--- /dev/null
+From 97e86631bccddfbbe0c13f9a9605cdef11d31296 Mon Sep 17 00:00:00 2001
+From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Date: Wed, 8 Jun 2022 22:39:36 -0400
+Subject: btrfs: don't set lock_owner when locking extent buffer for reading
+
+From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+
+commit 97e86631bccddfbbe0c13f9a9605cdef11d31296 upstream.
+
+In 196d59ab9ccc "btrfs: switch extent buffer tree lock to rw_semaphore"
+the functions for tree read locking were rewritten, and in the process
+the read lock functions started setting eb->lock_owner = current->pid.
+Previously lock_owner was only set in tree write lock functions.
+
+Read locks are shared, so they don't have exclusive ownership of the
+underlying object, so setting lock_owner to any single value for a
+read lock makes no sense. It's mostly harmless because write locks
+and read locks are mutually exclusive, and none of the existing code
+in btrfs (btrfs_init_new_buffer and print_eb_refs_lock) cares what
+nonsense is written in lock_owner when no writer is holding the lock.
+
+KCSAN does care, and will complain about the data race incessantly.
+Remove the assignments in the read lock functions because they're
+useless noise.
+
+Fixes: 196d59ab9ccc ("btrfs: switch extent buffer tree lock to rw_semaphore")
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/locking.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/fs/btrfs/locking.c
++++ b/fs/btrfs/locking.c
+@@ -45,7 +45,6 @@ void __btrfs_tree_read_lock(struct exten
+ start_ns = ktime_get_ns();
+
+ down_read_nested(&eb->lock, nest);
+- eb->lock_owner = current->pid;
+ trace_btrfs_tree_read_lock(eb, start_ns);
+ }
+
+@@ -62,7 +61,6 @@ void btrfs_tree_read_lock(struct extent_
+ int btrfs_try_tree_read_lock(struct extent_buffer *eb)
+ {
+ if (down_read_trylock(&eb->lock)) {
+- eb->lock_owner = current->pid;
+ trace_btrfs_try_tree_read_lock(eb);
+ return 1;
+ }
+@@ -90,7 +88,6 @@ int btrfs_try_tree_write_lock(struct ext
+ void btrfs_tree_read_unlock(struct extent_buffer *eb)
+ {
+ trace_btrfs_tree_read_unlock(eb);
+- eb->lock_owner = 0;
+ up_read(&eb->lock);
+ }
+
--- /dev/null
+From bf7ba8ee759b7b7a34787ddd8dc3f190a3d7fa24 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 13 Jun 2022 15:09:49 -0400
+Subject: btrfs: fix deadlock with fsync+fiemap+transaction commit
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit bf7ba8ee759b7b7a34787ddd8dc3f190a3d7fa24 upstream.
+
+We are hitting the following deadlock in production occasionally
+
+Task 1 Task 2 Task 3 Task 4 Task 5
+ fsync(A)
+ start trans
+ start commit
+ falloc(A)
+ lock 5m-10m
+ start trans
+ wait for commit
+fiemap(A)
+ lock 0-10m
+ wait for 5m-10m
+ (have 0-5m locked)
+
+ have btrfs_need_log_full_commit
+ !full_sync
+ wait_ordered_extents
+ finish_ordered_io(A)
+ lock 0-5m
+ DEADLOCK
+
+We have an existing dependency of file extent lock -> transaction.
+However in fsync if we tried to do the fast logging, but then had to
+fall back to committing the transaction, we will be forced to call
+btrfs_wait_ordered_range() to make sure all of our extents are updated.
+
+This creates a dependency of transaction -> file extent lock, because
+btrfs_finish_ordered_io() will need to take the file extent lock in
+order to run the ordered extents.
+
+Fix this by stopping the transaction if we have to do the full commit
+and we attempted to do the fast logging. Then attach to the transaction
+and commit it if we need to.
