--- /dev/null
+From 9dedb724446913ea7b1591b4b3d2e3e909090980 Mon Sep 17 00:00:00 2001
+From: Zev Weiss <zev@bewilderbeest.net>
+Date: Thu, 23 Feb 2023 16:04:00 -0800
+Subject: ARM: dts: aspeed: asrock: Correct firmware flash SPI clocks
+
+From: Zev Weiss <zev@bewilderbeest.net>
+
+commit 9dedb724446913ea7b1591b4b3d2e3e909090980 upstream.
+
+While I'm not aware of any problems that have occurred running these
+at 100 MHz, the official word from ASRock is that 50 MHz is the
+correct speed to use, so let's be safe and use that instead.
+
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Cc: stable@vger.kernel.org
+Fixes: 2b81613ce417 ("ARM: dts: aspeed: Add ASRock E3C246D4I BMC")
+Fixes: a9a3d60b937a ("ARM: dts: aspeed: Add ASRock ROMED8HM3 BMC")
+Link: https://lore.kernel.org/r/20230224000400.12226-4-zev@bewilderbeest.net
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts | 2 +-
+ arch/arm/boot/dts/aspeed-bmc-asrock-romed8hm3.dts | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts
++++ b/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts
+@@ -63,7 +63,7 @@
+ status = "okay";
+ m25p,fast-read;
+ label = "bmc";
+- spi-max-frequency = <100000000>; /* 100 MHz */
++ spi-max-frequency = <50000000>; /* 50 MHz */
+ #include "openbmc-flash-layout.dtsi"
+ };
+ };
+--- a/arch/arm/boot/dts/aspeed-bmc-asrock-romed8hm3.dts
++++ b/arch/arm/boot/dts/aspeed-bmc-asrock-romed8hm3.dts
+@@ -51,7 +51,7 @@
+ status = "okay";
+ m25p,fast-read;
+ label = "bmc";
+- spi-max-frequency = <100000000>; /* 100 MHz */
++ spi-max-frequency = <50000000>; /* 50 MHz */
+ #include "openbmc-flash-layout-64.dtsi"
+ };
+ };
--- /dev/null
+From a3fd10732d276d7cf372c6746a78a1c8b6aa7541 Mon Sep 17 00:00:00 2001
+From: Zev Weiss <zev@bewilderbeest.net>
+Date: Thu, 23 Feb 2023 16:03:58 -0800
+Subject: ARM: dts: aspeed: romed8hm3: Fix GPIO polarity of system-fault LED
+
+From: Zev Weiss <zev@bewilderbeest.net>
+
+commit a3fd10732d276d7cf372c6746a78a1c8b6aa7541 upstream.
+
+Turns out it's in fact not the same as the heartbeat LED.
+
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Cc: stable@vger.kernel.org # v5.18+
+Fixes: a9a3d60b937a ("ARM: dts: aspeed: Add ASRock ROMED8HM3 BMC")
+Link: https://lore.kernel.org/r/20230224000400.12226-2-zev@bewilderbeest.net
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/aspeed-bmc-asrock-romed8hm3.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/aspeed-bmc-asrock-romed8hm3.dts
++++ b/arch/arm/boot/dts/aspeed-bmc-asrock-romed8hm3.dts
+@@ -31,7 +31,7 @@
+ };
+
+ system-fault {
+- gpios = <&gpio ASPEED_GPIO(Z, 2) GPIO_ACTIVE_LOW>;
++ gpios = <&gpio ASPEED_GPIO(Z, 2) GPIO_ACTIVE_HIGH>;
+ panic-indicator;
+ };
+ };
--- /dev/null
+From 6c950c20da38debf1ed531e0b972bd8b53d1c11f Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Fri, 17 Feb 2023 16:06:27 +0100
+Subject: ARM: dts: exynos: fix WM8960 clock name in Itop Elite
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 6c950c20da38debf1ed531e0b972bd8b53d1c11f upstream.
+
+The WM8960 Linux driver expects the clock to be named "mclk". Otherwise
+the clock will be ignored and not prepared/enabled by the driver.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 339b2fb36a67 ("ARM: dts: exynos: Add TOPEET itop elite based board")
+Link: https://lore.kernel.org/r/20230217150627.779764-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/exynos4412-itop-elite.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos4412-itop-elite.dts
++++ b/arch/arm/boot/dts/exynos4412-itop-elite.dts
+@@ -182,7 +182,7 @@
+ compatible = "wlf,wm8960";
+ reg = <0x1a>;
+ clocks = <&pmu_system_controller 0>;
+- clock-names = "MCLK1";
++ clock-names = "mclk";
+ wlf,shared-lrclk;
+ #sound-dai-cells = <0>;
+ };
--- /dev/null
+From 665b9459bb53b8f19bd1541567e1fe9782c83c4b Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sun, 12 Feb 2023 19:58:18 +0100
+Subject: ARM: dts: s5pv210: correct MIPI CSIS clock name
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 665b9459bb53b8f19bd1541567e1fe9782c83c4b upstream.
+
+The Samsung S5P/Exynos MIPI CSIS bindings and Linux driver expect first
+clock name to be "csis". Otherwise the driver fails to probe.
+
+Fixes: 94ad0f6d9278 ("ARM: dts: Add Device tree for s5pv210 SoC")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230212185818.43503-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/s5pv210.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/s5pv210.dtsi
++++ b/arch/arm/boot/dts/s5pv210.dtsi
+@@ -566,7 +566,7 @@
+ interrupts = <29>;
+ clocks = <&clocks CLK_CSIS>,
+ <&clocks SCLK_CSIS>;
+- clock-names = "clk_csis",
++ clock-names = "csis",
+ "sclk_csis";
+ bus-width = <4>;
+ status = "disabled";
--- /dev/null
+From d246331b78cbef86237f9c22389205bc9b4e1cc1 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Tue, 2 May 2023 16:00:06 -0400
+Subject: btrfs: don't free qgroup space unless specified
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit d246331b78cbef86237f9c22389205bc9b4e1cc1 upstream.
+
+Boris noticed in his simple quotas testing that he was getting a leak
+with Sweet Tea's change to subvol create that stopped doing a
+transaction commit. This was just a side effect of that change.
+
+In the delayed inode code we have an optimization that will free extra
+reservations if we think we can pack a dir item into an already modified
+leaf. Previously this wouldn't be triggered in the subvolume create
+case because we'd commit the transaction, it was still possible but
+much harder to trigger. It could actually be triggered if we did a
+mkdir && subvol create with qgroups enabled.
+
+This occurs because in btrfs_insert_delayed_dir_index(), which gets
+called when we're adding the dir item, we do the following:
+
+ btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL);
+
+if we're able to skip reserving space.
+
+The problem here is that trans->block_rsv points at the temporary block
+rsv for the subvolume create, which has qgroup reservations in the block
+rsv.
+
+This is a problem because btrfs_block_rsv_release() will do the
+following:
+
+ if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {
+ qgroup_to_release = block_rsv->qgroup_rsv_reserved -
+ block_rsv->qgroup_rsv_size;
+ block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size;
+ }
+
+The temporary block rsv just has ->qgroup_rsv_reserved set,
+->qgroup_rsv_size == 0. The optimization in
+btrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then
+later on when we call btrfs_subvolume_release_metadata() which has
+
+ btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release);
+ btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release);
+
+qgroup_to_release is set to 0, and we do not convert the reserved
+metadata space.
+
+The problem here is that the block rsv code has been unconditionally
+messing with ->qgroup_rsv_reserved, because the main place this is used
+is delalloc, and any time we call btrfs_block_rsv_release() we do it
+with qgroup_to_release set, and thus do the proper accounting.
+
+The subvolume code is the only other code that uses the qgroup
+reservation stuff, but it's intermingled with the above optimization,
+and thus was getting its reservation freed out from underneath it and
+thus leaking the reserved space.
+
+The solution is to simply not mess with the qgroup reservations if we
+don't have qgroup_to_release set. This works with the existing code as
+anything that messes with the delalloc reservations always have
+qgroup_to_release set. This fixes the leak that Boris was observing.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/block-rsv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/block-rsv.c
++++ b/fs/btrfs/block-rsv.c
+@@ -124,7 +124,8 @@ static u64 block_rsv_release_bytes(struc
+ } else {
+ num_bytes = 0;
+ }
+- if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {
++ if (qgroup_to_release_ret &&
++ block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {
+ qgroup_to_release = block_rsv->qgroup_rsv_reserved -
+ block_rsv->qgroup_rsv_size;
+ block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size;
--- /dev/null
+From ac868bc9d136cde6e3eb5de77019a63d57a540ff Mon Sep 17 00:00:00 2001
+From: xiaoshoukui <xiaoshoukui@gmail.com>
+Date: Thu, 13 Apr 2023 05:55:07 -0400
+Subject: btrfs: fix assertion of exclop condition when starting balance
+
+From: xiaoshoukui <xiaoshoukui@gmail.com>
+
+commit ac868bc9d136cde6e3eb5de77019a63d57a540ff upstream.
+
+Balance as exclusive state is compatible with paused balance and device
+add, which makes some things more complicated. The assertion of valid
+states when starting from paused balance needs to take into account two
+more states, the combinations can be hit when there are several threads
+racing to start balance and device add. This won't typically happen when
+the commands are started from command line.
+
+Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.
+
+Concurrently adding multiple devices to the same mount point and
+btrfs_exclop_finish executed finishes before assertion in
+btrfs_exclop_balance, exclusive_operation will changed to
+BTRFS_EXCLOP_NONE state which lead to assertion failed:
+
+ fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
+ fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD,
+ in fs/btrfs/ioctl.c:456
+ Call Trace:
+ <TASK>
+ btrfs_exclop_balance+0x13c/0x310
+ ? memdup_user+0xab/0xc0
+ ? PTR_ERR+0x17/0x20
+ btrfs_ioctl_add_dev+0x2ee/0x320
+ btrfs_ioctl+0x9d5/0x10d0
+ ? btrfs_ioctl_encoded_write+0xb80/0xb80
+ __x64_sys_ioctl+0x197/0x210
+ do_syscall_64+0x3c/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.
+
+Concurrently adding multiple devices to the same mount point and
+btrfs_exclop_balance executed finish before the latter thread execute
+assertion in btrfs_exclop_balance, exclusive_operation will changed to
+BTRFS_EXCLOP_BALANCE_PAUSED state which lead to assertion failed:
+
+ fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
+ fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD ||
+ fs_info->exclusive_operation == BTRFS_EXCLOP_NONE,
+ fs/btrfs/ioctl.c:458
+ Call Trace:
+ <TASK>
+ btrfs_exclop_balance+0x240/0x410
+ ? memdup_user+0xab/0xc0
+ ? PTR_ERR+0x17/0x20
+ btrfs_ioctl_add_dev+0x2ee/0x320
+ btrfs_ioctl+0x9d5/0x10d0
+ ? btrfs_ioctl_encoded_write+0xb80/0xb80
+ __x64_sys_ioctl+0x197/0x210
+ do_syscall_64+0x3c/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+An example of the failed assertion is below, which shows that the
+paused balance is also needed to be checked.
+
+ root@syzkaller:/home/xsk# ./repro
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ [ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0
+ Failed to add device /dev/vda, errno 14
+ [ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ [ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ Failed to add device /dev/vda, errno 14
+ [ 416.632787][ T7981] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.634282][ T7982] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ Failed to add device /dev/vda, errno 14
+ [ 416.636202][ T7983] BTRFS info (device loop0): fs_info exclusive_operation: 3
+ [ 416.637012][ T7984] BTRFS info (device loop0): fs_info exclusive_operation: 1
+ Failed to add device /dev/vda, errno 14
+ [ 416.637759][ T7984] assertion failed: fs_info->exclusive_operation ==
+ BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation ==
+ BTRFS_EXCLOP_DEV_ADD || fs_info->exclusive_operation ==
+ BTRFS_EXCLOP_NONE, in fs/btrfs/ioctl.c:458
+ [ 416.639845][ T7984] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+ [ 416.640485][ T7984] CPU: 0 PID: 7984 Comm: repro Not tainted 6.2.0 #7
+ [ 416.641172][ T7984] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ [ 416.642090][ T7984] RIP: 0010:btrfs_assertfail+0x2c/0x2e
+ [ 416.644423][ T7984] RSP: 0018:ffffc90003ea7e28 EFLAGS: 00010282
+ [ 416.645018][ T7984] RAX: 00000000000000cc RBX: 0000000000000000 RCX: 0000000000000000
+ [ 416.645763][ T7984] RDX: ffff88801d030000 RSI: ffffffff81637e7c RDI: fffff520007d4fb7
+ [ 416.646554][ T7984] RBP: ffffffff8a533de0 R08: 00000000000000cc R09: 0000000000000000
+ [ 416.647299][ T7984] R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8a533da0
+ [ 416.648041][ T7984] R13: 00000000000001ca R14: 000000005000940a R15: 0000000000000000
+ [ 416.648785][ T7984] FS: 00007fa2985d4640(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
+ [ 416.649616][ T7984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 416.650238][ T7984] CR2: 0000000000000000 CR3: 0000000018e5e000 CR4: 0000000000750ef0
+ [ 416.650980][ T7984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 416.651725][ T7984] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [ 416.652502][ T7984] PKRU: 55555554
+ [ 416.652888][ T7984] Call Trace:
+ [ 416.653241][ T7984] <TASK>
+ [ 416.653527][ T7984] btrfs_exclop_balance+0x240/0x410
+ [ 416.654036][ T7984] ? memdup_user+0xab/0xc0
+ [ 416.654465][ T7984] ? PTR_ERR+0x17/0x20
+ [ 416.654874][ T7984] btrfs_ioctl_add_dev+0x2ee/0x320
+ [ 416.655380][ T7984] btrfs_ioctl+0x9d5/0x10d0
+ [ 416.655822][ T7984] ? btrfs_ioctl_encoded_write+0xb80/0xb80
+ [ 416.656400][ T7984] __x64_sys_ioctl+0x197/0x210
+ [ 416.656874][ T7984] do_syscall_64+0x3c/0xb0
+ [ 416.657346][ T7984] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ [ 416.657922][ T7984] RIP: 0033:0x4546af
+ [ 416.660170][ T7984] RSP: 002b:00007fa2985d4150 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [ 416.660972][ T7984] RAX: ffffffffffffffda RBX: 00007fa2985d4640 RCX: 00000000004546af
+ [ 416.661714][ T7984] RDX: 0000000000000000 RSI: 000000005000940a RDI: 0000000000000003
+ [ 416.662449][ T7984] RBP: 00007fa2985d41d0 R08: 0000000000000000 R09: 00007ffee37a4c4f
+ [ 416.663195][ T7984] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa2985d4640
+ [ 416.663951][ T7984] R13: 0000000000000009 R14: 000000000041b320 R15: 00007fa297dd4000
+ [ 416.664703][ T7984] </TASK>
+ [ 416.665040][ T7984] Modules linked in:
+ [ 416.665590][ T7984] ---[ end trace 0000000000000000 ]---
+ [ 416.666176][ T7984] RIP: 0010:btrfs_assertfail+0x2c/0x2e
+ [ 416.668775][ T7984] RSP: 0018:ffffc90003ea7e28 EFLAGS: 00010282
+ [ 416.669425][ T7984] RAX: 00000000000000cc RBX: 0000000000000000 RCX: 0000000000000000
+ [ 416.670235][ T7984] RDX: ffff88801d030000 RSI: ffffffff81637e7c RDI: fffff520007d4fb7
+ [ 416.671050][ T7984] RBP: ffffffff8a533de0 R08: 00000000000000cc R09: 0000000000000000
+ [ 416.671867][ T7984] R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8a533da0
+ [ 416.672685][ T7984] R13: 00000000000001ca R14: 000000005000940a R15: 0000000000000000
+ [ 416.673501][ T7984] FS: 00007fa2985d4640(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
+ [ 416.674425][ T7984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 416.675114][ T7984] CR2: 0000000000000000 CR3: 0000000018e5e000 CR4: 0000000000750ef0
+ [ 416.675933][ T7984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 416.676760][ T7984] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Link: https://lore.kernel.org/linux-btrfs/20230324031611.98986-1-xiaoshoukui@gmail.com/
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: xiaoshoukui <xiaoshoukui@ruijie.com.cn>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -454,7 +454,9 @@ void btrfs_exclop_balance(struct btrfs_f
+ case BTRFS_EXCLOP_BALANCE_PAUSED:
+ spin_lock(&fs_info->super_lock);
+ ASSERT(fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
+- fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD);
++ fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD ||
++ fs_info->exclusive_operation == BTRFS_EXCLOP_NONE ||
++ fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED);
+ fs_info->exclusive_operation = BTRFS_EXCLOP_BALANCE_PAUSED;
+ spin_unlock(&fs_info->super_lock);
+ break;
--- /dev/null
+From 0cad8f14d70cfeb5173dce93cafeba665a95430e Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 9 May 2023 12:50:02 +0100
+Subject: btrfs: fix backref walking not returning all inode refs
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 0cad8f14d70cfeb5173dce93cafeba665a95430e upstream.
+
+When using the logical to ino ioctl v2, if the flag to ignore offsets of
+file extent items (BTRFS_LOGICAL_INO_ARGS_IGNORE_OFFSET) is given, the
+backref walking code ends up not returning references for all file offsets
+of an inode that point to the given logical bytenr. This happens since
+kernel 6.2, commit 6ce6ba534418 ("btrfs: use a single argument for extent
+offset in backref walking functions") because:
+
+1) It mistakenly skipped the search for file extent items in a leaf that
+ point to the target extent if that flag is given. Instead it should
+ only skip the filtering done by check_extent_in_eb() - that is, it
+ should not avoid the calls to that function (or find_extent_in_eb(),
+ which uses it).
+
+2) It was also not building a list of inode extent elements (struct
+ extent_inode_elem) if we have multiple inode references for an extent
+ when the ignore offset flag is given to the logical to ino ioctl - it
+ would leave a single element, only the last one that was found.
+
+These stem from the confusing old interface for backref walking functions
+where we had an extent item offset argument that was a pointer to a u64
+and another boolean argument that indicated if the offset should be
+ignored, but the pointer could be NULL. That NULL case is used by
+relocation, qgroup extent accounting and fiemap, simply to avoid building
+the inode extent list for each reference, as it's not necessary for those
+use cases and therefore avoids memory allocations and some computations.
+
+Fix this by adding a boolean argument to the backref walk context
+structure to indicate that the inode extent list should not be built,
+make relocation set that argument to true and fix the backref walking
+logic to skip the calls to check_extent_in_eb() and find_extent_in_eb()
+only if this new argument is true, instead of 'ignore_extent_item_pos'
+being true.
+
+A test case for fstests will be added soon, to provide cover not only
+for these cases but to the logical to ino ioctl in general as well, as
+currently we do not have a test case for it.
+
+Reported-by: Vladimir Panteleev <git@vladimir.panteleev.md>
+Link: https://lore.kernel.org/linux-btrfs/CAHhfkvwo=nmzrJSqZ2qMfF-rZB-ab6ahHnCD_sq9h4o8v+M7QQ@mail.gmail.com/
+Fixes: 6ce6ba534418 ("btrfs: use a single argument for extent offset in backref walking functions")
+CC: stable@vger.kernel.org # 6.2+
+Tested-by: Vladimir Panteleev <git@vladimir.panteleev.md>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/backref.c | 19 ++++++++++---------
+ fs/btrfs/backref.h | 6 ++++++
+ fs/btrfs/relocation.c | 2 +-
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -45,7 +45,8 @@ static int check_extent_in_eb(struct btr
+ int root_count;
+ bool cached;
+
+- if (!btrfs_file_extent_compression(eb, fi) &&
++ if (!ctx->ignore_extent_item_pos &&
++ !btrfs_file_extent_compression(eb, fi) &&
+ !btrfs_file_extent_encryption(eb, fi) &&
+ !btrfs_file_extent_other_encoding(eb, fi)) {
+ u64 data_offset;
+@@ -552,7 +553,7 @@ static int add_all_parents(struct btrfs_
+ count++;
+ else
+ goto next;
+- if (!ctx->ignore_extent_item_pos) {
++ if (!ctx->skip_inode_ref_list) {
+ ret = check_extent_in_eb(ctx, &key, eb, fi, &eie);
+ if (ret == BTRFS_ITERATE_EXTENT_INODES_STOP ||
+ ret < 0)
+@@ -564,7 +565,7 @@ static int add_all_parents(struct btrfs_
+ eie, (void **)&old, GFP_NOFS);
+ if (ret < 0)
+ break;
+- if (!ret && !ctx->ignore_extent_item_pos) {
++ if (!ret && !ctx->skip_inode_ref_list) {
+ while (old->next)
+ old = old->next;
+ old->next = eie;
+@@ -1606,7 +1607,7 @@ again:
+ goto out;
+ }
+ if (ref->count && ref->parent) {
+- if (!ctx->ignore_extent_item_pos && !ref->inode_list &&
++ if (!ctx->skip_inode_ref_list && !ref->inode_list &&
+ ref->level == 0) {
+ struct btrfs_tree_parent_check check = { 0 };
+ struct extent_buffer *eb;
+@@ -1647,7 +1648,7 @@ again:
+ (void **)&eie, GFP_NOFS);
+ if (ret < 0)
+ goto out;
+- if (!ret && !ctx->ignore_extent_item_pos) {
++ if (!ret && !ctx->skip_inode_ref_list) {
+ /*
+ * We've recorded that parent, so we must extend
+ * its inode list here.
