--- /dev/null
+From 4b21a669ca21ed8f24ef4530b2918be5730114de Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 10 Nov 2023 15:16:06 +0800
+Subject: ALSA: hda/realtek - Add Dell ALC295 to pin fall back table
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 4b21a669ca21ed8f24ef4530b2918be5730114de upstream.
+
+Add ALC295 to pin fall back table.
+Remove 5 pin quirks for Dell ALC295.
+ALC295 was only support MIC2 for external MIC function.
+ALC295 assigned model "ALC269_FIXUP_DELL1_MIC_NO_PRESENCE" for pin
+fall back table.
+It was assigned wrong model. So, let's remove it.
+
+Fixes: fbc571290d9f ("ALSA: hda/realtek - Fixed Headphone Mic can't record on Dell platform")
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/7c1998e873834df98d59bd7e0d08c72e@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 19 +++----------------
+ 1 file changed, 3 insertions(+), 16 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10735,22 +10735,6 @@ static const struct snd_hda_pin_quirk al
+ {0x12, 0x90a60130},
+ {0x17, 0x90170110},
+ {0x21, 0x03211020}),
+- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE,
+- {0x14, 0x90170110},
+- {0x21, 0x04211020}),
+- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE,
+- {0x14, 0x90170110},
+- {0x21, 0x04211030}),
+- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+- ALC295_STANDARD_PINS,
+- {0x17, 0x21014020},
+- {0x18, 0x21a19030}),
+- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+- ALC295_STANDARD_PINS,
+- {0x17, 0x21014040},
+- {0x18, 0x21a19050}),
+- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+- ALC295_STANDARD_PINS),
+ SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC298_STANDARD_PINS,
+ {0x17, 0x90170110}),
+@@ -10794,6 +10778,9 @@ static const struct snd_hda_pin_quirk al
+ SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE,
+ {0x19, 0x40000000},
+ {0x1b, 0x40000000}),
++ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE,
++ {0x19, 0x40000000},
++ {0x1b, 0x40000000}),
+ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ {0x19, 0x40000000},
+ {0x1a, 0x40000000}),
--- /dev/null
+From 5d639b60971f003d3a9b2b31f8ec73b0718b5d57 Mon Sep 17 00:00:00 2001
+From: Stefan Binding <sbinding@opensource.cirrus.com>
+Date: Wed, 15 Nov 2023 16:21:16 +0000
+Subject: ALSA: hda/realtek: Add quirks for HP Laptops
+
+From: Stefan Binding <sbinding@opensource.cirrus.com>
+
+commit 5d639b60971f003d3a9b2b31f8ec73b0718b5d57 upstream.
+
+These HP laptops use Realtek HDA codec combined with 2 or 4 CS35L41
+Amplifiers using SPI with Internal Boost.
+
+Signed-off-by: Stefan Binding <sbinding@opensource.cirrus.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231115162116.494968-3-sbinding@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9816,6 +9816,9 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8c70, "HP EliteBook 835 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c71, "HP EliteBook 845 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c72, "HP EliteBook 865 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8cf5, "HP ZBook Studio 16", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From 713f040cd22285fcc506f40a0d259566e6758c3c Mon Sep 17 00:00:00 2001
+From: Chandradeep Dey <codesigning@chandradeepdey.com>
+Date: Sat, 11 Nov 2023 19:25:49 +0100
+Subject: ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
+
+From: Chandradeep Dey <codesigning@chandradeepdey.com>
+
+commit 713f040cd22285fcc506f40a0d259566e6758c3c upstream.
+
+Apply the already existing quirk chain ALC294_FIXUP_ASUS_SPK to enable
+the internal speaker of ASUS K6500ZC.
+
+Signed-off-by: Chandradeep Dey <codesigning@chandradeepdey.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/NizcVHQ--3-9@chandradeepdey.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9821,6 +9821,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1043, 0x10a1, "ASUS UX391UA", ALC294_FIXUP_ASUS_SPK),
+ SND_PCI_QUIRK(0x1043, 0x10c0, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1043, 0x10d3, "ASUS K6500ZC", ALC294_FIXUP_ASUS_SPK),
+ SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
--- /dev/null
+From b944aa9d86d5f782bfe5e51336434c960304839c Mon Sep 17 00:00:00 2001
+From: Matus Malych <matus@malych.org>
+Date: Tue, 14 Nov 2023 14:35:25 +0100
+Subject: ALSA: hda/realtek: Enable Mute LED on HP 255 G10
+
+From: Matus Malych <matus@malych.org>
+
+commit b944aa9d86d5f782bfe5e51336434c960304839c upstream.
+
+HP 255 G10 has a mute LED that can be made to work using quirk
+ALC236_FIXUP_HP_MUTE_LED_COEFBIT2.
+Enable already existing quirk - at correct line to keep order
+
+Signed-off-by: Matus Malych <matus@malych.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231114133524.11340-1-matus@malych.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9782,6 +9782,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b2f, "HP 255 15.6 inch G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b43, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b44, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
--- /dev/null
+From 8384c0baf223e1c3bc7b1c711d80a4c6106d210e Mon Sep 17 00:00:00 2001
+From: Eymen Yigit <eymenyg01@gmail.com>
+Date: Fri, 10 Nov 2023 18:07:15 +0300
+Subject: ALSA: hda/realtek: Enable Mute LED on HP 255 G8
+
+From: Eymen Yigit <eymenyg01@gmail.com>
+
+commit 8384c0baf223e1c3bc7b1c711d80a4c6106d210e upstream.
+
+This HP Notebook uses ALC236 codec with COEF 0x07 idx 1 controlling
+the mute LED. Enable already existing quirk for this device.
+
+Signed-off-by: Eymen Yigit <eymenyg01@gmail.com>
+Cc: Luka Guzenko <l.guzenko@web.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231110150715.5141-1-eymenyg01@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9746,6 +9746,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8898, "HP EliteBook 845 G8 Notebook PC", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x103c, 0x88d0, "HP Pavilion 15-eh1xxx (mainboard 88D0)", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8902, "HP OMEN 16", ALC285_FIXUP_HP_MUTE_LED),
++ SND_PCI_QUIRK(0x103c, 0x890e, "HP 255 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x8919, "HP Pavilion Aero Laptop 13-be0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x896d, "HP ZBook Firefly 16 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x896e, "HP EliteBook x360 830 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
--- /dev/null
+From c7a60651953359f98dbf24b43e1bf561e1573ed4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 9 Nov 2023 15:19:54 +0100
+Subject: ALSA: info: Fix potential deadlock at disconnection
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c7a60651953359f98dbf24b43e1bf561e1573ed4 upstream.
+
+As reported recently, ALSA core info helper may cause a deadlock at
+the forced device disconnection during the procfs operation.
+
+The proc_remove() (that is called from the snd_card_disconnect()
+helper) has a synchronization of the pending procfs accesses via
+wait_for_completion(). Meanwhile, ALSA procfs helper takes the global
+mutex_lock(&info_mutex) at both the proc_open callback and
+snd_card_info_disconnect() helper. Since the proc_open can't finish
+due to the mutex lock, wait_for_completion() never returns, either,
+hence it deadlocks.
+
+ TASK#1 TASK#2
+ proc_reg_open()
+ takes use_pde()
+ snd_info_text_entry_open()
+ snd_card_disconnect()
+ snd_info_card_disconnect()
+ takes mutex_lock(&info_mutex)
+ proc_remove()
+ wait_for_completion(unused_pde)
+ ... waiting task#1 closes
+ mutex_lock(&info_mutex)
+ => DEADLOCK
+
+This patch is a workaround for avoiding the deadlock scenario above.
