--- /dev/null
+From 8804fa04a492f4176ea407390052292912227820 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 6 Dec 2023 13:39:27 -0600
+Subject: ALSA: hda/realtek: Add Framework laptop 16 to quirks
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 8804fa04a492f4176ea407390052292912227820 upstream.
+
+The Framework 16" laptop has the same controller as other Framework
+models. Apply the presence detection quirk.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231206193927.2996-1-mario.limonciello@amd.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10031,6 +10031,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10),
+ SND_PCI_QUIRK(0x8086, 0x3038, "Intel NUC 13", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x0005, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
--- /dev/null
+From 33038efb64f7576bac635164021f5c984d4c755f Mon Sep 17 00:00:00 2001
+From: Tim Bosse <flinn@timbos.se>
+Date: Wed, 6 Dec 2023 09:26:29 -0500
+Subject: ALSA: hda/realtek: add new Framework laptop to quirks
+
+From: Tim Bosse <flinn@timbos.se>
+
+commit 33038efb64f7576bac635164021f5c984d4c755f upstream.
+
+The Framework Laptop 13 (AMD Ryzen 7040Series) has an ALC295 with
+a disconnected or faulty headset mic presence detect similar to the
+previous models. It works with the same quirk chain as
+309d7363ca3d9fcdb92ff2d958be14d7e8707f68. This model has a VID:PID
+of f111:0006.
+
+Signed-off-by: Tim Bosse <flinn@timbos.se>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231206142629.388615-1-flinn@timbos.se
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10031,6 +10031,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10),
+ SND_PCI_QUIRK(0x8086, 0x3038, "Intel NUC 13", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
+ /* Below is a quirk table taken from the old code.
--- /dev/null
+From 6f7e4664e597440dfbdb8b2931c561b717030d07 Mon Sep 17 00:00:00 2001
+From: Bin Li <bin.li@canonical.com>
+Date: Mon, 4 Dec 2023 18:04:50 +0800
+Subject: ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
+
+From: Bin Li <bin.li@canonical.com>
+
+commit 6f7e4664e597440dfbdb8b2931c561b717030d07 upstream.
+
+Lenovo M90 Gen5 is equipped with ALC897, and it needs
+ALC897_FIXUP_HEADSET_MIC_PIN quirk to make its headset mic work.
+
+Signed-off-by: Bin Li <bin.li@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231204100450.642783-1-bin.li@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11952,6 +11952,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3321, "Lenovo ThinkCentre M70 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x331b, "Lenovo ThinkCentre M90 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x3364, "Lenovo ThinkCentre M90 Gen5", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3742, "Lenovo TianYi510Pro-14IOB", ALC897_FIXUP_HEADSET_MIC_PIN2),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
--- /dev/null
+From 2b3a7a302c9804e463f2ea5b54dc3a6ad106a344 Mon Sep 17 00:00:00 2001
+From: Jason Zhang <jason.zhang@rock-chips.com>
+Date: Wed, 6 Dec 2023 09:31:39 +0800
+Subject: ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
+
+From: Jason Zhang <jason.zhang@rock-chips.com>
+
+commit 2b3a7a302c9804e463f2ea5b54dc3a6ad106a344 upstream.
+
+The pcm state can be SNDRV_PCM_STATE_DISCONNECTED at disconnect
+callback, and there is not an entry of SNDRV_PCM_STATE_DISCONNECTED
+in snd_pcm_state_names.
+
+This patch adds the missing entry to resolve this issue.
+
+cat /proc/asound/card2/pcm0p/sub0/status
+That results in stack traces like the following:
+
+[ 99.702732][ T5171] Unexpected kernel BRK exception at EL1
+[ 99.702774][ T5171] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
+[ 99.703858][ T5171] Modules linked in: bcmdhd(E) (...)