+@@ -1743,7 +1744,7 @@ int btrfs_find_all_leafs(struct btrfs_ba
+ static int btrfs_find_all_roots_safe(struct btrfs_backref_walk_ctx *ctx)
+ {
+ const u64 orig_bytenr = ctx->bytenr;
+- const bool orig_ignore_extent_item_pos = ctx->ignore_extent_item_pos;
++ const bool orig_skip_inode_ref_list = ctx->skip_inode_ref_list;
+ bool roots_ulist_allocated = false;
+ struct ulist_iterator uiter;
+ int ret = 0;
+@@ -1764,7 +1765,7 @@ static int btrfs_find_all_roots_safe(str
+ roots_ulist_allocated = true;
+ }
+
+- ctx->ignore_extent_item_pos = true;
++ ctx->skip_inode_ref_list = true;
+
+ ULIST_ITER_INIT(&uiter);
+ while (1) {
+@@ -1789,7 +1790,7 @@ static int btrfs_find_all_roots_safe(str
+ ulist_free(ctx->refs);
+ ctx->refs = NULL;
+ ctx->bytenr = orig_bytenr;
+- ctx->ignore_extent_item_pos = orig_ignore_extent_item_pos;
++ ctx->skip_inode_ref_list = orig_skip_inode_ref_list;
+
+ return ret;
+ }
+@@ -1912,7 +1913,7 @@ int btrfs_is_data_extent_shared(struct b
+ goto out_trans;
+ }
+
+- walk_ctx.ignore_extent_item_pos = true;
++ walk_ctx.skip_inode_ref_list = true;
+ walk_ctx.trans = trans;
+ walk_ctx.fs_info = fs_info;
+ walk_ctx.refs = &ctx->refs;
+--- a/fs/btrfs/backref.h
++++ b/fs/btrfs/backref.h
+@@ -60,6 +60,12 @@ struct btrfs_backref_walk_ctx {
+ * @extent_item_pos is ignored.
+ */
+ bool ignore_extent_item_pos;
++ /*
++ * If true and bytenr corresponds to a data extent, then the inode list
++ * (each member describing inode number, file offset and root) is not
++ * added to each reference added to the @refs ulist.
++ */
++ bool skip_inode_ref_list;
+ /* A valid transaction handle or NULL. */
+ struct btrfs_trans_handle *trans;
+ /*
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -3422,7 +3422,7 @@ int add_data_references(struct reloc_con
+ btrfs_release_path(path);
+
+ ctx.bytenr = extent_key->objectid;
+- ctx.ignore_extent_item_pos = true;
++ ctx.skip_inode_ref_list = true;
+ ctx.fs_info = rc->extent_root->fs_info;
+
+ ret = btrfs_find_all_leafs(&ctx);
--- /dev/null
+From 6f932d4ef007d6a4ae03badcb749fbb8f49196f6 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 12 Apr 2023 11:33:09 +0100
+Subject: btrfs: fix btrfs_prev_leaf() to not return the same key twice
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 6f932d4ef007d6a4ae03badcb749fbb8f49196f6 upstream.
+
+A call to btrfs_prev_leaf() may end up returning a path that points to the
+same item (key) again. This happens if while btrfs_prev_leaf(), after we
+release the path, a concurrent insertion happens, which moves items off
+from a sibling into the front of the previous leaf, and an item with the
+computed previous key does not exists.
+
+For example, suppose we have the two following leaves:
+
+ Leaf A
+
+ -------------------------------------------------------------
+ | ... key (300 96 10) key (300 96 15) key (300 96 16) |
+ -------------------------------------------------------------
+ slot 20 slot 21 slot 22
+
+ Leaf B
+
+ -------------------------------------------------------------
+ | key (300 96 20) key (300 96 21) key (300 96 22) ... |
+ -------------------------------------------------------------
+ slot 0 slot 1 slot 2
+
+If we call btrfs_prev_leaf(), from btrfs_previous_item() for example, with
+a path pointing to leaf B and slot 0 and the following happens:
+
+1) At btrfs_prev_leaf() we compute the previous key to search as:
+ (300 96 19), which is a key that does not exists in the tree;
+
+2) Then we call btrfs_release_path() at btrfs_prev_leaf();
+
+3) Some other task inserts a key at leaf A, that sorts before the key at
+ slot 20, for example it has an objectid of 299. In order to make room
+ for the new key, the key at slot 22 is moved to the front of leaf B.
+ This happens at push_leaf_right(), called from split_leaf().
+
+ After this leaf B now looks like:
+
+ --------------------------------------------------------------------------------
+ | key (300 96 16) key (300 96 20) key (300 96 21) key (300 96 22) ... |
+ --------------------------------------------------------------------------------
+ slot 0 slot 1 slot 2 slot 3
+
+4) At btrfs_prev_leaf() we call btrfs_search_slot() for the computed
+ previous key: (300 96 19). Since the key does not exists,
+ btrfs_search_slot() returns 1 and with a path pointing to leaf B
+ and slot 1, the item with key (300 96 20);
+
+5) This makes btrfs_prev_leaf() return a path that points to slot 1 of
+ leaf B, the same key as before it was called, since the key at slot 0
+ of leaf B (300 96 16) is less than the computed previous key, which is
+ (300 96 19);
+
+6) As a consequence btrfs_previous_item() returns a path that points again
+ to the item with key (300 96 20).
+
+For some users of btrfs_prev_leaf() or btrfs_previous_item() this may not
+be functional a problem, despite not making sense to return a new path
+pointing again to the same item/key. However for a caller such as
+tree-log.c:log_dir_items(), this has a bad consequence, as it can result
+in not logging some dir index deletions in case the directory is being
+logged without holding the inode's VFS lock (logging triggered while
+logging a child inode for example) - for the example scenario above, in
+case the dir index keys 17, 18 and 19 were deleted in the current
+transaction.
+
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -4489,10 +4489,12 @@ int btrfs_del_items(struct btrfs_trans_h
+ int btrfs_prev_leaf(struct btrfs_root *root, struct btrfs_path *path)
+ {
+ struct btrfs_key key;
++ struct btrfs_key orig_key;
+ struct btrfs_disk_key found_key;
+ int ret;
+
+ btrfs_item_key_to_cpu(path->nodes[0], &key, 0);
++ orig_key = key;
+
+ if (key.offset > 0) {
+ key.offset--;
+@@ -4509,8 +4511,36 @@ int btrfs_prev_leaf(struct btrfs_root *r
+
+ btrfs_release_path(path);
+ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
+- if (ret < 0)
++ if (ret <= 0)
+ return ret;
++
++ /*
++ * Previous key not found. Even if we were at slot 0 of the leaf we had
++ * before releasing the path and calling btrfs_search_slot(), we now may
++ * be in a slot pointing to the same original key - this can happen if
++ * after we released the path, one of more items were moved from a
++ * sibling leaf into the front of the leaf we had due to an insertion
++ * (see push_leaf_right()).
++ * If we hit this case and our slot is > 0 and just decrement the slot
++ * so that the caller does not process the same key again, which may or
++ * may not break the caller, depending on its logic.
++ */
++ if (path->slots[0] < btrfs_header_nritems(path->nodes[0])) {
++ btrfs_item_key(path->nodes[0], &found_key, path->slots[0]);
++ ret = comp_keys(&found_key, &orig_key);
++ if (ret == 0) {
++ if (path->slots[0] > 0) {
++ path->slots[0]--;
++ return 0;
++ }
++ /*
++ * At slot 0, same key as before, it means orig_key is
++ * the lowest, leftmost, key in the tree. We're done.
++ */
++ return 1;
++ }
++ }
++
+ btrfs_item_key(path->nodes[0], &found_key, 0);
+ ret = comp_keys(&found_key, &key);
+ /*
--- /dev/null
+From e7db9e5c6b9615b287d01f0231904fbc1fbde9c5 Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Fri, 28 Apr 2023 14:02:11 -0700
+Subject: btrfs: fix encoded write i_size corruption with no-holes
+
+From: Boris Burkov <boris@bur.io>
+
+commit e7db9e5c6b9615b287d01f0231904fbc1fbde9c5 upstream.
+
+We have observed a btrfs filesystem corruption on workloads using
+no-holes and encoded writes via send stream v2. The symptom is that a
+file appears to be truncated to the end of its last aligned extent, even
+though the final unaligned extent and even the file extent and otherwise
+correctly updated inode item have been written.
+
+So if we were writing out a 1MiB+X file via 8 128K extents and one
+extent of length X, i_size would be set to 1MiB, but the ninth extent,
+nbyte, etc. would all appear correct otherwise.
+
+The source of the race is a narrow (one line of code) window in which a
+no-holes fs has read in an updated i_size, but has not yet set a shared
+disk_i_size variable to write. Therefore, if two ordered extents run in
+parallel (par for the course for receive workloads), the following
+sequence can play out: (following "threads" a bit loosely, since there
+are callbacks involved for endio but extra threads aren't needed to
+cause the issue)
+
+ ENC-WR1 (second to last) ENC-WR2 (last)
+ ------- -------
+ btrfs_do_encoded_write
+ set i_size = 1M
+ submit bio B1 ending at 1M
+ endio B1
+ btrfs_inode_safe_disk_i_size_write
+ local i_size = 1M
+ falls off a cliff for some reason
+ btrfs_do_encoded_write
+ set i_size = 1M+X
+ submit bio B2 ending at 1M+X
+ endio B2
+ btrfs_inode_safe_disk_i_size_write
+ local i_size = 1M+X
+ disk_i_size = 1M+X
+ disk_i_size = 1M
+ btrfs_delayed_update_inode
+ btrfs_delayed_update_inode
+
+And the delayed inode ends up filled with nbytes=1M+X and isize=1M, and
+writes respect i_size and present a corrupted file missing its last
+extents.
+
+Fix this by holding the inode lock in the no-holes case so that a thread
+can't sneak in a write to disk_i_size that gets overwritten with an out
+of date i_size.
+
+Fixes: 41a2ee75aab0 ("btrfs: introduce per-inode file extent tree")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file-item.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/file-item.c
++++ b/fs/btrfs/file-item.c
+@@ -52,13 +52,13 @@ void btrfs_inode_safe_disk_i_size_write(
+ u64 start, end, i_size;
+ int ret;
+
++ spin_lock(&inode->lock);
+ i_size = new_i_size ?: i_size_read(&inode->vfs_inode);
+ if (btrfs_fs_incompat(fs_info, NO_HOLES)) {
+ inode->disk_i_size = i_size;
+- return;
++ goto out_unlock;
+ }
+
+- spin_lock(&inode->lock);
+ ret = find_contiguous_extent_bit(&inode->file_extent_tree, 0, &start,
+ &end, EXTENT_DIRTY);
+ if (!ret && start == 0)
+@@ -66,6 +66,7 @@ void btrfs_inode_safe_disk_i_size_write(
+ else
+ i_size = 0;
+ inode->disk_i_size = i_size;
++out_unlock:
+ spin_unlock(&inode->lock);
+ }
+
--- /dev/null
+From 0004ff15ea26015a0a3a6182dca3b9d1df32e2b7 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 4 May 2023 12:04:18 +0100
+Subject: btrfs: fix space cache inconsistency after error loading it from disk
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 0004ff15ea26015a0a3a6182dca3b9d1df32e2b7 upstream.
+
+When loading a free space cache from disk, at __load_free_space_cache(),
+if we fail to insert a bitmap entry, we still increment the number of
+total bitmaps in the btrfs_free_space_ctl structure, which is incorrect
+since we failed to add the bitmap entry. On error we then empty the
+cache by calling __btrfs_remove_free_space_cache(), which will result
+in getting the total bitmaps counter set to 1.
+
+A failure to load a free space cache is not critical, so if a failure
+happens we just rebuild the cache by scanning the extent tree, which
+happens at block-group.c:caching_thread(). Yet the failure will result
+in having the total bitmaps of the btrfs_free_space_ctl always bigger
+by 1 then the number of bitmap entries we have. So fix this by having
+the total bitmaps counter be incremented only if we successfully added
+the bitmap entry.
+
+Fixes: a67509c30079 ("Btrfs: add a io_ctl struct and helpers for dealing with the space cache")
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/free-space-cache.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -870,15 +870,16 @@ static int __load_free_space_cache(struc
+ }
+ spin_lock(&ctl->tree_lock);
+ ret = link_free_space(ctl, e);
+- ctl->total_bitmaps++;
+- recalculate_thresholds(ctl);
+- spin_unlock(&ctl->tree_lock);
+ if (ret) {
++ spin_unlock(&ctl->tree_lock);
+ btrfs_err(fs_info,
+ "Duplicate entries in free space cache, dumping");
+ kmem_cache_free(btrfs_free_space_cachep, e);
+ goto free_cache;
+ }
++ ctl->total_bitmaps++;
++ recalculate_thresholds(ctl);
++ spin_unlock(&ctl->tree_lock);
+ list_add_tail(&e->list, &bitmaps);
+ }
+
--- /dev/null
+From 1d6a4fc85717677e00fefffd847a50fc5928ce69 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 28 Apr 2023 14:13:05 +0800
+Subject: btrfs: make clear_cache mount option to rebuild FST without disabling it
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 1d6a4fc85717677e00fefffd847a50fc5928ce69 upstream.
+
+Previously clear_cache mount option would simply disable free-space-tree
+feature temporarily then re-enable it to rebuild the whole free space
+tree.
+
+But this is problematic for block-group-tree feature, as we have an
+artificial dependency on free-space-tree feature.
+
+If we go the existing method, after clearing the free-space-tree
+feature, we would flip the filesystem to read-only mode, as we detect a
+super block write with block-group-tree but no free-space-tree feature.
+
+This patch would change the behavior by properly rebuilding the free
+space tree without disabling this feature, thus allowing clear_cache
+mount option to work with block group tree.
+
+Now we can mount a filesystem with block-group-tree feature and
+clear_mount option:
+
+ $ mkfs.btrfs -O block-group-tree /dev/test/scratch1 -f
+ $ sudo mount /dev/test/scratch1 /mnt/btrfs -o clear_cache
+ $ sudo dmesg -t | head -n 5
+ BTRFS info (device dm-1): force clearing of disk cache
+ BTRFS info (device dm-1): using free space tree
+ BTRFS info (device dm-1): auto enabling async discard
+ BTRFS info (device dm-1): rebuilding free space tree
+ BTRFS info (device dm-1): checking UUID tree
+
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 25 ++++++++++++++++------
+ fs/btrfs/free-space-tree.c | 50 ++++++++++++++++++++++++++++++++++++++++++++-
+ fs/btrfs/free-space-tree.h | 3 +-
+ fs/btrfs/super.c | 3 --
+ 4 files changed, 70 insertions(+), 11 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3123,23 +3123,34 @@ int btrfs_start_pre_rw_mount(struct btrf
+ {
+ int ret;
+ const bool cache_opt = btrfs_test_opt(fs_info, SPACE_CACHE);
+- bool clear_free_space_tree = false;
++ bool rebuild_free_space_tree = false;
+
+ if (btrfs_test_opt(fs_info, CLEAR_CACHE) &&
+ btrfs_fs_compat_ro(fs_info, FREE_SPACE_TREE)) {
+- clear_free_space_tree = true;
++ rebuild_free_space_tree = true;
+ } else if (btrfs_fs_compat_ro(fs_info, FREE_SPACE_TREE) &&
+ !btrfs_fs_compat_ro(fs_info, FREE_SPACE_TREE_VALID)) {
+ btrfs_warn(fs_info, "free space tree is invalid");
+- clear_free_space_tree = true;
++ rebuild_free_space_tree = true;
+ }
+
+- if (clear_free_space_tree) {
+- btrfs_info(fs_info, "clearing free space tree");
+- ret = btrfs_clear_free_space_tree(fs_info);
++ if (rebuild_free_space_tree) {
++ btrfs_info(fs_info, "rebuilding free space tree");
++ ret = btrfs_rebuild_free_space_tree(fs_info);
+ if (ret) {
+ btrfs_warn(fs_info,
+- "failed to clear free space tree: %d", ret);
++ "failed to rebuild free space tree: %d", ret);
++ goto out;
++ }
++ }
++
++ if (btrfs_fs_compat_ro(fs_info, FREE_SPACE_TREE) &&
++ !btrfs_test_opt(fs_info, FREE_SPACE_TREE)) {
++ btrfs_info(fs_info, "disabling free space tree");
++ ret = btrfs_delete_free_space_tree(fs_info);
++ if (ret) {
++ btrfs_warn(fs_info,
++ "failed to disable free space tree: %d", ret);
+ goto out;
+ }
+ }
+--- a/fs/btrfs/free-space-tree.c
++++ b/fs/btrfs/free-space-tree.c
+@@ -1252,7 +1252,7 @@ out:
+ return ret;
+ }
+
+-int btrfs_clear_free_space_tree(struct btrfs_fs_info *fs_info)
++int btrfs_delete_free_space_tree(struct btrfs_fs_info *fs_info)
+ {
+ struct btrfs_trans_handle *trans;
+ struct btrfs_root *tree_root = fs_info->tree_root;
+@@ -1295,6 +1295,54 @@ int btrfs_clear_free_space_tree(struct b
+ abort:
+ btrfs_abort_transaction(trans, ret);
+ btrfs_end_transaction(trans);
++ return ret;
++}
++
++int btrfs_rebuild_free_space_tree(struct btrfs_fs_info *fs_info)
++{
++ struct btrfs_trans_handle *trans;
++ struct btrfs_key key = {
++ .objectid = BTRFS_FREE_SPACE_TREE_OBJECTID,
++ .type = BTRFS_ROOT_ITEM_KEY,
++ .offset = 0,
++ };
++ struct btrfs_root *free_space_root = btrfs_global_root(fs_info, &key);
++ struct rb_node *node;
++ int ret;
++
++ trans = btrfs_start_transaction(free_space_root, 1);
++ if (IS_ERR(trans))
++ return PTR_ERR(trans);
++
++ set_bit(BTRFS_FS_CREATING_FREE_SPACE_TREE, &fs_info->flags);
++ set_bit(BTRFS_FS_FREE_SPACE_TREE_UNTRUSTED, &fs_info->flags);
++
++ ret = clear_free_space_tree(trans, free_space_root);
++ if (ret)
++ goto abort;
++
++ node = rb_first_cached(&fs_info->block_group_cache_tree);
++ while (node) {
++ struct btrfs_block_group *block_group;
++
++ block_group = rb_entry(node, struct btrfs_block_group,
++ cache_node);
++ ret = populate_free_space_tree(trans, block_group);
++ if (ret)
++ goto abort;
++ node = rb_next(node);
++ }
++
++ btrfs_set_fs_compat_ro(fs_info, FREE_SPACE_TREE);
++ btrfs_set_fs_compat_ro(fs_info, FREE_SPACE_TREE_VALID);
++ clear_bit(BTRFS_FS_CREATING_FREE_SPACE_TREE, &fs_info->flags);
++
++ ret = btrfs_commit_transaction(trans);
++ clear_bit(BTRFS_FS_FREE_SPACE_TREE_UNTRUSTED, &fs_info->flags);
++ return ret;
++abort:
++ btrfs_abort_transaction(trans, ret);
++ btrfs_end_transaction(trans);
+ return ret;
+ }
+
+--- a/fs/btrfs/free-space-tree.h
++++ b/fs/btrfs/free-space-tree.h
+@@ -18,7 +18,8 @@ struct btrfs_caching_control;
+
+ void set_free_space_tree_thresholds(struct btrfs_block_group *block_group);
+ int btrfs_create_free_space_tree(struct btrfs_fs_info *fs_info);
+-int btrfs_clear_free_space_tree(struct btrfs_fs_info *fs_info);
++int btrfs_delete_free_space_tree(struct btrfs_fs_info *fs_info);
++int btrfs_rebuild_free_space_tree(struct btrfs_fs_info *fs_info);
+ int load_free_space_tree(struct btrfs_caching_control *caching_ctl);
+ int add_block_group_free_space(struct btrfs_trans_handle *trans,
+ struct btrfs_block_group *block_group);
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -828,8 +828,7 @@ out:
+ ret = -EINVAL;
+ }
+ if (btrfs_fs_compat_ro(info, BLOCK_GROUP_TREE) &&
+- (btrfs_test_opt(info, CLEAR_CACHE) ||
+- !btrfs_test_opt(info, FREE_SPACE_TREE))) {
++ !btrfs_test_opt(info, FREE_SPACE_TREE)) {
+ btrfs_err(info, "cannot disable free space tree with block-group-tree feature");
+ ret = -EINVAL;
+ }
--- /dev/null
+From c87f318e6f47696b4040b58f460d5c17ea0280e6 Mon Sep 17 00:00:00 2001
+From: Anastasia Belova <abelova@astralinux.ru>
+Date: Wed, 26 Apr 2023 14:53:23 +0300
+Subject: btrfs: print-tree: parent bytenr must be aligned to sector size
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+commit c87f318e6f47696b4040b58f460d5c17ea0280e6 upstream.
