5.10-stable patches

added patches:
	alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
	alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
	alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
	alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
	alsa-hda-realtek-add-quirk-for-clevo-l140au.patch
	alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch
	can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch
	can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
	can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
	can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
	can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
	can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
	can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
	can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
	ceph-force-updating-the-msg-pointer-in-non-split-case.patch
	serial-add-support-for-advantech-pci-1611u-card.patch
	statfs-enforce-statfs-structure-initialization.patch
	usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
	usb-gadget-u_ether-fix-host-mac-address-case.patch
	usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
	usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
	usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
	usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
	vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch

diff --git a/queue-5.10/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch b/queue-5.10/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
new file mode 100644 (file)
index 0000000..4cfa509
--- /dev/null
+++ b/queue-5.10/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
@@ -0,0 +1,38 @@
+From dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 Mon Sep 17 00:00:00 2001
+From: Nikhil Mahale <nmahale@nvidia.com>
+Date: Wed, 17 May 2023 14:37:36 +0530
+Subject: ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
+
+From: Nikhil Mahale <nmahale@nvidia.com>
+
+commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream.
+
+These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with
+audio functions that are largely similar to the existing ones.
+
+Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST
+connections on AD106 gpu.
+
+Signed-off-by: Nikhil Mahale <nmahale@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_hdmi.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -4374,6 +4374,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI
+ HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI",     patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI",  patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP",  patch_via_hdmi),

diff --git a/queue-5.10/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch b/queue-5.10/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
new file mode 100644 (file)
index 0000000..a3afb59
--- /dev/null
+++ b/queue-5.10/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
@@ -0,0 +1,57 @@
+From 3b44ec8c5c44790a82f07e90db45643c762878c6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 May 2023 20:44:12 +0200
+Subject: ALSA: hda: Fix Oops by 9.1 surround channel names
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream.
+
+get_line_out_pfx() may trigger an Oops by overflowing the static array
+with more than 8 channels.  This was reported for MacBookPro 12,1 with
+Cirrus codec.
+
+As a workaround, extend for the 9.1 channels and also fix the
+potential Oops by unifying the code paths accessing the same array
+with the proper size check.
+
+Reported-by: Olliver Schinagl <oliver@schinagl.nl>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl
+Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_generic.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -1153,8 +1153,8 @@ static bool path_has_mixer(struct hda_co
+       return path && path->ctls[ctl_type];
+ }
+ 
+-static const char * const channel_name[4] = {
+-      "Front", "Surround", "CLFE", "Side"
++static const char * const channel_name[] = {
++      "Front", "Surround", "CLFE", "Side", "Back",
+ };
+ 
+ /* give some appropriate ctl name prefix for the given line out channel */
+@@ -1180,7 +1180,7 @@ static const char *get_line_out_pfx(stru
+ 
+       /* multi-io channels */
+       if (ch >= cfg->line_outs)
+-              return channel_name[ch];
++              goto fixed_name;
+ 
+       switch (cfg->line_out_type) {
+       case AUTO_PIN_SPEAKER_OUT:
+@@ -1232,6 +1232,7 @@ static const char *get_line_out_pfx(stru
+       if (cfg->line_outs == 1 && !spec->multi_ios)
+               return "Line Out";
+ 
++ fixed_name:
+       if (ch >= ARRAY_SIZE(channel_name)) {
+               snd_BUG();
+               return "PCM";

diff --git a/queue-5.10/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch b/queue-5.10/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
new file mode 100644 (file)
index 0000000..97030ab
--- /dev/null
+++ b/queue-5.10/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
@@ -0,0 +1,30 @@
+From 90670ef774a8b6700c38ce1222e6aa263be54d5f Mon Sep 17 00:00:00 2001
+From: Ai Chao <aichao@kylinos.cn>
+Date: Sat, 6 May 2023 10:26:53 +0800
+Subject: ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
+
+From: Ai Chao <aichao@kylinos.cn>
+
+commit 90670ef774a8b6700c38ce1222e6aa263be54d5f upstream.
+
+Add a quirk for HP EliteDesk 805 to fixup ALC3867 headset MIC no sound.
+
+Signed-off-by: Ai Chao <aichao@kylinos.cn>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230506022653.2074343-1-aichao@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11159,6 +11159,7 @@ static const struct snd_pci_quirk alc662
+       SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+       SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+       SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
++      SND_PCI_QUIRK(0x103c, 0x872b, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+       SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
+       SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
+       SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2),

diff --git a/queue-5.10/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch b/queue-5.10/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
new file mode 100644 (file)
index 0000000..22a6712
--- /dev/null
+++ b/queue-5.10/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
@@ -0,0 +1,30 @@
+From a4671b7fba59775845ee60cfbdfc4ba64300211b Mon Sep 17 00:00:00 2001
+From: "Luke D. Jones" <luke@ljones.dev>
+Date: Sat, 6 May 2023 11:58:24 +1200
+Subject: ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
+
+From: Luke D. Jones <luke@ljones.dev>
+
+commit a4671b7fba59775845ee60cfbdfc4ba64300211b upstream.
+
+Add quirk for GU603 with 0x1c62 variant of codec.
+
+Signed-off-by: Luke D. Jones <luke@ljones.dev>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230505235824.49607-2-luke@ljones.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9044,6 +9044,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC),
+       SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++      SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
+       SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
+       SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
+       SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401),

diff --git a/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-l140au.patch b/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-l140au.patch
new file mode 100644 (file)
index 0000000..51d0f08
--- /dev/null
+++ b/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-l140au.patch
@@ -0,0 +1,31 @@
+From 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 Mon Sep 17 00:00:00 2001
+From: Jeremy Soller <jeremy@system76.com>
+Date: Fri, 5 May 2023 10:36:51 -0600
+Subject: ALSA: hda/realtek: Add quirk for Clevo L140AU
+
+From: Jeremy Soller <jeremy@system76.com>
+
+commit 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 upstream.
+
+Fixes headset detection on Clevo L140AU.
+
+Signed-off-by: Jeremy Soller <jeremy@system76.com>
+Signed-off-by: Tim Crawford <tcrawford@system76.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230505163651.21257-1-tcrawford@system76.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9136,6 +9136,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1558, 0x7716, "Clevo NS50PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1558, 0x7717, "Clevo NS70PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1558, 0x7718, "Clevo L140PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++      SND_PCI_QUIRK(0x1558, 0x7724, "Clevo L140AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1558, 0x8228, "Clevo NR40BU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1558, 0x8520, "Clevo NH50D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1558, 0x8521, "Clevo NH77D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),