+[ 99.747425][ T5171] CPU: 3 PID: 5171 Comm: cat Tainted: G C OE 5.10.189-android13-4-00003-g4a17384380d8-ab11086999 #1
+[ 99.748447][ T5171] Hardware name: Rockchip RK3588 CVTE V10 Board (DT)
+[ 99.749024][ T5171] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
+[ 99.749616][ T5171] pc : snd_pcm_substream_proc_status_read+0x264/0x2bc
+[ 99.750204][ T5171] lr : snd_pcm_substream_proc_status_read+0xa4/0x2bc
+[ 99.750778][ T5171] sp : ffffffc0175abae0
+[ 99.751132][ T5171] x29: ffffffc0175abb80 x28: ffffffc009a2c498
+[ 99.751665][ T5171] x27: 0000000000000001 x26: ffffff810cbae6e8
+[ 99.752199][ T5171] x25: 0000000000400cc0 x24: ffffffc0175abc60
+[ 99.752729][ T5171] x23: 0000000000000000 x22: ffffff802f558400
+[ 99.753263][ T5171] x21: ffffff81d8d8ff00 x20: ffffff81020cdc00
+[ 99.753795][ T5171] x19: ffffff802d110000 x18: ffffffc014fbd058
+[ 99.754326][ T5171] x17: 0000000000000000 x16: 0000000000000000
+[ 99.754861][ T5171] x15: 000000000000c276 x14: ffffffff9a976fda
+[ 99.755392][ T5171] x13: 0000000065689089 x12: 000000000000d72e
+[ 99.755923][ T5171] x11: ffffff802d110000 x10: 00000000000000e0
+[ 99.756457][ T5171] x9 : 9c431600c8385d00 x8 : 0000000000000008
+[ 99.756990][ T5171] x7 : 0000000000000000 x6 : 000000000000003f
+[ 99.757522][ T5171] x5 : 0000000000000040 x4 : ffffffc0175abb70
+[ 99.758056][ T5171] x3 : 0000000000000001 x2 : 0000000000000001
+[ 99.758588][ T5171] x1 : 0000000000000000 x0 : 0000000000000000
+[ 99.759123][ T5171] Call trace:
+[ 99.759404][ T5171] snd_pcm_substream_proc_status_read+0x264/0x2bc
+[ 99.759958][ T5171] snd_info_seq_show+0x54/0xa4
+[ 99.760370][ T5171] seq_read_iter+0x19c/0x7d4
+[ 99.760770][ T5171] seq_read+0xf0/0x128
+[ 99.761117][ T5171] proc_reg_read+0x100/0x1f8
+[ 99.761515][ T5171] vfs_read+0xf4/0x354
+[ 99.761869][ T5171] ksys_read+0x7c/0x148
+[ 99.762226][ T5171] __arm64_sys_read+0x20/0x30
+[ 99.762625][ T5171] el0_svc_common+0xd0/0x1e4
+[ 99.763023][ T5171] el0_svc+0x28/0x98
+[ 99.763358][ T5171] el0_sync_handler+0x8c/0xf0
+[ 99.763759][ T5171] el0_sync+0x1b8/0x1c0
+[ 99.764118][ T5171] Code: d65f03c0 b9406102 17ffffae 94191565 (d42aa240)
+[ 99.764715][ T5171] ---[ end trace 1eeffa3e17c58e10 ]---
+[ 99.780720][ T5171] Kernel panic - not syncing: BRK handler: Fatal exception
+
+Signed-off-by: Jason Zhang <jason.zhang@rock-chips.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231206013139.20506-1-jason.zhang@rock-chips.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -253,6 +253,7 @@ static const char * const snd_pcm_state_
+ STATE(DRAINING),
+ STATE(PAUSED),
+ STATE(SUSPENDED),
++ STATE(DISCONNECTED),
+ };
+
+ static const char * const snd_pcm_access_names[] = {
--- /dev/null
+From bbb8e71965c3737bdc691afd803a34bfd61cfbeb Mon Sep 17 00:00:00 2001
+From: Sarah Grant <s@srd.tw>
+Date: Fri, 1 Dec 2023 18:16:54 +0000
+Subject: ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
+
+From: Sarah Grant <s@srd.tw>
+
+commit bbb8e71965c3737bdc691afd803a34bfd61cfbeb upstream.
+
+These values mirror those of the Pioneer DJM-250MK2 as the channel layout
+appears identical based on my observations. This duplication could be removed in
+later contributions if desired.