+
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c | 67 +++++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 52 insertions(+), 15 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2359,25 +2359,62 @@ int btrfs_sync_file(struct file *file, l
+ */
+ btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
+
+- if (ret != BTRFS_NO_LOG_SYNC) {
++ if (ret == BTRFS_NO_LOG_SYNC) {
++ ret = btrfs_end_transaction(trans);
++ goto out;
++ }
++
++ /* We successfully logged the inode, attempt to sync the log. */
++ if (!ret) {
++ ret = btrfs_sync_log(trans, root, &ctx);
+ if (!ret) {
+- ret = btrfs_sync_log(trans, root, &ctx);
+- if (!ret) {
+- ret = btrfs_end_transaction(trans);
+- goto out;
+- }
++ ret = btrfs_end_transaction(trans);
++ goto out;
+ }
+- if (!full_sync) {
+- ret = btrfs_wait_ordered_range(inode, start, len);
+- if (ret) {
+- btrfs_end_transaction(trans);
+- goto out;
+- }
+- }
+- ret = btrfs_commit_transaction(trans);
+- } else {
++ }
++
++ /*
++ * At this point we need to commit the transaction because we had
++ * btrfs_need_log_full_commit() or some other error.
++ *
++ * If we didn't do a full sync we have to stop the trans handle, wait on
++ * the ordered extents, start it again and commit the transaction. If
++ * we attempt to wait on the ordered extents here we could deadlock with
++ * something like fallocate() that is holding the extent lock trying to
++ * start a transaction while some other thread is trying to commit the
++ * transaction while we (fsync) are currently holding the transaction
++ * open.
++ */
++ if (!full_sync) {
+ ret = btrfs_end_transaction(trans);
++ if (ret)
++ goto out;
++ ret = btrfs_wait_ordered_range(inode, start, len);
++ if (ret)
++ goto out;
++
++ /*
++ * This is safe to use here because we're only interested in
++ * making sure the transaction that had the ordered extents is
++ * committed. We aren't waiting on anything past this point,
++ * we're purely getting the transaction and committing it.
++ */
++ trans = btrfs_attach_transaction_barrier(root);
++ if (IS_ERR(trans)) {
++ ret = PTR_ERR(trans);
++
++ /*
++ * We committed the transaction and there's no currently
++ * running transaction, this means everything we care
++ * about made it to disk and we are done.
++ */
++ if (ret == -ENOENT)
++ ret = 0;
++ goto out;
++ }
+ }
++
++ ret = btrfs_commit_transaction(trans);
+ out:
+ ASSERT(list_empty(&ctx.list));
+ err = file_check_and_advance_wb_err(file);
--- /dev/null
+From d4597898ba7b9d467b94a9aafd65ec408a75041f Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 6 Jun 2022 10:41:17 +0100
+Subject: btrfs: fix race between reflinking and ordered extent completion
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit d4597898ba7b9d467b94a9aafd65ec408a75041f upstream.
+
+While doing a reflink operation, if an ordered extent for a file range
+that does not overlap with the source and destination ranges of the
+reflink operation happens, we can end up having a failure in the reflink
+operation and return -EINVAL to user space.
+
+The following sequence of steps explains how this can happen:
+
+1) We have the page at file offset 315392 dirty (under delalloc);
+
+2) A reflink operation for this file starts, using the same file as both
+ source and destination, the source range is [372736, 409600) (length of
+ 36864 bytes) and the destination range is [208896, 245760);
+
+3) At btrfs_remap_file_range_prep(), we flush all delalloc in the source
+ and destination ranges, and wait for any ordered extents in those range
+ to complete;
+
+4) Still at btrfs_remap_file_range_prep(), we then flush all delalloc in
+ the inode, but we neither wait for it to complete nor any ordered
+ extents to complete. This results in starting delalloc for the page at
+ file offset 315392 and creating an ordered extent for that single page
+ range;
+
+5) We then move to btrfs_clone() and enter the loop to find file extent
+ items to copy from the source range to destination range;
+
+6) In the first iteration we end up at last file extent item stored in
+ leaf A:
+
+ (...)
+ item 131 key (143616 108 315392) itemoff 5101 itemsize 53
+ extent data disk bytenr 1903988736 nr 73728
+ extent data offset 12288 nr 61440 ram 73728
+
+ This represents the file range [315392, 376832), which overlaps with
+ the source range to clone.
+
+ @datal is set to 61440, key.offset is 315392 and @next_key_min_offset
+ is therefore set to 376832 (315392 + 61440).
+
+ @off (372736) is > key.offset (315392), so @new_key.offset is set to
+ the value of @destoff (208896).
+
+ @new_key.offset == @last_dest_end (208896) so @drop_start is set to
+ 208896 (@new_key.offset).
+
+ @datal is adjusted to 4096, as @off is > @key.offset.
