--- /dev/null
+From 04f0aea5cedb45cb8156cfcd6e4d2427e7fb8e08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2024 14:37:53 +0100
+Subject: ALSA: hda/ca0132: Use standard HD-audio quirk matching helpers
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 7c005292e20ac53dfa601bf2a7375fd4815511ad ]
+
+CA0132 used the PCI SSID lookup helper that doesn't support the model
+string matching or quirk aliasing.
+
+Replace it with the standard HD-audio quirk helpers for supporting
+those, and add the definition of the model strings for supported
+quirks, too. There should be no visible change to the outside for the
+working system, but the driver will parse the model option and apply
+the quirk based on it from now on.
+
+Link: https://patch.msgid.link/20241207133754.3658-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 37 ++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index e4673a71551a..d40197fb5fbd 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -1134,7 +1134,6 @@ struct ca0132_spec {
+
+ struct hda_codec *codec;
+ struct delayed_work unsol_hp_work;
+- int quirk;
+
+ #ifdef ENABLE_TUNING_CONTROLS
+ long cur_ctl_vals[TUNING_CTLS_COUNT];
+@@ -1166,7 +1165,6 @@ struct ca0132_spec {
+ * CA0132 quirks table
+ */
+ enum {
+- QUIRK_NONE,
+ QUIRK_ALIENWARE,
+ QUIRK_ALIENWARE_M17XR4,
+ QUIRK_SBZ,
+@@ -1176,10 +1174,11 @@ enum {
+ QUIRK_R3D,
+ QUIRK_AE5,
+ QUIRK_AE7,
++ QUIRK_NONE = HDA_FIXUP_ID_NOT_SET,
+ };
+
+ #ifdef CONFIG_PCI
+-#define ca0132_quirk(spec) ((spec)->quirk)
++#define ca0132_quirk(spec) ((spec)->codec->fixup_id)
+ #define ca0132_use_pci_mmio(spec) ((spec)->use_pci_mmio)
+ #define ca0132_use_alt_functions(spec) ((spec)->use_alt_functions)
+ #define ca0132_use_alt_controls(spec) ((spec)->use_alt_controls)
+@@ -1293,7 +1292,7 @@ static const struct hda_pintbl ae7_pincfgs[] = {
+ {}
+ };
+
+-static const struct snd_pci_quirk ca0132_quirks[] = {
++static const struct hda_quirk ca0132_quirks[] = {
+ SND_PCI_QUIRK(0x1028, 0x057b, "Alienware M17x R4", QUIRK_ALIENWARE_M17XR4),
+ SND_PCI_QUIRK(0x1028, 0x0685, "Alienware 15 2015", QUIRK_ALIENWARE),
+ SND_PCI_QUIRK(0x1028, 0x0688, "Alienware 17 2015", QUIRK_ALIENWARE),
+@@ -1316,6 +1315,19 @@ static const struct snd_pci_quirk ca0132_quirks[] = {
+ {}
+ };
+
++static const struct hda_model_fixup ca0132_quirk_models[] = {
++ { .id = QUIRK_ALIENWARE, .name = "alienware" },
++ { .id = QUIRK_ALIENWARE_M17XR4, .name = "alienware-m17xr4" },
++ { .id = QUIRK_SBZ, .name = "sbz" },
++ { .id = QUIRK_ZXR, .name = "zxr" },
++ { .id = QUIRK_ZXR_DBPRO, .name = "zxr-dbpro" },
++ { .id = QUIRK_R3DI, .name = "r3di" },
++ { .id = QUIRK_R3D, .name = "r3d" },
++ { .id = QUIRK_AE5, .name = "ae5" },
++ { .id = QUIRK_AE7, .name = "ae7" },
++ {}
++};
++
+ /* Output selection quirk info structures. */
+ #define MAX_QUIRK_MMIO_GPIO_SET_VALS 3
+ #define MAX_QUIRK_SCP_SET_VALS 2
+@@ -9957,17 +9969,15 @@ static int ca0132_prepare_verbs(struct hda_codec *codec)
+ */
+ static void sbz_detect_quirk(struct hda_codec *codec)
+ {
+- struct ca0132_spec *spec = codec->spec;
+-
+ switch (codec->core.subsystem_id) {
+ case 0x11020033:
+- spec->quirk = QUIRK_ZXR;
++ codec->fixup_id = QUIRK_ZXR;
+ break;
+ case 0x1102003f:
+- spec->quirk = QUIRK_ZXR_DBPRO;
++ codec->fixup_id = QUIRK_ZXR_DBPRO;
+ break;
+ default:
+- spec->quirk = QUIRK_SBZ;
++ codec->fixup_id = QUIRK_SBZ;
+ break;
+ }
+ }
+@@ -9976,7 +9986,6 @@ static int patch_ca0132(struct hda_codec *codec)
+ {
+ struct ca0132_spec *spec;
+ int err;
+- const struct snd_pci_quirk *quirk;
+
+ codec_dbg(codec, "patch_ca0132\n");
+
+@@ -9987,11 +9996,7 @@ static int patch_ca0132(struct hda_codec *codec)
+ spec->codec = codec;
+
+ /* Detect codec quirk */
+- quirk = snd_pci_quirk_lookup(codec->bus->pci, ca0132_quirks);
+- if (quirk)
+- spec->quirk = quirk->value;
+- else
+- spec->quirk = QUIRK_NONE;
++ snd_hda_pick_fixup(codec, ca0132_quirk_models, ca0132_quirks, NULL);
+ if (ca0132_quirk(spec) == QUIRK_SBZ)
+ sbz_detect_quirk(codec);
+
+@@ -10068,7 +10073,7 @@ static int patch_ca0132(struct hda_codec *codec)
+ spec->mem_base = pci_iomap(codec->bus->pci, 2, 0xC20);
+ if (spec->mem_base == NULL) {
+ codec_warn(codec, "pci_iomap failed! Setting quirk to QUIRK_NONE.");
+- spec->quirk = QUIRK_NONE;
++ codec->fixup_id = QUIRK_NONE;
+ }
+ }
+ #endif
+--
+2.39.5
+
--- /dev/null
+From 557347fd65fb21dc66d2f711179773f7b874d85c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 10:57:57 +0000
+Subject: ALSA: hda: cs35l56: Remove calls to
+ cs35l56_force_sync_asp1_registers_from_cache()
+
+From: Simon Trimmer <simont@opensource.cirrus.com>
+
+[ Upstream commit 47b17ba05a463b22fa79f132e6f6899d53538802 ]
+
+Commit 5d7e328e20b3 ("ASoC: cs35l56: Revert support for dual-ownership
+of ASP registers")
+replaced cs35l56_force_sync_asp1_registers_from_cache() with a dummy
+implementation so that the HDA driver would continue to build.
+
+Remove the calls from HDA and remove the stub function.
+
+Signed-off-by: Simon Trimmer <simont@opensource.cirrus.com>
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://patch.msgid.link/20241206105757.718750-1-rf@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/cs35l56.h | 6 ------
+ sound/pci/hda/cs35l56_hda.c | 8 --------
+ 2 files changed, 14 deletions(-)
+
+diff --git a/include/sound/cs35l56.h b/include/sound/cs35l56.h
+index 94e8185c4795..3dc7a1551ac3 100644
+--- a/include/sound/cs35l56.h
++++ b/include/sound/cs35l56.h
+@@ -271,12 +271,6 @@ struct cs35l56_base {
+ struct gpio_desc *reset_gpio;
+ };
+
+-/* Temporary to avoid a build break with the HDA driver */
+-static inline int cs35l56_force_sync_asp1_registers_from_cache(struct cs35l56_base *cs35l56_base)
+-{
+- return 0;
+-}
+-
+ static inline bool cs35l56_is_otp_register(unsigned int reg)
+ {
+ return (reg >> 16) == 3;
+diff --git a/sound/pci/hda/cs35l56_hda.c b/sound/pci/hda/cs35l56_hda.c
+index e3ac0e23ae32..7baf3b506eef 100644
+--- a/sound/pci/hda/cs35l56_hda.c
++++ b/sound/pci/hda/cs35l56_hda.c
+@@ -151,10 +151,6 @@ static int cs35l56_hda_runtime_resume(struct device *dev)
+ }
+ }
+
+- ret = cs35l56_force_sync_asp1_registers_from_cache(&cs35l56->base);
+- if (ret)
+- goto err;
+-
+ return 0;
+
+ err:
+@@ -1059,9 +1055,6 @@ int cs35l56_hda_common_probe(struct cs35l56_hda *cs35l56, int hid, int id)
+
+ regmap_multi_reg_write(cs35l56->base.regmap, cs35l56_hda_dai_config,
+ ARRAY_SIZE(cs35l56_hda_dai_config));
+- ret = cs35l56_force_sync_asp1_registers_from_cache(&cs35l56->base);
+- if (ret)
+- goto dsp_err;
+
+ /*
+ * By default only enable one ASP1TXn, where n=amplifier index,
+@@ -1087,7 +1080,6 @@ int cs35l56_hda_common_probe(struct cs35l56_hda *cs35l56, int hid, int id)
+
+ pm_err:
+ pm_runtime_disable(cs35l56->base.dev);
+-dsp_err:
+ cs_dsp_remove(&cs35l56->cs_dsp);
+ err:
+ gpiod_set_value_cansleep(cs35l56->base.reset_gpio, 0);
+--
+2.39.5
+
--- /dev/null
+From 667322674444c5ee50384fe77f0e6a263e8a6498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2024 23:18:36 +0300
+Subject: ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+[ Upstream commit 50db91fccea0da5c669bc68e2429e8de303758d3 ]
+
+Introduces the alc2xx-fixup-headset-mic model to simplify enabling
+headset microphones on ALC2XX codecs.
+
+Many recent configurations, as well as older systems that lacked this
+fix for a long time, leave headset microphones inactive by default.
+This addition provides a flexible workaround using the existing
+ALC2XX_FIXUP_HEADSET_MIC quirk.
+
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://patch.msgid.link/20241207201836.6879-1-kovalev@altlinux.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index e9ec5f79bd45..92fbfcd9ad31 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11184,6 +11184,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
+ {.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"},
+ {.id = ALC285_FIXUP_HP_GPIO_AMP_INIT, .name = "alc285-hp-amp-init"},
+ {.id = ALC236_FIXUP_LENOVO_INV_DMIC, .name = "alc236-fixup-lenovo-inv-mic"},
++ {.id = ALC2XX_FIXUP_HEADSET_MIC, .name = "alc2xx-fixup-headset-mic"},
+ {}
+ };
+ #define ALC225_STANDARD_PINS \
+--
+2.39.5
+
--- /dev/null
+From b81bd9f285b9ff718407a889bade23600ee2f29e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 00:03:06 +0300
+Subject: ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD
+ audio
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+[ Upstream commit 1b452c2de5555d832cd51c46824272a44ad7acac ]
+
+Introduces necessary quirks to enable audio functionality on the
+ASUS Zen AIO 27 Z272SD_A272SD:
+- configures verbs to activate internal speakers and headphone jack.
+- implements adjustments for headset microphone functionality.
+
+The speaker and jack configurations were derived from a dump of
+the working Windows driver, while the headset microphone
+functionality was fine-tuned through experimental testing.