+
+Signed-off-by: Sarah Grant <s@srd.tw>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231201181654.5058-1-s@srd.tw
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_quirks.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -2978,6 +2978,7 @@ static int snd_bbfpro_controls_create(st
+ #define SND_DJM_850_IDX 0x2
+ #define SND_DJM_900NXS2_IDX 0x3
+ #define SND_DJM_750MK2_IDX 0x4
++#define SND_DJM_450_IDX 0x5
+
+
+ #define SND_DJM_CTL(_name, suffix, _default_value, _windex) { \
+@@ -3108,6 +3109,31 @@ static const struct snd_djm_ctl snd_djm_
+ };
+
+
++// DJM-450
++static const u16 snd_djm_opts_450_cap1[] = {
++ 0x0103, 0x0100, 0x0106, 0x0107, 0x0108, 0x0109, 0x010d, 0x010a };
++
++static const u16 snd_djm_opts_450_cap2[] = {
++ 0x0203, 0x0200, 0x0206, 0x0207, 0x0208, 0x0209, 0x020d, 0x020a };
++
++static const u16 snd_djm_opts_450_cap3[] = {
++ 0x030a, 0x0311, 0x0312, 0x0307, 0x0308, 0x0309, 0x030d };
++
++static const u16 snd_djm_opts_450_pb1[] = { 0x0100, 0x0101, 0x0104 };
++static const u16 snd_djm_opts_450_pb2[] = { 0x0200, 0x0201, 0x0204 };
++static const u16 snd_djm_opts_450_pb3[] = { 0x0300, 0x0301, 0x0304 };
++
++static const struct snd_djm_ctl snd_djm_ctls_450[] = {
++ SND_DJM_CTL("Capture Level", cap_level, 0, SND_DJM_WINDEX_CAPLVL),
++ SND_DJM_CTL("Ch1 Input", 450_cap1, 2, SND_DJM_WINDEX_CAP),
++ SND_DJM_CTL("Ch2 Input", 450_cap2, 2, SND_DJM_WINDEX_CAP),
++ SND_DJM_CTL("Ch3 Input", 450_cap3, 0, SND_DJM_WINDEX_CAP),
++ SND_DJM_CTL("Ch1 Output", 450_pb1, 0, SND_DJM_WINDEX_PB),
++ SND_DJM_CTL("Ch2 Output", 450_pb2, 1, SND_DJM_WINDEX_PB),
++ SND_DJM_CTL("Ch3 Output", 450_pb3, 2, SND_DJM_WINDEX_PB)
++};
++
++
+ // DJM-750
+ static const u16 snd_djm_opts_750_cap1[] = {
+ 0x0101, 0x0103, 0x0106, 0x0107, 0x0108, 0x0109, 0x010a, 0x010f };
+@@ -3203,6 +3229,7 @@ static const struct snd_djm_device snd_d
+ [SND_DJM_850_IDX] = SND_DJM_DEVICE(850),
+ [SND_DJM_900NXS2_IDX] = SND_DJM_DEVICE(900nxs2),
+ [SND_DJM_750MK2_IDX] = SND_DJM_DEVICE(750mk2),
++ [SND_DJM_450_IDX] = SND_DJM_DEVICE(450),
+ };
+
+
+@@ -3449,6 +3476,9 @@ int snd_usb_mixer_apply_create_quirk(str
+ case USB_ID(0x2b73, 0x0017): /* Pioneer DJ DJM-250MK2 */
+ err = snd_djm_controls_create(mixer, SND_DJM_250MK2_IDX);
+ break;
++ case USB_ID(0x2b73, 0x0013): /* Pioneer DJ DJM-450 */
++ err = snd_djm_controls_create(mixer, SND_DJM_450_IDX);
++ break;
+ case USB_ID(0x08e4, 0x017f): /* Pioneer DJ DJM-750 */
+ err = snd_djm_controls_create(mixer, SND_DJM_750_IDX);
+ break;
--- /dev/null
+From b24e3590c94ab0aba6e455996b502a83baa5c31c Mon Sep 17 00:00:00 2001
+From: Malcolm Hart <malcolm@5harts.com>
+Date: Mon, 27 Nov 2023 20:36:00 +0000
+Subject: ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA
+
+From: Malcolm Hart <malcolm@5harts.com>
+
+commit b24e3590c94ab0aba6e455996b502a83baa5c31c upstream.
+
+This patch adds ASUSTeK COMPUTER INC "E1504FA" to the quirks file acp6x-mach.c
+to enable microphone array on ASUS Vivobook GO 15.
+I have this laptop and can confirm that the patch succeeds in enabling the
+microphone array.
+
+Signed-off-by: Malcolm Hart <malcolm@5harts.com>
+Cc: stable@vger.kernel.org
+Rule: add
+Link: https://lore.kernel.org/stable/875y1nt1bx.fsf%405harts.com
+Link: https://lore.kernel.org/r/871qcbszh0.fsf@5harts.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -286,6 +286,13 @@ static const struct dmi_system_id yc_acp
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "E1504FA"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "TIMI"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Redmi Book Pro 15 2022"),
+ }
--- /dev/null
+From 705318a99a138c29a512a72c3e0043b3cd7f55f4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 6 Dec 2023 13:26:47 +0000
+Subject: io_uring/af_unix: disable sending io_uring over sockets
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 705318a99a138c29a512a72c3e0043b3cd7f55f4 upstream.
