From e0eda7c59aaf0a4dae879cdde4eceb17d68c02fd Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 24 Nov 2023 12:33:39 +0000 Subject: [PATCH] 6.5-stable patches added patches: alsa-hda-realtek-add-dell-alc295-to-pin-fall-back-table.patch alsa-hda-realtek-add-quirks-for-hp-laptops.patch alsa-hda-realtek-enable-internal-speaker-of-asus-k6500zc.patch alsa-hda-realtek-enable-mute-led-on-hp-255-g10.patch alsa-hda-realtek-enable-mute-led-on-hp-255-g8.patch alsa-info-fix-potential-deadlock-at-disconnection.patch btrfs-zoned-wait-for-data-bg-to-be-finished-on-direct-io-allocation.patch cifs-do-not-reset-chan_max-if-multichannel-is-not-supported-at-mount.patch cifs-fix-encryption-of-cleared-but-unset-rq_iter-data-buffers.patch cifs-force-interface-update-before-a-fresh-session-setup.patch cifs-reconnect-helper-should-set-reconnect-for-the-right-channel.patch fs-add-ctime-accessors-infrastructure.patch smb-client-fix-potential-deadlock-when-releasing-mids.patch smb-client-fix-use-after-free-bug-in-cifs_debug_data_proc_show.patch smb-client-fix-use-after-free-in-smb2_query_info_compound.patch smb3-allow-dumping-session-and-tcon-id-to-improve-stats-analysis-and-debugging.patch smb3-fix-caching-of-ctime-on-setxattr.patch smb3-fix-creating-fifos-when-mounting-with-sfu-mount-option.patch smb3-fix-touch-h-of-symlink.patch xfs-recovery-should-not-clear-di_flushiter-unconditionally.patch --- ...d-dell-alc295-to-pin-fall-back-table.patch | 61 ++++ ...da-realtek-add-quirks-for-hp-laptops.patch | 33 ++ ...ble-internal-speaker-of-asus-k6500zc.patch | 31 ++ ...ealtek-enable-mute-led-on-hp-255-g10.patch | 32 ++ ...realtek-enable-mute-led-on-hp-255-g8.patch | 32 ++ ...-potential-deadlock-at-disconnection.patch | 121 ++++++++ ...-be-finished-on-direct-io-allocation.patch | 60 ++++ ...ltichannel-is-not-supported-at-mount.patch | 38 +++ ...eared-but-unset-rq_iter-data-buffers.patch | 115 +++++++ ...-update-before-a-fresh-session-setup.patch | 40 +++ ...-set-reconnect-for-the-right-channel.patch | 47 +++ ...s-add-ctime-accessors-infrastructure.patch | 108 +++++++ queue-6.5/series | 20 ++ ...tential-deadlock-when-releasing-mids.patch | 97 ++++++ ...ree-bug-in-cifs_debug_data_proc_show.patch | 67 +++++ ...ter-free-in-smb2_query_info_compound.patch | 282 ++++++++++++++++++ ...improve-stats-analysis-and-debugging.patch | 95 ++++++ ...mb3-fix-caching-of-ctime-on-setxattr.patch | 38 +++ ...-when-mounting-with-sfu-mount-option.patch | 81 +++++ queue-6.5/smb3-fix-touch-h-of-symlink.patch | 35 +++ ...t-clear-di_flushiter-unconditionally.patch | 80 +++++ 21 files changed, 1513 insertions(+) create mode 100644 queue-6.5/alsa-hda-realtek-add-dell-alc295-to-pin-fall-back-table.patch create mode 100644 queue-6.5/alsa-hda-realtek-add-quirks-for-hp-laptops.patch create mode 100644 queue-6.5/alsa-hda-realtek-enable-internal-speaker-of-asus-k6500zc.patch create mode 100644 queue-6.5/alsa-hda-realtek-enable-mute-led-on-hp-255-g10.patch create mode 100644 queue-6.5/alsa-hda-realtek-enable-mute-led-on-hp-255-g8.patch create mode 100644 queue-6.5/alsa-info-fix-potential-deadlock-at-disconnection.patch create mode 100644 queue-6.5/btrfs-zoned-wait-for-data-bg-to-be-finished-on-direct-io-allocation.patch create mode 100644 queue-6.5/cifs-do-not-reset-chan_max-if-multichannel-is-not-supported-at-mount.patch create mode 100644 queue-6.5/cifs-fix-encryption-of-cleared-but-unset-rq_iter-data-buffers.patch create mode 100644 queue-6.5/cifs-force-interface-update-before-a-fresh-session-setup.patch create mode 100644 queue-6.5/cifs-reconnect-helper-should-set-reconnect-for-the-right-channel.patch create mode 100644 queue-6.5/fs-add-ctime-accessors-infrastructure.patch create mode 100644 queue-6.5/smb-client-fix-potential-deadlock-when-releasing-mids.patch create mode 100644 queue-6.5/smb-client-fix-use-after-free-bug-in-cifs_debug_data_proc_show.patch create mode 100644 queue-6.5/smb-client-fix-use-after-free-in-smb2_query_info_compound.patch create mode 100644 queue-6.5/smb3-allow-dumping-session-and-tcon-id-to-improve-stats-analysis-and-debugging.patch create mode 100644 queue-6.5/smb3-fix-caching-of-ctime-on-setxattr.patch create mode 100644 queue-6.5/smb3-fix-creating-fifos-when-mounting-with-sfu-mount-option.patch create mode 100644 queue-6.5/smb3-fix-touch-h-of-symlink.patch create mode 100644 queue-6.5/xfs-recovery-should-not-clear-di_flushiter-unconditionally.patch diff --git a/queue-6.5/alsa-hda-realtek-add-dell-alc295-to-pin-fall-back-table.patch b/queue-6.5/alsa-hda-realtek-add-dell-alc295-to-pin-fall-back-table.patch new file mode 100644 index 00000000000..37e2c5fb105 --- /dev/null +++ b/queue-6.5/alsa-hda-realtek-add-dell-alc295-to-pin-fall-back-table.patch @@ -0,0 +1,61 @@ +From 4b21a669ca21ed8f24ef4530b2918be5730114de Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 10 Nov 2023 15:16:06 +0800 +Subject: ALSA: hda/realtek - Add Dell ALC295 to pin fall back table + +From: Kailang Yang + +commit 4b21a669ca21ed8f24ef4530b2918be5730114de upstream. + +Add ALC295 to pin fall back table. +Remove 5 pin quirks for Dell ALC295. +ALC295 was only support MIC2 for external MIC function. +ALC295 assigned model "ALC269_FIXUP_DELL1_MIC_NO_PRESENCE" for pin +fall back table. +It was assigned wrong model. So, let's remove it. + +Fixes: fbc571290d9f ("ALSA: hda/realtek - Fixed Headphone Mic can't record on Dell platform") +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/7c1998e873834df98d59bd7e0d08c72e@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 19 +++---------------- + 1 file changed, 3 insertions(+), 16 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10641,22 +10641,6 @@ static const struct snd_hda_pin_quirk al + {0x12, 0x90a60130}, + {0x17, 0x90170110}, + {0x21, 0x03211020}), +- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, +- {0x14, 0x90170110}, +- {0x21, 0x04211020}), +- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, +- {0x14, 0x90170110}, +- {0x21, 0x04211030}), +- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, +- ALC295_STANDARD_PINS, +- {0x17, 0x21014020}, +- {0x18, 0x21a19030}), +- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, +- ALC295_STANDARD_PINS, +- {0x17, 0x21014040}, +- {0x18, 0x21a19050}), +- SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, +- ALC295_STANDARD_PINS), + SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC298_STANDARD_PINS, + {0x17, 0x90170110}), +@@ -10700,6 +10684,9 @@ static const struct snd_hda_pin_quirk al + SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, + {0x19, 0x40000000}, + {0x1b, 0x40000000}), ++ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, ++ {0x19, 0x40000000}, ++ {0x1b, 0x40000000}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + {0x19, 0x40000000}, + {0x1a, 0x40000000}), diff --git a/queue-6.5/alsa-hda-realtek-add-quirks-for-hp-laptops.patch b/queue-6.5/alsa-hda-realtek-add-quirks-for-hp-laptops.patch new file mode 100644 index 00000000000..cd6e95c935a --- /dev/null +++ b/queue-6.5/alsa-hda-realtek-add-quirks-for-hp-laptops.patch @@ -0,0 +1,33 @@ +From 5d639b60971f003d3a9b2b31f8ec73b0718b5d57 Mon Sep 17 00:00:00 2001 +From: Stefan Binding +Date: Wed, 15 Nov 2023 16:21:16 +0000 +Subject: ALSA: hda/realtek: Add quirks for HP Laptops + +From: Stefan Binding + +commit 5d639b60971f003d3a9b2b31f8ec73b0718b5d57 upstream. + +These HP laptops use Realtek HDA codec combined with 2 or 4 CS35L41 +Amplifiers using SPI with Internal Boost. + +Signed-off-by: Stefan Binding +Cc: +Link: https://lore.kernel.org/r/20231115162116.494968-3-sbinding@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9740,6 +9740,9 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8c70, "HP EliteBook 835 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c71, "HP EliteBook 845 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c72, "HP EliteBook 865 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8cf5, "HP ZBook Studio 16", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), diff --git a/queue-6.5/alsa-hda-realtek-enable-internal-speaker-of-asus-k6500zc.patch b/queue-6.5/alsa-hda-realtek-enable-internal-speaker-of-asus-k6500zc.patch new file mode 100644 index 00000000000..8c119a73a86 --- /dev/null +++ b/queue-6.5/alsa-hda-realtek-enable-internal-speaker-of-asus-k6500zc.patch @@ -0,0 +1,31 @@ +From 713f040cd22285fcc506f40a0d259566e6758c3c Mon Sep 17 00:00:00 2001 +From: Chandradeep Dey +Date: Sat, 11 Nov 2023 19:25:49 +0100 +Subject: ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC + +From: Chandradeep Dey + +commit 713f040cd22285fcc506f40a0d259566e6758c3c upstream. + +Apply the already existing quirk chain ALC294_FIXUP_ASUS_SPK to enable +the internal speaker of ASUS K6500ZC. + +Signed-off-by: Chandradeep Dey +Cc: +Link: https://lore.kernel.org/r/NizcVHQ--3-9@chandradeepdey.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9745,6 +9745,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x10a1, "ASUS UX391UA", ALC294_FIXUP_ASUS_SPK), + SND_PCI_QUIRK(0x1043, 0x10c0, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1043, 0x10d3, "ASUS K6500ZC", ALC294_FIXUP_ASUS_SPK), + SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), diff --git a/queue-6.5/alsa-hda-realtek-enable-mute-led-on-hp-255-g10.patch b/queue-6.5/alsa-hda-realtek-enable-mute-led-on-hp-255-g10.patch new file mode 100644 index 00000000000..cbb2e29fcbd --- /dev/null +++ b/queue-6.5/alsa-hda-realtek-enable-mute-led-on-hp-255-g10.patch @@ -0,0 +1,32 @@ +From b944aa9d86d5f782bfe5e51336434c960304839c Mon Sep 17 00:00:00 2001 +From: Matus Malych +Date: Tue, 14 Nov 2023 14:35:25 +0100 +Subject: ALSA: hda/realtek: Enable Mute LED on HP 255 G10 + +From: Matus Malych + +commit b944aa9d86d5f782bfe5e51336434c960304839c upstream. + +HP 255 G10 has a mute LED that can be made to work using quirk +ALC236_FIXUP_HP_MUTE_LED_COEFBIT2. +Enable already existing quirk - at correct line to keep order + +Signed-off-by: Matus Malych +Cc: +Link: https://lore.kernel.org/r/20231114133524.11340-1-matus@malych.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9706,6 +9706,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b2f, "HP 255 15.6 inch G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b43, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b44, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), diff --git a/queue-6.5/alsa-hda-realtek-enable-mute-led-on-hp-255-g8.patch b/queue-6.5/alsa-hda-realtek-enable-mute-led-on-hp-255-g8.patch new file mode 100644 index 00000000000..40a30774021 --- /dev/null +++ b/queue-6.5/alsa-hda-realtek-enable-mute-led-on-hp-255-g8.patch @@ -0,0 +1,32 @@ +From 8384c0baf223e1c3bc7b1c711d80a4c6106d210e Mon Sep 17 00:00:00 2001 +From: Eymen Yigit +Date: Fri, 10 Nov 2023 18:07:15 +0300 +Subject: ALSA: hda/realtek: Enable Mute LED on HP 255 G8 + +From: Eymen Yigit + +commit 8384c0baf223e1c3bc7b1c711d80a4c6106d210e upstream. + +This HP Notebook uses ALC236 codec with COEF 0x07 idx 1 controlling +the mute LED. Enable already existing quirk for this device. + +Signed-off-by: Eymen Yigit +Cc: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20231110150715.5141-1-eymenyg01@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9670,6 +9670,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8898, "HP EliteBook 845 G8 Notebook PC", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x103c, 0x88d0, "HP Pavilion 15-eh1xxx (mainboard 88D0)", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8902, "HP OMEN 16", ALC285_FIXUP_HP_MUTE_LED), ++ SND_PCI_QUIRK(0x103c, 0x890e, "HP 255 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8919, "HP Pavilion Aero Laptop 13-be0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x896d, "HP ZBook Firefly 16 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x896e, "HP EliteBook x360 830 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), diff --git a/queue-6.5/alsa-info-fix-potential-deadlock-at-disconnection.patch b/queue-6.5/alsa-info-fix-potential-deadlock-at-disconnection.patch new file mode 100644 index 00000000000..3306cfe774c --- /dev/null +++ b/queue-6.5/alsa-info-fix-potential-deadlock-at-disconnection.patch @@ -0,0 +1,121 @@ +From c7a60651953359f98dbf24b43e1bf561e1573ed4 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 9 Nov 2023 15:19:54 +0100 +Subject: ALSA: info: Fix potential deadlock at disconnection + +From: Takashi Iwai + +commit c7a60651953359f98dbf24b43e1bf561e1573ed4 upstream. + +As reported recently, ALSA core info helper may cause a deadlock at +the forced device disconnection during the procfs operation. + +The proc_remove() (that is called from the snd_card_disconnect() +helper) has a synchronization of the pending procfs accesses via +wait_for_completion(). Meanwhile, ALSA procfs helper takes the global +mutex_lock(&info_mutex) at both the proc_open callback and +snd_card_info_disconnect() helper. Since the proc_open can't finish +due to the mutex lock, wait_for_completion() never returns, either, +hence it deadlocks. + + TASK#1 TASK#2 + proc_reg_open() + takes use_pde() + snd_info_text_entry_open() + snd_card_disconnect() + snd_info_card_disconnect() + takes mutex_lock(&info_mutex) + proc_remove() + wait_for_completion(unused_pde) + ... waiting task#1 closes + mutex_lock(&info_mutex) + => DEADLOCK + +This patch is a workaround for avoiding the deadlock scenario above. + +The basic strategy is to move proc_remove() call outside the mutex +lock. proc_remove() can work gracefully without extra locking, and it +can delete the tree recursively alone. So, we call proc_remove() at +snd_info_card_disconnection() at first, then delete the rest resources +recursively within the info_mutex lock. + +After the change, the function snd_info_disconnect() doesn't do +disconnection by itself any longer, but it merely clears the procfs +pointer. So rename the function to snd_info_clear_entries() for +avoiding confusion. + +The similar change is applied to snd_info_free_entry(), too. Since +the proc_remove() is called only conditionally with the non-NULL +entry->p, it's skipped after the snd_info_clear_entries() call. + +Reported-by: Shinhyung Kang +Closes: https://lore.kernel.org/r/664457955.21699345385931.JavaMail.epsvc@epcpadp4 +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/20231109141954.4283-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/info.