+
+Link: https://lore.kernel.org/all/CAGGMHBOGDUnMewBTrZgoBKFk_A4sNF4fEXwfH9Ay8SNTzjy0-g@mail.gmail.com/T/
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://patch.msgid.link/20241205210306.977634-1-kovalev@altlinux.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 192fc75b51e6..e9ec5f79bd45 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7704,6 +7704,7 @@ enum {
+ ALC274_FIXUP_HP_MIC,
+ ALC274_FIXUP_HP_HEADSET_MIC,
+ ALC274_FIXUP_HP_ENVY_GPIO,
++ ALC274_FIXUP_ASUS_ZEN_AIO_27,
+ ALC256_FIXUP_ASUS_HPE,
+ ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK,
+ ALC287_FIXUP_HP_GPIO_LED,
+@@ -9505,6 +9506,26 @@ static const struct hda_fixup alc269_fixups[] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc274_fixup_hp_envy_gpio,
+ },
++ [ALC274_FIXUP_ASUS_ZEN_AIO_27] = {
++ .type = HDA_FIXUP_VERBS,
++ .v.verbs = (const struct hda_verb[]) {
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x10 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0xc420 },
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x40 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x8800 },
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x49 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x0249 },
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x4a },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x202b },
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x62 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0xa007 },
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x6b },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x5060 },
++ {}
++ },
++ .chained = true,
++ .chain_id = ALC2XX_FIXUP_HEADSET_MIC,
++ },
+ [ALC256_FIXUP_ASUS_HPE] = {
+ .type = HDA_FIXUP_VERBS,
+ .v.verbs = (const struct hda_verb[]) {
+@@ -10615,6 +10636,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1f62, "ASUS UX7602ZM", ALC245_FIXUP_CS35L41_SPI_2),
+ SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2),
++ SND_PCI_QUIRK(0x1043, 0x31d0, "ASUS Zen AIO 27 Z272SD_A272SD", ALC274_FIXUP_ASUS_ZEN_AIO_27),
+ SND_PCI_QUIRK(0x1043, 0x3a20, "ASUS G614JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS),
+ SND_PCI_QUIRK(0x1043, 0x3a30, "ASUS G814JVR/JIR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS),
+ SND_PCI_QUIRK(0x1043, 0x3a40, "ASUS G814JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS),
+--
+2.39.5
+
--- /dev/null
+From 6f79a7774bc646e286a2cf1f37669854119f6916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 19:11:18 +0530
+Subject: ARC: bpf: Correct conditional check in 'check_jmp_32'
+
+From: Hardevsinh Palaniya <hardevsinh.palaniya@siliconsignals.io>
+
+[ Upstream commit 7dd9eb6ba88964b091b89855ce7d2a12405013af ]
+
+The original code checks 'if (ARC_CC_AL)', which is always true since
+ARC_CC_AL is a constant. This makes the check redundant and likely
+obscures the intention of verifying whether the jump is conditional.
+
+Updates the code to check cond == ARC_CC_AL instead, reflecting the intent
+to differentiate conditional from unconditional jumps.
+
+Suggested-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Acked-by: Shahab Vahedi <list+bpf@vahedi.org>
+Signed-off-by: Hardevsinh Palaniya <hardevsinh.palaniya@siliconsignals.io>
+Signed-off-by: Vineet Gupta <vgupta@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/net/bpf_jit_arcv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arc/net/bpf_jit_arcv2.c b/arch/arc/net/bpf_jit_arcv2.c
+index 4458e409ca0a..6d989b6d88c6 100644
+--- a/arch/arc/net/bpf_jit_arcv2.c
++++ b/arch/arc/net/bpf_jit_arcv2.c
+@@ -2916,7 +2916,7 @@ bool check_jmp_32(u32 curr_off, u32 targ_off, u8 cond)
+ addendum = (cond == ARC_CC_AL) ? 0 : INSN_len_normal;
+ disp = get_displacement(curr_off + addendum, targ_off);
+
+- if (ARC_CC_AL)
++ if (cond == ARC_CC_AL)
+ return is_valid_far_disp(disp);
+ else
+ return is_valid_near_disp(disp);
+--
+2.39.5
+
--- /dev/null
+From b8d8f10a22c41d56aee7650d495c82b77260e9bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:33:22 -0700
+Subject: ARC: build: disallow invalid PAE40 + 4K page config
+
+From: Vineet Gupta <vgupta@kernel.org>
+
+[ Upstream commit 8871331b1769978ecece205a430338a2581e5050 ]
+
+The config option being built was
+| CONFIG_ARC_MMU_V4=y
+| CONFIG_ARC_PAGE_SIZE_4K=y
+| CONFIG_HIGHMEM=y
+| CONFIG_ARC_HAS_PAE40=y
+
+This was hitting a BUILD_BUG_ON() since a 4K page can't hoist 1k, 8-byte
+PTE entries (8 byte due to PAE40). BUILD_BUG_ON() is a good last ditch
+resort, but such a config needs to be disallowed explicitly in Kconfig.
+
+Side-note: the actual fix is single liner dependency, but while at it
+cleaned out a few things:
+ - 4K dependency on MMU v3 or v4 is always true, since 288ff7de62af09
+ ("ARC: retire MMUv1 and MMUv2 support")
+ - PAE40 dependency in on MMU ver not really ISA, although that follows
+ eventually.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202409160223.xydgucbY-lkp@intel.com/
+Signed-off-by: Vineet Gupta <vgupta@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig
+index 5b2488142041..69c6e71fa1e6 100644
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -297,7 +297,6 @@ config ARC_PAGE_SIZE_16K
+ config ARC_PAGE_SIZE_4K
+ bool "4KB"
+ select HAVE_PAGE_SIZE_4KB
+- depends on ARC_MMU_V3 || ARC_MMU_V4
+
+ endchoice
+
+@@ -474,7 +473,8 @@ config HIGHMEM
+
+ config ARC_HAS_PAE40
+ bool "Support for the 40-bit Physical Address Extension"
+- depends on ISA_ARCV2
++ depends on MMU_V4
++ depends on !ARC_PAGE_SIZE_4K
+ select HIGHMEM
+ select PHYS_ADDR_T_64BIT
+ help
+--
+2.39.5
+
--- /dev/null
+From cf091443156cd5e957e5b2c96fd17c07a93f775c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 14:37:15 +0200
+Subject: ARC: build: Try to guess GCC variant of cross compiler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 824927e88456331c7a999fdf5d9d27923b619590 ]
+
+ARC GCC compiler is packaged starting from Fedora 39i and the GCC
+variant of cross compile tools has arc-linux-gnu- prefix and not
+arc-linux-. This is causing that CROSS_COMPILE variable is left unset.
+
+This change allows builds without need to supply CROSS_COMPILE argument
+if distro package is used.
+
+Before this change:
+$ make -j 128 ARCH=arc W=1 drivers/infiniband/hw/mlx4/
+ gcc: warning: ‘-mcpu=’ is deprecated; use ‘-mtune=’ or ‘-march=’ instead
+ gcc: error: unrecognized command-line option ‘-mmedium-calls’
+ gcc: error: unrecognized command-line option ‘-mlock’
+ gcc: error: unrecognized command-line option ‘-munaligned-access’
+
+[1] https://packages.fedoraproject.org/pkgs/cross-gcc/gcc-arc-linux-gnu/index.html
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Vineet Gupta <vgupta@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arc/Makefile b/arch/arc/Makefile
+index 2390dd042e36..fb98478ed1ab 100644
+--- a/arch/arc/Makefile
++++ b/arch/arc/Makefile
+@@ -6,7 +6,7 @@
+ KBUILD_DEFCONFIG := haps_hs_smp_defconfig
+
+ ifeq ($(CROSS_COMPILE),)
+-CROSS_COMPILE := $(call cc-cross-prefix, arc-linux- arceb-linux-)
++CROSS_COMPILE := $(call cc-cross-prefix, arc-linux- arceb-linux- arc-linux-gnu-)
+ endif
+
+ cflags-y += -fno-common -pipe -fno-builtin -mmedium-calls -D__linux__
+--
+2.39.5
+
--- /dev/null
+From 5e539b2310a047c6c424d418e715a9670c0c9c96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 10:55:13 -0700
+Subject: ARC: build: Use __force to suppress per-CPU cmpxchg warnings
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 1e8af9f04346ecc0bccf0c53b728fc8eb3490a28 ]
+
+Currently, the cast of the first argument to cmpxchg_emu_u8() drops the
+__percpu address-space designator, which results in sparse complaints
+when applying cmpxchg() to per-CPU variables in ARC. Therefore, use
+__force to suppress these complaints, given that this does not pertain
+to cmpxchg() semantics, which are plently well-defined on variables in
+general, whether per-CPU or otherwise.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202409251336.ToC0TvWB-lkp@intel.com/
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Cc: <linux-snps-arc@lists.infradead.org>
+Signed-off-by: Vineet Gupta <vgupta@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/cmpxchg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arc/include/asm/cmpxchg.h b/arch/arc/include/asm/cmpxchg.h
+index 58045c898340..76f43db0890f 100644
+--- a/arch/arc/include/asm/cmpxchg.h
++++ b/arch/arc/include/asm/cmpxchg.h
+@@ -48,7 +48,7 @@
+ \
+ switch(sizeof((_p_))) { \
+ case 1: \
+- _prev_ = (__typeof__(*(ptr)))cmpxchg_emu_u8((volatile u8 *)_p_, (uintptr_t)_o_, (uintptr_t)_n_); \
++ _prev_ = (__typeof__(*(ptr)))cmpxchg_emu_u8((volatile u8 *__force)_p_, (uintptr_t)_o_, (uintptr_t)_n_); \
+ break; \
+ case 4: \
+ _prev_ = __cmpxchg(_p_, _o_, _n_); \
+--
+2.39.5
+
--- /dev/null
+From 54711ab081bc9e6dabcffce98910a44a38c4f4d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2024 23:22:56 +1100
+Subject: ASoC: audio-graph-card: Call of_node_put() on correct node
+
+From: Stephen Gordon <gordoste@iinet.net.au>
+
+[ Upstream commit 687630aa582acf674120c87350beb01d836c837c ]
+
+Signed-off-by: Stephen Gordon <gordoste@iinet.net.au>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/20241207122257.165096-1-gordoste@iinet.net.au
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/generic/audio-graph-card2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/generic/audio-graph-card2.c b/sound/soc/generic/audio-graph-card2.c
+index 93eee40cec76..63837e259659 100644
+--- a/sound/soc/generic/audio-graph-card2.c
++++ b/sound/soc/generic/audio-graph-card2.c
+@@ -779,7 +779,7 @@ static void graph_link_init(struct simple_util_priv *priv,
+ of_node_get(port_codec);
+ if (graph_lnk_is_multi(port_codec)) {
+ ep_codec = graph_get_next_multi_ep(&port_codec);
+- of_node_put(port_cpu);
++ of_node_put(port_codec);
+ port_codec = ep_to_port(ep_codec);
+ } else {
+ ep_codec = port_to_endpoint(port_codec);
+--
+2.39.5
+
--- /dev/null
+From 1e9edf125143692e45152b1da1f1f9e976d4eba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 16:07:32 -0500
+Subject: Bluetooth: hci_core: Fix sleeping function called from invalid
+ context
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 4d94f05558271654670d18c26c912da0c1c15549 ]
+
+This reworks hci_cb_list to not use mutex hci_cb_list_lock to avoid bugs
+like the bellow:
+
+BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
+in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5070, name: kworker/u9:2
+preempt_count: 0, expected: 0
+RCU nest depth: 1, expected: 0
+4 locks held by kworker/u9:2/5070:
+ #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]
+ #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335
+ #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]
+ #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335
+ #2: ffff8880665d0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 net/bluetooth/hci_event.c:6914
+ #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
+ #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
+ #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 net/bluetooth/hci_event.c:6915
+CPU: 0 PID: 5070 Comm: kworker/u9:2 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
+Workqueue: hci0 hci_rx_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ __might_resched+0x5d4/0x780 kernel/sched/core.c:10187
+ __mutex_lock_common kernel/locking/mutex.c:585 [inline]
+ __mutex_lock+0xc1/0xd70 kernel/locking/mutex.c:752
+ hci_connect_cfm include/net/bluetooth/hci_core.h:2004 [inline]