+
+The basic strategy is to move proc_remove() call outside the mutex
+lock. proc_remove() can work gracefully without extra locking, and it
+can delete the tree recursively alone. So, we call proc_remove() at
+snd_info_card_disconnection() at first, then delete the rest resources
+recursively within the info_mutex lock.
+
+After the change, the function snd_info_disconnect() doesn't do
+disconnection by itself any longer, but it merely clears the procfs
+pointer. So rename the function to snd_info_clear_entries() for
+avoiding confusion.
+
+The similar change is applied to snd_info_free_entry(), too. Since
+the proc_remove() is called only conditionally with the non-NULL
+entry->p, it's skipped after the snd_info_clear_entries() call.
+
+Reported-by: Shinhyung Kang <s47.kang@samsung.com>
+Closes: https://lore.kernel.org/r/664457955.21699345385931.JavaMail.epsvc@epcpadp4
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231109141954.4283-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/info.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/sound/core/info.c
++++ b/sound/core/info.c
+@@ -56,7 +56,7 @@ struct snd_info_private_data {
+ };
+
+ static int snd_info_version_init(void);
+-static void snd_info_disconnect(struct snd_info_entry *entry);
++static void snd_info_clear_entries(struct snd_info_entry *entry);
+
+ /*
+
+@@ -569,11 +569,16 @@ void snd_info_card_disconnect(struct snd
+ {
+ if (!card)
+ return;
+- mutex_lock(&info_mutex);
++
+ proc_remove(card->proc_root_link);
+- card->proc_root_link = NULL;
+ if (card->proc_root)
+- snd_info_disconnect(card->proc_root);
++ proc_remove(card->proc_root->p);
++
++ mutex_lock(&info_mutex);
++ if (card->proc_root)
++ snd_info_clear_entries(card->proc_root);
++ card->proc_root_link = NULL;
++ card->proc_root = NULL;
+ mutex_unlock(&info_mutex);
+ }
+
+@@ -745,15 +750,14 @@ struct snd_info_entry *snd_info_create_c
+ }
+ EXPORT_SYMBOL(snd_info_create_card_entry);
+
+-static void snd_info_disconnect(struct snd_info_entry *entry)
++static void snd_info_clear_entries(struct snd_info_entry *entry)
+ {
+ struct snd_info_entry *p;
+
+ if (!entry->p)
+ return;
+ list_for_each_entry(p, &entry->children, list)
+- snd_info_disconnect(p);
+- proc_remove(entry->p);
++ snd_info_clear_entries(p);
+ entry->p = NULL;
+ }
+
+@@ -770,8 +774,9 @@ void snd_info_free_entry(struct snd_info
+ if (!entry)
+ return;
+ if (entry->p) {
++ proc_remove(entry->p);
+ mutex_lock(&info_mutex);
+- snd_info_disconnect(entry);
++ snd_info_clear_entries(entry);
+ mutex_unlock(&info_mutex);
+ }
+
--- /dev/null
+From 776a838f1fa95670c1c1cf7109a898090b473fa3 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Tue, 17 Oct 2023 17:00:31 +0900
+Subject: btrfs: zoned: wait for data BG to be finished on direct IO allocation
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 776a838f1fa95670c1c1cf7109a898090b473fa3 upstream.
+
+Running the fio command below on a ZNS device results in "Resource
+temporarily unavailable" error.
+
+ $ sudo fio --name=w --directory=/mnt --filesize=1GB --bs=16MB --numjobs=16 \
+ --rw=write --ioengine=libaio --iodepth=128 --direct=1
+
+ fio: io_u error on file /mnt/w.2.0: Resource temporarily unavailable: write offset=117440512, buflen=16777216
+ fio: io_u error on file /mnt/w.2.0: Resource temporarily unavailable: write offset=134217728, buflen=16777216
+ ...
+
+This happens because -EAGAIN error returned from btrfs_reserve_extent()
+called from btrfs_new_extent_direct() is spilling over to the userland.
+
+btrfs_reserve_extent() returns -EAGAIN when there is no active zone
+available. Then, the caller should wait for some other on-going IO to
+finish a zone and retry the allocation.
+
+This logic is already implemented for buffered write in cow_file_range(),
+but it is missing for the direct IO counterpart. Implement the same logic
+for it.
+
+Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Fixes: 2ce543f47843 ("btrfs: zoned: wait until zone is finished when allocation didn't progress")
+CC: stable@vger.kernel.org # 6.1+
+Tested-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6974,8 +6974,15 @@ static struct extent_map *btrfs_new_exte
+ int ret;
+
+ alloc_hint = get_extent_allocation_hint(inode, start, len);
++again:
+ ret = btrfs_reserve_extent(root, len, len, fs_info->sectorsize,
+ 0, alloc_hint, &ins, 1, 1);
++ if (ret == -EAGAIN) {
++ ASSERT(btrfs_is_zoned(fs_info));
++ wait_on_bit_io(&inode->root->fs_info->flags, BTRFS_FS_NEED_ZONE_FINISH,
++ TASK_UNINTERRUPTIBLE);
++ goto again;
++ }
+ if (ret)
+ return ERR_PTR(ret);
+
--- /dev/null
+From 9599d59eb8fc0c0fd9480c4f22901533d08965ee Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Mon, 6 Nov 2023 16:22:11 +0000
+Subject: cifs: do not pass cifs_sb when trying to add channels
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit 9599d59eb8fc0c0fd9480c4f22901533d08965ee upstream.
+
+The only reason why cifs_sb gets passed today to cifs_try_adding_channels
+is to pass the local_nls field for the new channels and binding session.
+However, the ses struct already has local_nls field that is setup during
+the first cifs_setup_session. So there is no need to pass cifs_sb.
+
+This change removes cifs_sb from the arg list for this and the functions
+that it calls and uses ses->local_nls instead.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsproto.h | 2 +-
+ fs/smb/client/connect.c | 2 +-
+ fs/smb/client/sess.c | 12 ++++++------
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/client/cifsproto.h
++++ b/fs/smb/client/cifsproto.h
+@@ -610,7 +610,7 @@ void cifs_free_hash(struct shash_desc **
+
+ struct cifs_chan *
+ cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server);
+-int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses);
++int cifs_try_adding_channels(struct cifs_ses *ses);
+ bool is_server_using_iface(struct TCP_Server_Info *server,
+ struct cifs_server_iface *iface);
+ bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface);
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -3561,7 +3561,7 @@ int cifs_mount(struct cifs_sb_info *cifs
+ ctx->prepath = NULL;
+
+ out:
+- cifs_try_adding_channels(cifs_sb, mnt_ctx.ses);
++ cifs_try_adding_channels(mnt_ctx.ses);
+ rc = mount_setup_tlink(cifs_sb, mnt_ctx.ses, mnt_ctx.tcon);
+ if (rc)
+ goto error;
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -24,7 +24,7 @@
+ #include "fs_context.h"
+
+ static int
+-cifs_ses_add_channel(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses,
++cifs_ses_add_channel(struct cifs_ses *ses,
+ struct cifs_server_iface *iface);
+
+ bool
+@@ -157,7 +157,7 @@ cifs_chan_is_iface_active(struct cifs_se
+ }
+
+ /* returns number of channels added */
+-int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses)
++int cifs_try_adding_channels(struct cifs_ses *ses)
+ {
+ struct TCP_Server_Info *server = ses->server;
+ int old_chan_count, new_chan_count;
+@@ -230,7 +230,7 @@ int cifs_try_adding_channels(struct cifs
+ kref_get(&iface->refcount);
+
+ spin_unlock(&ses->iface_lock);
+- rc = cifs_ses_add_channel(cifs_sb, ses, iface);
++ rc = cifs_ses_add_channel(ses, iface);
+ spin_lock(&ses->iface_lock);
+
+ if (rc) {
+@@ -354,7 +354,7 @@ cifs_ses_find_chan(struct cifs_ses *ses,
+ }
+
+ static int
+-cifs_ses_add_channel(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses,
++cifs_ses_add_channel(struct cifs_ses *ses,
+ struct cifs_server_iface *iface)
+ {
+ struct TCP_Server_Info *chan_server;
+@@ -433,7 +433,7 @@ cifs_ses_add_channel(struct cifs_sb_info
+ * This will be used for encoding/decoding user/domain/pw
+ * during sess setup auth.
