--- /dev/null
+From 32108c22ac619c32dd6db594319e259b63bfb387 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 19 Aug 2024 10:41:53 +0200
+Subject: ALSA: seq: Skip event type filtering for UMP events
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 32108c22ac619c32dd6db594319e259b63bfb387 upstream.
+
+UMP events don't use the event type field, hence it's invalid to apply
+the filter, which may drop the events unexpectedly.
+Skip the event filtering for UMP events, instead.
+
+Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20240819084156.10286-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/seq/seq_clientmgr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -537,6 +537,9 @@ static struct snd_seq_client *get_event_
+ return NULL;
+ if (! dest->accept_input)
+ goto __not_avail;
++ if (snd_seq_ev_is_ump(event))
++ return dest; /* ok - no filter checks */
++
+ if ((dest->filter & SNDRV_SEQ_FILTER_USE_EVENT) &&
+ ! test_bit(event->type, dest->event_filter))
+ goto __not_avail;
--- /dev/null
+From 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Sat, 17 Aug 2024 18:34:30 +0930
+Subject: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 upstream.
+
+[BUG]
+There is an internal report that KASAN is reporting use-after-free, with
+the following backtrace:
+
+ BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]
+ Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45
+ CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
+ Call Trace:
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x5e/0x2f0
+ print_report+0x118/0x216
+ kasan_report+0x11d/0x1f0
+ btrfs_check_read_bio+0xa68/0xb70 [btrfs]
+ process_one_work+0xce0/0x12a0
+ worker_thread+0x717/0x1250
+ kthread+0x2e3/0x3c0
+ ret_from_fork+0x2d/0x70
+ ret_from_fork_asm+0x11/0x20
+
+ Allocated by task 20917:
+ kasan_save_stack+0x37/0x60
+ kasan_save_track+0x10/0x30
+ __kasan_slab_alloc+0x7d/0x80
+ kmem_cache_alloc_noprof+0x16e/0x3e0
+ mempool_alloc_noprof+0x12e/0x310
+ bio_alloc_bioset+0x3f0/0x7a0
+ btrfs_bio_alloc+0x2e/0x50 [btrfs]
+ submit_extent_page+0x4d1/0xdb0 [btrfs]
+ btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
+ btrfs_readahead+0x29a/0x430 [btrfs]
+ read_pages+0x1a7/0xc60
+ page_cache_ra_unbounded+0x2ad/0x560
+ filemap_get_pages+0x629/0xa20
+ filemap_read+0x335/0xbf0
+ vfs_read+0x790/0xcb0
+ ksys_read+0xfd/0x1d0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ Freed by task 20917:
+ kasan_save_stack+0x37/0x60
+ kasan_save_track+0x10/0x30
+ kasan_save_free_info+0x37/0x50
+ __kasan_slab_free+0x4b/0x60
+ kmem_cache_free+0x214/0x5d0
+ bio_free+0xed/0x180
+ end_bbio_data_read+0x1cc/0x580 [btrfs]
+ btrfs_submit_chunk+0x98d/0x1880 [btrfs]
+ btrfs_submit_bio+0x33/0x70 [btrfs]
+ submit_one_bio+0xd4/0x130 [btrfs]
+ submit_extent_page+0x3ea/0xdb0 [btrfs]
+ btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
+ btrfs_readahead+0x29a/0x430 [btrfs]
+ read_pages+0x1a7/0xc60
+ page_cache_ra_unbounded+0x2ad/0x560
+ filemap_get_pages+0x629/0xa20
+ filemap_read+0x335/0xbf0
+ vfs_read+0x790/0xcb0
+ ksys_read+0xfd/0x1d0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[CAUSE]
+Although I cannot reproduce the error, the report itself is good enough
+to pin down the cause.
+
+The call trace is the regular endio workqueue context, but the
+free-by-task trace is showing that during btrfs_submit_chunk() we
+already hit a critical error, and is calling btrfs_bio_end_io() to error
+out. And the original endio function called bio_put() to free the whole
+bio.