diff --git a/queue-5.10/alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch b/queue-5.10/alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch
new file mode 100644 (file)
index 0000000..326e5d8
--- /dev/null
+++ b/queue-5.10/alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch
@@ -0,0 +1,32 @@
+From 359b4315471181f108723c61612d96e383e56179 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 12 May 2023 09:58:58 +0200
+Subject: ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 359b4315471181f108723c61612d96e383e56179 upstream.
+
+Line6 Pod Go (0e41:424b) requires the similar workaround for the fixed
+48k sample rate like other Line6 models.  This patch adds the
+corresponding entry to line6_parse_audio_format_rate_quirk().
+
+Reported-by: John Humlick <john@humlick.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230512075858.22813-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/format.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -419,6 +419,7 @@ static int line6_parse_audio_format_rate
+       case USB_ID(0x0e41, 0x4248): /* Line6 Helix >= fw 2.82 */
+       case USB_ID(0x0e41, 0x4249): /* Line6 Helix Rack >= fw 2.82 */
+       case USB_ID(0x0e41, 0x424a): /* Line6 Helix LT >= fw 2.82 */
++      case USB_ID(0x0e41, 0x424b): /* Line6 Pod Go */
+       case USB_ID(0x19f7, 0x0011): /* Rode Rodecaster Pro */
+               return set_fixed_rate(fp, 48000, SNDRV_PCM_RATE_48000);
+       }

diff --git a/queue-5.10/can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch b/queue-5.10/can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch
new file mode 100644 (file)
index 0000000..7ce70fb
--- /dev/null
+++ b/queue-5.10/can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch
@@ -0,0 +1,37 @@
+From db2773d65b02aed319a93efdfb958087771d4e19 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 6 Apr 2023 13:08:45 +0200
+Subject: can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit db2773d65b02aed319a93efdfb958087771d4e19 upstream.
+
+The control message provided by isotp support MSG_CMSG_COMPAT but
+blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user
+space on 64 bit kernels.
+
+Link: https://github.com/hartkopp/can-isotp/issues/59
+Cc: Oleksij Rempel <o.rempel@pengutronix.de>
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket")
+Link: https://lore.kernel.org/20230505110308.81087-2-mkl@pengutronix.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1016,7 +1016,7 @@ static int isotp_recvmsg(struct socket *
+       int noblock = flags & MSG_DONTWAIT;
+       int ret = 0;
+ 
+-      if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK))
++      if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK | MSG_CMSG_COMPAT))
+               return -EINVAL;
+ 
+       if (!so->bound)

diff --git a/queue-5.10/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch b/queue-5.10/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
new file mode 100644 (file)
index 0000000..48a8c37
--- /dev/null
+++ b/queue-5.10/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
@@ -0,0 +1,39 @@
+From 1db080cbdbab28752bbb1c86d64daf96253a5da1 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 6 Apr 2023 13:08:45 +0200
+Subject: can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 1db080cbdbab28752bbb1c86d64daf96253a5da1 upstream.
+
+The control message provided by J1939 support MSG_CMSG_COMPAT but
+blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user
+space on 64 bit kernels.
+
+Link: https://github.com/hartkopp/can-isotp/issues/59
+Cc: Oleksij Rempel <o.rempel@pengutronix.de>
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/20230505110308.81087-3-mkl@pengutronix.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/socket.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -798,7 +798,7 @@ static int j1939_sk_recvmsg(struct socke
+       struct j1939_sk_buff_cb *skcb;
+       int ret = 0;
+ 
+-      if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE))
++      if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
+               return -EINVAL;
+ 
+       if (flags & MSG_ERRQUEUE)

diff --git a/queue-5.10/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch b/queue-5.10/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
new file mode 100644 (file)
index 0000000..b64deed
--- /dev/null
+++ b/queue-5.10/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
@@ -0,0 +1,47 @@
+From 84762d8da89d29ba842317eb842973e628c27391 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:15 +0200
+Subject: can: kvaser_pciefd: Call request_irq() before enabling interrupts
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 84762d8da89d29ba842317eb842973e628c27391 upstream.
+
+Make sure the interrupt handler is registered before enabling interrupts.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-4-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1825,6 +1825,11 @@ static int kvaser_pciefd_probe(struct pc
+       if (err)
+               goto err_teardown_can_ctrls;
+ 
++      err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
++                        IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
++      if (err)
++              goto err_teardown_can_ctrls;
++
+       iowrite32(KVASER_PCIEFD_SRB_IRQ_DPD0 | KVASER_PCIEFD_SRB_IRQ_DPD1,
+                 pcie->reg_base + KVASER_PCIEFD_SRB_IRQ_REG);
+ 
+@@ -1845,11 +1850,6 @@ static int kvaser_pciefd_probe(struct pc
+       iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1,
+                 pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
+ 
+-      err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
+-                        IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
+-      if (err)
+-              goto err_teardown_can_ctrls;
+-
+       err = kvaser_pciefd_reg_candev(pcie);
+       if (err)
+               goto err_free_irq;

diff --git a/queue-5.10/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch b/queue-5.10/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
new file mode 100644 (file)
index 0000000..28929d9
--- /dev/null
+++ b/queue-5.10/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
@@ -0,0 +1,33 @@
+From bf7ac55e991ca177f1ac16be51152f1ef291a4df Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:14 +0200
+Subject: can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit bf7ac55e991ca177f1ac16be51152f1ef291a4df upstream.
+
+The listen-only bit was never cleared, causing the controller to
+always use listen-only mode, if previously set.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-3-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -561,6 +561,8 @@ static void kvaser_pciefd_setup_controll
+ 
+       if (can->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
+               mode |= KVASER_PCIEFD_KCAN_MODE_LOM;
++      else
++              mode &= ~KVASER_PCIEFD_KCAN_MODE_LOM;
+ 
+       mode |= KVASER_PCIEFD_KCAN_MODE_EEN;
+       mode |= KVASER_PCIEFD_KCAN_MODE_EPEN;