+
+Check nodesize to sectorsize in alignment check in print_extent_item.
+The comment states that and this is correct, similar check is done
+elsewhere in the functions.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: ea57788eb76d ("btrfs: require only sector size alignment for parent eb bytenr")
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/print-tree.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -151,10 +151,10 @@ static void print_extent_item(struct ext
+ pr_cont("shared data backref parent %llu count %u\n",
+ offset, btrfs_shared_data_ref_count(eb, sref));
+ /*
+- * offset is supposed to be a tree block which
+- * must be aligned to nodesize.
++ * Offset is supposed to be a tree block which must be
++ * aligned to sectorsize.
+ */
+- if (!IS_ALIGNED(offset, eb->fs_info->nodesize))
++ if (!IS_ALIGNED(offset, eb->fs_info->sectorsize))
+ pr_info(
+ "\t\t\t(parent %llu not aligned to sectorsize %u)\n",
+ offset, eb->fs_info->sectorsize);
--- /dev/null
+From 64b5d5b2852661284ccbb038c697562cc56231bf Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Thu, 27 Apr 2023 09:45:32 +0800
+Subject: btrfs: properly reject clear_cache and v1 cache for block-group-tree
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 64b5d5b2852661284ccbb038c697562cc56231bf upstream.
+
+[BUG]
+With block-group-tree feature enabled, mounting it with clear_cache
+would cause the following transaction abort at mount or remount:
+
+ BTRFS info (device dm-4): force clearing of disk cache
+ BTRFS info (device dm-4): using free space tree
+ BTRFS info (device dm-4): auto enabling async discard
+ BTRFS info (device dm-4): clearing free space tree
+ BTRFS info (device dm-4): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)
+ BTRFS info (device dm-4): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)
+ BTRFS error (device dm-4): block-group-tree feature requires fres-space-tree and no-holes
+ BTRFS error (device dm-4): super block corruption detected before writing it to disk
+ BTRFS: error (device dm-4) in write_all_supers:4288: errno=-117 Filesystem corrupted (unexpected superblock corruption detected)
+ BTRFS warning (device dm-4: state E): Skipping commit of aborted transaction.
+
+[CAUSE]
+For block-group-tree feature, we have an artificial dependency on
+free-space-tree.
+
+This means if we detect block-group-tree without v2 cache, we consider
+it a corruption and cause the problem.
+
+For clear_cache mount option, it would temporary disable v2 cache, then
+re-enable it.
+
+But unfortunately for that temporary v2 cache disabled status, we refuse
+to write a superblock with bg tree only flag, thus leads to the above
+transaction abortion.
+
+[FIX]
+For now, just reject clear_cache and v1 cache mount option for block
+group tree. So now we got a graceful rejection other than a transaction
+abort:
+
+ BTRFS info (device dm-4): force clearing of disk cache
+ BTRFS error (device dm-4): cannot disable free space tree with block-group-tree feature
+ BTRFS error (device dm-4): open_ctree failed
+
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -826,7 +826,12 @@ out:
+ !btrfs_test_opt(info, CLEAR_CACHE)) {
+ btrfs_err(info, "cannot disable free space tree");
+ ret = -EINVAL;
+-
++ }
++ if (btrfs_fs_compat_ro(info, BLOCK_GROUP_TREE) &&
++ (btrfs_test_opt(info, CLEAR_CACHE) ||
++ !btrfs_test_opt(info, FREE_SPACE_TREE))) {
++ btrfs_err(info, "cannot disable free space tree with block-group-tree feature");
++ ret = -EINVAL;
+ }
+ if (!ret)
+ ret = btrfs_check_mountopts_zoned(info);
--- /dev/null
+From c83b56d1dd87cf67492bb770c26d6f87aee70ed6 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 8 May 2023 07:58:37 -0700
+Subject: btrfs: zero the buffer before marking it dirty in btrfs_redirty_list_add
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit c83b56d1dd87cf67492bb770c26d6f87aee70ed6 upstream.
+
+btrfs_redirty_list_add zeroes the buffer data and sets the
+EXTENT_BUFFER_NO_CHECK to make sure writeback is fine with a bogus
+header. But it does that after already marking the buffer dirty, which
+means that writeback could already be looking at the buffer.
+
+Switch the order of operations around so that the buffer is only marked
+dirty when we're ready to write it.
+
+Fixes: d3575156f662 ("btrfs: zoned: redirty released extent buffers")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -1610,11 +1610,11 @@ void btrfs_redirty_list_add(struct btrfs
+ !list_empty(&eb->release_list))
+ return;
+
++ memzero_extent_buffer(eb, 0, eb->len);
++ set_bit(EXTENT_BUFFER_NO_CHECK, &eb->bflags);
+ set_extent_buffer_dirty(eb);
+ set_extent_bits_nowait(&trans->dirty_pages, eb->start,
+ eb->start + eb->len - 1, EXTENT_DIRTY);
+- memzero_extent_buffer(eb, 0, eb->len);
+- set_bit(EXTENT_BUFFER_NO_CHECK, &eb->bflags);
+
+ spin_lock(&trans->releasing_ebs_lock);
+ list_add_tail(&eb->release_list, &trans->releasing_ebs);
--- /dev/null
+From 02ca9e6fb5f66a031df4fac508b8e477ca69e918 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <Naohiro.Aota@wdc.com>
+Date: Tue, 9 May 2023 18:29:15 +0000
+Subject: btrfs: zoned: fix full zone super block reading on ZNS
+
+From: Naohiro Aota <Naohiro.Aota@wdc.com>
+
+commit 02ca9e6fb5f66a031df4fac508b8e477ca69e918 upstream.
+
+When both of the superblock zones are full, we need to check which
+superblock is newer. The calculation of last superblock position is wrong
+as it does not consider zone_capacity and uses the length.
+
+Fixes: 9658b72ef300 ("btrfs: zoned: locate superblock position using zone capacity")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -122,10 +122,9 @@ static int sb_write_pointer(struct block
+ int i;
+
+ for (i = 0; i < BTRFS_NR_SB_LOG_ZONES; i++) {
+- u64 bytenr;
+-
+- bytenr = ((zones[i].start + zones[i].len)
+- << SECTOR_SHIFT) - BTRFS_SUPER_INFO_SIZE;
++ u64 zone_end = (zones[i].start + zones[i].capacity) << SECTOR_SHIFT;
++ u64 bytenr = ALIGN_DOWN(zone_end, BTRFS_SUPER_INFO_SIZE) -
++ BTRFS_SUPER_INFO_SIZE;
+
+ page[i] = read_cache_page_gfp(mapping,
+ bytenr >> PAGE_SHIFT, GFP_NOFS);
--- /dev/null
+From 631003e2333c12cc1b52df06a707365b7363a159 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Tue, 18 Apr 2023 17:45:24 +0900
+Subject: btrfs: zoned: fix wrong use of bitops API in btrfs_ensure_empty_zones
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 631003e2333c12cc1b52df06a707365b7363a159 upstream.
+
+find_next_bit and find_next_zero_bit take @size as the second parameter and
+@offset as the third parameter. They are specified opposite in
+btrfs_ensure_empty_zones(). Thanks to the later loop, it never failed to
+detect the empty zones. Fix them and (maybe) return the result a bit
+faster.
+
+Note: the naming is a bit confusing, size has two meanings here, bitmap
+and our range size.
+
+Fixes: 1cd6121f2a38 ("btrfs: zoned: implement zoned chunk allocator")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -1168,12 +1168,12 @@ int btrfs_ensure_empty_zones(struct btrf
+ return -ERANGE;
+
+ /* All the zones are conventional */
+- if (find_next_bit(zinfo->seq_zones, begin, end) == end)
++ if (find_next_bit(zinfo->seq_zones, end, begin) == end)
+ return 0;
+
+ /* All the zones are sequential and empty */
+- if (find_next_zero_bit(zinfo->seq_zones, begin, end) == end &&
+- find_next_zero_bit(zinfo->empty_zones, begin, end) == end)
++ if (find_next_zero_bit(zinfo->seq_zones, end, begin) == end &&
++ find_next_zero_bit(zinfo->empty_zones, end, begin) == end)
+ return 0;
+
+ for (pos = start; pos < start + size; pos += zinfo->zone_size) {
--- /dev/null
+From f84353c7c20536ea7e01eca79430eccdf3cc7348 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <Naohiro.Aota@wdc.com>
+Date: Mon, 8 May 2023 22:14:20 +0000
+Subject: btrfs: zoned: zone finish data relocation BG with last IO
+
+From: Naohiro Aota <Naohiro.Aota@wdc.com>
+
+commit f84353c7c20536ea7e01eca79430eccdf3cc7348 upstream.
+
+For data block groups, we zone finish a zone (or, just deactivate it) when
+seeing the last IO in btrfs_finish_ordered_io(). That is only called for
+IOs using ZONE_APPEND, but we use a regular WRITE command for data
+relocation IOs. Detect it and call btrfs_zone_finish_endio() properly.
+
+Fixes: be1a1d7a5d24 ("btrfs: zoned: finish fully written block group")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -3167,6 +3167,9 @@ int btrfs_finish_ordered_io(struct btrfs
+ btrfs_rewrite_logical_zoned(ordered_extent);
+ btrfs_zone_finish_endio(fs_info, ordered_extent->disk_bytenr,
+ ordered_extent->disk_num_bytes);
++ } else if (btrfs_is_data_reloc_root(inode->root)) {
++ btrfs_zone_finish_endio(fs_info, ordered_extent->disk_bytenr,
++ ordered_extent->disk_num_bytes);
+ }
+
+ if (test_bit(BTRFS_ORDERED_TRUNCATED, &ordered_extent->flags)) {
--- /dev/null
+From d66cde50c3c868af7abddafce701bb86e4a93039 Mon Sep 17 00:00:00 2001
+From: Pawel Witek <pawel.ireneusz.witek@gmail.com>
+Date: Fri, 5 May 2023 17:14:59 +0200
+Subject: cifs: fix pcchunk length type in smb2_copychunk_range
+
+From: Pawel Witek <pawel.ireneusz.witek@gmail.com>
+
+commit d66cde50c3c868af7abddafce701bb86e4a93039 upstream.
+
+Change type of pcchunk->Length from u32 to u64 to match
+smb2_copychunk_range arguments type. Fixes the problem where performing
+server-side copy with CIFS_IOC_COPYCHUNK_FILE ioctl resulted in incomplete
+copy of large files while returning -EINVAL.
+
+Fixes: 9bf0c9cd4314 ("CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pawel Witek <pawel.ireneusz.witek@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1682,7 +1682,7 @@ smb2_copychunk_range(const unsigned int
+ pcchunk->SourceOffset = cpu_to_le64(src_off);
+ pcchunk->TargetOffset = cpu_to_le64(dest_off);
+ pcchunk->Length =
+- cpu_to_le32(min_t(u32, len, tcon->max_bytes_chunk));
++ cpu_to_le32(min_t(u64, len, tcon->max_bytes_chunk));
+
+ /* Request server copy to target from src identified by key */
+ kfree(retbuf);
--- /dev/null
+From d39fc592ef8ae9a89c5e85c8d9f760937a57d5ba Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 10 May 2023 17:42:21 -0500
+Subject: cifs: release leases for deferred close handles when freezing
+
+From: Steve French <stfrench@microsoft.com>
+
+commit d39fc592ef8ae9a89c5e85c8d9f760937a57d5ba upstream.
+
+We should not be caching closed files when freeze is invoked on an fs
+(so we can release resources more gracefully).
+
+Fixes xfstests generic/068 generic/390 generic/491
+
+Reviewed-by: David Howells <dhowells@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsfs.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -759,6 +759,20 @@ static void cifs_umount_begin(struct sup
+ return;
+ }
+
++static int cifs_freeze(struct super_block *sb)
++{
++ struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
++ struct cifs_tcon *tcon;
++
++ if (cifs_sb == NULL)
++ return 0;
++
++ tcon = cifs_sb_master_tcon(cifs_sb);
++
++ cifs_close_all_deferred_files(tcon);
++ return 0;
++}
++
+ #ifdef CONFIG_CIFS_STATS2
+ static int cifs_show_stats(struct seq_file *s, struct dentry *root)
+ {
+@@ -797,6 +811,7 @@ static const struct super_operations cif
+ as opens */
+ .show_options = cifs_show_options,
+ .umount_begin = cifs_umount_begin,
++ .freeze_fs = cifs_freeze,
+ #ifdef CONFIG_CIFS_STATS2
+ .show_stats = cifs_show_stats,
+ #endif
--- /dev/null
+From f435b7ef3b360d689df2ffa8326352cd07940d92 Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+Date: Thu, 30 Mar 2023 11:31:31 +0200
+Subject: drm/bridge: lt8912b: Fix DSI Video Mode
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+commit f435b7ef3b360d689df2ffa8326352cd07940d92 upstream.
+
+LT8912 DSI port supports only Non-Burst mode video operation with Sync
+Events and continuous clock on clock lane, correct dsi mode flags
+according to that removing MIPI_DSI_MODE_VIDEO_BURST flag.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230330093131.424828-1-francesco@dolcini.it
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt8912b.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/gpu/drm/bridge/lontium-lt8912b.c
++++ b/drivers/gpu/drm/bridge/lontium-lt8912b.c
+@@ -504,7 +504,6 @@ static int lt8912_attach_dsi(struct lt89
+ dsi->format = MIPI_DSI_FMT_RGB888;
+
+ dsi->mode_flags = MIPI_DSI_MODE_VIDEO |
+- MIPI_DSI_MODE_VIDEO_BURST |
+ MIPI_DSI_MODE_LPM |
+ MIPI_DSI_MODE_NO_EOT_PACKET;
+
--- /dev/null
+From 13525645e2246ebc8a21bd656248d86022a6ee8f Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 6 Apr 2023 16:46:14 +0300
+Subject: drm/dsc: fix drm_edp_dsc_sink_output_bpp() DPCD high byte usage
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 13525645e2246ebc8a21bd656248d86022a6ee8f upstream.
+
+The operator precedence between << and & is wrong, leading to the high
+byte being completely ignored. For example, with the 6.4 format, 32
+becomes 0 and 24 becomes 8. Fix it, and remove the slightly confusing
+and unnecessary DP_DSC_MAX_BITS_PER_PIXEL_HI_SHIFT macro while at it.
+
+Fixes: 0575650077ea ("drm/dp: DRM DP helper/macros to get DP sink DSC parameters")
+Cc: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Cc: Manasi Navare <navaremanasi@google.com>
+Cc: Anusha Srivatsa <anusha.srivatsa@intel.com>
+Cc: <stable@vger.kernel.org> # v5.0+
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230406134615.1422509-1-jani.nikula@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/drm/display/drm_dp.h | 1 -
+ include/drm/display/drm_dp_helper.h | 5 ++---
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/include/drm/display/drm_dp.h
++++ b/include/drm/display/drm_dp.h
+@@ -286,7 +286,6 @@
+
+ #define DP_DSC_MAX_BITS_PER_PIXEL_HI 0x068 /* eDP 1.4 */
+ # define DP_DSC_MAX_BITS_PER_PIXEL_HI_MASK (0x3 << 0)
+-# define DP_DSC_MAX_BITS_PER_PIXEL_HI_SHIFT 8
+ # define DP_DSC_MAX_BPP_DELTA_VERSION_MASK 0x06
+ # define DP_DSC_MAX_BPP_DELTA_AVAILABILITY 0x08
+
+--- a/include/drm/display/drm_dp_helper.h
++++ b/include/drm/display/drm_dp_helper.h
+@@ -181,9 +181,8 @@ static inline u16
+ drm_edp_dsc_sink_output_bpp(const u8 dsc_dpcd[DP_DSC_RECEIVER_CAP_SIZE])
+ {
+ return dsc_dpcd[DP_DSC_MAX_BITS_PER_PIXEL_LOW - DP_DSC_SUPPORT] |
+- (dsc_dpcd[DP_DSC_MAX_BITS_PER_PIXEL_HI - DP_DSC_SUPPORT] &
+- DP_DSC_MAX_BITS_PER_PIXEL_HI_MASK <<
+- DP_DSC_MAX_BITS_PER_PIXEL_HI_SHIFT);
++ ((dsc_dpcd[DP_DSC_MAX_BITS_PER_PIXEL_HI - DP_DSC_SUPPORT] &
++ DP_DSC_MAX_BITS_PER_PIXEL_HI_MASK) << 8);
+ }
+
+ static inline u32
--- /dev/null
+From d944eafed618a8507270b324ad9d5405bb7f0b3e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Tue, 18 Apr 2023 20:55:14 +0300
+Subject: drm/i915: Check pipe source size when using skl+ scalers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit d944eafed618a8507270b324ad9d5405bb7f0b3e upstream.
+
+The skl+ scalers only sample 12 bits of PIPESRC so we can't
+do any plane scaling at all when the pipe source size is >4k.
+
+Make sure the pipe source size is also below the scaler's src
+size limits. Might not be 100% accurate, but should at least be
+safe. We can refine the limits later if we discover that recent
+hw is less restricted.
+
+Cc: stable@vger.kernel.org
+Tested-by: Ross Zwisler <zwisler@google.com>
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8357
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230418175528.13117-2-ville.syrjala@linux.intel.com
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 691248d4135fe3fae64b4ee0676bc96a7fd6950c)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/skl_scaler.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/skl_scaler.c
++++ b/drivers/gpu/drm/i915/display/skl_scaler.c
+@@ -111,6 +111,8 @@ skl_update_scaler(struct intel_crtc_stat
+ struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
+ const struct drm_display_mode *adjusted_mode =
+ &crtc_state->hw.adjusted_mode;
++ int pipe_src_w = drm_rect_width(&crtc_state->pipe_src);
++ int pipe_src_h = drm_rect_height(&crtc_state->pipe_src);
+ int min_src_w, min_src_h, min_dst_w, min_dst_h;
+ int max_src_w, max_src_h, max_dst_w, max_dst_h;
+
+@@ -207,6 +209,21 @@ skl_update_scaler(struct intel_crtc_stat
+ return -EINVAL;
+ }
+
++ /*
++ * The pipe scaler does not use all the bits of PIPESRC, at least
++ * on the earlier platforms. So even when we're scaling a plane
++ * the *pipe* source size must not be too large. For simplicity
++ * we assume the limits match the scaler source size limits. Might
++ * not be 100% accurate on all platforms, but good enough for now.
++ */
++ if (pipe_src_w > max_src_w || pipe_src_h > max_src_h) {
++ drm_dbg_kms(&dev_priv->drm,
++ "scaler_user index %u.%u: pipe src size %ux%u "
++ "is out of scaler range\n",
++ crtc->pipe, scaler_user, pipe_src_w, pipe_src_h);
++ return -EINVAL;
++ }
++
+ /* mark this plane as a scaler user in crtc_state */
+ scaler_state->scaler_users |= (1 << scaler_user);
+ drm_dbg_kms(&dev_priv->drm, "scaler_user index %u.%u: "
--- /dev/null
+From 2efc8e1001acfdc143cf2d25a08a4974c322e2a8 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
+Date: Thu, 30 Mar 2023 20:31:04 +0530
+Subject: drm/i915/color: Fix typo for Plane CSC indexes
+
+From: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
+
+commit 2efc8e1001acfdc143cf2d25a08a4974c322e2a8 upstream.
+
+Replace _PLANE_INPUT_CSC_RY_GY_2_* with _PLANE_CSC_RY_GY_2_*
+for Plane CSC
+
+Fixes: 6eba56f64d5d ("drm/i915/pxp: black pixels on pxp disabled")
+
+Cc: <stable@vger.kernel.org>
+
+Signed-off-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
+Reviewed-by: Uma Shankar <uma.shankar@intel.com>
+Signed-off-by: Animesh Manna <animesh.manna@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230330150104.2923519-1-chaitanya.kumar.borah@intel.com
+(cherry picked from commit e39c76b2160bbd005587f978d29603ef790aefcd)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_reg.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -7596,8 +7596,8 @@ enum skl_power_gate {
+
+ #define _PLANE_CSC_RY_GY_1(pipe) _PIPE(pipe, _PLANE_CSC_RY_GY_1_A, \
+ _PLANE_CSC_RY_GY_1_B)
+-#define _PLANE_CSC_RY_GY_2(pipe) _PIPE(pipe, _PLANE_INPUT_CSC_RY_GY_2_A, \
+- _PLANE_INPUT_CSC_RY_GY_2_B)
++#define _PLANE_CSC_RY_GY_2(pipe) _PIPE(pipe, _PLANE_CSC_RY_GY_2_A, \
++ _PLANE_CSC_RY_GY_2_B)
+ #define PLANE_CSC_COEFF(pipe, plane, index) _MMIO_PLANE(plane, \
+ _PLANE_CSC_RY_GY_1(pipe) + (index) * 4, \
+ _PLANE_CSC_RY_GY_2(pipe) + (index) * 4)
--- /dev/null
+From c8c2969bfcba5fcba3a5b078315c1b586d927d9f Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 25 Apr 2023 21:44:41 +0200
+Subject: drm/i915/dsi: Use unconditional msleep() instead of intel_dsi_msleep()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit c8c2969bfcba5fcba3a5b078315c1b586d927d9f upstream.
