--- /dev/null
+From b6409dd6bdc03aa178bbff0d80db2a30d29b63ac Mon Sep 17 00:00:00 2001
+From: Alan Young <consult.awy@gmail.com>
+Date: Thu, 2 Dec 2021 15:06:07 +0000
+Subject: ALSA: ctl: Fix copy of updated id with element read/write
+
+From: Alan Young <consult.awy@gmail.com>
+
+commit b6409dd6bdc03aa178bbff0d80db2a30d29b63ac upstream.
+
+When control_compat.c:copy_ctl_value_to_user() is used, by
+ctl_elem_read_user() & ctl_elem_write_user(), it must also copy back the
+snd_ctl_elem_id value that may have been updated (filled in) by the call
+to snd_ctl_elem_read/snd_ctl_elem_write().
+
+This matches the functionality provided by snd_ctl_elem_read_user() and
+snd_ctl_elem_write_user(), via snd_ctl_build_ioff().
+
+Without this, and without making additional calls to snd_ctl_info()
+which are unnecessary when using the non-compat calls, a userspace
+application will not know the numid value for the element and
+consequently will not be able to use the poll/read interface on the
+control file to determine which elements have updates.
+
+Signed-off-by: Alan Young <consult.awy@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211202150607.543389-1-consult.awy@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/control_compat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/control_compat.c
++++ b/sound/core/control_compat.c
+@@ -264,6 +264,7 @@ static int copy_ctl_value_to_user(void _
+ struct snd_ctl_elem_value *data,
+ int type, int count)
+ {
++ struct snd_ctl_elem_value32 __user *data32 = userdata;
+ int i, size;
+
+ if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN ||
+@@ -280,6 +281,8 @@ static int copy_ctl_value_to_user(void _
+ if (copy_to_user(valuep, data->value.bytes.data, size))
+ return -EFAULT;
+ }
++ if (copy_to_user(&data32->id, &data->id, sizeof(data32->id)))
++ return -EFAULT;
+ return 0;
+ }
+
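Review bot: The copy-back `copy_to_user(&data32->id, &data->id, sizeof(data32->id))` is only correct if every caller passes a `userdata` whose `id` member sits at the same offset as in `struct snd_ctl_elem_value32`. The declaration added in the first hunk casts the `void __user *` to that type unconditionally. The callers are outside both hunks, so this should be confirmed for any other compat layout routed through this helper. A one-line comment above the declaration, such as `/* id is the leading member of every compat layout passed in here */`, would record the assumption. Because the whole kernel-side id is written to user space, it is also worth confirming that the struct has no uninitialised padding, which these lines do not show.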
--- /dev/null
+From d7f32791a9fcf0dae8b073cdea9b79e29098c5f4 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Tue, 23 Nov 2021 16:32:44 +0800
+Subject: ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit d7f32791a9fcf0dae8b073cdea9b79e29098c5f4 upstream.
+
+Lenovo ALC897 platform had headset Mic.
+This patch enable supported headset Mic.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/baab2c2536cb4cc18677a862c6f6d840@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10231,6 +10231,27 @@ static void alc671_fixup_hp_headset_mic2
+ }
+ }
+
++static void alc897_hp_automute_hook(struct hda_codec *codec,
++ struct hda_jack_callback *jack)
++{
++ struct alc_spec *spec = codec->spec;
++ int vref;
++
++ snd_hda_gen_hp_automute(codec, jack);
++ vref = spec->gen.hp_jack_present ? (PIN_HP | AC_PINCTL_VREF_100) : PIN_HP;
++ snd_hda_codec_write(codec, 0x1b, 0, AC_VERB_SET_PIN_WIDGET_CONTROL,
++ vref);
++}
++
++static void alc897_fixup_lenovo_headset_mic(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ spec->gen.hp_automute_hook = alc897_hp_automute_hook;
++ }
++}
++
+ static const struct coef_fw alc668_coefs[] = {
+ WRITE_COEF(0x01, 0xbebe), WRITE_COEF(0x02, 0xaaaa), WRITE_COEF(0x03, 0x0),
+ WRITE_COEF(0x04, 0x0180), WRITE_COEF(0x06, 0x0), WRITE_COEF(0x07, 0x0f80),
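Review bot: `alc897_hp_automute_hook()` writes the pin control of NID `0x1b` with no comment saying which widget that is or why VREF is raised to 100% only while `hp_jack_present` is set. A short comment above the `snd_hda_codec_write()` call naming the widget and the reason would save the next reader a datasheet lookup. In `alc897_fixup_lenovo_headset_mic()`, kernel style wants a blank line after the `spec` declaration and no braces around the single-statement `if`, i.e. `if (action == HDA_FIXUP_ACT_PRE_PROBE)` followed directly by the assignment.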
+@@ -10311,6 +10332,8 @@ enum {
+ ALC668_FIXUP_ASUS_NO_HEADSET_MIC,
+ ALC668_FIXUP_HEADSET_MIC,
+ ALC668_FIXUP_MIC_DET_COEF,
++ ALC897_FIXUP_LENOVO_HEADSET_MIC,
++ ALC897_FIXUP_HEADSET_MIC_PIN,
+ };
+
+ static const struct hda_fixup alc662_fixups[] = {
+@@ -10717,6 +10740,19 @@ static const struct hda_fixup alc662_fix
+ {}
+ },
+ },
++ [ALC897_FIXUP_LENOVO_HEADSET_MIC] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc897_fixup_lenovo_headset_mic,
++ },
++ [ALC897_FIXUP_HEADSET_MIC_PIN] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x1a, 0x03a11050 },
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC897_FIXUP_LENOVO_HEADSET_MIC
++ },
+ };
+
+ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
+@@ -10761,6 +10797,10 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x14cd, 0x5003, "USI", ALC662_FIXUP_USI_HEADSET_MODE),
+ SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC662_FIXUP_LENOVO_MULTI_CODECS),
++ SND_PCI_QUIRK(0x17aa, 0x32ca, "Lenovo ThinkCentre M80", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x32cb, "Lenovo ThinkCentre M70", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x32cf, "Lenovo ThinkCentre M950", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x1849, 0x5892, "ASRock B150M", ALC892_FIXUP_ASROCK_MOBO),
--- /dev/null
+From 619764cc2ec9ce1283a8bbcd89a1376a7c68293b Mon Sep 17 00:00:00 2001
+From: Werner Sembach <wse@tuxedocomputers.com>
+Date: Thu, 2 Dec 2021 17:50:10 +0100
+Subject: ALSA: hda/realtek: Fix quirk for TongFang PHxTxX1
+
+From: Werner Sembach <wse@tuxedocomputers.com>
+
+commit 619764cc2ec9ce1283a8bbcd89a1376a7c68293b upstream.
+
+This fixes the SND_PCI_QUIRK(...) of the TongFang PHxTxX1 barebone. This
+fixes the issue of sound not working after s3 suspend.
+
+When waking up from s3 suspend the Coef 0x10 is set to 0x0220 instead of
+0x0020. Setting the value manually makes the sound work again. This patch
+does this automatically.
+
+While being on it, I also fixed the comment formatting of the quirk and
+shortened variable and function names.
+
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Fixes: dd6dd6e3c791 ("ALSA: hda/realtek: Add quirk for TongFang PHxTxX1")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211202165010.876431-1-wse@tuxedocomputers.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6503,22 +6503,26 @@ static void alc287_fixup_legion_15imhg05
+ /* for alc285_fixup_ideapad_s740_coef() */
+ #include "ideapad_s740_helper.c"
+
+-static void alc256_fixup_tongfang_reset_persistent_settings(struct hda_codec *codec,
+- const struct hda_fixup *fix,
+- int action)
++static const struct coef_fw alc256_fixup_set_coef_defaults_coefs[] = {
++ WRITE_COEF(0x10, 0x0020), WRITE_COEF(0x24, 0x0000),
++ WRITE_COEF(0x26, 0x0000), WRITE_COEF(0x29, 0x3000),
++ WRITE_COEF(0x37, 0xfe05), WRITE_COEF(0x45, 0x5089),
++ {}
++};
++
++static void alc256_fixup_set_coef_defaults(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
+ {
+ /*
+- * A certain other OS sets these coeffs to different values. On at least one TongFang
+- * barebone these settings might survive even a cold reboot. So to restore a clean slate the
+- * values are explicitly reset to default here. Without this, the external microphone is
+- * always in a plugged-in state, while the internal microphone is always in an unplugged
+- * state, breaking the ability to use the internal microphone.
+- */
+- alc_write_coef_idx(codec, 0x24, 0x0000);
+- alc_write_coef_idx(codec, 0x26, 0x0000);
+- alc_write_coef_idx(codec, 0x29, 0x3000);
+- alc_write_coef_idx(codec, 0x37, 0xfe05);
+- alc_write_coef_idx(codec, 0x45, 0x5089);
++ * A certain other OS sets these coeffs to different values. On at least
++ * one TongFang barebone these settings might survive even a cold
++ * reboot. So to restore a clean slate the values are explicitly reset
++ * to default here. Without this, the external microphone is always in a
++ * plugged-in state, while the internal microphone is always in an
++ * unplugged state, breaking the ability to use the internal microphone.
++ */
++ alc_process_coef_fw(codec, alc256_fixup_set_coef_defaults_coefs);
+ }
+
+ static const struct coef_fw alc233_fixup_no_audio_jack_coefs[] = {
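Review bot: The block comment in `alc256_fixup_set_coef_defaults()` still describes only the "other OS" case, but the new table also writes `WRITE_COEF(0x10, 0x0020)`, which the commit message ties to the value coming back as 0x0220 after s3 suspend. I would add a sentence to the comment, for example `* Coef 0x10 is additionally found at 0x0220 after s3 resume; reset it to 0x0020 too.` The function also ignores `action`, so the table is written on every fixup stage. If that is deliberate so that the resume path is covered, the comment should say so.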
+@@ -6759,7 +6763,7 @@ enum {
+ ALC287_FIXUP_LEGION_15IMHG05_AUTOMUTE,
+ ALC287_FIXUP_YOGA7_14ITL_SPEAKERS,
+ ALC287_FIXUP_13S_GEN2_SPEAKERS,
+- ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS,
++ ALC256_FIXUP_SET_COEF_DEFAULTS,
+ ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE,
+ ALC233_FIXUP_NO_AUDIO_JACK,
+ };
+@@ -8465,9 +8469,9 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE,
+ },
+- [ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS] = {
++ [ALC256_FIXUP_SET_COEF_DEFAULTS] = {
+ .type = HDA_FIXUP_FUNC,
+- .v.func = alc256_fixup_tongfang_reset_persistent_settings,
++ .v.func = alc256_fixup_set_coef_defaults,
+ },
+ [ALC245_FIXUP_HP_GPIO_LED] = {
+ .type = HDA_FIXUP_FUNC,
+@@ -8929,7 +8933,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
+ SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802),
+ SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X),
+- SND_PCI_QUIRK(0x1d05, 0x1132, "TongFang PHxTxX1", ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS),
++ SND_PCI_QUIRK(0x1d05, 0x1132, "TongFang PHxTxX1", ALC256_FIXUP_SET_COEF_DEFAULTS),
+ SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
--- /dev/null
+From 9d2479c960875ca1239bcb899f386970c13d9cfe Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 1 Dec 2021 08:36:04 +0100
+Subject: ALSA: pcm: oss: Fix negative period/buffer sizes
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 9d2479c960875ca1239bcb899f386970c13d9cfe upstream.
+
+The period size calculation in OSS layer may receive a negative value
+as an error, but the code there assumes only the positive values and
+handle them with size_t. Due to that, a too big value may be passed
+to the lower layers.
+
+This patch changes the code to handle with ssize_t and adds the proper
+error checks appropriately.
+
+Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
+Reported-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
+Link: https://lore.kernel.org/r/20211201073606.11660-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -147,7 +147,7 @@ snd_pcm_hw_param_value_min(const struct
+ *
+ * Return the maximum value for field PAR.
+ */
+-static unsigned int
++static int
+ snd_pcm_hw_param_value_max(const struct snd_pcm_hw_params *params,
+ snd_pcm_hw_param_t var, int *dir)
+ {
+@@ -682,18 +682,24 @@ static int snd_pcm_oss_period_size(struc
+ struct snd_pcm_hw_params *oss_params,
+ struct snd_pcm_hw_params *slave_params)
+ {
+- size_t s;
+- size_t oss_buffer_size, oss_period_size, oss_periods;
+- size_t min_period_size, max_period_size;
++ ssize_t s;
++ ssize_t oss_buffer_size;
++ ssize_t oss_period_size, oss_periods;
++ ssize_t min_period_size, max_period_size;
+ struct snd_pcm_runtime *runtime = substream->runtime;
+ size_t oss_frame_size;
+
+ oss_frame_size = snd_pcm_format_physical_width(params_format(oss_params)) *
+ params_channels(oss_params) / 8;
+
++ oss_buffer_size = snd_pcm_hw_param_value_max(slave_params,
++ SNDRV_PCM_HW_PARAM_BUFFER_SIZE,
++ NULL);
++ if (oss_buffer_size <= 0)
++ return -EINVAL;
+ oss_buffer_size = snd_pcm_plug_client_size(substream,
+- snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, NULL)) * oss_frame_size;
+- if (!oss_buffer_size)
++ oss_buffer_size * oss_frame_size);
++ if (oss_buffer_size <= 0)
+ return -EINVAL;
+ oss_buffer_size = rounddown_pow_of_two(oss_buffer_size);
+ if (atomic_read(&substream->mmap_count)) {
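Review bot: The product `oss_buffer_size * oss_frame_size` is now formed before the call and passed into `snd_pcm_plug_client_size()`, whereas the removed line multiplied the function's result. The period-size paths later in this patch still convert first and then do `min_period_size *= oss_frame_size`, so the two paths no longer agree. Since `oss_frame_size` is `size_t`, the multiplication is carried out unsigned and nothing bounds it before the call, so a large buffer-size maximum could wrap, at least where `size_t` is 32 bits. Keeping the earlier order would match the period paths: convert with `snd_pcm_plug_client_size(substream, oss_buffer_size)`, check `<= 0`, then `oss_buffer_size *= oss_frame_size;`. The function body continues outside the hunk.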
+@@ -730,7 +736,7 @@ static int snd_pcm_oss_period_size(struc
+
+ min_period_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_min(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
+- if (min_period_size) {
++ if (min_period_size > 0) {
+ min_period_size *= oss_frame_size;
+ min_period_size = roundup_pow_of_two(min_period_size);
+ if (oss_period_size < min_period_size)
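Review bot: The return value of `snd_pcm_hw_param_value_min()` is still handed straight to `snd_pcm_plug_client_size()` here, so a negative error code is converted before the new `> 0` test can see it. The next hunk does the same with `snd_pcm_hw_param_value_max()` for `max_period_size`. The buffer-size path in this patch stores the raw value and rejects `<= 0` before converting, and the period paths would be more consistent if they did the same, skipping the clamp when the raw value is not positive. What `snd_pcm_plug_client_size()` returns for such an argument is not visible in this diff.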
+@@ -739,7 +745,7 @@ static int snd_pcm_oss_period_size(struc
+
+ max_period_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
+- if (max_period_size) {
++ if (max_period_size > 0) {
+ max_period_size *= oss_frame_size;
+ max_period_size = rounddown_pow_of_two(max_period_size);
+ if (oss_period_size > max_period_size)
+@@ -752,7 +758,7 @@ static int snd_pcm_oss_period_size(struc
+ oss_periods = substream->oss.setup.periods;
+
+ s = snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIODS, NULL);
+- if (runtime->oss.maxfrags && s > runtime->oss.maxfrags)
++ if (s > 0 && runtime->oss.maxfrags && s > runtime->oss.maxfrags)
+ s = runtime->oss.maxfrags;
+ if (oss_periods > s)
+ oss_periods = s;
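Review bot: With `s` now signed, a negative return from `snd_pcm_hw_param_value_max()` skips the `maxfrags` clamp but still reaches `if (oss_periods > s) oss_periods = s;`, which would store the error code in `oss_periods`. Guarding that assignment as well, `if (s > 0 && oss_periods > s)`, or returning the error outright, would close the gap. How `oss_periods` is used after this point is outside the hunk.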
--- /dev/null
+From 6665bb30a6b1a4a853d52557c05482ee50e71391 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 1 Dec 2021 08:36:06 +0100
+Subject: ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6665bb30a6b1a4a853d52557c05482ee50e71391 upstream.
+
+A couple of calls in snd_pcm_oss_change_params_locked() ignore the
+possible errors. Catch those errors and abort the operation for
+avoiding further problems.
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211201073606.11660-4-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -884,8 +884,15 @@ static int snd_pcm_oss_change_params_loc
+ err = -EINVAL;
+ goto failure;
+ }
+- choose_rate(substream, sparams, runtime->oss.rate);
+- snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_CHANNELS, runtime->oss.channels, NULL);
++
++ err = choose_rate(substream, sparams, runtime->oss.rate);
++ if (err < 0)
++ goto failure;
++ err = snd_pcm_hw_param_near(substream, sparams,
++ SNDRV_PCM_HW_PARAM_CHANNELS,
++ runtime->oss.channels, NULL);
++ if (err < 0)
++ goto failure;
+
+ format = snd_pcm_oss_format_from(runtime->oss.format);
+
--- /dev/null
+From 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 1 Dec 2021 08:36:05 +0100
+Subject: ALSA: pcm: oss: Limit the period size to 16MB
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 upstream.
+
+Set the practical limit to the period size (the fragment shift in OSS)
+instead of a full 31bit; a too large value could lead to the exhaust
+of memory as we allocate temporary buffers of the period size, too.
+
+As of this patch, we set to 16MB limit, which should cover all use
+cases.
+
+Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
+Reported-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
+Link: https://lore.kernel.org/r/20211201073606.11660-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1962,7 +1962,7 @@ static int snd_pcm_oss_set_fragment1(str
+ if (runtime->oss.subdivision || runtime->oss.fragshift)
+ return -EINVAL;
+ fragshift = val & 0xffff;
+- if (fragshift >= 31)
++ if (fragshift >= 25) /* should be large enough */
+ return -EINVAL;
+ runtime->oss.fragshift = fragshift;
+ runtime->oss.maxfrags = (val >> 16) & 0xffff;
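Review bot: The comment `/* should be large enough */` on the new bound does not say what is being limited or why, although the commit message does: the period size is capped at 16MB because temporary buffers of that size get allocated. I would carry that into the code, e.g. `if (fragshift >= 25) /* cap period size at 16MB (1 << 24) to bound temp buffer allocation */`, or introduce a named constant for the limit so the value is not a bare literal. The function starts and ends outside the hunk.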
--- /dev/null
+From c2e39305299f0118298c2201f6d6cc7d3485f29e Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 24 Nov 2021 14:14:23 -0500
+Subject: btrfs: clear extent buffer uptodate when we fail to write it
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit c2e39305299f0118298c2201f6d6cc7d3485f29e upstream.
+
+I got dmesg errors on generic/281 on our overnight fstests. Looking at
+the history this happens occasionally, with errors like this
+
+ WARNING: CPU: 0 PID: 673217 at fs/btrfs/extent_io.c:6848 assert_eb_page_uptodate+0x3f/0x50
+ CPU: 0 PID: 673217 Comm: kworker/u4:13 Tainted: G W 5.16.0-rc2+ #469
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
+ Workqueue: btrfs-cache btrfs_work_helper
+ RIP: 0010:assert_eb_page_uptodate+0x3f/0x50
+ RSP: 0018:ffffae598230bc60 EFLAGS: 00010246
+ RAX: 0017ffffc0002112 RBX: ffffebaec4100900 RCX: 0000000000001000
+ RDX: ffffebaec45733c7 RSI: ffffebaec4100900 RDI: ffff9fd98919f340
+ RBP: 0000000000000d56 R08: ffff9fd98e300000 R09: 0000000000000000
+ R10: 0001207370a91c50 R11: 0000000000000000 R12: 00000000000007b0
+ R13: ffff9fd98919f340 R14: 0000000001500000 R15: 0000000001cb0000
+ FS: 0000000000000000(0000) GS:ffff9fd9fbc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f549fcf8940 CR3: 0000000114908004 CR4: 0000000000370ef0
+ Call Trace:
+
+ extent_buffer_test_bit+0x3f/0x70
+ free_space_test_bit+0xa6/0xc0
+ load_free_space_tree+0x1d6/0x430
+ caching_thread+0x454/0x630
+ ? rcu_read_lock_sched_held+0x12/0x60
+ ? rcu_read_lock_sched_held+0x12/0x60
+ ? rcu_read_lock_sched_held+0x12/0x60
+ ? lock_release+0x1f0/0x2d0
+ btrfs_work_helper+0xf2/0x3e0
+ ? lock_release+0x1f0/0x2d0
+ ? finish_task_switch.isra.0+0xf9/0x3a0
+ process_one_work+0x270/0x5a0
+ worker_thread+0x55/0x3c0
+ ? process_one_work+0x5a0/0x5a0
+ kthread+0x174/0x1a0
+ ? set_kthread_struct+0x40/0x40
+ ret_from_fork+0x1f/0x30
+
+This happens because we're trying to read from a extent buffer page that
+is !PageUptodate. This happens because we will clear the page uptodate
+when we have an IO error, but we don't clear the extent buffer uptodate.
+If we do a read later and find this extent buffer we'll think its valid
+and not return an error, and then trip over this warning.
+
+Fix this by also clearing uptodate on the extent buffer when this
+happens, so that we get an error when we do a btrfs_search_slot() and
+find this block later.
+
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4285,6 +4285,12 @@ static void set_btree_ioerr(struct page
+ return;
+
+ /*
++ * A read may stumble upon this buffer later, make sure that it gets an
++ * error and knows there was an error.
++ */
++ clear_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags);
++
++ /*
+ * If we error out, we should add back the dirty_metadata_bytes
+ * to make it consistent.
+ */
--- /dev/null
+From 84c25448929942edacba905cecc0474e91114e7a Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Tue, 30 Nov 2021 12:40:21 +0900
+Subject: btrfs: fix re-dirty process of tree-log nodes
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 84c25448929942edacba905cecc0474e91114e7a upstream.
+
+There is a report of a transaction abort of -EAGAIN with the following
+script.
+
+ #!/bin/sh
+
+ for d in sda sdb; do
+ mkfs.btrfs -d single -m single -f /dev/\${d}
+ done
+
+ mount /dev/sda /mnt/test
+ mount /dev/sdb /mnt/scratch
+
+ for dir in test scratch; do
+ echo 3 >/proc/sys/vm/drop_caches
+ fio --directory=/mnt/\${dir} --name=fio.\${dir} --rw=read --size=50G --bs=64m \
+ --numjobs=$(nproc) --time_based --ramp_time=5 --runtime=480 \
+ --group_reporting |& tee /dev/shm/fio.\${dir}
+ echo 3 >/proc/sys/vm/drop_caches
+ done
+
+ for d in sda sdb; do
+ umount /dev/\${d}
+ done
+
+The stack trace is shown in below.
+
+ [3310.967991] BTRFS: error (device sda) in btrfs_commit_transaction:2341: errno=-11 unknown (Error while writing out transaction)
+ [3310.968060] BTRFS info (device sda): forced readonly
+ [3310.968064] BTRFS warning (device sda): Skipping commit of aborted transaction.
+ [3310.968065] ------------[ cut here ]------------
+ [3310.968066] BTRFS: Transaction aborted (error -11)
+ [3310.968074] WARNING: CPU: 14 PID: 1684 at fs/btrfs/transaction.c:1946 btrfs_commit_transaction.cold+0x209/0x2c8
+ [3310.968131] CPU: 14 PID: 1684 Comm: fio Not tainted 5.14.10-300.fc35.x86_64 #1
+ [3310.968135] Hardware name: DIAWAY Tartu/Tartu, BIOS V2.01.B10 04/08/2021
+ [3310.968137] RIP: 0010:btrfs_commit_transaction.cold+0x209/0x2c8
+ [3310.968144] RSP: 0018:ffffb284ce393e10 EFLAGS: 00010282
+ [3310.968147] RAX: 0000000000000026 RBX: ffff973f147b0f60 RCX: 0000000000000027
+ [3310.968149] RDX: ffff974ecf098a08 RSI: 0000000000000001 RDI: ffff974ecf098a00
+ [3310.968150] RBP: ffff973f147b0f08 R08: 0000000000000000 R09: ffffb284ce393c48
+ [3310.968151] R10: ffffb284ce393c40 R11: ffffffff84f47468 R12: ffff973f101bfc00
+ [3310.968153] R13: ffff971f20cf2000 R14: 00000000fffffff5 R15: ffff973f147b0e58
+ [3310.968154] FS: 00007efe65468740(0000) GS:ffff974ecf080000(0000) knlGS:0000000000000000
+ [3310.968157] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [3310.968158] CR2: 000055691bcbe260 CR3: 000000105cfa4001 CR4: 0000000000770ee0
+ [3310.968160] PKRU: 55555554
+ [3310.968161] Call Trace:
+ [3310.968167] ? dput+0xd4/0x300
+ [3310.968174] btrfs_sync_file+0x3f1/0x490
+ [3310.968180] __x64_sys_fsync+0x33/0x60
+ [3310.968185] do_syscall_64+0x3b/0x90
+ [3310.968190] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [3310.968194] RIP: 0033:0x7efe6557329b
+ [3310.968200] RSP: 002b:00007ffe0236ebc0 EFLAGS: 00000293 ORIG_RAX: 000000000000004a
+ [3310.968203] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efe6557329b
+ [3310.968204] RDX: 0000000000000000 RSI: 00007efe58d77010 RDI: 0000000000000006
+ [3310.968205] RBP: 0000000004000000 R08: 0000000000000000 R09: 00007efe58d77010
+ [3310.968207] R10: 0000000016cacc0c R11: 0000000000000293 R12: 00007efe5ce95980
+ [3310.968208] R13: 0000000000000000 R14: 00007efe6447c790 R15: 0000000c80000000
+ [3310.968212] ---[ end trace 1a346f4d3c0d96ba ]---
+ [3310.968214] BTRFS: error (device sda) in cleanup_transaction:1946: errno=-11 unknown
+
+The abort occurs because of a write hole while writing out freeing tree
+nodes of a tree-log tree. For zoned btrfs, we re-dirty a freed tree
+node to ensure btrfs can write the region and does not leave a hole on
+write on a zoned device. The current code fails to re-dirty a node
+when the tree-log tree's depth is greater or equal to 2. That leads to
+a transaction abort with -EAGAIN.
+
+Fix the issue by properly re-dirtying a node on walking up the tree.
+
+Fixes: d3575156f662 ("btrfs: zoned: redirty released extent buffers")
+CC: stable@vger.kernel.org # 5.12+
+Link: https://github.com/kdave/btrfs-progs/issues/415
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2879,6 +2879,8 @@ static noinline int walk_up_log_tree(str
+ path->nodes[*level]->len);
+ if (ret)
+ return ret;
++ btrfs_redirty_list_add(trans->transaction,
++ next);
+ } else {
+ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
+ clear_extent_buffer_dirty(next);
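Review bot: The added `btrfs_redirty_list_add(trans->transaction, next)` dereferences `trans` with no check of its own, while the call removed from `free_log_tree()` was guarded by `if (trans && log->node)`. The condition of the enclosing `if` is outside the hunk; the `else` branch that follows suggests it may be a test on `trans`, but that should be confirmed. The same applies to the call added in `walk_log_tree()` in the next hunk. If the branch is indeed `if (trans)`, a brief comment such as `/* zoned: re-dirty the freed node so the write pointer does not hit a hole */` would also explain why the call sits here.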
+@@ -2959,6 +2961,7 @@ static int walk_log_tree(struct btrfs_tr
+ next->start, next->len);
+ if (ret)
+ goto out;
++ btrfs_redirty_list_add(trans->transaction, next);
+ } else {
+ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
+ clear_extent_buffer_dirty(next);
+@@ -3412,8 +3415,6 @@ static void free_log_tree(struct btrfs_t
+ EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT);
+ extent_io_tree_release(&log->log_csum_range);
+
+- if (trans && log->node)
+- btrfs_redirty_list_add(trans->transaction, log->node);
+ btrfs_put_root(log);
+ }
+
--- /dev/null
+From da5e817d9d75422eaaa05490d0b9a5e328fc1a51 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Fri, 3 Dec 2021 02:55:33 -0800
+Subject: btrfs: free exchange changeset on failures
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit da5e817d9d75422eaaa05490d0b9a5e328fc1a51 upstream.
+
+Fstests runs on my VMs have show several kmemleak reports like the following.
+
+ unreferenced object 0xffff88811ae59080 (size 64):
+ comm "xfs_io", pid 12124, jiffies 4294987392 (age 6.368s)
+ hex dump (first 32 bytes):
+ 00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00 ................
+ 90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff ................
+ backtrace:
+ [<00000000ac0176d2>] ulist_add_merge+0x60/0x150 [btrfs]
+ [<0000000076e9f312>] set_state_bits+0x86/0xc0 [btrfs]
+ [<0000000014fe73d6>] set_extent_bit+0x270/0x690 [btrfs]
+ [<000000004f675208>] set_record_extent_bits+0x19/0x20 [btrfs]
+ [<00000000b96137b1>] qgroup_reserve_data+0x274/0x310 [btrfs]
+ [<0000000057e9dcbb>] btrfs_check_data_free_space+0x5c/0xa0 [btrfs]
+ [<0000000019c4511d>] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs]
+ [<000000006d37e007>] btrfs_dio_iomap_begin+0x415/0x970 [btrfs]
+ [<00000000fb8a74b8>] iomap_iter+0x161/0x1e0
+ [<0000000071dff6ff>] __iomap_dio_rw+0x1df/0x700
+ [<000000002567ba53>] iomap_dio_rw+0x5/0x20
+ [<0000000072e555f8>] btrfs_file_write_iter+0x290/0x530 [btrfs]
+ [<000000005eb3d845>] new_sync_write+0x106/0x180
+ [<000000003fb505bf>] vfs_write+0x24d/0x2f0
+ [<000000009bb57d37>] __x64_sys_pwrite64+0x69/0xa0
+ [<000000003eba3fdf>] do_syscall_64+0x43/0x90
+
+In case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata()
+fail the allocated extent_changeset will not be freed.
+
+So in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space()
+free the allocated extent_changeset to get rid of the allocated memory.
+
+The issue currently only happens in the direct IO write path, but only
+after 65b3c08606e5 ("btrfs: fix ENOSPC failure when attempting direct IO
+write into NOCOW range"), and also at defrag_one_locked_target(). Every
+other place is always calling extent_changeset_free() even if its call
+to btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has
+failed.
+
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/delalloc-space.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/delalloc-space.c
++++ b/fs/btrfs/delalloc-space.c
+@@ -143,10 +143,13 @@ int btrfs_check_data_free_space(struct b
+
+ /* Use new btrfs_qgroup_reserve_data to reserve precious data space. */
+ ret = btrfs_qgroup_reserve_data(inode, reserved, start, len);
+- if (ret < 0)
++ if (ret < 0) {
+ btrfs_free_reserved_data_space_noquota(fs_info, len);
+- else
++ extent_changeset_free(*reserved);
++ *reserved = NULL;
++ } else {
+ ret = 0;
++ }
+ return ret;
+ }
+
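Review bot: After this change a failing `btrfs_check_data_free_space()` frees `*reserved` and sets it to NULL, and `btrfs_delalloc_reserve_space()` does the same in the second hunk, but nothing in the code documents that ownership change. A caller that passed in an already allocated changeset, or that kept a copy of the pointer, would now hold a stale reference. I would state the contract in the function comments, e.g. `/* On failure *reserved is freed and set to NULL; callers must not reuse a saved copy. */`. This also relies on `extent_changeset_free()` accepting NULL, since the commit message says existing callers free unconditionally after a failure; that function is not shown here.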
+@@ -452,8 +455,11 @@ int btrfs_delalloc_reserve_space(struct
+ if (ret < 0)
+ return ret;
+ ret = btrfs_delalloc_reserve_metadata(inode, len);
+- if (ret < 0)
++ if (ret < 0) {
+ btrfs_free_reserved_data_space(inode, *reserved, start, len);
++ extent_changeset_free(*reserved);
++ *reserved = NULL;
++ }
+ return ret;
+ }
+
--- /dev/null
+From 8289ed9f93bef2762f9184e136d994734b16d997 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 1 Dec 2021 19:56:17 +0800
+Subject: btrfs: replace the BUG_ON in btrfs_del_root_ref with proper error handling
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 8289ed9f93bef2762f9184e136d994734b16d997 upstream.
+
+I hit the BUG_ON() with generic/475 test case, and to my surprise, all
+callers of btrfs_del_root_ref() are already aborting transaction, thus
+there is not need for such BUG_ON(), just go to @out label and caller
+will properly handle the error.
+
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/root-tree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -336,7 +336,8 @@ int btrfs_del_root_ref(struct btrfs_tran
+ key.offset = ref_id;
+ again:
+ ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1);
+- BUG_ON(ret < 0);
++ if (ret < 0)
++ goto out;
+ if (ret == 0) {
+ leaf = path->nodes[0];
+ ref = btrfs_item_ptr(leaf, path->slots[0],
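Review bot: The new `goto out` on `ret < 0` only propagates the failure if the `out` path returns `ret`, and both the label and the return statement are outside the hunk. If the function reports its status through a separate variable, the error has to be copied before the jump, e.g. `if (ret < 0) { err = ret; goto out; }`, where `err` is a placeholder for whatever that variable is called. Otherwise a failed `btrfs_search_slot()` would be reported as success, and the callers that the commit message relies on to abort the transaction would not do so.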
--- /dev/null
+From 51a08bdeca27988a17c87b87d8e64ffecbd2a172 Mon Sep 17 00:00:00 2001
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Tue, 7 Dec 2021 12:54:19 +0100
+Subject: cifs: Fix crash on unload of cifs_arc4.ko
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+commit 51a08bdeca27988a17c87b87d8e64ffecbd2a172 upstream.
+
+The exit function is wrongly placed in the __init section and this leads
+to a crash when the module is unloaded. Just remove both the init and
+exit functions since this module does not need them.
+
+Fixes: 71c02863246167b3d ("cifs: fork arc4 and create a separate module...")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Cc: stable@vger.kernel.org # 5.15
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smbfs_common/cifs_arc4.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+--- a/fs/smbfs_common/cifs_arc4.c
++++ b/fs/smbfs_common/cifs_arc4.c
+@@ -72,16 +72,3 @@ void cifs_arc4_crypt(struct arc4_ctx *ct
+ ctx->y = y;
+ }
+ EXPORT_SYMBOL_GPL(cifs_arc4_crypt);
+-
+-static int __init
+-init_smbfs_common(void)
+-{
+- return 0;
+-}
+-static void __init
+-exit_smbfs_common(void)
+-{
+-}
+-
+-module_init(init_smbfs_common)
+-module_exit(exit_smbfs_common)
--- /dev/null
+From 69002c8ce914ef0ae22a6ea14b43bb30b9a9a6a8 Mon Sep 17 00:00:00 2001
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+Date: Fri, 12 Nov 2021 17:54:46 +0300
+Subject: scsi: qla2xxx: Format log strings only if needed
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+commit 69002c8ce914ef0ae22a6ea14b43bb30b9a9a6a8 upstream.
+
+Commit 598a90f2002c ("scsi: qla2xxx: add ring buffer for tracing debug
+logs") introduced unconditional log string formatting to ql_dbg() even if
+ql_dbg_log event is disabled. It harms performance because some strings are
+formatted in fastpath and/or interrupt context.
+
+Link: https://lore.kernel.org/r/20211112145446.51210-1-r.bolshakov@yadro.com
+Fixes: 598a90f2002c ("scsi: qla2xxx: add ring buffer for tracing debug logs")
+Cc: Rajan Shanmugavelu <rajan.shanmugavelu@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_dbg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_dbg.c
++++ b/drivers/scsi/qla2xxx/qla_dbg.c
+@@ -2491,6 +2491,9 @@ ql_dbg(uint level, scsi_qla_host_t *vha,
+ struct va_format vaf;
+ char pbuf[64];
+
++ if (!ql_mask_match(level) && !trace_ql_dbg_log_enabled())
++ return;
++
+ va_start(va, fmt);
+
+ vaf.fmt = fmt;
mm-damon-core-fix-fake-load-reports-due-to-uninterruptible-sleeps.patch
mm-slub-fix-endianness-bug-for-alloc-free_traces-attributes.patch
mm-bdi-initialize-bdi_min_ratio-when-bdi-is-unregistered.patch
+alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch
+alsa-hda-realtek-add-headset-mic-support-for-lenovo-alc897-platform.patch
+alsa-hda-realtek-fix-quirk-for-tongfang-phxtxx1.patch
+alsa-pcm-oss-fix-negative-period-buffer-sizes.patch
+alsa-pcm-oss-limit-the-period-size-to-16mb.patch
+alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch
+cifs-fix-crash-on-unload-of-cifs_arc4.ko.patch
+scsi-qla2xxx-format-log-strings-only-if-needed.patch
+btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch
+btrfs-fix-re-dirty-process-of-tree-log-nodes.patch
+btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch
+btrfs-free-exchange-changeset-on-failures.patch