[] = {
++ "Front", "Surround", "CLFE", "Side", "Back",
+ };
+
+ /* give some appropriate ctl name prefix for the given line out channel */
+@@ -1184,7 +1184,7 @@ static const char *get_line_out_pfx(stru
+
+ /* multi-io channels */
+ if (ch >= cfg->line_outs)
+- return channel_name[ch];
++ goto fixed_name;
+
+ switch (cfg->line_out_type) {
+ case AUTO_PIN_SPEAKER_OUT:
+@@ -1236,6 +1236,7 @@ static const char *get_line_out_pfx(stru
+ if (cfg->line_outs == 1 && !spec->multi_ios)
+ return "Line Out";
+
++ fixed_name:
+ if (ch >= ARRAY_SIZE(channel_name)) {
+ snd_BUG();
+ return "PCM";
--- /dev/null
+From 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 Mon Sep 17 00:00:00 2001
+From: Xiubo Li <xiubli@redhat.com>
+Date: Thu, 18 May 2023 09:47:23 +0800
+Subject: ceph: force updating the msg pointer in non-split case
+
+From: Xiubo Li <xiubli@redhat.com>
+
+commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream.
+
+When the MClientSnap reqeust's op is not CEPH_SNAP_OP_SPLIT the
+request may still contain a list of 'split_realms', and we need
+to skip it anyway. Or it will be parsed as a corrupt snaptrace.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/61200
+Reported-by: Frank Schilder <frans@dtu.dk>
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/snap.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -959,6 +959,19 @@ skip_inode:
+ continue;
+ adjust_snap_realm_parent(mdsc, child, realm->ino);
+ }
++ } else {
++ /*
++ * In the non-split case both 'num_split_inos' and
++ * 'num_split_realms' should be 0, making this a no-op.
++ * However the MDS happens to populate 'split_realms' list
++ * in one of the UPDATE op cases by mistake.
++ *
++ * Skip both lists just in case to ensure that 'p' is
++ * positioned at the start of realm info, as expected by
++ * ceph_update_snap_trace().
++ */
++ p += sizeof(u64) * num_split_inos;
++ p += sizeof(u64) * num_split_realms;
+ }
+
+ /*
--- /dev/null
+From d2b00516de0e1d696724247098f6733a6ea53908 Mon Sep 17 00:00:00 2001
+From: Vitaliy Tomin <tomin@iszf.irk.ru>
+Date: Sun, 23 Apr 2023 11:45:12 +0800
+Subject: serial: Add support for Advantech PCI-1611U card
+
+From: Vitaliy Tomin <tomin@iszf.irk.ru>
+
+commit d2b00516de0e1d696724247098f6733a6ea53908 upstream.
+
+Add support for Advantech PCI-1611U card
+
+Advantech provides opensource drivers for this and many others card
+based on legacy copy of 8250_pci driver called adv950
+
+https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ
+
+It is hard to maintain to run as out of tree module on newer kernels.
+Just adding PCI ID to kernel 8250_pci works perfect.
+
+Signed-off-by: Vitaliy Tomin <tomin@iszf.irk.ru>
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1651,6 +1651,8 @@ pci_wch_ch38x_setup(struct serial_privat
+ #define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530
+ #define PCI_VENDOR_ID_ADVANTECH 0x13fe
+ #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66
++#define PCI_DEVICE_ID_ADVANTECH_PCI1600 0x1600
++#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611 0x1611
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3620 0x3620
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3618 0x3618
+ #define PCI_DEVICE_ID_ADVANTECH_PCIf618 0xf618
+@@ -3851,6 +3853,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_op
+ pciserial_resume_one);
+
+ static const struct pci_device_id serial_pci_tbl[] = {
++ { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600,
++ PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0,
++ pbn_b0_4_921600 },
+ /* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */
+ { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620,
+ PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0,
cassini-fix-a-memory-leak-in-the-error-handling-path.patch
igb-fix-bit_shift-to-be-in-1.8-range.patch
vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
+usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
+alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
+alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
+statfs-enforce-statfs-structure-initialization.patch
+serial-add-support-for-advantech-pci-1611u-card.patch
+ceph-force-updating-the-msg-pointer-in-non-split-case.patch
--- /dev/null
+From ed40866ec7d328b3dfb70db7e2011640a16202c3 Mon Sep 17 00:00:00 2001
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+Date: Thu, 4 May 2023 16:40:20 +0200
+Subject: statfs: enforce statfs[64] structure initialization
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream.
+
+s390's struct statfs and struct statfs64 contain padding, which
+field-by-field copying does not set. Initialize the respective structs
+with zeros before filling them and copying them to userspace, like it's
+already done for the compat versions of these structs.
+
+Found by KMSAN.