+
+ So in this iteration we call btrfs_replace_file_extents() for the range
+ [208896, 212991] (a single page, which is
+ [@drop_start, @new_key.offset + @datal - 1]).
+
+ @last_dest_end is set to 212992 (@new_key.offset + @datal =
+ 208896 + 4096 = 212992).
+
+ Before the next iteration of the loop, @key.offset is set to the value
+ 376832, which is @next_key_min_offset;
+
+7) On the second iteration btrfs_search_slot() leaves us again at leaf A,
+ but this time pointing beyond the last slot of leaf A, as that's where
+ a key with offset 376832 should be at if it existed. So end up calling
+ btrfs_next_leaf();
+
+8) btrfs_next_leaf() releases the path, but before it searches again the
+ tree for the next key/leaf, the ordered extent for the single page
+ range at file offset 315392 completes. That results in trimming the
+ file extent item we processed before, adjusting its key offset from
+ 315392 to 319488, reducing its length from 61440 to 57344 and inserting
+ a new file extent item for that single page range, with a key offset of
+ 315392 and a length of 4096.
+
+ Leaf A now looks like:
+
+ (...)
+ item 132 key (143616 108 315392) itemoff 4995 itemsize 53
+ extent data disk bytenr 1801666560 nr 4096
+ extent data offset 0 nr 4096 ram 4096
+ item 133 key (143616 108 319488) itemoff 4942 itemsize 53
+ extent data disk bytenr 1903988736 nr 73728
+ extent data offset 16384 nr 57344 ram 73728
+
+9) When btrfs_next_leaf() returns, it gives us a path pointing to leaf A
+ at slot 133, since it's the first key that follows what was the last
+ key we saw (143616 108 315392). In fact it's the same item we processed
+ before, but its key offset was changed, so it counts as a new key;
+
+10) So now we have:
+
+ @key.offset == 319488
+ @datal == 57344
+
+ @off (372736) is > key.offset (319488), so @new_key.offset is set to
+ 208896 (@destoff value).
+
+ @new_key.offset (208896) != @last_dest_end (212992), so @drop_start
+ is set to 212992 (@last_dest_end value).
+
+ @datal is adjusted to 4096 because @off > @key.offset.
+
+ So in this iteration we call btrfs_replace_file_extents() for the
+ invalid range of [212992, 212991] (which is
+ [@drop_start, @new_key.offset + @datal - 1]).
+
+ This range is empty, the end offset is smaller than the start offset
+ so btrfs_replace_file_extents() returns -EINVAL, which we end up
+ returning to user space and fail the reflink operation.
+
+ This all happens because the range of this file extent item was
+ already processed in the previous iteration.
+
+This scenario can be triggered very sporadically by fsx from fstests, for
+example with test case generic/522.
+
+So fix this by having btrfs_clone() skip file extent items that cover a
+file range that we have already processed.
+
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/reflink.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/reflink.c
++++ b/fs/btrfs/reflink.c
+@@ -344,6 +344,7 @@ static int btrfs_clone(struct inode *src
+ int ret;
+ const u64 len = olen_aligned;
+ u64 last_dest_end = destoff;
++ u64 prev_extent_end = off;
+
+ ret = -ENOMEM;
+ buf = kvmalloc(fs_info->nodesize, GFP_KERNEL);
+@@ -363,7 +364,6 @@ static int btrfs_clone(struct inode *src
+ key.offset = off;
+
+ while (1) {
+- u64 next_key_min_offset = key.offset + 1;
+ struct btrfs_file_extent_item *extent;
+ u64 extent_gen;
+ int type;
+@@ -431,14 +431,21 @@ process_slot:
+ * The first search might have left us at an extent item that
+ * ends before our target range's start, can happen if we have
+ * holes and NO_HOLES feature enabled.
++ *
++ * Subsequent searches may leave us on a file range we have
++ * processed before - this happens due to a race with ordered
++ * extent completion for a file range that is outside our source
++ * range, but that range was part of a file extent item that
++ * also covered a leading part of our source range.