+ */
+- ctx->local_nls = cifs_sb->local_nls;
++ ctx->local_nls = ses->local_nls;
+
+ /* Use RDMA if possible */
+ ctx->rdma = iface->rdma_capable;
+@@ -479,7 +479,7 @@ cifs_ses_add_channel(struct cifs_sb_info
+
+ rc = cifs_negotiate_protocol(xid, ses, chan->server);
+ if (!rc)
+- rc = cifs_setup_session(xid, ses, chan->server, cifs_sb->local_nls);
++ rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls);
+
+ mutex_unlock(&ses->session_mutex);
+
--- /dev/null
+From 6e5e64c9477d58e73cb1a0e83eacad1f8df247cf Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Mon, 30 Oct 2023 11:00:10 +0000
+Subject: cifs: do not reset chan_max if multichannel is not supported at mount
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit 6e5e64c9477d58e73cb1a0e83eacad1f8df247cf upstream.
+
+If the mount command has specified multichannel as a mount option,
+but multichannel is found to be unsupported by the server at the time
+of mount, we set chan_max to 1. Which means that the user needs to
+remount the share if the server starts supporting multichannel.
+
+This change removes this reset. What it means is that if the user
+specified multichannel or max_channels during mount, and at this
+time, multichannel is not supported, but the server starts supporting
+it at a later point, the client will be capable of scaling out the
+number of channels.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/sess.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -186,7 +186,6 @@ int cifs_try_adding_channels(struct cifs
+ }
+
+ if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
+- ses->chan_max = 1;
+ spin_unlock(&ses->chan_lock);
+ cifs_server_dbg(VFS, "no multichannel support\n");
+ return 0;
--- /dev/null
+From 37de5a80e932f828c34abeaae63170d73930dca3 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 6 Nov 2023 14:40:11 +0000
+Subject: cifs: Fix encryption of cleared, but unset rq_iter data buffers
+
+From: David Howells <dhowells@redhat.com>
+
+commit 37de5a80e932f828c34abeaae63170d73930dca3 upstream.
+
+Each smb_rqst struct contains two things: an array of kvecs (rq_iov) that
+contains the protocol data for an RPC op and an iterator (rq_iter) that
+contains the data payload of an RPC op. When an smb_rqst is allocated
+rq_iter is it always cleared, but we don't set it up unless we're going to
+use it.
+
+The functions that determines the size of the ciphertext buffer that will
+be needed to encrypt a request, cifs_get_num_sgs(), assumes that rq_iter is
+always initialised - and employs user_backed_iter() to check that the
+iterator isn't user-backed. This used to incidentally work, because
+->user_backed was set to false because the iterator has never been
+initialised, but with commit f1b4cb650b9a0eeba206d8f069fcdc532bfbcd74[1]
+which changes user_backed_iter() to determine this based on the iterator
+type insted, a warning is now emitted:
+
+ WARNING: CPU: 7 PID: 4584 at fs/smb/client/cifsglob.h:2165 smb2_get_aead_req+0x3fc/0x420 [cifs]
+ ...
+ RIP: 0010:smb2_get_aead_req+0x3fc/0x420 [cifs]
+ ...
+ crypt_message+0x33e/0x550 [cifs]
+ smb3_init_transform_rq+0x27d/0x3f0 [cifs]
+ smb_send_rqst+0xc7/0x160 [cifs]
+ compound_send_recv+0x3ca/0x9f0 [cifs]
+ cifs_send_recv+0x25/0x30 [cifs]
+ SMB2_tcon+0x38a/0x820 [cifs]
+ cifs_get_smb_ses+0x69c/0xee0 [cifs]
+ cifs_mount_get_session+0x76/0x1d0 [cifs]
+ dfs_mount_share+0x74/0x9d0 [cifs]
+ cifs_mount+0x6e/0x2e0 [cifs]
+ cifs_smb3_do_mount+0x143/0x300 [cifs]
+ smb3_get_tree+0x15e/0x290 [cifs]
+ vfs_get_tree+0x2d/0xe0
+ do_new_mount+0x124/0x340
+ __se_sys_mount+0x143/0x1a0
+
+The problem is that rq_iter was never set, so the type is 0 (ie. ITER_UBUF)
+which causes user_backed_iter() to return true. The code doesn't
+malfunction because it checks the size of the iterator - which is 0.
+
+Fix cifs_get_num_sgs() to ignore rq_iter if its count is 0, thereby
+bypassing the warnings.
+
+It might be better to explicitly initialise rq_iter to a zero-length
+ITER_BVEC, say, as it can always be reinitialised later.
+
+Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
+Reported-by: Damian Tometzki <damian@riscv-rocks.de>
+Closes: https://lore.kernel.org/r/ZUfQo47uo0p2ZsYg@fedora.fritz.box/
+Tested-by: Damian Tometzki <damian@riscv-rocks.de>
+Cc: stable@vger.kernel.org
+cc: Eric Biggers <ebiggers@kernel.org>
+cc: linux-cifs@vger.kernel.org
+cc: linux-fsdevel@vger.kernel.org
+Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1b4cb650b9a0eeba206d8f069fcdc532bfbcd74 [1]
+Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsglob.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -2143,6 +2143,7 @@ static inline int cifs_get_num_sgs(const
+ unsigned int len, skip;
+ unsigned int nents = 0;
+ unsigned long addr;
++ size_t data_size;
+ int i, j;
+
+ /*
+@@ -2158,17 +2159,21 @@ static inline int cifs_get_num_sgs(const
+ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
+ */
+ for (i = 0; i < num_rqst; i++) {
++ data_size = iov_iter_count(&rqst[i].rq_iter);
++
+ /* We really don't want a mixture of pinned and unpinned pages
+ * in the sglist. It's hard to keep track of which is what.
+ * Instead, we convert to a BVEC-type iterator higher up.
+ */
+- if (WARN_ON_ONCE(user_backed_iter(&rqst[i].rq_iter)))
++ if (data_size &&
++ WARN_ON_ONCE(user_backed_iter(&rqst[i].rq_iter)))
+ return -EIO;
+
+ /* We also don't want to have any extra refs or pins to clean
+ * up in the sglist.
+ */
+- if (WARN_ON_ONCE(iov_iter_extract_will_pin(&rqst[i].rq_iter)))
++ if (data_size &&
++ WARN_ON_ONCE(iov_iter_extract_will_pin(&rqst[i].rq_iter)))
+ return -EIO;
+
+ for (j = 0; j < rqst[i].rq_nvec; j++) {
+@@ -2184,7 +2189,8 @@ static inline int cifs_get_num_sgs(const
+ }
+ skip = 0;
+ }
+- nents += iov_iter_npages(&rqst[i].rq_iter, INT_MAX);
++ if (data_size)
++ nents += iov_iter_npages(&rqst[i].rq_iter, INT_MAX);
+ }
+ nents += DIV_ROUND_UP(offset_in_page(sig) + SMB2_SIGNATURE_SIZE, PAGE_SIZE);
+ return nents;
--- /dev/null
+From d9a6d78096056a3cb5c5f07a730ab92f2f9ac4e6 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Mon, 30 Oct 2023 11:00:11 +0000
+Subject: cifs: force interface update before a fresh session setup
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit d9a6d78096056a3cb5c5f07a730ab92f2f9ac4e6 upstream.