+
+[agordeev@linux.ibm.com: fixed typo in patch description]
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/statfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/statfs.c
++++ b/fs/statfs.c
+@@ -114,6 +114,7 @@ static int do_statfs_native(struct kstat
+ if (sizeof(buf) == sizeof(*st))
+ memcpy(&buf, st, sizeof(*st));
+ else {
++ memset(&buf, 0, sizeof(buf));
+ if (sizeof buf.f_blocks == 4) {
+ if ((st->f_blocks | st->f_bfree | st->f_bavail |
+ st->f_bsize | st->f_frsize) &
+@@ -142,7 +143,6 @@ static int do_statfs_native(struct kstat
+ buf.f_namelen = st->f_namelen;
+ buf.f_frsize = st->f_frsize;
+ buf.f_flags = st->f_flags;
+- memset(buf.f_spare, 0, sizeof(buf.f_spare));
+ }
+ if (copy_to_user(p, &buf, sizeof(buf)))
+ return -EFAULT;
+@@ -155,6 +155,7 @@ static int do_statfs64(struct kstatfs *s
+ if (sizeof(buf) == sizeof(*st))
+ memcpy(&buf, st, sizeof(*st));
+ else {
++ memset(&buf, 0, sizeof(buf));
+ buf.f_type = st->f_type;
+ buf.f_bsize = st->f_bsize;
+ buf.f_blocks = st->f_blocks;
+@@ -166,7 +167,6 @@ static int do_statfs64(struct kstatfs *s
+ buf.f_namelen = st->f_namelen;
+ buf.f_frsize = st->f_frsize;
+ buf.f_flags = st->f_flags;
+- memset(buf.f_spare, 0, sizeof(buf.f_spare));
+ }
+ if (copy_to_user(p, &buf, sizeof(buf)))
+ return -EFAULT;
--- /dev/null
+From a398d5eac6984316e71474e25b975688f282379b Mon Sep 17 00:00:00 2001
+From: Maxime Bizon <mbizon@freebox.fr>
+Date: Fri, 5 May 2023 13:47:59 +0200
+Subject: usb-storage: fix deadlock when a scsi command timeouts more than once
+
+From: Maxime Bizon <mbizon@freebox.fr>
+
+commit a398d5eac6984316e71474e25b975688f282379b upstream.
+
+With faulty usb-storage devices, read/write can timeout, in that case
+the SCSI layer will abort and re-issue the command. USB storage has no
+internal timeout, it relies on SCSI layer aborting commands via
+.eh_abort_handler() for non those responsive devices.
+
+After two consecutive timeouts of the same command, SCSI layer calls
+.eh_device_reset_handler(), without calling .eh_abort_handler() first.
+
+With usb-storage, this causes a deadlock:
+
+ -> .eh_device_reset_handler
+ -> device_reset
+ -> mutex_lock(&(us->dev_mutex));
+
+mutex already by usb_stor_control_thread(), which is waiting for
+command completion:
+
+ -> usb_stor_control_thread (mutex taken here)
+ -> usb_stor_invoke_transport
+ -> usb_stor_Bulk_transport
+ -> usb_stor_bulk_srb
+ -> usb_stor_bulk_transfer_sglist
+ -> usb_sg_wait
+
+Make sure we cancel any pending command in .eh_device_reset_handler()
+to avoid this.
+
+Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
+Cc: linux-usb@vger.kernel.org
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/scsiglue.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -408,22 +408,25 @@ static DEF_SCSI_QCMD(queuecommand)
+ ***********************************************************************/
+
+ /* Command timeout and abort */
+-static int command_abort(struct scsi_cmnd *srb)
++static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match)
+ {
+- struct us_data *us = host_to_us(srb->device->host);
+-
+- usb_stor_dbg(us, "%s called\n", __func__);
+-
+ /*
+ * us->srb together with the TIMED_OUT, RESETTING, and ABORTING
+ * bits are protected by the host lock.
+ */
+ scsi_lock(us_to_host(us));
+
+- /* Is this command still active? */
+- if (us->srb != srb) {
++ /* is there any active pending command to abort ? */
++ if (!us->srb) {
+ scsi_unlock(us_to_host(us));
+ usb_stor_dbg(us, "-- nothing to abort\n");
++ return SUCCESS;
++ }
++
++ /* Does the command match the passed srb if any ? */
++ if (srb_match && us->srb != srb_match) {
++ scsi_unlock(us_to_host(us));
++ usb_stor_dbg(us, "-- pending command mismatch\n");
+ return FAILED;
+ }
+
+@@ -446,6 +449,14 @@ static int command_abort(struct scsi_cmn
+ return SUCCESS;
+ }
+
++static int command_abort(struct scsi_cmnd *srb)
++{
++ struct us_data *us = host_to_us(srb->device->host);
++
++ usb_stor_dbg(us, "%s called\n", __func__);
++ return command_abort_matching(us, srb);
++}
++
+ /*
+ * This invokes the transport reset mechanism to reset the state of the
+ * device
+@@ -457,6 +468,9 @@ static int device_reset(struct scsi_cmnd
+
+ usb_stor_dbg(us, "%s called\n", __func__);
+
++ /* abort any pending command before reset */
++ command_abort_matching(us, NULL);
++
+ /* lock the device pointers and do the reset */
+ mutex_lock(&(us->dev_mutex));
+ result = us->transport_reset(us);
projects / thirdparty / kernel / stable-queue.git / commitdiff