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/sound/core/info.c ++++ b/sound/core/info.c +@@ -56,7 +56,7 @@ struct snd_info_private_data { + }; + + static int snd_info_version_init(void); +-static void snd_info_disconnect(struct snd_info_entry *entry); ++static void snd_info_clear_entries(struct snd_info_entry *entry); + + /* + +@@ -569,11 +569,16 @@ void snd_info_card_disconnect(struct snd + { + if (!card) + return; +- mutex_lock(&info_mutex); ++ + proc_remove(card->proc_root_link); +- card->proc_root_link = NULL; + if (card->proc_root) +- snd_info_disconnect(card->proc_root); ++ proc_remove(card->proc_root->p); ++ ++ mutex_lock(&info_mutex); ++ if (card->proc_root) ++ snd_info_clear_entries(card->proc_root); ++ card->proc_root_link = NULL; ++ card->proc_root = NULL; + mutex_unlock(&info_mutex); + } + +@@ -745,15 +750,14 @@ struct snd_info_entry *snd_info_create_c + } + EXPORT_SYMBOL(snd_info_create_card_entry); + +-static void snd_info_disconnect(struct snd_info_entry *entry) ++static void snd_info_clear_entries(struct snd_info_entry *entry) + { + struct snd_info_entry *p; + + if (!entry->p) + return; + list_for_each_entry(p, &entry->children, list) +- snd_info_disconnect(p); +- proc_remove(entry->p); ++ snd_info_clear_entries(p); + entry->p = NULL; + } + +@@ -770,8 +774,9 @@ void snd_info_free_entry(struct snd_info + if (!entry) + return; + if (entry->p) { ++ proc_remove(entry->p); + mutex_lock(&info_mutex); +- snd_info_disconnect(entry); ++ snd_info_clear_entries(entry); + mutex_unlock(&info_mutex); + } + diff --git a/queue-6.5/btrfs-zoned-wait-for-data-bg-to-be-finished-on-direct-io-allocation.patch b/queue-6.5/btrfs-zoned-wait-for-data-bg-to-be-finished-on-direct-io-allocation.patch new file mode 100644 index 00000000000..3e6cdff63f6 --- /dev/null +++ b/queue-6.5/btrfs-zoned-wait-for-data-bg-to-be-finished-on-direct-io-allocation.patch @@ -0,0 +1,60 @@ +From 776a838f1fa95670c1c1cf7109a898090b473fa3 Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Tue, 17 Oct 2023 17:00:31 +0900 +Subject: btrfs: zoned: wait for data BG to be finished on direct IO allocation + +From: Naohiro Aota + +commit 776a838f1fa95670c1c1cf7109a898090b473fa3 upstream. + +Running the fio command below on a ZNS device results in "Resource +temporarily unavailable" error. + + $ sudo fio --name=w --directory=/mnt --filesize=1GB --bs=16MB --numjobs=16 \ + --rw=write --ioengine=libaio --iodepth=128 --direct=1 + + fio: io_u error on file /mnt/w.2.0: Resource temporarily unavailable: write offset=117440512, buflen=16777216 + fio: io_u error on file /mnt/w.2.0: Resource temporarily unavailable: write offset=134217728, buflen=16777216 + ... + +This happens because -EAGAIN error returned from btrfs_reserve_extent() +called from btrfs_new_extent_direct() is spilling over to the userland. + +btrfs_reserve_extent() returns -EAGAIN when there is no active zone +available. Then, the caller should wait for some other on-going IO to +finish a zone and retry the allocation. + +This logic is already implemented for buffered write in cow_file_range(), +but it is missing for the direct IO counterpart. Implement the same logic +for it. + +Reported-by: Shinichiro Kawasaki +Fixes: 2ce543f47843 ("btrfs: zoned: wait until zone is finished when allocation didn't progress") +CC: stable@vger.kernel.org # 6.1+ +Tested-by: Shinichiro Kawasaki +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -7142,8 +7142,15 @@ static struct extent_map *btrfs_new_exte + int ret; + + alloc_hint = get_extent_allocation_hint(inode, start, len); ++again: + ret = btrfs_reserve_extent(root, len, len, fs_info->sectorsize, + 0, alloc_hint, &ins, 1, 1); ++ if (ret == -EAGAIN) { ++ ASSERT(btrfs_is_zoned(fs_info)); ++ wait_on_bit_io(&inode->root->fs_info->flags, BTRFS_FS_NEED_ZONE_FINISH, ++ TASK_UNINTERRUPTIBLE); ++ goto again; ++ } + if (ret) + return ERR_PTR(ret); + diff --git a/queue-6.5/cifs-do-not-reset-chan_max-if-multichannel-is-not-supported-at-mount.patch b/queue-6.5/cifs-do-not-reset-chan_max-if-multichannel-is-not-supported-at-mount.patch new file mode 100644 index 00000000000..6937e3661d3 --- /dev/null +++ b/queue-6.5/cifs-do-not-reset-chan_max-if-multichannel-is-not-supported-at-mount.patch @@ -0,0 +1,38 @@ +From 6e5e64c9477d58e73cb1a0e83eacad1f8df247cf Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N +Date: Mon, 30 Oct 2023 11:00:10 +0000 +Subject: cifs: do not reset chan_max if multichannel is not supported at mount + +From: Shyam Prasad N + +commit 6e5e64c9477d58e73cb1a0e83eacad1f8df247cf upstream. + +If the mount command has specified multichannel as a mount option, +but multichannel is found to be unsupported by the server at the time +of mount, we set chan_max to 1. Which means that the user needs to +remount the share if the server starts supporting multichannel. + +This change removes this reset. What it means is that if the user +specified multichannel or max_channels during mount, and at this +time, multichannel is not supported, but the server starts supporting +it at a later point, the client will be capable of scaling out the +number of channels. + +Cc: stable@vger.kernel.org +Signed-off-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/sess.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/smb/client/sess.c ++++ b/fs/smb/client/sess.c +@@ -186,7 +186,6 @@ int cifs_try_adding_channels(struct cifs + } + + if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { +- ses->chan_max = 1; + spin_unlock(&ses->chan_lock); + cifs_server_dbg(VFS, "no multichannel support\n"); + return 0; diff --git a/queue-6.5/cifs-fix-encryption-of-cleared-but-unset-rq_iter-data-buffers.patch b/queue-6.5/cifs-fix-encryption-of-cleared-but-unset-rq_iter-data-buffers.patch new file mode 100644 index 00000000000..77dc5321be5 --- /dev/null +++ b/queue-6.5/cifs-fix-encryption-of-cleared-but-unset-rq_iter-data-buffers.patch @@ -0,0 +1,115 @@ +From 37de5a80e932f828c34abeaae63170d73930dca3 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 6 Nov 2023 14:40:11 +0000 +Subject: cifs: Fix encryption of cleared, but unset rq_iter data buffers + +From: David Howells + +commit 37de5a80e932f828c34abeaae63170d73930dca3 upstream. + +Each smb_rqst struct contains two things: an array of kvecs (rq_iov) that +contains the protocol data for an RPC op and an iterator (rq_iter) that +contains the data payload of an RPC op. When an smb_rqst is allocated +rq_iter is it always cleared, but we don't set it up unless we're going to +use it. + +The functions that determines the size of the ciphertext buffer that will +be needed to encrypt a request, cifs_get_num_sgs(), assumes that rq_iter is +always initialised - and employs user_backed_iter() to check that the +iterator isn't user-backed. This used to incidentally work, because +->user_backed was set to false because the iterator has never been +initialised, but with commit f1b4cb650b9a0eeba206d8f069fcdc532bfbcd74[1] +which changes user_backed_iter() to determine this based on the iterator +type insted, a warning is now emitted: + + WARNING: CPU: 7 PID: 4584 at fs/smb/client/cifsglob.h:2165 smb2_get_aead_req+0x3fc/0x420 [cifs] + ... + RIP: 0010:smb2_get_aead_req+0x3fc/0x420 [cifs] + ... + crypt_message+0x33e/0x550 [cifs] + smb3_init_transform_rq+0x27d/0x3f0 [cifs] + smb_send_rqst+0xc7/0x160 [cifs] + compound_send_recv+0x3ca/0x9f0 [cifs] + cifs_send_recv+0x25/0x30 [cifs] + SMB2_tcon+0x38a/0x820 [cifs] + cifs_get_smb_ses+0x69c/0xee0 [cifs] + cifs_mount_get_session+0x76/0x1d0 [cifs] + dfs_mount_share+0x74/0x9d0 [cifs] + cifs_mount+0x6e/0x2e0 [cifs] + cifs_smb3_do_mount+0x143/0x300 [cifs] + smb3_get_tree+0x15e/0x290 [cifs] + vfs_get_tree+0x2d/0xe0 + do_new_mount+0x124/0x340 + __se_sys_mount+0x143/0x1a0 + +The problem is that rq_iter was never set, so the type is 0 (ie. ITER_UBUF) +which causes user_backed_iter() to return true. The code doesn't +malfunction because it checks the size of the iterator - which is 0. + +Fix cifs_get_num_sgs() to ignore rq_iter if its count is 0, thereby +bypassing the warnings. + +It might be better to explicitly initialise rq_iter to a zero-length +ITER_BVEC, say, as it can always be reinitialised