+
+File reference cycles have caused lots of problems for io_uring
+in the past, and it still doesn't work exactly right and races with
+unix_stream_read_generic(). The safest fix would be to completely
+disallow sending io_uring files via sockets via SCM_RIGHT, so there
+are no possible cycles invloving registered files and thus rendering
+SCM accounting on the io_uring side unnecessary.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0091bfc81741b ("io_uring/af_unix: defer registered files gc to io_uring release")
+Reported-and-suggested-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/c716c88321939156909cfa1bd8b0faaf1c804103.1701868795.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/rsrc.h | 7 -------
+ net/core/scm.c | 6 ++++++
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/io_uring/rsrc.h
++++ b/io_uring/rsrc.h
+@@ -79,17 +79,10 @@ int io_sqe_files_register(struct io_ring
+
+ int __io_scm_file_account(struct io_ring_ctx *ctx, struct file *file);
+
+-#if defined(CONFIG_UNIX)
+-static inline bool io_file_need_scm(struct file *filp)
+-{
+- return !!unix_get_socket(filp);
+-}
+-#else
+ static inline bool io_file_need_scm(struct file *filp)
+ {
+ return false;
+ }
+-#endif
+
+ static inline int io_scm_file_account(struct io_ring_ctx *ctx,
+ struct file *file)
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -26,6 +26,7 @@
+ #include <linux/nsproxy.h>
+ #include <linux/slab.h>
+ #include <linux/errqueue.h>
++#include <linux/io_uring.h>
+
+ #include <linux/uaccess.h>
+
+@@ -103,6 +104,11 @@ static int scm_fp_copy(struct cmsghdr *c
+
+ if (fd < 0 || !(file = fget_raw(fd)))
+ return -EBADF;
++ /* don't allow io_uring files */
++ if (io_uring_get_socket(file)) {
++ fput(file);
++ return -EINVAL;
++ }
+ *fpp++ = file;
+ fpl->count++;
+ }
--- /dev/null
+From f7b32e785042d2357c5abc23ca6db1b92c91a070 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Sun, 3 Dec 2023 15:37:53 +0000
+Subject: io_uring: fix mutex_unlock with unreferenced ctx
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit f7b32e785042d2357c5abc23ca6db1b92c91a070 upstream.
+
+Callers of mutex_unlock() have to make sure that the mutex stays alive
+for the whole duration of the function call. For io_uring that means
+that the following pattern is not valid unless we ensure that the
+context outlives the mutex_unlock() call.
+
+mutex_lock(&ctx->uring_lock);
+req_put(req); // typically via io_req_task_submit()
+mutex_unlock(&ctx->uring_lock);
+
+Most contexts are fine: io-wq pins requests, syscalls hold the file,
+task works are taking ctx references and so on. However, the task work
+fallback path doesn't follow the rule.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 04fc6c802d ("io_uring: save ctx put/get for task_work submit")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/io-uring/CAG48ez3xSoYb+45f1RLtktROJrpiDQ1otNvdR+YLQf7m+Krj5Q@mail.gmail.com/
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1377,6 +1377,7 @@ static __cold void io_iopoll_try_reap_ev
+ if (!(ctx->flags & IORING_SETUP_IOPOLL))
+ return;
+
++ percpu_ref_get(&ctx->refs);
+ mutex_lock(&ctx->uring_lock);
+ while (!wq_list_empty(&ctx->iopoll_list)) {
+ /* let it sleep and repeat later if can't complete a request */
+@@ -1394,6 +1395,7 @@ static __cold void io_iopoll_try_reap_ev
+ }
+ }
+ mutex_unlock(&ctx->uring_lock);
++ percpu_ref_put(&ctx->refs);
+ }
+
+ static int io_iopoll_check(struct io_ring_ctx *ctx, long min)
+@@ -2800,12 +2802,7 @@ static __cold void io_ring_exit_work(str
+ init_completion(&exit.completion);
+ init_task_work(&exit.task_work, io_tctx_exit_cb);
+ exit.ctx = ctx;
+- /*
+- * Some may use context even when all refs and requests have been put,
+- * and they are free to do so while still holding uring_lock or
+- * completion_lock, see io_req_task_submit(). Apart from other work,
+- * this lock/unlock section also waits them to finish.
+- */
++
+ mutex_lock(&ctx->uring_lock);
+ while (!list_empty(&ctx->tctx_list)) {
+ WARN_ON_ONCE(time_after(jiffies, timeout));
--- /dev/null
+From a2e7e59a94269484a83386972ca07c22fd188854 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Wed, 15 Nov 2023 18:25:44 +0000
+Subject: iommu: Avoid more races around device probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit a2e7e59a94269484a83386972ca07c22fd188854 upstream.
+
+It turns out there are more subtle races beyond just the main part of
+__iommu_probe_device() itself running in parallel - the dev_iommu_free()
+on the way out of an unsuccessful probe can still manage to trip up
+concurrent accesses to a device's fwspec. Thus, extend the scope of
+iommu_probe_device_lock() to also serialise fwspec creation and initial
+retrieval.