+
+The intel_dsi_msleep() helper skips sleeping if the MIPI-sequences have
+a version of 3 or newer and the panel is in vid-mode.
+
+This is based on the big comment around line 730 which starts with
+"Panel enable/disable sequences from the VBT spec.", where
+the "v3 video mode seq" column does not have any wait t# entries.
+
+Checking the Windows driver shows that it does always honor
+the VBT delays independent of the version of the VBT sequences.
+
+Commit 6fdb335f1c9c ("drm/i915/dsi: Use unconditional msleep for
+the panel_on_delay when there is no reset-deassert MIPI-sequence")
+switched to a direct msleep() instead of intel_dsi_msleep()
+when there is no MIPI_SEQ_DEASSERT_RESET sequence, to fix
+the panel on an Acer Aspire Switch 10 E SW3-016 not turning on.
+
+And now testing on a Nextbook Ares 8A shows that panel_on_delay
+must always be honored otherwise the panel will not turn on.
+
+Instead of only always using regular msleep() for panel_on_delay
+do as Windows does and always use regular msleep() everywhere
+were intel_dsi_msleep() is used and drop the intel_dsi_msleep()
+helper.
+
+Changes in v2:
+- Replace all intel_dsi_msleep() calls instead of just
+ the intel_dsi_msleep(panel_on_delay) call
+
+Cc: stable@vger.kernel.org
+Fixes: 6fdb335f1c9c ("drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230425194441.68086-1-hdegoede@redhat.com
+(cherry picked from commit fa83c12132f71302f7d4b02758dc0d46048d3f5f)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/icl_dsi.c | 2 +-
+ drivers/gpu/drm/i915/display/intel_dsi_vbt.c | 11 -----------
+ drivers/gpu/drm/i915/display/intel_dsi_vbt.h | 1 -
+ drivers/gpu/drm/i915/display/vlv_dsi.c | 22 +++++-----------------
+ 4 files changed, 6 insertions(+), 30 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/icl_dsi.c
++++ b/drivers/gpu/drm/i915/display/icl_dsi.c
+@@ -1211,7 +1211,7 @@ static void gen11_dsi_powerup_panel(stru
+
+ /* panel power on related mipi dsi vbt sequences */
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_POWER_ON);
+- intel_dsi_msleep(intel_dsi, intel_dsi->panel_on_delay);
++ msleep(intel_dsi->panel_on_delay);
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DEASSERT_RESET);
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_INIT_OTP);
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DISPLAY_ON);
+--- a/drivers/gpu/drm/i915/display/intel_dsi_vbt.c
++++ b/drivers/gpu/drm/i915/display/intel_dsi_vbt.c
+@@ -762,17 +762,6 @@ void intel_dsi_vbt_exec_sequence(struct
+ gpiod_set_value_cansleep(intel_dsi->gpio_backlight, 0);
+ }
+
+-void intel_dsi_msleep(struct intel_dsi *intel_dsi, int msec)
+-{
+- struct intel_connector *connector = intel_dsi->attached_connector;
+-
+- /* For v3 VBTs in vid-mode the delays are part of the VBT sequences */
+- if (is_vid_mode(intel_dsi) && connector->panel.vbt.dsi.seq_version >= 3)
+- return;
+-
+- msleep(msec);
+-}
+-
+ void intel_dsi_log_params(struct intel_dsi *intel_dsi)
+ {
+ struct drm_i915_private *i915 = to_i915(intel_dsi->base.base.dev);
+--- a/drivers/gpu/drm/i915/display/intel_dsi_vbt.h
++++ b/drivers/gpu/drm/i915/display/intel_dsi_vbt.h
+@@ -16,7 +16,6 @@ void intel_dsi_vbt_gpio_init(struct inte
+ void intel_dsi_vbt_gpio_cleanup(struct intel_dsi *intel_dsi);
+ void intel_dsi_vbt_exec_sequence(struct intel_dsi *intel_dsi,
+ enum mipi_seq seq_id);
+-void intel_dsi_msleep(struct intel_dsi *intel_dsi, int msec);
+ void intel_dsi_log_params(struct intel_dsi *intel_dsi);
+
+ #endif /* __INTEL_DSI_VBT_H__ */
+--- a/drivers/gpu/drm/i915/display/vlv_dsi.c
++++ b/drivers/gpu/drm/i915/display/vlv_dsi.c
+@@ -783,7 +783,6 @@ static void intel_dsi_pre_enable(struct
+ {
+ struct intel_dsi *intel_dsi = enc_to_intel_dsi(encoder);
+ struct intel_crtc *crtc = to_intel_crtc(pipe_config->uapi.crtc);
+- struct intel_connector *connector = to_intel_connector(conn_state->connector);
+ struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
+ enum pipe pipe = crtc->pipe;
+ enum port port;
+@@ -831,21 +830,10 @@ static void intel_dsi_pre_enable(struct
+ if (!IS_GEMINILAKE(dev_priv))
+ intel_dsi_prepare(encoder, pipe_config);
+
++ /* Give the panel time to power-on and then deassert its reset */
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_POWER_ON);
+-
+- /*
+- * Give the panel time to power-on and then deassert its reset.
+- * Depending on the VBT MIPI sequences version the deassert-seq
+- * may contain the necessary delay, intel_dsi_msleep() will skip
+- * the delay in that case. If there is no deassert-seq, then an
+- * unconditional msleep is used to give the panel time to power-on.
+- */
+- if (connector->panel.vbt.dsi.sequence[MIPI_SEQ_DEASSERT_RESET]) {
+- intel_dsi_msleep(intel_dsi, intel_dsi->panel_on_delay);
+- intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DEASSERT_RESET);
+- } else {
+- msleep(intel_dsi->panel_on_delay);
+- }
++ msleep(intel_dsi->panel_on_delay);
++ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DEASSERT_RESET);
+
+ if (IS_GEMINILAKE(dev_priv)) {
+ glk_cold_boot = glk_dsi_enable_io(encoder);
+@@ -879,7 +867,7 @@ static void intel_dsi_pre_enable(struct
+ msleep(20); /* XXX */
+ for_each_dsi_port(port, intel_dsi->ports)
+ dpi_send_cmd(intel_dsi, TURN_ON, false, port);
+- intel_dsi_msleep(intel_dsi, 100);
++ msleep(100);
+
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DISPLAY_ON);
+
+@@ -1007,7 +995,7 @@ static void intel_dsi_post_disable(struc
+ /* Assert reset */
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_ASSERT_RESET);
+
+- intel_dsi_msleep(intel_dsi, intel_dsi->panel_off_delay);
++ msleep(intel_dsi->panel_off_delay);
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_POWER_OFF);
+
+ intel_dsi->panel_power_off_time = ktime_get_boottime();
--- /dev/null
+From 0d997f95b70f98987ae031a89677c13e0e223670 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 3 Mar 2023 17:48:05 +0100
+Subject: drm/msm/adreno: fix runtime PM imbalance at gpu load
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 0d997f95b70f98987ae031a89677c13e0e223670 upstream.
+
+A recent commit moved enabling of runtime PM to GPU load time (first
+open()) but failed to update the error paths so that runtime PM is
+disabled if initialisation of the GPU fails. This would trigger a
+warning about the unbalanced disable count on the next open() attempt.
+
+Note that pm_runtime_put_noidle() is sufficient to balance the usage
+count when pm_runtime_put_sync() fails (and is chosen over
+pm_runtime_resume_and_get() for consistency reasons).
+
+Fixes: 4b18299b3365 ("drm/msm/adreno: Defer enabling runpm until hw_init()")
+Cc: stable@vger.kernel.org # 6.0
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Patchwork: https://patchwork.freedesktop.org/patch/524971/
+Link: https://lore.kernel.org/r/20230303164807.13124-3-johan+linaro@kernel.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/adreno/adreno_device.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/msm/adreno/adreno_device.c
++++ b/drivers/gpu/drm/msm/adreno/adreno_device.c
+@@ -440,20 +440,21 @@ struct msm_gpu *adreno_load_gpu(struct d
+
+ ret = pm_runtime_get_sync(&pdev->dev);
+ if (ret < 0) {
+- pm_runtime_put_sync(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
+ DRM_DEV_ERROR(dev->dev, "Couldn't power up the GPU: %d\n", ret);
+- return NULL;
++ goto err_disable_rpm;
+ }
+
+ mutex_lock(&gpu->lock);
+ ret = msm_gpu_hw_init(gpu);
+ mutex_unlock(&gpu->lock);
+- pm_runtime_put_autosuspend(&pdev->dev);
+ if (ret) {
+ DRM_DEV_ERROR(dev->dev, "gpu hw init failed: %d\n", ret);
+- return NULL;
++ goto err_put_rpm;
+ }
+
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ #ifdef CONFIG_DEBUG_FS
+ if (gpu->funcs->debugfs_init) {
+ gpu->funcs->debugfs_init(gpu, dev->primary);
+@@ -462,6 +463,13 @@ struct msm_gpu *adreno_load_gpu(struct d
+ #endif
+
+ return gpu;
++
++err_put_rpm:
++ pm_runtime_put_sync(&pdev->dev);
++err_disable_rpm:
++ pm_runtime_disable(&pdev->dev);
++
++ return NULL;
+ }
+
+ static int find_chipid(struct device *dev, struct adreno_rev *rev)
--- /dev/null
+From 214b09db61978497df24efcb3959616814bca46b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 6 Mar 2023 11:07:17 +0100
+Subject: drm/msm: fix drm device leak on bind errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 214b09db61978497df24efcb3959616814bca46b upstream.
+
+Make sure to free the DRM device also in case of early errors during
+bind().
+
+Fixes: 2027e5b3413d ("drm/msm: Initialize MDSS irq domain at probe time")
+Cc: stable@vger.kernel.org # 5.17
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/525097/
+Link: https://lore.kernel.org/r/20230306100722.28485-6-johan+linaro@kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -444,12 +444,12 @@ static int msm_drm_init(struct device *d
+
+ ret = msm_init_vram(ddev);
+ if (ret)
+- return ret;
++ goto err_put_dev;
+
+ /* Bind all our sub-components: */
+ ret = component_bind_all(dev, ddev);
+ if (ret)
+- return ret;
++ goto err_put_dev;
+
+ dma_set_max_seg_size(dev, UINT_MAX);
+
+@@ -544,6 +544,12 @@ static int msm_drm_init(struct device *d
+
+ err_msm_uninit:
+ msm_drm_uninit(dev);
++
++ return ret;
++
++err_put_dev:
++ drm_dev_put(ddev);
++
+ return ret;
+ }
+
--- /dev/null
+From ca090c837b430752038b24e56dd182010d77f6f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 6 Mar 2023 11:07:19 +0100
+Subject: drm/msm: fix missing wq allocation error handling
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit ca090c837b430752038b24e56dd182010d77f6f6 upstream.
+
+Add the missing sanity check to handle workqueue allocation failures.
+
+Fixes: c8afe684c95c ("drm/msm: basic KMS driver for snapdragon")
+Cc: stable@vger.kernel.org # 3.12
+Cc: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/525102/
+Link: https://lore.kernel.org/r/20230306100722.28485-8-johan+linaro@kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -432,6 +432,10 @@ static int msm_drm_init(struct device *d
+ priv->dev = ddev;
+
+ priv->wq = alloc_ordered_workqueue("msm", 0);
++ if (!priv->wq) {
++ ret = -ENOMEM;
++ goto err_put_dev;
++ }
+
+ INIT_LIST_HEAD(&priv->objects);
+ mutex_init(&priv->obj_lock);
--- /dev/null
+From cd459c005de3e2b855a8cc7768e633ce9d018e9f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 6 Mar 2023 11:07:16 +0100
+Subject: drm/msm: fix NULL-deref on irq uninstall
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit cd459c005de3e2b855a8cc7768e633ce9d018e9f upstream.
+
+In case of early initialisation errors and on platforms that do not use
+the DPU controller, the deinitilisation code can be called with the kms
+pointer set to NULL.
+
+Fixes: f026e431cf86 ("drm/msm: Convert to Linux IRQ interfaces")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/525104/
+Link: https://lore.kernel.org/r/20230306100722.28485-5-johan+linaro@kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -251,9 +251,11 @@ static int msm_drm_uninit(struct device
+ drm_bridge_remove(priv->bridges[i]);
+ priv->num_bridges = 0;
+
+- pm_runtime_get_sync(dev);
+- msm_irq_uninstall(ddev);
+- pm_runtime_put_sync(dev);
++ if (kms) {
++ pm_runtime_get_sync(dev);
++ msm_irq_uninstall(ddev);
++ pm_runtime_put_sync(dev);
++ }
+
+ if (kms && kms->funcs)
+ kms->funcs->destroy(kms);
--- /dev/null
+From a465353b9250802f87b97123e33a17f51277f0b1 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 6 Mar 2023 11:07:15 +0100
+Subject: drm/msm: fix NULL-deref on snapshot tear down
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit a465353b9250802f87b97123e33a17f51277f0b1 upstream.
+
+In case of early initialisation errors and on platforms that do not use
+the DPU controller, the deinitilisation code can be called with the kms
+pointer set to NULL.
+
+Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/525099/
+Link: https://lore.kernel.org/r/20230306100722.28485-4-johan+linaro@kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -242,7 +242,8 @@ static int msm_drm_uninit(struct device
+ msm_fbdev_free(ddev);
+ #endif
+
+- msm_disp_snapshot_destroy(ddev);
++ if (kms)
++ msm_disp_snapshot_destroy(ddev);
+
+ drm_mode_config_cleanup(ddev);
+
--- /dev/null
+From 60d476af96015891c7959f30838ae7a9749932bf Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 6 Mar 2023 11:07:18 +0100
+Subject: drm/msm: fix vram leak on bind errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 60d476af96015891c7959f30838ae7a9749932bf upstream.
+
+Make sure to release the VRAM buffer also in a case a subcomponent fails
+to bind.
+
+Fixes: d863f0c7b536 ("drm/msm: Call msm_init_vram before binding the gpu")
+Cc: stable@vger.kernel.org # 5.11
+Cc: Craig Tatlor <ctatlor97@gmail.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/525094/
+Link: https://lore.kernel.org/r/20230306100722.28485-7-johan+linaro@kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -51,6 +51,8 @@
+ #define MSM_VERSION_MINOR 10
+ #define MSM_VERSION_PATCHLEVEL 0
+
++static void msm_deinit_vram(struct drm_device *ddev);
++
+ static const struct drm_mode_config_funcs mode_config_funcs = {
+ .fb_create = msm_framebuffer_create,
+ .output_poll_changed = drm_fb_helper_output_poll_changed,
+@@ -260,12 +262,7 @@ static int msm_drm_uninit(struct device
+ if (kms && kms->funcs)
+ kms->funcs->destroy(kms);
+
+- if (priv->vram.paddr) {
+- unsigned long attrs = DMA_ATTR_NO_KERNEL_MAPPING;
+- drm_mm_takedown(&priv->vram.mm);
+- dma_free_attrs(dev, priv->vram.size, NULL,
+- priv->vram.paddr, attrs);
+- }
++ msm_deinit_vram(ddev);
+
+ component_unbind_all(dev, ddev);
+
+@@ -403,6 +400,19 @@ static int msm_init_vram(struct drm_devi
+ return ret;
+ }
+
++static void msm_deinit_vram(struct drm_device *ddev)
++{
++ struct msm_drm_private *priv = ddev->dev_private;
++ unsigned long attrs = DMA_ATTR_NO_KERNEL_MAPPING;
++
++ if (!priv->vram.paddr)
++ return;
++
++ drm_mm_takedown(&priv->vram.mm);
++ dma_free_attrs(ddev->dev, priv->vram.size, NULL, priv->vram.paddr,
++ attrs);
++}
++
+ static int msm_drm_init(struct device *dev, const struct drm_driver *drv)
+ {
+ struct msm_drm_private *priv = dev_get_drvdata(dev);
+@@ -449,7 +459,7 @@ static int msm_drm_init(struct device *d
+ /* Bind all our sub-components: */
+ ret = component_bind_all(dev, ddev);
+ if (ret)
+- goto err_put_dev;
++ goto err_deinit_vram;
+
+ dma_set_max_seg_size(dev, UINT_MAX);
+
+@@ -547,6 +557,8 @@ err_msm_uninit:
+
+ return ret;
+
++err_deinit_vram:
++ msm_deinit_vram(ddev);
+ err_put_dev:
+ drm_dev_put(ddev);
+
--- /dev/null
+From a75b49db6529b2af049eafd938fae888451c3685 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 6 Mar 2023 11:07:20 +0100
+Subject: drm/msm: fix workqueue leak on bind errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit a75b49db6529b2af049eafd938fae888451c3685 upstream.
+
+Make sure to destroy the workqueue also in case of early errors during
+bind (e.g. a subcomponent failing to bind).
+
+Since commit c3b790ea07a1 ("drm: Manage drm_mode_config_init with
+drmm_") the mode config will be freed when the drm device is released
+also when using the legacy interface, but add an explicit cleanup for
+consistency and to facilitate backporting.
+
+Fixes: 060530f1ea67 ("drm/msm: use componentised device support")
+Cc: stable@vger.kernel.org # 3.15
+Cc: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/525093/
+Link: https://lore.kernel.org/r/20230306100722.28485-9-johan+linaro@kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -458,7 +458,7 @@ static int msm_drm_init(struct device *d
+
+ ret = msm_init_vram(ddev);
+ if (ret)
+- goto err_put_dev;
++ goto err_cleanup_mode_config;
+
+ /* Bind all our sub-components: */
+ ret = component_bind_all(dev, ddev);
+@@ -563,6 +563,9 @@ err_msm_uninit:
+
+ err_deinit_vram:
+ msm_deinit_vram(ddev);
++err_cleanup_mode_config:
++ drm_mode_config_cleanup(ddev);
++ destroy_workqueue(priv->wq);
+ err_put_dev:
+ drm_dev_put(ddev);
+
--- /dev/null
+From ab4f869fba6119997f7630d600049762a2b014fa Mon Sep 17 00:00:00 2001
+From: James Cowgill <james.cowgill@blaize.com>
+Date: Wed, 12 Apr 2023 17:35:07 +0000
+Subject: drm/panel: otm8009a: Set backlight parent to panel device
+
+From: James Cowgill <james.cowgill@blaize.com>
+
+commit ab4f869fba6119997f7630d600049762a2b014fa upstream.
+
+This is the logical place to put the backlight device, and it also
+fixes a kernel crash if the MIPI host is removed. Previously the
+backlight device would be unregistered twice when this happened - once
+as a child of the MIPI host through `mipi_dsi_host_unregister`, and
+once when the panel device is destroyed.
+
+Fixes: 12a6cbd4f3f1 ("drm/panel: otm8009a: Use new backlight API")
+Signed-off-by: James Cowgill <james.cowgill@blaize.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230412173450.199592-1-james.cowgill@blaize.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-orisetech-otm8009a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c
++++ b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c
+@@ -471,7 +471,7 @@ static int otm8009a_probe(struct mipi_ds
+ DRM_MODE_CONNECTOR_DSI);
+
+ ctx->bl_dev = devm_backlight_device_register(dev, dev_name(dev),
+- dsi->host->dev, ctx,
++ dev, ctx,
+ &otm8009a_backlight_ops,
+ NULL);
+ if (IS_ERR(ctx->bl_dev)) {
--- /dev/null
+From f69475dd4878e5f2e316a6573044d55f294baa51 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Fri, 10 Mar 2023 11:12:35 -0800
+Subject: f2fs: factor out discard_cmd usage from general rb_tree use
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit f69475dd4878e5f2e316a6573044d55f294baa51 upstream.
+
+This is a second part to remove the mixed use of rb_tree in discard_cmd from
+extent_cache.
+
+This should also fix arm32 memory alignment issue caused by shared rb_entry.