later. + +Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") +Reported-by: Damian Tometzki +Closes: https://lore.kernel.org/r/ZUfQo47uo0p2ZsYg@fedora.fritz.box/ +Tested-by: Damian Tometzki +Cc: stable@vger.kernel.org +cc: Eric Biggers +cc: linux-cifs@vger.kernel.org +cc: linux-fsdevel@vger.kernel.org +Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1b4cb650b9a0eeba206d8f069fcdc532bfbcd74 [1] +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: David Howells +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsglob.h | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -2113,6 +2113,7 @@ static inline int cifs_get_num_sgs(const + unsigned int len, skip; + unsigned int nents = 0; + unsigned long addr; ++ size_t data_size; + int i, j; + + /* +@@ -2128,17 +2129,21 @@ static inline int cifs_get_num_sgs(const + * rqst[1+].rq_iov[0+] data to be encrypted/decrypted + */ + for (i = 0; i < num_rqst; i++) { ++ data_size = iov_iter_count(&rqst[i].rq_iter); ++ + /* We really don't want a mixture of pinned and unpinned pages + * in the sglist. It's hard to keep track of which is what. + * Instead, we convert to a BVEC-type iterator higher up. + */ +- if (WARN_ON_ONCE(user_backed_iter(&rqst[i].rq_iter))) ++ if (data_size && ++ WARN_ON_ONCE(user_backed_iter(&rqst[i].rq_iter))) + return -EIO; + + /* We also don't want to have any extra refs or pins to clean + * up in the sglist. + */ +- if (WARN_ON_ONCE(iov_iter_extract_will_pin(&rqst[i].rq_iter))) ++ if (data_size && ++ WARN_ON_ONCE(iov_iter_extract_will_pin(&rqst[i].rq_iter))) + return -EIO; + + for (j = 0; j < rqst[i].rq_nvec; j++) { +@@ -2154,7 +2159,8 @@ static inline int cifs_get_num_sgs(const + } + skip = 0; + } +- nents += iov_iter_npages(&rqst[i].rq_iter, INT_MAX); ++ if (data_size) ++ nents += iov_iter_npages(&rqst[i].rq_iter, INT_MAX); + } + nents += DIV_ROUND_UP(offset_in_page(sig) + SMB2_SIGNATURE_SIZE, PAGE_SIZE); + return nents; diff --git a/queue-6.5/cifs-force-interface-update-before-a-fresh-session-setup.patch b/queue-6.5/cifs-force-interface-update-before-a-fresh-session-setup.patch new file mode 100644 index 00000000000..ef7c4870e3f --- /dev/null +++ b/queue-6.5/cifs-force-interface-update-before-a-fresh-session-setup.patch @@ -0,0 +1,40 @@ +From d9a6d78096056a3cb5c5f07a730ab92f2f9ac4e6 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N +Date: Mon, 30 Oct 2023 11:00:11 +0000 +Subject: cifs: force interface update before a fresh session setup + +From: Shyam Prasad N + +commit d9a6d78096056a3cb5c5f07a730ab92f2f9ac4e6 upstream. + +During a session reconnect, it is possible that the +server moved to another physical server (happens in case +of Azure files). So at this time, force a query of server +interfaces again (in case of multichannel session), such +that the secondary channels connect to the right +IP addresses (possibly updated now). + +Cc: stable@vger.kernel.org +Signed-off-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -3850,8 +3850,12 @@ cifs_setup_session(const unsigned int xi + is_binding = !CIFS_ALL_CHANS_NEED_RECONNECT(ses); + spin_unlock(&ses->chan_lock); + +- if (!is_binding) ++ if (!is_binding) { + ses->ses_status = SES_IN_SETUP; ++ ++ /* force iface_list refresh */ ++ ses->iface_last_update = 0; ++ } + spin_unlock(&ses->ses_lock); + + /* update ses ip_addr only for primary chan */ diff --git a/queue-6.5/cifs-reconnect-helper-should-set-reconnect-for-the-right-channel.patch b/queue-6.5/cifs-reconnect-helper-should-set-reconnect-for-the-right-channel.patch new file mode 100644 index 00000000000..65f91a5b2da --- /dev/null +++ b/queue-6.5/cifs-reconnect-helper-should-set-reconnect-for-the-right-channel.patch @@ -0,0 +1,47 @@ +From c3326a61cdbf3ce1273d9198b6cbf90965d7e029 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N +Date: Mon, 30 Oct 2023 11:00:09 +0000 +Subject: cifs: reconnect helper should set reconnect for the right channel + +From: Shyam Prasad N + +commit c3326a61cdbf3ce1273d9198b6cbf90965d7e029 upstream. + +We introduced a helper function to be used by non-cifsd threads to +mark the connection for reconnect. For multichannel, when only +a particular channel needs to be reconnected, this had a bug. + +This change fixes that by marking that particular channel +for reconnect. + +Fixes: dca65818c80c ("cifs: use a different reconnect helper for non-cifsd threads") +Cc: stable@vger.kernel.org +Signed-off-by: Shyam Prasad N +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -156,13 +156,14 @@ cifs_signal_cifsd_for_reconnect(struct T + /* If server is a channel, select the primary channel */ + pserver = CIFS_SERVER_IS_CHAN(server) ? server->primary_server : server; + +- spin_lock(&pserver->srv_lock); ++ /* if we need to signal just this channel */ + if (!all_channels) { +- pserver->tcpStatus = CifsNeedReconnect; +- spin_unlock(&pserver->srv_lock); ++ spin_lock(&server->srv_lock); ++ if (server->tcpStatus != CifsExiting) ++ server->tcpStatus = CifsNeedReconnect; ++ spin_unlock(&server->srv_lock); + return; + } +- spin_unlock(&pserver->srv_lock); + + spin_lock(&cifs_tcp_ses_lock); + list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { diff --git a/queue-6.5/fs-add-ctime-accessors-infrastructure.patch b/queue-6.5/fs-add-ctime-accessors-infrastructure.patch new file mode 100644 index 00000000000..52dc9ab7fec --- /dev/null +++ b/queue-6.5/fs-add-ctime-accessors-infrastructure.patch @@ -0,0 +1,108 @@ +From 9b6304c1d53745c300b86f202d0dcff395e2d2db Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Wed, 5 Jul 2023 14:58:10 -0400 +Subject: fs: add ctime accessors infrastructure + +From: Jeff Layton + +commit 9b6304c1d53745c300b86f202d0dcff395e2d2db upstream. + +struct timespec64 has unused bits in the tv_nsec field that can be used +for other purposes. In future patches, we're going to change how the +inode->i_ctime is accessed in certain inodes in order to make use of +them. In order to do that safely though, we'll need to eradicate raw +accesses of the inode->i_ctime field from the kernel. + +Add new accessor functions for the ctime that we use to replace them. + +Reviewed-by: Jan Kara +Reviewed-by: Luis Chamberlain +Signed-off-by: Jeff Layton +Reviewed-by: Damien Le Moal +Message-Id: <20230705185812.579118-2-jlayton@kernel.org> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/inode.c | 16 ++++++++++++++++ + include/linux/fs.h | 45 ++++++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 60 insertions(+), 1 deletion(-) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -2499,6 +2499,22 @@ struct timespec64 current_time(struct in + EXPORT_SYMBOL(current_time); + + /** ++ * inode_set_ctime_current - set the ctime to current_time ++ * @inode: inode ++ * ++ * Set the inode->i_ctime to the current value for the inode. Returns ++ * the current value that was assigned to i_ctime. ++ */ ++struct timespec64 inode_set_ctime_current(struct inode *inode) ++{ ++ struct timespec64 now = current_time(inode); ++ ++ inode_set_ctime(inode, now.tv_sec, now.tv_nsec); ++ return now; ++} ++EXPORT_SYMBOL(inode_set_ctime_current); ++ ++/** + * in_group_or_capable - check whether caller is CAP_FSETID privileged + * @idmap: idmap of the mount @inode was found from + * @inode: inode to check +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1474,7 +1474,50 @@ static inline bool fsuidgid_has_mapping( + kgid_has_mapping(fs_userns, kgid); + } + +-extern struct timespec64 current_time(struct inode *inode); ++struct timespec64 current_time(struct inode *inode); ++struct timespec64 inode_set_ctime_current(struct