+
+Reported-by: Zhenhua Huang <quic_zhenhuah@quicinc.com>
+Link: https://lore.kernel.org/linux-iommu/e2e20e1c-6450-4ac5-9804-b0000acdf7de@quicinc.com/
+Fixes: 01657bc14a39 ("iommu: Avoid races around device probe")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: André Draszik <andre.draszik@linaro.org>
+Tested-by: André Draszik <andre.draszik@linaro.org>
+Link: https://lore.kernel.org/r/16f433658661d7cadfea51e7c65da95826112a2b.1700071477.git.robin.murphy@arm.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/scan.c | 7 ++++++-
+ drivers/iommu/iommu.c | 19 +++++++++----------
+ drivers/iommu/of_iommu.c | 12 +++++++++---
+ include/linux/iommu.h | 1 +
+ 4 files changed, 25 insertions(+), 14 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1563,17 +1563,22 @@ static const struct iommu_ops *acpi_iomm
+ int err;
+ const struct iommu_ops *ops;
+
++ /* Serialise to make dev->iommu stable under our potential fwspec */
++ mutex_lock(&iommu_probe_device_lock);
+ /*
+ * If we already translated the fwspec there is nothing left to do,
+ * return the iommu_ops.
+ */
+ ops = acpi_iommu_fwspec_ops(dev);
+- if (ops)
++ if (ops) {
++ mutex_unlock(&iommu_probe_device_lock);
+ return ops;
++ }
+
+ err = iort_iommu_configure_id(dev, id_in);
+ if (err && err != -EPROBE_DEFER)
+ err = viot_iommu_configure(dev);
++ mutex_unlock(&iommu_probe_device_lock);
+
+ /*
+ * If we have reason to believe the IOMMU driver missed the initial
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -278,12 +278,13 @@ static void dev_iommu_free(struct device
+ kfree(param);
+ }
+
++DEFINE_MUTEX(iommu_probe_device_lock);
++
+ static int __iommu_probe_device(struct device *dev, struct list_head *group_list)
+ {
+ const struct iommu_ops *ops = dev->bus->iommu_ops;
+ struct iommu_device *iommu_dev;
+ struct iommu_group *group;
+- static DEFINE_MUTEX(iommu_probe_device_lock);
+ int ret;
+
+ if (!ops)
+@@ -295,11 +296,9 @@ static int __iommu_probe_device(struct d
+ * probably be able to use device_lock() here to minimise the scope,
+ * but for now enforcing a simple global ordering is fine.
+ */
+- mutex_lock(&iommu_probe_device_lock);
+- if (!dev_iommu_get(dev)) {
+- ret = -ENOMEM;
+- goto err_unlock;
+- }
++ lockdep_assert_held(&iommu_probe_device_lock);
++ if (!dev_iommu_get(dev))
++ return -ENOMEM;
+
+ if (!try_module_get(ops->owner)) {
+ ret = -EINVAL;
+@@ -326,7 +325,6 @@ static int __iommu_probe_device(struct d
+ mutex_unlock(&group->mutex);
+ iommu_group_put(group);
+
+- mutex_unlock(&iommu_probe_device_lock);
+ iommu_device_link(iommu_dev, dev);
+
+ return 0;
+@@ -341,9 +339,6 @@ out_module_put:
+ err_free:
+ dev_iommu_free(dev);
+
+-err_unlock:
+- mutex_unlock(&iommu_probe_device_lock);
+-
+ return ret;
+ }
+
+@@ -353,7 +348,9 @@ int iommu_probe_device(struct device *de
+ struct iommu_group *group;
+ int ret;
+
++ mutex_lock(&iommu_probe_device_lock);
+ ret = __iommu_probe_device(dev, NULL);
++ mutex_unlock(&iommu_probe_device_lock);
+ if (ret)
+ goto err_out;
+
+@@ -1684,7 +1681,9 @@ static int probe_iommu_group(struct devi
+ return 0;
+ }
+
++ mutex_lock(&iommu_probe_device_lock);
+ ret = __iommu_probe_device(dev, group_list);
++ mutex_unlock(&iommu_probe_device_lock);
+ if (ret == -ENODEV)
+ ret = 0;
+
+--- a/drivers/iommu/of_iommu.c
++++ b/drivers/iommu/of_iommu.c
+@@ -112,16 +112,20 @@ const struct iommu_ops *of_iommu_configu
+ const u32 *id)
+ {
+ const struct iommu_ops *ops = NULL;
+- struct iommu_fwspec *fwspec = dev_iommu_fwspec_get(dev);
++ struct iommu_fwspec *fwspec;
+ int err = NO_IOMMU;
+
+ if (!master_np)
+ return NULL;
+
++ /* Serialise to make dev->iommu stable under our potential fwspec */
++ mutex_lock(&iommu_probe_device_lock);
++ fwspec = dev_iommu_fwspec_get(dev);
+ if (fwspec) {
+- if (fwspec->ops)
++ if (fwspec->ops) {
++ mutex_unlock(&iommu_probe_device_lock);
+ return fwspec->ops;
+-
++ }
+ /* In the deferred case, start again from scratch */
+ iommu_fwspec_free(dev);
+ }
+@@ -155,6 +159,8 @@ const struct iommu_ops *of_iommu_configu
+ fwspec = dev_iommu_fwspec_get(dev);
+ ops = fwspec->ops;
+ }
++ mutex_unlock(&iommu_probe_device_lock);
++
+ /*
+ * If we have reason to believe the IOMMU driver missed the initial
+ * probe for dev, replay it to get things in order.