diff --git a/queue-5.10/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch b/queue-5.10/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
new file mode 100644 (file)
index 0000000..290035c
--- /dev/null
+++ b/queue-5.10/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
@@ -0,0 +1,32 @@
+From 11164bc39459335ab93c6e99d53b7e4292fba38b Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:18 +0200
+Subject: can: kvaser_pciefd: Disable interrupts in probe error path
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 11164bc39459335ab93c6e99d53b7e4292fba38b upstream.
+
+Disable interrupts in error path of probe function.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-7-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1861,6 +1861,8 @@ static int kvaser_pciefd_probe(struct pc
+       return 0;
+ 
+ err_free_irq:
++      /* Disable PCI interrupts */
++      iowrite32(0, pcie->reg_base + KVASER_PCIEFD_IEN_REG);
+       free_irq(pcie->pci->irq, pcie);
+ 
+ err_teardown_can_ctrls:

diff --git a/queue-5.10/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch b/queue-5.10/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
new file mode 100644 (file)
index 0000000..738789a
--- /dev/null
+++ b/queue-5.10/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
@@ -0,0 +1,93 @@
+From 262d7a52ba27525e3c1203230c9f0524e48bbb34 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:17 +0200
+Subject: can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 262d7a52ba27525e3c1203230c9f0524e48bbb34 upstream.
+
+Under certain circumstances we send two EFLUSH commands, resulting in two
+EFLUSH ack packets, while only expecting a single EFLUSH ack.
+This can cause the driver Tx flush completion to get out of sync.
+
+To avoid this problem, don't enable the "Transmit buffer flush done" (TFD)
+interrupt and remove the code handling it.
+Now we only send EFLUSH command after receiving status packet with
+"Init detected" (IDET) bit set.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-6-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |   21 ++++-----------------
+ 1 file changed, 4 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -533,7 +533,7 @@ static int kvaser_pciefd_set_tx_irq(stru
+             KVASER_PCIEFD_KCAN_IRQ_TOF | KVASER_PCIEFD_KCAN_IRQ_ABD |
+             KVASER_PCIEFD_KCAN_IRQ_TAE | KVASER_PCIEFD_KCAN_IRQ_TAL |
+             KVASER_PCIEFD_KCAN_IRQ_FDIC | KVASER_PCIEFD_KCAN_IRQ_BPP |
+-            KVASER_PCIEFD_KCAN_IRQ_TAR | KVASER_PCIEFD_KCAN_IRQ_TFD;
++            KVASER_PCIEFD_KCAN_IRQ_TAR;
+ 
+       iowrite32(msk, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ 
+@@ -581,7 +581,7 @@ static void kvaser_pciefd_start_controll
+ 
+       spin_lock_irqsave(&can->lock, irq);
+       iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+-      iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD,
++      iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+                 can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ 
+       status = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_STAT_REG);
+@@ -624,7 +624,7 @@ static int kvaser_pciefd_bus_on(struct k
+       iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+       iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+ 
+-      iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD,
++      iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+                 can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ 
+       mode = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_MODE_REG);
+@@ -1011,8 +1011,7 @@ static int kvaser_pciefd_setup_can_ctrls
+               SET_NETDEV_DEV(netdev, &pcie->pci->dev);
+ 
+               iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+-              iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD |
+-                        KVASER_PCIEFD_KCAN_IRQ_TFD,
++              iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+                         can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ 
+               pcie->can[i] = can;
+@@ -1441,9 +1440,6 @@ static int kvaser_pciefd_handle_status_p
+               cmd = KVASER_PCIEFD_KCAN_CMD_AT;
+               cmd |= ++can->cmd_seq << KVASER_PCIEFD_KCAN_CMD_SEQ_SHIFT;
+               iowrite32(cmd, can->reg_base + KVASER_PCIEFD_KCAN_CMD_REG);
+-
+-              iowrite32(KVASER_PCIEFD_KCAN_IRQ_TFD,
+-                        can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+       } else if (p->header[0] & KVASER_PCIEFD_SPACK_IDET &&
+                  p->header[0] & KVASER_PCIEFD_SPACK_IRM &&
+                  cmdseq == (p->header[1] & KVASER_PCIEFD_PACKET_SEQ_MSK) &&
+@@ -1732,15 +1728,6 @@ static int kvaser_pciefd_transmit_irq(st
+       if (irq & KVASER_PCIEFD_KCAN_IRQ_TOF)
+               netdev_err(can->can.dev, "Tx FIFO overflow\n");
+ 
+-      if (irq & KVASER_PCIEFD_KCAN_IRQ_TFD) {
+-              u8 count = ioread32(can->reg_base +
+-                                  KVASER_PCIEFD_KCAN_TX_NPACKETS_REG) & 0xff;
+-
+-              if (count == 0)
+-                      iowrite32(KVASER_PCIEFD_KCAN_CTRL_EFLUSH,
+-                                can->reg_base + KVASER_PCIEFD_KCAN_CTRL_REG);
+-      }
+-
+       if (irq & KVASER_PCIEFD_KCAN_IRQ_BPP)
+               netdev_err(can->can.dev,
+                          "Fail to change bittiming, when not in reset mode\n");