inode *inode); ++ ++/** ++ * inode_get_ctime - fetch the current ctime from the inode ++ * @inode: inode from which to fetch ctime ++ * ++ * Grab the current ctime from the inode and return it. ++ */ ++static inline struct timespec64 inode_get_ctime(const struct inode *inode) ++{ ++ return inode->i_ctime; ++} ++ ++/** ++ * inode_set_ctime_to_ts - set the ctime in the inode ++ * @inode: inode in which to set the ctime ++ * @ts: value to set in the ctime field ++ * ++ * Set the ctime in @inode to @ts ++ */ ++static inline struct timespec64 inode_set_ctime_to_ts(struct inode *inode, ++ struct timespec64 ts) ++{ ++ inode->i_ctime = ts; ++ return ts; ++} ++ ++/** ++ * inode_set_ctime - set the ctime in the inode ++ * @inode: inode in which to set the ctime ++ * @sec: tv_sec value to set ++ * @nsec: tv_nsec value to set ++ * ++ * Set the ctime in @inode to { @sec, @nsec } ++ */ ++static inline struct timespec64 inode_set_ctime(struct inode *inode, ++ time64_t sec, long nsec) ++{ ++ struct timespec64 ts = { .tv_sec = sec, ++ .tv_nsec = nsec }; ++ ++ return inode_set_ctime_to_ts(inode, ts); ++} + + /* + * Snapshotting support. diff --git a/queue-6.5/series b/queue-6.5/series index 0d87e5847e5..ca07879e06d 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -384,3 +384,23 @@ parisc-prevent-booting-64-bit-kernels-on-pa1.x-machines.patch parisc-pgtable-do-not-drop-upper-5-address-bits-of-physical-address.patch parisc-power-fix-power-soft-off-when-running-on-qemu.patch xhci-enable-rpm-on-controllers-that-support-low-power-states.patch +fs-add-ctime-accessors-infrastructure.patch +smb3-fix-creating-fifos-when-mounting-with-sfu-mount-option.patch +smb3-fix-touch-h-of-symlink.patch +smb3-allow-dumping-session-and-tcon-id-to-improve-stats-analysis-and-debugging.patch +smb3-fix-caching-of-ctime-on-setxattr.patch +smb-client-fix-use-after-free-bug-in-cifs_debug_data_proc_show.patch +smb-client-fix-use-after-free-in-smb2_query_info_compound.patch +smb-client-fix-potential-deadlock-when-releasing-mids.patch +cifs-reconnect-helper-should-set-reconnect-for-the-right-channel.patch +cifs-force-interface-update-before-a-fresh-session-setup.patch +cifs-do-not-reset-chan_max-if-multichannel-is-not-supported-at-mount.patch +cifs-fix-encryption-of-cleared-but-unset-rq_iter-data-buffers.patch +xfs-recovery-should-not-clear-di_flushiter-unconditionally.patch +btrfs-zoned-wait-for-data-bg-to-be-finished-on-direct-io-allocation.patch +alsa-info-fix-potential-deadlock-at-disconnection.patch +alsa-hda-realtek-enable-mute-led-on-hp-255-g8.patch +alsa-hda-realtek-add-dell-alc295-to-pin-fall-back-table.patch +alsa-hda-realtek-enable-internal-speaker-of-asus-k6500zc.patch +alsa-hda-realtek-enable-mute-led-on-hp-255-g10.patch +alsa-hda-realtek-add-quirks-for-hp-laptops.patch diff --git a/queue-6.5/smb-client-fix-potential-deadlock-when-releasing-mids.patch b/queue-6.5/smb-client-fix-potential-deadlock-when-releasing-mids.patch new file mode 100644 index 00000000000..5c9582ff635 --- /dev/null +++ b/queue-6.5/smb-client-fix-potential-deadlock-when-releasing-mids.patch @@ -0,0 +1,97 @@ +From e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 25 Oct 2023 14:58:35 -0300 +Subject: smb: client: fix potential deadlock when releasing mids + +From: Paulo Alcantara + +commit e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 upstream. + +All release_mid() callers seem to hold a reference of @mid so there is +no need to call kref_put(&mid->refcount, __release_mid) under +@server->mid_lock spinlock. If they don't, then an use-after-free bug +would have occurred anyways. + +By getting rid of such spinlock also fixes a potential deadlock as +shown below + +CPU 0 CPU 1 +------------------------------------------------------------------ +cifs_demultiplex_thread() cifs_debug_data_proc_show() + release_mid() + spin_lock(&server->mid_lock); + spin_lock(&cifs_tcp_ses_lock) + spin_lock(&server->mid_lock) + __release_mid() + smb2_find_smb_tcon() + spin_lock(&cifs_tcp_ses_lock) *deadlock* + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsproto.h | 7 ++++++- + fs/smb/client/smb2misc.c | 2 +- + fs/smb/client/transport.c | 11 +---------- + 3 files changed, 8 insertions(+), 12 deletions(-) + +--- a/fs/smb/client/cifsproto.h ++++ b/fs/smb/client/cifsproto.h +@@ -81,7 +81,7 @@ extern char *cifs_build_path_to_root(str + extern char *build_wildcard_path_from_dentry(struct dentry *direntry); + char *cifs_build_devname(char *nodename, const char *prepath); + extern void delete_mid(struct mid_q_entry *mid); +-extern void release_mid(struct mid_q_entry *mid); ++void __release_mid(struct kref *refcount); + extern void cifs_wake_up_task(struct mid_q_entry *mid); + extern int cifs_handle_standard(struct TCP_Server_Info *server, + struct mid_q_entry *mid); +@@ -741,4 +741,9 @@ static inline bool dfs_src_pathname_equa + return true; + } + ++static inline void release_mid(struct mid_q_entry *mid) ++{ ++ kref_put(&mid->refcount, __release_mid); ++} ++ + #endif /* _CIFSPROTO_H */ +--- a/fs/smb/client/smb2misc.c ++++ b/fs/smb/client/smb2misc.c +@@ -787,7 +787,7 @@ __smb2_handle_cancelled_cmd(struct cifs_ + { + struct close_cancelled_open *cancelled; + +- cancelled = kzalloc(sizeof(*cancelled), GFP_ATOMIC); ++ cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL); + if (!cancelled) + return -ENOMEM; + +--- a/fs/smb/client/transport.c ++++ b/fs/smb/client/transport.c +@@ -76,7 +76,7 @@ alloc_mid(const struct smb_hdr *smb_buff + return temp; + } + +-static void __release_mid(struct kref *refcount) ++void __release_mid(struct kref *refcount) + { + struct mid_q_entry *midEntry = + container_of(refcount, struct mid_q_entry, refcount); +@@ -156,15 +156,6 @@ static void __release_mid(struct kref *r + mempool_free(midEntry, cifs_mid_poolp); + } + +-void release_mid(struct mid_q_entry *mid) +-{ +- struct TCP_Server_Info *server = mid->server; +- +- spin_lock(&server->mid_lock); +- kref_put(&mid->refcount, __release_mid); +- spin_unlock(&server->mid_lock); +-} +- + void + delete_mid(struct mid_q_entry *mid) + { diff --git a/queue-6.5/smb-client-fix-use-after-free-bug-in-cifs_debug_data_proc_show.patch b/queue-6.5/smb-client-fix-use-after-free-bug-in-cifs_debug_data_proc_show.patch new file mode 100644 index 00000000000..e085b991212 --- /dev/null +++ b/queue-6.5/smb-client-fix-use-after-free-bug-in-cifs_debug_data_proc_show.patch @@ -0,0 +1,67 @@ +From d328c09ee9f15ee5a26431f5aad7c9239fa85e62 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Tue, 24 Oct 2023 13:49:15 -0300 +Subject: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() + +From: Paulo Alcantara + +commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 upstream. + +Skip SMB sessions that are being teared down +(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() +to avoid use-after-free in @ses. + +This fixes the following GPF when reading from /proc/fs/cifs/DebugData +while mounting and umounting + + [ 816.251274] general protection fault, probably for non-canonical + address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI + ... + [ 816.260138] Call Trace: + [ 816.260329] + [ 816.260499] ? die_addr+0x36/0x90 + [ 816.260762] ? exc_general_protection+0x1b3/0x410 + [ 816.261126] ? asm_exc_general_protection+0x26/0x30 + [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] + [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] + [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] + [ 816.262689] ? seq_read_iter+0x379/0x470 + [ 816.262995] seq_read_iter+0x118/0x470 + [ 816.263291] proc_reg_read_iter+0x53/0x90 + [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f + [ 816.263945] vfs_read+0x201/0x350 + [ 816.264211] ksys_read+0x75/0x100 + [ 816.264472] do_syscall_64+0x3f/0x90 + [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + [ 816.265135] RIP: 0033:0x7fd5e669d381 + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifs_debug.