5.4-stable patches

added patches:
	alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
	alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
	alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
	alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
	can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
	can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
	can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
	can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
	can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
	can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
	can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
	ceph-force-updating-the-msg-pointer-in-non-split-case.patch
	kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch
	serial-add-support-for-advantech-pci-1611u-card.patch
	statfs-enforce-statfs-structure-initialization.patch
	usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
	usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
	usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
	usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
	usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch

diff --git a/queue-5.4/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch b/queue-5.4/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
new file mode 100644 (file)
index 0000000..8956296
--- /dev/null
+++ b/queue-5.4/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
@@ -0,0 +1,38 @@
+From dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 Mon Sep 17 00:00:00 2001
+From: Nikhil Mahale <nmahale@nvidia.com>
+Date: Wed, 17 May 2023 14:37:36 +0530
+Subject: ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
+
+From: Nikhil Mahale <nmahale@nvidia.com>
+
+commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream.
+
+These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with
+audio functions that are largely similar to the existing ones.
+
+Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST
+connections on AD106 gpu.
+
+Signed-off-by: Nikhil Mahale <nmahale@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_hdmi.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -4197,6 +4197,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI
+ HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI",     patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI",  patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP",  patch_via_hdmi),

diff --git a/queue-5.4/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch b/queue-5.4/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
new file mode 100644 (file)
index 0000000..75f57e7
--- /dev/null
+++ b/queue-5.4/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
@@ -0,0 +1,57 @@
+From 3b44ec8c5c44790a82f07e90db45643c762878c6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 May 2023 20:44:12 +0200
+Subject: ALSA: hda: Fix Oops by 9.1 surround channel names
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream.
+
+get_line_out_pfx() may trigger an Oops by overflowing the static array
+with more than 8 channels.  This was reported for MacBookPro 12,1 with
+Cirrus codec.
+
+As a workaround, extend for the 9.1 channels and also fix the
+potential Oops by unifying the code paths accessing the same array
+with the proper size check.
+
+Reported-by: Olliver Schinagl <oliver@schinagl.nl>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl
+Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_generic.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -1147,8 +1147,8 @@ static bool path_has_mixer(struct hda_co
+       return path && path->ctls[ctl_type];
+ }
+ 
+-static const char * const channel_name[4] = {
+-      "Front", "Surround", "CLFE", "Side"
++static const char * const channel_name[] = {
++      "Front", "Surround", "CLFE", "Side", "Back",
+ };
+ 
+ /* give some appropriate ctl name prefix for the given line out channel */
+@@ -1174,7 +1174,7 @@ static const char *get_line_out_pfx(stru
+ 
+       /* multi-io channels */
+       if (ch >= cfg->line_outs)
+-              return channel_name[ch];
++              goto fixed_name;
+ 
+       switch (cfg->line_out_type) {
+       case AUTO_PIN_SPEAKER_OUT:
+@@ -1226,6 +1226,7 @@ static const char *get_line_out_pfx(stru
+       if (cfg->line_outs == 1 && !spec->multi_ios)
+               return "Line Out";
+ 
++ fixed_name:
+       if (ch >= ARRAY_SIZE(channel_name)) {
+               snd_BUG();
+               return "PCM";

diff --git a/queue-5.4/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch b/queue-5.4/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
new file mode 100644 (file)
index 0000000..edd8fb9
--- /dev/null
+++ b/queue-5.4/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
@@ -0,0 +1,30 @@
+From 90670ef774a8b6700c38ce1222e6aa263be54d5f Mon Sep 17 00:00:00 2001
+From: Ai Chao <aichao@kylinos.cn>
+Date: Sat, 6 May 2023 10:26:53 +0800
+Subject: ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
+
+From: Ai Chao <aichao@kylinos.cn>
+
+commit 90670ef774a8b6700c38ce1222e6aa263be54d5f upstream.
+
+Add a quirk for HP EliteDesk 805 to fixup ALC3867 headset MIC no sound.
+
+Signed-off-by: Ai Chao <aichao@kylinos.cn>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230506022653.2074343-1-aichao@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10342,6 +10342,7 @@ static const struct snd_pci_quirk alc662
+       SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+       SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+       SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
++      SND_PCI_QUIRK(0x103c, 0x872b, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+       SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
+       SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
+       SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2),

diff --git a/queue-5.4/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch b/queue-5.4/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
new file mode 100644 (file)
index 0000000..6c6ac15
--- /dev/null
+++ b/queue-5.4/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
@@ -0,0 +1,30 @@
+From a4671b7fba59775845ee60cfbdfc4ba64300211b Mon Sep 17 00:00:00 2001
+From: "Luke D. Jones" <luke@ljones.dev>
+Date: Sat, 6 May 2023 11:58:24 +1200
+Subject: ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
+
+From: Luke D. Jones <luke@ljones.dev>
+
+commit a4671b7fba59775845ee60cfbdfc4ba64300211b upstream.
+
+Add quirk for GU603 with 0x1c62 variant of codec.
+
+Signed-off-by: Luke D. Jones <luke@ljones.dev>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230505235824.49607-2-luke@ljones.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8273,6 +8273,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC),
+       SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++      SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
+       SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
+       SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
+       SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401),

diff --git a/queue-5.4/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch b/queue-5.4/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
new file mode 100644 (file)
index 0000000..48a8c37
--- /dev/null
+++ b/queue-5.4/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
@@ -0,0 +1,39 @@
+From 1db080cbdbab28752bbb1c86d64daf96253a5da1 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 6 Apr 2023 13:08:45 +0200
+Subject: can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 1db080cbdbab28752bbb1c86d64daf96253a5da1 upstream.
+
+The control message provided by J1939 support MSG_CMSG_COMPAT but
+blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user
+space on 64 bit kernels.
+
+Link: https://github.com/hartkopp/can-isotp/issues/59
+Cc: Oleksij Rempel <o.rempel@pengutronix.de>
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/20230505110308.81087-3-mkl@pengutronix.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/socket.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -798,7 +798,7 @@ static int j1939_sk_recvmsg(struct socke
+       struct j1939_sk_buff_cb *skcb;
+       int ret = 0;
+ 
+-      if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE))
++      if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
+               return -EINVAL;
+ 
+       if (flags & MSG_ERRQUEUE)