diff --git a/queue-5.10/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch b/queue-5.10/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
new file mode 100644 (file)
index 0000000..494a3e2
--- /dev/null
+++ b/queue-5.10/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
@@ -0,0 +1,71 @@
+From c589557dd1426f5adf90c7a919d4fde5a3e4ef64 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:16 +0200
+Subject: can: kvaser_pciefd: Empty SRB buffer in probe
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit c589557dd1426f5adf90c7a919d4fde5a3e4ef64 upstream.
+
+Empty the "Shared receive buffer" (SRB) in probe, to assure we start in a
+known state, and don't process any irrelevant packets.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-5-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -70,10 +70,12 @@ MODULE_DESCRIPTION("CAN driver for Kvase
+ #define KVASER_PCIEFD_SYSID_BUILD_REG (KVASER_PCIEFD_SYSID_BASE + 0x14)
+ /* Shared receive buffer registers */
+ #define KVASER_PCIEFD_SRB_BASE 0x1f200
++#define KVASER_PCIEFD_SRB_FIFO_LAST_REG (KVASER_PCIEFD_SRB_BASE + 0x1f4)
+ #define KVASER_PCIEFD_SRB_CMD_REG (KVASER_PCIEFD_SRB_BASE + 0x200)
+ #define KVASER_PCIEFD_SRB_IEN_REG (KVASER_PCIEFD_SRB_BASE + 0x204)
+ #define KVASER_PCIEFD_SRB_IRQ_REG (KVASER_PCIEFD_SRB_BASE + 0x20c)
+ #define KVASER_PCIEFD_SRB_STAT_REG (KVASER_PCIEFD_SRB_BASE + 0x210)
++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG (KVASER_PCIEFD_SRB_BASE + 0x214)
+ #define KVASER_PCIEFD_SRB_CTRL_REG (KVASER_PCIEFD_SRB_BASE + 0x218)
+ /* EPCS flash controller registers */
+ #define KVASER_PCIEFD_SPI_BASE 0x1fc00
+@@ -110,6 +112,9 @@ MODULE_DESCRIPTION("CAN driver for Kvase
+ /* DMA support */
+ #define KVASER_PCIEFD_SRB_STAT_DMA BIT(24)
+ 
++/* SRB current packet level */
++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK 0xff
++
+ /* DMA Enable */
+ #define KVASER_PCIEFD_SRB_CTRL_DMA_ENABLE BIT(0)
+ 
+@@ -1055,6 +1060,7 @@ static int kvaser_pciefd_setup_dma(struc
+ {
+       int i;
+       u32 srb_status;
++      u32 srb_packet_count;
+       dma_addr_t dma_addr[KVASER_PCIEFD_DMA_COUNT];
+ 
+       /* Disable the DMA */
+@@ -1082,6 +1088,15 @@ static int kvaser_pciefd_setup_dma(struc
+                 KVASER_PCIEFD_SRB_CMD_RDB1,
+                 pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
+ 
++      /* Empty Rx FIFO */
++      srb_packet_count = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG) &
++                         KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK;
++      while (srb_packet_count) {
++              /* Drop current packet in FIFO */
++              ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_FIFO_LAST_REG);
++              srb_packet_count--;
++      }
++
+       srb_status = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_STAT_REG);
+       if (!(srb_status & KVASER_PCIEFD_SRB_STAT_DI)) {
+               dev_err(&pcie->pci->dev, "DMA not idle before enabling\n");

diff --git a/queue-5.10/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch b/queue-5.10/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
new file mode 100644 (file)
index 0000000..ffd6a1c
--- /dev/null
+++ b/queue-5.10/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
@@ -0,0 +1,33 @@
+From aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:13 +0200
+Subject: can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 upstream.
+
+Set can.state to CAN_STATE_STOPPED in kvaser_pciefd_stop().
+Without this fix, wrong CAN state was repported after the interface was
+brought down.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-2-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -721,6 +721,7 @@ static int kvaser_pciefd_stop(struct net
+               iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+               del_timer(&can->bec_poll_timer);
+       }
++      can->can.state = CAN_STATE_STOPPED;
+       close_candev(netdev);
+ 
+       return ret;

diff --git a/queue-5.10/ceph-force-updating-the-msg-pointer-in-non-split-case.patch b/queue-5.10/ceph-force-updating-the-msg-pointer-in-non-split-case.patch
new file mode 100644 (file)
index 0000000..8fc9cca
--- /dev/null
+++ b/queue-5.10/ceph-force-updating-the-msg-pointer-in-non-split-case.patch
@@ -0,0 +1,46 @@
+From 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 Mon Sep 17 00:00:00 2001
+From: Xiubo Li <xiubli@redhat.com>
+Date: Thu, 18 May 2023 09:47:23 +0800
+Subject: ceph: force updating the msg pointer in non-split case
+
+From: Xiubo Li <xiubli@redhat.com>
+
+commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream.
+
+When the MClientSnap reqeust's op is not CEPH_SNAP_OP_SPLIT the
+request may still contain a list of 'split_realms', and we need
+to skip it anyway. Or it will be parsed as a corrupt snaptrace.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/61200
+Reported-by: Frank Schilder <frans@dtu.dk>
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/snap.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -1008,6 +1008,19 @@ skip_inode:
+                               continue;
+                       adjust_snap_realm_parent(mdsc, child, realm->ino);
+               }
++      } else {
++              /*
++               * In the non-split case both 'num_split_inos' and
++               * 'num_split_realms' should be 0, making this a no-op.
++               * However the MDS happens to populate 'split_realms' list
++               * in one of the UPDATE op cases by mistake.
++               *
++               * Skip both lists just in case to ensure that 'p' is
++               * positioned at the start of realm info, as expected by
++               * ceph_update_snap_trace().
++               */
++              p += sizeof(u64) * num_split_inos;
++              p += sizeof(u64) * num_split_realms;
+       }
+ 
+       /*

diff --git a/queue-5.10/serial-add-support-for-advantech-pci-1611u-card.patch b/queue-5.10/serial-add-support-for-advantech-pci-1611u-card.patch
new file mode 100644 (file)
index 0000000..ff989e0
--- /dev/null
+++ b/queue-5.10/serial-add-support-for-advantech-pci-1611u-card.patch
@@ -0,0 +1,48 @@
+From d2b00516de0e1d696724247098f6733a6ea53908 Mon Sep 17 00:00:00 2001
+From: Vitaliy Tomin <tomin@iszf.irk.ru>
+Date: Sun, 23 Apr 2023 11:45:12 +0800
+Subject: serial: Add support for Advantech PCI-1611U card
+
+From: Vitaliy Tomin <tomin@iszf.irk.ru>
+
+commit d2b00516de0e1d696724247098f6733a6ea53908 upstream.
+
+Add support for Advantech PCI-1611U card
+
+Advantech provides opensource drivers for this and many others card
+based on legacy copy of 8250_pci driver called adv950
+
+https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ
+
+It is hard to maintain to run as out of tree module on newer kernels.
+Just adding PCI ID to kernel 8250_pci works perfect.
+
+Signed-off-by: Vitaliy Tomin <tomin@iszf.irk.ru>
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pci.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1839,6 +1839,8 @@ pci_moxa_setup(struct serial_private *pr
+ #define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530
+ #define PCI_VENDOR_ID_ADVANTECH               0x13fe
+ #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66
++#define PCI_DEVICE_ID_ADVANTECH_PCI1600       0x1600
++#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611  0x1611
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3620       0x3620
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3618       0x3618
+ #define PCI_DEVICE_ID_ADVANTECH_PCIf618       0xf618
+@@ -4185,6 +4187,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_op
+                        pciserial_resume_one);
+ 
+ static const struct pci_device_id serial_pci_tbl[] = {
++      {       PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600,
++              PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0,
++              pbn_b0_4_921600 },
+       /* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */
+       {       PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620,
+               PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0,