+ hci_le_create_big_complete_evt+0x3d9/0xae0 net/bluetooth/hci_event.c:6939
+ hci_event_func net/bluetooth/hci_event.c:7514 [inline]
+ hci_event_packet+0xa53/0x1540 net/bluetooth/hci_event.c:7569
+ hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171
+ process_one_work kernel/workqueue.c:3254 [inline]
+ process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335
+ worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
+ kthread+0x2f0/0x390 kernel/kthread.c:388
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
+ </TASK>
+
+Reported-by: syzbot+2fb0835e0c9cefc34614@syzkaller.appspotmail.com
+Tested-by: syzbot+2fb0835e0c9cefc34614@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2fb0835e0c9cefc34614
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 108 ++++++++++++++++++++-----------
+ net/bluetooth/hci_core.c | 10 +--
+ net/bluetooth/iso.c | 6 ++
+ net/bluetooth/l2cap_core.c | 12 ++--
+ net/bluetooth/rfcomm/core.c | 6 ++
+ net/bluetooth/sco.c | 12 ++--
+ 6 files changed, 97 insertions(+), 57 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index c95f7e6ba255..ba7b52584770 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -804,7 +804,6 @@ struct hci_conn_params {
+ extern struct list_head hci_dev_list;
+ extern struct list_head hci_cb_list;
+ extern rwlock_t hci_dev_list_lock;
+-extern struct mutex hci_cb_list_lock;
+
+ #define hci_dev_set_flag(hdev, nr) set_bit((nr), (hdev)->dev_flags)
+ #define hci_dev_clear_flag(hdev, nr) clear_bit((nr), (hdev)->dev_flags)
+@@ -2007,24 +2006,47 @@ struct hci_cb {
+
+ char *name;
+
++ bool (*match) (struct hci_conn *conn);
+ void (*connect_cfm) (struct hci_conn *conn, __u8 status);
+ void (*disconn_cfm) (struct hci_conn *conn, __u8 status);
+ void (*security_cfm) (struct hci_conn *conn, __u8 status,
+- __u8 encrypt);
++ __u8 encrypt);
+ void (*key_change_cfm) (struct hci_conn *conn, __u8 status);
+ void (*role_switch_cfm) (struct hci_conn *conn, __u8 status, __u8 role);
+ };
+
++static inline void hci_cb_lookup(struct hci_conn *conn, struct list_head *list)
++{
++ struct hci_cb *cb, *cpy;
++
++ rcu_read_lock();
++ list_for_each_entry_rcu(cb, &hci_cb_list, list) {
++ if (cb->match && cb->match(conn)) {
++ cpy = kmalloc(sizeof(*cpy), GFP_ATOMIC);
++ if (!cpy)
++ break;
++
++ *cpy = *cb;
++ INIT_LIST_HEAD(&cpy->list);
++ list_add_rcu(&cpy->list, list);
++ }
++ }
++ rcu_read_unlock();
++}
++
+ static inline void hci_connect_cfm(struct hci_conn *conn, __u8 status)
+ {
+- struct hci_cb *cb;
++ struct list_head list;
++ struct hci_cb *cb, *tmp;
++
++ INIT_LIST_HEAD(&list);
++ hci_cb_lookup(conn, &list);
+
+- mutex_lock(&hci_cb_list_lock);
+- list_for_each_entry(cb, &hci_cb_list, list) {
++ list_for_each_entry_safe(cb, tmp, &list, list) {
+ if (cb->connect_cfm)
+ cb->connect_cfm(conn, status);
++ kfree(cb);
+ }
+- mutex_unlock(&hci_cb_list_lock);
+
+ if (conn->connect_cfm_cb)
+ conn->connect_cfm_cb(conn, status);
+@@ -2032,43 +2054,55 @@ static inline void hci_connect_cfm(struct hci_conn *conn, __u8 status)
+
+ static inline void hci_disconn_cfm(struct hci_conn *conn, __u8 reason)
+ {
+- struct hci_cb *cb;
++ struct list_head list;
++ struct hci_cb *cb, *tmp;
++
++ INIT_LIST_HEAD(&list);
++ hci_cb_lookup(conn, &list);
+
+- mutex_lock(&hci_cb_list_lock);
+- list_for_each_entry(cb, &hci_cb_list, list) {
++ list_for_each_entry_safe(cb, tmp, &list, list) {
+ if (cb->disconn_cfm)
+ cb->disconn_cfm(conn, reason);
++ kfree(cb);
+ }
+- mutex_unlock(&hci_cb_list_lock);
+
+ if (conn->disconn_cfm_cb)
+ conn->disconn_cfm_cb(conn, reason);
+ }
+
+-static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status)
++static inline void hci_security_cfm(struct hci_conn *conn, __u8 status,
++ __u8 encrypt)
+ {
+- struct hci_cb *cb;
+- __u8 encrypt;
+-
+- if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
+- return;
++ struct list_head list;
++ struct hci_cb *cb, *tmp;
+
+- encrypt = test_bit(HCI_CONN_ENCRYPT, &conn->flags) ? 0x01 : 0x00;
++ INIT_LIST_HEAD(&list);
++ hci_cb_lookup(conn, &list);
+
+- mutex_lock(&hci_cb_list_lock);
+- list_for_each_entry(cb, &hci_cb_list, list) {
++ list_for_each_entry_safe(cb, tmp, &list, list) {
+ if (cb->security_cfm)
+ cb->security_cfm(conn, status, encrypt);
++ kfree(cb);
+ }
+- mutex_unlock(&hci_cb_list_lock);
+
+ if (conn->security_cfm_cb)
+ conn->security_cfm_cb(conn, status);
+ }
+
++static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status)
++{
++ __u8 encrypt;
++
++ if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
++ return;
++
++ encrypt = test_bit(HCI_CONN_ENCRYPT, &conn->flags) ? 0x01 : 0x00;
++
++ hci_security_cfm(conn, status, encrypt);
++}
++
+ static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status)
+ {
+- struct hci_cb *cb;
+ __u8 encrypt;
+
+ if (conn->state == BT_CONFIG) {
+@@ -2095,40 +2129,38 @@ static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status)
+ conn->sec_level = conn->pending_sec_level;
+ }
+
+- mutex_lock(&hci_cb_list_lock);
+- list_for_each_entry(cb, &hci_cb_list, list) {
+- if (cb->security_cfm)
+- cb->security_cfm(conn, status, encrypt);
+- }
+- mutex_unlock(&hci_cb_list_lock);
+-
+- if (conn->security_cfm_cb)
+- conn->security_cfm_cb(conn, status);
++ hci_security_cfm(conn, status, encrypt);
+ }
+
+ static inline void hci_key_change_cfm(struct hci_conn *conn, __u8 status)
+ {
+- struct hci_cb *cb;
++ struct list_head list;
++ struct hci_cb *cb, *tmp;
++
++ INIT_LIST_HEAD(&list);
++ hci_cb_lookup(conn, &list);
+
+- mutex_lock(&hci_cb_list_lock);
+- list_for_each_entry(cb, &hci_cb_list, list) {
++ list_for_each_entry_safe(cb, tmp, &list, list) {
+ if (cb->key_change_cfm)
+ cb->key_change_cfm(conn, status);
++ kfree(cb);
+ }
+- mutex_unlock(&hci_cb_list_lock);
+ }
+
+ static inline void hci_role_switch_cfm(struct hci_conn *conn, __u8 status,
+ __u8 role)
+ {
+- struct hci_cb *cb;
++ struct list_head list;
++ struct hci_cb *cb, *tmp;
++
++ INIT_LIST_HEAD(&list);
++ hci_cb_lookup(conn, &list);
+
+- mutex_lock(&hci_cb_list_lock);
+- list_for_each_entry(cb, &hci_cb_list, list) {
++ list_for_each_entry_safe(cb, tmp, &list, list) {
+ if (cb->role_switch_cfm)
+ cb->role_switch_cfm(conn, status, role);
++ kfree(cb);
+ }
+- mutex_unlock(&hci_cb_list_lock);
+ }
+
+ static inline bool hci_bdaddr_is_rpa(bdaddr_t *bdaddr, u8 addr_type)
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 72439764186e..b5553c08e731 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -57,7 +57,6 @@ DEFINE_RWLOCK(hci_dev_list_lock);
+
+ /* HCI callback list */
+ LIST_HEAD(hci_cb_list);
+-DEFINE_MUTEX(hci_cb_list_lock);
+
+ /* HCI ID Numbering */
+ static DEFINE_IDA(hci_index_ida);
+@@ -2993,9 +2992,7 @@ int hci_register_cb(struct hci_cb *cb)
+ {
+ BT_DBG("%p name %s", cb, cb->name);
+
+- mutex_lock(&hci_cb_list_lock);
+- list_add_tail(&cb->list, &hci_cb_list);
+- mutex_unlock(&hci_cb_list_lock);
++ list_add_tail_rcu(&cb->list, &hci_cb_list);
+
+ return 0;
+ }
+@@ -3005,9 +3002,8 @@ int hci_unregister_cb(struct hci_cb *cb)
+ {
+ BT_DBG("%p name %s", cb, cb->name);
+
+- mutex_lock(&hci_cb_list_lock);
+- list_del(&cb->list);
+- mutex_unlock(&hci_cb_list_lock);
++ list_del_rcu(&cb->list);
++ synchronize_rcu();
+
+ return 0;
+ }
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 644b606743e2..bda2f2da7d73 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -2137,6 +2137,11 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
+ return HCI_LM_ACCEPT;
+ }
+
++static bool iso_match(struct hci_conn *hcon)
++{
++ return hcon->type == ISO_LINK || hcon->type == LE_LINK;
++}
++
+ static void iso_connect_cfm(struct hci_conn *hcon, __u8 status)
+ {
+ if (hcon->type != ISO_LINK) {
+@@ -2318,6 +2323,7 @@ void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
+
+ static struct hci_cb iso_cb = {
+ .name = "ISO",
++ .match = iso_match,
+ .connect_cfm = iso_connect_cfm,
+ .disconn_cfm = iso_disconn_cfm,
+ };
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 6544c1ed7143..27b4c4a2ba1f 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7217,6 +7217,11 @@ static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
+ return NULL;
+ }
+
++static bool l2cap_match(struct hci_conn *hcon)
++{
++ return hcon->type == ACL_LINK || hcon->type == LE_LINK;
++}
++
+ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
+ {
+ struct hci_dev *hdev = hcon->hdev;
+@@ -7224,9 +7229,6 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
+ struct l2cap_chan *pchan;
+ u8 dst_type;
+
+- if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
+- return;
+-
+ BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
+
+ if (status) {
+@@ -7291,9 +7293,6 @@ int l2cap_disconn_ind(struct hci_conn *hcon)
+
+ static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
+ {
+- if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
+- return;
+-
+ BT_DBG("hcon %p reason %d", hcon, reason);
+
+ l2cap_conn_del(hcon, bt_to_errno(reason));
+@@ -7572,6 +7571,7 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
+
+ static struct hci_cb l2cap_cb = {
+ .name = "L2CAP",
++ .match = l2cap_match,
+ .connect_cfm = l2cap_connect_cfm,
+ .disconn_cfm = l2cap_disconn_cfm,
+ .security_cfm = l2cap_security_cfm,
+diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
+index ad5177e3a69b..4c56ca5a216c 100644
+--- a/net/bluetooth/rfcomm/core.c
++++ b/net/bluetooth/rfcomm/core.c
+@@ -2134,6 +2134,11 @@ static int rfcomm_run(void *unused)
+ return 0;
+ }
+
++static bool rfcomm_match(struct hci_conn *hcon)
++{
++ return hcon->type == ACL_LINK;
++}
++
+ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
+ {
+ struct rfcomm_session *s;
+@@ -2180,6 +2185,7 @@ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
+
+ static struct hci_cb rfcomm_cb = {
+ .name = "RFCOMM",
++ .match = rfcomm_match,
+ .security_cfm = rfcomm_security_cfm
+ };
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index b872a2ca3ff3..071c404c790a 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -1355,11 +1355,13 @@ int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
+ return lm;
+ }
+
+-static void sco_connect_cfm(struct hci_conn *hcon, __u8 status)
++static bool sco_match(struct hci_conn *hcon)
+ {
+- if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
+- return;
++ return hcon->type == SCO_LINK || hcon->type == ESCO_LINK;
++}
+
++static void sco_connect_cfm(struct hci_conn *hcon, __u8 status)
++{
+ BT_DBG("hcon %p bdaddr %pMR status %u", hcon, &hcon->dst, status);
+
+ if (!status) {
+@@ -1374,9 +1376,6 @@ static void sco_connect_cfm(struct hci_conn *hcon, __u8 status)
+
+ static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
+ {
+- if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
+- return;
+-
+ BT_DBG("hcon %p reason %d", hcon, reason);
+
+ sco_conn_del(hcon, bt_to_errno(reason));
+@@ -1402,6 +1401,7 @@ void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
+
+ static struct hci_cb sco_cb = {
+ .name = "SCO",
++ .match = sco_match,
+ .connect_cfm = sco_connect_cfm,
+ .disconn_cfm = sco_disconn_cfm,
+ };
+--
+2.39.5
+
--- /dev/null
+From 984bd4a473eda067fa6716a5ee4855564d74aaa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 20:10:59 -0800
+Subject: bpf: consider that tail calls invalidate packet pointers
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 1a4607ffba35bf2a630aab299e34dd3f6e658d70 ]
+
+Tail-called programs could execute any of the helpers that invalidate
+packet pointers. Hence, conservatively assume that each tail call
+invalidates packet pointers.