diff --git a/queue-5.4/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch b/queue-5.4/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
new file mode 100644 (file)
index 0000000..052685d
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
@@ -0,0 +1,47 @@
+From 84762d8da89d29ba842317eb842973e628c27391 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:15 +0200
+Subject: can: kvaser_pciefd: Call request_irq() before enabling interrupts
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 84762d8da89d29ba842317eb842973e628c27391 upstream.
+
+Make sure the interrupt handler is registered before enabling interrupts.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-4-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1823,6 +1823,11 @@ static int kvaser_pciefd_probe(struct pc
+       if (err)
+               goto err_teardown_can_ctrls;
+ 
++      err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
++                        IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
++      if (err)
++              goto err_teardown_can_ctrls;
++
+       iowrite32(KVASER_PCIEFD_SRB_IRQ_DPD0 | KVASER_PCIEFD_SRB_IRQ_DPD1,
+                 pcie->reg_base + KVASER_PCIEFD_SRB_IRQ_REG);
+ 
+@@ -1843,11 +1848,6 @@ static int kvaser_pciefd_probe(struct pc
+       iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1,
+                 pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
+ 
+-      err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
+-                        IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
+-      if (err)
+-              goto err_teardown_can_ctrls;
+-
+       err = kvaser_pciefd_reg_candev(pcie);
+       if (err)
+               goto err_free_irq;

diff --git a/queue-5.4/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch b/queue-5.4/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
new file mode 100644 (file)
index 0000000..28929d9
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
@@ -0,0 +1,33 @@
+From bf7ac55e991ca177f1ac16be51152f1ef291a4df Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:14 +0200
+Subject: can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit bf7ac55e991ca177f1ac16be51152f1ef291a4df upstream.
+
+The listen-only bit was never cleared, causing the controller to
+always use listen-only mode, if previously set.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-3-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -561,6 +561,8 @@ static void kvaser_pciefd_setup_controll
+ 
+       if (can->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
+               mode |= KVASER_PCIEFD_KCAN_MODE_LOM;
++      else
++              mode &= ~KVASER_PCIEFD_KCAN_MODE_LOM;
+ 
+       mode |= KVASER_PCIEFD_KCAN_MODE_EEN;
+       mode |= KVASER_PCIEFD_KCAN_MODE_EPEN;

diff --git a/queue-5.4/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch b/queue-5.4/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
new file mode 100644 (file)
index 0000000..d8313e4
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
@@ -0,0 +1,32 @@
+From 11164bc39459335ab93c6e99d53b7e4292fba38b Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:18 +0200
+Subject: can: kvaser_pciefd: Disable interrupts in probe error path
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 11164bc39459335ab93c6e99d53b7e4292fba38b upstream.
+
+Disable interrupts in error path of probe function.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-7-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1859,6 +1859,8 @@ static int kvaser_pciefd_probe(struct pc
+       return 0;
+ 
+ err_free_irq:
++      /* Disable PCI interrupts */
++      iowrite32(0, pcie->reg_base + KVASER_PCIEFD_IEN_REG);
+       free_irq(pcie->pci->irq, pcie);
+ 
+ err_teardown_can_ctrls:

diff --git a/queue-5.4/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch b/queue-5.4/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
new file mode 100644 (file)
index 0000000..5675b50
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
@@ -0,0 +1,93 @@
+From 262d7a52ba27525e3c1203230c9f0524e48bbb34 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:17 +0200
+Subject: can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit 262d7a52ba27525e3c1203230c9f0524e48bbb34 upstream.
+
+Under certain circumstances we send two EFLUSH commands, resulting in two
+EFLUSH ack packets, while only expecting a single EFLUSH ack.
+This can cause the driver Tx flush completion to get out of sync.
+
+To avoid this problem, don't enable the "Transmit buffer flush done" (TFD)
+interrupt and remove the code handling it.
+Now we only send EFLUSH command after receiving status packet with
+"Init detected" (IDET) bit set.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-6-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |   21 ++++-----------------
+ 1 file changed, 4 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -533,7 +533,7 @@ static int kvaser_pciefd_set_tx_irq(stru
+             KVASER_PCIEFD_KCAN_IRQ_TOF | KVASER_PCIEFD_KCAN_IRQ_ABD |
+             KVASER_PCIEFD_KCAN_IRQ_TAE | KVASER_PCIEFD_KCAN_IRQ_TAL |
+             KVASER_PCIEFD_KCAN_IRQ_FDIC | KVASER_PCIEFD_KCAN_IRQ_BPP |
+-            KVASER_PCIEFD_KCAN_IRQ_TAR | KVASER_PCIEFD_KCAN_IRQ_TFD;
++            KVASER_PCIEFD_KCAN_IRQ_TAR;
+ 
+       iowrite32(msk, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ 
+@@ -581,7 +581,7 @@ static void kvaser_pciefd_start_controll
+ 
+       spin_lock_irqsave(&can->lock, irq);
+       iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+-      iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD,
++      iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+                 can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ 
+       status = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_STAT_REG);
+@@ -624,7 +624,7 @@ static int kvaser_pciefd_bus_on(struct k
+       iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+       iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+ 
+-      iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD,
++      iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+                 can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ 
+       mode = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_MODE_REG);
+@@ -1009,8 +1009,7 @@ static int kvaser_pciefd_setup_can_ctrls
+               SET_NETDEV_DEV(netdev, &pcie->pci->dev);
+ 
+               iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
+-              iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD |
+-                        KVASER_PCIEFD_KCAN_IRQ_TFD,
++              iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
+                         can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ 
+               pcie->can[i] = can;
+@@ -1439,9 +1438,6 @@ static int kvaser_pciefd_handle_status_p
+               cmd = KVASER_PCIEFD_KCAN_CMD_AT;
+               cmd |= ++can->cmd_seq << KVASER_PCIEFD_KCAN_CMD_SEQ_SHIFT;
+               iowrite32(cmd, can->reg_base + KVASER_PCIEFD_KCAN_CMD_REG);
+-
+-              iowrite32(KVASER_PCIEFD_KCAN_IRQ_TFD,
+-                        can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+       } else if (p->header[0] & KVASER_PCIEFD_SPACK_IDET &&
+                  p->header[0] & KVASER_PCIEFD_SPACK_IRM &&
+                  cmdseq == (p->header[1] & KVASER_PCIEFD_PACKET_SEQ_MSK) &&
+@@ -1730,15 +1726,6 @@ static int kvaser_pciefd_transmit_irq(st
+       if (irq & KVASER_PCIEFD_KCAN_IRQ_TOF)
+               netdev_err(can->can.dev, "Tx FIFO overflow\n");
+ 
+-      if (irq & KVASER_PCIEFD_KCAN_IRQ_TFD) {
+-              u8 count = ioread32(can->reg_base +
+-                                  KVASER_PCIEFD_KCAN_TX_NPACKETS_REG) & 0xff;
+-
+-              if (count == 0)
+-                      iowrite32(KVASER_PCIEFD_KCAN_CTRL_EFLUSH,
+-                                can->reg_base + KVASER_PCIEFD_KCAN_CTRL_REG);
+-      }
+-
+       if (irq & KVASER_PCIEFD_KCAN_IRQ_BPP)
+               netdev_err(can->can.dev,
+                          "Fail to change bittiming, when not in reset mode\n");

