From b8da59393feafa9cf4874493d4bce814d0ffadb7 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 22 May 2023 18:45:20 +0100 Subject: [PATCH] 5.4-stable patches added patches: alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch alsa-hda-fix-oops-by-9.1-surround-channel-names.patch alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch can-kvaser_pciefd-empty-srb-buffer-in-probe.patch can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch ceph-force-updating-the-msg-pointer-in-non-split-case.patch kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch serial-add-support-for-advantech-pci-1611u-card.patch statfs-enforce-statfs-structure-initialization.patch usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch usb-typec-altmodes-displayport-fix-pin_assignment_show.patch usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch --- ...dec-ids-a3-through-a7-to-patch-table.patch | 38 ++ ...x-oops-by-9.1-surround-channel-names.patch | 57 +++ ...tek-add-a-quirk-for-hp-elitedesk-805.patch | 30 ++ ...realtek-add-quirk-for-2nd-asus-gu603.patch | 30 ++ ...9-recvmsg-allow-msg_cmsg_compat-flag.patch | 39 ++ ...quest_irq-before-enabling-interrupts.patch | 47 +++ ...only-bit-if-not-explicitly-requested.patch | 33 ++ ...sable-interrupts-in-probe-error-path.patch | 32 ++ ...send-eflush-command-on-tfd-interrupt.patch | 93 +++++ ...ser_pciefd-empty-srb-buffer-in-probe.patch | 71 ++++ ..._state_stopped-in-kvaser_pciefd_stop.patch | 33 ++ 
...ng-the-msg-pointer-in-non-split-case.patch | 46 +++ ...mpted-outside-instruction-boundaries.patch | 127 ++++++ ...support-for-advantech-pci-1611u-card.patch | 48 +++ queue-5.4/series | 20 + ...orce-statfs-structure-initialization.patch | 62 +++ ...sume-dwc3-before-accessing-registers.patch | 379 ++++++++++++++++++ ...scsi-command-timeouts-more-than-once.patch | 108 +++++ ...-displayport-fix-pin_assignment_show.patch | 53 +++ ...ci-controllers-overcurrent-bit-value.patch | 44 ++ ...-for-0-length-ioctl-control-messages.patch | 64 +++ 21 files changed, 1454 insertions(+) create mode 100644 queue-5.4/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch create mode 100644 queue-5.4/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch create mode 100644 queue-5.4/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch create mode 100644 queue-5.4/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch create mode 100644 queue-5.4/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch create mode 100644 queue-5.4/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch create mode 100644 queue-5.4/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch create mode 100644 queue-5.4/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch create mode 100644 queue-5.4/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch create mode 100644 queue-5.4/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch create mode 100644 queue-5.4/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch create mode 100644 queue-5.4/ceph-force-updating-the-msg-pointer-in-non-split-case.patch create mode 100644 queue-5.4/kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch create mode 100644 queue-5.4/serial-add-support-for-advantech-pci-1611u-card.patch create mode 100644 queue-5.4/statfs-enforce-statfs-structure-initialization.patch create mode 100644 
queue-5.4/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch create mode 100644 queue-5.4/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch create mode 100644 queue-5.4/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch create mode 100644 queue-5.4/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch create mode 100644 queue-5.4/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch diff --git a/queue-5.4/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch b/queue-5.4/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch new file mode 100644 index 00000000000..89562967af9 --- /dev/null +++ b/queue-5.4/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch 
@@ -0,0 +1,38 @@
+From dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 Mon Sep 17 00:00:00 2001
+From: Nikhil Mahale
+Date: Wed, 17 May 2023 14:37:36 +0530
+Subject: ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
+
+From: Nikhil Mahale
+
+commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream.
+
+These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with
+audio functions that are largely similar to the existing ones.
+
+Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST
+connections on AD106 gpu.
+
+Signed-off-by: Nikhil Mahale
+Cc:
+Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_hdmi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -4197,6 +4197,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI
+ HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi),
++HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP", patch_via_hdmi),
diff --git a/queue-5.4/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch b/queue-5.4/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
new file mode 100644
index 00000000000..75f57e7dd1b
--- /dev/null
+++ b/queue-5.4/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
@@ -0,0 +1,57 @@
+From 3b44ec8c5c44790a82f07e90db45643c762878c6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 16 May 2023 20:44:12 +0200
+Subject: ALSA: hda: Fix Oops by 9.1 surround channel names
+
+From: Takashi Iwai
+
+commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream.
+
+get_line_out_pfx() may trigger an Oops by overflowing the static array
+with more than 8 channels. This was reported for MacBookPro 12,1 with
+Cirrus codec.
+
+As a workaround, extend for the 9.1 channels and also fix the
+potential Oops by unifying the code paths accessing the same array
+with the proper size check.
+
+Reported-by: Olliver Schinagl
+Cc:
+Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl
+Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/hda_generic.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -1147,8 +1147,8 @@ static bool path_has_mixer(struct hda_co
+ return path && path->ctls[ctl_type];
+ }
+
+-static const char * const channel_name[4] = {
+- "Front", "Surround", "CLFE", "Side"
++static const char * const channel_name[] = {
++ "Front", "Surround", "CLFE", "Side", "Back",
+ };
+
+ /* give some appropriate ctl name prefix for the given line out channel */
+@@ -1174,7 +1174,7 @@ static const char *get_line_out_pfx(stru
+
+ /* multi-io channels */
+ if (ch >= cfg->line_outs)
+- return channel_name[ch];
++ goto fixed_name;
+
+ switch (cfg->line_out_type) {
+ case AUTO_PIN_SPEAKER_OUT:
+@@ -1226,6 +1226,7 @@ static const char *get_line_out_pfx(stru
+ if (cfg->line_outs == 1 && !spec->multi_ios)
+ return "Line Out";
+
++ fixed_name:
+ if (ch >= ARRAY_SIZE(channel_name)) {
+ snd_BUG();
+ return "PCM";
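Review bot: After this change the only thing keeping `ch` inside `channel_name[]` is the `ARRAY_SIZE(channel_name)` check under the new `fixed_name:` label, and nothing at the table records that. A comment above the array, e.g. `/* indexed by line-out channel; read only via the ARRAY_SIZE() check at fixed_name in get_line_out_pfx() */`, would keep a later direct `channel_name[ch]` from reintroducing the out-of-bounds read the commit message describes. The out-of-range branch still ends in `snd_BUG()`; going by the commit message the channel count comes from the codec's pin configuration, so it may be worth confirming that a bug trace is the intended response to a hardware-dependent value. get_line_out_pfx() begins and ends outside the three inner hunks.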
diff --git a/queue-5.4/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch b/queue-5.4/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
new file mode 100644
index 00000000000..edd8fb9c87a
--- /dev/null
+++ b/queue-5.4/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
@@ -0,0 +1,30 @@
+From 90670ef774a8b6700c38ce1222e6aa263be54d5f Mon Sep 17 00:00:00 2001
+From: Ai Chao
+Date: Sat, 6 May 2023 10:26:53 +0800
+Subject: ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
+
+From: Ai Chao
+
+commit 90670ef774a8b6700c38ce1222e6aa263be54d5f upstream.
+
+Add a quirk for HP EliteDesk 805 to fixup ALC3867 headset MIC no sound.
+
+Signed-off-by: Ai Chao
+Cc:
+Link: https://lore.kernel.org/r/20230506022653.2074343-1-aichao@kylinos.cn
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10342,6 +10342,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
++ SND_PCI_QUIRK(0x103c, 0x872b, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2),
diff --git a/queue-5.4/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch b/queue-5.4/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
new file mode 100644
index 00000000000..6c6ac155801
--- /dev/null
+++ b/queue-5.4/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
@@ -0,0 +1,30 @@
+From a4671b7fba59775845ee60cfbdfc4ba64300211b Mon Sep 17 00:00:00 2001
+From: "Luke D. Jones"
+Date: Sat, 6 May 2023 11:58:24 +1200
+Subject: ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
+
+From: Luke D. Jones
+
+commit a4671b7fba59775845ee60cfbdfc4ba64300211b upstream.
+
+Add quirk for GU603 with 0x1c62 variant of codec.
+
+Signed-off-by: Luke D. Jones
+Cc:
+Link: https://lore.kernel.org/r/20230505235824.49607-2-luke@ljones.dev
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8273,6 +8273,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
+ SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401),
diff --git a/queue-5.4/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch b/queue-5.4/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
new file mode 100644
index 00000000000..48a8c37e2f9
--- /dev/null
+++ b/queue-5.4/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
@@ -0,0 +1,39 @@
+From 1db080cbdbab28752bbb1c86d64daf96253a5da1 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Thu, 6 Apr 2023 13:08:45 +0200
+Subject: can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
+
+From: Oliver Hartkopp
+
+commit 1db080cbdbab28752bbb1c86d64daf96253a5da1 upstream.
+
+The control message provided by J1939 support MSG_CMSG_COMPAT but
+blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user
+space on 64 bit kernels.
+
+Link: https://github.com/hartkopp/can-isotp/issues/59
+Cc: Oleksij Rempel
+Suggested-by: Marc Kleine-Budde
+Signed-off-by: Oliver Hartkopp
+Tested-by: Oleksij Rempel
+Acked-by: Oleksij Rempel
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/20230505110308.81087-3-mkl@pengutronix.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/j1939/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -798,7 +798,7 @@ static int j1939_sk_recvmsg(struct socke
+ struct j1939_sk_buff_cb *skcb;
+ int ret = 0;
+
+- if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE))
++ if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
+ return -EINVAL;
+
+ if (flags & MSG_ERRQUEUE)
diff --git a/queue-5.4/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch b/queue-5.4/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
new file mode 100644
index 00000000000..052685deaf1
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
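Review bot: The mask in `j1939_sk_recvmsg()` is the allow-list for receive flags, and the new `MSG_CMSG_COMPAT` entry is unlike the other two in that, going by the commit message, it marks a call arriving from 32-bit user space on a 64-bit kernel rather than an option the application picks. A one-line comment above the check, e.g. `/* MSG_CMSG_COMPAT marks a compat (32-bit) caller; it must pass so cmsg data is laid out for it */`, would stop a later cleanup from dropping it or from widening the mask without thought. The rest of the function lies outside the hunk, so whether the control-message path honours the flag cannot be confirmed from here.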
@@ -0,0 +1,47 @@
+From 84762d8da89d29ba842317eb842973e628c27391 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Tue, 16 May 2023 15:43:15 +0200
+Subject: can: kvaser_pciefd: Call request_irq() before enabling interrupts
+
+From: Jimmy Assarsson
+
+commit 84762d8da89d29ba842317eb842973e628c27391 upstream.
+
+Make sure the interrupt handler is registered before enabling interrupts.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson
+Link: https://lore.kernel.org/r/20230516134318.104279-4-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/kvaser_pciefd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1823,6 +1823,11 @@ static int kvaser_pciefd_probe(struct pc
+ if (err)
+ goto err_teardown_can_ctrls;
+
++ err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
++ IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
++ if (err)
++ goto err_teardown_can_ctrls;
++
+ iowrite32(KVASER_PCIEFD_SRB_IRQ_DPD0 | KVASER_PCIEFD_SRB_IRQ_DPD1,
+ pcie->reg_base + KVASER_PCIEFD_SRB_IRQ_REG);
+
+@@ -1843,11 +1848,6 @@ static int kvaser_pciefd_probe(struct pc
+ iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1,
+ pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
+
+- err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
+- IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
+- if (err)
+- goto err_teardown_can_ctrls;
+-
+ err = kvaser_pciefd_reg_candev(pcie);
+ if (err)
+ goto err_free_irq;
diff --git a/queue-5.4/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch b/queue-5.4/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
new file mode 100644
index 00000000000..28929d9b1f7
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
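Review bot: Because the line is requested with `IRQF_SHARED`, `kvaser_pciefd_irq_handler` can be invoked as soon as the moved `request_irq()` returns, since another device on the same line may raise it; after this change that is before the `KVASER_PCIEFD_SRB_IRQ_REG` write and the rest of the setup that follows in kvaser_pciefd_probe(). The handler body is not visible here, so it should be confirmed that it returns without side effects when this device has nothing pending and that it touches nothing initialised later in probe. A comment at the new call, e.g. `/* shared line: the handler may run from here on, before device interrupts are enabled */`, would record that ordering requirement. kvaser_pciefd_probe() starts and ends outside both inner hunks.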
@@ -0,0 +1,33 @@
+From bf7ac55e991ca177f1ac16be51152f1ef291a4df Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Tue, 16 May 2023 15:43:14 +0200
+Subject: can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
+
+From: Jimmy Assarsson
+
+commit bf7ac55e991ca177f1ac16be51152f1ef291a4df upstream.
+
+The listen-only bit was never cleared, causing the controller to
+always use listen-only mode, if previously set.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson
+Link: https://lore.kernel.org/r/20230516134318.104279-3-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/kvaser_pciefd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -561,6 +561,8 @@ static void kvaser_pciefd_setup_controll
+
+ if (can->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
+ mode |= KVASER_PCIEFD_KCAN_MODE_LOM;
++ else
++ mode &= ~KVASER_PCIEFD_KCAN_MODE_LOM;
+
+ mode |= KVASER_PCIEFD_KCAN_MODE_EEN;
+ mode |= KVASER_PCIEFD_KCAN_MODE_EPEN;
diff --git a/queue-5.4/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch b/queue-5.4/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
new file mode 100644
index 00000000000..d8313e437d2
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
@@ -0,0 +1,32 @@
+From 11164bc39459335ab93c6e99d53b7e4292fba38b Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Tue, 16 May 2023 15:43:18 +0200
+Subject: can: kvaser_pciefd: Disable interrupts in probe error path
+
+From: Jimmy Assarsson
+
+commit 11164bc39459335ab93c6e99d53b7e4292fba38b upstream.
+
+Disable interrupts in error path of probe function.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson
+Link: https://lore.kernel.org/r/20230516134318.104279-7-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/kvaser_pciefd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1859,6 +1859,8 @@ static int kvaser_pciefd_probe(struct pc
+ return 0;
+
+ err_free_irq:
++ /* Disable PCI interrupts */
++ iowrite32(0, pcie->reg_base + KVASER_PCIEFD_IEN_REG);
+ free_irq(pcie->pci->irq, pcie);
+
+ err_teardown_can_ctrls:
diff --git a/queue-5.4/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch b/queue-5.4/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
new file mode 100644
index 00000000000..5675b50953f
--- /dev/null
+++ b/queue-5.4/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
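Review bot: The added `iowrite32(0, pcie->reg_base + KVASER_PCIEFD_IEN_REG)` is followed directly by `free_irq()` with no read-back, and an MMIO write may be posted, so the device may not yet have seen the disable when the handler is removed from what an earlier patch in this series shows to be a shared line. If that can happen on this hardware (not determinable from the hunk), a flushing read between the two calls, `ioread32(pcie->reg_base + KVASER_PCIEFD_IEN_REG);`, would close the gap. It is also worth checking that the normal remove path, which is outside this hunk, disables interrupts in the same order. kvaser_pciefd_probe() starts and ends outside the hunk.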
@@ -0,0 +1,93 @@ +From 262d7a52ba27525e3c1203230c9f0524e48bbb34 Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:17 +0200 +Subject: can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt + +From: Jimmy Assarsson + +commit 262d7a52ba27525e3c1203230c9f0524e48bbb34 upstream. + +Under certain circumstances we send two EFLUSH commands, resulting in two +EFLUSH ack packets, while only expecting a single EFLUSH ack. +This can cause the driver Tx flush completion to get out of sync. + +To avoid this problem, don't enable the "Transmit buffer flush done" (TFD) +interrupt and remove the code handling it. +Now we only send EFLUSH command after receiving status packet with +"Init detected" (IDET) bit set. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-6-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 21 ++++----------------- + 1 file changed, 4 insertions(+), 17 deletions(-) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -533,7 +533,7 @@ static int kvaser_pciefd_set_tx_irq(stru + KVASER_PCIEFD_KCAN_IRQ_TOF | KVASER_PCIEFD_KCAN_IRQ_ABD | + KVASER_PCIEFD_KCAN_IRQ_TAE | KVASER_PCIEFD_KCAN_IRQ_TAL | + KVASER_PCIEFD_KCAN_IRQ_FDIC | KVASER_PCIEFD_KCAN_IRQ_BPP | +- KVASER_PCIEFD_KCAN_IRQ_TAR | KVASER_PCIEFD_KCAN_IRQ_TFD; ++ KVASER_PCIEFD_KCAN_IRQ_TAR; + + iowrite32(msk, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + +@@ -581,7 +581,7 @@ static void kvaser_pciefd_start_controll + + spin_lock_irqsave(&can->lock, irq); + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + status = ioread32(can->reg_base + 
KVASER_PCIEFD_KCAN_STAT_REG); +@@ -624,7 +624,7 @@ static int kvaser_pciefd_bus_on(struct k + iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); + +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + mode = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_MODE_REG); +@@ -1009,8 +1009,7 @@ static int kvaser_pciefd_setup_can_ctrls + SET_NETDEV_DEV(netdev, &pcie->pci->dev); + + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | +- KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + pcie->can[i] = can; +@@ -1439,9 +1438,6 @@ static int kvaser_pciefd_handle_status_p + cmd = KVASER_PCIEFD_KCAN_CMD_AT; + cmd |= ++can->cmd_seq << KVASER_PCIEFD_KCAN_CMD_SEQ_SHIFT; + iowrite32(cmd, can->reg_base + KVASER_PCIEFD_KCAN_CMD_REG); +- +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_TFD, +- can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + } else if (p->header[0] & KVASER_PCIEFD_SPACK_IDET && + p->header[0] & KVASER_PCIEFD_SPACK_IRM && + cmdseq == (p->header[1] & KVASER_PCIEFD_PACKET_SEQ_MSK) && +@@ -1730,15 +1726,6 @@ static int kvaser_pciefd_transmit_irq(st + if (irq & KVASER_PCIEFD_KCAN_IRQ_TOF) + netdev_err(can->can.dev, "Tx FIFO overflow\n"); + +- if (irq & KVASER_PCIEFD_KCAN_IRQ_TFD) { +- u8 count = ioread32(can->reg_base + +- KVASER_PCIEFD_KCAN_TX_NPACKETS_REG) & 0xff; +- +- if (count == 0) +- iowrite32(KVASER_PCIEFD_KCAN_CTRL_EFLUSH, +- can->reg_base + KVASER_PCIEFD_KCAN_CTRL_REG); +- } +- + if (irq & KVASER_PCIEFD_KCAN_IRQ_BPP) + netdev_err(can->can.dev, + "Fail to change bittiming, when not in reset mode\n"); diff --git a/queue-5.4/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch b/queue-5.4/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch new file mode 100644 index 00000000000..d33cab9b134 
--- /dev/null +++ b/queue-5.4/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch 
@@ -0,0 +1,71 @@ +From c589557dd1426f5adf90c7a919d4fde5a3e4ef64 Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:16 +0200 +Subject: can: kvaser_pciefd: Empty SRB buffer in probe + +From: Jimmy Assarsson + +commit c589557dd1426f5adf90c7a919d4fde5a3e4ef64 upstream. + +Empty the "Shared receive buffer" (SRB) in probe, to assure we start in a +known state, and don't process any irrelevant packets. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-5-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -70,10 +70,12 @@ MODULE_DESCRIPTION("CAN driver for Kvase + #define KVASER_PCIEFD_SYSID_BUILD_REG (KVASER_PCIEFD_SYSID_BASE + 0x14) + /* Shared receive buffer registers */ + #define KVASER_PCIEFD_SRB_BASE 0x1f200 ++#define KVASER_PCIEFD_SRB_FIFO_LAST_REG (KVASER_PCIEFD_SRB_BASE + 0x1f4) + #define KVASER_PCIEFD_SRB_CMD_REG (KVASER_PCIEFD_SRB_BASE + 0x200) + #define KVASER_PCIEFD_SRB_IEN_REG (KVASER_PCIEFD_SRB_BASE + 0x204) + #define KVASER_PCIEFD_SRB_IRQ_REG (KVASER_PCIEFD_SRB_BASE + 0x20c) + #define KVASER_PCIEFD_SRB_STAT_REG (KVASER_PCIEFD_SRB_BASE + 0x210) ++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG (KVASER_PCIEFD_SRB_BASE + 0x214) + #define KVASER_PCIEFD_SRB_CTRL_REG (KVASER_PCIEFD_SRB_BASE + 0x218) + /* EPCS flash controller registers */ + #define KVASER_PCIEFD_SPI_BASE 0x1fc00 +@@ -110,6 +112,9 @@ MODULE_DESCRIPTION("CAN driver for Kvase + /* DMA support */ + #define KVASER_PCIEFD_SRB_STAT_DMA BIT(24) + ++/* SRB current packet level */ ++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK 0xff ++ + /* DMA Enable */ + #define KVASER_PCIEFD_SRB_CTRL_DMA_ENABLE BIT(0) + +@@ -1053,6 +1058,7 @@ 
static int kvaser_pciefd_setup_dma(struc + { + int i; + u32 srb_status; ++ u32 srb_packet_count; + dma_addr_t dma_addr[KVASER_PCIEFD_DMA_COUNT]; + + /* Disable the DMA */ +@@ -1080,6 +1086,15 @@ static int kvaser_pciefd_setup_dma(struc + KVASER_PCIEFD_SRB_CMD_RDB1, + pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG); + ++ /* Empty Rx FIFO */ ++ srb_packet_count = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG) & ++ KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK; ++ while (srb_packet_count) { ++ /* Drop current packet in FIFO */ ++ ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_FIFO_LAST_REG); ++ srb_packet_count--; ++ } ++ + srb_status = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_STAT_REG); + if (!(srb_status & KVASER_PCIEFD_SRB_STAT_DI)) { + dev_err(&pcie->pci->dev, "DMA not idle before enabling\n"); diff --git a/queue-5.4/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch b/queue-5.4/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch new file mode 100644 index 00000000000..dcd395624b6 --- /dev/null +++ b/queue-5.4/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch 
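Review bot: `srb_packet_count` is sampled once from `KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG` and the loop then pops exactly that many entries, so anything the device queues while the drain runs stays in the FIFO, and the known state the commit message aims for holds only if nothing can arrive at that point. The hunk shows a "Disable the DMA" step earlier in kvaser_pciefd_setup_dma(), but whether that also stops reception is not visible; a comment stating the assumption, e.g. `/* Rx is quiesced here, so one sample of the packet count is sufficient */`, would make it checkable. The single sample masked with `KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK` does bound the loop at 255 register reads, which should be preserved if the loop is ever changed to re-read the count. The function continues outside the hunk.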
@@ -0,0 +1,33 @@
+From aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Tue, 16 May 2023 15:43:13 +0200
+Subject: can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
+
+From: Jimmy Assarsson
+
+commit aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 upstream.
+
+Set can.state to CAN_STATE_STOPPED in kvaser_pciefd_stop().
+Without this fix, wrong CAN state was repported after the interface was
+brought down.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jimmy Assarsson
+Link: https://lore.kernel.org/r/20230516134318.104279-2-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/kvaser_pciefd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -719,6 +719,7 @@ static int kvaser_pciefd_stop(struct net
+ iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
+ del_timer(&can->bec_poll_timer);
+ }
++ can->can.state = CAN_STATE_STOPPED;
+ close_candev(netdev);
+
+ return ret;
diff --git a/queue-5.4/ceph-force-updating-the-msg-pointer-in-non-split-case.patch b/queue-5.4/ceph-force-updating-the-msg-pointer-in-non-split-case.patch
new file mode 100644
index 00000000000..0d400fd4754
--- /dev/null
+++ b/queue-5.4/ceph-force-updating-the-msg-pointer-in-non-split-case.patch
@@ -0,0 +1,46 @@
+From 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Thu, 18 May 2023 09:47:23 +0800
+Subject: ceph: force updating the msg pointer in non-split case
+
+From: Xiubo Li
+
+commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream.
+
+When the MClientSnap reqeust's op is not CEPH_SNAP_OP_SPLIT the
+request may still contain a list of 'split_realms', and we need
+to skip it anyway. Or it will be parsed as a corrupt snaptrace.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/61200
+Reported-by: Frank Schilder
+Signed-off-by: Xiubo Li
+Reviewed-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/snap.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -1005,6 +1005,19 @@ skip_inode:
+ continue;
+ adjust_snap_realm_parent(mdsc, child, realm->ino);
+ }
++ } else {
++ /*
++ * In the non-split case both 'num_split_inos' and
++ * 'num_split_realms' should be 0, making this a no-op.
++ * However the MDS happens to populate 'split_realms' list
++ * in one of the UPDATE op cases by mistake.
++ *
++ * Skip both lists just in case to ensure that 'p' is
++ * positioned at the start of realm info, as expected by
++ * ceph_update_snap_trace().
++ */
++ p += sizeof(u64) * num_split_inos;
++ p += sizeof(u64) * num_split_realms;
+ }
+
+ /*
diff --git a/queue-5.4/kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch b/queue-5.4/kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch
new file mode 100644
index 00000000000..7776a88dfb7
--- /dev/null
+++ b/queue-5.4/kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch
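Review bot: The new `else` branch advances `p` by `sizeof(u64) * num_split_inos` and `sizeof(u64) * num_split_realms` with no check against the end of the message, although the added comment itself says the peer can populate these lists when it should not, so both counts have to be treated as untrusted. Unless the decode that follows in `ceph_update_snap_trace()` rejects a `p` that already lies past the end (not visible in this hunk), the skip should be bounds-checked first, e.g. `ceph_decode_need(&p, END, sizeof(u64) * (num_split_inos + num_split_realms), BAD_LABEL);`, where END and BAD_LABEL are placeholders for the function's own end pointer and error label. The types of the two counts are declared outside the hunk, so whether the multiplication can wrap on a 32-bit build also needs confirming. The enclosing function starts and ends outside the hunk.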
@@ -0,0 +1,127 @@ +From 6cd88243c7e03845a450795e134b488fc2afb736 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 7 Jun 2022 10:09:03 -0400 +Subject: KVM: x86: do not report a vCPU as preempted outside instruction boundaries + +From: Paolo Bonzini + +commit 6cd88243c7e03845a450795e134b488fc2afb736 upstream. + +If a vCPU is outside guest mode and is scheduled out, it might be in the +process of making a memory access. A problem occurs if another vCPU uses +the PV TLB flush feature during the period when the vCPU is scheduled +out, and a virtual address has already been translated but has not yet +been accessed, because this is equivalent to using a stale TLB entry. + +To avoid this, only report a vCPU as preempted if sure that the guest +is at an instruction boundary. A rescheduling request will be delivered +to the host physical CPU as an external interrupt, so for simplicity +consider any vmexit *not* instruction boundary except for external +interrupts. + +It would in principle be okay to report the vCPU as preempted also +if it is sleeping in kvm_vcpu_block(): a TLB flush IPI will incur the +vmentry/vmexit overhead unnecessarily, and optimistic spinning is +also unlikely to succeed. However, leave it for later because right +now kvm_vcpu_check_block() is doing memory accesses. Even +though the TLB flush issue only applies to virtual memory address, +it's very much preferrable to be conservative. 
+ +Reported-by: Jann Horn +Signed-off-by: Paolo Bonzini +[OP: use VCPU_STAT() for debugfs entries] +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 3 +++ + arch/x86/kvm/svm.c | 3 ++- + arch/x86/kvm/vmx/vmx.c | 1 + + arch/x86/kvm/x86.c | 22 ++++++++++++++++++++++ + 4 files changed, 28 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -563,6 +563,7 @@ struct kvm_vcpu_arch { + u64 ia32_misc_enable_msr; + u64 smbase; + u64 smi_count; ++ bool at_instruction_boundary; + bool tpr_access_reporting; + u64 ia32_xss; + u64 microcode_version; +@@ -981,6 +982,8 @@ struct kvm_vcpu_stat { + u64 irq_injections; + u64 nmi_injections; + u64 req_event; ++ u64 preemption_reported; ++ u64 preemption_other; + }; + + struct x86_instruction_info; +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -6246,7 +6246,8 @@ out: + + static void svm_handle_exit_irqoff(struct kvm_vcpu *vcpu) + { +- ++ if (to_svm(vcpu)->vmcb->control.exit_code == SVM_EXIT_INTR) ++ vcpu->arch.at_instruction_boundary = true; + } + + static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu) +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -6358,6 +6358,7 @@ static void handle_external_interrupt_ir + ); + + kvm_after_interrupt(vcpu); ++ vcpu->arch.at_instruction_boundary = true; + } + STACK_FRAME_NON_STANDARD(handle_external_interrupt_irqoff); + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -207,6 +207,8 @@ struct kvm_stats_debugfs_item debugfs_en + { "nmi_injections", VCPU_STAT(nmi_injections) }, + { "req_event", VCPU_STAT(req_event) }, + { "l1d_flush", VCPU_STAT(l1d_flush) }, ++ { "preemption_reported", VCPU_STAT(preemption_reported) }, ++ { "preemption_other", VCPU_STAT(preemption_other) }, + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) }, + { "mmu_pte_write", VM_STAT(mmu_pte_write) }, + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) }, +@@ -3562,6 +3564,19 @@ static 
void kvm_steal_time_set_preempted + struct kvm_host_map map; + struct kvm_steal_time *st; + ++ /* ++ * The vCPU can be marked preempted if and only if the VM-Exit was on ++ * an instruction boundary and will not trigger guest emulation of any ++ * kind (see vcpu_run). Vendor specific code controls (conservatively) ++ * when this is true, for example allowing the vCPU to be marked ++ * preempted if and only if the VM-Exit was due to a host interrupt. ++ */ ++ if (!vcpu->arch.at_instruction_boundary) { ++ vcpu->stat.preemption_other++; ++ return; ++ } ++ ++ vcpu->stat.preemption_reported++; + if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED)) + return; + +@@ -8446,6 +8461,13 @@ static int vcpu_run(struct kvm_vcpu *vcp + vcpu->arch.l1tf_flush_l1d = true; + + for (;;) { ++ /* ++ * If another guest vCPU requests a PV TLB flush in the middle ++ * of instruction emulation, the rest of the emulation could ++ * use a stale page translation. Assume that any code after ++ * this point can start executing an instruction. ++ */ ++ vcpu->arch.at_instruction_boundary = false; + if (kvm_vcpu_running(vcpu)) { + r = vcpu_enter_guest(vcpu); + } else { diff --git a/queue-5.4/serial-add-support-for-advantech-pci-1611u-card.patch b/queue-5.4/serial-add-support-for-advantech-pci-1611u-card.patch new file mode 100644 index 00000000000..359b9ee78b9 --- /dev/null +++ b/queue-5.4/serial-add-support-for-advantech-pci-1611u-card.patch 
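Review bot: In the kvm_steal_time_set_preempted hunk, `vcpu->stat.preemption_reported++` runs before the `KVM_MSR_ENABLED` test, so the counter also counts preemptions of guests that never enabled steal time and for which nothing is written. If that is intended, a comment on the increment such as `/* counts eligible preemptions, whether or not the guest enabled steal time */` would keep the debugfs value from being misread. Otherwise the increment belongs after the check. The function body continues past the hunk, so any later early return is not visible here.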
@@ -0,0 +1,48 @@ +From d2b00516de0e1d696724247098f6733a6ea53908 Mon Sep 17 00:00:00 2001 +From: Vitaliy Tomin +Date: Sun, 23 Apr 2023 11:45:12 +0800 +Subject: serial: Add support for Advantech PCI-1611U card + +From: Vitaliy Tomin + +commit d2b00516de0e1d696724247098f6733a6ea53908 upstream. + +Add support for Advantech PCI-1611U card + +Advantech provides opensource drivers for this and many others card +based on legacy copy of 8250_pci driver called adv950 + +https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ + +It is hard to maintain to run as out of tree module on newer kernels. +Just adding PCI ID to kernel 8250_pci works perfect. + +Signed-off-by: Vitaliy Tomin +Cc: stable +Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1837,6 +1837,8 @@ pci_moxa_setup(struct serial_private *pr + #define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530 + #define PCI_VENDOR_ID_ADVANTECH 0x13fe + #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66 ++#define PCI_DEVICE_ID_ADVANTECH_PCI1600 0x1600 ++#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611 0x1611 + #define PCI_DEVICE_ID_ADVANTECH_PCI3620 0x3620 + #define PCI_DEVICE_ID_ADVANTECH_PCI3618 0x3618 + #define PCI_DEVICE_ID_ADVANTECH_PCIf618 0xf618 +@@ -4157,6 +4159,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_op + pciserial_resume_one); + + static const struct pci_device_id serial_pci_tbl[] = { ++ { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600, ++ PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0, ++ pbn_b0_4_921600 }, + /* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */ + { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620, + PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0, 
diff --git a/queue-5.4/series b/queue-5.4/series
index f0965ed56f0..341637ae34e 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -78,3 +78,23 @@ wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
 cassini-fix-a-memory-leak-in-the-error-handling-path.patch
 igb-fix-bit_shift-to-be-in-1.8-range.patch
 vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
+usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch
+usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch
+usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch
+usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch
+usb-typec-altmodes-displayport-fix-pin_assignment_show.patch
+alsa-hda-fix-oops-by-9.1-surround-channel-names.patch
+alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch
+alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch
+alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch
+can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch
+can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch
+can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch
+can-kvaser_pciefd-empty-srb-buffer-in-probe.patch
+can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch
+can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch
+can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch
+kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch
+statfs-enforce-statfs-structure-initialization.patch
+serial-add-support-for-advantech-pci-1611u-card.patch
+ceph-force-updating-the-msg-pointer-in-non-split-case.patch
diff --git a/queue-5.4/statfs-enforce-statfs-structure-initialization.patch b/queue-5.4/statfs-enforce-statfs-structure-initialization.patch
new file mode 100644
index 00000000000..df17846c024
--- /dev/null
+++ b/queue-5.4/statfs-enforce-statfs-structure-initialization.patch
@@ -0,0 +1,62 @@ +From ed40866ec7d328b3dfb70db7e2011640a16202c3 Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich +Date: Thu, 4 May 2023 16:40:20 +0200 +Subject: statfs: enforce statfs[64] structure initialization + +From: Ilya Leoshkevich + +commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream. + +s390's struct statfs and struct statfs64 contain padding, which +field-by-field copying does not set. Initialize the respective structs +with zeros before filling them and copying them to userspace, like it's +already done for the compat versions of these structs. + +Found by KMSAN. + +[agordeev@linux.ibm.com: fixed typo in patch description] +Acked-by: Heiko Carstens +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Ilya Leoshkevich +Reviewed-by: Andrew Morton +Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + fs/statfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/statfs.c ++++ b/fs/statfs.c +@@ -128,6 +128,7 @@ static int do_statfs_native(struct kstat + if (sizeof(buf) == sizeof(*st)) + memcpy(&buf, st, sizeof(*st)); + else { ++ memset(&buf, 0, sizeof(buf)); + if (sizeof buf.f_blocks == 4) { + if ((st->f_blocks | st->f_bfree | st->f_bavail | + st->f_bsize | st->f_frsize) & +@@ -156,7 +157,6 @@ static int do_statfs_native(struct kstat + buf.f_namelen = st->f_namelen; + buf.f_frsize = st->f_frsize; + buf.f_flags = st->f_flags; +- memset(buf.f_spare, 0, sizeof(buf.f_spare)); + } + if (copy_to_user(p, &buf, sizeof(buf))) + return -EFAULT; +@@ -169,6 +169,7 @@ static int do_statfs64(struct kstatfs *s + if (sizeof(buf) == sizeof(*st)) + memcpy(&buf, st, sizeof(*st)); + else { ++ memset(&buf, 0, sizeof(buf)); + buf.f_type = st->f_type; + buf.f_bsize = st->f_bsize; + buf.f_blocks = st->f_blocks; +@@ -180,7 +181,6 @@ static int do_statfs64(struct kstatfs *s + buf.f_namelen = st->f_namelen; + buf.f_frsize = st->f_frsize; + buf.f_flags = 
st->f_flags; +- memset(buf.f_spare, 0, sizeof(buf.f_spare)); + } + if (copy_to_user(p, &buf, sizeof(buf))) + return -EFAULT; diff --git a/queue-5.4/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch b/queue-5.4/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch new file mode 100644 index 00000000000..1b171cc61c6 --- /dev/null +++ b/queue-5.4/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch 
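Review bot: The new `memset(&buf, 0, sizeof(buf))` in do_statfs_native and do_statfs64 has no comment saying it exists to clear padding bytes before `copy_to_user()`, so a later cleanup could easily narrow it back to `f_spare`. A one-line comment above each call, e.g. `/* zero padding too: buf is copied to userspace in full */`, would record the reason. The `memcpy(&buf, st, sizeof(*st))` branch is untouched and relies on `*st` having been fully initialised by the caller, which is outside these hunks and worth confirming.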
@@ -0,0 +1,379 @@ +From 614ce6a2ea50068b45339257891e51e639ac9001 Mon Sep 17 00:00:00 2001 +From: Udipto Goswami +Date: Tue, 9 May 2023 20:18:36 +0530 +Subject: usb: dwc3: debugfs: Resume dwc3 before accessing registers + +From: Udipto Goswami + +commit 614ce6a2ea50068b45339257891e51e639ac9001 upstream. + +When the dwc3 device is runtime suspended, various required clocks are in +disabled state and it is not guaranteed that access to any registers would +work. Depending on the SoC glue, a register read could be as benign as +returning 0 or be fatal enough to hang the system. + +In order to prevent such scenarios of fatal errors, make sure to resume +dwc3 then allow the function to proceed. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable@vger.kernel.org #3.2: 30332eeefec8: debugfs: regset32: Add Runtime PM support +Signed-off-by: Udipto Goswami +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20230509144836.6803-1-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/debugfs.c | 109 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 109 insertions(+) + +--- a/drivers/usb/dwc3/debugfs.c ++++ b/drivers/usb/dwc3/debugfs.c +@@ -327,6 +327,11 @@ static int dwc3_lsp_show(struct seq_file + unsigned int current_mode; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); +@@ -345,6 +350,8 @@ static int dwc3_lsp_show(struct seq_file + } + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -390,6 +397,11 @@ static int dwc3_mode_show(struct seq_fil + struct dwc3 *dwc = s->private; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, 
flags); + reg = dwc3_readl(dwc->regs, DWC3_GCTL); +@@ -409,6 +421,8 @@ static int dwc3_mode_show(struct seq_fil + seq_printf(s, "UNKNOWN %08x\n", DWC3_GCTL_PRTCAP(reg)); + } + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -455,6 +469,11 @@ static int dwc3_testmode_show(struct seq + struct dwc3 *dwc = s->private; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_DCTL); +@@ -485,6 +504,8 @@ static int dwc3_testmode_show(struct seq + seq_printf(s, "UNKNOWN %d\n", reg); + } + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -501,6 +522,7 @@ static ssize_t dwc3_testmode_write(struc + unsigned long flags; + u32 testmode = 0; + char buf[32]; ++ int ret; + + if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) + return -EFAULT; +@@ -518,10 +540,16 @@ static ssize_t dwc3_testmode_write(struc + else + testmode = 0; + ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; ++ + spin_lock_irqsave(&dwc->lock, flags); + dwc3_gadget_set_test_mode(dwc, testmode); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return count; + } + +@@ -540,12 +568,18 @@ static int dwc3_link_state_show(struct s + enum dwc3_link_state state; + u32 reg; + u8 speed; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); + if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) { + seq_puts(s, "Not available\n"); + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return 0; + } + +@@ -558,6 +592,8 @@ static int dwc3_link_state_show(struct s + dwc3_gadget_hs_link_string(state)); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -576,6 +612,7 @@ static 
ssize_t dwc3_link_state_write(str + char buf[32]; + u32 reg; + u8 speed; ++ int ret; + + if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) + return -EFAULT; +@@ -595,10 +632,15 @@ static ssize_t dwc3_link_state_write(str + else + return -EINVAL; + ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; ++ + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); + if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) { + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return -EINVAL; + } + +@@ -608,12 +650,15 @@ static ssize_t dwc3_link_state_write(str + if (speed < DWC3_DSTS_SUPERSPEED && + state != DWC3_LINK_STATE_RECOV) { + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return -EINVAL; + } + + dwc3_gadget_set_link_state(dwc, state); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return count; + } + +@@ -636,6 +681,11 @@ static int dwc3_tx_fifo_size_show(struct + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_TXFIFO); +@@ -646,6 +696,8 @@ static int dwc3_tx_fifo_size_show(struct + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -655,6 +707,11 @@ static int dwc3_rx_fifo_size_show(struct + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXFIFO); +@@ -665,6 +722,8 @@ static int dwc3_rx_fifo_size_show(struct + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ 
-674,12 +733,19 @@ static int dwc3_tx_request_queue_show(st + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_TXREQQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -689,12 +755,19 @@ static int dwc3_rx_request_queue_show(st + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXREQQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -704,12 +777,19 @@ static int dwc3_rx_info_queue_show(struc + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXINFOQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -719,12 +799,19 @@ static int dwc3_descriptor_fetch_queue_s + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_DESCFETCHQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -734,12 +821,19 @@ static int dwc3_event_queue_show(struct + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + 
spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_EVENTQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -785,6 +879,11 @@ static int dwc3_trb_ring_show(struct seq + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + int i; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + if (dep->number <= 1) { +@@ -814,6 +913,8 @@ static int dwc3_trb_ring_show(struct seq + out: + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -826,6 +927,11 @@ static int dwc3_ep_info_register_show(st + u32 lower_32_bits; + u32 upper_32_bits; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = DWC3_GDBGLSPMUX_EPSELECT(dep->number); +@@ -838,6 +944,8 @@ static int dwc3_ep_info_register_show(st + seq_printf(s, "0x%016llx\n", ep_info); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -899,6 +1007,7 @@ void dwc3_debugfs_init(struct dwc3 *dwc) + dwc->regset->regs = dwc3_regs; + dwc->regset->nregs = ARRAY_SIZE(dwc3_regs); + dwc->regset->base = dwc->regs - DWC3_GLOBALS_REGS_START; ++ dwc->regset->dev = dwc->dev; + + root = debugfs_create_dir(dev_name(dwc->dev), NULL); + dwc->root = root; diff --git a/queue-5.4/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch b/queue-5.4/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch new file mode 100644 index 00000000000..121a3baad71 --- /dev/null +++ b/queue-5.4/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch 
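Review bot: This backport depends on two things the 5.4 tree must already provide: `pm_runtime_resume_and_get()`, called in every show/write handler, and the `dev` member of `struct debugfs_regset32`, assigned in dwc3_debugfs_init by `dwc->regset->dev = dwc->dev;`. The Cc: line names 30332eeefec8 as the prerequisite for the latter, and none of the series entries added by this commit supplies it, so its presence in the earlier part of queue-5.4 or in the 5.4 base should be confirmed before this is applied. Separately, the same resume/put pair is pasted into each handler. The early-return paths visible in dwc3_link_state_show and dwc3_link_state_write each drop the reference, but a return added later could easily miss the put.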
@@ -0,0 +1,108 @@ +From a398d5eac6984316e71474e25b975688f282379b Mon Sep 17 00:00:00 2001 +From: Maxime Bizon +Date: Fri, 5 May 2023 13:47:59 +0200 +Subject: usb-storage: fix deadlock when a scsi command timeouts more than once + +From: Maxime Bizon + +commit a398d5eac6984316e71474e25b975688f282379b upstream. + +With faulty usb-storage devices, read/write can timeout, in that case +the SCSI layer will abort and re-issue the command. USB storage has no +internal timeout, it relies on SCSI layer aborting commands via +.eh_abort_handler() for non those responsive devices. + +After two consecutive timeouts of the same command, SCSI layer calls +.eh_device_reset_handler(), without calling .eh_abort_handler() first. + +With usb-storage, this causes a deadlock: + + -> .eh_device_reset_handler + -> device_reset + -> mutex_lock(&(us->dev_mutex)); + +mutex already by usb_stor_control_thread(), which is waiting for +command completion: + + -> usb_stor_control_thread (mutex taken here) + -> usb_stor_invoke_transport + -> usb_stor_Bulk_transport + -> usb_stor_bulk_srb + -> usb_stor_bulk_transfer_sglist + -> usb_sg_wait + +Make sure we cancel any pending command in .eh_device_reset_handler() +to avoid this. 
+ +Signed-off-by: Maxime Bizon +Cc: linux-usb@vger.kernel.org +Cc: stable +Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/ +Reviewed-by: Alan Stern +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/scsiglue.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -407,22 +407,25 @@ static DEF_SCSI_QCMD(queuecommand) + ***********************************************************************/ + + /* Command timeout and abort */ +-static int command_abort(struct scsi_cmnd *srb) ++static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match) + { +- struct us_data *us = host_to_us(srb->device->host); +- +- usb_stor_dbg(us, "%s called\n", __func__); +- + /* + * us->srb together with the TIMED_OUT, RESETTING, and ABORTING + * bits are protected by the host lock. + */ + scsi_lock(us_to_host(us)); + +- /* Is this command still active? */ +- if (us->srb != srb) { ++ /* is there any active pending command to abort ? */ ++ if (!us->srb) { + scsi_unlock(us_to_host(us)); + usb_stor_dbg(us, "-- nothing to abort\n"); ++ return SUCCESS; ++ } ++ ++ /* Does the command match the passed srb if any ? 
*/ ++ if (srb_match && us->srb != srb_match) { ++ scsi_unlock(us_to_host(us)); ++ usb_stor_dbg(us, "-- pending command mismatch\n"); + return FAILED; + } + +@@ -445,6 +448,14 @@ static int command_abort(struct scsi_cmn + return SUCCESS; + } + ++static int command_abort(struct scsi_cmnd *srb) ++{ ++ struct us_data *us = host_to_us(srb->device->host); ++ ++ usb_stor_dbg(us, "%s called\n", __func__); ++ return command_abort_matching(us, srb); ++} ++ + /* + * This invokes the transport reset mechanism to reset the state of the + * device +@@ -456,6 +467,9 @@ static int device_reset(struct scsi_cmnd + + usb_stor_dbg(us, "%s called\n", __func__); + ++ /* abort any pending command before reset */ ++ command_abort_matching(us, NULL); ++ + /* lock the device pointers and do the reset */ + mutex_lock(&(us->dev_mutex)); + result = us->transport_reset(us); diff --git a/queue-5.4/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch b/queue-5.4/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch new file mode 100644 index 00000000000..0c243d60a5a --- /dev/null +++ b/queue-5.4/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch 
@@ -0,0 +1,53 @@ +From d8f28269dd4bf9b55c3fb376ae31512730a96fce Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Mon, 8 May 2023 21:44:43 +0000 +Subject: usb: typec: altmodes/displayport: fix pin_assignment_show + +From: Badhri Jagan Sridharan + +commit d8f28269dd4bf9b55c3fb376ae31512730a96fce upstream. + +This patch fixes negative indexing of buf array in pin_assignment_show +when get_current_pin_assignments returns 0 i.e. no compatible pin +assignments are found. + +BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c +... +Call trace: +dump_backtrace+0x110/0x204 +dump_stack_lvl+0x84/0xbc +print_report+0x358/0x974 +kasan_report+0x9c/0xfc +__do_kernel_fault+0xd4/0x2d4 +do_bad_area+0x48/0x168 +do_tag_check_fault+0x24/0x38 +do_mem_abort+0x6c/0x14c +el1_abort+0x44/0x68 +el1h_64_sync_handler+0x64/0xa4 +el1h_64_sync+0x78/0x7c +pin_assignment_show+0x26c/0x33c +dev_attr_show+0x50/0xc0 + +Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode") +Cc: stable@vger.kernel.org +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20230508214443.893436-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/altmodes/displayport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/typec/altmodes/displayport.c ++++ b/drivers/usb/typec/altmodes/displayport.c +@@ -501,6 +501,10 @@ static ssize_t pin_assignment_show(struc + + mutex_unlock(&dp->lock); + ++ /* get_current_pin_assignments can return 0 when no matching pin assignments are found */ ++ if (len == 0) ++ len++; ++ + buf[len - 1] = '\n'; + return len; + } diff --git a/queue-5.4/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch b/queue-5.4/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch new file mode 100644 index 00000000000..9088bc78a18 --- /dev/null +++ b/queue-5.4/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch 
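Review bot: The added comment says when `len` can be 0 but not why that matters: with `len == 0` the following `buf[len - 1] = '\n'` writes one byte before the start of `buf`. I would reword it to `/* len == 0 would make buf[len - 1] below write before buf */` so the guard is not later removed as redundant. pin_assignment_show starts outside the hunk.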
@@ -0,0 +1,44 @@ +From dddb342b5b9e482bb213aecc08cbdb201ea4f8da Mon Sep 17 00:00:00 2001 +From: Weitao Wang +Date: Sun, 23 Apr 2023 18:59:52 +0800 +Subject: USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value + +From: Weitao Wang + +commit dddb342b5b9e482bb213aecc08cbdb201ea4f8da upstream. + +OverCurrent condition is not standardized in the UHCI spec. +Zhaoxin UHCI controllers report OverCurrent bit active off. +In order to handle OverCurrent condition correctly, the uhci-hcd +driver needs to be told to expect the active-off behavior. + +Suggested-by: Alan Stern +Cc: stable@vger.kernel.org +Signed-off-by: Weitao Wang +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20230423105952.4526-1-WeitaoWang-oc@zhaoxin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/uhci-pci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/uhci-pci.c ++++ b/drivers/usb/host/uhci-pci.c +@@ -119,11 +119,13 @@ static int uhci_pci_init(struct usb_hcd + + uhci->rh_numports = uhci_count_ports(hcd); + +- /* Intel controllers report the OverCurrent bit active on. +- * VIA controllers report it active off, so we'll adjust the +- * bit value. (It's not standardized in the UHCI spec.) ++ /* ++ * Intel controllers report the OverCurrent bit active on. VIA ++ * and ZHAOXIN controllers report it active off, so we'll adjust ++ * the bit value. (It's not standardized in the UHCI spec.) + */ +- if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA) ++ if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA || ++ to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_ZHAOXIN) + uhci->oc_low = 1; + + /* HP's server management chip requires a longer port reset delay. */ diff --git a/queue-5.4/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch b/queue-5.4/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch new file mode 100644 index 00000000000..24835d8255a --- /dev/null 
+++ b/queue-5.4/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch 
@@ -0,0 +1,64 @@ +From 94d25e9128988c6a1fc9070f6e98215a95795bd8 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 1 May 2023 14:22:35 -0400 +Subject: USB: usbtmc: Fix direction for 0-length ioctl control messages + +From: Alan Stern + +commit 94d25e9128988c6a1fc9070f6e98215a95795bd8 upstream. + +The syzbot fuzzer found a problem in the usbtmc driver: When a user +submits an ioctl for a 0-length control transfer, the driver does not +check that the direction is set to OUT: + +------------[ cut here ]------------ +usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd +WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 +Modules linked in: +CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 +RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 +Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41 +RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000 +RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001 +RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528 +R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100 +FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 + usb_internal_control_msg 
drivers/usb/core/message.c:102 [inline] + usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 + usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline] + usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097 + +To fix this, we must override the direction in the bRequestType field +of the control request structure when the length is 0. + +Reported-and-tested-by: syzbot+ce77725b89b7bd52425c@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/linux-usb/000000000000716a3705f9adb8ee@google.com/ +CC: +Link: https://lore.kernel.org/r/ede1ee02-b718-49e7-a44c-51339fec706b@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/usbtmc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -1898,6 +1898,8 @@ static int usbtmc_ioctl_request(struct u + + if (request.req.wLength > USBTMC_BUFSIZE) + return -EMSGSIZE; ++ if (request.req.wLength == 0) /* Length-0 requests are never IN */ ++ request.req.bRequestType &= ~USB_DIR_IN; + + is_in = request.req.bRequestType & USB_DIR_IN; + -- 2.47.3