+
+During a session reconnect, it is possible that the
+server moved to another physical server (happens in case
+of Azure files). So at this time, force a query of server
+interfaces again (in case of multichannel session), such
+that the secondary channels connect to the right
+IP addresses (possibly updated now).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -3850,8 +3850,12 @@ cifs_setup_session(const unsigned int xi
+ is_binding = !CIFS_ALL_CHANS_NEED_RECONNECT(ses);
+ spin_unlock(&ses->chan_lock);
+
+- if (!is_binding)
++ if (!is_binding) {
+ ses->ses_status = SES_IN_SETUP;
++
++ /* force iface_list refresh */
++ ses->iface_last_update = 0;
++ }
+ spin_unlock(&ses->ses_lock);
+
+ /* update ses ip_addr only for primary chan */
--- /dev/null
+From c3326a61cdbf3ce1273d9198b6cbf90965d7e029 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Mon, 30 Oct 2023 11:00:09 +0000
+Subject: cifs: reconnect helper should set reconnect for the right channel
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit c3326a61cdbf3ce1273d9198b6cbf90965d7e029 upstream.
+
+We introduced a helper function to be used by non-cifsd threads to
+mark the connection for reconnect. For multichannel, when only
+a particular channel needs to be reconnected, this had a bug.
+
+This change fixes that by marking that particular channel
+for reconnect.
+
+Fixes: dca65818c80c ("cifs: use a different reconnect helper for non-cifsd threads")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -156,13 +156,14 @@ cifs_signal_cifsd_for_reconnect(struct T
+ /* If server is a channel, select the primary channel */
+ pserver = SERVER_IS_CHAN(server) ? server->primary_server : server;
+
+- spin_lock(&pserver->srv_lock);
++ /* if we need to signal just this channel */
+ if (!all_channels) {
+- pserver->tcpStatus = CifsNeedReconnect;
+- spin_unlock(&pserver->srv_lock);
++ spin_lock(&server->srv_lock);
++ if (server->tcpStatus != CifsExiting)
++ server->tcpStatus = CifsNeedReconnect;
++ spin_unlock(&server->srv_lock);
+ return;
+ }
+- spin_unlock(&pserver->srv_lock);
+
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) {
parisc-power-fix-power-soft-off-when-running-on-qemu.patch
parisc-fix-mmap_base-calculation-when-stack-grows-upwards.patch
xhci-enable-rpm-on-controllers-that-support-low-power-states.patch
+smb3-fix-creating-fifos-when-mounting-with-sfu-mount-option.patch
+smb3-fix-touch-h-of-symlink.patch
+smb3-allow-dumping-session-and-tcon-id-to-improve-stats-analysis-and-debugging.patch
+smb3-fix-caching-of-ctime-on-setxattr.patch
+smb-client-fix-use-after-free-bug-in-cifs_debug_data_proc_show.patch
+smb-client-fix-use-after-free-in-smb2_query_info_compound.patch
+smb-client-fix-potential-deadlock-when-releasing-mids.patch
+smb-client-fix-mount-when-dns_resolver-key-is-not-available.patch
+cifs-reconnect-helper-should-set-reconnect-for-the-right-channel.patch
+cifs-force-interface-update-before-a-fresh-session-setup.patch
+cifs-do-not-reset-chan_max-if-multichannel-is-not-supported-at-mount.patch
+cifs-do-not-pass-cifs_sb-when-trying-to-add-channels.patch
+cifs-fix-encryption-of-cleared-but-unset-rq_iter-data-buffers.patch
+xfs-recovery-should-not-clear-di_flushiter-unconditionally.patch
+btrfs-zoned-wait-for-data-bg-to-be-finished-on-direct-io-allocation.patch
+alsa-info-fix-potential-deadlock-at-disconnection.patch
+alsa-hda-realtek-enable-mute-led-on-hp-255-g8.patch
+alsa-hda-realtek-add-dell-alc295-to-pin-fall-back-table.patch
+alsa-hda-realtek-enable-internal-speaker-of-asus-k6500zc.patch
+alsa-hda-realtek-enable-mute-led-on-hp-255-g10.patch
+alsa-hda-realtek-add-quirks-for-hp-laptops.patch
--- /dev/null
+From 5e2fd17f434d2fed78efb123e2fc6711e4f598f1 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Thu, 9 Nov 2023 12:01:48 -0300
+Subject: smb: client: fix mount when dns_resolver key is not available
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+commit 5e2fd17f434d2fed78efb123e2fc6711e4f598f1 upstream.
+
+There was a wrong assumption that with CONFIG_CIFS_DFS_UPCALL=y there
+would always be a dns_resolver key set up so we could unconditionally
+upcall to resolve UNC hostname rather than using the value provided by
+mount(2).
+
+Only require it when performing automount of junctions within a DFS
+share so users that don't have dns_resolver key still can mount their
+regular shares with server hostname resolved by mount.cifs(8).
+
+Fixes: 348a04a8d113 ("smb: client: get rid of dfs code dep in namespace.c")
+Cc: stable@vger.kernel.org
+Tested-by: Eduard Bachmakov <e.bachmakov@gmail.com>
+Reported-by: Eduard Bachmakov <e.bachmakov@gmail.com>
+Closes: https://lore.kernel.org/all/CADCRUiNvZuiUZ0VGZZO9HRyPyw6x92kiA7o7Q4tsX5FkZqUkKg@mail.gmail.com/
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/dfs.c | 18 +++++++++++++-----
+ fs/smb/client/fs_context.h | 1 +
+ fs/smb/client/namespace.c | 17 +++++++++++++++--
+ 3 files changed, 29 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/client/dfs.c
++++ b/fs/smb/client/dfs.c
+@@ -263,15 +263,23 @@ out:
+ return rc;
+ }
+
+-/* Resolve UNC hostname in @ctx->source and set ip addr in @ctx->dstaddr */
++/*
++ * If @ctx->dfs_automount, then update @ctx->dstaddr earlier with the DFS root
++ * server from where we'll start following any referrals. Otherwise rely on the
++ * value provided by mount(2) as the user might not have dns_resolver key set up
++ * and therefore failing to upcall to resolve UNC hostname under @ctx->source.