diff --git a/queue-5.4/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch b/queue-5.4/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
new file mode 100644 (file)
index 0000000..d33cab9
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
@@ -0,0 +1,71 @@
+From c589557dd1426f5adf90c7a919d4fde5a3e4ef64 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:16 +0200
+Subject: can: kvaser_pciefd: Empty SRB buffer in probe
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit c589557dd1426f5adf90c7a919d4fde5a3e4ef64 upstream.
+
+Empty the "Shared receive buffer" (SRB) in probe, to assure we start in a
+known state, and don't process any irrelevant packets.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-5-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -70,10 +70,12 @@ MODULE_DESCRIPTION("CAN driver for Kvase
+ #define KVASER_PCIEFD_SYSID_BUILD_REG (KVASER_PCIEFD_SYSID_BASE + 0x14)
+ /* Shared receive buffer registers */
+ #define KVASER_PCIEFD_SRB_BASE 0x1f200
++#define KVASER_PCIEFD_SRB_FIFO_LAST_REG (KVASER_PCIEFD_SRB_BASE + 0x1f4)
+ #define KVASER_PCIEFD_SRB_CMD_REG (KVASER_PCIEFD_SRB_BASE + 0x200)
+ #define KVASER_PCIEFD_SRB_IEN_REG (KVASER_PCIEFD_SRB_BASE + 0x204)
+ #define KVASER_PCIEFD_SRB_IRQ_REG (KVASER_PCIEFD_SRB_BASE + 0x20c)
+ #define KVASER_PCIEFD_SRB_STAT_REG (KVASER_PCIEFD_SRB_BASE + 0x210)
++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG (KVASER_PCIEFD_SRB_BASE + 0x214)
+ #define KVASER_PCIEFD_SRB_CTRL_REG (KVASER_PCIEFD_SRB_BASE + 0x218)
+ /* EPCS flash controller registers */
+ #define KVASER_PCIEFD_SPI_BASE 0x1fc00
+@@ -110,6 +112,9 @@ MODULE_DESCRIPTION("CAN driver for Kvase
+ /* DMA support */
+ #define KVASER_PCIEFD_SRB_STAT_DMA BIT(24)
+ 
++/* SRB current packet level */
++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK 0xff
++
+ /* DMA Enable */
+ #define KVASER_PCIEFD_SRB_CTRL_DMA_ENABLE BIT(0)
+ 
+@@ -1053,6 +1058,7 @@ static int kvaser_pciefd_setup_dma(struc
+ {
+       int i;
+       u32 srb_status;
++      u32 srb_packet_count;
+       dma_addr_t dma_addr[KVASER_PCIEFD_DMA_COUNT];
+ 
+       /* Disable the DMA */
+@@ -1080,6 +1086,15 @@ static int kvaser_pciefd_setup_dma(struc
+                 KVASER_PCIEFD_SRB_CMD_RDB1,
+                 pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
+ 
++      /* Empty Rx FIFO */
++      srb_packet_count = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG) &
++                         KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK;
++      while (srb_packet_count) {
++              /* Drop current packet in FIFO */
++              ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_FIFO_LAST_REG);
++              srb_packet_count--;
++      }
++
+       srb_status = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_STAT_REG);
+       if (!(srb_status & KVASER_PCIEFD_SRB_STAT_DI)) {
+               dev_err(&pcie->pci->dev, "DMA not idle before enabling\n");