diff --git a/queue-5.10/series b/queue-5.10/series
index 4971621524f2d7a62de70be44a2103eed2306d20..9e6b5dde8c4f2948da91c42d2f5627eb666b64e1 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -120,3 +120,27 @@ igb-fix-bit_shift-to-be-in-1.8-range.patch
 vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
 netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch
 bridge-always-declare-tunnel-functions.patch
+alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch
+usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
+usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
+usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
+usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
+usb-gadget-u_ether-fix-host-mac-address-case.patch
+usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
+alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
+alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
+alsa-hda-realtek-add-quirk-for-clevo-l140au.patch
+alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
+alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
+can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
+can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch
+can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
+can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
+can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
+can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
+can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
+can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
+statfs-enforce-statfs-structure-initialization.patch
+serial-add-support-for-advantech-pci-1611u-card.patch
+vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch
+ceph-force-updating-the-msg-pointer-in-non-split-case.patch

diff --git a/queue-5.10/statfs-enforce-statfs-structure-initialization.patch b/queue-5.10/statfs-enforce-statfs-structure-initialization.patch
new file mode 100644 (file)
index 0000000..dd2b4ea
--- /dev/null
+++ b/queue-5.10/statfs-enforce-statfs-structure-initialization.patch
@@ -0,0 +1,62 @@
+From ed40866ec7d328b3dfb70db7e2011640a16202c3 Mon Sep 17 00:00:00 2001
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+Date: Thu, 4 May 2023 16:40:20 +0200
+Subject: statfs: enforce statfs[64] structure initialization
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream.
+
+s390's struct statfs and struct statfs64 contain padding, which
+field-by-field copying does not set. Initialize the respective structs
+with zeros before filling them and copying them to userspace, like it's
+already done for the compat versions of these structs.
+
+Found by KMSAN.
+
+[agordeev@linux.ibm.com: fixed typo in patch description]
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/statfs.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/statfs.c
++++ b/fs/statfs.c
+@@ -130,6 +130,7 @@ static int do_statfs_native(struct kstat
+       if (sizeof(buf) == sizeof(*st))
+               memcpy(&buf, st, sizeof(*st));
+       else {
++              memset(&buf, 0, sizeof(buf));
+               if (sizeof buf.f_blocks == 4) {
+                       if ((st->f_blocks | st->f_bfree | st->f_bavail |
+                            st->f_bsize | st->f_frsize) &
+@@ -158,7 +159,6 @@ static int do_statfs_native(struct kstat
+               buf.f_namelen = st->f_namelen;
+               buf.f_frsize = st->f_frsize;
+               buf.f_flags = st->f_flags;
+-              memset(buf.f_spare, 0, sizeof(buf.f_spare));
+       }
+       if (copy_to_user(p, &buf, sizeof(buf)))
+               return -EFAULT;
+@@ -171,6 +171,7 @@ static int do_statfs64(struct kstatfs *s
+       if (sizeof(buf) == sizeof(*st))
+               memcpy(&buf, st, sizeof(*st));
+       else {
++              memset(&buf, 0, sizeof(buf));
+               buf.f_type = st->f_type;
+               buf.f_bsize = st->f_bsize;
+               buf.f_blocks = st->f_blocks;
+@@ -182,7 +183,6 @@ static int do_statfs64(struct kstatfs *s
+               buf.f_namelen = st->f_namelen;
+               buf.f_frsize = st->f_frsize;
+               buf.f_flags = st->f_flags;
+-              memset(buf.f_spare, 0, sizeof(buf.f_spare));
+       }
+       if (copy_to_user(p, &buf, sizeof(buf)))
+               return -EFAULT;