++ */
+ static int update_fs_context_dstaddr(struct smb3_fs_context *ctx)
+ {
+ struct sockaddr *addr = (struct sockaddr *)&ctx->dstaddr;
+- int rc;
++ int rc = 0;
+
+- rc = dns_resolve_server_name_to_ip(ctx->source, addr, NULL);
+- if (!rc)
+- cifs_set_port(addr, ctx->port);
++ if (!ctx->nodfs && ctx->dfs_automount) {
++ rc = dns_resolve_server_name_to_ip(ctx->source, addr, NULL);
++ if (!rc)
++ cifs_set_port(addr, ctx->port);
++ ctx->dfs_automount = false;
++ }
+ return rc;
+ }
+
+--- a/fs/smb/client/fs_context.h
++++ b/fs/smb/client/fs_context.h
+@@ -268,6 +268,7 @@ struct smb3_fs_context {
+ bool witness:1; /* use witness protocol */
+ char *leaf_fullpath;
+ struct cifs_ses *dfs_root_ses;
++ bool dfs_automount:1; /* set for dfs automount only */
+ };
+
+ extern const struct fs_parameter_spec smb3_fs_parameters[];
+--- a/fs/smb/client/namespace.c
++++ b/fs/smb/client/namespace.c
+@@ -117,6 +117,18 @@ cifs_build_devname(char *nodename, const
+ return dev;
+ }
+
++static bool is_dfs_mount(struct dentry *dentry)
++{
++ struct cifs_sb_info *cifs_sb = CIFS_SB(dentry->d_sb);
++ struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
++ bool ret;
++
++ spin_lock(&tcon->tc_lock);
++ ret = !!tcon->origin_fullpath;
++ spin_unlock(&tcon->tc_lock);
++ return ret;
++}
++
+ /* Return full path out of a dentry set for automount */
+ static char *automount_fullpath(struct dentry *dentry, void *page)
+ {
+@@ -212,8 +224,9 @@ static struct vfsmount *cifs_do_automoun
+ ctx->source = NULL;
+ goto out;
+ }
+- cifs_dbg(FYI, "%s: ctx: source=%s UNC=%s prepath=%s\n",
+- __func__, ctx->source, ctx->UNC, ctx->prepath);
++ ctx->dfs_automount = is_dfs_mount(mntpt);
++ cifs_dbg(FYI, "%s: ctx: source=%s UNC=%s prepath=%s dfs_automount=%d\n",
++ __func__, ctx->source, ctx->UNC, ctx->prepath, ctx->dfs_automount);
+
+ mnt = fc_mount(fc);
+ out:
--- /dev/null
+From e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Wed, 25 Oct 2023 14:58:35 -0300
+Subject: smb: client: fix potential deadlock when releasing mids
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+commit e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 upstream.
+
+All release_mid() callers seem to hold a reference of @mid so there is
+no need to call kref_put(&mid->refcount, __release_mid) under
+@server->mid_lock spinlock. If they don't, then an use-after-free bug
+would have occurred anyways.
+
+By getting rid of such spinlock also fixes a potential deadlock as
+shown below
+
+CPU 0 CPU 1
+------------------------------------------------------------------
+cifs_demultiplex_thread() cifs_debug_data_proc_show()
+ release_mid()
+ spin_lock(&server->mid_lock);
+ spin_lock(&cifs_tcp_ses_lock)
+ spin_lock(&server->mid_lock)
+ __release_mid()
+ smb2_find_smb_tcon()
+ spin_lock(&cifs_tcp_ses_lock) *deadlock*
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsproto.h | 7 ++++++-
+ fs/smb/client/smb2misc.c | 2 +-
+ fs/smb/client/transport.c | 11 +----------
+ 3 files changed, 8 insertions(+), 12 deletions(-)
+
+--- a/fs/smb/client/cifsproto.h
++++ b/fs/smb/client/cifsproto.h
+@@ -81,7 +81,7 @@ extern char *cifs_build_path_to_root(str
+ extern char *build_wildcard_path_from_dentry(struct dentry *direntry);
+ char *cifs_build_devname(char *nodename, const char *prepath);
+ extern void delete_mid(struct mid_q_entry *mid);
+-extern void release_mid(struct mid_q_entry *mid);
++void __release_mid(struct kref *refcount);
+ extern void cifs_wake_up_task(struct mid_q_entry *mid);
+ extern int cifs_handle_standard(struct TCP_Server_Info *server,
+ struct mid_q_entry *mid);
+@@ -740,4 +740,9 @@ static inline bool dfs_src_pathname_equa
+ return true;
+ }
+
++static inline void release_mid(struct mid_q_entry *mid)
++{
++ kref_put(&mid->refcount, __release_mid);
++}
++
+ #endif /* _CIFSPROTO_H */
+--- a/fs/smb/client/smb2misc.c
++++ b/fs/smb/client/smb2misc.c
+@@ -787,7 +787,7 @@ __smb2_handle_cancelled_cmd(struct cifs_
+ {
+ struct close_cancelled_open *cancelled;
+
+- cancelled = kzalloc(sizeof(*cancelled), GFP_ATOMIC);
++ cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL);
+ if (!cancelled)
+ return -ENOMEM;
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -76,7 +76,7 @@ alloc_mid(const struct smb_hdr *smb_buff
+ return temp;
+ }
+
+-static void __release_mid(struct kref *refcount)
++void __release_mid(struct kref *refcount)
+ {
+ struct mid_q_entry *midEntry =
+ container_of(refcount, struct mid_q_entry, refcount);
+@@ -156,15 +156,6 @@ static void __release_mid(struct kref *r
+ mempool_free(midEntry, cifs_mid_poolp);
+ }
+
+-void release_mid(struct mid_q_entry *mid)
+-{
+- struct TCP_Server_Info *server = mid->server;
+-
+- spin_lock(&server->mid_lock);
+- kref_put(&mid->refcount, __release_mid);
+- spin_unlock(&server->mid_lock);
+-}
+-
+ void
+ delete_mid(struct mid_q_entry *mid)
+ {
--- /dev/null
+From d328c09ee9f15ee5a26431f5aad7c9239fa85e62 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Tue, 24 Oct 2023 13:49:15 -0300
+Subject: smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 upstream.
+
+Skip SMB sessions that are being teared down
+(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()
+to avoid use-after-free in @ses.
+
+This fixes the following GPF when reading from /proc/fs/cifs/DebugData
+while mounting and umounting
+
+ [ 816.251274] general protection fault, probably for non-canonical
+ address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
+ ...
+ [ 816.260138] Call Trace:
+ [ 816.260329] <TASK>
+ [ 816.260499] ? die_addr+0x36/0x90
+ [ 816.260762] ? exc_general_protection+0x1b3/0x410
+ [ 816.261126] ? asm_exc_general_protection+0x26/0x30
+ [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]
+ [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]
+ [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
+ [ 816.262689] ? seq_read_iter+0x379/0x470
+ [ 816.262995] seq_read_iter+0x118/0x470
+ [ 816.263291] proc_reg_read_iter+0x53/0x90
+ [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f
+ [ 816.263945] vfs_read+0x201/0x350
+ [ 816.264211] ksys_read+0x75/0x100
+ [ 816.264472] do_syscall_64+0x3f/0x90
+ [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+ [ 816.265135] RIP: 0033:0x7fd5e669d381
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifs_debug.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/smb/client/cifs_debug.c
++++ b/fs/smb/client/cifs_debug.c
+@@ -452,6 +452,11 @@ skip_rdma:
+ seq_printf(m, "\n\n\tSessions: ");
+ i = 0;
+ list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
++ spin_lock(&ses->ses_lock);
++ if (ses->ses_status == SES_EXITING) {
++ spin_unlock(&ses->ses_lock);
++ continue;
++ }
+ i++;
+ if ((ses->serverDomain == NULL) ||
+ (ses->serverOS == NULL) ||
+@@ -472,6 +477,7 @@ skip_rdma:
+ ses->ses_count, ses->serverOS, ses->serverNOS,
+ ses->capabilities, ses->ses_status);
+ }
++ spin_unlock(&ses->ses_lock);
+
+ seq_printf(m, "\n\tSecurity type: %s ",
+ get_security_type_str(server->ops->select_sectype(server, ses->sectype)));
--- /dev/null
+From 5c86919455c1edec99ebd3338ad213b59271a71b Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Mon, 30 Oct 2023 17:19:56 -0300
+Subject: smb: client: fix use-after-free in smb2_query_info_compound()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+commit 5c86919455c1edec99ebd3338ad213b59271a71b upstream.