diff --git a/queue-5.4/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch b/queue-5.4/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
new file mode 100644 (file)
index 0000000..dcd3956
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
@@ -0,0 +1,33 @@
+From aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <extja@kvaser.com>
+Date: Tue, 16 May 2023 15:43:13 +0200
+Subject: can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+commit aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 upstream.
+
+Set can.state to CAN_STATE_STOPPED in kvaser_pciefd_stop().
+Without this fix, wrong CAN state was repported after the interface was
+brought down.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/r/20230516134318.104279-2-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/kvaser_pciefd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -719,6 +719,7 @@ static int kvaser_pciefd_stop(struct net
+               iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+               del_timer(&can->bec_poll_timer);
+       }
++      can->can.state = CAN_STATE_STOPPED;
+       close_candev(netdev);
+ 
+       return ret;

diff --git a/queue-5.4/ceph-force-updating-the-msg-pointer-in-non-split-case.patch b/queue-5.4/ceph-force-updating-the-msg-pointer-in-non-split-case.patch
new file mode 100644 (file)
index 0000000..0d400fd
--- /dev/null
+++ b/queue-5.4/ceph-force-updating-the-msg-pointer-in-non-split-case.patch
@@ -0,0 +1,46 @@
+From 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 Mon Sep 17 00:00:00 2001
+From: Xiubo Li <xiubli@redhat.com>
+Date: Thu, 18 May 2023 09:47:23 +0800
+Subject: ceph: force updating the msg pointer in non-split case
+
+From: Xiubo Li <xiubli@redhat.com>
+
+commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream.
+
+When the MClientSnap reqeust's op is not CEPH_SNAP_OP_SPLIT the
+request may still contain a list of 'split_realms', and we need
+to skip it anyway. Or it will be parsed as a corrupt snaptrace.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/61200
+Reported-by: Frank Schilder <frans@dtu.dk>
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/snap.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -1005,6 +1005,19 @@ skip_inode:
+                               continue;
+                       adjust_snap_realm_parent(mdsc, child, realm->ino);
+               }
++      } else {
++              /*
++               * In the non-split case both 'num_split_inos' and
++               * 'num_split_realms' should be 0, making this a no-op.
++               * However the MDS happens to populate 'split_realms' list
++               * in one of the UPDATE op cases by mistake.
++               *
++               * Skip both lists just in case to ensure that 'p' is
++               * positioned at the start of realm info, as expected by
++               * ceph_update_snap_trace().
++               */
++              p += sizeof(u64) * num_split_inos;
++              p += sizeof(u64) * num_split_realms;
+       }
+ 
+       /*

diff --git a/queue-5.4/kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch b/queue-5.4/kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch
new file mode 100644 (file)
index 0000000..7776a88
--- /dev/null
+++ b/queue-5.4/kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch
@@ -0,0 +1,127 @@
+From 6cd88243c7e03845a450795e134b488fc2afb736 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 7 Jun 2022 10:09:03 -0400
+Subject: KVM: x86: do not report a vCPU as preempted outside instruction boundaries
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 6cd88243c7e03845a450795e134b488fc2afb736 upstream.
+
+If a vCPU is outside guest mode and is scheduled out, it might be in the
+process of making a memory access.  A problem occurs if another vCPU uses
+the PV TLB flush feature during the period when the vCPU is scheduled
+out, and a virtual address has already been translated but has not yet
+been accessed, because this is equivalent to using a stale TLB entry.
+
+To avoid this, only report a vCPU as preempted if sure that the guest
+is at an instruction boundary.  A rescheduling request will be delivered
+to the host physical CPU as an external interrupt, so for simplicity
+consider any vmexit *not* instruction boundary except for external
+interrupts.
+
+It would in principle be okay to report the vCPU as preempted also
+if it is sleeping in kvm_vcpu_block(): a TLB flush IPI will incur the
+vmentry/vmexit overhead unnecessarily, and optimistic spinning is
+also unlikely to succeed.  However, leave it for later because right
+now kvm_vcpu_check_block() is doing memory accesses.  Even
+though the TLB flush issue only applies to virtual memory address,
+it's very much preferrable to be conservative.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[OP: use VCPU_STAT() for debugfs entries]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm_host.h |    3 +++
+ arch/x86/kvm/svm.c              |    3 ++-
+ arch/x86/kvm/vmx/vmx.c          |    1 +
+ arch/x86/kvm/x86.c              |   22 ++++++++++++++++++++++
+ 4 files changed, 28 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -563,6 +563,7 @@ struct kvm_vcpu_arch {
+       u64 ia32_misc_enable_msr;
+       u64 smbase;
+       u64 smi_count;
++      bool at_instruction_boundary;
+       bool tpr_access_reporting;
+       u64 ia32_xss;
+       u64 microcode_version;
+@@ -981,6 +982,8 @@ struct kvm_vcpu_stat {
+       u64 irq_injections;
+       u64 nmi_injections;
+       u64 req_event;
++      u64 preemption_reported;
++      u64 preemption_other;
+ };
+ 
+ struct x86_instruction_info;
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -6246,7 +6246,8 @@ out:
+ 
+ static void svm_handle_exit_irqoff(struct kvm_vcpu *vcpu)
+ {
+-
++      if (to_svm(vcpu)->vmcb->control.exit_code == SVM_EXIT_INTR)
++              vcpu->arch.at_instruction_boundary = true;
+ }
+ 
+ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -6358,6 +6358,7 @@ static void handle_external_interrupt_ir
+       );
+ 
+       kvm_after_interrupt(vcpu);
++      vcpu->arch.at_instruction_boundary = true;
+ }
+ STACK_FRAME_NON_STANDARD(handle_external_interrupt_irqoff);
+ 
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -207,6 +207,8 @@ struct kvm_stats_debugfs_item debugfs_en
+       { "nmi_injections", VCPU_STAT(nmi_injections) },
+       { "req_event", VCPU_STAT(req_event) },
+       { "l1d_flush", VCPU_STAT(l1d_flush) },
++      { "preemption_reported", VCPU_STAT(preemption_reported) },
++      { "preemption_other", VCPU_STAT(preemption_other) },
+       { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
+       { "mmu_pte_write", VM_STAT(mmu_pte_write) },
+       { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
+@@ -3562,6 +3564,19 @@ static void kvm_steal_time_set_preempted
+       struct kvm_host_map map;
+       struct kvm_steal_time *st;
+ 
++      /*
++       * The vCPU can be marked preempted if and only if the VM-Exit was on
++       * an instruction boundary and will not trigger guest emulation of any
++       * kind (see vcpu_run).  Vendor specific code controls (conservatively)
++       * when this is true, for example allowing the vCPU to be marked
++       * preempted if and only if the VM-Exit was due to a host interrupt.
++       */
++      if (!vcpu->arch.at_instruction_boundary) {
++              vcpu->stat.preemption_other++;
++              return;
++      }
++
++      vcpu->stat.preemption_reported++;
+       if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
+               return;
+ 
+@@ -8446,6 +8461,13 @@ static int vcpu_run(struct kvm_vcpu *vcp
+       vcpu->arch.l1tf_flush_l1d = true;
+ 
+       for (;;) {
++              /*
++               * If another guest vCPU requests a PV TLB flush in the middle
++               * of instruction emulation, the rest of the emulation could
++               * use a stale page translation. Assume that any code after
++               * this point can start executing an instruction.
++               */
++              vcpu->arch.at_instruction_boundary = false;
+               if (kvm_vcpu_running(vcpu)) {
+                       r = vcpu_enter_guest(vcpu);
+               } else {