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/smb/client/cifs_debug.c ++++ b/fs/smb/client/cifs_debug.c +@@ -452,6 +452,11 @@ skip_rdma: + seq_printf(m, "\n\n\tSessions: "); + i = 0; + list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { ++ spin_lock(&ses->ses_lock); ++ if (ses->ses_status == SES_EXITING) { ++ spin_unlock(&ses->ses_lock); ++ continue; ++ } + i++; + if ((ses->serverDomain == NULL) || + (ses->serverOS == NULL) || +@@ -472,6 +477,7 @@ skip_rdma: + ses->ses_count, ses->serverOS, ses->serverNOS, + ses->capabilities, ses->ses_status); + } ++ spin_unlock(&ses->ses_lock); + + seq_printf(m, "\n\tSecurity type: %s ", + get_security_type_str(server->ops->select_sectype(server, ses->sectype))); diff --git a/queue-6.5/smb-client-fix-use-after-free-in-smb2_query_info_compound.patch b/queue-6.5/smb-client-fix-use-after-free-in-smb2_query_info_compound.patch new file mode 100644 index 00000000000..ff58ffd8299 --- /dev/null +++ b/queue-6.5/smb-client-fix-use-after-free-in-smb2_query_info_compound.patch @@ -0,0 +1,282 @@ +From 5c86919455c1edec99ebd3338ad213b59271a71b Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Mon, 30 Oct 2023 17:19:56 -0300 +Subject: smb: client: fix use-after-free in smb2_query_info_compound() + +From: Paulo Alcantara + +commit 5c86919455c1edec99ebd3338ad213b59271a71b upstream. + +The following UAF was triggered when running fstests generic/072 with +KASAN enabled against Windows Server 2022 and mount options +'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm' + + BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs] + Read of size 8 at addr ffff888014941048 by task xfs_io/27534 + + CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS + rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + Call Trace: + dump_stack_lvl+0x4a/0x80 + print_report+0xcf/0x650 + ? srso_alias_return_thunk+0x5/0x7f + ? srso_alias_return_thunk+0x5/0x7f + ? __phys_addr+0x46/0x90 + kasan_report+0xda/0x110 + ? smb2_query_info_compound+0x423/0x6d0 [cifs] + ? smb2_query_info_compound+0x423/0x6d0 [cifs] + smb2_query_info_compound+0x423/0x6d0 [cifs] + ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs] + ? srso_alias_return_thunk+0x5/0x7f + ? __stack_depot_save+0x39/0x480 + ? kasan_save_stack+0x33/0x60 + ? kasan_set_track+0x25/0x30 + ? ____kasan_slab_free+0x126/0x170 + smb2_queryfs+0xc2/0x2c0 [cifs] + ? __pfx_smb2_queryfs+0x10/0x10 [cifs] + ? __pfx___lock_acquire+0x10/0x10 + smb311_queryfs+0x210/0x220 [cifs] + ? __pfx_smb311_queryfs+0x10/0x10 [cifs] + ? srso_alias_return_thunk+0x5/0x7f + ? __lock_acquire+0x480/0x26c0 + ? lock_release+0x1ed/0x640 + ? srso_alias_return_thunk+0x5/0x7f + ? do_raw_spin_unlock+0x9b/0x100 + cifs_statfs+0x18c/0x4b0 [cifs] + statfs_by_dentry+0x9b/0xf0 + fd_statfs+0x4e/0xb0 + __do_sys_fstatfs+0x7f/0xe0 + ? __pfx___do_sys_fstatfs+0x10/0x10 + ? srso_alias_return_thunk+0x5/0x7f + ? lockdep_hardirqs_on_prepare+0x136/0x200 + ? srso_alias_return_thunk+0x5/0x7f + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + + Allocated by task 27534: + kasan_save_stack+0x33/0x60 + kasan_set_track+0x25/0x30 + __kasan_kmalloc+0x8f/0xa0 + open_cached_dir+0x71b/0x1240 [cifs] + smb2_query_info_compound+0x5c3/0x6d0 [cifs] + smb2_queryfs+0xc2/0x2c0 [cifs] + smb311_queryfs+0x210/0x220 [cifs] + cifs_statfs+0x18c/0x4b0 [cifs] + statfs_by_dentry+0x9b/0xf0 + fd_statfs+0x4e/0xb0 + __do_sys_fstatfs+0x7f/0xe0 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + + Freed by task 27534: + kasan_save_stack+0x33/0x60 + kasan_set_track+0x25/0x30 + kasan_save_free_info+0x2b/0x50 + ____kasan_slab_free+0x126/0x170 + slab_free_freelist_hook+0xd0/0x1e0 + __kmem_cache_free+0x9d/0x1b0 + open_cached_dir+0xff5/0x1240 [cifs] + smb2_query_info_compound+0x5c3/0x6d0 [cifs] + smb2_queryfs+0xc2/0x2c0 [cifs] + +This is a race between open_cached_dir() and cached_dir_lease_break() +where the cache entry for the open directory handle receives a lease +break while creating it. And before returning from open_cached_dir(), +we put the last reference of the new @cfid because of +!@cfid->has_lease. + +Besides the UAF, while running xfstests a lot of missed lease breaks +have been noticed in tests that run several concurrent statfs(2) calls +on those cached fids + + CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... + CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... + CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108 + CIFS: VFS: Dump pending requests: + CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... + CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... + CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108 + ... + +To fix both, in open_cached_dir() ensure that @cfid->has_lease is set +right before sending out compounded request so that any potential +lease break will be get processed by demultiplex thread while we're +still caching @cfid. And, if open failed for some reason, re-check +@cfid->has_lease to decide whether or not put lease reference. + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cached_dir.c | 84 ++++++++++++++++++++++++++------------------- + 1 file changed, 49 insertions(+), 35 deletions(-) + +--- a/fs/smb/client/cached_dir.c ++++ b/fs/smb/client/cached_dir.c +@@ -32,7 +32,7 @@ static struct cached_fid *find_or_create + * fully cached or it may be in the process of + * being deleted due to a lease break. + */ +- if (!cfid->has_lease) { ++ if (!cfid->time || !cfid->has_lease) { + spin_unlock(&cfids->cfid_list_lock); + return NULL; + } +@@ -193,10 +193,20 @@ int open_cached_dir(unsigned int xid, st + npath = path_no_prefix(cifs_sb, path); + if (IS_ERR(npath)) { + rc = PTR_ERR(npath); +- kfree(utf16_path); +- return rc; ++ goto out; + } + ++ if (!npath[0]) { ++ dentry = dget(cifs_sb->root); ++ } else { ++ dentry = path_to_dentry(cifs_sb, npath); ++ if (IS_ERR(dentry)) { ++ rc = -ENOENT; ++ goto out; ++ } ++ } ++ cfid->dentry = dentry; ++ + /* + * We do not hold the lock for the open because in case + * SMB2_open needs to reconnect. +@@ -249,6 +259,15 @@ int open_cached_dir(unsigned int xid, st + + smb2_set_related(&rqst[1]); + ++ /* ++ * Set @cfid->has_lease to true before sending out compounded request so ++ * its lease reference can be put in cached_dir_lease_break() due to a ++ * potential lease break right after the request is sent or while @cfid ++ * is still being cached. Concurrent processes won't be to use it yet ++ * due to @cfid->time being zero. ++ */ ++ cfid->has_lease = true; ++ + rc = compound_send_recv(xid, ses, server, + flags, 2, rqst, + resp_buftype, rsp_iov); +@@ -263,6 +282,8 @@ int open_cached_dir(unsigned int xid, st + cfid->tcon = tcon; + cfid->is_open = true; + ++ spin_lock(&cfids->cfid_list_lock); ++ + o_rsp = (struct smb2_create_rsp *)rsp_iov[0].iov_base; + oparms.fid->persistent_fid = o_rsp->PersistentFileId; + oparms.fid->volatile_fid = o_rsp->VolatileFileId; +@@ -270,18 +291,25 @@ int open_cached_dir(unsigned int xid, st + oparms.fid->mid = le64_to_cpu(o_rsp->hdr.MessageId); + #endif /* CIFS_DEBUG2 */ + +- if (o_rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE) ++ rc = -EINVAL; ++ if (o_rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE) { ++ spin_unlock(&cfids->cfid_list_lock); + goto oshr_free; ++ } + + smb2_parse_contexts(server, o_rsp, + &oparms.fid->epoch, + oparms.fid->lease_key, &oplock, + NULL, NULL); +- if (!