+
+The following UAF was triggered when running fstests generic/072 with
+KASAN enabled against Windows Server 2022 and mount options
+'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'
+
+ BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]
+ Read of size 8 at addr ffff888014941048 by task xfs_io/27534
+
+ CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+ rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ Call Trace:
+ dump_stack_lvl+0x4a/0x80
+ print_report+0xcf/0x650
+ ? srso_alias_return_thunk+0x5/0x7f
+ ? srso_alias_return_thunk+0x5/0x7f
+ ? __phys_addr+0x46/0x90
+ kasan_report+0xda/0x110
+ ? smb2_query_info_compound+0x423/0x6d0 [cifs]
+ ? smb2_query_info_compound+0x423/0x6d0 [cifs]
+ smb2_query_info_compound+0x423/0x6d0 [cifs]
+ ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]
+ ? srso_alias_return_thunk+0x5/0x7f
+ ? __stack_depot_save+0x39/0x480
+ ? kasan_save_stack+0x33/0x60
+ ? kasan_set_track+0x25/0x30
+ ? ____kasan_slab_free+0x126/0x170
+ smb2_queryfs+0xc2/0x2c0 [cifs]
+ ? __pfx_smb2_queryfs+0x10/0x10 [cifs]
+ ? __pfx___lock_acquire+0x10/0x10
+ smb311_queryfs+0x210/0x220 [cifs]
+ ? __pfx_smb311_queryfs+0x10/0x10 [cifs]
+ ? srso_alias_return_thunk+0x5/0x7f
+ ? __lock_acquire+0x480/0x26c0
+ ? lock_release+0x1ed/0x640
+ ? srso_alias_return_thunk+0x5/0x7f
+ ? do_raw_spin_unlock+0x9b/0x100
+ cifs_statfs+0x18c/0x4b0 [cifs]
+ statfs_by_dentry+0x9b/0xf0
+ fd_statfs+0x4e/0xb0
+ __do_sys_fstatfs+0x7f/0xe0
+ ? __pfx___do_sys_fstatfs+0x10/0x10
+ ? srso_alias_return_thunk+0x5/0x7f
+ ? lockdep_hardirqs_on_prepare+0x136/0x200
+ ? srso_alias_return_thunk+0x5/0x7f
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Allocated by task 27534:
+ kasan_save_stack+0x33/0x60
+ kasan_set_track+0x25/0x30
+ __kasan_kmalloc+0x8f/0xa0
+ open_cached_dir+0x71b/0x1240 [cifs]
+ smb2_query_info_compound+0x5c3/0x6d0 [cifs]
+ smb2_queryfs+0xc2/0x2c0 [cifs]
+ smb311_queryfs+0x210/0x220 [cifs]
+ cifs_statfs+0x18c/0x4b0 [cifs]
+ statfs_by_dentry+0x9b/0xf0
+ fd_statfs+0x4e/0xb0
+ __do_sys_fstatfs+0x7f/0xe0
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Freed by task 27534:
+ kasan_save_stack+0x33/0x60
+ kasan_set_track+0x25/0x30
+ kasan_save_free_info+0x2b/0x50
+ ____kasan_slab_free+0x126/0x170
+ slab_free_freelist_hook+0xd0/0x1e0
+ __kmem_cache_free+0x9d/0x1b0
+ open_cached_dir+0xff5/0x1240 [cifs]
+ smb2_query_info_compound+0x5c3/0x6d0 [cifs]
+ smb2_queryfs+0xc2/0x2c0 [cifs]
+
+This is a race between open_cached_dir() and cached_dir_lease_break()
+where the cache entry for the open directory handle receives a lease
+break while creating it. And before returning from open_cached_dir(),
+we put the last reference of the new @cfid because of
+!@cfid->has_lease.
+
+Besides the UAF, while running xfstests a lot of missed lease breaks
+have been noticed in tests that run several concurrent statfs(2) calls
+on those cached fids
+
+ CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...
+ CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...
+ CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108
+ CIFS: VFS: Dump pending requests:
+ CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...
+ CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...
+ CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108
+ ...
+
+To fix both, in open_cached_dir() ensure that @cfid->has_lease is set
+right before sending out compounded request so that any potential
+lease break will be get processed by demultiplex thread while we're
+still caching @cfid. And, if open failed for some reason, re-check
+@cfid->has_lease to decide whether or not put lease reference.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cached_dir.c | 84 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 49 insertions(+), 35 deletions(-)
+
+--- a/fs/smb/client/cached_dir.c
++++ b/fs/smb/client/cached_dir.c
+@@ -32,7 +32,7 @@ static struct cached_fid *find_or_create
+ * fully cached or it may be in the process of
+ * being deleted due to a lease break.
+ */
+- if (!cfid->has_lease) {
++ if (!cfid->time || !cfid->has_lease) {
+ spin_unlock(&cfids->cfid_list_lock);
+ return NULL;
+ }
+@@ -193,10 +193,20 @@ int open_cached_dir(unsigned int xid, st
+ npath = path_no_prefix(cifs_sb, path);
+ if (IS_ERR(npath)) {
+ rc = PTR_ERR(npath);
+- kfree(utf16_path);
+- return rc;
++ goto out;
+ }
+
++ if (!npath[0]) {
++ dentry = dget(cifs_sb->root);
++ } else {
++ dentry = path_to_dentry(cifs_sb, npath);
++ if (IS_ERR(dentry)) {
++ rc = -ENOENT;
++ goto out;
++ }
++ }
++ cfid->dentry = dentry;
++
+ /*
+ * We do not hold the lock for the open because in case
+ * SMB2_open needs to reconnect.
+@@ -249,6 +259,15 @@ int open_cached_dir(unsigned int xid, st
+
+ smb2_set_related(&rqst[1]);
+
++ /*
++ * Set @cfid->has_lease to true before sending out compounded request so
++ * its lease reference can be put in cached_dir_lease_break() due to a
++ * potential lease break right after the request is sent or while @cfid
++ * is still being cached. Concurrent processes won't be to use it yet
++ * due to @cfid->time being zero.
++ */
++ cfid->has_lease = true;
++
+ rc = compound_send_recv(xid, ses, server,
+ flags, 2, rqst,
+ resp_buftype, rsp_iov);
+@@ -263,6 +282,8 @@ int open_cached_dir(unsigned int xid, st
+ cfid->tcon = tcon;
+ cfid->is_open = true;
+
++ spin_lock(&cfids->cfid_list_lock);
++
+ o_rsp = (struct smb2_create_rsp *)rsp_iov[0].iov_base;
+ oparms.fid->persistent_fid = o_rsp->PersistentFileId;
+ oparms.fid->volatile_fid = o_rsp->VolatileFileId;
+@@ -270,18 +291,25 @@ int open_cached_dir(unsigned int xid, st
+ oparms.fid->mid = le64_to_cpu(o_rsp->hdr.MessageId);
+ #endif /* CIFS_DEBUG2 */
+
+- if (o_rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE)
++ rc = -EINVAL;
++ if (o_rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE) {
++ spin_unlock(&cfids->cfid_list_lock);
+ goto oshr_free;
++ }
+
+ smb2_parse_contexts(server, o_rsp,
+ &oparms.fid->epoch,
+ oparms.fid->lease_key, &oplock,
+ NULL, NULL);
+- if (!(oplock & SMB2_LEASE_READ_CACHING_HE))
++ if (!(oplock & SMB2_LEASE_READ_CACHING_HE)) {
++ spin_unlock(&cfids->cfid_list_lock);
+ goto oshr_free;
++ }
+ qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
+- if (le32_to_cpu(qi_rsp->OutputBufferLength) < sizeof(struct smb2_file_all_info))
++ if (le32_to_cpu(qi_rsp->OutputBufferLength) < sizeof(struct smb2_file_all_info)) {
++ spin_unlock(&cfids->cfid_list_lock);
+ goto oshr_free;
++ }
+ if (!smb2_validate_and_copy_iov(
+ le16_to_cpu(qi_rsp->OutputBufferOffset),
+ sizeof(struct smb2_file_all_info),
+@@ -289,37 +317,24 @@ int open_cached_dir(unsigned int xid, st
+ (char *)&cfid->file_all_info))
+ cfid->file_all_info_is_valid = true;
+
+- if (!npath[0])
+- dentry = dget(cifs_sb->root);
+- else {
+- dentry = path_to_dentry(cifs_sb, npath);
+- if (IS_ERR(dentry)) {
+- rc = -ENOENT;
+- goto oshr_free;
+- }
+- }
+- spin_lock(&cfids->cfid_list_lock);
+- cfid->dentry = dentry;
+ cfid->time = jiffies;
+- cfid->has_lease = true;
+ spin_unlock(&cfids->cfid_list_lock);
++ /* At this point the directory handle is fully cached */
++ rc = 0;
+
+ oshr_free:
+- kfree(utf16_path);
+ SMB2_open_free(&rqst[0]);
+ SMB2_query_info_free(&rqst[1]);
+ free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
+ free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
+- spin_lock(&cfids->cfid_list_lock);
+- if (!cfid->has_lease) {
+- if (rc) {
+- if (cfid->on_list) {
+- list_del(&cfid->entry);
+- cfid->on_list = false;
+- cfids->num_entries--;
+- }
+- rc = -ENOENT;
+- } else {
++ if (rc) {
++ spin_lock(&cfids->cfid_list_lock);
++ if (cfid->on_list) {
++ list_del(&cfid->entry);
++ cfid->on_list = false;
++ cfids->num_entries--;
++ }
++ if (cfid->has_lease) {
+ /*
+ * We are guaranteed to have two references at this
+ * point. One for the caller and one for a potential
+@@ -327,25 +342,24 @@ oshr_free:
+ * will be closed when the caller closes the cached
+ * handle.