+
+[struct discard_cmd] [struct rb_entry]
+[0] struct rb_node rb_node; [0] struct rb_node rb_node;
+ union { union {
+ struct { struct {
+[16] block_t lstart; [12] unsigned int ofs;
+ block_t len; unsigned int len;
+ };
+ unsigned long long key;
+ } __packed;
+
+Cc: <stable@vger.kernel.org>
+Fixes: 004b68621897 ("f2fs: use rb-tree to track pending discard commands")
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/extent_cache.c | 36 -------
+ fs/f2fs/f2fs.h | 23 ----
+ fs/f2fs/segment.c | 247 ++++++++++++++++++++++++++++++++-----------------
+ 3 files changed, 168 insertions(+), 138 deletions(-)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -192,7 +192,7 @@ static struct rb_entry *__lookup_rb_tree
+ return NULL;
+ }
+
+-struct rb_entry *f2fs_lookup_rb_tree(struct rb_root_cached *root,
++static struct rb_entry *f2fs_lookup_rb_tree(struct rb_root_cached *root,
+ struct rb_entry *cached_re, unsigned int ofs)
+ {
+ struct rb_entry *re;
+@@ -204,7 +204,7 @@ struct rb_entry *f2fs_lookup_rb_tree(str
+ return re;
+ }
+
+-struct rb_node **f2fs_lookup_rb_tree_for_insert(struct f2fs_sb_info *sbi,
++static struct rb_node **f2fs_lookup_rb_tree_for_insert(struct f2fs_sb_info *sbi,
+ struct rb_root_cached *root,
+ struct rb_node **parent,
+ unsigned int ofs, bool *leftmost)
+@@ -238,7 +238,7 @@ struct rb_node **f2fs_lookup_rb_tree_for
+ * in order to simplify the insertion after.
+ * tree must stay unchanged between lookup and insertion.
+ */
+-struct rb_entry *f2fs_lookup_rb_tree_ret(struct rb_root_cached *root,
++static struct rb_entry *f2fs_lookup_rb_tree_ret(struct rb_root_cached *root,
+ struct rb_entry *cached_re,
+ unsigned int ofs,
+ struct rb_entry **prev_entry,
+@@ -311,36 +311,6 @@ lookup_neighbors:
+ return re;
+ }
+
+-bool f2fs_check_rb_tree_consistence(struct f2fs_sb_info *sbi,
+- struct rb_root_cached *root)
+-{
+-#ifdef CONFIG_F2FS_CHECK_FS
+- struct rb_node *cur = rb_first_cached(root), *next;
+- struct rb_entry *cur_re, *next_re;
+-
+- if (!cur)
+- return true;
+-
+- while (cur) {
+- next = rb_next(cur);
+- if (!next)
+- return true;
+-
+- cur_re = rb_entry(cur, struct rb_entry, rb_node);
+- next_re = rb_entry(next, struct rb_entry, rb_node);
+-
+- if (cur_re->ofs + cur_re->len > next_re->ofs) {
+- f2fs_info(sbi, "inconsistent rbtree, cur(%u, %u) next(%u, %u)",
+- cur_re->ofs, cur_re->len,
+- next_re->ofs, next_re->len);
+- return false;
+- }
+- cur = next;
+- }
+-#endif
+- return true;
+-}
+-
+ static struct kmem_cache *extent_tree_slab;
+ static struct kmem_cache *extent_node_slab;
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -353,15 +353,7 @@ struct discard_info {
+
+ struct discard_cmd {
+ struct rb_node rb_node; /* rb node located in rb-tree */
+- union {
+- struct {
+- block_t lstart; /* logical start address */
+- block_t len; /* length */
+- block_t start; /* actual start address in dev */
+- };
+- struct discard_info di; /* discard info */
+-
+- };
++ struct discard_info di; /* discard info */
+ struct list_head list; /* command list */
+ struct completion wait; /* compleation */
+ struct block_device *bdev; /* bdev */
+@@ -4134,19 +4126,6 @@ void f2fs_leave_shrinker(struct f2fs_sb_
+ * extent_cache.c
+ */
+ bool sanity_check_extent_cache(struct inode *inode);
+-struct rb_entry *f2fs_lookup_rb_tree(struct rb_root_cached *root,
+- struct rb_entry *cached_re, unsigned int ofs);
+-struct rb_node **f2fs_lookup_rb_tree_for_insert(struct f2fs_sb_info *sbi,
+- struct rb_root_cached *root,
+- struct rb_node **parent,
+- unsigned int ofs, bool *leftmost);
+-struct rb_entry *f2fs_lookup_rb_tree_ret(struct rb_root_cached *root,
+- struct rb_entry *cached_re, unsigned int ofs,
+- struct rb_entry **prev_entry, struct rb_entry **next_entry,
+- struct rb_node ***insert_p, struct rb_node **insert_parent,
+- bool force, bool *leftmost);
+-bool f2fs_check_rb_tree_consistence(struct f2fs_sb_info *sbi,
+- struct rb_root_cached *root);
+ void f2fs_init_extent_tree(struct inode *inode);
+ void f2fs_drop_extent_tree(struct inode *inode);
+ void f2fs_destroy_extent_node(struct inode *inode);
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -939,9 +939,9 @@ static struct discard_cmd *__create_disc
+ dc = f2fs_kmem_cache_alloc(discard_cmd_slab, GFP_NOFS, true, NULL);
+ INIT_LIST_HEAD(&dc->list);
+ dc->bdev = bdev;
+- dc->lstart = lstart;
+- dc->start = start;
+- dc->len = len;
++ dc->di.lstart = lstart;
++ dc->di.start = start;
++ dc->di.len = len;
+ dc->ref = 0;
+ dc->state = D_PREP;
+ dc->queued = 0;
+@@ -956,20 +956,108 @@ static struct discard_cmd *__create_disc
+ return dc;
+ }
+
+-static struct discard_cmd *__attach_discard_cmd(struct f2fs_sb_info *sbi,
+- struct block_device *bdev, block_t lstart,
+- block_t start, block_t len,
+- struct rb_node *parent, struct rb_node **p,
+- bool leftmost)
++static bool f2fs_check_discard_tree(struct f2fs_sb_info *sbi)
+ {
++#ifdef CONFIG_F2FS_CHECK_FS
+ struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info;
++ struct rb_node *cur = rb_first_cached(&dcc->root), *next;
++ struct discard_cmd *cur_dc, *next_dc;
++
++ while (cur) {
++ next = rb_next(cur);
++ if (!next)
++ return true;
++
++ cur_dc = rb_entry(cur, struct discard_cmd, rb_node);
++ next_dc = rb_entry(next, struct discard_cmd, rb_node);
++
++ if (cur_dc->di.lstart + cur_dc->di.len > next_dc->di.lstart) {
++ f2fs_info(sbi, "broken discard_rbtree, "
++ "cur(%u, %u) next(%u, %u)",
++ cur_dc->di.lstart, cur_dc->di.len,
++ next_dc->di.lstart, next_dc->di.len);
++ return false;
++ }
++ cur = next;
++ }
++#endif
++ return true;
++}
++
++static struct discard_cmd *__lookup_discard_cmd(struct f2fs_sb_info *sbi,
++ block_t blkaddr)
++{
++ struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info;
++ struct rb_node *node = dcc->root.rb_root.rb_node;
+ struct discard_cmd *dc;
+
+- dc = __create_discard_cmd(sbi, bdev, lstart, start, len);
++ while (node) {
++ dc = rb_entry(node, struct discard_cmd, rb_node);
+
+- rb_link_node(&dc->rb_node, parent, p);
+- rb_insert_color_cached(&dc->rb_node, &dcc->root, leftmost);
++ if (blkaddr < dc->di.lstart)
++ node = node->rb_left;
++ else if (blkaddr >= dc->di.lstart + dc->di.len)
++ node = node->rb_right;
++ else
++ return dc;
++ }
++ return NULL;
++}
++
++static struct discard_cmd *__lookup_discard_cmd_ret(struct rb_root_cached *root,
++ block_t blkaddr,
++ struct discard_cmd **prev_entry,
++ struct discard_cmd **next_entry,
++ struct rb_node ***insert_p,
++ struct rb_node **insert_parent)
++{
++ struct rb_node **pnode = &root->rb_root.rb_node;
++ struct rb_node *parent = NULL, *tmp_node;
++ struct discard_cmd *dc;
+
++ *insert_p = NULL;
++ *insert_parent = NULL;
++ *prev_entry = NULL;
++ *next_entry = NULL;
++
++ if (RB_EMPTY_ROOT(&root->rb_root))
++ return NULL;
++
++ while (*pnode) {
++ parent = *pnode;
++ dc = rb_entry(*pnode, struct discard_cmd, rb_node);
++
++ if (blkaddr < dc->di.lstart)
++ pnode = &(*pnode)->rb_left;
++ else if (blkaddr >= dc->di.lstart + dc->di.len)
++ pnode = &(*pnode)->rb_right;
++ else
++ goto lookup_neighbors;
++ }
++
++ *insert_p = pnode;
++ *insert_parent = parent;
++
++ dc = rb_entry(parent, struct discard_cmd, rb_node);
++ tmp_node = parent;
++ if (parent && blkaddr > dc->di.lstart)
++ tmp_node = rb_next(parent);
++ *next_entry = rb_entry_safe(tmp_node, struct discard_cmd, rb_node);
++
++ tmp_node = parent;
++ if (parent && blkaddr < dc->di.lstart)
++ tmp_node = rb_prev(parent);
++ *prev_entry = rb_entry_safe(tmp_node, struct discard_cmd, rb_node);
++ return NULL;
++
++lookup_neighbors:
++ /* lookup prev node for merging backward later */
++ tmp_node = rb_prev(&dc->rb_node);
++ *prev_entry = rb_entry_safe(tmp_node, struct discard_cmd, rb_node);
++
++ /* lookup next node for merging frontward later */
++ tmp_node = rb_next(&dc->rb_node);
++ *next_entry = rb_entry_safe(tmp_node, struct discard_cmd, rb_node);
+ return dc;
+ }
+
+@@ -981,7 +1069,7 @@ static void __detach_discard_cmd(struct
+
+ list_del(&dc->list);
+ rb_erase_cached(&dc->rb_node, &dcc->root);
+- dcc->undiscard_blks -= dc->len;
++ dcc->undiscard_blks -= dc->di.len;
+
+ kmem_cache_free(discard_cmd_slab, dc);
+
+@@ -994,7 +1082,7 @@ static void __remove_discard_cmd(struct
+ struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info;
+ unsigned long flags;
+
+- trace_f2fs_remove_discard(dc->bdev, dc->start, dc->len);
++ trace_f2fs_remove_discard(dc->bdev, dc->di.start, dc->di.len);
+
+ spin_lock_irqsave(&dc->lock, flags);
+ if (dc->bio_ref) {
+@@ -1012,7 +1100,7 @@ static void __remove_discard_cmd(struct
+ printk_ratelimited(
+ "%sF2FS-fs (%s): Issue discard(%u, %u, %u) failed, ret: %d",
+ KERN_INFO, sbi->sb->s_id,
+- dc->lstart, dc->start, dc->len, dc->error);
++ dc->di.lstart, dc->di.start, dc->di.len, dc->error);
+ __detach_discard_cmd(dcc, dc);
+ }
+
+@@ -1128,14 +1216,14 @@ static int __submit_discard_cmd(struct f
+ if (is_sbi_flag_set(sbi, SBI_NEED_FSCK))
+ return 0;
+
+- trace_f2fs_issue_discard(bdev, dc->start, dc->len);
++ trace_f2fs_issue_discard(bdev, dc->di.start, dc->di.len);
+
+- lstart = dc->lstart;
+- start = dc->start;
+- len = dc->len;
++ lstart = dc->di.lstart;
++ start = dc->di.start;
++ len = dc->di.len;
+ total_len = len;
+
+- dc->len = 0;
++ dc->di.len = 0;
+
+ while (total_len && *issued < dpolicy->max_requests && !err) {
+ struct bio *bio = NULL;
+@@ -1151,7 +1239,7 @@ static int __submit_discard_cmd(struct f
+ if (*issued == dpolicy->max_requests)
+ last = true;
+
+- dc->len += len;
++ dc->di.len += len;
+
+ if (time_to_inject(sbi, FAULT_DISCARD)) {
+ err = -EIO;
+@@ -1213,34 +1301,41 @@ static int __submit_discard_cmd(struct f
+ return err;
+ }
+
+-static void __insert_discard_tree(struct f2fs_sb_info *sbi,
++static void __insert_discard_cmd(struct f2fs_sb_info *sbi,
+ struct block_device *bdev, block_t lstart,
+- block_t start, block_t len,
+- struct rb_node **insert_p,
+- struct rb_node *insert_parent)
++ block_t start, block_t len)
+ {
+ struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info;
+- struct rb_node **p;
++ struct rb_node **p = &dcc->root.rb_root.rb_node;
+ struct rb_node *parent = NULL;
++ struct discard_cmd *dc;
+ bool leftmost = true;
+
+- if (insert_p && insert_parent) {
+- parent = insert_parent;
+- p = insert_p;
+- goto do_insert;
++ /* look up rb tree to find parent node */
++ while (*p) {
++ parent = *p;
++ dc = rb_entry(parent, struct discard_cmd, rb_node);
++
++ if (lstart < dc->di.lstart) {
++ p = &(*p)->rb_left;
++ } else if (lstart >= dc->di.lstart + dc->di.len) {
++ p = &(*p)->rb_right;
++ leftmost = false;
++ } else {
++ f2fs_bug_on(sbi, 1);
++ }
+ }
+
+- p = f2fs_lookup_rb_tree_for_insert(sbi, &dcc->root, &parent,
+- lstart, &leftmost);
+-do_insert:
+- __attach_discard_cmd(sbi, bdev, lstart, start, len, parent,
+- p, leftmost);
++ dc = __create_discard_cmd(sbi, bdev, lstart, start, len);
++
++ rb_link_node(&dc->rb_node, parent, p);
++ rb_insert_color_cached(&dc->rb_node, &dcc->root, leftmost);
+ }
+
+ static void __relocate_discard_cmd(struct discard_cmd_control *dcc,
+ struct discard_cmd *dc)
+ {
+- list_move_tail(&dc->list, &dcc->pend_list[plist_idx(dc->len)]);
++ list_move_tail(&dc->list, &dcc->pend_list[plist_idx(dc->di.len)]);
+ }
+
+ static void __punch_discard_cmd(struct f2fs_sb_info *sbi,
+@@ -1250,7 +1345,7 @@ static void __punch_discard_cmd(struct f
+ struct discard_info di = dc->di;
+ bool modified = false;
+
+- if (dc->state == D_DONE || dc->len == 1) {
++ if (dc->state == D_DONE || dc->di.len == 1) {
+ __remove_discard_cmd(sbi, dc);
+ return;
+ }
+@@ -1258,23 +1353,22 @@ static void __punch_discard_cmd(struct f
+ dcc->undiscard_blks -= di.len;
+
+ if (blkaddr > di.lstart) {
+- dc->len = blkaddr - dc->lstart;
+- dcc->undiscard_blks += dc->len;
++ dc->di.len = blkaddr - dc->di.lstart;
++ dcc->undiscard_blks += dc->di.len;
+ __relocate_discard_cmd(dcc, dc);
+ modified = true;
+ }
+
+ if (blkaddr < di.lstart + di.len - 1) {
+ if (modified) {
+- __insert_discard_tree(sbi, dc->bdev, blkaddr + 1,
++ __insert_discard_cmd(sbi, dc->bdev, blkaddr + 1,
+ di.start + blkaddr + 1 - di.lstart,
+- di.lstart + di.len - 1 - blkaddr,
+- NULL, NULL);
++ di.lstart + di.len - 1 - blkaddr);
+ } else {
+- dc->lstart++;
+- dc->len--;
+- dc->start++;
+- dcc->undiscard_blks += dc->len;
++ dc->di.lstart++;
++ dc->di.len--;
++ dc->di.start++;
++ dcc->undiscard_blks += dc->di.len;
+ __relocate_discard_cmd(dcc, dc);
+ }
+ }
+@@ -1293,17 +1387,14 @@ static void __update_discard_tree_range(
+ SECTOR_TO_BLOCK(bdev_max_discard_sectors(bdev));
+ block_t end = lstart + len;
+
+- dc = (struct discard_cmd *)f2fs_lookup_rb_tree_ret(&dcc->root,
+- NULL, lstart,
+- (struct rb_entry **)&prev_dc,
+- (struct rb_entry **)&next_dc,
+- &insert_p, &insert_parent, true, NULL);
++ dc = __lookup_discard_cmd_ret(&dcc->root, lstart,
++ &prev_dc, &next_dc, &insert_p, &insert_parent);
+ if (dc)
+ prev_dc = dc;
+
+ if (!prev_dc) {
+ di.lstart = lstart;
+- di.len = next_dc ? next_dc->lstart - lstart : len;
++ di.len = next_dc ? next_dc->di.lstart - lstart : len;
+ di.len = min(di.len, len);
+ di.start = start;
+ }
+@@ -1314,16 +1405,16 @@ static void __update_discard_tree_range(
+ struct discard_cmd *tdc = NULL;
+
+ if (prev_dc) {
+- di.lstart = prev_dc->lstart + prev_dc->len;
++ di.lstart = prev_dc->di.lstart + prev_dc->di.len;
+ if (di.lstart < lstart)
+ di.lstart = lstart;
+ if (di.lstart >= end)
+ break;
+
+- if (!next_dc || next_dc->lstart > end)
++ if (!next_dc || next_dc->di.lstart > end)
+ di.len = end - di.lstart;
+ else
+- di.len = next_dc->lstart - di.lstart;
++ di.len = next_dc->di.lstart - di.lstart;
+ di.start = start + di.lstart - lstart;
+ }
+
+@@ -1356,10 +1447,9 @@ static void __update_discard_tree_range(
+ merged = true;
+ }
+
+- if (!merged) {
+- __insert_discard_tree(sbi, bdev, di.lstart, di.start,
+- di.len, NULL, NULL);
+- }
++ if (!merged)
++ __insert_discard_cmd(sbi, bdev,
++ di.lstart, di.start, di.len);
+ next:
+ prev_dc = next_dc;
+ if (!prev_dc)
+@@ -1398,15 +1488,11 @@ static void __issue_discard_cmd_orderly(
+ struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct discard_cmd *dc;
+ struct blk_plug plug;
+- unsigned int pos = dcc->next_pos;
+ bool io_interrupted = false;
+
+ mutex_lock(&dcc->cmd_lock);
+- dc = (struct discard_cmd *)f2fs_lookup_rb_tree_ret(&dcc->root,
+- NULL, pos,
+- (struct rb_entry **)&prev_dc,
+- (struct rb_entry **)&next_dc,
+- &insert_p, &insert_parent, true, NULL);
++ dc = __lookup_discard_cmd_ret(&dcc->root, dcc->next_pos,
++ &prev_dc, &next_dc, &insert_p, &insert_parent);
+ if (!dc)
+ dc = next_dc;
+
+@@ -1424,7 +1510,7 @@ static void __issue_discard_cmd_orderly(
+ break;
+ }
+
+- dcc->next_pos = dc->lstart + dc->len;
++ dcc->next_pos = dc->di.lstart + dc->di.len;
+ err = __submit_discard_cmd(sbi, dpolicy, dc, issued);
+
+ if (*issued >= dpolicy->max_requests)
+@@ -1483,8 +1569,7 @@ retry:
+ if (list_empty(pend_list))
+ goto next;
+ if (unlikely(dcc->rbtree_check))
+- f2fs_bug_on(sbi, !f2fs_check_rb_tree_consistence(sbi,
+- &dcc->root));
++ f2fs_bug_on(sbi, !f2fs_check_discard_tree(sbi));
+ blk_start_plug(&plug);
+ list_for_each_entry_safe(dc, tmp, pend_list, list) {
+ f2fs_bug_on(sbi, dc->state != D_PREP);
+@@ -1562,7 +1647,7 @@ static unsigned int __wait_one_discard_b
+ dc->ref--;
+ if (!dc->ref) {
+ if (!dc->error)
+- len = dc->len;
++ len = dc->di.len;
+ __remove_discard_cmd(sbi, dc);
+ }
+ mutex_unlock(&dcc->cmd_lock);
+@@ -1585,14 +1670,15 @@ next:
+
+ mutex_lock(&dcc->cmd_lock);
+ list_for_each_entry_safe(iter, tmp, wait_list, list) {
+- if (iter->lstart + iter->len <= start || end <= iter->lstart)
++ if (iter->di.lstart + iter->di.len <= start ||
++ end <= iter->di.lstart)
+ continue;
+- if (iter->len < dpolicy->granularity)
++ if (iter->di.len < dpolicy->granularity)
+ continue;
+ if (iter->state == D_DONE && !iter->ref) {
+ wait_for_completion_io(&iter->wait);
+ if (!iter->error)
+- trimmed += iter->len;
++ trimmed += iter->di.len;
+ __remove_discard_cmd(sbi, iter);
+ } else {
+ iter->ref++;
+@@ -1636,8 +1722,7 @@ static void f2fs_wait_discard_bio(struct
+ bool need_wait = false;
+
+ mutex_lock(&dcc->cmd_lock);
+- dc = (struct discard_cmd *)f2fs_lookup_rb_tree(&dcc->root,
+- NULL, blkaddr);
++ dc = __lookup_discard_cmd(sbi, blkaddr);
+ if (dc) {
+ if (dc->state == D_PREP) {
+ __punch_discard_cmd(sbi, dc, blkaddr);
+@@ -2970,24 +3055,20 @@ next:
+
+ mutex_lock(&dcc->cmd_lock);
+ if (unlikely(dcc->rbtree_check))
+- f2fs_bug_on(sbi, !f2fs_check_rb_tree_consistence(sbi,
+- &dcc->root));
++ f2fs_bug_on(sbi, !f2fs_check_discard_tree(sbi));
+
+- dc = (struct discard_cmd *)f2fs_lookup_rb_tree_ret(&dcc->root,
+- NULL, start,
+- (struct rb_entry **)&prev_dc,
+- (struct rb_entry **)&next_dc,
+- &insert_p, &insert_parent, true, NULL);
++ dc = __lookup_discard_cmd_ret(&dcc->root, start,
++ &prev_dc, &next_dc, &insert_p, &insert_parent);
+ if (!dc)
+ dc = next_dc;
+
+ blk_start_plug(&plug);
+
+- while (dc && dc->lstart <= end) {
++ while (dc && dc->di.lstart <= end) {
+ struct rb_node *node;
+ int err = 0;
+
+- if (dc->len < dpolicy->granularity)
++ if (dc->di.len < dpolicy->granularity)
+ goto skip;
+
+ if (dc->state != D_PREP) {
+@@ -2998,7 +3079,7 @@ next:
+ err = __submit_discard_cmd(sbi, dpolicy, dc, &issued);
+
+ if (issued >= dpolicy->max_requests) {
+- start = dc->lstart + dc->len;
++ start = dc->di.lstart + dc->di.len;
+
+ if (err)
+ __remove_discard_cmd(sbi, dc);
--- /dev/null
+From 043d2d00b44310f84c0593c63e51fae88c829cdd Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Fri, 10 Mar 2023 10:04:26 -0800
+Subject: f2fs: factor out victim_entry usage from general rb_tree use
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 043d2d00b44310f84c0593c63e51fae88c829cdd upstream.