+
+This means a double freeing thus causing use-after-free, e.g.:
+
+1. Enter btrfs_submit_bio() with a read bio
+ The read bio length is 128K, crossing two 64K stripes.
+
+2. The first run of btrfs_submit_chunk()
+
+2.1 Call btrfs_map_block(), which returns 64K
+2.2 Call btrfs_split_bio()
+ Now there are two bios, one referring to the first 64K, the other
+ referring to the second 64K.
+2.3 The first half is submitted.
+
+3. The second run of btrfs_submit_chunk()
+
+3.1 Call btrfs_map_block(), which by somehow failed
+ Now we call btrfs_bio_end_io() to handle the error
+
+3.2 btrfs_bio_end_io() calls the original endio function
+ Which is end_bbio_data_read(), and it calls bio_put() for the
+ original bio.
+
+ Now the original bio is freed.
+
+4. The submitted first 64K bio finished
+ Now we call into btrfs_check_read_bio() and tries to advance the bio
+ iter.
+ But since the original bio (thus its iter) is already freed, we
+ trigger the above use-after free.
+
+ And even if the memory is not poisoned/corrupted, we will later call
+ the original endio function, causing a double freeing.
+
+[FIX]
+Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),
+which has the extra check on split bios and do the proper refcounting
+for cloned bios.
+
+Furthermore there is already one extra btrfs_cleanup_bio() call, but
+that is duplicated to btrfs_orig_bbio_end_io() call, so remove that
+label completely.
+
+Reported-by: David Sterba <dsterba@suse.com>
+Fixes: 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/bio.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/bio.c
++++ b/fs/btrfs/bio.c
+@@ -646,7 +646,6 @@ static bool btrfs_submit_chunk(struct bt
+ {
+ struct btrfs_inode *inode = bbio->inode;
+ struct btrfs_fs_info *fs_info = bbio->fs_info;
+- struct btrfs_bio *orig_bbio = bbio;
+ struct bio *bio = &bbio->bio;
+ u64 logical = bio->bi_iter.bi_sector << SECTOR_SHIFT;
+ u64 length = bio->bi_iter.bi_size;
+@@ -682,7 +681,7 @@ static bool btrfs_submit_chunk(struct bt
+ bbio->saved_iter = bio->bi_iter;
+ ret = btrfs_lookup_bio_sums(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ }
+
+ if (btrfs_op(bio) == BTRFS_MAP_WRITE) {
+@@ -704,13 +703,13 @@ static bool btrfs_submit_chunk(struct bt
+
+ ret = btrfs_bio_csum(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ } else if (use_append ||
+ (btrfs_is_zoned(fs_info) && inode &&
+ inode->flags & BTRFS_INODE_NODATASUM)) {
+ ret = btrfs_alloc_dummy_sum(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ }
+ }
+
+@@ -718,12 +717,23 @@ static bool btrfs_submit_chunk(struct bt
+ done:
+ return map_length == length;
+
+-fail_put_bio:
+- if (map_length < length)
+- btrfs_cleanup_bio(bbio);
+ fail:
+ btrfs_bio_counter_dec(fs_info);
+- btrfs_bio_end_io(orig_bbio, ret);
++ /*
++ * We have split the original bbio, now we have to end both the current
++ * @bbio and remaining one, as the remaining one will never be submitted.
++ */
++ if (map_length < length) {
++ struct btrfs_bio *remaining = bbio->private;
++
++ ASSERT(bbio->bio.bi_pool == &btrfs_clone_bioset);
++ ASSERT(remaining);
++
++ remaining->bio.bi_status = ret;
++ btrfs_orig_bbio_end_io(remaining);
++ }
++ bbio->bio.bi_status = ret;
++ btrfs_orig_bbio_end_io(bbio);
+ /* Do not submit another chunk */
+ return true;
+ }
--- /dev/null
+From 2d3447261031503b181dacc549fe65ffe2d93d65 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 21 Aug 2024 15:53:18 -0400
+Subject: btrfs: run delayed iputs when flushing delalloc
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 2d3447261031503b181dacc549fe65ffe2d93d65 upstream.