diff --git a/queue-5.4/serial-add-support-for-advantech-pci-1611u-card.patch b/queue-5.4/serial-add-support-for-advantech-pci-1611u-card.patch
new file mode 100644 (file)
index 0000000..359b9ee
--- /dev/null
+++ b/queue-5.4/serial-add-support-for-advantech-pci-1611u-card.patch
@@ -0,0 +1,48 @@
+From d2b00516de0e1d696724247098f6733a6ea53908 Mon Sep 17 00:00:00 2001
+From: Vitaliy Tomin <tomin@iszf.irk.ru>
+Date: Sun, 23 Apr 2023 11:45:12 +0800
+Subject: serial: Add support for Advantech PCI-1611U card
+
+From: Vitaliy Tomin <tomin@iszf.irk.ru>
+
+commit d2b00516de0e1d696724247098f6733a6ea53908 upstream.
+
+Add support for Advantech PCI-1611U card
+
+Advantech provides opensource drivers for this and many others card
+based on legacy copy of 8250_pci driver called adv950
+
+https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ
+
+It is hard to maintain to run as out of tree module on newer kernels.
+Just adding PCI ID to kernel 8250_pci works perfect.
+
+Signed-off-by: Vitaliy Tomin <tomin@iszf.irk.ru>
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pci.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1837,6 +1837,8 @@ pci_moxa_setup(struct serial_private *pr
+ #define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530
+ #define PCI_VENDOR_ID_ADVANTECH               0x13fe
+ #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66
++#define PCI_DEVICE_ID_ADVANTECH_PCI1600       0x1600
++#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611  0x1611
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3620       0x3620
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3618       0x3618
+ #define PCI_DEVICE_ID_ADVANTECH_PCIf618       0xf618
+@@ -4157,6 +4159,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_op
+                        pciserial_resume_one);
+ 
+ static const struct pci_device_id serial_pci_tbl[] = {
++      {       PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600,
++              PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0,
++              pbn_b0_4_921600 },
+       /* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */
+       {       PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620,
+               PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0,

diff --git a/queue-5.4/series b/queue-5.4/series
index f0965ed56f0ad3132d927df432d680582f50ab99..341637ae34ece8f67e7b5ef81458dd248324d664 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -78,3 +78,23 @@ wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
 cassini-fix-a-memory-leak-in-the-error-handling-path.patch
 igb-fix-bit_shift-to-be-in-1.8-range.patch
 vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
+usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
+usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
+usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
+usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
+usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
+alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
+alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
+alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
+alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
+can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
+can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
+can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
+can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
+can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
+can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
+can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
+kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch
+statfs-enforce-statfs-structure-initialization.patch
+serial-add-support-for-advantech-pci-1611u-card.patch
+ceph-force-updating-the-msg-pointer-in-non-split-case.patch

diff --git a/queue-5.4/statfs-enforce-statfs-structure-initialization.patch b/queue-5.4/statfs-enforce-statfs-structure-initialization.patch
new file mode 100644 (file)
index 0000000..df17846
--- /dev/null
+++ b/queue-5.4/statfs-enforce-statfs-structure-initialization.patch
@@ -0,0 +1,62 @@
+From ed40866ec7d328b3dfb70db7e2011640a16202c3 Mon Sep 17 00:00:00 2001
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+Date: Thu, 4 May 2023 16:40:20 +0200
+Subject: statfs: enforce statfs[64] structure initialization
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream.
+
+s390's struct statfs and struct statfs64 contain padding, which
+field-by-field copying does not set. Initialize the respective structs
+with zeros before filling them and copying them to userspace, like it's
+already done for the compat versions of these structs.
+
+Found by KMSAN.
+
+[agordeev@linux.ibm.com: fixed typo in patch description]
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/statfs.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/statfs.c
++++ b/fs/statfs.c
+@@ -128,6 +128,7 @@ static int do_statfs_native(struct kstat
+       if (sizeof(buf) == sizeof(*st))
+               memcpy(&buf, st, sizeof(*st));
+       else {
++              memset(&buf, 0, sizeof(buf));
+               if (sizeof buf.f_blocks == 4) {
+                       if ((st->f_blocks | st->f_bfree | st->f_bavail |
+                            st->f_bsize | st->f_frsize) &
+@@ -156,7 +157,6 @@ static int do_statfs_native(struct kstat
+               buf.f_namelen = st->f_namelen;
+               buf.f_frsize = st->f_frsize;
+               buf.f_flags = st->f_flags;
+-              memset(buf.f_spare, 0, sizeof(buf.f_spare));
+       }
+       if (copy_to_user(p, &buf, sizeof(buf)))
+               return -EFAULT;
+@@ -169,6 +169,7 @@ static int do_statfs64(struct kstatfs *s
+       if (sizeof(buf) == sizeof(*st))
+               memcpy(&buf, st, sizeof(*st));
+       else {
++              memset(&buf, 0, sizeof(buf));
+               buf.f_type = st->f_type;
+               buf.f_bsize = st->f_bsize;
+               buf.f_blocks = st->f_blocks;
+@@ -180,7 +181,6 @@ static int do_statfs64(struct kstatfs *s
+               buf.f_namelen = st->f_namelen;
+               buf.f_frsize = st->f_frsize;
+               buf.f_flags = st->f_flags;
+-              memset(buf.f_spare, 0, sizeof(buf.f_spare));
+       }
+       if (copy_to_user(p, &buf, sizeof(buf)))
+               return -EFAULT;