+
+Making the change in bpf_helper_changes_pkt_data() automatically makes
+use of check_cfg() logic that computes 'changes_pkt_data' effect for
+global sub-programs, such that the following program could be
+rejected:
+
+ int tail_call(struct __sk_buff *sk)
+ {
+ bpf_tail_call_static(sk, &jmp_table, 0);
+ return 0;
+ }
+
+ SEC("tc")
+ int not_safe(struct __sk_buff *sk)
+ {
+ int *p = (void *)(long)sk->data;
+ ... make p valid ...
+ tail_call(sk);
+ *p = 42; /* this is unsafe */
+ ...
+ }
+
+The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that
+can invalidate packet pointers. Otherwise, it can't be freplaced with
+tailcall_freplace.c:entry_freplace() that does a tail call.
+
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20241210041100.1898468-8-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 2 ++
+ tools/testing/selftests/bpf/progs/tc_bpf2bpf.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 4b0ad74cfff5..54a53fae9e98 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -7943,6 +7943,8 @@ bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id)
+ case BPF_FUNC_xdp_adjust_head:
+ case BPF_FUNC_xdp_adjust_meta:
+ case BPF_FUNC_xdp_adjust_tail:
++ /* tail-called program could call any of the above */
++ case BPF_FUNC_tail_call:
+ return true;
+ default:
+ return false;
+diff --git a/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c b/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
+index 8a0632c37839..79f5087dade2 100644
+--- a/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
++++ b/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
+@@ -10,6 +10,8 @@ int subprog(struct __sk_buff *skb)
+ int ret = 1;
+
+ __sink(ret);
++ /* let verifier know that 'subprog_tc' can change pointers to skb->data */
++ bpf_skb_change_proto(skb, 0, 0);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 685c85178f98f63684977001b68c81d5a3fa9317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 11:42:45 +0000
+Subject: bpf: fix potential error return
+
+From: Anton Protopopov <aspsk@isovalent.com>
+
+[ Upstream commit c4441ca86afe4814039ee1b32c39d833c1a16bbc ]
+
+The bpf_remove_insns() function returns WARN_ON_ONCE(error), where
+error is a result of bpf_adj_branches(), and thus should be always 0
+However, if for any reason it is not 0, then it will be converted to
+boolean by WARN_ON_ONCE and returned to user space as 1, not an actual
+error value. Fix this by returning the original err after the WARN check.
+
+Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20241210114245.836164-1-aspsk@isovalent.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 233ea78f8f1b..3af5f42ea791 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -539,6 +539,8 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
+
+ int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt)
+ {
++ int err;
++
+ /* Branch offsets can't overflow when program is shrinking, no need
+ * to call bpf_adj_branches(..., true) here
+ */
+@@ -546,7 +548,9 @@ int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt)
+ sizeof(struct bpf_insn) * (prog->len - off - cnt));
+ prog->len -= cnt;
+
+- return WARN_ON_ONCE(bpf_adj_branches(prog, off, off + cnt, off, false));
++ err = bpf_adj_branches(prog, off, off + cnt, off, false);
++ WARN_ON_ONCE(err);
++ return err;
+ }
+
+ static void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp)
+--
+2.39.5
+
--- /dev/null
+From 902b683d7eab7703b8d9968e37971d32bd58c144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 20:10:54 -0800
+Subject: bpf: refactor bpf_helper_changes_pkt_data to use helper number
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit b238e187b4a2d3b54d80aec05a9cab6466b79dde ]
+
+Use BPF helper number instead of function pointer in
+bpf_helper_changes_pkt_data(). This would simplify usage of this
+function in verifier.c:check_cfg() (in a follow-up patch),
+where only helper number is easily available and there is no real need
+to lookup helper proto.
+
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20241210041100.1898468-3-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 1a4607ffba35 ("bpf: consider that tail calls invalidate packet pointers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 2 +-
+ kernel/bpf/core.c | 2 +-
+ kernel/bpf/verifier.c | 2 +-
+ net/core/filter.c | 63 +++++++++++++++++++-----------------------
+ 4 files changed, 31 insertions(+), 38 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 7d7578a8eac1..5118caf8aa1c 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -1121,7 +1121,7 @@ bool bpf_jit_supports_arena(void);
+ bool bpf_jit_supports_insn(struct bpf_insn *insn, bool in_arena);
+ u64 bpf_arch_uaddress_limit(void);
+ void arch_bpf_stack_walk(bool (*consume_fn)(void *cookie, u64 ip, u64 sp, u64 bp), void *cookie);
+-bool bpf_helper_changes_pkt_data(void *func);
++bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id);
+
+ static inline bool bpf_dump_raw_ok(const struct cred *cred)
+ {
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 3af5f42ea791..2b9c8c168a0b 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2940,7 +2940,7 @@ void __weak bpf_jit_compile(struct bpf_prog *prog)
+ {
+ }
+
+-bool __weak bpf_helper_changes_pkt_data(void *func)
++bool __weak bpf_helper_changes_pkt_data(enum bpf_func_id func_id)
+ {
+ return false;
+ }
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 767f1cb8c27e..a0cab0d0252f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -10476,7 +10476,7 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
+ }
+
+ /* With LD_ABS/IND some JITs save/restore skb from r1. */
+- changes_data = bpf_helper_changes_pkt_data(fn->func);
++ changes_data = bpf_helper_changes_pkt_data(func_id);
+ if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
+ verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n",
+ func_id_name(func_id), func_id);
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 55495063621d..4b0ad74cfff5 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -7918,42 +7918,35 @@ static const struct bpf_func_proto bpf_tcp_raw_check_syncookie_ipv6_proto = {
+
+ #endif /* CONFIG_INET */
+
+-bool bpf_helper_changes_pkt_data(void *func)
+-{
+- if (func == bpf_skb_vlan_push ||
+- func == bpf_skb_vlan_pop ||
+- func == bpf_skb_store_bytes ||
+- func == bpf_skb_change_proto ||
+- func == bpf_skb_change_head ||
+- func == sk_skb_change_head ||
+- func == bpf_skb_change_tail ||
+- func == sk_skb_change_tail ||
+- func == bpf_skb_adjust_room ||
+- func == sk_skb_adjust_room ||
+- func == bpf_skb_pull_data ||
+- func == sk_skb_pull_data ||
+- func == bpf_clone_redirect ||
+- func == bpf_l3_csum_replace ||
+- func == bpf_l4_csum_replace ||
+- func == bpf_xdp_adjust_head ||
+- func == bpf_xdp_adjust_meta ||
+- func == bpf_msg_pull_data ||
+- func == bpf_msg_push_data ||
+- func == bpf_msg_pop_data ||
+- func == bpf_xdp_adjust_tail ||
+-#if IS_ENABLED(CONFIG_IPV6_SEG6_BPF)
+- func == bpf_lwt_seg6_store_bytes ||
+- func == bpf_lwt_seg6_adjust_srh ||
+- func == bpf_lwt_seg6_action ||
+-#endif
+-#ifdef CONFIG_INET
+- func == bpf_sock_ops_store_hdr_opt ||
+-#endif
+- func == bpf_lwt_in_push_encap ||
+- func == bpf_lwt_xmit_push_encap)
++bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id)
++{
++ switch (func_id) {
++ case BPF_FUNC_clone_redirect:
++ case BPF_FUNC_l3_csum_replace:
++ case BPF_FUNC_l4_csum_replace:
++ case BPF_FUNC_lwt_push_encap:
++ case BPF_FUNC_lwt_seg6_action:
++ case BPF_FUNC_lwt_seg6_adjust_srh:
++ case BPF_FUNC_lwt_seg6_store_bytes:
++ case BPF_FUNC_msg_pop_data:
++ case BPF_FUNC_msg_pull_data:
++ case BPF_FUNC_msg_push_data:
++ case BPF_FUNC_skb_adjust_room:
++ case BPF_FUNC_skb_change_head:
++ case BPF_FUNC_skb_change_proto:
++ case BPF_FUNC_skb_change_tail:
++ case BPF_FUNC_skb_pull_data:
++ case BPF_FUNC_skb_store_bytes:
++ case BPF_FUNC_skb_vlan_pop:
++ case BPF_FUNC_skb_vlan_push:
++ case BPF_FUNC_store_hdr_opt:
++ case BPF_FUNC_xdp_adjust_head:
++ case BPF_FUNC_xdp_adjust_meta:
++ case BPF_FUNC_xdp_adjust_tail:
+ return true;
+-
+- return false;
++ default:
++ return false;
++ }
+ }
+
+ const struct bpf_func_proto bpf_event_output_data_proto __weak;
+--
+2.39.5
+
--- /dev/null
+From 6dae8c4a635846f3c57dcf27cbaadd6ecdd1b65e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 16:31:41 +0000
+Subject: btrfs: allow swap activation to be interruptible
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 ]
+
+During swap activation we iterate over the extents of a file, then do
+several checks for each extent, some of which may take some significant
+time such as checking if an extent is shared. Since a file can have
+many thousands of extents, this can be a very slow operation and it's
+currently not interruptible. I had a bug during development of a previous
+patch that resulted in an infinite loop when iterating the extents, so
+a core was busy looping and I couldn't cancel the operation, which is very
+annoying and requires a reboot. So make the loop interruptible by checking
+for fatal signals at the end of each iteration and stopping immediately if
+there is one.
+
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 4b3e256e0d0b..b5cfb85af937 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -10056,6 +10056,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file,
+ bsi.block_start = physical_block_start;
+ bsi.block_len = len;
+ }
++
++ if (fatal_signal_pending(current)) {
++ ret = -EINTR;
++ goto out;
++ }
+ }
+
+ if (bsi.block_len)
+--
+2.39.5
+
--- /dev/null
+From c11860dbe3054e37761cc5460a7245ecf5f660c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 11:53:27 +0000
+Subject: btrfs: flush delalloc workers queue before stopping cleaner kthread
+ during unmount
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit f10bef73fb355e3fc85e63a50386798be68ff486 ]
+
+During the unmount path, at close_ctree(), we first stop the cleaner
+kthread, using kthread_stop() which frees the associated task_struct, and
+then stop and destroy all the work queues. However after we stopped the
+cleaner we may still have a worker from the delalloc_workers queue running
+inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(),
+which in turn tries to wake up the cleaner kthread - which was already
+destroyed before, resulting in a use-after-free on the task_struct.