(oplock & SMB2_LEASE_READ_CACHING_HE)) ++ if (!(oplock & SMB2_LEASE_READ_CACHING_HE)) { ++ spin_unlock(&cfids->cfid_list_lock); + goto oshr_free; ++ } + qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base; +- if (le32_to_cpu(qi_rsp->OutputBufferLength) < sizeof(struct smb2_file_all_info)) ++ if (le32_to_cpu(qi_rsp->OutputBufferLength) < sizeof(struct smb2_file_all_info)) { ++ spin_unlock(&cfids->cfid_list_lock); + goto oshr_free; ++ } + if (!smb2_validate_and_copy_iov( + le16_to_cpu(qi_rsp->OutputBufferOffset), + sizeof(struct smb2_file_all_info), +@@ -289,37 +317,24 @@ int open_cached_dir(unsigned int xid, st + (char *)&cfid->file_all_info)) + cfid->file_all_info_is_valid = true; + +- if (!npath[0]) +- dentry = dget(cifs_sb->root); +- else { +- dentry = path_to_dentry(cifs_sb, npath); +- if (IS_ERR(dentry)) { +- rc = -ENOENT; +- goto oshr_free; +- } +- } +- spin_lock(&cfids->cfid_list_lock); +- cfid->dentry = dentry; + cfid->time = jiffies; +- cfid->has_lease = true; + spin_unlock(&cfids->cfid_list_lock); ++ /* At this point the directory handle is fully cached */ ++ rc = 0; + + oshr_free: +- kfree(utf16_path); + SMB2_open_free(&rqst[0]); + SMB2_query_info_free(&rqst[1]); + free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base); + free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base); +- spin_lock(&cfids->cfid_list_lock); +- if (!cfid->has_lease) { +- if (rc) { +- if (cfid->on_list) { +- list_del(&cfid->entry); +- cfid->on_list = false; +- cfids->num_entries--; +- } +- rc = -ENOENT; +- } else { ++ if (rc) { ++ spin_lock(&cfids->cfid_list_lock); ++ if (cfid->on_list) { ++ list_del(&cfid->entry); ++ cfid->on_list = false; ++ cfids->num_entries--; ++ } ++ if (cfid->has_lease) { + /* + * We are guaranteed to have two references at this + * point. One for the caller and one for a potential +@@ -327,25 +342,24 @@ oshr_free: + * will be closed when the caller closes the cached + * handle. + */ ++ cfid->has_lease = false; + spin_unlock(&cfids->cfid_list_lock); + kref_put(&cfid->refcount, smb2_close_cached_fid); + goto out; + } ++ spin_unlock(&cfids->cfid_list_lock); + } +- spin_unlock(&cfids->cfid_list_lock); ++out: + if (rc) { + if (cfid->is_open) + SMB2_close(0, cfid->tcon, cfid->fid.persistent_fid, + cfid->fid.volatile_fid); + free_cached_dir(cfid); +- cfid = NULL; +- } +-out: +- if (rc == 0) { ++ } else { + *ret_cfid = cfid; + atomic_inc(&tcon->num_remote_opens); + } +- ++ kfree(utf16_path); + return rc; + } + diff --git a/queue-6.5/smb3-allow-dumping-session-and-tcon-id-to-improve-stats-analysis-and-debugging.patch b/queue-6.5/smb3-allow-dumping-session-and-tcon-id-to-improve-stats-analysis-and-debugging.patch new file mode 100644 index 00000000000..b799384bb6e --- /dev/null +++ b/queue-6.5/smb3-allow-dumping-session-and-tcon-id-to-improve-stats-analysis-and-debugging.patch @@ -0,0 +1,95 @@ +From de4eceab578ead12a71e5b5588a57e142bbe8ceb Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 9 Nov 2023 15:28:12 -0600 +Subject: smb3: allow dumping session and tcon id to improve stats analysis and debugging + +From: Steve French + +commit de4eceab578ead12a71e5b5588a57e142bbe8ceb upstream. + +When multiple mounts are to the same share from the same client it was not +possible to determine which section of /proc/fs/cifs/Stats (and DebugData) +correspond to that mount. In some recent examples this turned out to be +a significant problem when trying to analyze performance data - since +there are many cases where unless we know the tree id and session id we +can't figure out which stats (e.g. number of SMB3.1.1 requests by type, +the total time they take, which is slowest, how many fail etc.) apply to +which mount. The only existing loosely related ioctl CIFS_IOC_GET_MNT_INFO +does not return the information needed to uniquely identify which tcon +is which mount although it does return various flags and device info. + +Add a cifs.ko ioctl CIFS_IOC_GET_TCON_INFO (0x800ccf0c) to return tid, +session id, tree connect count. + +Cc: stable@vger.kernel.org +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifs_ioctl.h | 6 ++++++ + fs/smb/client/ioctl.c | 25 +++++++++++++++++++++++++ + 2 files changed, 31 insertions(+) + +--- a/fs/smb/client/cifs_ioctl.h ++++ b/fs/smb/client/cifs_ioctl.h +@@ -26,6 +26,11 @@ struct smb_mnt_fs_info { + __u64 cifs_posix_caps; + } __packed; + ++struct smb_mnt_tcon_info { ++ __u32 tid; ++ __u64 session_id; ++} __packed; ++ + struct smb_snapshot_array { + __u32 number_of_snapshots; + __u32 number_of_snapshots_returned; +@@ -108,6 +113,7 @@ struct smb3_notify_info { + #define CIFS_IOC_NOTIFY _IOW(CIFS_IOCTL_MAGIC, 9, struct smb3_notify) + #define CIFS_DUMP_FULL_KEY _IOWR(CIFS_IOCTL_MAGIC, 10, struct smb3_full_key_debug_info) + #define CIFS_IOC_NOTIFY_INFO _IOWR(CIFS_IOCTL_MAGIC, 11, struct smb3_notify_info) ++#define CIFS_IOC_GET_TCON_INFO _IOR(CIFS_IOCTL_MAGIC, 12, struct smb_mnt_tcon_info) + #define CIFS_IOC_SHUTDOWN _IOR('X', 125, __u32) + + /* +--- a/fs/smb/client/ioctl.c ++++ b/fs/smb/client/ioctl.c +@@ -117,6 +117,20 @@ out_drop_write: + return rc; + } + ++static long smb_mnt_get_tcon_info(struct cifs_tcon *tcon, void __user *arg) ++{ ++ int rc = 0; ++ struct smb_mnt_tcon_info tcon_inf; ++ ++ tcon_inf.tid = tcon->tid; ++ tcon_inf.session_id = tcon->ses->Suid; ++ ++ if (copy_to_user(arg, &tcon_inf, sizeof(struct smb_mnt_tcon_info))) ++ rc = -EFAULT; ++ ++ return rc; ++} ++ + static long smb_mnt_get_fsinfo(unsigned int xid, struct cifs_tcon *tcon, + void __user *arg) + { +@@ -414,6 +428,17 @@ long cifs_ioctl(struct file *filep, unsi + tcon = tlink_tcon(pSMBFile->tlink); + rc = smb_mnt_get_fsinfo(xid, tcon, (void __user *)arg); + break; ++ case CIFS_IOC_GET_TCON_INFO: ++ cifs_sb = CIFS_SB(inode->i_sb); ++ tlink = cifs_sb_tlink(cifs_sb); ++ if (IS_ERR(tlink)) { ++ rc = PTR_ERR(tlink); ++ break; ++ } ++ tcon = tlink_tcon(tlink); ++ rc = smb_mnt_get_tcon_info(tcon, (void __user *)arg); ++ cifs_put_tlink(tlink); ++ break; + case CIFS_ENUMERATE_SNAPSHOTS: + if (pSMBFile == NULL) + break; diff --git a/queue-6.5/smb3-fix-caching-of-ctime-on-setxattr.patch b/queue-6.5/smb3-fix-caching-of-ctime-on-setxattr.patch new file mode 100644 index 00000000000..ffc297ee6f3 --- /dev/null +++ b/queue-6.5/smb3-fix-caching-of-ctime-on-setxattr.patch @@ -0,0 +1,38 @@ +From 5923d6686a100c2b4cabd4c2ca9d5a12579c7614 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Tue, 7 Nov 2023 21:38:13 -0600 +Subject: smb3: fix caching of ctime on setxattr + +From: Steve French + +commit 5923d6686a100c2b4cabd4c2ca9d5a12579c7614 upstream. + +Fixes xfstest generic/728 which had been failing due to incorrect +ctime after setxattr and removexattr + +Update ctime on successful set of xattr + +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/xattr.