+--- a/include/linux/iommu.h
++++ b/include/linux/iommu.h
+@@ -657,6 +657,7 @@ static inline void dev_iommu_priv_set(st
+ dev->iommu->priv = priv;
+ }
+
++extern struct mutex iommu_probe_device_lock;
+ int iommu_probe_device(struct device *dev);
+ void iommu_release_device(struct device *dev);
+
--- /dev/null
+From d839a656d0f3caca9f96e9bf912fd394ac6a11bc Mon Sep 17 00:00:00 2001
+From: JP Kobryn <inwardvessel@gmail.com>
+Date: Fri, 1 Dec 2023 14:53:55 +0900
+Subject: kprobes: consistent rcu api usage for kretprobe holder
+
+From: JP Kobryn <inwardvessel@gmail.com>
+
+commit d839a656d0f3caca9f96e9bf912fd394ac6a11bc upstream.
+
+It seems that the pointer-to-kretprobe "rp" within the kretprobe_holder is
+RCU-managed, based on the (non-rethook) implementation of get_kretprobe().
+The thought behind this patch is to make use of the RCU API where possible
+when accessing this pointer so that the needed barriers are always in place
+and to self-document the code.
+
+The __rcu annotation to "rp" allows for sparse RCU checking. Plain writes
+done to the "rp" pointer are changed to make use of the RCU macro for
+assignment. For the single read, the implementation of get_kretprobe()
+is simplified by making use of an RCU macro which accomplishes the same,
+but note that the log warning text will be more generic.
+
+I did find that there is a difference in assembly generated between the
+usage of the RCU macros vs without. For example, on arm64, when using
+rcu_assign_pointer(), the corresponding store instruction is a
+store-release (STLR) which has an implicit barrier. When normal assignment
+is done, a regular store (STR) is found. In the macro case, this seems to
+be a result of rcu_assign_pointer() using smp_store_release() when the
+value to write is not NULL.
+
+Link: https://lore.kernel.org/all/20231122132058.3359-1-inwardvessel@gmail.com/
+
+Fixes: d741bf41d7c7 ("kprobes: Remove kretprobe hash")
+Cc: stable@vger.kernel.org
+Signed-off-by: JP Kobryn <inwardvessel@gmail.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kprobes.h | 7 ++-----
+ kernel/kprobes.c | 4 ++--
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+--- a/include/linux/kprobes.h
++++ b/include/linux/kprobes.h
+@@ -140,7 +140,7 @@ static inline bool kprobe_ftrace(struct
+ *
+ */
+ struct kretprobe_holder {
+- struct kretprobe *rp;
++ struct kretprobe __rcu *rp;
+ refcount_t ref;
+ };
+
+@@ -248,10 +248,7 @@ unsigned long kretprobe_trampoline_handl
+
+ static nokprobe_inline struct kretprobe *get_kretprobe(struct kretprobe_instance *ri)
+ {
+- RCU_LOCKDEP_WARN(!rcu_read_lock_any_held(),
+- "Kretprobe is accessed from instance under preemptive context");
+-
+- return READ_ONCE(ri->rph->rp);
++ return rcu_dereference_check(ri->rph->rp, rcu_read_lock_any_held());
+ }
+
+ static nokprobe_inline unsigned long get_kretprobe_retaddr(struct kretprobe_instance *ri)
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2253,7 +2253,7 @@ int register_kretprobe(struct kretprobe
+ if (!rp->rph)
+ return -ENOMEM;
+
+- rp->rph->rp = rp;
++ rcu_assign_pointer(rp->rph->rp, rp);
+ for (i = 0; i < rp->maxactive; i++) {
+ inst = kzalloc(sizeof(struct kretprobe_instance) +
+ rp->data_size, GFP_KERNEL);
+@@ -2314,7 +2314,7 @@ void unregister_kretprobes(struct kretpr
+ #ifdef CONFIG_KRETPROBE_ON_RETHOOK
+ rethook_free(rps[i]->rh);
+ #else
+- rps[i]->rph->rp = NULL;
++ rcu_assign_pointer(rps[i]->rph->rp, NULL);
+ #endif
+ }
+ mutex_unlock(&kprobe_mutex);
--- /dev/null
+From 107b4e063d78c300b21e2d5291b1aa94c514ea5b Mon Sep 17 00:00:00 2001
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+Date: Wed, 20 Sep 2023 10:52:10 +0200
+Subject: nvme-pci: Add sleep quirk for Kingston drives
+
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+
+commit 107b4e063d78c300b21e2d5291b1aa94c514ea5b upstream.