+
+Syzbot reported this with the following stack traces:
+
+ BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
+ Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52
+
+ CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+ Workqueue: btrfs-delalloc btrfs_work_helper
+ Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:489
+ kasan_report+0x143/0x180 mm/kasan/report.c:602
+ __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
+ lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
+ class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
+ try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205
+ submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615
+ run_ordered_work fs/btrfs/async-thread.c:288 [inline]
+ btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324
+ process_one_work kernel/workqueue.c:3229 [inline]
+ process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
+ worker_thread+0x870/0xd30 kernel/workqueue.c:3391
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+ Allocated by task 2:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ unpoison_slab_object mm/kasan/common.c:319 [inline]
+ __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
+ kasan_slab_alloc include/linux/kasan.h:250 [inline]
+ slab_post_alloc_hook mm/slub.c:4104 [inline]
+ slab_alloc_node mm/slub.c:4153 [inline]
+ kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205
+ alloc_task_struct_node kernel/fork.c:180 [inline]
+ dup_task_struct+0x57/0x8c0 kernel/fork.c:1113
+ copy_process+0x5d1/0x3d50 kernel/fork.c:2225
+ kernel_clone+0x223/0x870 kernel/fork.c:2807
+ kernel_thread+0x1bc/0x240 kernel/fork.c:2869
+ create_kthread kernel/kthread.c:412 [inline]
+ kthreadd+0x60d/0x810 kernel/kthread.c:767
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+ Freed by task 24:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2338 [inline]
+ slab_free mm/slub.c:4598 [inline]
+ kmem_cache_free+0x195/0x410 mm/slub.c:4700
+ put_task_struct include/linux/sched/task.h:144 [inline]
+ delayed_put_task_struct+0x125/0x300 kernel/exit.c:227
+ rcu_do_batch kernel/rcu/tree.c:2567 [inline]
+ rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
+ handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554
+ run_ksoftirqd+0xca/0x130 kernel/softirq.c:943
+ smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+ Last potentially related work creation:
+ kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
+ __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:544
+ __call_rcu_common kernel/rcu/tree.c:3086 [inline]
+ call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190
+ context_switch kernel/sched/core.c:5372 [inline]
+ __schedule+0x1803/0x4be0 kernel/sched/core.c:6756
+ __schedule_loop kernel/sched/core.c:6833 [inline]
+ schedule+0x14b/0x320 kernel/sched/core.c:6848
+ schedule_timeout+0xb0/0x290 kernel/time/sleep_timeout.c:75
+ do_wait_for_common kernel/sched/completion.c:95 [inline]
+ __wait_for_common kernel/sched/completion.c:116 [inline]
+ wait_for_common kernel/sched/completion.c:127 [inline]
+ wait_for_completion+0x355/0x620 kernel/sched/completion.c:148
+ kthread_stop+0x19e/0x640 kernel/kthread.c:712
+ close_ctree+0x524/0xd60 fs/btrfs/disk-io.c:4328
+ generic_shutdown_super+0x139/0x2d0 fs/super.c:642
+ kill_anon_super+0x3b/0x70 fs/super.c:1237
+ btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2112
+ deactivate_locked_super+0xc4/0x130 fs/super.c:473
+ cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
+ task_work_run+0x24f/0x310 kernel/task_work.c:239
+ ptrace_notify+0x2d2/0x380 kernel/signal.c:2503
+ ptrace_report_syscall include/linux/ptrace.h:415 [inline]
+ ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
+ syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173
+ syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
+ syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218
+ do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ The buggy address belongs to the object at ffff8880259d1e00
+ which belongs to the cache task_struct of size 7424
+ The buggy address is located 2584 bytes inside of
+ freed 7424-byte region [ffff8880259d1e00, ffff8880259d3b00)
+
+ The buggy address belongs to the physical page:
+ page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x259d0
+ head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+ memcg:ffff88802f4b56c1
+ flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
+ page_type: f5(slab)
+ raw: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122
+ raw: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1
+ head: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122
+ head: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1
+ head: 00fff00000000003 ffffea0000967401 ffffffffffffffff 0000000000000000
+ head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+ page_owner tracks the page as allocated
+ page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, tgid 12 (kworker/u8:1), ts 7328037942, free_ts 0
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
+ prep_new_page mm/page_alloc.c:1564 [inline]
+ get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3474
+ __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
+ alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
+ alloc_slab_page+0x6a/0x140 mm/slub.c:2408
+ allocate_slab+0x5a/0x2f0 mm/slub.c:2574
+ new_slab mm/slub.c:2627 [inline]
+ ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3815
+ __slab_alloc+0x58/0xa0 mm/slub.c:3905
+ __slab_alloc_node mm/slub.c:3980 [inline]
+ slab_alloc_node mm/slub.c:4141 [inline]
+ kmem_cache_alloc_node_noprof+0x269/0x380 mm/slub.c:4205
+ alloc_task_struct_node kernel/fork.c:180 [inline]
+ dup_task_struct+0x57/0x8c0 kernel/fork.c:1113
+ copy_process+0x5d1/0x3d50 kernel/fork.c:2225
+ kernel_clone+0x223/0x870 kernel/fork.c:2807
+ user_mode_thread+0x132/0x1a0 kernel/fork.c:2885
+ call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171
+ process_one_work kernel/workqueue.c:3229 [inline]
+ process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
+ worker_thread+0x870/0xd30 kernel/workqueue.c:3391
+ page_owner free stack trace missing
+
+ Memory state around the buggy address:
+ ffff8880259d2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880259d2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ >ffff8880259d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880259d2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880259d2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ==================================================================
+
+Fix this by flushing the delalloc workers queue before stopping the
+cleaner kthread.
+
+Reported-by: syzbot+b7cf50a0c173770dcb14@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/674ed7e8.050a0220.48a03.0031.GAE@google.com/
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 43b7b331b2da..563f106774e5 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4264,6 +4264,15 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info)
+ * already the cleaner, but below we run all pending delayed iputs.
+ */
+ btrfs_flush_workqueue(fs_info->fixup_workers);
++ /*
++ * Similar case here, we have to wait for delalloc workers before we
++ * proceed below and stop the cleaner kthread, otherwise we trigger a
++ * use-after-tree on the cleaner kthread task_struct when a delalloc
++ * worker running submit_compressed_extents() adds a delayed iput, which
++ * does a wake up on the cleaner kthread, which was already freed below
++ * when we call kthread_stop().
++ */
++ btrfs_flush_workqueue(fs_info->delalloc_workers);
+
+ /*
+ * After we parked the cleaner kthread, ordered extents may have
+--
+2.39.5
+
--- /dev/null
+From a1dad7e5e16a042edb28a1b81ece21323d1ae6f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2024 23:40:22 -0800
+Subject: btrfs: handle bio_split() errors
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+[ Upstream commit c7c97ceff98cc459bf5e358e5cbd06fcb651d501 ]
+
+Commit e546fe1da9bd ("block: Rework bio_split() return value") changed
+bio_split() so that it can return errors.
+
+Add error handling for it in btrfs_split_bio() and ultimately
+btrfs_submit_chunk(). As the bio is not submitted, the bio counter must
+be decremented to pair btrfs_bio_counter_inc_blocked().
+
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/bio.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/bio.c b/fs/btrfs/bio.c
+index 31f96c2d8691..5fd0b39d8c70 100644
+--- a/fs/btrfs/bio.c
++++ b/fs/btrfs/bio.c
+@@ -81,6 +81,9 @@ static struct btrfs_bio *btrfs_split_bio(struct btrfs_fs_info *fs_info,
+
+ bio = bio_split(&orig_bbio->bio, map_length >> SECTOR_SHIFT, GFP_NOFS,
+ &btrfs_clone_bioset);
++ if (IS_ERR(bio))
++ return ERR_CAST(bio);
++
+ bbio = btrfs_bio(bio);
+ btrfs_bio_init(bbio, fs_info, NULL, orig_bbio);
+ bbio->inode = orig_bbio->inode;
+@@ -684,7 +687,8 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num)
+ &bioc, &smap, &mirror_num);
+ if (error) {
+ ret = errno_to_blk_status(error);
+- goto fail;
++ btrfs_bio_counter_dec(fs_info);
++ goto end_bbio;
+ }
+
+ map_length = min(map_length, length);
+@@ -692,7 +696,15 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num)
+ map_length = btrfs_append_map_length(bbio, map_length);
+
+ if (map_length < length) {
+- bbio = btrfs_split_bio(fs_info, bbio, map_length);
++ struct btrfs_bio *split;
++
++ split = btrfs_split_bio(fs_info, bbio, map_length);
++ if (IS_ERR(split)) {
++ ret = errno_to_blk_status(PTR_ERR(split));
++ btrfs_bio_counter_dec(fs_info);
++ goto end_bbio;
++ }
++ bbio = split;
+ bio = &bbio->bio;
+ }
+
+@@ -766,6 +778,7 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num)
+
+ btrfs_bio_end_io(remaining, ret);
+ }
++end_bbio:
+ btrfs_bio_end_io(bbio, ret);
+ /* Do not submit another chunk */
+ return true;
+--
+2.39.5
+
--- /dev/null
+From 6e1cc4b6d1d08b217cf7bf1abed02003569aafac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Nov 2024 18:37:43 +0800
+Subject: drm/amdgpu: use sjt mec fw on gfx943 for sriov
+
+From: Victor Zhao <Victor.Zhao@amd.com>
+
+[ Upstream commit 9a4ab400f1fad0e6e8686b8f5fc5376383860ce8 ]
+
+Use second jump table in sriov for live migration or mulitple VF
+support so different VF can load different version of MEC as long
+as they support sjt
+
+Signed-off-by: Victor Zhao <Victor.Zhao@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
+index c100845409f7..ffdb966c4127 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c
+@@ -45,6 +45,8 @@ MODULE_FIRMWARE("amdgpu/gc_9_4_3_mec.bin");
+ MODULE_FIRMWARE("amdgpu/gc_9_4_4_mec.bin");
+ MODULE_FIRMWARE("amdgpu/gc_9_4_3_rlc.bin");
+ MODULE_FIRMWARE("amdgpu/gc_9_4_4_rlc.bin");
++MODULE_FIRMWARE("amdgpu/gc_9_4_3_sjt_mec.bin");
++MODULE_FIRMWARE("amdgpu/gc_9_4_4_sjt_mec.bin");
+
+ #define GFX9_MEC_HPD_SIZE 4096
+ #define RLCG_UCODE_LOADING_START_ADDRESS 0x00002000L
+@@ -574,8 +576,12 @@ static int gfx_v9_4_3_init_cp_compute_microcode(struct amdgpu_device *adev,
+ {
+ int err;
+
+- err = amdgpu_ucode_request(adev, &adev->gfx.mec_fw,
+- "amdgpu/%s_mec.bin", chip_name);
++ if (amdgpu_sriov_vf(adev))
++ err = amdgpu_ucode_request(adev, &adev->gfx.mec_fw,
++ "amdgpu/%s_sjt_mec.bin", chip_name);
++ else
++ err = amdgpu_ucode_request(adev, &adev->gfx.mec_fw,
++ "amdgpu/%s_mec.bin", chip_name);
+ if (err)
+ goto out;
+ amdgpu_gfx_cp_init_microcode(adev, AMDGPU_UCODE_ID_CP_MEC1);
+--
+2.39.5
+
--- /dev/null
+From 71f34b814bf7e526f18b8bc61fe2a22336a2048f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2024 09:57:42 +0800
+Subject: drm/amdkfd: Correct the migration DMA map direction
+
+From: Prike Liang <Prike.Liang@amd.com>
+
+[ Upstream commit 5c3de6b02d38eb9386edf50490e050bb44398e40 ]
+
+The SVM DMA device map direction should be set the same as
+the DMA unmap setting, otherwise the DMA core will report
+the following warning.
+
+Before finialize this solution, there're some discussion on
+the DMA mapping type(stream-based or coherent) in this KFD
+migration case, followed by https://lore.kernel.org/all/04d4ab32
+-45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/.