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/xattr.c ++++ b/fs/smb/client/xattr.c +@@ -150,10 +150,13 @@ static int cifs_xattr_set(const struct x + if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_XATTR) + goto out; + +- if (pTcon->ses->server->ops->set_EA) ++ if (pTcon->ses->server->ops->set_EA) { + rc = pTcon->ses->server->ops->set_EA(xid, pTcon, + full_path, name, value, (__u16)size, + cifs_sb->local_nls, cifs_sb); ++ if (rc == 0) ++ inode_set_ctime_current(inode); ++ } + break; + + case XATTR_CIFS_ACL: diff --git a/queue-6.5/smb3-fix-creating-fifos-when-mounting-with-sfu-mount-option.patch b/queue-6.5/smb3-fix-creating-fifos-when-mounting-with-sfu-mount-option.patch new file mode 100644 index 00000000000..f3c3699f35e --- /dev/null +++ b/queue-6.5/smb3-fix-creating-fifos-when-mounting-with-sfu-mount-option.patch @@ -0,0 +1,81 @@ +From 72bc63f5e23a38b65ff2a201bdc11401d4223fa9 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 19 Oct 2023 23:01:49 -0500 +Subject: smb3: fix creating FIFOs when mounting with "sfu" mount option + +From: Steve French + +commit 72bc63f5e23a38b65ff2a201bdc11401d4223fa9 upstream. + +Fixes some xfstests including generic/564 and generic/157 + +The "sfu" mount option can be useful for creating special files (character +and block devices in particular) but could not create FIFOs. It did +recognize existing empty files with the "system" attribute flag as FIFOs +but this is too general, so to support creating FIFOs more safely use a new +tag (but the same length as those for char and block devices ie "IntxLNK" +and "IntxBLK") "LnxFIFO" to indicate that the file should be treated as a +FIFO (when mounted with the "sfu"). For some additional context note that +"sfu" followed the way that "Services for Unix" on Windows handled these +special files (at least for character and block devices and symlinks), +which is different than newer Windows which can handle special files +as reparse points (which isn't an option to many servers). + +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifspdu.h | 2 +- + fs/smb/client/inode.c | 4 ++++ + fs/smb/client/smb2ops.c | 8 +++++++- + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/cifspdu.h ++++ b/fs/smb/client/cifspdu.h +@@ -2570,7 +2570,7 @@ typedef struct { + + + struct win_dev { +- unsigned char type[8]; /* IntxCHR or IntxBLK */ ++ unsigned char type[8]; /* IntxCHR or IntxBLK or LnxFIFO*/ + __le64 major; + __le64 minor; + } __attribute__((packed)); +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -567,6 +567,10 @@ cifs_sfu_type(struct cifs_fattr *fattr, + cifs_dbg(FYI, "Symlink\n"); + fattr->cf_mode |= S_IFLNK; + fattr->cf_dtype = DT_LNK; ++ } else if (memcmp("LnxFIFO", pbuf, 8) == 0) { ++ cifs_dbg(FYI, "FIFO\n"); ++ fattr->cf_mode |= S_IFIFO; ++ fattr->cf_dtype = DT_FIFO; + } else { + fattr->cf_mode |= S_IFREG; /* file? */ + fattr->cf_dtype = DT_REG; +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -5212,7 +5212,7 @@ smb2_make_node(unsigned int xid, struct + * over SMB2/SMB3 and Samba will do this with SMB3.1.1 POSIX Extensions + */ + +- if (!S_ISCHR(mode) && !S_ISBLK(mode)) ++ if (!S_ISCHR(mode) && !S_ISBLK(mode) && !S_ISFIFO(mode)) + return rc; + + cifs_dbg(FYI, "sfu compat create special file\n"); +@@ -5260,6 +5260,12 @@ smb2_make_node(unsigned int xid, struct + pdev->minor = cpu_to_le64(MINOR(dev)); + rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms, + &bytes_written, iov, 1); ++ } else if (S_ISFIFO(mode)) { ++ memcpy(pdev->type, "LnxFIFO", 8); ++ pdev->major = 0; ++ pdev->minor = 0; ++ rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms, ++ &bytes_written, iov, 1); + } + tcon->ses->server->ops->close(xid, tcon, &fid); + d_drop(dentry); diff --git a/queue-6.5/smb3-fix-touch-h-of-symlink.patch b/queue-6.5/smb3-fix-touch-h-of-symlink.patch new file mode 100644 index 00000000000..36d839ed0f3 --- /dev/null +++ b/queue-6.5/smb3-fix-touch-h-of-symlink.patch @@ -0,0 +1,35 @@ +From 475efd9808a3094944a56240b2711349e433fb66 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 16 Oct 2023 12:18:23 -0500 +Subject: smb3: fix touch -h of symlink + +From: Steve French + +commit 475efd9808a3094944a56240b2711349e433fb66 upstream. + +For example: + touch -h -t 02011200 testfile +where testfile is a symlink would not change the timestamp, but + touch -t 02011200 testfile +does work to change the timestamp of the target + +Suggested-by: David Howells +Reported-by: Micah Veilleux +Closes: https://bugzilla.samba.org/show_bug.cgi?id=14476 +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -1191,6 +1191,7 @@ const char *cifs_get_link(struct dentry + + const struct inode_operations cifs_symlink_inode_ops = { + .get_link = cifs_get_link, ++ .setattr = cifs_setattr, + .permission = cifs_permission, + .listxattr = cifs_listxattr, + }; diff --git a/queue-6.5/xfs-recovery-should-not-clear-di_flushiter-unconditionally.patch b/queue-6.5/xfs-recovery-should-not-clear-di_flushiter-unconditionally.patch new file mode 100644 index 00000000000..5dc45ed72d9 --- /dev/null +++ b/queue-6.5/xfs-recovery-should-not-clear-di_flushiter-unconditionally.patch @@ -0,0 +1,80 @@ +From 7930d9e103700cde15833638855b750715c12091 Mon Sep 17 00:00:00 2001 +From: Dave Chinner +Date: Fri, 10 Nov 2023 15:33:14 +1100 +Subject: xfs: recovery should not clear di_flushiter unconditionally + +From: Dave Chinner + +commit 7930d9e103700cde15833638855b750715c12091 upstream. + +Because on v3 inodes, di_flushiter doesn't exist. It overlaps with +zero padding in the inode, except when NREXT64=1 configurations are +in use and the zero padding is no longer padding but holds the 64 +bit extent counter. + +This manifests obviously on big endian platforms (e.g. s390) because +the log dinode is in host order and the overlap is the LSBs of the +extent count field. It is not noticed on little endian machines +because the overlap is at the MSB end of the extent count field and +we need to get more than 2^^48 extents in the inode before it +manifests. i.e. the heat death of the universe will occur before we +see the problem in little endian machines. + +This is a zero-day issue for NREXT64=1 configuraitons on big endian +machines. Fix it by only clearing di_flushiter on v2 inodes during +recovery. + +Fixes: 9b7d16e34bbe ("xfs: Introduce XFS_DIFLAG2_NREXT64 and associated helpers") +cc: stable@kernel.org # 5.19+ +Signed-off-by: Dave Chinner +Reviewed-by: "Darrick J. Wong" +Signed-off-by: Chandan Babu R +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_inode_item_recover.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +--- a/fs/xfs/xfs_inode_item_recover.c ++++ b/fs/xfs/xfs_inode_item_recover.c +@@ -369,24 +369,26 @@ xlog_recover_inode_commit_pass2( + * superblock flag to determine whether we need to look at di_flushiter + * to skip replay when the on disk inode is newer than the log one + */ +- if (!xfs_has_v3inodes(mp) && +- ldip->di_flushiter < be16_to_cpu(dip->di_flushiter)) { +- /* +- * Deal with the wrap case, DI_MAX_FLUSH is less +- * than smaller numbers +- */ +- if (be16_to_cpu(dip->di_flushiter) == DI_MAX_FLUSH && +- ldip->di_flushiter < (DI_MAX_FLUSH >> 1)) { +- /* do nothing */ +- } else { +- trace_xfs_log_recover_inode_skip(log, in_f); +- error = 0; +- goto out_release; ++ if (!xfs_has_v3inodes(mp)) { ++ if (ldip->di_flushiter < be16_to_cpu(dip->di_flushiter)) { ++ /* ++ * Deal with the wrap case, DI_MAX_FLUSH is less ++ * than smaller numbers ++ */ ++ if (be16_to_cpu(dip->di_flushiter) == DI_MAX_FLUSH && ++ ldip->di_flushiter < (DI_MAX_FLUSH >> 1)) { ++ /* do nothing */ ++ } else { ++ trace_xfs_log_recover_inode_skip(log, in_f); ++ error = 0; ++ goto out_release; ++ } + } ++ ++ /* Take the opportunity to reset the flush iteration count */ ++ ldip->di_flushiter = 0; + } + +- /* Take the opportunity to reset the flush iteration count */ +- ldip->di_flushiter = 0; + + if (unlikely(S_ISREG(ldip->di_mode))) { + if ((ldip->di_format != XFS_DINODE_FMT_EXTENTS) && -- 2.47.3