+
+Let's reduce the complexity of mixed use of rb_tree in victim_entry from
+extent_cache and discard_cmd.
+
+This should fix arm32 memory alignment issue caused by shared rb_entry.
+
+[struct victim_entry] [struct rb_entry]
+[0] struct rb_node rb_node; [0] struct rb_node rb_node;
+ union {
+ struct {
+ unsigned int ofs;
+ unsigned int len;
+ };
+[16] unsigned long long mtime; [12] unsigned long long key;
+ } __packed;
+
+Cc: <stable@vger.kernel.org>
+Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection")
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/extent_cache.c | 36 ------------
+ fs/f2fs/f2fs.h | 15 +----
+ fs/f2fs/gc.c | 139 +++++++++++++++++++++++++++++--------------------
+ fs/f2fs/gc.h | 14 ----
+ fs/f2fs/segment.c | 4 -
+ 5 files changed, 93 insertions(+), 115 deletions(-)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -204,29 +204,6 @@ struct rb_entry *f2fs_lookup_rb_tree(str
+ return re;
+ }
+
+-struct rb_node **f2fs_lookup_rb_tree_ext(struct f2fs_sb_info *sbi,
+- struct rb_root_cached *root,
+- struct rb_node **parent,
+- unsigned long long key, bool *leftmost)
+-{
+- struct rb_node **p = &root->rb_root.rb_node;
+- struct rb_entry *re;
+-
+- while (*p) {
+- *parent = *p;
+- re = rb_entry(*parent, struct rb_entry, rb_node);
+-
+- if (key < re->key) {
+- p = &(*p)->rb_left;
+- } else {
+- p = &(*p)->rb_right;
+- *leftmost = false;
+- }
+- }
+-
+- return p;
+-}
+-
+ struct rb_node **f2fs_lookup_rb_tree_for_insert(struct f2fs_sb_info *sbi,
+ struct rb_root_cached *root,
+ struct rb_node **parent,
+@@ -335,7 +312,7 @@ lookup_neighbors:
+ }
+
+ bool f2fs_check_rb_tree_consistence(struct f2fs_sb_info *sbi,
+- struct rb_root_cached *root, bool check_key)
++ struct rb_root_cached *root)
+ {
+ #ifdef CONFIG_F2FS_CHECK_FS
+ struct rb_node *cur = rb_first_cached(root), *next;
+@@ -352,23 +329,12 @@ bool f2fs_check_rb_tree_consistence(stru
+ cur_re = rb_entry(cur, struct rb_entry, rb_node);
+ next_re = rb_entry(next, struct rb_entry, rb_node);
+
+- if (check_key) {
+- if (cur_re->key > next_re->key) {
+- f2fs_info(sbi, "inconsistent rbtree, "
+- "cur(%llu) next(%llu)",
+- cur_re->key, next_re->key);
+- return false;
+- }
+- goto next;
+- }
+-
+ if (cur_re->ofs + cur_re->len > next_re->ofs) {
+ f2fs_info(sbi, "inconsistent rbtree, cur(%u, %u) next(%u, %u)",
+ cur_re->ofs, cur_re->len,
+ next_re->ofs, next_re->len);
+ return false;
+ }
+-next:
+ cur = next;
+ }
+ #endif
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -630,13 +630,8 @@ enum extent_type {
+
+ struct rb_entry {
+ struct rb_node rb_node; /* rb node located in rb-tree */
+- union {
+- struct {
+- unsigned int ofs; /* start offset of the entry */
+- unsigned int len; /* length of the entry */
+- };
+- unsigned long long key; /* 64-bits key */
+- } __packed;
++ unsigned int ofs; /* start offset of the entry */
++ unsigned int len; /* length of the entry */
+ };
+
+ struct extent_info {
+@@ -4141,10 +4136,6 @@ void f2fs_leave_shrinker(struct f2fs_sb_
+ bool sanity_check_extent_cache(struct inode *inode);
+ struct rb_entry *f2fs_lookup_rb_tree(struct rb_root_cached *root,
+ struct rb_entry *cached_re, unsigned int ofs);
+-struct rb_node **f2fs_lookup_rb_tree_ext(struct f2fs_sb_info *sbi,
+- struct rb_root_cached *root,
+- struct rb_node **parent,
+- unsigned long long key, bool *left_most);
+ struct rb_node **f2fs_lookup_rb_tree_for_insert(struct f2fs_sb_info *sbi,
+ struct rb_root_cached *root,
+ struct rb_node **parent,
+@@ -4155,7 +4146,7 @@ struct rb_entry *f2fs_lookup_rb_tree_ret
+ struct rb_node ***insert_p, struct rb_node **insert_parent,
+ bool force, bool *leftmost);
+ bool f2fs_check_rb_tree_consistence(struct f2fs_sb_info *sbi,
+- struct rb_root_cached *root, bool check_key);
++ struct rb_root_cached *root);
+ void f2fs_init_extent_tree(struct inode *inode);
+ void f2fs_drop_extent_tree(struct inode *inode);
+ void f2fs_destroy_extent_node(struct inode *inode);
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -390,40 +390,95 @@ static unsigned int count_bits(const uns
+ return sum;
+ }
+
+-static struct victim_entry *attach_victim_entry(struct f2fs_sb_info *sbi,
+- unsigned long long mtime, unsigned int segno,
+- struct rb_node *parent, struct rb_node **p,
+- bool left_most)
++static bool f2fs_check_victim_tree(struct f2fs_sb_info *sbi,
++ struct rb_root_cached *root)
++{
++#ifdef CONFIG_F2FS_CHECK_FS
++ struct rb_node *cur = rb_first_cached(root), *next;
++ struct victim_entry *cur_ve, *next_ve;
++
++ while (cur) {
++ next = rb_next(cur);
++ if (!next)
++ return true;
++
++ cur_ve = rb_entry(cur, struct victim_entry, rb_node);
++ next_ve = rb_entry(next, struct victim_entry, rb_node);
++
++ if (cur_ve->mtime > next_ve->mtime) {
++ f2fs_info(sbi, "broken victim_rbtree, "
++ "cur_mtime(%llu) next_mtime(%llu)",
++ cur_ve->mtime, next_ve->mtime);
++ return false;
++ }
++ cur = next;
++ }
++#endif
++ return true;
++}
++
++static struct victim_entry *__lookup_victim_entry(struct f2fs_sb_info *sbi,
++ unsigned long long mtime)
++{
++ struct atgc_management *am = &sbi->am;
++ struct rb_node *node = am->root.rb_root.rb_node;
++ struct victim_entry *ve = NULL;
++
++ while (node) {
++ ve = rb_entry(node, struct victim_entry, rb_node);
++
++ if (mtime < ve->mtime)
++ node = node->rb_left;
++ else
++ node = node->rb_right;
++ }
++ return ve;
++}
++
++static struct victim_entry *__create_victim_entry(struct f2fs_sb_info *sbi,
++ unsigned long long mtime, unsigned int segno)
+ {
+ struct atgc_management *am = &sbi->am;
+ struct victim_entry *ve;
+
+- ve = f2fs_kmem_cache_alloc(victim_entry_slab,
+- GFP_NOFS, true, NULL);
++ ve = f2fs_kmem_cache_alloc(victim_entry_slab, GFP_NOFS, true, NULL);
+
+ ve->mtime = mtime;
+ ve->segno = segno;
+
+- rb_link_node(&ve->rb_node, parent, p);
+- rb_insert_color_cached(&ve->rb_node, &am->root, left_most);
+-
+ list_add_tail(&ve->list, &am->victim_list);
+-
+ am->victim_count++;
+
+ return ve;
+ }
+
+-static void insert_victim_entry(struct f2fs_sb_info *sbi,
++static void __insert_victim_entry(struct f2fs_sb_info *sbi,
+ unsigned long long mtime, unsigned int segno)
+ {
+ struct atgc_management *am = &sbi->am;
+- struct rb_node **p;
++ struct rb_root_cached *root = &am->root;
++ struct rb_node **p = &root->rb_root.rb_node;
+ struct rb_node *parent = NULL;
++ struct victim_entry *ve;
+ bool left_most = true;
+
+- p = f2fs_lookup_rb_tree_ext(sbi, &am->root, &parent, mtime, &left_most);
+- attach_victim_entry(sbi, mtime, segno, parent, p, left_most);
++ /* look up rb tree to find parent node */
++ while (*p) {
++ parent = *p;
++ ve = rb_entry(parent, struct victim_entry, rb_node);
++
++ if (mtime < ve->mtime) {
++ p = &(*p)->rb_left;
++ } else {
++ p = &(*p)->rb_right;
++ left_most = false;
++ }
++ }
++
++ ve = __create_victim_entry(sbi, mtime, segno);
++
++ rb_link_node(&ve->rb_node, parent, p);
++ rb_insert_color_cached(&ve->rb_node, root, left_most);
+ }
+
+ static void add_victim_entry(struct f2fs_sb_info *sbi,
+@@ -459,19 +514,7 @@ static void add_victim_entry(struct f2fs
+ if (sit_i->dirty_max_mtime - mtime < p->age_threshold)
+ return;
+
+- insert_victim_entry(sbi, mtime, segno);
+-}
+-
+-static struct rb_node *lookup_central_victim(struct f2fs_sb_info *sbi,
+- struct victim_sel_policy *p)
+-{
+- struct atgc_management *am = &sbi->am;
+- struct rb_node *parent = NULL;
+- bool left_most;
+-
+- f2fs_lookup_rb_tree_ext(sbi, &am->root, &parent, p->age, &left_most);
+-
+- return parent;
++ __insert_victim_entry(sbi, mtime, segno);
+ }
+
+ static void atgc_lookup_victim(struct f2fs_sb_info *sbi,
+@@ -481,7 +524,6 @@ static void atgc_lookup_victim(struct f2
+ struct atgc_management *am = &sbi->am;
+ struct rb_root_cached *root = &am->root;
+ struct rb_node *node;
+- struct rb_entry *re;
+ struct victim_entry *ve;
+ unsigned long long total_time;
+ unsigned long long age, u, accu;
+@@ -508,12 +550,10 @@ static void atgc_lookup_victim(struct f2
+
+ node = rb_first_cached(root);
+ next:
+- re = rb_entry_safe(node, struct rb_entry, rb_node);
+- if (!re)
++ ve = rb_entry_safe(node, struct victim_entry, rb_node);
++ if (!ve)
+ return;
+
+- ve = (struct victim_entry *)re;
+-
+ if (ve->mtime >= max_mtime || ve->mtime < min_mtime)
+ goto skip;
+
+@@ -555,8 +595,6 @@ static void atssr_lookup_victim(struct f
+ {
+ struct sit_info *sit_i = SIT_I(sbi);
+ struct atgc_management *am = &sbi->am;
+- struct rb_node *node;
+- struct rb_entry *re;
+ struct victim_entry *ve;
+ unsigned long long age;
+ unsigned long long max_mtime = sit_i->dirty_max_mtime;
+@@ -566,25 +604,22 @@ static void atssr_lookup_victim(struct f
+ unsigned int dirty_threshold = max(am->max_candidate_count,
+ am->candidate_ratio *
+ am->victim_count / 100);
+- unsigned int cost;
+- unsigned int iter = 0;
++ unsigned int cost, iter;
+ int stage = 0;
+
+ if (max_mtime < min_mtime)
+ return;
+ max_mtime += 1;
+ next_stage:
+- node = lookup_central_victim(sbi, p);
++ iter = 0;
++ ve = __lookup_victim_entry(sbi, p->age);
+ next_node:
+- re = rb_entry_safe(node, struct rb_entry, rb_node);
+- if (!re) {
+- if (stage == 0)
+- goto skip_stage;
++ if (!ve) {
++ if (stage++ == 0)
++ goto next_stage;
+ return;
+ }
+
+- ve = (struct victim_entry *)re;
+-
+ if (ve->mtime >= max_mtime || ve->mtime < min_mtime)
+ goto skip_node;
+
+@@ -610,24 +645,20 @@ next_node:
+ }
+ skip_node:
+ if (iter < dirty_threshold) {
+- if (stage == 0)
+- node = rb_prev(node);
+- else if (stage == 1)
+- node = rb_next(node);
++ ve = rb_entry(stage == 0 ? rb_prev(&ve->rb_node) :
++ rb_next(&ve->rb_node),
++ struct victim_entry, rb_node);
+ goto next_node;
+ }
+-skip_stage:
+- if (stage < 1) {
+- stage++;
+- iter = 0;
++
++ if (stage++ == 0)
+ goto next_stage;
+- }
+ }
++
+ static void lookup_victim_by_age(struct f2fs_sb_info *sbi,
+ struct victim_sel_policy *p)
+ {
+- f2fs_bug_on(sbi, !f2fs_check_rb_tree_consistence(sbi,
+- &sbi->am.root, true));
++ f2fs_bug_on(sbi, !f2fs_check_victim_tree(sbi, &sbi->am.root));
+
+ if (p->gc_mode == GC_AT)
+ atgc_lookup_victim(sbi, p);
+--- a/fs/f2fs/gc.h
++++ b/fs/f2fs/gc.h
+@@ -55,20 +55,10 @@ struct gc_inode_list {
+ struct radix_tree_root iroot;
+ };
+
+-struct victim_info {
+- unsigned long long mtime; /* mtime of section */
+- unsigned int segno; /* section No. */
+-};
+-
+ struct victim_entry {
+ struct rb_node rb_node; /* rb node located in rb-tree */
+- union {
+- struct {
+- unsigned long long mtime; /* mtime of section */
+- unsigned int segno; /* segment No. */
+- };
+- struct victim_info vi; /* victim info */
+- };
++ unsigned long long mtime; /* mtime of section */
++ unsigned int segno; /* segment No. */
+ struct list_head list;
+ };
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -1484,7 +1484,7 @@ retry:
+ goto next;
+ if (unlikely(dcc->rbtree_check))
+ f2fs_bug_on(sbi, !f2fs_check_rb_tree_consistence(sbi,
+- &dcc->root, false));
++ &dcc->root));
+ blk_start_plug(&plug);
+ list_for_each_entry_safe(dc, tmp, pend_list, list) {
+ f2fs_bug_on(sbi, dc->state != D_PREP);
+@@ -2971,7 +2971,7 @@ next:
+ mutex_lock(&dcc->cmd_lock);
+ if (unlikely(dcc->rbtree_check))
+ f2fs_bug_on(sbi, !f2fs_check_rb_tree_consistence(sbi,
+- &dcc->root, false));
++ &dcc->root));
+
+ dc = (struct discard_cmd *)f2fs_lookup_rb_tree_ret(&dcc->root,
+ NULL, start,
--- /dev/null
+From da6ea0b050fa720302b56fbb59307e7c7531a342 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Mon, 3 Apr 2023 09:37:24 -0700
+Subject: f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit da6ea0b050fa720302b56fbb59307e7c7531a342 upstream.
+
+We got a kernel panic if old_addr is NULL.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=217266
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+ Call Trace:
+ <TASK>
+ f2fs_commit_atomic_write+0x619/0x990 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43]
+ __f2fs_ioctl+0xd8e/0x4080 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43]
+ ? vfs_write+0x2ae/0x3f0
+ ? vfs_write+0x2ae/0x3f0
+ __x64_sys_ioctl+0x91/0xd0
+ do_syscall_64+0x5c/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+ RIP: 0033:0x7f69095fe53f
+
+Fixes: 2f3a9ae990a7 ("f2fs: introduce trace_f2fs_replace_atomic_write_block")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/segment.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -263,7 +263,7 @@ retry:
+ f2fs_put_dnode(&dn);
+
+ trace_f2fs_replace_atomic_write_block(inode, F2FS_I(inode)->cow_inode,
+- index, *old_addr, new_addr, recover);
++ index, old_addr ? *old_addr : 0, new_addr, recover);
+ return 0;
+ }
+
--- /dev/null
+From d94772154e524b329a168678836745d2773a6e02 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Thu, 6 Apr 2023 11:18:48 -0700
+Subject: f2fs: fix potential corruption when moving a directory
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit d94772154e524b329a168678836745d2773a6e02 upstream.
+
+F2FS has the same issue in ext4_rename causing crash revealed by
+xfstests/generic/707.
+
+See also commit 0813299c586b ("ext4: Fix possible corruption when moving a directory")
+
+CC: stable@vger.kernel.org
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/namei.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -995,12 +995,20 @@ static int f2fs_rename(struct mnt_idmap
+ goto out;
+ }
+
++ /*
++ * Copied from ext4_rename: we need to protect against old.inode
++ * directory getting converted from inline directory format into
++ * a normal one.
++ */
++ if (S_ISDIR(old_inode->i_mode))
++ inode_lock_nested(old_inode, I_MUTEX_NONDIR2);
++
+ err = -ENOENT;
+ old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page);
+ if (!old_entry) {
+ if (IS_ERR(old_page))
+ err = PTR_ERR(old_page);
+- goto out;
++ goto out_unlock_old;
+ }
+
+ if (S_ISDIR(old_inode->i_mode)) {
+@@ -1108,6 +1116,9 @@ static int f2fs_rename(struct mnt_idmap
+
+ f2fs_unlock_op(sbi);
+
++ if (S_ISDIR(old_inode->i_mode))
++ inode_unlock(old_inode);
++
+ if (IS_DIRSYNC(old_dir) || IS_DIRSYNC(new_dir))
+ f2fs_sync_fs(sbi->sb, 1);
+
+@@ -1122,6 +1133,9 @@ out_dir:
+ f2fs_put_page(old_dir_page, 0);
+ out_old:
+ f2fs_put_page(old_page, 0);
++out_unlock_old:
++ if (S_ISDIR(old_inode->i_mode))
++ inode_unlock(old_inode);
+ out:
+ iput(whiteout);
+ return err;
--- /dev/null
+From bf21acf9959a48d90dd32869a0649525eb21be56 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Fri, 10 Mar 2023 11:49:57 -0800
+Subject: f2fs: remove entire rb_entry sharing
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit bf21acf9959a48d90dd32869a0649525eb21be56 upstream.
+
+This is a last part to remove the memory sharing for rb_tree in extent_cache.
+
+This should also fix arm32 memory alignment issue.