+
+As there's no dma_sync_single_for_*() in the DMA buffer accessed
+that because this migration operation should be sync properly and
+automatically. Give that there's might not be a performance problem
+in various cache sync policy of DMA sync. Therefore, in order to
+simplify the DMA direction setting alignment, let's set the DMA map
+direction as BIDIRECTIONAL.
+
+[ 150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930
+[ 150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds
+[ 150.834310] wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii
+[ 150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G OE 6.10.0-custom #492
+[ 150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021
+[ 150.834360] RIP: 0010:check_unmap+0x1cc/0x930
+[ 150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50
+[ 150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086
+[ 150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027
+[ 150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680
+[ 150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850
+[ 150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40
+[ 150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b
+[ 150.834377] FS: 00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000
+[ 150.834379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0
+[ 150.834383] Call Trace:
+[ 150.834385] <TASK>
+[ 150.834387] ? show_regs+0x6d/0x80
+[ 150.834393] ? __warn+0x8c/0x140
+[ 150.834397] ? check_unmap+0x1cc/0x930
+[ 150.834400] ? report_bug+0x193/0x1a0
+[ 150.834406] ? handle_bug+0x46/0x80
+[ 150.834410] ? exc_invalid_op+0x1d/0x80
+[ 150.834413] ? asm_exc_invalid_op+0x1f/0x30
+[ 150.834420] ? check_unmap+0x1cc/0x930
+[ 150.834425] debug_dma_unmap_page+0x86/0x90
+[ 150.834431] ? srso_return_thunk+0x5/0x5f
+[ 150.834435] ? rmap_walk+0x28/0x50
+[ 150.834438] ? srso_return_thunk+0x5/0x5f
+[ 150.834441] ? remove_migration_ptes+0x79/0x80
+[ 150.834445] ? srso_return_thunk+0x5/0x5f
+[ 150.834448] dma_unmap_page_attrs+0xfa/0x1d0
+[ 150.834453] svm_range_dma_unmap_dev+0x8a/0xf0 [amdgpu]
+[ 150.834710] svm_migrate_ram_to_vram+0x361/0x740 [amdgpu]
+[ 150.834914] svm_migrate_to_vram+0xa8/0xe0 [amdgpu]
+[ 150.835111] svm_range_set_attr+0xff2/0x1450 [amdgpu]
+[ 150.835311] svm_ioctl+0x4a/0x50 [amdgpu]
+[ 150.835510] kfd_ioctl_svm+0x54/0x90 [amdgpu]
+[ 150.835701] kfd_ioctl+0x3c2/0x530 [amdgpu]
+[ 150.835888] ? __pfx_kfd_ioctl_svm+0x10/0x10 [amdgpu]
+[ 150.836075] ? srso_return_thunk+0x5/0x5f
+[ 150.836080] ? tomoyo_file_ioctl+0x20/0x30
+[ 150.836086] __x64_sys_ioctl+0x9c/0xd0
+[ 150.836091] x64_sys_call+0x1219/0x20d0
+[ 150.836095] do_syscall_64+0x51/0x120
+[ 150.836098] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 150.836102] RIP: 0033:0x7faf0f11a94f
+[ 150.836105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
+[ 150.836107] RSP: 002b:00007ffeced26bc0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[ 150.836110] RAX: ffffffffffffffda RBX: 000055c683528fb0 RCX: 00007faf0f11a94f
+[ 150.836112] RDX: 00007ffeced26c60 RSI: 00000000c0484b20 RDI: 0000000000000003
+[ 150.836114] RBP: 00007ffeced26c50 R08: 0000000000000000 R09: 0000000000000001
+[ 150.836115] R10: 0000000000000032 R11: 0000000000000246 R12: 000055c683528bd0
+[ 150.836117] R13: 0000000000000000 R14: 0000000000000021 R15: 0000000000000000
+[ 150.836122] </TASK>
+[ 150.836124] ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Prike Liang <Prike.Liang@amd.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c
+index 8ee3d07ffbdf..f31e9fbf634a 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c
+@@ -306,7 +306,7 @@ svm_migrate_copy_to_vram(struct kfd_node *node, struct svm_range *prange,
+ spage = migrate_pfn_to_page(migrate->src[i]);
+ if (spage && !is_zone_device_page(spage)) {
+ src[i] = dma_map_page(dev, spage, 0, PAGE_SIZE,
+- DMA_TO_DEVICE);
++ DMA_BIDIRECTIONAL);
+ r = dma_mapping_error(dev, src[i]);
+ if (r) {
+ dev_err(dev, "%s: fail %d dma_map_page\n",
+@@ -630,7 +630,7 @@ svm_migrate_copy_to_ram(struct amdgpu_device *adev, struct svm_range *prange,
+ goto out_oom;
+ }
+
+- dst[i] = dma_map_page(dev, dpage, 0, PAGE_SIZE, DMA_FROM_DEVICE);
++ dst[i] = dma_map_page(dev, dpage, 0, PAGE_SIZE, DMA_BIDIRECTIONAL);
+ r = dma_mapping_error(dev, dst[i]);
+ if (r) {
+ dev_err(adev->dev, "%s: fail %d dma_map_page\n", __func__, r);
+--
+2.39.5
+
--- /dev/null
+From b698b562ba2a5f752c9c1f9ba026d98660bcbc4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 15:57:53 +0100
+Subject: irqchip/gic: Correct declaration of *percpu_base pointer in union
+ gic_base
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit a1855f1b7c33642c9f7a01991fb763342a312e9b ]
+
+percpu_base is used in various percpu functions that expect variable in
+__percpu address space. Correct the declaration of percpu_base to
+
+void __iomem * __percpu *percpu_base;
+
+to declare the variable as __percpu pointer.
+
+The patch fixes several sparse warnings:
+
+irq-gic.c:1172:44: warning: incorrect type in assignment (different address spaces)
+irq-gic.c:1172:44: expected void [noderef] __percpu *[noderef] __iomem *percpu_base
+irq-gic.c:1172:44: got void [noderef] __iomem *[noderef] __percpu *
+...
+irq-gic.c:1231:43: warning: incorrect type in argument 1 (different address spaces)
+irq-gic.c:1231:43: expected void [noderef] __percpu *__pdata
+irq-gic.c:1231:43: got void [noderef] __percpu *[noderef] __iomem *percpu_base
+
+There were no changes in the resulting object files.
+
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/all/20241213145809.2918-2-ubizjak@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
+index 3be7bd8cd8cd..32abc2916b40 100644
+--- a/drivers/irqchip/irq-gic.c
++++ b/drivers/irqchip/irq-gic.c
+@@ -64,7 +64,7 @@ static void gic_check_cpu_features(void)
+
+ union gic_base {
+ void __iomem *common_base;
+- void __percpu * __iomem *percpu_base;
++ void __iomem * __percpu *percpu_base;
+ };
+
+ struct gic_chip_data {
+--
+2.39.5
+
--- /dev/null
+From 4d86e1dad35c47d5d4937100c92bbd3c6b37e5a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 11:31:19 +0900
+Subject: ksmbd: retry iterate_dir in smb2_query_dir
+
+From: Hobin Woo <hobin.woo@samsung.com>
+
+[ Upstream commit 2b904d61a97e8ba79e3bc216ba290fd7e1d85028 ]
+
+Some file systems do not ensure that the single call of iterate_dir
+reaches the end of the directory. For example, FUSE fetches entries from
+a daemon using 4KB buffer and stops fetching if entries exceed the
+buffer. And then an actor of caller, KSMBD, is used to fill the entries
+from the buffer.
+Thus, pattern searching on FUSE, files located after the 4KB could not
+be found and STATUS_NO_SUCH_FILE was returned.
+
+Signed-off-by: Hobin Woo <hobin.woo@samsung.com>
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Namjae Jeon <linkinjeon@kernel.org>
+Tested-by: Yoonho Shin <yoonho.shin@samsung.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 12 +++++++++++-
+ fs/smb/server/vfs.h | 1 +
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 7d01dd313351..aef5a1b7c490 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4224,6 +4224,7 @@ static bool __query_dir(struct dir_context *ctx, const char *name, int namlen,
+ /* dot and dotdot entries are already reserved */
+ if (!strcmp(".", name) || !strcmp("..", name))
+ return true;
++ d_info->num_scan++;
+ if (ksmbd_share_veto_filename(priv->work->tcon->share_conf, name))
+ return true;
+ if (!match_pattern(name, namlen, priv->search_pattern))
+@@ -4384,8 +4385,17 @@ int smb2_query_dir(struct ksmbd_work *work)
+ query_dir_private.info_level = req->FileInformationClass;
+ dir_fp->readdir_data.private = &query_dir_private;
+ set_ctx_actor(&dir_fp->readdir_data.ctx, __query_dir);
+-
++again:
++ d_info.num_scan = 0;
+ rc = iterate_dir(dir_fp->filp, &dir_fp->readdir_data.ctx);
++ /*
++ * num_entry can be 0 if the directory iteration stops before reaching
++ * the end of the directory and no file is matched with the search
++ * pattern.
++ */
++ if (rc >= 0 && !d_info.num_entry && d_info.num_scan &&
++ d_info.out_buf_len > 0)
++ goto again;
+ /*
+ * req->OutputBufferLength is too small to contain even one entry.
+ * In this case, it immediately returns OutputBufferLength 0 to client.
+diff --git a/fs/smb/server/vfs.h b/fs/smb/server/vfs.h
+index cb76f4b5bafe..06903024a2d8 100644
+--- a/fs/smb/server/vfs.h
++++ b/fs/smb/server/vfs.h
+@@ -43,6 +43,7 @@ struct ksmbd_dir_info {
+ char *rptr;
+ int name_len;
+ int out_buf_len;
++ int num_scan;
+ int num_entry;
+ int data_count;
+ int last_entry_offset;
+--
+2.39.5
+
--- /dev/null
+From d3c01cc2f24668a3f5d9bc0c5300da8fa1aa939f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 17:25:25 +0900
+Subject: ksmbd: set ATTR_CTIME flags when setting mtime
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 21e46a79bbe6c4e1aa73b3ed998130f2ff07b128 ]
+
+David reported that the new warning from setattr_copy_mgtime is coming
+like the following.