+
+Some Kingston NV1 and A2000 are wasting a lot of power on specific TUXEDO
+platforms in s2idle sleep if 'Simple Suspend' is used.
+
+This patch applies a new quirk 'Force No Simple Suspend' to achieve a
+low power sleep without 'Simple Suspend'.
+
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Signed-off-by: Georg Gottleuber <ggo@tuxedocomputers.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/nvme.h | 5 +++++
+ drivers/nvme/host/pci.c | 16 +++++++++++++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -154,6 +154,11 @@ enum nvme_quirks {
+ * No temperature thresholds for channels other than 0 (Composite).
+ */
+ NVME_QUIRK_NO_SECONDARY_TEMP_THRESH = (1 << 19),
++
++ /*
++ * Disables simple suspend/resume path.
++ */
++ NVME_QUIRK_FORCE_NO_SIMPLE_SUSPEND = (1 << 20),
+ };
+
+ /*
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3093,6 +3093,18 @@ static unsigned long check_vendor_combin
+ if ((dmi_match(DMI_BOARD_VENDOR, "LENOVO")) &&
+ dmi_match(DMI_BOARD_NAME, "LNVNB161216"))
+ return NVME_QUIRK_SIMPLE_SUSPEND;
++ } else if (pdev->vendor == 0x2646 && (pdev->device == 0x2263 ||
++ pdev->device == 0x500f)) {
++ /*
++ * Exclude some Kingston NV1 and A2000 devices from
++ * NVME_QUIRK_SIMPLE_SUSPEND. Do a full suspend to save a
++ * lot fo energy with s2idle sleep on some TUXEDO platforms.
++ */
++ if (dmi_match(DMI_BOARD_NAME, "NS5X_NS7XAU") ||
++ dmi_match(DMI_BOARD_NAME, "NS5x_7xAU") ||
++ dmi_match(DMI_BOARD_NAME, "NS5x_7xPU") ||
++ dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1"))
++ return NVME_QUIRK_FORCE_NO_SIMPLE_SUSPEND;
+ }
+
+ return 0;
+@@ -3133,7 +3145,9 @@ static struct nvme_dev *nvme_pci_alloc_d
+ dev->dev = get_device(&pdev->dev);
+
+ quirks |= check_vendor_combination_bug(pdev);
+- if (!noacpi && acpi_storage_d3(&pdev->dev)) {
++ if (!noacpi &&
++ !(quirks & NVME_QUIRK_FORCE_NO_SIMPLE_SUSPEND) &&
++ acpi_storage_d3(&pdev->dev)) {
+ /*
+ * Some systems use a bios work around to ask for D3 on
+ * platforms that support kernel managed suspend.
--- /dev/null
+From a1461f1fd6cfdc4b8917c9d4a91e92605d1f28dc Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Fri, 1 Dec 2023 14:53:56 +0900
+Subject: rethook: Use __rcu pointer for rethook::handler
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit a1461f1fd6cfdc4b8917c9d4a91e92605d1f28dc upstream.
+
+Since the rethook::handler is an RCU-maganged pointer so that it will
+notice readers the rethook is stopped (unregistered) or not, it should
+be an __rcu pointer and use appropriate functions to be accessed. This
+will use appropriate memory barrier when accessing it. OTOH,
+rethook::data is never changed, so we don't need to check it in
+get_kretprobe().
+
+NOTE: To avoid sparse warning, rethook::handler is defined by a raw
+function pointer type with __rcu instead of rethook_handler_t.
+
+Link: https://lore.kernel.org/all/170126066201.398836.837498688669005979.stgit@devnote2/
+
+Fixes: 54ecbe6f1ed5 ("rethook: Add a generic return hook")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202311241808.rv9ceuAh-lkp@intel.com/
+Tested-by: JP Kobryn <inwardvessel@gmail.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kprobes.h | 6 ++----
+ include/linux/rethook.h | 7 ++++++-
+ kernel/trace/rethook.c | 23 ++++++++++++++---------
+ 3 files changed, 22 insertions(+), 14 deletions(-)
+
+--- a/include/linux/kprobes.h
++++ b/include/linux/kprobes.h
+@@ -202,10 +202,8 @@ extern int arch_trampoline_kprobe(struct
+ #ifdef CONFIG_KRETPROBE_ON_RETHOOK
+ static nokprobe_inline struct kretprobe *get_kretprobe(struct kretprobe_instance *ri)
+ {
+- RCU_LOCKDEP_WARN(!rcu_read_lock_any_held(),
+- "Kretprobe is accessed from instance under preemptive context");
+-
+- return (struct kretprobe *)READ_ONCE(ri->node.rethook->data);
++ /* rethook::data is non-changed field, so that you can access it freely. */
++ return (struct kretprobe *)ri->node.rethook->data;
+ }
+ static nokprobe_inline unsigned long get_kretprobe_retaddr(struct kretprobe_instance *ri)
+ {
+--- a/include/linux/rethook.h
++++ b/include/linux/rethook.h
+@@ -29,7 +29,12 @@ typedef void (*rethook_handler_t) (struc
+ */
+ struct rethook {
+ void *data;
+- rethook_handler_t handler;
++ /*
++ * To avoid sparse warnings, this uses a raw function pointer with
++ * __rcu, instead of rethook_handler_t. But this must be same as
++ * rethook_handler_t.