+ */
++ cfid->has_lease = false;
+ spin_unlock(&cfids->cfid_list_lock);
+ kref_put(&cfid->refcount, smb2_close_cached_fid);
+ goto out;
+ }
++ spin_unlock(&cfids->cfid_list_lock);
+ }
+- spin_unlock(&cfids->cfid_list_lock);
++out:
+ if (rc) {
+ if (cfid->is_open)
+ SMB2_close(0, cfid->tcon, cfid->fid.persistent_fid,
+ cfid->fid.volatile_fid);
+ free_cached_dir(cfid);
+- cfid = NULL;
+- }
+-out:
+- if (rc == 0) {
++ } else {
+ *ret_cfid = cfid;
+ atomic_inc(&tcon->num_remote_opens);
+ }
+-
++ kfree(utf16_path);
+ return rc;
+ }
+
--- /dev/null
+From de4eceab578ead12a71e5b5588a57e142bbe8ceb Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 9 Nov 2023 15:28:12 -0600
+Subject: smb3: allow dumping session and tcon id to improve stats analysis and debugging
+
+From: Steve French <stfrench@microsoft.com>
+
+commit de4eceab578ead12a71e5b5588a57e142bbe8ceb upstream.
+
+When multiple mounts are to the same share from the same client it was not
+possible to determine which section of /proc/fs/cifs/Stats (and DebugData)
+correspond to that mount. In some recent examples this turned out to be
+a significant problem when trying to analyze performance data - since
+there are many cases where unless we know the tree id and session id we
+can't figure out which stats (e.g. number of SMB3.1.1 requests by type,
+the total time they take, which is slowest, how many fail etc.) apply to
+which mount. The only existing loosely related ioctl CIFS_IOC_GET_MNT_INFO
+does not return the information needed to uniquely identify which tcon
+is which mount although it does return various flags and device info.
+
+Add a cifs.ko ioctl CIFS_IOC_GET_TCON_INFO (0x800ccf0c) to return tid,
+session id, tree connect count.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifs_ioctl.h | 6 ++++++
+ fs/smb/client/ioctl.c | 25 +++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+--- a/fs/smb/client/cifs_ioctl.h
++++ b/fs/smb/client/cifs_ioctl.h
+@@ -26,6 +26,11 @@ struct smb_mnt_fs_info {
+ __u64 cifs_posix_caps;
+ } __packed;
+
++struct smb_mnt_tcon_info {
++ __u32 tid;
++ __u64 session_id;
++} __packed;
++
+ struct smb_snapshot_array {
+ __u32 number_of_snapshots;
+ __u32 number_of_snapshots_returned;
+@@ -108,6 +113,7 @@ struct smb3_notify_info {
+ #define CIFS_IOC_NOTIFY _IOW(CIFS_IOCTL_MAGIC, 9, struct smb3_notify)
+ #define CIFS_DUMP_FULL_KEY _IOWR(CIFS_IOCTL_MAGIC, 10, struct smb3_full_key_debug_info)
+ #define CIFS_IOC_NOTIFY_INFO _IOWR(CIFS_IOCTL_MAGIC, 11, struct smb3_notify_info)
++#define CIFS_IOC_GET_TCON_INFO _IOR(CIFS_IOCTL_MAGIC, 12, struct smb_mnt_tcon_info)
+ #define CIFS_IOC_SHUTDOWN _IOR('X', 125, __u32)
+
+ /*
+--- a/fs/smb/client/ioctl.c
++++ b/fs/smb/client/ioctl.c
+@@ -117,6 +117,20 @@ out_drop_write:
+ return rc;
+ }
+
++static long smb_mnt_get_tcon_info(struct cifs_tcon *tcon, void __user *arg)
++{
++ int rc = 0;
++ struct smb_mnt_tcon_info tcon_inf;
++
++ tcon_inf.tid = tcon->tid;
++ tcon_inf.session_id = tcon->ses->Suid;
++
++ if (copy_to_user(arg, &tcon_inf, sizeof(struct smb_mnt_tcon_info)))
++ rc = -EFAULT;
++
++ return rc;
++}
++
+ static long smb_mnt_get_fsinfo(unsigned int xid, struct cifs_tcon *tcon,
+ void __user *arg)
+ {
+@@ -414,6 +428,17 @@ long cifs_ioctl(struct file *filep, unsi
+ tcon = tlink_tcon(pSMBFile->tlink);
+ rc = smb_mnt_get_fsinfo(xid, tcon, (void __user *)arg);
+ break;
++ case CIFS_IOC_GET_TCON_INFO:
++ cifs_sb = CIFS_SB(inode->i_sb);
++ tlink = cifs_sb_tlink(cifs_sb);
++ if (IS_ERR(tlink)) {
++ rc = PTR_ERR(tlink);
++ break;
++ }
++ tcon = tlink_tcon(tlink);
++ rc = smb_mnt_get_tcon_info(tcon, (void __user *)arg);
++ cifs_put_tlink(tlink);
++ break;
+ case CIFS_ENUMERATE_SNAPSHOTS:
+ if (pSMBFile == NULL)
+ break;
--- /dev/null
+From 5923d6686a100c2b4cabd4c2ca9d5a12579c7614 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 7 Nov 2023 21:38:13 -0600
+Subject: smb3: fix caching of ctime on setxattr
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 5923d6686a100c2b4cabd4c2ca9d5a12579c7614 upstream.
+
+Fixes xfstest generic/728 which had been failing due to incorrect
+ctime after setxattr and removexattr
+
+Update ctime on successful set of xattr
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/xattr.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/xattr.c
++++ b/fs/smb/client/xattr.c
+@@ -150,10 +150,13 @@ static int cifs_xattr_set(const struct x
+ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_XATTR)
+ goto out;
+
+- if (pTcon->ses->server->ops->set_EA)
++ if (pTcon->ses->server->ops->set_EA) {
+ rc = pTcon->ses->server->ops->set_EA(xid, pTcon,
+ full_path, name, value, (__u16)size,
+ cifs_sb->local_nls, cifs_sb);
++ if (rc == 0)
++ inode_set_ctime_current(inode);
++ }
+ break;
+
+ case XATTR_CIFS_ACL:
--- /dev/null
+From 72bc63f5e23a38b65ff2a201bdc11401d4223fa9 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 19 Oct 2023 23:01:49 -0500
+Subject: smb3: fix creating FIFOs when mounting with "sfu" mount option
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 72bc63f5e23a38b65ff2a201bdc11401d4223fa9 upstream.