+ */
+- if (key.offset + datal <= off) {
++ if (key.offset + datal <= prev_extent_end) {
+ path->slots[0]++;
+ goto process_slot;
+ } else if (key.offset >= off + len) {
+ break;
+ }
+- next_key_min_offset = key.offset + datal;
++
++ prev_extent_end = key.offset + datal;
+ size = btrfs_item_size(leaf, slot);
+ read_extent_buffer(leaf, buf, btrfs_item_ptr_offset(leaf, slot),
+ size);
+@@ -550,7 +557,7 @@ process_slot:
+ break;
+
+ btrfs_release_path(path);
+- key.offset = next_key_min_offset;
++ key.offset = prev_extent_end;
+
+ if (fatal_signal_pending(current)) {
+ ret = -EINTR;
--- /dev/null
+From 9faa1c8f92f33daad9db96944139de225cefa199 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 15 Jun 2022 15:53:09 +0200
+Subject: dt-bindings: usb: ehci: Increase the number of PHYs
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 9faa1c8f92f33daad9db96944139de225cefa199 upstream.
+
+"make dtbs_check":
+
+ arch/arm/boot/dts/r8a77470-iwg23s-sbc.dtb: usb@ee080100: phys: [[17, 0], [31]] is too long
+ From schema: Documentation/devicetree/bindings/usb/generic-ehci.yaml
+ arch/arm/boot/dts/r8a77470-iwg23s-sbc.dtb: usb@ee0c0100: phys: [[17, 1], [33], [21, 0]] is too long
+ From schema: Documentation/devicetree/bindings/usb/generic-ehci.yaml
+
+Some USB EHCI controllers (e.g. on the Renesas RZ/G1C SoC) have multiple
+PHYs. Increase the maximum number of PHYs to 3, which is sufficient for
+now.
+
+Fixes: 0499220d6dadafa5 ("dt-bindings: Add missing array size constraints")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/c5d19e2f9714f43effd90208798fc1936098078f.1655301043.git.geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/usb/generic-ehci.yaml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/usb/generic-ehci.yaml
++++ b/Documentation/devicetree/bindings/usb/generic-ehci.yaml
+@@ -135,7 +135,8 @@ properties:
+ Phandle of a companion.
+
+ phys:
+- maxItems: 1
++ minItems: 1
++ maxItems: 3
+
+ phy-names:
+ const: usb
--- /dev/null
+From 0f074c1c95ea496dc91279b6c4b9845a337517fa Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 15 Jun 2022 15:54:02 +0200
+Subject: dt-bindings: usb: ohci: Increase the number of PHYs
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 0f074c1c95ea496dc91279b6c4b9845a337517fa upstream.
+
+"make dtbs_check":
+
+ arch/arm/boot/dts/r8a77470-iwg23s-sbc.dtb: usb@ee080000: phys: [[17, 0], [31]] is too long
+ From schema: Documentation/devicetree/bindings/usb/generic-ohci.yaml
+ arch/arm/boot/dts/r8a77470-iwg23s-sbc.dtb: usb@ee0c0000: phys: [[17, 1], [33], [21, 0]] is too long
+ From schema: Documentation/devicetree/bindings/usb/generic-ohci.yaml
+
+Some USB OHCI controllers (e.g. on the Renesas RZ/G1C SoC) have multiple
+PHYs. Increase the maximum number of PHYs to 3, which is sufficient for
+now.
+
+Fixes: 0499220d6dadafa5 ("dt-bindings: Add missing array size constraints")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/0112f9c8881513cb33bf7b66bc743dd08b35a2f5.1655301203.git.geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/usb/generic-ohci.yaml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/usb/generic-ohci.yaml
++++ b/Documentation/devicetree/bindings/usb/generic-ohci.yaml
+@@ -102,7 +102,8 @@ properties:
+ Overrides the detected port count
+
+ phys:
+- maxItems: 1
++ minItems: 1
++ maxItems: 3
+
+ phy-names:
+ const: usb
--- /dev/null
+From 4cde00d50707c2ef6647b9b96b2cb40b6eb24397 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Tue, 31 May 2022 18:27:09 -0700
+Subject: f2fs: attach inline_data after setting compression
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 4cde00d50707c2ef6647b9b96b2cb40b6eb24397 upstream.
+
+This fixes the below corruption.