diff --git a/queue-5.4/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch b/queue-5.4/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
new file mode 100644 (file)
index 0000000..1b171cc
--- /dev/null
+++ b/queue-5.4/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
@@ -0,0 +1,379 @@
+From 614ce6a2ea50068b45339257891e51e639ac9001 Mon Sep 17 00:00:00 2001
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+Date: Tue, 9 May 2023 20:18:36 +0530
+Subject: usb: dwc3: debugfs: Resume dwc3 before accessing registers
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+commit 614ce6a2ea50068b45339257891e51e639ac9001 upstream.
+
+When the dwc3 device is runtime suspended, various required clocks are in
+disabled state and it is not guaranteed that access to any registers would
+work. Depending on the SoC glue, a register read could be as benign as
+returning 0 or be fatal enough to hang the system.
+
+In order to prevent such scenarios of fatal errors, make sure to resume
+dwc3 then allow the function to proceed.
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: stable@vger.kernel.org #3.2: 30332eeefec8: debugfs: regset32: Add Runtime PM support
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20230509144836.6803-1-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/debugfs.c |  109 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 109 insertions(+)
+
+--- a/drivers/usb/dwc3/debugfs.c
++++ b/drivers/usb/dwc3/debugfs.c
+@@ -327,6 +327,11 @@ static int dwc3_lsp_show(struct seq_file
+       unsigned int            current_mode;
+       unsigned long           flags;
+       u32                     reg;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+@@ -345,6 +350,8 @@ static int dwc3_lsp_show(struct seq_file
+       }
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -390,6 +397,11 @@ static int dwc3_mode_show(struct seq_fil
+       struct dwc3             *dwc = s->private;
+       unsigned long           flags;
+       u32                     reg;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_GCTL);
+@@ -409,6 +421,8 @@ static int dwc3_mode_show(struct seq_fil
+               seq_printf(s, "UNKNOWN %08x\n", DWC3_GCTL_PRTCAP(reg));
+       }
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -455,6 +469,11 @@ static int dwc3_testmode_show(struct seq
+       struct dwc3             *dwc = s->private;
+       unsigned long           flags;
+       u32                     reg;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+@@ -485,6 +504,8 @@ static int dwc3_testmode_show(struct seq
+               seq_printf(s, "UNKNOWN %d\n", reg);
+       }
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -501,6 +522,7 @@ static ssize_t dwc3_testmode_write(struc
+       unsigned long           flags;
+       u32                     testmode = 0;
+       char                    buf[32];
++      int                     ret;
+ 
+       if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+               return -EFAULT;
+@@ -518,10 +540,16 @@ static ssize_t dwc3_testmode_write(struc
+       else
+               testmode = 0;
+ 
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
++
+       spin_lock_irqsave(&dwc->lock, flags);
+       dwc3_gadget_set_test_mode(dwc, testmode);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return count;
+ }
+ 
+@@ -540,12 +568,18 @@ static int dwc3_link_state_show(struct s
+       enum dwc3_link_state    state;
+       u32                     reg;
+       u8                      speed;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+       if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) {
+               seq_puts(s, "Not available\n");
+               spin_unlock_irqrestore(&dwc->lock, flags);
++              pm_runtime_put_sync(dwc->dev);
+               return 0;
+       }
+ 
+@@ -558,6 +592,8 @@ static int dwc3_link_state_show(struct s
+                  dwc3_gadget_hs_link_string(state));
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -576,6 +612,7 @@ static ssize_t dwc3_link_state_write(str
+       char                    buf[32];
+       u32                     reg;
+       u8                      speed;
++      int                     ret;
+ 
+       if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+               return -EFAULT;
+@@ -595,10 +632,15 @@ static ssize_t dwc3_link_state_write(str
+       else
+               return -EINVAL;
+ 
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
++
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = dwc3_readl(dwc->regs, DWC3_GSTS);
+       if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) {
+               spin_unlock_irqrestore(&dwc->lock, flags);
++              pm_runtime_put_sync(dwc->dev);
+               return -EINVAL;
+       }
+ 
+@@ -608,12 +650,15 @@ static ssize_t dwc3_link_state_write(str
+       if (speed < DWC3_DSTS_SUPERSPEED &&
+           state != DWC3_LINK_STATE_RECOV) {
+               spin_unlock_irqrestore(&dwc->lock, flags);
++              pm_runtime_put_sync(dwc->dev);
+               return -EINVAL;
+       }
+ 
+       dwc3_gadget_set_link_state(dwc, state);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return count;
+ }
+ 
+@@ -636,6 +681,11 @@ static int dwc3_tx_fifo_size_show(struct
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_TXFIFO);
+@@ -646,6 +696,8 @@ static int dwc3_tx_fifo_size_show(struct
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -655,6 +707,11 @@ static int dwc3_rx_fifo_size_show(struct
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_RXFIFO);
+@@ -665,6 +722,8 @@ static int dwc3_rx_fifo_size_show(struct
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -674,12 +733,19 @@ static int dwc3_tx_request_queue_show(st
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_TXREQQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -689,12 +755,19 @@ static int dwc3_rx_request_queue_show(st
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_RXREQQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -704,12 +777,19 @@ static int dwc3_rx_info_queue_show(struc
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_RXINFOQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -719,12 +799,19 @@ static int dwc3_descriptor_fetch_queue_s
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_DESCFETCHQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -734,12 +821,19 @@ static int dwc3_event_queue_show(struct
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       u32                     val;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       val = dwc3_core_fifo_space(dep, DWC3_EVENTQ);
+       seq_printf(s, "%u\n", val);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -785,6 +879,11 @@ static int dwc3_trb_ring_show(struct seq
+       struct dwc3             *dwc = dep->dwc;
+       unsigned long           flags;
+       int                     i;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       if (dep->number <= 1) {
+@@ -814,6 +913,8 @@ static int dwc3_trb_ring_show(struct seq
+ out:
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -826,6 +927,11 @@ static int dwc3_ep_info_register_show(st
+       u32                     lower_32_bits;
+       u32                     upper_32_bits;
+       u32                     reg;
++      int                     ret;
++
++      ret = pm_runtime_resume_and_get(dwc->dev);
++      if (ret < 0)
++              return ret;
+ 
+       spin_lock_irqsave(&dwc->lock, flags);
+       reg = DWC3_GDBGLSPMUX_EPSELECT(dep->number);
+@@ -838,6 +944,8 @@ static int dwc3_ep_info_register_show(st
+       seq_printf(s, "0x%016llx\n", ep_info);
+       spin_unlock_irqrestore(&dwc->lock, flags);
+ 
++      pm_runtime_put_sync(dwc->dev);
++
+       return 0;
+ }
+ 
+@@ -899,6 +1007,7 @@ void dwc3_debugfs_init(struct dwc3 *dwc)
+       dwc->regset->regs = dwc3_regs;
+       dwc->regset->nregs = ARRAY_SIZE(dwc3_regs);
+       dwc->regset->base = dwc->regs - DWC3_GLOBALS_REGS_START;
++      dwc->regset->dev = dwc->dev;
+ 
+       root = debugfs_create_dir(dev_name(dwc->dev), NULL);
+       dwc->root = root;