+
+[ 113.215316] ------------[ cut here ]------------
+[ 113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200
+[ 113.219192] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted 6.13.0-rc1+ #234
+[ 113.220127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+[ 113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
+[ 113.222220] RIP: 0010:setattr_copy+0x1ee/0x200
+[ 113.222833] Code: 24 28 49 8b 44 24 30 48 89 53 58 89 43 6c 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df e8 77 d6 ff ff e9 cd fe ff ff <0f> 0b e9 be fe ff ff 66 0
+[ 113.225110] RSP: 0018:ffffaf218010fb68 EFLAGS: 00010202
+[ 113.225765] RAX: 0000000000000120 RBX: ffffa446815f8568 RCX: 0000000000000003
+[ 113.226667] RDX: ffffaf218010fd38 RSI: ffffa446815f8568 RDI: ffffffff94eb03a0
+[ 113.227531] RBP: ffffaf218010fb90 R08: 0000001a251e217d R09: 00000000675259fa
+[ 113.228426] R10: 0000000002ba8a6d R11: ffffa4468196c7a8 R12: ffffaf218010fd38
+[ 113.229304] R13: 0000000000000120 R14: ffffffff94eb03a0 R15: 0000000000000000
+[ 113.230210] FS: 0000000000000000(0000) GS:ffffa44739d00000(0000) knlGS:0000000000000000
+[ 113.231215] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 113.232055] CR2: 00007efe0053d27e CR3: 000000000331a000 CR4: 00000000000006b0
+[ 113.232926] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 113.233812] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 113.234797] Call Trace:
+[ 113.235116] <TASK>
+[ 113.235393] ? __warn+0x73/0xd0
+[ 113.235802] ? setattr_copy+0x1ee/0x200
+[ 113.236299] ? report_bug+0xf3/0x1e0
+[ 113.236757] ? handle_bug+0x4d/0x90
+[ 113.237202] ? exc_invalid_op+0x13/0x60
+[ 113.237689] ? asm_exc_invalid_op+0x16/0x20
+[ 113.238185] ? setattr_copy+0x1ee/0x200
+[ 113.238692] btrfs_setattr+0x80/0x820 [btrfs]
+[ 113.239285] ? get_stack_info_noinstr+0x12/0xf0
+[ 113.239857] ? __module_address+0x22/0xa0
+[ 113.240368] ? handle_ksmbd_work+0x6e/0x460 [ksmbd]
+[ 113.240993] ? __module_text_address+0x9/0x50
+[ 113.241545] ? __module_address+0x22/0xa0
+[ 113.242033] ? unwind_next_frame+0x10e/0x920
+[ 113.242600] ? __pfx_stack_trace_consume_entry+0x10/0x10
+[ 113.243268] notify_change+0x2c2/0x4e0
+[ 113.243746] ? stack_depot_save_flags+0x27/0x730
+[ 113.244339] ? set_file_basic_info+0x130/0x2b0 [ksmbd]
+[ 113.244993] set_file_basic_info+0x130/0x2b0 [ksmbd]
+[ 113.245613] ? process_scheduled_works+0xbe/0x310
+[ 113.246181] ? worker_thread+0x100/0x240
+[ 113.246696] ? kthread+0xc8/0x100
+[ 113.247126] ? ret_from_fork+0x2b/0x40
+[ 113.247606] ? ret_from_fork_asm+0x1a/0x30
+[ 113.248132] smb2_set_info+0x63f/0xa70 [ksmbd]
+
+ksmbd is trying to set the atime and mtime via notify_change without also
+setting the ctime. so This patch add ATTR_CTIME flags when setting mtime
+to avoid a warning.
+
+Reported-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index aef5a1b7c490..04ffc5b158c3 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -6016,15 +6016,13 @@ static int set_file_basic_info(struct ksmbd_file *fp,
+ attrs.ia_valid |= (ATTR_ATIME | ATTR_ATIME_SET);
+ }
+
+- attrs.ia_valid |= ATTR_CTIME;
+ if (file_info->ChangeTime)
+- attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime);
+- else
+- attrs.ia_ctime = inode_get_ctime(inode);
++ inode_set_ctime_to_ts(inode,
++ ksmbd_NTtimeToUnix(file_info->ChangeTime));
+
+ if (file_info->LastWriteTime) {
+ attrs.ia_mtime = ksmbd_NTtimeToUnix(file_info->LastWriteTime);
+- attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET);
++ attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET | ATTR_CTIME);
+ }
+
+ if (file_info->Attributes) {
+@@ -6066,8 +6064,6 @@ static int set_file_basic_info(struct ksmbd_file *fp,
+ return -EACCES;
+
+ inode_lock(inode);
+- inode_set_ctime_to_ts(inode, attrs.ia_ctime);
+- attrs.ia_valid &= ~ATTR_CTIME;
+ rc = notify_change(idmap, dentry, &attrs, NULL);
+ inode_unlock(inode);
+ }
+--
+2.39.5
+
--- /dev/null
+From ae2c2f846e18131eb8ce19d0be47a6489f9492da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 16:18:21 +0100
+Subject: net: usb: qmi_wwan: add Telit FE910C04 compositions
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+[ Upstream commit 3b58b53a26598209a7ad8259a5114ce71f7c3d64 ]
+
+Add the following Telit FE910C04 compositions:
+
+0x10c0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag)
+T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 13 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=10c0 Rev=05.15
+S: Manufacturer=Telit Cinterion
+S: Product=FE910
+S: SerialNumber=f71b8b32
+C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10c4: rmnet + tty (AT) + tty (AT) + tty (diag)
+T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 14 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=10c4 Rev=05.15
+S: Manufacturer=Telit Cinterion
+S: Product=FE910
+S: SerialNumber=f71b8b32
+C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10c8: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb
+T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=10c8 Rev=05.15
+S: Manufacturer=Telit Cinterion
+S: Product=FE910
+S: SerialNumber=f71b8b32
+C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Link: https://patch.msgid.link/20241209151821.3688829-1-dnlplm@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 0c011d8f5d4d..9fe7f704a2f7 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1365,6 +1365,9 @@ static const struct usb_device_id products[] = {
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a9, 0)}, /* Telit FN920C04 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c0, 0)}, /* Telit FE910C04 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c4, 0)}, /* Telit FE910C04 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c8, 0)}, /* Telit FE910C04 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+--
+2.39.5
+
--- /dev/null
+From c144d714dd62565c09c91d9499af876be74a45b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 10:05:26 -0800
+Subject: perf/x86/intel: Add Arrow Lake U support
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 4e54ed496343702837ddca5f5af720161c6a5407 ]
+
+From PMU's perspective, the new Arrow Lake U is the same as the
+Meteor Lake.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20241121180526.2364759-1-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index 28b4312f2563..f558be868a50 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -7067,6 +7067,7 @@ __init int intel_pmu_init(void)
+
+ case INTEL_METEORLAKE:
+ case INTEL_METEORLAKE_L:
++ case INTEL_ARROWLAKE_U:
+ intel_pmu_init_hybrid(hybrid_big_small);
+
+ x86_pmu.pebs_latency_data = cmt_latency_data;
+--
+2.39.5
+
ila-serialize-calls-to-nf_register_net_hooks.patch
net-ti-icssg-prueth-fix-firmware-load-sequence.patch
net-ti-icssg-prueth-fix-clearing-of-iep_cmp_cfg-regi.patch
+btrfs-allow-swap-activation-to-be-interruptible.patch
+perf-x86-intel-add-arrow-lake-u-support.patch
+wifi-mac80211-fix-mbss-changed-flags-corruption-on-3.patch
+wifi-cfg80211-clear-link-id-from-bitmap-during-link-.patch
+wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch
+drm-amdgpu-use-sjt-mec-fw-on-gfx943-for-sriov.patch
+drm-amdkfd-correct-the-migration-dma-map-direction.patch
+alsa-hda-cs35l56-remove-calls-to-cs35l56_force_sync_.patch
+alsa-hda-realtek-add-support-for-asus-zen-aio-27-z27.patch
+btrfs-handle-bio_split-errors.patch
+btrfs-flush-delalloc-workers-queue-before-stopping-c.patch
+alsa-hda-ca0132-use-standard-hd-audio-quirk-matching.patch
+alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch
+sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch
+sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch
+spi-spi-cadence-qspi-disable-stig-mode-for-altera-so.patch
+asoc-audio-graph-card-call-of_node_put-on-correct-no.patch
+arc-build-disallow-invalid-pae40-4k-page-config.patch
+arc-build-use-__force-to-suppress-per-cpu-cmpxchg-wa.patch
+arc-bpf-correct-conditional-check-in-check_jmp_32.patch
+bpf-fix-potential-error-return.patch
+ksmbd-retry-iterate_dir-in-smb2_query_dir.patch
+ksmbd-set-attr_ctime-flags-when-setting-mtime.patch
+smb-client-destroy-cfid_put_wq-on-module-exit.patch
+net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch
+bluetooth-hci_core-fix-sleeping-function-called-from.patch
+irqchip-gic-correct-declaration-of-percpu_base-point.patch
+arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch
+bpf-refactor-bpf_helper_changes_pkt_data-to-use-help.patch
+bpf-consider-that-tail-calls-invalidate-packet-point.patch
--- /dev/null
+From c3a5f3b37a5d22b95fdee4d7f7f1cbed4029087c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 10:21:48 -0300
+Subject: smb: client: destroy cfid_put_wq on module exit
+
+From: Enzo Matsumiya <ematsumiya@suse.de>
+
+[ Upstream commit 633609c48a358134d3f8ef8241dff24841577f58 ]
+
+Fix potential problem in rmmod
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c
+index bf909c2f6b96..0ceebde38f9f 100644
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -2018,6 +2018,7 @@ exit_cifs(void)
+ destroy_workqueue(decrypt_wq);
+ destroy_workqueue(fileinfo_put_wq);
+ destroy_workqueue(serverclose_wq);
++ destroy_workqueue(cfid_put_wq);
+ destroy_workqueue(cifsiod_wq);
+ cifs_proc_clean();
+ }
+--
+2.39.5
+
--- /dev/null
+From 4dc731ef9914a77b737d8ec9e4f19384e7b5c9af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 11:05:28 +0200
+Subject: sound: usb: enable DSD output for ddHiFi TC44C
+
+From: Adrian Ratiu <adrian.ratiu@collabora.com>
+
+[ Upstream commit c84bd6c810d1880194fea2229c7086e4b73fddc1 ]
+
+This is a UAC 2 DAC capable of raw DSD on intf 2 alt 4:
+
+Bus 007 Device 004: ID 262a:9302 SAVITECH Corp. TC44C
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 239 Miscellaneous Device
+ bDeviceSubClass 2 [unknown]
+ bDeviceProtocol 1 Interface Association
+ bMaxPacketSize0 64
+ idVendor 0x262a SAVITECH Corp.
+ idProduct 0x9302 TC44C
+ bcdDevice 0.01
+ iManufacturer 1 DDHIFI
+ iProduct 2 TC44C
+ iSerial 6 5000000001
+.......
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 2
+ bAlternateSetting 4
+ bNumEndpoints 2
+ bInterfaceClass 1 Audio
+ bInterfaceSubClass 2 Streaming
+ bInterfaceProtocol 32
+ iInterface 0
+ AudioStreaming Interface Descriptor:
+ bLength 16
+ bDescriptorType 36
+ bDescriptorSubtype 1 (AS_GENERAL)
+ bTerminalLink 3
+ bmControls 0x00
+ bFormatType 1
+ bmFormats 0x80000000
+ bNrChannels 2
+ bmChannelConfig 0x00000000
+ iChannelNames 0
+.......
+
+Signed-off-by: Adrian Ratiu <adrian.ratiu@collabora.com>
+Link: https://patch.msgid.link/20241209090529.16134-1-adrian.ratiu@collabora.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index a0767de7f1b7..8ba0aff8be2e 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2325,6 +2325,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_DSD_RAW),
+ DEVICE_FLG(0x2522, 0x0007, /* LH Labs Geek Out HD Audio 1V5 */
+ QUIRK_FLAG_SET_IFACE_FIRST),
++ DEVICE_FLG(0x262a, 0x9302, /* ddHiFi TC44C */
++ QUIRK_FLAG_DSD_RAW),
+ DEVICE_FLG(0x2708, 0x0002, /* Audient iD14 */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
+ DEVICE_FLG(0x2912, 0x30c8, /* Audioengine D1 */
+--
+2.39.5
+
--- /dev/null
+From 2a0c39fce7a9212e51c9529b7e0e52a5454bc2f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 11:05:29 +0200
+Subject: sound: usb: format: don't warn that raw DSD is unsupported
+
+From: Adrian Ratiu <adrian.ratiu@collabora.com>
+
+[ Upstream commit b50a3e98442b8d72f061617c7f7a71f7dba19484 ]
+
+UAC 2 & 3 DAC's set bit 31 of the format to signal support for a
+RAW_DATA type, typically used for DSD playback.
+
+This is correctly tested by (format & UAC*_FORMAT_TYPE_I_RAW_DATA),
+fp->dsd_raw = true; and call snd_usb_interface_dsd_format_quirks(),
+however a confusing and unnecessary message gets printed because
+the bit is not properly tested in the last "unsupported" if test:
+if (format & ~0x3F) { ... }
+
+For example the output:
+
+usb 7-1: new high-speed USB device number 5 using xhci_hcd
+usb 7-1: New USB device found, idVendor=262a, idProduct=9302, bcdDevice=0.01
+usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=6
+usb 7-1: Product: TC44C
+usb 7-1: Manufacturer: TC44C
+usb 7-1: SerialNumber: 5000000001
+hid-generic 0003:262A:9302.001E: No inputs registered, leaving
+hid-generic 0003:262A:9302.001E: hidraw6: USB HID v1.00 Device [DDHIFI TC44C] on usb-0000:08:00.3-1/input0
+usb 7-1: 2:4 : unsupported format bits 0x100000000
+
+This last "unsupported format" is actually wrong: we know the
+format is a RAW_DATA which we assume is DSD, so there is no need
+to print the confusing message.