+
+[345393.335389] F2FS-fs (vdb): sanity_check_inode: inode (ino=6d0, mode=33206) should not have inline_data, run fsck to fix
+
+Cc: <stable@vger.kernel.org>
+Fixes: 677a82b44ebf ("f2fs: fix to do sanity check for inline inode")
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/namei.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -92,8 +92,6 @@ static struct inode *f2fs_new_inode(stru
+ if (test_opt(sbi, INLINE_XATTR))
+ set_inode_flag(inode, FI_INLINE_XATTR);
+
+- if (test_opt(sbi, INLINE_DATA) && f2fs_may_inline_data(inode))
+- set_inode_flag(inode, FI_INLINE_DATA);
+ if (f2fs_may_inline_dentry(inode))
+ set_inode_flag(inode, FI_INLINE_DENTRY);
+
+@@ -110,10 +108,6 @@ static struct inode *f2fs_new_inode(stru
+
+ f2fs_init_extent_tree(inode, NULL);
+
+- stat_inc_inline_xattr(inode);
+- stat_inc_inline_inode(inode);
+- stat_inc_inline_dir(inode);
+-
+ F2FS_I(inode)->i_flags =
+ f2fs_mask_flags(mode, F2FS_I(dir)->i_flags & F2FS_FL_INHERITED);
+
+@@ -130,6 +124,14 @@ static struct inode *f2fs_new_inode(stru
+ set_compress_context(inode);
+ }
+
++ /* Should enable inline_data after compression set */
++ if (test_opt(sbi, INLINE_DATA) && f2fs_may_inline_data(inode))
++ set_inode_flag(inode, FI_INLINE_DATA);
++
++ stat_inc_inline_xattr(inode);
++ stat_inc_inline_inode(inode);
++ stat_inc_inline_dir(inode);
++
+ f2fs_set_inode_flags(inode);
+
+ trace_f2fs_new_inode(inode, 0);
+@@ -328,6 +330,9 @@ static void set_compress_inode(struct f2
+ if (!is_extension_exist(name, ext[i], false))
+ continue;
+
++ /* Do not use inline_data with compression */
++ stat_dec_inline_inode(inode);
++ clear_inode_flag(inode, FI_INLINE_DATA);
+ set_compress_context(inode);
+ return;
+ }
--- /dev/null
+From 82c7863ed95d0914f02c7c8c011200a763bc6725 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Sat, 18 Jun 2022 00:42:24 -0700
+Subject: f2fs: do not count ENOENT for error case
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 82c7863ed95d0914f02c7c8c011200a763bc6725 upstream.
+
+Otherwise, we can get a wrong cp_error mark.
+
+Cc: <stable@vger.kernel.org>
+Fixes: a7b8618aa2f0 ("f2fs: avoid infinite loop to flush node pages")
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -1454,7 +1454,9 @@ page_hit:
+ out_err:
+ ClearPageUptodate(page);
+ out_put_err:
+- f2fs_handle_page_eio(sbi, page->index, NODE);
++ /* ENOENT comes from read_node_page which is not an error. */
++ if (err != -ENOENT)
++ f2fs_handle_page_eio(sbi, page->index, NODE);
+ f2fs_put_page(page, 1);
+ return ERR_PTR(err);
+ }
--- /dev/null
+From 61803e984307c767a96d85f3b61ca50e1705fc67 Mon Sep 17 00:00:00 2001
+From: Daeho Jeong <daehojeong@google.com>
+Date: Fri, 10 Jun 2022 11:32:40 -0700
+Subject: f2fs: fix iostat related lock protection
+
+From: Daeho Jeong <daehojeong@google.com>
+
+commit 61803e984307c767a96d85f3b61ca50e1705fc67 upstream.
+
+Made iostat related locks safe to be called from irq context again.