+
+[struct extent_node] [struct rb_entry]
+[0] struct rb_node rb_node; [0] struct rb_node rb_node;
+ union { union {
+ struct { struct {
+[16] unsigned int fofs; [12] unsigned int ofs;
+ unsigned int len; unsigned int len;
+ };
+ unsigned long long key;
+ } __packed;
+
+Cc: <stable@vger.kernel.org>
+Fixes: 13054c548a1c ("f2fs: introduce infra macro and data structure of rb-tree extent cache")
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/extent_cache.c | 177 +++++++++++++++++++------------------------------
+ fs/f2fs/f2fs.h | 6 -
+ 2 files changed, 71 insertions(+), 112 deletions(-)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -161,95 +161,52 @@ static bool __is_front_mergeable(struct
+ return __is_extent_mergeable(cur, front, type);
+ }
+
+-static struct rb_entry *__lookup_rb_tree_fast(struct rb_entry *cached_re,
+- unsigned int ofs)
+-{
+- if (cached_re) {
+- if (cached_re->ofs <= ofs &&
+- cached_re->ofs + cached_re->len > ofs) {
+- return cached_re;
+- }
+- }
+- return NULL;
+-}
+-
+-static struct rb_entry *__lookup_rb_tree_slow(struct rb_root_cached *root,
+- unsigned int ofs)
++static struct extent_node *__lookup_extent_node(struct rb_root_cached *root,
++ struct extent_node *cached_en, unsigned int fofs)
+ {
+ struct rb_node *node = root->rb_root.rb_node;
+- struct rb_entry *re;
++ struct extent_node *en;
++
++ /* check a cached entry */
++ if (cached_en && cached_en->ei.fofs <= fofs &&
++ cached_en->ei.fofs + cached_en->ei.len > fofs)
++ return cached_en;
+
++ /* check rb_tree */
+ while (node) {
+- re = rb_entry(node, struct rb_entry, rb_node);
++ en = rb_entry(node, struct extent_node, rb_node);
+
+- if (ofs < re->ofs)
++ if (fofs < en->ei.fofs)
+ node = node->rb_left;
+- else if (ofs >= re->ofs + re->len)
++ else if (fofs >= en->ei.fofs + en->ei.len)
+ node = node->rb_right;
+ else
+- return re;
++ return en;
+ }
+ return NULL;
+ }
+
+-static struct rb_entry *f2fs_lookup_rb_tree(struct rb_root_cached *root,
+- struct rb_entry *cached_re, unsigned int ofs)
+-{
+- struct rb_entry *re;
+-
+- re = __lookup_rb_tree_fast(cached_re, ofs);
+- if (!re)
+- return __lookup_rb_tree_slow(root, ofs);
+-
+- return re;
+-}
+-
+-static struct rb_node **f2fs_lookup_rb_tree_for_insert(struct f2fs_sb_info *sbi,
+- struct rb_root_cached *root,
+- struct rb_node **parent,
+- unsigned int ofs, bool *leftmost)
+-{
+- struct rb_node **p = &root->rb_root.rb_node;
+- struct rb_entry *re;
+-
+- while (*p) {
+- *parent = *p;
+- re = rb_entry(*parent, struct rb_entry, rb_node);
+-
+- if (ofs < re->ofs) {
+- p = &(*p)->rb_left;
+- } else if (ofs >= re->ofs + re->len) {
+- p = &(*p)->rb_right;
+- *leftmost = false;
+- } else {
+- f2fs_bug_on(sbi, 1);
+- }
+- }
+-
+- return p;
+-}
+-
+ /*
+- * lookup rb entry in position of @ofs in rb-tree,
++ * lookup rb entry in position of @fofs in rb-tree,
+ * if hit, return the entry, otherwise, return NULL
+- * @prev_ex: extent before ofs
+- * @next_ex: extent after ofs
+- * @insert_p: insert point for new extent at ofs
++ * @prev_ex: extent before fofs
++ * @next_ex: extent after fofs
++ * @insert_p: insert point for new extent at fofs
+ * in order to simplify the insertion after.
+ * tree must stay unchanged between lookup and insertion.
+ */
+-static struct rb_entry *f2fs_lookup_rb_tree_ret(struct rb_root_cached *root,
+- struct rb_entry *cached_re,
+- unsigned int ofs,
+- struct rb_entry **prev_entry,
+- struct rb_entry **next_entry,
++static struct extent_node *__lookup_extent_node_ret(struct rb_root_cached *root,
++ struct extent_node *cached_en,
++ unsigned int fofs,
++ struct extent_node **prev_entry,
++ struct extent_node **next_entry,
+ struct rb_node ***insert_p,
+ struct rb_node **insert_parent,
+- bool force, bool *leftmost)
++ bool *leftmost)
+ {
+ struct rb_node **pnode = &root->rb_root.rb_node;
+ struct rb_node *parent = NULL, *tmp_node;
+- struct rb_entry *re = cached_re;
++ struct extent_node *en = cached_en;
+
+ *insert_p = NULL;
+ *insert_parent = NULL;
+@@ -259,24 +216,20 @@ static struct rb_entry *f2fs_lookup_rb_t
+ if (RB_EMPTY_ROOT(&root->rb_root))
+ return NULL;
+
+- if (re) {
+- if (re->ofs <= ofs && re->ofs + re->len > ofs)
+- goto lookup_neighbors;
+- }
++ if (en && en->ei.fofs <= fofs && en->ei.fofs + en->ei.len > fofs)
++ goto lookup_neighbors;
+
+- if (leftmost)
+- *leftmost = true;
++ *leftmost = true;
+
+ while (*pnode) {
+ parent = *pnode;
+- re = rb_entry(*pnode, struct rb_entry, rb_node);
++ en = rb_entry(*pnode, struct extent_node, rb_node);
+
+- if (ofs < re->ofs) {
++ if (fofs < en->ei.fofs) {
+ pnode = &(*pnode)->rb_left;
+- } else if (ofs >= re->ofs + re->len) {
++ } else if (fofs >= en->ei.fofs + en->ei.len) {
+ pnode = &(*pnode)->rb_right;
+- if (leftmost)
+- *leftmost = false;
++ *leftmost = false;
+ } else {
+ goto lookup_neighbors;
+ }
+@@ -285,30 +238,32 @@ static struct rb_entry *f2fs_lookup_rb_t
+ *insert_p = pnode;
+ *insert_parent = parent;
+
+- re = rb_entry(parent, struct rb_entry, rb_node);
++ en = rb_entry(parent, struct extent_node, rb_node);
+ tmp_node = parent;
+- if (parent && ofs > re->ofs)
++ if (parent && fofs > en->ei.fofs)
+ tmp_node = rb_next(parent);
+- *next_entry = rb_entry_safe(tmp_node, struct rb_entry, rb_node);
++ *next_entry = rb_entry_safe(tmp_node, struct extent_node, rb_node);
+
+ tmp_node = parent;
+- if (parent && ofs < re->ofs)
++ if (parent && fofs < en->ei.fofs)
+ tmp_node = rb_prev(parent);
+- *prev_entry = rb_entry_safe(tmp_node, struct rb_entry, rb_node);
++ *prev_entry = rb_entry_safe(tmp_node, struct extent_node, rb_node);
+ return NULL;
+
+ lookup_neighbors:
+- if (ofs == re->ofs || force) {
++ if (fofs == en->ei.fofs) {
+ /* lookup prev node for merging backward later */
+- tmp_node = rb_prev(&re->rb_node);
+- *prev_entry = rb_entry_safe(tmp_node, struct rb_entry, rb_node);
++ tmp_node = rb_prev(&en->rb_node);
++ *prev_entry = rb_entry_safe(tmp_node,
++ struct extent_node, rb_node);
+ }
+- if (ofs == re->ofs + re->len - 1 || force) {
++ if (fofs == en->ei.fofs + en->ei.len - 1) {
+ /* lookup next node for merging frontward later */
+- tmp_node = rb_next(&re->rb_node);
+- *next_entry = rb_entry_safe(tmp_node, struct rb_entry, rb_node);
++ tmp_node = rb_next(&en->rb_node);
++ *next_entry = rb_entry_safe(tmp_node,
++ struct extent_node, rb_node);
+ }
+- return re;
++ return en;
+ }
+
+ static struct kmem_cache *extent_tree_slab;
+@@ -523,8 +478,7 @@ static bool __lookup_extent_tree(struct
+ goto out;
+ }
+
+- en = (struct extent_node *)f2fs_lookup_rb_tree(&et->root,
+- (struct rb_entry *)et->cached_en, pgofs);
++ en = __lookup_extent_node(&et->root, et->cached_en, pgofs);
+ if (!en)
+ goto out;
+
+@@ -598,7 +552,7 @@ static struct extent_node *__insert_exte
+ bool leftmost)
+ {
+ struct extent_tree_info *eti = &sbi->extent_tree[et->type];
+- struct rb_node **p;
++ struct rb_node **p = &et->root.rb_root.rb_node;
+ struct rb_node *parent = NULL;
+ struct extent_node *en = NULL;
+
+@@ -610,8 +564,21 @@ static struct extent_node *__insert_exte
+
+ leftmost = true;
+
+- p = f2fs_lookup_rb_tree_for_insert(sbi, &et->root, &parent,
+- ei->fofs, &leftmost);
++ /* look up extent_node in the rb tree */
++ while (*p) {
++ parent = *p;
++ en = rb_entry(parent, struct extent_node, rb_node);
++
++ if (ei->fofs < en->ei.fofs) {
++ p = &(*p)->rb_left;
++ } else if (ei->fofs >= en->ei.fofs + en->ei.len) {
++ p = &(*p)->rb_right;
++ leftmost = false;
++ } else {
++ f2fs_bug_on(sbi, 1);
++ }
++ }
++
+ do_insert:
+ en = __attach_extent_node(sbi, et, ei, parent, p, leftmost);
+ if (!en)
+@@ -670,11 +637,10 @@ static void __update_extent_tree_range(s
+ }
+
+ /* 1. lookup first extent node in range [fofs, fofs + len - 1] */
+- en = (struct extent_node *)f2fs_lookup_rb_tree_ret(&et->root,
+- (struct rb_entry *)et->cached_en, fofs,
+- (struct rb_entry **)&prev_en,
+- (struct rb_entry **)&next_en,
+- &insert_p, &insert_parent, false,
++ en = __lookup_extent_node_ret(&et->root,
++ et->cached_en, fofs,
++ &prev_en, &next_en,
++ &insert_p, &insert_parent,
+ &leftmost);
+ if (!en)
+ en = next_en;
+@@ -812,12 +778,11 @@ void f2fs_update_read_extent_tree_range_
+
+ write_lock(&et->lock);
+
+- en = (struct extent_node *)f2fs_lookup_rb_tree_ret(&et->root,
+- (struct rb_entry *)et->cached_en, fofs,
+- (struct rb_entry **)&prev_en,
+- (struct rb_entry **)&next_en,
+- &insert_p, &insert_parent, false,
+- &leftmost);
++ en = __lookup_extent_node_ret(&et->root,
++ et->cached_en, fofs,
++ &prev_en, &next_en,
++ &insert_p, &insert_parent,
++ &leftmost);
+ if (en)
+ goto unlock_out;
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -620,12 +620,6 @@ enum extent_type {
+ NR_EXTENT_CACHES,
+ };
+
+-struct rb_entry {
+- struct rb_node rb_node; /* rb node located in rb-tree */
+- unsigned int ofs; /* start offset of the entry */
+- unsigned int len; /* length of the entry */
+-};
+-
+ struct extent_info {
+ unsigned int fofs; /* start offset in a file */
+ unsigned int len; /* length of the extent */
--- /dev/null
+From c915d8f5918bea7c3962b09b8884ca128bfd9b0c Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 24 Apr 2023 18:32:19 +0200
+Subject: inotify: Avoid reporting event with invalid wd
+
+From: Jan Kara <jack@suse.cz>
+
+commit c915d8f5918bea7c3962b09b8884ca128bfd9b0c upstream.
+
+When inotify_freeing_mark() races with inotify_handle_inode_event() it
+can happen that inotify_handle_inode_event() sees that i_mark->wd got
+already reset to -1 and reports this value to userspace which can
+confuse the inotify listener. Avoid the problem by validating that wd is
+sensible (and pretend the mark got removed before the event got
+generated otherwise).
+
+CC: stable@vger.kernel.org
+Fixes: 7e790dd5fc93 ("inotify: fix error paths in inotify_update_watch")
+Message-Id: <20230424163219.9250-1-jack@suse.cz>
+Reported-by: syzbot+4a06d4373fd52f0b2f9c@syzkaller.appspotmail.com
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/inotify/inotify_fsnotify.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/notify/inotify/inotify_fsnotify.c
++++ b/fs/notify/inotify/inotify_fsnotify.c
+@@ -65,7 +65,7 @@ int inotify_handle_inode_event(struct fs
+ struct fsnotify_event *fsn_event;
+ struct fsnotify_group *group = inode_mark->group;
+ int ret;
+- int len = 0;
++ int len = 0, wd;
+ int alloc_len = sizeof(struct inotify_event_info);
+ struct mem_cgroup *old_memcg;
+
+@@ -81,6 +81,13 @@ int inotify_handle_inode_event(struct fs
+ fsn_mark);
+
+ /*
++ * We can be racing with mark being detached. Don't report event with
++ * invalid wd.
++ */
++ wd = READ_ONCE(i_mark->wd);
++ if (wd == -1)
++ return 0;
++ /*
+ * Whoever is interested in the event, pays for the allocation. Do not
+ * trigger OOM killer in the target monitoring memcg as it may have
+ * security repercussion.
+@@ -110,7 +117,7 @@ int inotify_handle_inode_event(struct fs
+ fsn_event = &event->fse;
+ fsnotify_init_event(fsn_event);
+ event->mask = mask;
+- event->wd = i_mark->wd;
++ event->wd = wd;
+ event->sync_cookie = cookie;
+ event->name_len = len;
+ if (len)
--- /dev/null
+From 64cc451e45e146b2140211b4f45f278b93b24ac0 Mon Sep 17 00:00:00 2001
+From: Jianmin Lv <lvjianmin@loongson.cn>
+Date: Fri, 7 Apr 2023 16:34:50 +0800
+Subject: irqchip/loongson-eiointc: Fix incorrect use of acpi_get_vec_parent
+
+From: Jianmin Lv <lvjianmin@loongson.cn>
+
+commit 64cc451e45e146b2140211b4f45f278b93b24ac0 upstream.
+
+In eiointc_acpi_init(), a *eiointc* node is passed into
+acpi_get_vec_parent() instead of a required *NUMA* node (on some chip
+like 3C5000L, a *NUMA* node means a *eiointc* node, but on some chip
+like 3C5000, a *NUMA* node contains 4 *eiointc* nodes), and node in
+struct acpi_vector_group is essentially a *NUMA* node, which will
+lead to no parent matched for passed *eiointc* node. so the patch
+adjusts code to use *NUMA* node for parameter node of
+acpi_set_vec_parent/acpi_get_vec_parent.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jianmin Lv <lvjianmin@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230407083453.6305-3-lvjianmin@loongson.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-loongson-eiointc.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/irqchip/irq-loongson-eiointc.c
++++ b/drivers/irqchip/irq-loongson-eiointc.c
+@@ -280,9 +280,6 @@ static void acpi_set_vec_parent(int node
+ {
+ int i;
+
+- if (cpu_has_flatmode)
+- node = cpu_to_node(node * CORES_PER_EIO_NODE);
+-
+ for (i = 0; i < MAX_IO_PICS; i++) {
+ if (node == vec_group[i].node) {
+ vec_group[i].parent = parent;
+@@ -349,8 +346,16 @@ static int __init pch_pic_parse_madt(uni
+ static int __init pch_msi_parse_madt(union acpi_subtable_headers *header,
+ const unsigned long end)
+ {
++ struct irq_domain *parent;
+ struct acpi_madt_msi_pic *pchmsi_entry = (struct acpi_madt_msi_pic *)header;
+- struct irq_domain *parent = acpi_get_vec_parent(eiointc_priv[nr_pics - 1]->node, msi_group);
++ int node;
++
++ if (cpu_has_flatmode)
++ node = cpu_to_node(eiointc_priv[nr_pics - 1]->node * CORES_PER_EIO_NODE);
++ else
++ node = eiointc_priv[nr_pics - 1]->node;
++
++ parent = acpi_get_vec_parent(node, msi_group);
+
+ if (parent)
+ return pch_msi_acpi_init(parent, pchmsi_entry);
+@@ -379,6 +384,7 @@ int __init eiointc_acpi_init(struct irq_
+ int i, ret, parent_irq;
+ unsigned long node_map;
+ struct eiointc_priv *priv;
++ int node;
+
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+@@ -421,8 +427,12 @@ int __init eiointc_acpi_init(struct irq_
+ "irqchip/loongarch/intc:starting",
+ eiointc_router_init, NULL);
+
+- acpi_set_vec_parent(acpi_eiointc->node, priv->eiointc_domain, pch_group);
+- acpi_set_vec_parent(acpi_eiointc->node, priv->eiointc_domain, msi_group);
++ if (cpu_has_flatmode)
++ node = cpu_to_node(acpi_eiointc->node * CORES_PER_EIO_NODE);
++ else
++ node = acpi_eiointc->node;
++ acpi_set_vec_parent(node, priv->eiointc_domain, pch_group);
++ acpi_set_vec_parent(node, priv->eiointc_domain, msi_group);
+ ret = acpi_cascade_irqdomain_init();
+
+ return ret;
--- /dev/null
+From bdd60211eebb43ba1c4c14704965f4d4b628b931 Mon Sep 17 00:00:00 2001
+From: Jianmin Lv <lvjianmin@loongson.cn>
+Date: Fri, 7 Apr 2023 16:34:51 +0800
+Subject: irqchip/loongson-eiointc: Fix registration of syscore_ops
+
+From: Jianmin Lv <lvjianmin@loongson.cn>
+
+commit bdd60211eebb43ba1c4c14704965f4d4b628b931 upstream.
+
+When support suspend/resume for loongson-eiointc, the syscore_ops
+is registered twice in dual-bridges machines where there are two
+eiointc IRQ domains. Repeated registration of an same syscore_ops
+broke syscore_ops_list. Also, cpuhp_setup_state_nocalls is only
+needed to call for once. So the patch will corret them.
+
+Fixes: a90335c2dfb4 ("irqchip/loongson-eiointc: Add suspend/resume support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jianmin Lv <lvjianmin@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230407083453.6305-4-lvjianmin@loongson.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-loongson-eiointc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/irqchip/irq-loongson-eiointc.c
++++ b/drivers/irqchip/irq-loongson-eiointc.c
+@@ -422,10 +422,12 @@ int __init eiointc_acpi_init(struct irq_
+ parent_irq = irq_create_mapping(parent, acpi_eiointc->cascade);
+ irq_set_chained_handler_and_data(parent_irq, eiointc_irq_dispatch, priv);
+
+- register_syscore_ops(&eiointc_syscore_ops);
+- cpuhp_setup_state_nocalls(CPUHP_AP_IRQ_LOONGARCH_STARTING,
++ if (nr_pics == 1) {
++ register_syscore_ops(&eiointc_syscore_ops);
++ cpuhp_setup_state_nocalls(CPUHP_AP_IRQ_LOONGARCH_STARTING,
+ "irqchip/loongarch/intc:starting",
+ eiointc_router_init, NULL);
++ }
+
+ if (cpu_has_flatmode)
+ node = cpu_to_node(acpi_eiointc->node * CORES_PER_EIO_NODE);
--- /dev/null
+From 112eaa8fec5ea75f1be003ec55760b09a86799f8 Mon Sep 17 00:00:00 2001
+From: Jianmin Lv <lvjianmin@loongson.cn>
+Date: Fri, 7 Apr 2023 16:34:49 +0800
+Subject: irqchip/loongson-eiointc: Fix returned value on parsing MADT
+
+From: Jianmin Lv <lvjianmin@loongson.cn>
+
+commit 112eaa8fec5ea75f1be003ec55760b09a86799f8 upstream.
+
+In pch_pic_parse_madt(), a NULL parent pointer will be
+returned from acpi_get_vec_parent() for second pch-pic domain
+related to second bridge while calling eiointc_acpi_init() at
+first time, where the parent of it has not been initialized
+yet, and will be initialized during second time calling
+eiointc_acpi_init(). So, it's reasonable to return zero so
+that failure of acpi_table_parse_madt() will be avoided, or else
+acpi_cascade_irqdomain_init() will return and initialization of
+followed pch_msi domain will be skipped.
+
+Although it does not matter when pch_msi_parse_madt() returns
+-EINVAL if no invalid parent is found, it's also reasonable to
+return zero for that.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jianmin Lv <lvjianmin@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230407083453.6305-2-lvjianmin@loongson.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-loongson-eiointc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/irqchip/irq-loongson-eiointc.c
++++ b/drivers/irqchip/irq-loongson-eiointc.c
+@@ -343,7 +343,7 @@ static int __init pch_pic_parse_madt(uni
+ if (parent)
+ return pch_pic_acpi_init(parent, pchpic_entry);
+
+- return -EINVAL;
++ return 0;
+ }
+
+ static int __init pch_msi_parse_madt(union acpi_subtable_headers *header,
+@@ -355,7 +355,7 @@ static int __init pch_msi_parse_madt(uni
+ if (parent)
+ return pch_msi_acpi_init(parent, pchmsi_entry);
+
+- return -EINVAL;
++ return 0;
+ }
+
+ static int __init acpi_cascade_irqdomain_init(void)
--- /dev/null
+From 48ce2d722f7f108f27bedddf54bee3423a57ce57 Mon Sep 17 00:00:00 2001
+From: Jianmin Lv <lvjianmin@loongson.cn>
+Date: Fri, 7 Apr 2023 16:34:53 +0800
+Subject: irqchip/loongson-pch-pic: Fix pch_pic_acpi_init calling
+
+From: Jianmin Lv <lvjianmin@loongson.cn>
+
+commit 48ce2d722f7f108f27bedddf54bee3423a57ce57 upstream.