diff --git a/queue-5.10/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch b/queue-5.10/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
new file mode 100644 (file)
index 0000000..248af44
--- /dev/null
+++ b/queue-5.10/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
@@ -0,0 +1,379 @@
+From 614ce6a2ea50068b45339257891e51e639ac9001 Mon Sep 17 00:00:00 2001
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+Date: Tue, 9 May 2023 20:18:36 +0530
+Subject: usb: dwc3: debugfs: Resume dwc3 before accessing registers
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+commit 614ce6a2ea50068b45339257891e51e639ac9001 upstream.
+
+When the dwc3 device is runtime suspended, various required clocks are in
+disabled state and it is not guaranteed that access to any registers would
+work. Depending on the SoC glue, a register read could be as benign as
+returning 0 or be fatal enough to hang the system.
+
+In order to prevent such scenarios of fatal errors, make sure to resume
+dwc3 then allow the function to proceed.
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: stable@vger.kernel.org #3.2: 30332eeefec8: debugfs: regset32: Add Runtime PM support
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20230509144836.6803-1-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/debugfs.c |  109 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 109 insertions(+)
+
+--- a/drivers/usb/dwc3/debugfs.c
++++ b/drivers/usb/dwc3/debugfs.c
+@@ -327,6 +327,11 @@ static int dwc3_lsp_show(struct seq_file
+       unsigned int            current_mode;
+       unsigned long           flags;
+       u32                     reg;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+@@ -345,6 +350,8 @@ static int dwc3_lsp_show(struct seq_file
+       }
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -390,6 +397,11 @@ static int dwc3_mode_show(struct seq_fil
+       struct dwc3             *dwc = s->private;
+       unsigned long           flags;
+       u32                     reg;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_GCTL);
+@@ -409,6 +421,8 @@ static int dwc3_mode_show(struct seq_fil
+               seq_printf(s, "UNKNOWN %08x\n", DWC3_GCTL_PRTCAP(reg));
+       }
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -458,6 +472,11 @@ static int dwc3_testmode_show(struct seq
+       struct dwc3             *dwc = s->private;
+       unsigned long           flags;
+       u32                     reg;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+@@ -488,6 +507,8 @@ static int dwc3_testmode_show(struct seq
+               seq_printf(s, "UNKNOWN %d\n", reg);
+       }
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -504,6 +525,7 @@ static ssize_t dwc3_testmode_write(struc
+       unsigned long           flags;
+       u32                     testmode = 0;
+       char                    buf[32];
++      int                     ret;
+ 
+       if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+               return -EFAULT;
+@@ -521,10 +543,16 @@ static ssize_t dwc3_testmode_write(struc
+       else
+               testmode = 0;
+ 
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
++
+       spin_lock_irqsave(&dwc->lock, flags);
+       dwc3_gadget_set_test_mode(dwc, testmode);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return count;
+ }
+ 
+@@ -543,12 +571,18 @@ static int dwc3_link_state_show(struct s
+       enum dwc3_link_state    state;
+       u32                     reg;
+       u8                      speed;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+       if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) {
+               seq_puts(s, "Not available\n");
+               spin_unlock_irqrestore(&dwc->lock, flags);
++              pm_runtime_put_sync(dwc->dev);
+               return 0;
+       }
+ 
+@@ -561,6 +595,8 @@ static int dwc3_link_state_show(struct s
+                  dwc3_gadget_hs_link_string(state));
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -579,6 +615,7 @@ static ssize_t dwc3_link_state_write(str
+       char                    buf[32];
+       u32                     reg;
+       u8                      speed;
++      int                     ret;
+ 
+       if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+               return -EFAULT;
+@@ -598,10 +635,15 @@ static ssize_t dwc3_link_state_write(str
+       else
+               return -EINVAL;
+ 
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
++
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+       if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) {
+               spin_unlock_irqrestore(&dwc->lock, flags);
++              pm_runtime_put_sync(dwc->dev);
+               return -EINVAL;
+       }
+ 
+@@ -611,12 +653,15 @@ static ssize_t dwc3_link_state_write(str
+       if (speed < DWC3_DSTS_SUPERSPEED &&
+           state != DWC3_LINK_STATE_RECOV) {
+               spin_unlock_irqrestore(&dwc->lock, flags);
++              pm_runtime_put_sync(dwc->dev);
+               return -EINVAL;
+       }
+ 
+       dwc3_gadget_set_link_state(dwc, state);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return count;
+ }
+ 
+@@ -640,6 +685,11 @@ static int dwc3_tx_fifo_size_show(struct
+       unsigned long           flags;
+       int                     mdwidth;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_TXFIFO);
+@@ -654,6 +704,8 @@ static int dwc3_tx_fifo_size_show(struct
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -664,6 +716,11 @@ static int dwc3_rx_fifo_size_show(struct
+       unsigned long           flags;
+       int                     mdwidth;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_RXFIFO);
+@@ -678,6 +735,8 @@ static int dwc3_rx_fifo_size_show(struct
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -687,12 +746,19 @@ static int dwc3_tx_request_queue_show(st
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_TXREQQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -702,12 +768,19 @@ static int dwc3_rx_request_queue_show(st
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_RXREQQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -717,12 +790,19 @@ static int dwc3_rx_info_queue_show(struc
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_RXINFOQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -732,12 +812,19 @@ static int dwc3_descriptor_fetch_queue_s
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_DESCFETCHQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -747,12 +834,19 @@ static int dwc3_event_queue_show(struct
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_EVENTQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -797,6 +891,11 @@ static int dwc3_trb_ring_show(struct seq
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       int                     i;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       if (dep->number <= 1) {
+@@ -826,6 +925,8 @@ static int dwc3_trb_ring_show(struct seq
+ out:
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -838,6 +939,11 @@ static int dwc3_ep_info_register_show(st
+       u32                     lower_32_bits;
+       u32                     upper_32_bits;
+       u32                     reg;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = DWC3_GDBGLSPMUX_EPSELECT(dep->number);
+@@ -850,6 +956,8 @@ static int dwc3_ep_info_register_show(st
+       seq_printf(s, "0x%016llx\n", ep_info);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -911,6 +1019,7 @@ void dwc3_debugfs_init(struct dwc3 *dwc)
+       dwc->regset->regs = dwc3_regs;
+       dwc->regset->nregs = ARRAY_SIZE(dwc3_regs);
+       dwc->regset->base = dwc->regs - DWC3_GLOBALS_REGS_START;
++      dwc->regset->dev = dwc->dev;
+ 
+       root = debugfs_create_dir(dev_name(dwc->dev), usb_debug_root);
+       dwc->root = root;

diff --git a/queue-5.10/usb-gadget-u_ether-fix-host-mac-address-case.patch b/queue-5.10/usb-gadget-u_ether-fix-host-mac-address-case.patch
new file mode 100644 (file)
index 0000000..e980887
--- /dev/null
+++ b/queue-5.10/usb-gadget-u_ether-fix-host-mac-address-case.patch
@@ -0,0 +1,58 @@
+From 3c0f4f09c063e143822393d99cb2b19a85451c07 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Konrad=20Gr=C3=A4fe?= <k.graefe@gateware.de>
+Date: Fri, 5 May 2023 16:36:40 +0200
+Subject: usb: gadget: u_ether: Fix host MAC address case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Konrad Gräfe <k.graefe@gateware.de>
+
+commit 3c0f4f09c063e143822393d99cb2b19a85451c07 upstream.
+
+The CDC-ECM specification [1] requires to send the host MAC address as
+an uppercase hexadecimal string in chapter "5.4 Ethernet Networking
+Functional Descriptor":
+    The Unicode character is chosen from the set of values 30h through
+    39h and 41h through 46h (0-9 and A-F).
+
+However, snprintf(.., "%pm", ..) generates a lowercase MAC address
+string. While most host drivers are tolerant to this, UsbNcm.sys on
+Windows 10 is not. Instead it uses a different MAC address with all
+bytes set to zero including and after the first byte containing a
+lowercase letter. On Windows 11 Microsoft fixed it, but apparently they
+did not backport the fix.
+
+This change fixes the issue by upper-casing the MAC to comply with the
+specification.
+
+[1]: https://www.usb.org/document-library/class-definitions-communication-devices-12, file ECM120.pdf
+
+Fixes: bcd4a1c40bee ("usb: gadget: u_ether: construct with default values and add setters/getters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Konrad Gräfe <k.graefe@gateware.de>
+Link: https://lore.kernel.org/r/20230505143640.443014-1-k.graefe@gateware.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_ether.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -17,6 +17,7 @@
+ #include <linux/etherdevice.h>
+ #include <linux/ethtool.h>
+ #include <linux/if_vlan.h>
++#include <linux/string_helpers.h>
+ 
+ #include "u_ether.h"
+ 
+@@ -974,6 +975,8 @@ int gether_get_host_addr_cdc(struct net_
+       dev = netdev_priv(net);
+       snprintf(host_addr, len, "%pm", dev->host_mac);
+ 
++      string_upper(host_addr, host_addr);
++
+       return strlen(host_addr);
+ }
+ EXPORT_SYMBOL_GPL(gether_get_host_addr_cdc);