+
+Cc: <stable@vger.kernel.org>
+Fixes: a1e09b03e6f5 ("f2fs: use iomap for direct I/O")
+Signed-off-by: Daeho Jeong <daehojeong@google.com>
+Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
+Tested-by: Eddie Huang <eddie.huang@mediatek.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/iostat.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+--- a/fs/f2fs/iostat.c
++++ b/fs/f2fs/iostat.c
+@@ -91,8 +91,9 @@ static inline void __record_iostat_laten
+ unsigned int cnt;
+ struct f2fs_iostat_latency iostat_lat[MAX_IO_TYPE][NR_PAGE_TYPE];
+ struct iostat_lat_info *io_lat = sbi->iostat_io_lat;
++ unsigned long flags;
+
+- spin_lock_bh(&sbi->iostat_lat_lock);
++ spin_lock_irqsave(&sbi->iostat_lat_lock, flags);
+ for (idx = 0; idx < MAX_IO_TYPE; idx++) {
+ for (io = 0; io < NR_PAGE_TYPE; io++) {
+ cnt = io_lat->bio_cnt[idx][io];
+@@ -106,7 +107,7 @@ static inline void __record_iostat_laten
+ io_lat->bio_cnt[idx][io] = 0;
+ }
+ }
+- spin_unlock_bh(&sbi->iostat_lat_lock);
++ spin_unlock_irqrestore(&sbi->iostat_lat_lock, flags);
+
+ trace_f2fs_iostat_latency(sbi, iostat_lat);
+ }
+@@ -115,14 +116,15 @@ static inline void f2fs_record_iostat(st
+ {
+ unsigned long long iostat_diff[NR_IO_TYPE];
+ int i;
++ unsigned long flags;
+
+ if (time_is_after_jiffies(sbi->iostat_next_period))
+ return;
+
+ /* Need double check under the lock */
+- spin_lock_bh(&sbi->iostat_lock);
++ spin_lock_irqsave(&sbi->iostat_lock, flags);
+ if (time_is_after_jiffies(sbi->iostat_next_period)) {
+- spin_unlock_bh(&sbi->iostat_lock);
++ spin_unlock_irqrestore(&sbi->iostat_lock, flags);
+ return;
+ }
+ sbi->iostat_next_period = jiffies +
+@@ -133,7 +135,7 @@ static inline void f2fs_record_iostat(st
+ sbi->prev_rw_iostat[i];
+ sbi->prev_rw_iostat[i] = sbi->rw_iostat[i];
+ }
+- spin_unlock_bh(&sbi->iostat_lock);
++ spin_unlock_irqrestore(&sbi->iostat_lock, flags);
+
+ trace_f2fs_iostat(sbi, iostat_diff);
+
+@@ -145,25 +147,27 @@ void f2fs_reset_iostat(struct f2fs_sb_in
+ struct iostat_lat_info *io_lat = sbi->iostat_io_lat;
+ int i;
+
+- spin_lock_bh(&sbi->iostat_lock);
++ spin_lock_irq(&sbi->iostat_lock);
+ for (i = 0; i < NR_IO_TYPE; i++) {
+ sbi->rw_iostat[i] = 0;
+ sbi->prev_rw_iostat[i] = 0;
+ }
+- spin_unlock_bh(&sbi->iostat_lock);
++ spin_unlock_irq(&sbi->iostat_lock);
+
+- spin_lock_bh(&sbi->iostat_lat_lock);
++ spin_lock_irq(&sbi->iostat_lat_lock);
+ memset(io_lat, 0, sizeof(struct iostat_lat_info));
+- spin_unlock_bh(&sbi->iostat_lat_lock);
++ spin_unlock_irq(&sbi->iostat_lat_lock);
+ }
+
+ void f2fs_update_iostat(struct f2fs_sb_info *sbi,
+ enum iostat_type type, unsigned long long io_bytes)
+ {
++ unsigned long flags;
++
+ if (!sbi->iostat_enable)
+ return;
+
+- spin_lock_bh(&sbi->iostat_lock);
++ spin_lock_irqsave(&sbi->iostat_lock, flags);
+ sbi->rw_iostat[type] += io_bytes;
+
+ if (type == APP_BUFFERED_IO || type == APP_DIRECT_IO)
+@@ -172,7 +176,7 @@ void f2fs_update_iostat(struct f2fs_sb_i
+ if (type == APP_BUFFERED_READ_IO || type == APP_DIRECT_READ_IO)
+ sbi->rw_iostat[APP_READ_IO] += io_bytes;
+
+- spin_unlock_bh(&sbi->iostat_lock);
++ spin_unlock_irqrestore(&sbi->iostat_lock, flags);
+
+ f2fs_record_iostat(sbi);
+ }
+@@ -185,6 +189,7 @@ static inline void __update_iostat_laten
+ struct f2fs_sb_info *sbi = iostat_ctx->sbi;
+ struct iostat_lat_info *io_lat = sbi->iostat_io_lat;
+ int idx;
++ unsigned long flags;
+
+ if (!sbi->iostat_enable)
+ return;
+@@ -202,12 +207,12 @@ static inline void __update_iostat_laten
+ idx = WRITE_ASYNC_IO;
+ }
+
+- spin_lock_bh(&sbi->iostat_lat_lock);
++ spin_lock_irqsave(&sbi->iostat_lat_lock, flags);
+ io_lat->sum_lat[idx][iotype] += ts_diff;
+ io_lat->bio_cnt[idx][iotype]++;
+ if (ts_diff > io_lat->peak_lat[idx][iotype])
+ io_lat->peak_lat[idx][iotype] = ts_diff;
+- spin_unlock_bh(&sbi->iostat_lat_lock);
++ spin_unlock_irqrestore(&sbi->iostat_lat_lock, flags);
+ }
+
+ void iostat_update_and_unbind_ctx(struct bio *bio, int rw)
--- /dev/null
+From 10b9c2c33ac706face458feab8965f11743c98c0 Mon Sep 17 00:00:00 2001
+From: Dmitry Rokosov <DDRokosov@sberdevices.ru>
+Date: Tue, 24 May 2022 18:14:46 +0000
+Subject: iio:humidity:hts221: rearrange iio trigger get and register
+
+From: Dmitry Rokosov <DDRokosov@sberdevices.ru>
+
+commit 10b9c2c33ac706face458feab8965f11743c98c0 upstream.