+
+We have transient failures with btrfs/301, specifically in the part
+where we do
+
+ for i in $(seq 0 10); do
+ write 50m to file
+ rm -f file
+ done
+
+Sometimes this will result in a transient quota error, and it's because
+sometimes we start writeback on the file which results in a delayed
+iput, and thus the rm doesn't actually clean the file up. When we're
+flushing the quota space we need to run the delayed iputs to make sure
+all the unlinks that we think have completed have actually completed.
+This removes the small window where we could fail to find enough space
+in our quota.
+
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/qgroup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -3762,6 +3762,8 @@ static int try_flush_qgroup(struct btrfs
+ return 0;
+ }
+
++ btrfs_run_delayed_iputs(root->fs_info);
++ btrfs_wait_on_delayed_iputs(root->fs_info);
+ ret = btrfs_start_delalloc_snapshot(root, true);
+ if (ret < 0)
+ goto out;
--- /dev/null
+From 58aec91efb93338d1cc7acc0a93242613a2a4e5f Mon Sep 17 00:00:00 2001
+From: Miao Wang <shankerwangmiao@gmail.com>
+Date: Sun, 25 Aug 2024 22:17:39 +0800
+Subject: LoongArch: Remove the unused dma-direct.h
+
+From: Miao Wang <shankerwangmiao@gmail.com>
+
+commit 58aec91efb93338d1cc7acc0a93242613a2a4e5f upstream.
+
+dma-direct.h is introduced in commit d4b6f1562a3c3284 ("LoongArch: Add
+Non-Uniform Memory Access (NUMA) support"). In commit c78c43fe7d42524c
+("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA"),
+ARCH_HAS_PHYS_TO_DMA was deselected and the coresponding phys_to_dma()/
+dma_to_phys() functions were removed. However, the unused dma-direct.h
+was left behind, which is removed by this patch.
+
+Cc: <stable@vger.kernel.org>
+Fixes: c78c43fe7d42 ("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA")
+Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/dma-direct.h | 11 -----------
+ 1 file changed, 11 deletions(-)
+ delete mode 100644 arch/loongarch/include/asm/dma-direct.h
+
+--- a/arch/loongarch/include/asm/dma-direct.h
++++ /dev/null
+@@ -1,11 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
+-/*
+- * Copyright (C) 2020-2022 Loongson Technology Corporation Limited
+- */
+-#ifndef _LOONGARCH_DMA_DIRECT_H
+-#define _LOONGARCH_DMA_DIRECT_H
+-
+-dma_addr_t phys_to_dma(struct device *dev, phys_addr_t paddr);
+-phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
+-
+-#endif /* _LOONGARCH_DMA_DIRECT_H */
--- /dev/null
+From 128f71fe014fc91efa1407ce549f94a9a9f1072c Mon Sep 17 00:00:00 2001
+From: Huang-Huang Bao <i@eh5.me>
+Date: Tue, 9 Jul 2024 18:54:28 +0800
+Subject: pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins
+
+From: Huang-Huang Bao <i@eh5.me>
+
+commit 128f71fe014fc91efa1407ce549f94a9a9f1072c upstream.
+
+The base iomux offsets for each GPIO pin line are accumulatively
+calculated based off iomux width flag in rockchip_pinctrl_get_soc_data.
+If the iomux width flag is one of IOMUX_WIDTH_4BIT, IOMUX_WIDTH_3BIT or
+IOMUX_WIDTH_2BIT, the base offset for next pin line would increase by 8
+bytes, otherwise it would increase by 4 bytes.
+
+Despite most of GPIO2-B iomux have 2-bit data width, which can be fit
+into 4 bytes space with write mask, it actually take 8 bytes width for
+whole GPIO2-B line.
