6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 26 May 2024 13:54:45 +0000 (15:54 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 26 May 2024 13:54:45 +0000 (15:54 +0200)
added patches:
alsa-core-fix-null-module-pointer-assignment-at-card-init.patch
alsa-fix-deadlocks-with-kctl-removals-at-disconnection.patch
alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-440-460-g11.patch
alsa-timer-set-lower-bound-of-start-tick-time.patch
fs-ntfs3-break-dir-enumeration-if-directory-contents-error.patch
fs-ntfs3-fix-case-when-index-is-reused-during-tree-transformation.patch
fs-ntfs3-remove-max-link-count-info-display-during-driver-init.patch
fs-ntfs3-taking-dos-names-into-account-during-link-counting.patch
keys-asymmetric-add-missing-dependencies-of-fips_signature_selftest.patch
ksmbd-avoid-to-send-duplicate-oplock-break-notifications.patch
ksmbd-ignore-trailing-slashes-in-share-paths.patch
nilfs2-fix-potential-hang-in-nilfs_detach_log_writer.patch
nilfs2-fix-unexpected-freezing-of-nilfs_segctor_sync.patch

14 files changed:
queue-6.1/alsa-core-fix-null-module-pointer-assignment-at-card-init.patch [new file with mode: 0644]
queue-6.1/alsa-fix-deadlocks-with-kctl-removals-at-disconnection.patch [new file with mode: 0644]
queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-440-460-g11.patch [new file with mode: 0644]
queue-6.1/alsa-timer-set-lower-bound-of-start-tick-time.patch [new file with mode: 0644]
queue-6.1/fs-ntfs3-break-dir-enumeration-if-directory-contents-error.patch [new file with mode: 0644]
queue-6.1/fs-ntfs3-fix-case-when-index-is-reused-during-tree-transformation.patch [new file with mode: 0644]
queue-6.1/fs-ntfs3-remove-max-link-count-info-display-during-driver-init.patch [new file with mode: 0644]
queue-6.1/fs-ntfs3-taking-dos-names-into-account-during-link-counting.patch [new file with mode: 0644]
queue-6.1/keys-asymmetric-add-missing-dependencies-of-fips_signature_selftest.patch [new file with mode: 0644]
queue-6.1/ksmbd-avoid-to-send-duplicate-oplock-break-notifications.patch [new file with mode: 0644]
queue-6.1/ksmbd-ignore-trailing-slashes-in-share-paths.patch [new file with mode: 0644]
queue-6.1/nilfs2-fix-potential-hang-in-nilfs_detach_log_writer.patch [new file with mode: 0644]
queue-6.1/nilfs2-fix-unexpected-freezing-of-nilfs_segctor_sync.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/alsa-core-fix-null-module-pointer-assignment-at-card-init.patch b/queue-6.1/alsa-core-fix-null-module-pointer-assignment-at-card-init.patch
new file mode 100644 (file)
index 0000000..1bfa507
--- /dev/null
@@ -0,0 +1,56 @@
+From 39381fe7394e5eafac76e7e9367e7351138a29c1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 22 May 2024 09:04:39 +0200
+Subject: ALSA: core: Fix NULL module pointer assignment at card init
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 39381fe7394e5eafac76e7e9367e7351138a29c1 upstream.
+
+The commit 81033c6b584b ("ALSA: core: Warn on empty module")
+introduced a WARN_ON() for a NULL module pointer passed at snd_card
+object creation, and it also wraps the code around it with '#ifdef
+MODULE'.  This works in most cases, but the devils are always in
+details.  "MODULE" is defined when the target code (i.e. the sound
+core) is built as a module; but this doesn't mean that the caller is
+also built-in or not.  Namely, when only the sound core is built-in
+(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),
+the passed module pointer is ignored even if it's non-NULL, and
+card->module remains as NULL.  This would result in the missing module
+reference up/down at the device open/close, leading to a race with the
+code execution after the module removal.
+
+For addressing the bug, move the assignment of card->module again out
+of ifdef.  The WARN_ON() is still wrapped with ifdef because the
+module can be really NULL when all sound drivers are built-in.
+
+Note that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would
+lead to a false-positive NULL module check.  Admittedly it won't catch
+perfectly, i.e. no check is performed when CONFIG_SND=y.  But, it's no
+real problem as it's only for debugging, and the condition is pretty
+rare.
+
+Fixes: 81033c6b584b ("ALSA: core: Warn on empty module")
+Reported-by: Xu Yang <xu.yang_2@nxp.com>
+Closes: https://lore.kernel.org/r/20240520170349.2417900-1-xu.yang_2@nxp.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Tested-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20240522070442.17786-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/init.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/init.c
++++ b/sound/core/init.c
+@@ -307,8 +307,8 @@ static int snd_card_init(struct snd_card
+       card->number = idx;
+ #ifdef MODULE
+       WARN_ON(!module);
+-      card->module = module;
+ #endif
++      card->module = module;
+       INIT_LIST_HEAD(&card->devices);
+       init_rwsem(&card->controls_rwsem);
+       rwlock_init(&card->ctl_files_rwlock);
diff --git a/queue-6.1/alsa-fix-deadlocks-with-kctl-removals-at-disconnection.patch b/queue-6.1/alsa-fix-deadlocks-with-kctl-removals-at-disconnection.patch
new file mode 100644 (file)
index 0000000..4e48f5a
--- /dev/null
@@ -0,0 +1,66 @@
+From 87988a534d8e12f2e6fc01fe63e6c1925dc5307c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 10 May 2024 12:14:23 +0200
+Subject: ALSA: Fix deadlocks with kctl removals at disconnection
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 87988a534d8e12f2e6fc01fe63e6c1925dc5307c upstream.
+
+In snd_card_disconnect(), we set card->shutdown flag at the beginning,
+call callbacks and do sync for card->power_ref_sleep waiters at the
+end.  The callback may delete a kctl element, and this can lead to a
+deadlock when the device was in the suspended state.  Namely:
+
+* A process waits for the power up at snd_power_ref_and_wait() in
+  snd_ctl_info() or read/write() inside card->controls_rwsem.
+
+* The system gets disconnected meanwhile, and the driver tries to
+  delete a kctl via snd_ctl_remove*(); it tries to take
+  card->controls_rwsem again, but this is already locked by the
+  above.  Since the sleeper isn't woken up, this deadlocks.
+
+An easy fix is to wake up sleepers before processing the driver
+disconnect callbacks but right after setting the card->shutdown flag.
+Then all sleepers will abort immediately, and the code flows again.
+
+So, basically this patch moves the wait_event() call at the right
+timing.  While we're at it, just to be sure, call wait_event_all()
+instead of wait_event(), although we don't use exclusive events on
+this queue for now.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218816
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Link: https://lore.kernel.org/r/20240510101424.6279-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/init.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/core/init.c
++++ b/sound/core/init.c
+@@ -518,6 +518,14 @@ int snd_card_disconnect(struct snd_card
+       }
+       spin_unlock(&card->files_lock); 
++#ifdef CONFIG_PM
++      /* wake up sleepers here before other callbacks for avoiding potential
++       * deadlocks with other locks (e.g. in kctls);
++       * then this notifies the shutdown and sleepers would abort immediately
++       */
++      wake_up_all(&card->power_sleep);
++#endif
++
+       /* notify all connected devices about disconnection */
+       /* at this point, they cannot respond to any calls except release() */
+@@ -545,7 +553,6 @@ int snd_card_disconnect(struct snd_card
+       mutex_unlock(&snd_card_mutex);
+ #ifdef CONFIG_PM
+-      wake_up(&card->power_sleep);
+       snd_power_sync_ref(card);
+ #endif
+       return 0;       
diff --git a/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-440-460-g11.patch b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-440-460-g11.patch
new file mode 100644 (file)
index 0000000..29de010
--- /dev/null
@@ -0,0 +1,35 @@
+From b3b6f125da2773cbc681316842afba63ca9869aa Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Thu, 23 May 2024 14:18:31 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 440/460 G11.
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit b3b6f125da2773cbc681316842afba63ca9869aa upstream.
+
+HP ProBook 440/460 G11 needs ALC236_FIXUP_HP_GPIO_LED quirk to
+make mic-mute/audio-mute working.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20240523061832.607500-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9793,8 +9793,11 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x103c, 0x8c70, "HP EliteBook 835 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8c71, "HP EliteBook 845 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8c72, "HP EliteBook 865 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
++      SND_PCI_QUIRK(0x103c, 0x8c89, "HP ProBook 460 G11", ALC236_FIXUP_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8c8a, "HP EliteBook 630", ALC236_FIXUP_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8c8c, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED),
++      SND_PCI_QUIRK(0x103c, 0x8c8d, "HP ProBook 440 G11", ALC236_FIXUP_HP_GPIO_LED),
++      SND_PCI_QUIRK(0x103c, 0x8c8e, "HP ProBook 460 G11", ALC236_FIXUP_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8c90, "HP EliteBook 640", ALC236_FIXUP_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8c91, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8c96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
diff --git a/queue-6.1/alsa-timer-set-lower-bound-of-start-tick-time.patch b/queue-6.1/alsa-timer-set-lower-bound-of-start-tick-time.patch
new file mode 100644 (file)
index 0000000..b3dd8f1
--- /dev/null
@@ -0,0 +1,47 @@
+From 4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 14 May 2024 20:27:36 +0200
+Subject: ALSA: timer: Set lower bound of start tick time
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e upstream.
+
+Currently ALSA timer doesn't have the lower limit of the start tick
+time, and it allows a very small size, e.g. 1 tick with 1ns resolution
+for hrtimer.  Such a situation may lead to an unexpected RCU stall,
+where  the callback repeatedly queuing the expire update, as reported
+by fuzzer.
+
+This patch introduces a sanity check of the timer start tick time, so
+that the system returns an error when a too small start size is set.
+As of this patch, the lower limit is hard-coded to 100us, which is
+small enough but can still work somehow.
+
+Reported-by: syzbot+43120c2af6ca2938cc38@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/000000000000fa00a1061740ab6d@google.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20240514182745.4015-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -553,6 +553,14 @@ static int snd_timer_start1(struct snd_t
+               goto unlock;
+       }
++      /* check the actual time for the start tick;
++       * bail out as error if it's way too low (< 100us)
++       */
++      if (start) {
++              if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000)
++                      return -EINVAL;
++      }
++
+       if (start)
+               timeri->ticks = timeri->cticks = ticks;
+       else if (!timeri->cticks)
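Review bot: The added `return -EINVAL;` in snd_timer_start1() leaves the function directly, while the context line just above it exits through `goto unlock;`, which suggests a lock is held at this point. If so, the new error path returns with that lock still taken, and because it is reached with a caller-supplied tick count, a rejected request would become a hang instead of an error. The lock acquisition and the `unlock:` label are outside the hunk, so confirm this against the 6.1 tree; the bare return is only safe if the function uses scope-based locking there. The suggested form follows the other error paths: `result = -EINVAL; goto unlock;` (the return variable's name is not visible in the hunk and is assumed here).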
diff --git a/queue-6.1/fs-ntfs3-break-dir-enumeration-if-directory-contents-error.patch b/queue-6.1/fs-ntfs3-break-dir-enumeration-if-directory-contents-error.patch
new file mode 100644 (file)
index 0000000..b4d793c
--- /dev/null
@@ -0,0 +1,34 @@
+From 302e9dca8428979c9c99f2dbb44dc1783f5011c3 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Tue, 23 Apr 2024 17:21:58 +0300
+Subject: fs/ntfs3: Break dir enumeration if directory contents error
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 302e9dca8428979c9c99f2dbb44dc1783f5011c3 upstream.
+
+If we somehow attempt to read beyond the directory size, an error
+is supposed to be returned.
+
+However, in some cases, read requests do not stop and instead enter
+into a loop.
+
+To avoid this, we set the position in the directory to the end.
+
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/dir.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ntfs3/dir.c
++++ b/fs/ntfs3/dir.c
+@@ -475,6 +475,7 @@ static int ntfs_readdir(struct file *fil
+               vbo = (u64)bit << index_bits;
+               if (vbo >= i_size) {
+                       ntfs_inode_err(dir, "Looks like your dir is corrupt");
++                      ctx->pos = eod;
+                       err = -EINVAL;
+                       goto out;
+               }
diff --git a/queue-6.1/fs-ntfs3-fix-case-when-index-is-reused-during-tree-transformation.patch b/queue-6.1/fs-ntfs3-fix-case-when-index-is-reused-during-tree-transformation.patch
new file mode 100644 (file)
index 0000000..8c12020
--- /dev/null
@@ -0,0 +1,51 @@
+From 05afeeebcac850a016ec4fb1f681ceda11963562 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Tue, 23 Apr 2024 15:31:56 +0300
+Subject: fs/ntfs3: Fix case when index is reused during tree transformation
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 05afeeebcac850a016ec4fb1f681ceda11963562 upstream.
+
+In most cases when adding a cluster to the directory index,
+they are placed at the end, and in the bitmap, this cluster corresponds
+to the last bit. The new directory size is calculated as follows:
+
+       data_size = (u64)(bit + 1) << indx->index_bits;
+
+In the case of reusing a non-final cluster from the index,
+data_size is calculated incorrectly, resulting in the directory size
+differing from the actual size.
+
+A check for cluster reuse has been added, and the size update is skipped.
+
+Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/index.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ntfs3/index.c
++++ b/fs/ntfs3/index.c
+@@ -1531,6 +1531,11 @@ static int indx_add_allocate(struct ntfs
+               goto out1;
+       }
++      if (data_size <= le64_to_cpu(alloc->nres.data_size)) {
++              /* Reuse index. */
++              goto out;
++      }
++
+       /* Increase allocation. */
+       err = attr_set_size(ni, ATTR_ALLOC, in->name, in->name_len,
+                           &indx->alloc_run, data_size, &data_size, true,
+@@ -1541,6 +1546,7 @@ static int indx_add_allocate(struct ntfs
+               goto out1;
+       }
++out:
+       *vbn = bit << indx->idx2vbn_bits;
+       return 0;
diff --git a/queue-6.1/fs-ntfs3-remove-max-link-count-info-display-during-driver-init.patch b/queue-6.1/fs-ntfs3-remove-max-link-count-info-display-during-driver-init.patch
new file mode 100644 (file)
index 0000000..a96d2a6
--- /dev/null
@@ -0,0 +1,32 @@
+From a8948b5450e7c65a3a34ebf4ccfcebc19335d4fb Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Wed, 3 Apr 2024 10:08:04 +0300
+Subject: fs/ntfs3: Remove max link count info display during driver init
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit a8948b5450e7c65a3a34ebf4ccfcebc19335d4fb upstream.
+
+Removes the output of this purely informational message from the
+kernel buffer:
+
+       "ntfs3: Max link count 4000"
+
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/super.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ntfs3/super.c
++++ b/fs/ntfs3/super.c
+@@ -1453,8 +1453,6 @@ static int __init init_ntfs_fs(void)
+ {
+       int err;
+-      pr_info("ntfs3: Max link count %u\n", NTFS_LINK_MAX);
+-
+       if (IS_ENABLED(CONFIG_NTFS3_FS_POSIX_ACL))
+               pr_info("ntfs3: Enabled Linux POSIX ACLs support\n");
+       if (IS_ENABLED(CONFIG_NTFS3_64BIT_CLUSTER))
diff --git a/queue-6.1/fs-ntfs3-taking-dos-names-into-account-during-link-counting.patch b/queue-6.1/fs-ntfs3-taking-dos-names-into-account-during-link-counting.patch
new file mode 100644 (file)
index 0000000..42d7f87
--- /dev/null
@@ -0,0 +1,96 @@
+From 110b24eb1a749bea3440f3ca2ff890a26179050a Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Wed, 17 Apr 2024 10:33:06 +0300
+Subject: fs/ntfs3: Taking DOS names into account during link counting
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 110b24eb1a749bea3440f3ca2ff890a26179050a upstream.
+
+When counting and checking hard links in an ntfs file record,
+
+  struct MFT_REC {
+    struct NTFS_RECORD_HEADER rhdr; // 'FILE'
+    __le16 seq;                    // 0x10: Sequence number for this record.
+>>  __le16 hard_links; // 0x12: The number of hard links to record.
+    __le16 attr_off;   // 0x14: Offset to attributes.
+  ...
+
+the ntfs3 driver ignored short names (DOS names), causing the link count
+to be reduced by 1 and messages to be output to dmesg.
+
+For Windows, such a situation is a minor error, meaning chkdsk does not report
+errors on such a volume, and in the case of using the /f switch, it silently
+corrects them, reporting that no errors were found. This does not affect
+the consistency of the file system.
+
+Nevertheless, the behavior in the ntfs3 driver is incorrect and
+changes the content of the file system. This patch should fix that.
+
+PS: most likely, there has been a confusion of concepts
+MFT_REC::hard_links and inode::__i_nlink.
+
+Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/inode.c  |    7 ++++---
+ fs/ntfs3/record.c |   11 ++---------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -37,7 +37,7 @@ static struct inode *ntfs_read_mft(struc
+       bool is_dir;
+       unsigned long ino = inode->i_ino;
+       u32 rp_fa = 0, asize, t32;
+-      u16 roff, rsize, names = 0;
++      u16 roff, rsize, names = 0, links = 0;
+       const struct ATTR_FILE_NAME *fname = NULL;
+       const struct INDEX_ROOT *root;
+       struct REPARSE_DATA_BUFFER rp; // 0x18 bytes
+@@ -190,11 +190,12 @@ next_attr:
+                   rsize < SIZEOF_ATTRIBUTE_FILENAME)
+                       goto out;
++              names += 1;
+               fname = Add2Ptr(attr, roff);
+               if (fname->type == FILE_NAME_DOS)
+                       goto next_attr;
+-              names += 1;
++              links += 1;
+               if (name && name->len == fname->name_len &&
+                   !ntfs_cmp_names_cpu(name, (struct le_str *)&fname->name_len,
+                                       NULL, false))
+@@ -421,7 +422,7 @@ end_enum:
+               ni->mi.dirty = true;
+       }
+-      set_nlink(inode, names);
++      set_nlink(inode, links);
+       if (S_ISDIR(mode)) {
+               ni->std_fa |= FILE_ATTRIBUTE_DIRECTORY;
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -485,16 +485,9 @@ bool mi_remove_attr(struct ntfs_inode *n
+       if (aoff + asize > used)
+               return false;
+-      if (ni && is_attr_indexed(attr)) {
++      if (ni && is_attr_indexed(attr) && attr->type == ATTR_NAME) {
+               u16 links = le16_to_cpu(ni->mi.mrec->hard_links);
+-              struct ATTR_FILE_NAME *fname =
+-                      attr->type != ATTR_NAME ?
+-                              NULL :
+-                              resident_data_ex(attr,
+-                                               SIZEOF_ATTRIBUTE_FILENAME);
+-              if (fname && fname->type == FILE_NAME_DOS) {
+-                      /* Do not decrease links count deleting DOS name. */
+-              } else if (!links) {
++              if (!links) {
+                       /* minor error. Not critical. */
+               } else {
+                       ni->mi.mrec->hard_links = cpu_to_le16(links - 1);
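Review bot: In ntfs_read_mft() the two counters now mean different things and nothing in the code says so: `names` is incremented for every file-name attribute including DOS names, while `links` skips DOS names and is the value passed to `set_nlink()`. A comment at the declaration would keep them from being mixed up again, for example `/* names: all file-name attrs incl. DOS (on-disk hard_links); links: non-DOS only (i_nlink) */`. Where `names` is consumed is outside the hunk, so its pairing with the on-disk field is inferred from the commit description. The record.c change, which now decrements `hard_links` for every `ATTR_NAME` removal, is consistent with that reading.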
diff --git a/queue-6.1/keys-asymmetric-add-missing-dependencies-of-fips_signature_selftest.patch b/queue-6.1/keys-asymmetric-add-missing-dependencies-of-fips_signature_selftest.patch
new file mode 100644 (file)
index 0000000..f4ff63a
--- /dev/null
@@ -0,0 +1,37 @@
+From 9d2fd8bdc12f403a5c35c971936a0e1d5cb5108e Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 22 Apr 2024 14:10:41 -0700
+Subject: KEYS: asymmetric: Add missing dependencies of FIPS_SIGNATURE_SELFTEST
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 9d2fd8bdc12f403a5c35c971936a0e1d5cb5108e upstream.
+
+Since the signature self-test uses RSA and SHA-256, it must only be
+enabled when those algorithms are enabled.  Otherwise it fails and
+panics the kernel on boot-up.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202404221528.51d75177-lkp@intel.com
+Fixes: 3cde3174eb91 ("certs: Add FIPS selftests")
+Cc: stable@vger.kernel.org
+Cc: Simo Sorce <simo@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/asymmetric_keys/Kconfig |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/asymmetric_keys/Kconfig
++++ b/crypto/asymmetric_keys/Kconfig
+@@ -84,5 +84,7 @@ config FIPS_SIGNATURE_SELFTEST
+       depends on KEYS
+       depends on ASYMMETRIC_KEY_TYPE
+       depends on PKCS7_MESSAGE_PARSER
++      depends on CRYPTO_RSA
++      depends on CRYPTO_SHA256
+ endif # ASYMMETRIC_KEY_TYPE
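Review bot: The added `depends on CRYPTO_RSA` and `depends on CRYPTO_SHA256` lines may not fully prevent the self-test from running without its algorithms. The symbol's type line is outside the hunk; if FIPS_SIGNATURE_SELFTEST is a `bool` in this tree, a dependency on a tristate symbol is also satisfied by `=m`. A built-in self-test could then still run before a modular RSA or SHA-256 implementation is available and hit the boot-time panic the description mentions. If that applies, tighten the lines to `depends on CRYPTO_RSA=y` and `depends on CRYPTO_SHA256=y`, or confirm that the symbol is tristate here.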
diff --git a/queue-6.1/ksmbd-avoid-to-send-duplicate-oplock-break-notifications.patch b/queue-6.1/ksmbd-avoid-to-send-duplicate-oplock-break-notifications.patch
new file mode 100644 (file)
index 0000000..f95ecba
--- /dev/null
@@ -0,0 +1,58 @@
+From c91ecba9e421e4f2c9219cf5042fa63a12025310 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 9 May 2024 15:25:39 +0900
+Subject: ksmbd: avoid to send duplicate oplock break notifications
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit c91ecba9e421e4f2c9219cf5042fa63a12025310 upstream.
+
+This patch fixes generic/011 when oplocks is enable.
+
+Avoid to send duplicate oplock break notifications like smb2 leases
+case.
+
+Fixes: 97c2ec64667b ("ksmbd: avoid to send duplicate lease break notifications")
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/oplock.c |   21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -613,19 +613,24 @@ static int oplock_break_pending(struct o
+               if (opinfo->op_state == OPLOCK_CLOSING)
+                       return -ENOENT;
+               else if (opinfo->level <= req_op_level) {
+-                      if (opinfo->is_lease &&
+-                          opinfo->o_lease->state !=
+-                           (SMB2_LEASE_HANDLE_CACHING_LE |
+-                            SMB2_LEASE_READ_CACHING_LE))
++                      if (opinfo->is_lease == false)
++                              return 1;
++
++                      if (opinfo->o_lease->state !=
++                          (SMB2_LEASE_HANDLE_CACHING_LE |
++                           SMB2_LEASE_READ_CACHING_LE))
+                               return 1;
+               }
+       }
+       if (opinfo->level <= req_op_level) {
+-              if (opinfo->is_lease &&
+-                  opinfo->o_lease->state !=
+-                   (SMB2_LEASE_HANDLE_CACHING_LE |
+-                    SMB2_LEASE_READ_CACHING_LE)) {
++              if (opinfo->is_lease == false) {
++                      wake_up_oplock_break(opinfo);
++                      return 1;
++              }
++              if (opinfo->o_lease->state !=
++                  (SMB2_LEASE_HANDLE_CACHING_LE |
++                   SMB2_LEASE_READ_CACHING_LE)) {
+                       wake_up_oplock_break(opinfo);
+                       return 1;
+               }
diff --git a/queue-6.1/ksmbd-ignore-trailing-slashes-in-share-paths.patch b/queue-6.1/ksmbd-ignore-trailing-slashes-in-share-paths.patch
new file mode 100644 (file)
index 0000000..2c2aae3
--- /dev/null
@@ -0,0 +1,38 @@
+From 405ee4097c4bc3e70556520aed5ba52a511c2266 Mon Sep 17 00:00:00 2001
+From: Nandor Kracser <bonifaido@gmail.com>
+Date: Tue, 21 May 2024 22:56:17 +0900
+Subject: ksmbd: ignore trailing slashes in share paths
+
+From: Nandor Kracser <bonifaido@gmail.com>
+
+commit 405ee4097c4bc3e70556520aed5ba52a511c2266 upstream.
+
+Trailing slashes in share paths (like: /home/me/Share/) caused permission
+issues with shares for clients on iOS and on Android TV for me,
+but otherwise they work fine with plain old Samba.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/mgmt/share_config.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/mgmt/share_config.c
++++ b/fs/smb/server/mgmt/share_config.c
+@@ -165,8 +165,12 @@ static struct ksmbd_share_config *share_
+               share->path = kstrndup(ksmbd_share_config_path(resp), path_len,
+                                     GFP_KERNEL);
+-              if (share->path)
++              if (share->path) {
+                       share->path_sz = strlen(share->path);
++                      while (share->path_sz > 1 &&
++                             share->path[share->path_sz - 1] == '/')
++                              share->path[--share->path_sz] = '\0';
++              }
+               share->create_mask = resp->create_mask;
+               share->directory_mask = resp->directory_mask;
+               share->force_create_mode = resp->force_create_mode;
diff --git a/queue-6.1/nilfs2-fix-potential-hang-in-nilfs_detach_log_writer.patch b/queue-6.1/nilfs2-fix-potential-hang-in-nilfs_detach_log_writer.patch
new file mode 100644 (file)
index 0000000..d7c93d6
--- /dev/null
@@ -0,0 +1,110 @@
+From eb85dace897c5986bc2f36b3c783c6abb8a4292e Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Mon, 20 May 2024 22:26:21 +0900
+Subject: nilfs2: fix potential hang in nilfs_detach_log_writer()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit eb85dace897c5986bc2f36b3c783c6abb8a4292e upstream.
+
+Syzbot has reported a potential hang in nilfs_detach_log_writer() called
+during nilfs2 unmount.
+
+Analysis revealed that this is because nilfs_segctor_sync(), which
+synchronizes with the log writer thread, can be called after
+nilfs_segctor_destroy() terminates that thread, as shown in the call trace
+below:
+
+nilfs_detach_log_writer
+  nilfs_segctor_destroy
+    nilfs_segctor_kill_thread  --> Shut down log writer thread
+    flush_work
+      nilfs_iput_work_func
+        nilfs_dispose_list
+          iput
+            nilfs_evict_inode
+              nilfs_transaction_commit
+                nilfs_construct_segment (if inode needs sync)
+                  nilfs_segctor_sync  --> Attempt to synchronize with
+                                          log writer thread
+                           *** DEADLOCK ***
+
+Fix this issue by changing nilfs_segctor_sync() so that the log writer
+thread returns normally without synchronizing after it terminates, and by
+forcing tasks that are already waiting to complete once after the thread
+terminates.
+
+The skipped inode metadata flushout will then be processed together in the
+subsequent cleanup work in nilfs_segctor_destroy().
+
+Link: https://lkml.kernel.org/r/20240520132621.4054-4-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+e3973c409251e136fdd0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e3973c409251e136fdd0
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Cc: "Bai, Shuangpeng" <sjb7183@psu.edu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/segment.c |   21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -2229,6 +2229,14 @@ static int nilfs_segctor_sync(struct nil
+       for (;;) {
+               set_current_state(TASK_INTERRUPTIBLE);
++              /*
++               * Synchronize only while the log writer thread is alive.
++               * Leave flushing out after the log writer thread exits to
++               * the cleanup work in nilfs_segctor_destroy().
++               */
++              if (!sci->sc_task)
++                      break;
++
+               if (atomic_read(&wait_req.done)) {
+                       err = wait_req.err;
+                       break;
+@@ -2244,7 +2252,7 @@ static int nilfs_segctor_sync(struct nil
+       return err;
+ }
+-static void nilfs_segctor_wakeup(struct nilfs_sc_info *sci, int err)
++static void nilfs_segctor_wakeup(struct nilfs_sc_info *sci, int err, bool force)
+ {
+       struct nilfs_segctor_wait_request *wrq, *n;
+       unsigned long flags;
+@@ -2252,7 +2260,7 @@ static void nilfs_segctor_wakeup(struct
+       spin_lock_irqsave(&sci->sc_wait_request.lock, flags);
+       list_for_each_entry_safe(wrq, n, &sci->sc_wait_request.head, wq.entry) {
+               if (!atomic_read(&wrq->done) &&
+-                  nilfs_cnt32_ge(sci->sc_seq_done, wrq->seq)) {
++                  (force || nilfs_cnt32_ge(sci->sc_seq_done, wrq->seq))) {
+                       wrq->err = err;
+                       atomic_set(&wrq->done, 1);
+               }
+@@ -2390,7 +2398,7 @@ static void nilfs_segctor_notify(struct
+       if (mode == SC_LSEG_SR) {
+               sci->sc_state &= ~NILFS_SEGCTOR_COMMIT;
+               sci->sc_seq_done = sci->sc_seq_accepted;
+-              nilfs_segctor_wakeup(sci, err);
++              nilfs_segctor_wakeup(sci, err, false);
+               sci->sc_flush_request = 0;
+       } else {
+               if (mode == SC_FLUSH_FILE)
+@@ -2772,6 +2780,13 @@ static void nilfs_segctor_destroy(struct
+               || sci->sc_seq_request != sci->sc_seq_done);
+       spin_unlock(&sci->sc_state_lock);
++      /*
++       * Forcibly wake up tasks waiting in nilfs_segctor_sync(), which can
++       * be called from delayed iput() via nilfs_evict_inode() and can race
++       * with the above log writer thread termination.
++       */
++      nilfs_segctor_wakeup(sci, 0, true);
++
+       if (flush_work(&sci->sc_iput_work))
+               flag = true;
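Review bot: The new exit test `if (!sci->sc_task)` in the wait loop of nilfs_segctor_sync() is a plain read of a field that the thread teardown path clears, and the hunk does not show whether that store is made under a lock the waiter also takes. A short comment naming what orders this read against the teardown would make the assumption checkable, or use `READ_ONCE(sci->sc_task)` if the read is intentionally lockless. Separately, the forced call `nilfs_segctor_wakeup(sci, 0, true)` completes every pending waiter with `err` 0 although no sync was performed for them. The new `force` parameter should be documented at the function to say that callers rely on the later cleanup in nilfs_segctor_destroy(). Both nilfs_segctor_sync() and nilfs_segctor_destroy() extend beyond the hunk.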
diff --git a/queue-6.1/nilfs2-fix-unexpected-freezing-of-nilfs_segctor_sync.patch b/queue-6.1/nilfs2-fix-unexpected-freezing-of-nilfs_segctor_sync.patch
new file mode 100644 (file)
index 0000000..e261a6e
--- /dev/null
@@ -0,0 +1,82 @@
+From 936184eadd82906992ff1f5ab3aada70cce44cee Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Mon, 20 May 2024 22:26:20 +0900
+Subject: nilfs2: fix unexpected freezing of nilfs_segctor_sync()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 936184eadd82906992ff1f5ab3aada70cce44cee upstream.
+
+A potential and reproducible race issue has been identified where
+nilfs_segctor_sync() would block even after the log writer thread writes a
+checkpoint, unless there is an interrupt or other trigger to resume log
+writing.
+
+This turned out to be because, depending on the execution timing of the
+log writer thread running in parallel, the log writer thread may skip
+responding to nilfs_segctor_sync(), which causes a call to schedule()
+waiting for completion within nilfs_segctor_sync() to lose the opportunity
+to wake up.
+
+The reason why waking up the task waiting in nilfs_segctor_sync() may be
+skipped is that updating the request generation issued using a shared
+sequence counter and adding an wait queue entry to the request wait queue
+to the log writer, are not done atomically.  There is a possibility that
+log writing and request completion notification by nilfs_segctor_wakeup()
+may occur between the two operations, and in that case, the wait queue
+entry is not yet visible to nilfs_segctor_wakeup() and the wake-up of
+nilfs_segctor_sync() will be carried over until the next request occurs.
+
+Fix this issue by performing these two operations simultaneously within
+the lock section of sc_state_lock.  Also, following the memory barrier
+guidelines for event waiting loops, move the call to set_current_state()
+in the same location into the event waiting loop to ensure that a memory
+barrier is inserted just before the event condition determination.
+
+Link: https://lkml.kernel.org/r/20240520132621.4054-3-konishi.ryusuke@gmail.com
+Fixes: 9ff05123e3bf ("nilfs2: segment constructor")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Cc: "Bai, Shuangpeng" <sjb7183@psu.edu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/segment.c |   17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -2207,19 +2207,28 @@ static int nilfs_segctor_sync(struct nil
+       struct nilfs_segctor_wait_request wait_req;
+       int err = 0;
+-      spin_lock(&sci->sc_state_lock);
+       init_wait(&wait_req.wq);
+       wait_req.err = 0;
+       atomic_set(&wait_req.done, 0);
++      init_waitqueue_entry(&wait_req.wq, current);
++
++      /*
++       * To prevent a race issue where completion notifications from the
++       * log writer thread are missed, increment the request sequence count
++       * "sc_seq_request" and insert a wait queue entry using the current
++       * sequence number into the "sc_wait_request" queue at the same time
++       * within the lock section of "sc_state_lock".
++       */
++      spin_lock(&sci->sc_state_lock);
+       wait_req.seq = ++sci->sc_seq_request;
++      add_wait_queue(&sci->sc_wait_request, &wait_req.wq);
+       spin_unlock(&sci->sc_state_lock);
+-      init_waitqueue_entry(&wait_req.wq, current);
+-      add_wait_queue(&sci->sc_wait_request, &wait_req.wq);
+-      set_current_state(TASK_INTERRUPTIBLE);
+       wake_up(&sci->sc_wait_daemon);
+       for (;;) {
++              set_current_state(TASK_INTERRUPTIBLE);
++
+               if (atomic_read(&wait_req.done)) {
+                       err = wait_req.err;
+                       break;
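Review bot: The new comment in nilfs_segctor_sync() explains why the sequence increment and the queue insertion happen together, but it does not record that `add_wait_queue()` now runs with `sc_state_lock` held, so the wait queue's own lock is nested inside it. nilfs_segctor_wakeup(), visible in the companion patch on this page, takes `sc_wait_request.lock` with `spin_lock_irqsave()`, so a later change that acquires `sc_state_lock` while holding that lock would presumably deadlock. I would extend the comment with one line such as `Lock order: sc_state_lock, then sc_wait_request.lock (taken inside add_wait_queue()).` The back-to-back `init_wait()` and `init_waitqueue_entry()` calls on the same entry would also benefit from a short comment saying which fields the second call is meant to override. The function's wait loop continues past the end of this hunk.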
index 6e339878ed9c00fafb9c8a1238312e989efde26a..bd48397a520d562695323abf0e9062fd101436fc 100644 (file)
@@ -10,3 +10,16 @@ ring-buffer-fix-a-race-between-readers-and-resize-checks.patch
 tools-latency-collector-fix-wformat-security-compile-warns.patch
 tools-nolibc-stdlib-fix-memory-error-in-realloc.patch
 net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch
+nilfs2-fix-unexpected-freezing-of-nilfs_segctor_sync.patch
+nilfs2-fix-potential-hang-in-nilfs_detach_log_writer.patch
+fs-ntfs3-remove-max-link-count-info-display-during-driver-init.patch
+fs-ntfs3-taking-dos-names-into-account-during-link-counting.patch
+fs-ntfs3-fix-case-when-index-is-reused-during-tree-transformation.patch
+fs-ntfs3-break-dir-enumeration-if-directory-contents-error.patch
+ksmbd-avoid-to-send-duplicate-oplock-break-notifications.patch
+ksmbd-ignore-trailing-slashes-in-share-paths.patch
+alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-440-460-g11.patch
+alsa-core-fix-null-module-pointer-assignment-at-card-init.patch
+alsa-timer-set-lower-bound-of-start-tick-time.patch
+alsa-fix-deadlocks-with-kctl-removals-at-disconnection.patch
+keys-asymmetric-add-missing-dependencies-of-fips_signature_selftest.patch