+
+IIO trigger interface function iio_trigger_get() should be called after
+iio_trigger_register() (or its devm analogue) strictly, because of
+iio_trigger_get() acquires module refcnt based on the trigger->owner
+pointer, which is initialized inside iio_trigger_register() to
+THIS_MODULE.
+If this call order is wrong, the next iio_trigger_put() (from sysfs
+callback or "delete module" path) will dereference "default" module
+refcnt, which is incorrect behaviour.
+
+Fixes: e4a70e3e7d84 ("iio: humidity: add support to hts221 rh/temp combo device")
+Signed-off-by: Dmitry Rokosov <ddrokosov@sberdevices.ru>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220524181150.9240-6-ddrokosov@sberdevices.ru
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/humidity/hts221_buffer.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/humidity/hts221_buffer.c
++++ b/drivers/iio/humidity/hts221_buffer.c
+@@ -135,9 +135,12 @@ int hts221_allocate_trigger(struct iio_d
+
+ iio_trigger_set_drvdata(hw->trig, iio_dev);
+ hw->trig->ops = &hts221_trigger_ops;
++
++ err = devm_iio_trigger_register(hw->dev, hw->trig);
++
+ iio_dev->trig = iio_trigger_get(hw->trig);
+
+- return devm_iio_trigger_register(hw->dev, hw->trig);
++ return err;
+ }
+
+ static int hts221_buffer_preenable(struct iio_dev *iio_dev)
usb-gadget-uvc-fix-list-double-add-in-uvcg_video_pump.patch
usb-gadget-fix-non-unique-driver-names-in-raw-gadget-driver.patch
usb-gadget-fix-double-free-bug-in-raw_gadget-driver.patch
+usb-chipidea-udc-check-request-status-before-setting-device-address.patch
+dt-bindings-usb-ohci-increase-the-number-of-phys.patch
+dt-bindings-usb-ehci-increase-the-number-of-phys.patch
+btrfs-fix-race-between-reflinking-and-ordered-extent-completion.patch
+btrfs-don-t-set-lock_owner-when-locking-extent-buffer-for-reading.patch
+btrfs-fix-deadlock-with-fsync-fiemap-transaction-commit.patch
+f2fs-attach-inline_data-after-setting-compression.patch
+f2fs-fix-iostat-related-lock-protection.patch
+f2fs-do-not-count-enoent-for-error-case.patch
+iio-humidity-hts221-rearrange-iio-trigger-get-and-register.patch
--- /dev/null
+From b24346a240b36cfc4df194d145463874985aa29b Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Thu, 23 Jun 2022 11:02:42 +0800
+Subject: usb: chipidea: udc: check request status before setting device address
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit b24346a240b36cfc4df194d145463874985aa29b upstream.
+
+The complete() function may be called even though request is not
+completed. In this case, it's necessary to check request status so
+as not to set device address wrongly.
+
+Fixes: 10775eb17bee ("usb: chipidea: udc: update gadget states according to ch9")
+cc: <stable@vger.kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20220623030242.41796-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/udc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1048,6 +1048,9 @@ isr_setup_status_complete(struct usb_ep
+ struct ci_hdrc *ci = req->context;
+ unsigned long flags;
+
++ if (req->status < 0)
++ return;
++
+ if (ci->setaddr) {
+ hw_usb_set_address(ci, ci->address);
+ ci->setaddr = false;
projects / thirdparty / kernel / stable-queue.git / commitdiff