+
+Commit e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328
+GPIO2-B pins") wrongly set iomux width flag to 0, causing all base
+iomux offset for line after GPIO2-B to be calculated wrong. Fix the
+iomux width flag to IOMUX_WIDTH_2BIT so the offset after GPIO2-B is
+correctly increased by 8, matching the actual width of GPIO2-B iomux.
+
+Fixes: e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins")
+Cc: stable@vger.kernel.org
+Reported-by: Richard Kojedzinszky <richard@kojedz.in>
+Closes: https://lore.kernel.org/linux-rockchip/4f29b743202397d60edfb3c725537415@kojedz.in/
+Tested-by: Richard Kojedzinszky <richard@kojedz.in>
+Signed-off-by: Huang-Huang Bao <i@eh5.me>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Tested-by: Daniel Golle <daniel@makrotopia.org>
+Tested-by: Trevor Woerner <twoerner@gmail.com>
+Link: https://lore.kernel.org/20240709105428.1176375-1-i@eh5.me
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-rockchip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-rockchip.c
++++ b/drivers/pinctrl/pinctrl-rockchip.c
+@@ -3802,7 +3802,7 @@ static struct rockchip_pin_bank rk3328_p
+ PIN_BANK_IOMUX_FLAGS(0, 32, "gpio0", 0, 0, 0, 0),
+ PIN_BANK_IOMUX_FLAGS(1, 32, "gpio1", 0, 0, 0, 0),
+ PIN_BANK_IOMUX_FLAGS(2, 32, "gpio2", 0,
+- 0,
++ IOMUX_WIDTH_2BIT,
+ IOMUX_WIDTH_3BIT,
+ 0),
+ PIN_BANK_IOMUX_FLAGS(3, 32, "gpio3",
--- /dev/null
+From 1c38a62f15e595346a1106025722869e87ffe044 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Thu, 8 Aug 2024 12:13:55 +0800
+Subject: pinctrl: single: fix potential NULL dereference in pcs_get_function()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 1c38a62f15e595346a1106025722869e87ffe044 upstream.
+
+pinmux_generic_get_function() can return NULL and the pointer 'function'
+was dereferenced without checking against NULL. Add checking of pointer
+'function' in pcs_get_function().
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://lore.kernel.org/20240808041355.2766009-1-make24@iscas.ac.cn
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -349,6 +349,8 @@ static int pcs_get_function(struct pinct
+ return -ENOTSUPP;
+ fselector = setting->func;
+ function = pinmux_generic_get_function(pctldev, fselector);
++ if (!function)
++ return -EINVAL;
+ *func = function->data;
+ if (!(*func)) {
+ dev_err(pcs->dev, "%s could not find function%i\n",
--- /dev/null
+alsa-seq-skip-event-type-filtering-for-ump-events.patch
+loongarch-remove-the-unused-dma-direct.h.patch
+btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch
+btrfs-run-delayed-iputs-when-flushing-delalloc.patch
+smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch
+pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch
+pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch
--- /dev/null
+From c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 21 Aug 2024 17:18:23 +0200
+Subject: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()
+
+From: Stefan Metzmacher <metze@samba.org>
+
+commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream.
+
+This happens when called from SMB2_read() while using rdma
+and reaching the rdma_readwrite_threshold.
+
+Cc: stable@vger.kernel.org
+Fixes: a6559cc1d35d ("cifs: split out smb3_use_rdma_offload() helper")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -4431,7 +4431,7 @@ smb2_new_read_req(void **buf, unsigned i
+ * If we want to do a RDMA write, fill in and append
+ * smbd_buffer_descriptor_v1 to the end of read request
+ */
+- if (smb3_use_rdma_offload(io_parms)) {
++ if (rdata && smb3_use_rdma_offload(io_parms)) {
+ struct smbd_buffer_descriptor_v1 *v1;
+ bool need_invalidate = server->dialect == SMB30_PROT_ID;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