diff --git a/queue-5.4/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch b/queue-5.4/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
new file mode 100644 (file)
index 0000000..121a3ba
--- /dev/null
+++ b/queue-5.4/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
@@ -0,0 +1,108 @@
+From a398d5eac6984316e71474e25b975688f282379b Mon Sep 17 00:00:00 2001
+From: Maxime Bizon <mbizon@freebox.fr>
+Date: Fri, 5 May 2023 13:47:59 +0200
+Subject: usb-storage: fix deadlock when a scsi command timeouts more than once
+
+From: Maxime Bizon <mbizon@freebox.fr>
+
+commit a398d5eac6984316e71474e25b975688f282379b upstream.
+
+With faulty usb-storage devices, read/write can timeout, in that case
+the SCSI layer will abort and re-issue the command. USB storage has no
+internal timeout, it relies on SCSI layer aborting commands via
+.eh_abort_handler() for non those responsive devices.
+
+After two consecutive timeouts of the same command, SCSI layer calls
+.eh_device_reset_handler(), without calling .eh_abort_handler() first.
+
+With usb-storage, this causes a deadlock:
+
+  -> .eh_device_reset_handler
+    -> device_reset
+      -> mutex_lock(&(us->dev_mutex));
+
+mutex already by usb_stor_control_thread(), which is waiting for
+command completion:
+
+  -> usb_stor_control_thread (mutex taken here)
+    -> usb_stor_invoke_transport
+      -> usb_stor_Bulk_transport
+        -> usb_stor_bulk_srb
+         -> usb_stor_bulk_transfer_sglist
+           -> usb_sg_wait
+
+Make sure we cancel any pending command in .eh_device_reset_handler()
+to avoid this.
+
+Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
+Cc: linux-usb@vger.kernel.org
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/scsiglue.c |   28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -407,22 +407,25 @@ static DEF_SCSI_QCMD(queuecommand)
+  ***********************************************************************/
+ 
+ /* Command timeout and abort */
+-static int command_abort(struct scsi_cmnd *srb)
++static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match)
+ {
+-      struct us_data *us = host_to_us(srb->device->host);
+-
+-      usb_stor_dbg(us, "%s called\n", __func__);
+-
+       /*
+        * us->srb together with the TIMED_OUT, RESETTING, and ABORTING
+        * bits are protected by the host lock.
+        */
+       scsi_lock(us_to_host(us));
+ 
+-      /* Is this command still active? */
+-      if (us->srb != srb) {
++      /* is there any active pending command to abort ? */
++      if (!us->srb) {
+               scsi_unlock(us_to_host(us));
+               usb_stor_dbg(us, "-- nothing to abort\n");
++              return SUCCESS;
++      }
++
++      /* Does the command match the passed srb if any ? */
++      if (srb_match && us->srb != srb_match) {
++              scsi_unlock(us_to_host(us));
++              usb_stor_dbg(us, "-- pending command mismatch\n");
+               return FAILED;
+       }
+ 
+@@ -445,6 +448,14 @@ static int command_abort(struct scsi_cmn
+       return SUCCESS;
+ }
+ 
++static int command_abort(struct scsi_cmnd *srb)
++{
++      struct us_data *us = host_to_us(srb->device->host);
++
++      usb_stor_dbg(us, "%s called\n", __func__);
++      return command_abort_matching(us, srb);
++}
++
+ /*
+  * This invokes the transport reset mechanism to reset the state of the
+  * device
+@@ -456,6 +467,9 @@ static int device_reset(struct scsi_cmnd
+ 
+       usb_stor_dbg(us, "%s called\n", __func__);
+ 
++      /* abort any pending command before reset */
++      command_abort_matching(us, NULL);
++
+       /* lock the device pointers and do the reset */
+       mutex_lock(&(us->dev_mutex));
+       result = us->transport_reset(us);