+
+This we unset bit 31 of the format after recognizing it, to avoid
+the message.
+
+Suggested-by: Takashi Iwai <tiwai@suse.com>
+Signed-off-by: Adrian Ratiu <adrian.ratiu@collabora.com>
+Link: https://patch.msgid.link/20241209090529.16134-2-adrian.ratiu@collabora.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/format.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/format.c b/sound/usb/format.c
+index 0cbf1d4fbe6e..6049d957694c 100644
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -60,6 +60,8 @@ static u64 parse_audio_format_i_type(struct snd_usb_audio *chip,
+ pcm_formats |= SNDRV_PCM_FMTBIT_SPECIAL;
+ /* flag potentially raw DSD capable altsettings */
+ fp->dsd_raw = true;
++ /* clear special format bit to avoid "unsupported format" msg below */
++ format &= ~UAC2_FORMAT_TYPE_I_RAW_DATA;
+ }
+
+ format <<= 1;
+@@ -71,8 +73,11 @@ static u64 parse_audio_format_i_type(struct snd_usb_audio *chip,
+ sample_width = as->bBitResolution;
+ sample_bytes = as->bSubslotSize;
+
+- if (format & UAC3_FORMAT_TYPE_I_RAW_DATA)
++ if (format & UAC3_FORMAT_TYPE_I_RAW_DATA) {
+ pcm_formats |= SNDRV_PCM_FMTBIT_SPECIAL;
++ /* clear special format bit to avoid "unsupported format" msg below */
++ format &= ~UAC3_FORMAT_TYPE_I_RAW_DATA;
++ }
+
+ format <<= 1;
+ break;
+--
+2.39.5
+
--- /dev/null
+From 748433d73762c8cab97b53cf5fb056fe0a3cbd3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 14:33:38 +0800
+Subject: spi: spi-cadence-qspi: Disable STIG mode for Altera SoCFPGA.
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+
+[ Upstream commit 25fb0e77b90e290a1ca30900d54c6a495eea65e2 ]
+
+STIG mode is enabled by default for less than 8 bytes data read/write.
+STIG mode doesn't work with Altera SocFPGA platform due hardware
+limitation.
+Add a quirks to disable STIG mode for Altera SoCFPGA platform.
+
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Link: https://patch.msgid.link/20241204063338.296959-1-niravkumar.l.rabara@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
+index 1755ca026f08..73b1edd0531b 100644
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -43,6 +43,7 @@ static_assert(CQSPI_MAX_CHIPSELECT <= SPI_CS_CNT_MAX);
+ #define CQSPI_SLOW_SRAM BIT(4)
+ #define CQSPI_NEEDS_APB_AHB_HAZARD_WAR BIT(5)
+ #define CQSPI_RD_NO_IRQ BIT(6)
++#define CQSPI_DISABLE_STIG_MODE BIT(7)
+
+ /* Capabilities */
+ #define CQSPI_SUPPORTS_OCTAL BIT(0)
+@@ -103,6 +104,7 @@ struct cqspi_st {
+ bool apb_ahb_hazard;
+
+ bool is_jh7110; /* Flag for StarFive JH7110 SoC */
++ bool disable_stig_mode;
+
+ const struct cqspi_driver_platdata *ddata;
+ };
+@@ -1416,7 +1418,8 @@ static int cqspi_mem_process(struct spi_mem *mem, const struct spi_mem_op *op)
+ * reads, prefer STIG mode for such small reads.
+ */
+ if (!op->addr.nbytes ||
+- op->data.nbytes <= CQSPI_STIG_DATA_LEN_MAX)
++ (op->data.nbytes <= CQSPI_STIG_DATA_LEN_MAX &&
++ !cqspi->disable_stig_mode))
+ return cqspi_command_read(f_pdata, op);
+
+ return cqspi_read(f_pdata, op);
+@@ -1880,6 +1883,8 @@ static int cqspi_probe(struct platform_device *pdev)
+ if (ret)
+ goto probe_reset_failed;
+ }
++ if (ddata->quirks & CQSPI_DISABLE_STIG_MODE)
++ cqspi->disable_stig_mode = true;
+
+ if (of_device_is_compatible(pdev->dev.of_node,
+ "xlnx,versal-ospi-1.0")) {
+@@ -2043,7 +2048,8 @@ static const struct cqspi_driver_platdata intel_lgm_qspi = {
+ static const struct cqspi_driver_platdata socfpga_qspi = {
+ .quirks = CQSPI_DISABLE_DAC_MODE
+ | CQSPI_NO_SUPPORT_WR_COMPLETION
+- | CQSPI_SLOW_SRAM,
++ | CQSPI_SLOW_SRAM
++ | CQSPI_DISABLE_STIG_MODE,
+ };
+
+ static const struct cqspi_driver_platdata versal_ospi = {
+--
+2.39.5
+
--- /dev/null
+From 530a5a4c90009fff79525b9c0b9838f62e557bde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 09:45:30 +0530
+Subject: wifi: cfg80211: clear link ID from bitmap during link delete after
+ clean up
+
+From: Aditya Kumar Singh <quic_adisi@quicinc.com>
+
+[ Upstream commit b5c32ff6a3a38c74facdd1fe34c0d709a55527fd ]
+
+Currently, during link deletion, the link ID is first removed from the
+valid_links bitmap before performing any clean-up operations. However, some
+functions require the link ID to remain in the valid_links bitmap. One
+such example is cfg80211_cac_event(). The flow is -
+
+nl80211_remove_link()
+ cfg80211_remove_link()
+ ieee80211_del_intf_link()
+ ieee80211_vif_set_links()
+ ieee80211_vif_update_links()
+ ieee80211_link_stop()
+ cfg80211_cac_event()
+
+cfg80211_cac_event() requires link ID to be present but it is cleared
+already in cfg80211_remove_link(). Ultimately, WARN_ON() is hit.
+
+Therefore, clear the link ID from the bitmap only after completing the link
+clean-up.
+
+Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
+Link: https://patch.msgid.link/20241121-mlo_dfs_fix-v2-1-92c3bf7ab551@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 8 +++++++-
+ net/wireless/util.c | 3 +--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 1b1bf044378d..f11fd360b422 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -4992,10 +4992,16 @@ static void ieee80211_del_intf_link(struct wiphy *wiphy,
+ unsigned int link_id)
+ {
+ struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
++ u16 new_links = wdev->valid_links & ~BIT(link_id);
+
+ lockdep_assert_wiphy(sdata->local->hw.wiphy);
+
+- ieee80211_vif_set_links(sdata, wdev->valid_links, 0);
++ /* During the link teardown process, certain functions require the
++ * link_id to remain in the valid_links bitmap. Therefore, instead
++ * of removing the link_id from the bitmap, pass a masked value to
++ * simulate as if link_id does not exist anymore.
++ */
++ ieee80211_vif_set_links(sdata, new_links, 0);
+ }
+
+ static int
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index f49b55724f83..18585b1416c6 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -2843,10 +2843,9 @@ void cfg80211_remove_link(struct wireless_dev *wdev, unsigned int link_id)
+ break;
+ }
+
+- wdev->valid_links &= ~BIT(link_id);
+-
+ rdev_del_intf_link(rdev, wdev, link_id);
+
++ wdev->valid_links &= ~BIT(link_id);
+ eth_zero_addr(wdev->links[link_id].addr);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d6622dc1439d2c043f36e640f63e8a44294fdc95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2024 17:29:20 +0100
+Subject: wifi: mac80211: fix mbss changed flags corruption on 32 bit systems
+
+From: Issam Hamdi <ih@simonwunderlich.de>
+
+[ Upstream commit 49dba1ded8dd5a6a12748631403240b2ab245c34 ]
+
+On 32-bit systems, the size of an unsigned long is 4 bytes,
+while a u64 is 8 bytes. Therefore, when using
+or_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE),
+the code is incorrectly searching for a bit in a 32-bit
+variable that is expected to be 64 bits in size,
+leading to incorrect bit finding.
+
+Solution: Ensure that the size of the bits variable is correctly
+adjusted for each architecture.
+
+ Call Trace:
+ ? show_regs+0x54/0x58
+ ? __warn+0x6b/0xd4
+ ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]
+ ? report_bug+0x113/0x150
+ ? exc_overflow+0x30/0x30
+ ? handle_bug+0x27/0x44
+ ? exc_invalid_op+0x18/0x50
+ ? handle_exception+0xf6/0xf6
+ ? exc_overflow+0x30/0x30
+ ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]
+ ? exc_overflow+0x30/0x30
+ ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]
+ ? ieee80211_mesh_work+0xff/0x260 [mac80211]
+ ? cfg80211_wiphy_work+0x72/0x98 [cfg80211]
+ ? process_one_work+0xf1/0x1fc
+ ? worker_thread+0x2c0/0x3b4
+ ? kthread+0xc7/0xf0
+ ? mod_delayed_work_on+0x4c/0x4c
+ ? kthread_complete_and_exit+0x14/0x14
+ ? ret_from_fork+0x24/0x38
+ ? kthread_complete_and_exit+0x14/0x14
+ ? ret_from_fork_asm+0xf/0x14
+ ? entry_INT80_32+0xf0/0xf0
+
+Signed-off-by: Issam Hamdi <ih@simonwunderlich.de>
+Link: https://patch.msgid.link/20241125162920.2711462-1-ih@simonwunderlich.de
+[restore no-op path for no changes]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 640239f4425b..50eb1d8cd43d 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1157,14 +1157,14 @@ void ieee80211_mbss_info_change_notify(struct ieee80211_sub_if_data *sdata,
+ u64 changed)
+ {
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+- unsigned long bits = changed;
++ unsigned long bits[] = { BITMAP_FROM_U64(changed) };
+ u32 bit;
+
+- if (!bits)
++ if (!changed)
+ return;
+
+ /* if we race with running work, worst case this work becomes a noop */
+- for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE)
++ for_each_set_bit(bit, bits, sizeof(changed) * BITS_PER_BYTE)
+ set_bit(bit, ifmsh->mbss_changed);
+ set_bit(MESH_WORK_MBSS_CHANGED, &ifmsh->wrkq_flags);
+ wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
+--
+2.39.5
+
--- /dev/null
+From ecc86b23b84839a45eed4b8eec5d9805a8050fcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 17:35:39 +0200
+Subject: wifi: mac80211: wake the queues in case of failure in resume
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 220bf000530f9b1114fa2a1022a871c7ce8a0b38 ]
+
+In case we fail to resume, we'll WARN with
+"Hardware became unavailable during restart." and we'll wait until user
+space does something. It'll typically bring the interface down and up to
+recover. This won't work though because the queues are still stopped on
+IEEE80211_QUEUE_STOP_REASON_SUSPEND reason.
+Make sure we clear that reason so that we give a chance to the recovery
+to succeed.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219447
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20241119173108.cd628f560f97.I76a15fdb92de450e5329940125f3c58916be3942@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index b4814e97cf74..38c30e4ddda9 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1825,6 +1825,9 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ WARN(1, "Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.\n");
+ else
+ WARN(1, "Hardware became unavailable during restart.\n");
++ ieee80211_wake_queues_by_reason(hw, IEEE80211_MAX_QUEUE_MAP,
++ IEEE80211_QUEUE_STOP_REASON_SUSPEND,
++ false);
+ ieee80211_handle_reconfig_failure(local);
+ return res;
+ }
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