+
+Fixes some xfstests including generic/564 and generic/157
+
+The "sfu" mount option can be useful for creating special files (character
+and block devices in particular) but could not create FIFOs. It did
+recognize existing empty files with the "system" attribute flag as FIFOs
+but this is too general, so to support creating FIFOs more safely use a new
+tag (but the same length as those for char and block devices ie "IntxLNK"
+and "IntxBLK") "LnxFIFO" to indicate that the file should be treated as a
+FIFO (when mounted with the "sfu"). For some additional context note that
+"sfu" followed the way that "Services for Unix" on Windows handled these
+special files (at least for character and block devices and symlinks),
+which is different than newer Windows which can handle special files
+as reparse points (which isn't an option to many servers).
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifspdu.h | 2 +-
+ fs/smb/client/inode.c | 4 ++++
+ fs/smb/client/smb2ops.c | 8 +++++++-
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/client/cifspdu.h
++++ b/fs/smb/client/cifspdu.h
+@@ -2570,7 +2570,7 @@ typedef struct {
+
+
+ struct win_dev {
+- unsigned char type[8]; /* IntxCHR or IntxBLK */
++ unsigned char type[8]; /* IntxCHR or IntxBLK or LnxFIFO*/
+ __le64 major;
+ __le64 minor;
+ } __attribute__((packed));
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -592,6 +592,10 @@ cifs_sfu_type(struct cifs_fattr *fattr,
+ cifs_dbg(FYI, "Symlink\n");
+ fattr->cf_mode |= S_IFLNK;
+ fattr->cf_dtype = DT_LNK;
++ } else if (memcmp("LnxFIFO", pbuf, 8) == 0) {
++ cifs_dbg(FYI, "FIFO\n");
++ fattr->cf_mode |= S_IFIFO;
++ fattr->cf_dtype = DT_FIFO;
+ } else {
+ fattr->cf_mode |= S_IFREG; /* file? */
+ fattr->cf_dtype = DT_REG;
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -5087,7 +5087,7 @@ smb2_make_node(unsigned int xid, struct
+ * over SMB2/SMB3 and Samba will do this with SMB3.1.1 POSIX Extensions
+ */
+
+- if (!S_ISCHR(mode) && !S_ISBLK(mode))
++ if (!S_ISCHR(mode) && !S_ISBLK(mode) && !S_ISFIFO(mode))
+ return rc;
+
+ cifs_dbg(FYI, "sfu compat create special file\n");
+@@ -5135,6 +5135,12 @@ smb2_make_node(unsigned int xid, struct
+ pdev->minor = cpu_to_le64(MINOR(dev));
+ rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
+ &bytes_written, iov, 1);
++ } else if (S_ISFIFO(mode)) {
++ memcpy(pdev->type, "LnxFIFO", 8);
++ pdev->major = 0;
++ pdev->minor = 0;
++ rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
++ &bytes_written, iov, 1);
+ }
+ tcon->ses->server->ops->close(xid, tcon, &fid);
+ d_drop(dentry);
--- /dev/null
+From 475efd9808a3094944a56240b2711349e433fb66 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 16 Oct 2023 12:18:23 -0500
+Subject: smb3: fix touch -h of symlink
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 475efd9808a3094944a56240b2711349e433fb66 upstream.
+
+For example:
+ touch -h -t 02011200 testfile
+where testfile is a symlink would not change the timestamp, but
+ touch -t 02011200 testfile
+does work to change the timestamp of the target
+
+Suggested-by: David Howells <dhowells@redhat.com>
+Reported-by: Micah Veilleux <micah.veilleux@iba-group.com>
+Closes: https://bugzilla.samba.org/show_bug.cgi?id=14476
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -1191,6 +1191,7 @@ const char *cifs_get_link(struct dentry
+
+ const struct inode_operations cifs_symlink_inode_ops = {
+ .get_link = cifs_get_link,
++ .setattr = cifs_setattr,
+ .permission = cifs_permission,
+ .listxattr = cifs_listxattr,
+ };
--- /dev/null
+From 7930d9e103700cde15833638855b750715c12091 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Fri, 10 Nov 2023 15:33:14 +1100
+Subject: xfs: recovery should not clear di_flushiter unconditionally
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit 7930d9e103700cde15833638855b750715c12091 upstream.
+
+Because on v3 inodes, di_flushiter doesn't exist. It overlaps with
+zero padding in the inode, except when NREXT64=1 configurations are
+in use and the zero padding is no longer padding but holds the 64
+bit extent counter.
+
+This manifests obviously on big endian platforms (e.g. s390) because
+the log dinode is in host order and the overlap is the LSBs of the
+extent count field. It is not noticed on little endian machines
+because the overlap is at the MSB end of the extent count field and
+we need to get more than 2^^48 extents in the inode before it
+manifests. i.e. the heat death of the universe will occur before we
+see the problem in little endian machines.
+
+This is a zero-day issue for NREXT64=1 configuraitons on big endian
+machines. Fix it by only clearing di_flushiter on v2 inodes during
+recovery.
+
+Fixes: 9b7d16e34bbe ("xfs: Introduce XFS_DIFLAG2_NREXT64 and associated helpers")
+cc: stable@kernel.org # 5.19+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
+Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_inode_item_recover.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/fs/xfs/xfs_inode_item_recover.c
++++ b/fs/xfs/xfs_inode_item_recover.c
+@@ -369,24 +369,26 @@ xlog_recover_inode_commit_pass2(
+ * superblock flag to determine whether we need to look at di_flushiter
+ * to skip replay when the on disk inode is newer than the log one
+ */
+- if (!xfs_has_v3inodes(mp) &&
+- ldip->di_flushiter < be16_to_cpu(dip->di_flushiter)) {
+- /*
+- * Deal with the wrap case, DI_MAX_FLUSH is less
+- * than smaller numbers
+- */
+- if (be16_to_cpu(dip->di_flushiter) == DI_MAX_FLUSH &&
+- ldip->di_flushiter < (DI_MAX_FLUSH >> 1)) {
+- /* do nothing */
+- } else {
+- trace_xfs_log_recover_inode_skip(log, in_f);
+- error = 0;
+- goto out_release;
++ if (!xfs_has_v3inodes(mp)) {
++ if (ldip->di_flushiter < be16_to_cpu(dip->di_flushiter)) {
++ /*
++ * Deal with the wrap case, DI_MAX_FLUSH is less
++ * than smaller numbers
++ */
++ if (be16_to_cpu(dip->di_flushiter) == DI_MAX_FLUSH &&
++ ldip->di_flushiter < (DI_MAX_FLUSH >> 1)) {
++ /* do nothing */
++ } else {
++ trace_xfs_log_recover_inode_skip(log, in_f);
++ error = 0;
++ goto out_release;
++ }
+ }
++
++ /* Take the opportunity to reset the flush iteration count */
++ ldip->di_flushiter = 0;
+ }
+
+- /* Take the opportunity to reset the flush iteration count */
+- ldip->di_flushiter = 0;
+
+ if (unlikely(S_ISREG(ldip->di_mode))) {
+ if ((ldip->di_format != XFS_DINODE_FMT_EXTENTS) &&
projects / thirdparty / kernel / stable-queue.git / commitdiff