diff --git a/queue-5.4/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch b/queue-5.4/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
new file mode 100644 (file)
index 0000000..0c243d6
--- /dev/null
+++ b/queue-5.4/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
@@ -0,0 +1,53 @@
+From d8f28269dd4bf9b55c3fb376ae31512730a96fce Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan <badhri@google.com>
+Date: Mon, 8 May 2023 21:44:43 +0000
+Subject: usb: typec: altmodes/displayport: fix pin_assignment_show
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+commit d8f28269dd4bf9b55c3fb376ae31512730a96fce upstream.
+
+This patch fixes negative indexing of buf array in pin_assignment_show
+when get_current_pin_assignments returns 0 i.e. no compatible pin
+assignments are found.
+
+BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c
+...
+Call trace:
+dump_backtrace+0x110/0x204
+dump_stack_lvl+0x84/0xbc
+print_report+0x358/0x974
+kasan_report+0x9c/0xfc
+__do_kernel_fault+0xd4/0x2d4
+do_bad_area+0x48/0x168
+do_tag_check_fault+0x24/0x38
+do_mem_abort+0x6c/0x14c
+el1_abort+0x44/0x68
+el1h_64_sync_handler+0x64/0xa4
+el1h_64_sync+0x78/0x7c
+pin_assignment_show+0x26c/0x33c
+dev_attr_show+0x50/0xc0
+
+Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20230508214443.893436-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/altmodes/displayport.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -501,6 +501,10 @@ static ssize_t pin_assignment_show(struc
+ 
+       mutex_unlock(&dp->lock);
+ 
++      /* get_current_pin_assignments can return 0 when no matching pin assignments are found */
++      if (len == 0)
++              len++;
++
+       buf[len - 1] = '\n';
+       return len;
+ }

diff --git a/queue-5.4/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch b/queue-5.4/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
new file mode 100644 (file)
index 0000000..9088bc7
--- /dev/null
+++ b/queue-5.4/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
@@ -0,0 +1,44 @@
+From dddb342b5b9e482bb213aecc08cbdb201ea4f8da Mon Sep 17 00:00:00 2001
+From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+Date: Sun, 23 Apr 2023 18:59:52 +0800
+Subject: USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
+
+From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+
+commit dddb342b5b9e482bb213aecc08cbdb201ea4f8da upstream.
+
+OverCurrent condition is not standardized in the UHCI spec.
+Zhaoxin UHCI controllers report OverCurrent bit active off.
+In order to handle OverCurrent condition correctly, the uhci-hcd
+driver needs to be told to expect the active-off behavior.
+
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230423105952.4526-1-WeitaoWang-oc@zhaoxin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/uhci-pci.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/uhci-pci.c
++++ b/drivers/usb/host/uhci-pci.c
+@@ -119,11 +119,13 @@ static int uhci_pci_init(struct usb_hcd
+ 
+       uhci->rh_numports = uhci_count_ports(hcd);
+ 
+-      /* Intel controllers report the OverCurrent bit active on.
+-       * VIA controllers report it active off, so we'll adjust the
+-       * bit value.  (It's not standardized in the UHCI spec.)
++      /*
++       * Intel controllers report the OverCurrent bit active on.  VIA
++       * and ZHAOXIN controllers report it active off, so we'll adjust
++       * the bit value.  (It's not standardized in the UHCI spec.)
+        */
+-      if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA)
++      if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA ||
++                      to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_ZHAOXIN)
+               uhci->oc_low = 1;
+ 
+       /* HP's server management chip requires a longer port reset delay. */

diff --git a/queue-5.4/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch b/queue-5.4/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
new file mode 100644 (file)
index 0000000..24835d8
--- /dev/null
+++ b/queue-5.4/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
@@ -0,0 +1,64 @@
+From 94d25e9128988c6a1fc9070f6e98215a95795bd8 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 1 May 2023 14:22:35 -0400
+Subject: USB: usbtmc: Fix direction for 0-length ioctl control messages
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 94d25e9128988c6a1fc9070f6e98215a95795bd8 upstream.
+
+The syzbot fuzzer found a problem in the usbtmc driver: When a user
+submits an ioctl for a 0-length control transfer, the driver does not
+check that the direction is set to OUT:
+
+------------[ cut here ]------------
+usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd
+WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
+Modules linked in:
+CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
+RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
+Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41
+RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000
+RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001
+RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528
+R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100
+FS:  0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
+ usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
+ usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153
+ usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]
+ usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097
+
+To fix this, we must override the direction in the bRequestType field
+of the control request structure when the length is 0.
+
+Reported-and-tested-by: syzbot+ce77725b89b7bd52425c@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/linux-usb/000000000000716a3705f9adb8ee@google.com/
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/ede1ee02-b718-49e7-a44c-51339fec706b@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usbtmc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -1898,6 +1898,8 @@ static int usbtmc_ioctl_request(struct u
+ 
+       if (request.req.wLength > USBTMC_BUFSIZE)
+               return -EMSGSIZE;
++      if (request.req.wLength == 0)   /* Length-0 requests are never IN */
++              request.req.bRequestType &= ~USB_DIR_IN;
+ 
+       is_in = request.req.bRequestType & USB_DIR_IN;
+