diff --git a/queue-5.10/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch b/queue-5.10/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
new file mode 100644 (file)
index 0000000..121a3ba
--- /dev/null
+++ b/queue-5.10/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
@@ -0,0 +1,108 @@
+From a398d5eac6984316e71474e25b975688f282379b Mon Sep 17 00:00:00 2001
+From: Maxime Bizon <mbizon@freebox.fr>
+Date: Fri, 5 May 2023 13:47:59 +0200
+Subject: usb-storage: fix deadlock when a scsi command timeouts more than once
+
+From: Maxime Bizon <mbizon@freebox.fr>
+
+commit a398d5eac6984316e71474e25b975688f282379b upstream.
+
+With faulty usb-storage devices, read/write can timeout, in that case
+the SCSI layer will abort and re-issue the command. USB storage has no
+internal timeout, it relies on SCSI layer aborting commands via
+.eh_abort_handler() for non those responsive devices.
+
+After two consecutive timeouts of the same command, SCSI layer calls
+.eh_device_reset_handler(), without calling .eh_abort_handler() first.
+
+With usb-storage, this causes a deadlock:
+
+  -> .eh_device_reset_handler
+    -> device_reset
+      -> mutex_lock(&(us->dev_mutex));
+
+mutex already by usb_stor_control_thread(), which is waiting for
+command completion:
+
+  -> usb_stor_control_thread (mutex taken here)
+    -> usb_stor_invoke_transport
+      -> usb_stor_Bulk_transport
+        -> usb_stor_bulk_srb
+         -> usb_stor_bulk_transfer_sglist
+           -> usb_sg_wait
+
+Make sure we cancel any pending command in .eh_device_reset_handler()
+to avoid this.
+
+Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
+Cc: linux-usb@vger.kernel.org
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/scsiglue.c |   28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -407,22 +407,25 @@ static DEF_SCSI_QCMD(queuecommand)
+  ***********************************************************************/
+ 
+ /* Command timeout and abort */
+-static int command_abort(struct scsi_cmnd *srb)
++static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match)
+ {
+-      struct us_data *us = host_to_us(srb->device->host);
+-
+-      usb_stor_dbg(us, "%s called\n", __func__);
+-
+       /*
+        * us->srb together with the TIMED_OUT, RESETTING, and ABORTING
+        * bits are protected by the host lock.
+        */
+       scsi_lock(us_to_host(us));
+ 
+-      /* Is this command still active? */
+-      if (us->srb != srb) {
++      /* is there any active pending command to abort ? */
++      if (!us->srb) {
+               scsi_unlock(us_to_host(us));
+               usb_stor_dbg(us, "-- nothing to abort\n");
++              return SUCCESS;
++      }
++
++      /* Does the command match the passed srb if any ? */
++      if (srb_match && us->srb != srb_match) {
++              scsi_unlock(us_to_host(us));
++              usb_stor_dbg(us, "-- pending command mismatch\n");
+               return FAILED;
+       }
+ 
+@@ -445,6 +448,14 @@ static int command_abort(struct scsi_cmn
+       return SUCCESS;
+ }
+ 
++static int command_abort(struct scsi_cmnd *srb)
++{
++      struct us_data *us = host_to_us(srb->device->host);
++
++      usb_stor_dbg(us, "%s called\n", __func__);
++      return command_abort_matching(us, srb);
++}
++
+ /*
+  * This invokes the transport reset mechanism to reset the state of the
+  * device
+@@ -456,6 +467,9 @@ static int device_reset(struct scsi_cmnd
+ 
+       usb_stor_dbg(us, "%s called\n", __func__);
+ 
++      /* abort any pending command before reset */
++      command_abort_matching(us, NULL);
++
+       /* lock the device pointers and do the reset */
+       mutex_lock(&(us->dev_mutex));
+       result = us->transport_reset(us);

diff --git a/queue-5.10/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch b/queue-5.10/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
new file mode 100644 (file)
index 0000000..39e00cf
--- /dev/null
+++ b/queue-5.10/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
@@ -0,0 +1,53 @@
+From d8f28269dd4bf9b55c3fb376ae31512730a96fce Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan <badhri@google.com>
+Date: Mon, 8 May 2023 21:44:43 +0000
+Subject: usb: typec: altmodes/displayport: fix pin_assignment_show
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+commit d8f28269dd4bf9b55c3fb376ae31512730a96fce upstream.
+
+This patch fixes negative indexing of buf array in pin_assignment_show
+when get_current_pin_assignments returns 0 i.e. no compatible pin
+assignments are found.
+
+BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c
+...
+Call trace:
+dump_backtrace+0x110/0x204
+dump_stack_lvl+0x84/0xbc
+print_report+0x358/0x974
+kasan_report+0x9c/0xfc
+__do_kernel_fault+0xd4/0x2d4
+do_bad_area+0x48/0x168
+do_tag_check_fault+0x24/0x38
+do_mem_abort+0x6c/0x14c
+el1_abort+0x44/0x68
+el1h_64_sync_handler+0x64/0xa4
+el1h_64_sync+0x78/0x7c
+pin_assignment_show+0x26c/0x33c
+dev_attr_show+0x50/0xc0
+
+Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20230508214443.893436-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/altmodes/displayport.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -503,6 +503,10 @@ static ssize_t pin_assignment_show(struc
+ 
+       mutex_unlock(&dp->lock);
+ 
++      /* get_current_pin_assignments can return 0 when no matching pin assignments are found */
++      if (len == 0)
++              len++;
++
+       buf[len - 1] = '\n';
+       return len;
+ }