++ */
++ void (__rcu *handler) (struct rethook_node *, void *, struct pt_regs *);
+ struct freelist_head pool;
+ refcount_t ref;
+ struct rcu_head rcu;
+--- a/kernel/trace/rethook.c
++++ b/kernel/trace/rethook.c
+@@ -63,7 +63,7 @@ static void rethook_free_rcu(struct rcu_
+ */
+ void rethook_stop(struct rethook *rh)
+ {
+- WRITE_ONCE(rh->handler, NULL);
++ rcu_assign_pointer(rh->handler, NULL);
+ }
+
+ /**
+@@ -78,11 +78,17 @@ void rethook_stop(struct rethook *rh)
+ */
+ void rethook_free(struct rethook *rh)
+ {
+- WRITE_ONCE(rh->handler, NULL);
++ rethook_stop(rh);
+
+ call_rcu(&rh->rcu, rethook_free_rcu);
+ }
+
++static inline rethook_handler_t rethook_get_handler(struct rethook *rh)
++{
++ return (rethook_handler_t)rcu_dereference_check(rh->handler,
++ rcu_read_lock_any_held());
++}
++
+ /**
+ * rethook_alloc() - Allocate struct rethook.
+ * @data: a data to pass the @handler when hooking the return.
+@@ -102,7 +108,7 @@ struct rethook *rethook_alloc(void *data
+ }
+
+ rh->data = data;
+- rh->handler = handler;
++ rcu_assign_pointer(rh->handler, handler);
+ rh->pool.head = NULL;
+ refcount_set(&rh->ref, 1);
+
+@@ -142,9 +148,10 @@ static void free_rethook_node_rcu(struct
+ */
+ void rethook_recycle(struct rethook_node *node)
+ {
+- lockdep_assert_preemption_disabled();
++ rethook_handler_t handler;
+
+- if (likely(READ_ONCE(node->rethook->handler)))
++ handler = rethook_get_handler(node->rethook);
++ if (likely(handler))
+ freelist_add(&node->freelist, &node->rethook->pool);
+ else
+ call_rcu(&node->rcu, free_rethook_node_rcu);
+@@ -160,11 +167,9 @@ NOKPROBE_SYMBOL(rethook_recycle);
+ */
+ struct rethook_node *rethook_try_get(struct rethook *rh)
+ {
+- rethook_handler_t handler = READ_ONCE(rh->handler);
++ rethook_handler_t handler = rethook_get_handler(rh);
+ struct freelist_node *fn;
+
+- lockdep_assert_preemption_disabled();
+-
+ /* Check whether @rh is going to be freed. */
+ if (unlikely(!handler))
+ return NULL;
+@@ -312,7 +317,7 @@ unsigned long rethook_trampoline_handler
+ rhn = container_of(first, struct rethook_node, llist);
+ if (WARN_ON_ONCE(rhn->frame != frame))
+ break;
+- handler = READ_ONCE(rhn->rethook->handler);
++ handler = rethook_get_handler(rhn->rethook);
+ if (handler)
+ handler(rhn, rhn->rethook->data, regs);
+
riscv-fix-misaligned-access-handling-of-c.swsp-and-c.patch
md-introduce-md_ro_state.patch
md-don-t-leave-md_recovery_frozen-in-error-path-of-m.patch
+iommu-avoid-more-races-around-device-probe.patch
+rethook-use-__rcu-pointer-for-rethook-handler.patch
+kprobes-consistent-rcu-api-usage-for-kretprobe-holder.patch
+asoc-amd-yc-fix-non-functional-mic-on-asus-e1504fa.patch
+io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
+nvme-pci-add-sleep-quirk-for-kingston-drives.patch
+io_uring-fix-mutex_unlock-with-unreferenced-ctx.patch
+alsa-usb-audio-add-pioneer-djm-450-mixer-controls.patch
+alsa-pcm-fix-out-of-bounds-in-snd_pcm_state_names.patch
+alsa-hda-realtek-enable-headset-on-lenovo-m90-gen5.patch
+alsa-hda-realtek-add-new-framework-laptop-to-quirks.patch
+alsa-hda-realtek-add-framework-laptop-16-to-quirks.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