diff --git a/queue-5.10/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch b/queue-5.10/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
new file mode 100644 (file)
index 0000000..9088bc7
--- /dev/null
+++ b/queue-5.10/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
@@ -0,0 +1,44 @@
+From dddb342b5b9e482bb213aecc08cbdb201ea4f8da Mon Sep 17 00:00:00 2001
+From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+Date: Sun, 23 Apr 2023 18:59:52 +0800
+Subject: USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
+
+From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+
+commit dddb342b5b9e482bb213aecc08cbdb201ea4f8da upstream.
+
+OverCurrent condition is not standardized in the UHCI spec.
+Zhaoxin UHCI controllers report OverCurrent bit active off.
+In order to handle OverCurrent condition correctly, the uhci-hcd
+driver needs to be told to expect the active-off behavior.
+
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230423105952.4526-1-WeitaoWang-oc@zhaoxin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/uhci-pci.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/uhci-pci.c
++++ b/drivers/usb/host/uhci-pci.c
+@@ -119,11 +119,13 @@ static int uhci_pci_init(struct usb_hcd
+ 
+       uhci->rh_numports = uhci_count_ports(hcd);
+ 
+-      /* Intel controllers report the OverCurrent bit active on.
+-       * VIA controllers report it active off, so we'll adjust the
+-       * bit value.  (It's not standardized in the UHCI spec.)
++      /*
++       * Intel controllers report the OverCurrent bit active on.  VIA
++       * and ZHAOXIN controllers report it active off, so we'll adjust
++       * the bit value.  (It's not standardized in the UHCI spec.)
+        */
+-      if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA)
++      if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA ||
++                      to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_ZHAOXIN)
+               uhci->oc_low = 1;
+ 
+       /* HP's server management chip requires a longer port reset delay. */

diff --git a/queue-5.10/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch b/queue-5.10/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
new file mode 100644 (file)
index 0000000..24835d8
--- /dev/null
+++ b/queue-5.10/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
@@ -0,0 +1,64 @@
+From 94d25e9128988c6a1fc9070f6e98215a95795bd8 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 1 May 2023 14:22:35 -0400
+Subject: USB: usbtmc: Fix direction for 0-length ioctl control messages
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 94d25e9128988c6a1fc9070f6e98215a95795bd8 upstream.
+
+The syzbot fuzzer found a problem in the usbtmc driver: When a user
+submits an ioctl for a 0-length control transfer, the driver does not
+check that the direction is set to OUT:
+
+------------[ cut here ]------------
+usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd
+WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
+Modules linked in:
+CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
+RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
+Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41
+RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000
+RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001
+RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528
+R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100
+FS:  0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
+ usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
+ usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153
+ usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]
+ usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097
+
+To fix this, we must override the direction in the bRequestType field
+of the control request structure when the length is 0.
+
+Reported-and-tested-by: syzbot+ce77725b89b7bd52425c@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/linux-usb/000000000000716a3705f9adb8ee@google.com/
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/ede1ee02-b718-49e7-a44c-51339fec706b@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usbtmc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -1898,6 +1898,8 @@ static int usbtmc_ioctl_request(struct u
+ 
+       if (request.req.wLength > USBTMC_BUFSIZE)
+               return -EMSGSIZE;
++      if (request.req.wLength == 0)   /* Length-0 requests are never IN */
++              request.req.bRequestType &= ~USB_DIR_IN;
+ 
+       is_in = request.req.bRequestType & USB_DIR_IN;
+ 

diff --git a/queue-5.10/vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch b/queue-5.10/vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch
new file mode 100644 (file)
index 0000000..5d47059
--- /dev/null
+++ b/queue-5.10/vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch
@@ -0,0 +1,113 @@
+From 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 Mon Sep 17 00:00:00 2001
+From: George Kennedy <george.kennedy@oracle.com>
+Date: Fri, 12 May 2023 06:08:48 -0500
+Subject: vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+commit 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 upstream.
+
+After a call to console_unlock() in vcs_write() the vc_data struct can be
+freed by vc_port_destruct(). Because of that, the struct vc_data pointer
+must be reloaded in the while loop in vcs_write() after console_lock() to
+avoid a UAF when vcs_size() is called.
+
+Syzkaller reported a UAF in vcs_size().
+
+BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
+Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119
+
+Call Trace:
+ <TASK>
+__asan_report_load4_noabort (mm/kasan/report_generic.c:380)
+vcs_size (drivers/tty/vt/vc_screen.c:215)
+vcs_write (drivers/tty/vt/vc_screen.c:664)
+vfs_write (fs/read_write.c:582 fs/read_write.c:564)
+...
+ <TASK>
+
+Allocated by task 1213:
+kmalloc_trace (mm/slab_common.c:1064)
+vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680
+    drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)
+con_install (drivers/tty/vt/vt.c:3334)
+tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415
+    drivers/tty/tty_io.c:1392)
+tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)
+chrdev_open (fs/char_dev.c:415)
+do_dentry_open (fs/open.c:921)
+vfs_open (fs/open.c:1052)
+...
+
+Freed by task 4116:
+kfree (mm/slab_common.c:1016)
+vc_port_destruct (drivers/tty/vt/vt.c:1044)
+tty_port_destructor (drivers/tty/tty_port.c:296)
+tty_port_put (drivers/tty/tty_port.c:312)
+vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
+vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
+tty_ioctl (drivers/tty/tty_io.c:2778)
+...
+
+The buggy address belongs to the object at ffff8880beab8800
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 424 bytes inside of
+ freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)
+
+The buggy address belongs to the physical page:
+page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000
+    index:0x0 pfn:0xbeab8
+head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0
+    pincount:0
+flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+page_type: 0xffffffff()
+raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                  ^
+ ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+Disabling lock debugging due to kernel taint
+
+Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()")
+Cc: stable <stable@kernel.org>
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lore.kernel.org/r/1683889728-10411-1-git-send-email-george.kennedy@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vc_screen.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -656,10 +656,17 @@ vcs_write(struct file *file, const char
+                       }
+               }
+ 
+-              /* The vcs_size might have changed while we slept to grab
+-               * the user buffer, so recheck.
++              /* The vc might have been freed or vcs_size might have changed
++               * while we slept to grab the user buffer, so recheck.
+                * Return data written up to now on failure.
+                */
++              vc = vcs_vc(inode, &viewed);
++              if (!vc) {
++                      if (written)
++                              break;
++                      ret = -ENXIO;
++                      goto unlock_out;
++              }
+               size = vcs_size(vc, attr, false);
+               if (size < 0) {
+                       if (written)