+
+For dual-bridges scenario, pch_pic_acpi_init() will be called
+in following path:
+
+cpuintc_acpi_init
+ acpi_cascade_irqdomain_init(in cpuintc driver)
+ acpi_table_parse_madt
+ eiointc_parse_madt
+ eiointc_acpi_init /* this will be called two times
+ correspondingto parsing two
+ eiointc entries in MADT under
+ dual-bridges scenario*/
+ acpi_cascade_irqdomain_init(in eiointc driver)
+ acpi_table_parse_madt
+ pch_pic_parse_madt
+ pch_pic_acpi_init /* this will be called depend
+ on valid parent IRQ domain
+ handle for one or two times
+ corresponding to parsing
+ two pchpic entries in MADT
+ druring calling
+ eiointc_acpi_init() under
+ dual-bridges scenario*/
+
+During the first eiointc_acpi_init() calling, the
+pch_pic_acpi_init() will be called just one time since only
+one valid parent IRQ domain handle will be found for current
+eiointc IRQ domain.
+
+During the second eiointc_acpi_init() calling, the
+pch_pic_acpi_init() will be called two times since two valid
+parent IRQ domain handles will be found. So in pch_pic_acpi_init(),
+we must have a reasonable way to prevent from creating second same
+pch_pic IRQ domain.
+
+The patch matches gsi base information in created pch_pic IRQ
+domains to check if the target domain has been created to avoid the
+bug mentioned above.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jianmin Lv <lvjianmin@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230407083453.6305-6-lvjianmin@loongson.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-loongson-pch-pic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/irqchip/irq-loongson-pch-pic.c
++++ b/drivers/irqchip/irq-loongson-pch-pic.c
+@@ -403,6 +403,9 @@ int __init pch_pic_acpi_init(struct irq_
+ int ret, vec_base;
+ struct fwnode_handle *domain_handle;
+
++ if (find_pch_pic(acpi_pchpic->gsi_base) >= 0)
++ return 0;
++
+ vec_base = acpi_pchpic->gsi_base - GSI_MIN_PCH_IRQ;
+
+ domain_handle = irq_domain_alloc_fwnode(&acpi_pchpic->address);
--- /dev/null
+From c84efbba46901b187994558ee0edb15f7076c9a7 Mon Sep 17 00:00:00 2001
+From: Jianmin Lv <lvjianmin@loongson.cn>
+Date: Fri, 7 Apr 2023 16:34:52 +0800
+Subject: irqchip/loongson-pch-pic: Fix registration of syscore_ops
+
+From: Jianmin Lv <lvjianmin@loongson.cn>
+
+commit c84efbba46901b187994558ee0edb15f7076c9a7 upstream.
+
+When support suspend/resume for loongson-pch-pic, the syscore_ops
+is registered twice in dual-bridges machines where there are two
+pch-pic IRQ domains. Repeated registration of an same syscore_ops
+broke syscore_ops_list, so the patch will corret it.
+
+Fixes: 1ed008a2c331 ("irqchip/loongson-pch-pic: Add suspend/resume support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jianmin Lv <lvjianmin@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230407083453.6305-5-lvjianmin@loongson.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-loongson-pch-pic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-loongson-pch-pic.c
++++ b/drivers/irqchip/irq-loongson-pch-pic.c
+@@ -311,7 +311,8 @@ static int pch_pic_init(phys_addr_t addr
+ pch_pic_handle[nr_pics] = domain_handle;
+ pch_pic_priv[nr_pics++] = priv;
+
+- register_syscore_ops(&pch_pic_syscore_ops);
++ if (nr_pics == 1)
++ register_syscore_ops(&pch_pic_syscore_ops);
+
+ return 0;
+
--- /dev/null
+From decab2825c3ef9b154c6f76bce40872ffb41c36f Mon Sep 17 00:00:00 2001
+From: Fae <faenkhauser@gmail.com>
+Date: Tue, 25 Apr 2023 01:36:44 -0500
+Subject: platform/x86: hp-wmi: add micmute to hp_wmi_keymap struct
+
+From: Fae <faenkhauser@gmail.com>
+
+commit decab2825c3ef9b154c6f76bce40872ffb41c36f upstream.
+
+Fixes micmute key of HP Envy X360 ey0xxx.
+
+Signed-off-by: Fae <faenkhauser@gmail.com>
+Link: https://lore.kernel.org/r/20230425063644.11828-1-faenkhauser@gmail.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/hp/hp-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/hp/hp-wmi.c
++++ b/drivers/platform/x86/hp/hp-wmi.c
+@@ -211,6 +211,7 @@ struct bios_rfkill2_state {
+ static const struct key_entry hp_wmi_keymap[] = {
+ { KE_KEY, 0x02, { KEY_BRIGHTNESSUP } },
+ { KE_KEY, 0x03, { KEY_BRIGHTNESSDOWN } },
++ { KE_KEY, 0x270, { KEY_MICMUTE } },
+ { KE_KEY, 0x20e6, { KEY_PROG1 } },
+ { KE_KEY, 0x20e8, { KEY_MEDIA } },
+ { KE_KEY, 0x2142, { KEY_MEDIA } },
--- /dev/null
+From 75e406b540c3eca67625d97bbefd4e3787eafbfe Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Tue, 18 Apr 2023 08:32:30 -0700
+Subject: platform/x86/intel-uncore-freq: Return error on write frequency
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 75e406b540c3eca67625d97bbefd4e3787eafbfe upstream.
+
+Currently when the uncore_write() returns error, it is silently
+ignored. Return error to user space when uncore_write() fails.
+
+Fixes: 49a474c7ba51 ("platform/x86: Add support for Uncore frequency control")
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Wendy Wang <wendy.wang@intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20230418153230.679094-1-srinivas.pandruvada@linux.intel.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.c
++++ b/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.c
+@@ -44,14 +44,18 @@ static ssize_t store_min_max_freq_khz(st
+ int min_max)
+ {
+ unsigned int input;
++ int ret;
+
+ if (kstrtouint(buf, 10, &input))
+ return -EINVAL;
+
+ mutex_lock(&uncore_lock);
+- uncore_write(data, input, min_max);
++ ret = uncore_write(data, input, min_max);
+ mutex_unlock(&uncore_lock);
+
++ if (ret)
++ return ret;
++
+ return count;
+ }
+
--- /dev/null
+From 1684878952929e20a864af5df7b498941c750f45 Mon Sep 17 00:00:00 2001
+From: Mark Pearson <mpearson-lenovo@squebb.ca>
+Date: Fri, 5 May 2023 09:25:23 -0400
+Subject: platform/x86: thinkpad_acpi: Add profile force ability
+
+From: Mark Pearson <mpearson-lenovo@squebb.ca>
+
+commit 1684878952929e20a864af5df7b498941c750f45 upstream.
+
+There has been a lot of confusion around which platform profiles are
+supported on various platforms and it would be useful to have a debug
+method to be able to override the profile mode that is selected.
+
+I don't expect this to be used in anything other than debugging in
+conjunction with Lenovo engineers - but it does give a way to get a
+system working whilst we wait for either FW fixes, or a driver fix
+to land upstream, if something is wonky in the mode detection logic
+
+Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Link: https://lore.kernel.org/r/20230505132523.214338-2-mpearson-lenovo@squebb.ca
+Cc: stable@vger.kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -10318,6 +10318,7 @@ static atomic_t dytc_ignore_event = ATOM
+ static DEFINE_MUTEX(dytc_mutex);
+ static int dytc_capabilities;
+ static bool dytc_mmc_get_available;
++static int profile_force;
+
+ static int convert_dytc_to_profile(int funcmode, int dytcmode,
+ enum platform_profile_option *profile)
+@@ -10580,6 +10581,21 @@ static int tpacpi_dytc_profile_init(stru
+ if (err)
+ return err;
+
++ /* Check if user wants to override the profile selection */
++ if (profile_force) {
++ switch (profile_force) {
++ case -1:
++ dytc_capabilities = 0;
++ break;
++ case 1:
++ dytc_capabilities = BIT(DYTC_FC_MMC);
++ break;
++ case 2:
++ dytc_capabilities = BIT(DYTC_FC_PSC);
++ break;
++ }
++ pr_debug("Profile selection forced: 0x%x\n", dytc_capabilities);
++ }
+ if (dytc_capabilities & BIT(DYTC_FC_MMC)) { /* MMC MODE */
+ pr_debug("MMC is supported\n");
+ /*
+@@ -11641,6 +11657,9 @@ MODULE_PARM_DESC(uwb_state,
+ "Initial state of the emulated UWB switch");
+ #endif
+
++module_param(profile_force, int, 0444);
++MODULE_PARM_DESC(profile_force, "Force profile mode. -1=off, 1=MMC, 2=PSC");
++
+ static void thinkpad_acpi_module_exit(void)
+ {
+ struct ibm_struct *ibm, *itmp;
--- /dev/null
+From 0c0cd3e25a5b64b541dd83ba6e032475a9d77432 Mon Sep 17 00:00:00 2001
+From: Mark Pearson <mpearson-lenovo@squebb.ca>
+Date: Fri, 5 May 2023 09:25:22 -0400
+Subject: platform/x86: thinkpad_acpi: Fix platform profiles on T490
+
+From: Mark Pearson <mpearson-lenovo@squebb.ca>
+
+commit 0c0cd3e25a5b64b541dd83ba6e032475a9d77432 upstream.
+
+I had incorrectly thought that PSC profiles were not usable on Intel
+platforms so had blocked them in the driver initialistion. This broke
+platform profiles on the T490.
+
+After discussion with the FW team PSC does work on Intel platforms and
+should be allowed.
+
+Note - it's possible this may impact other platforms where it is advertised
+but special driver support that only Windows has is needed. But if it does
+then they will need fixing via quirks. Please report any issues to me so I
+can get them addressed - but I haven't found any problems in testing...yet
+
+Fixes: bce6243f767f ("platform/x86: thinkpad_acpi: do not use PSC mode on Intel platforms")
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2177962
+Cc: stable@vger.kernel.org
+Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Link: https://lore.kernel.org/r/20230505132523.214338-1-mpearson-lenovo@squebb.ca
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -10593,11 +10593,6 @@ static int tpacpi_dytc_profile_init(stru
+ dytc_mmc_get_available = true;
+ }
+ } else if (dytc_capabilities & BIT(DYTC_FC_PSC)) { /* PSC MODE */
+- /* Support for this only works on AMD platforms */
+- if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) {
+- dbg_printk(TPACPI_DBG_INIT, "PSC not support on Intel platforms\n");
+- return -ENODEV;
+- }
+ pr_debug("PSC is supported\n");
+ } else {
+ dbg_printk(TPACPI_DBG_INIT, "No DYTC support available\n");
--- /dev/null
+From 4b65f95c87c35699bc6ad540d6b9dd7f950d0924 Mon Sep 17 00:00:00 2001
+From: Andrey Avdeev <jamesstoun@gmail.com>
+Date: Sun, 30 Apr 2023 11:01:10 +0300
+Subject: platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
+
+From: Andrey Avdeev <jamesstoun@gmail.com>
+
+commit 4b65f95c87c35699bc6ad540d6b9dd7f950d0924 upstream.
+
+Add touchscreen info for the Dexp Ursus KX210i
+
+Signed-off-by: Andrey Avdeev <jamesstoun@gmail.com>
+Link: https://lore.kernel.org/r/ZE4gRgzRQCjXFYD0@avdeevavpc
+Cc: stable@vger.kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/touchscreen_dmi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/platform/x86/touchscreen_dmi.c
++++ b/drivers/platform/x86/touchscreen_dmi.c
+@@ -336,6 +336,22 @@ static const struct ts_dmi_data dexp_urs
+ .properties = dexp_ursus_7w_props,
+ };
+
++static const struct property_entry dexp_ursus_kx210i_props[] = {
++ PROPERTY_ENTRY_U32("touchscreen-min-x", 5),
++ PROPERTY_ENTRY_U32("touchscreen-min-y", 2),
++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1720),
++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1137),
++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-dexp-ursus-kx210i.fw"),
++ PROPERTY_ENTRY_U32("silead,max-fingers", 10),
++ PROPERTY_ENTRY_BOOL("silead,home-button"),
++ { }
++};
++
++static const struct ts_dmi_data dexp_ursus_kx210i_data = {
++ .acpi_name = "MSSL1680:00",
++ .properties = dexp_ursus_kx210i_props,
++};
++
+ static const struct property_entry digma_citi_e200_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-size-x", 1980),
+ PROPERTY_ENTRY_U32("touchscreen-size-y", 1500),
+@@ -1191,6 +1207,14 @@ const struct dmi_system_id touchscreen_d
+ },
+ },
+ {
++ /* DEXP Ursus KX210i */
++ .driver_data = (void *)&dexp_ursus_kx210i_data,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "INSYDE Corp."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "S107I"),
++ },
++ },
++ {
+ /* Digma Citi E200 */
+ .driver_data = (void *)&digma_citi_e200_data,
+ .matches = {
--- /dev/null
+From 6abfa99ce52f61a31bcfc2aaaae09006f5665495 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 5 May 2023 23:03:23 +0200
+Subject: platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 6abfa99ce52f61a31bcfc2aaaae09006f5665495 upstream.
+
+The Juno Computers Juno Tablet has an upside-down mounted Goodix
+touchscreen. Add a quirk to invert both axis to correct for this.
+
+Link: https://junocomputers.com/us/product/juno-tablet/
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230505210323.43177-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/touchscreen_dmi.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/platform/x86/touchscreen_dmi.c
++++ b/drivers/platform/x86/touchscreen_dmi.c
+@@ -378,6 +378,11 @@ static const struct ts_dmi_data gdix1001
+ .properties = gdix1001_upside_down_props,
+ };
+
++static const struct ts_dmi_data gdix1002_00_upside_down_data = {
++ .acpi_name = "GDIX1002:00",
++ .properties = gdix1001_upside_down_props,
++};
++
+ static const struct property_entry gp_electronic_t701_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-size-x", 960),
+ PROPERTY_ENTRY_U32("touchscreen-size-y", 640),
+@@ -1296,6 +1301,18 @@ const struct dmi_system_id touchscreen_d
+ },
+ },
+ {
++ /* Juno Tablet */
++ .driver_data = (void *)&gdix1002_00_upside_down_data,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Default string"),
++ /* Both product- and board-name being "Default string" is somewhat rare */
++ DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
++ DMI_MATCH(DMI_BOARD_NAME, "Default string"),
++ /* Above matches are too generic, add partial bios-version match */
++ DMI_MATCH(DMI_BIOS_VERSION, "JP2V1."),
++ },
++ },
++ {
+ /* Mediacom WinPad 7.0 W700 (same hw as Wintron surftab 7") */
+ .driver_data = (void *)&trekstor_surftab_wintron70_data,
+ .matches = {
--- /dev/null
+From 1dc8689e4cc651e21566e10206a84c4006e81fb1 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain <mcgrof@kernel.org>
+Date: Fri, 10 Mar 2023 13:00:16 -0800
+Subject: proc_sysctl: enhance documentation
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+commit 1dc8689e4cc651e21566e10206a84c4006e81fb1 upstream.
+
+Expand documentation to clarify:
+
+ o that paths don't need to exist for the new API callers
+ o clarify that we *require* callers to keep the memory of
+ the table around during the lifetime of the sysctls
+ o annotate routines we are trying to deprecate and later remove
+
+Cc: stable@vger.kernel.org # v5.17
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_sysctl.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1287,7 +1287,10 @@ out:
+ * __register_sysctl_table - register a leaf sysctl table
+ * @set: Sysctl tree to register on
+ * @path: The path to the directory the sysctl table is in.
+- * @table: the top-level table structure without any child
++ * @table: the top-level table structure without any child. This table
++ * should not be free'd after registration. So it should not be
++ * used on stack. It can either be a global or dynamically allocated
++ * by the caller and free'd later after sysctl unregistration.
+ *
+ * Register a sysctl table hierarchy. @table should be a filled in ctl_table
+ * array. A completely 0 filled entry terminates the table.
+@@ -1402,8 +1405,15 @@ fail:
+
+ /**
+ * register_sysctl - register a sysctl table
+- * @path: The path to the directory the sysctl table is in.
+- * @table: the table structure
++ * @path: The path to the directory the sysctl table is in. If the path
++ * doesn't exist we will create it for you.
++ * @table: the table structure. The calller must ensure the life of the @table
++ * will be kept during the lifetime use of the syctl. It must not be freed
++ * until unregister_sysctl_table() is called with the given returned table
++ * with this registration. If your code is non modular then you don't need
++ * to call unregister_sysctl_table() and can instead use something like
++ * register_sysctl_init() which does not care for the result of the syctl
++ * registration.
+ *
+ * Register a sysctl table. @table should be a filled in ctl_table
+ * array. A completely 0 filled entry terminates the table.
+@@ -1419,8 +1429,11 @@ EXPORT_SYMBOL(register_sysctl);
+
+ /**
+ * __register_sysctl_init() - register sysctl table to path
+- * @path: path name for sysctl base
+- * @table: This is the sysctl table that needs to be registered to the path
++ * @path: path name for sysctl base. If that path doesn't exist we will create
++ * it for you.
++ * @table: This is the sysctl table that needs to be registered to the path.
++ * The caller must ensure the life of the @table will be kept during the
++ * lifetime use of the sysctl.
+ * @table_name: The name of sysctl table, only used for log printing when
+ * registration fails
+ *
+@@ -1565,6 +1578,7 @@ out:
+ *
+ * Register a sysctl table hierarchy. @table should be a filled in ctl_table
+ * array. A completely 0 filled entry terminates the table.
++ * We are slowly deprecating this call so avoid its use.
+ *
+ * See __register_sysctl_table for more details.
+ */
+@@ -1636,6 +1650,7 @@ err_register_leaves:
+ *
+ * Register a sysctl table hierarchy. @table should be a filled in ctl_table
+ * array. A completely 0 filled entry terminates the table.
++ * We are slowly deprecating this caller so avoid future uses of it.
+ *
+ * See __register_sysctl_paths for more details.
+ */
--- /dev/null
+From 67ff32289acad9ed338cd9f2351b44939e55163e Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain <mcgrof@kernel.org>
+Date: Thu, 2 Mar 2023 12:28:16 -0800
+Subject: proc_sysctl: update docs for __register_sysctl_table()
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+commit 67ff32289acad9ed338cd9f2351b44939e55163e upstream.
+
+Update the docs for __register_sysctl_table() to make it clear no child
+entries can be passed. When the child is true these are non-leaf entries
+on the ctl table and sysctl treats these as directories. The point to
+__register_sysctl_table() is to deal only with directories not part of
+the ctl table where thay may riside, to be simple and avoid recursion.
+
+While at it, hint towards using long on extra1 and extra2 later.
+
+Cc: stable@vger.kernel.org # v5.17
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_sysctl.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1287,7 +1287,7 @@ out:
+ * __register_sysctl_table - register a leaf sysctl table
+ * @set: Sysctl tree to register on
+ * @path: The path to the directory the sysctl table is in.
+- * @table: the top-level table structure
++ * @table: the top-level table structure without any child
+ *
+ * Register a sysctl table hierarchy. @table should be a filled in ctl_table
+ * array. A completely 0 filled entry terminates the table.
+@@ -1308,9 +1308,12 @@ out:
+ * proc_handler - the text handler routine (described below)
+ *
+ * extra1, extra2 - extra pointers usable by the proc handler routines
++ * XXX: we should eventually modify these to use long min / max [0]
++ * [0] https://lkml.kernel.org/87zgpte9o4.fsf@email.froward.int.ebiederm.org
+ *
+ * Leaf nodes in the sysctl tree will be represented by a single file
+- * under /proc; non-leaf nodes will be represented by directories.
++ * under /proc; non-leaf nodes (where child is not NULL) are not allowed,
++ * sysctl_check_table() verifies this.
+ *
+ * There must be a proc_handler routine for any terminal nodes.
+ * Several default handlers are available to cover common cases -
+@@ -1352,7 +1355,7 @@ struct ctl_table_header *__register_sysc
+
+ spin_lock(&sysctl_lock);
+ dir = &set->dir;
+- /* Reference moved down the diretory tree get_subdir */
++ /* Reference moved down the directory tree get_subdir */
+ dir->header.nreg++;
+ spin_unlock(&sysctl_lock);
+
+@@ -1369,6 +1372,11 @@ struct ctl_table_header *__register_sysc
+ if (namelen == 0)
+ continue;
+
++ /*
++ * namelen ensures if name is "foo/bar/yay" only foo is
++ * registered first. We traverse as if using mkdir -p and
++ * return a ctl_dir for the last directory entry.
++ */
+ dir = get_subdir(dir, name, namelen);
+ if (IS_ERR(dir))
+ goto fail;
--- /dev/null
+From e0e01de8ee146986872e54e8365f4b4654819412 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Mon, 20 Mar 2023 16:18:26 -0600
+Subject: remoteproc: imx_dsp_rproc: Call of_node_put() on iteration error
+
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+
+commit e0e01de8ee146986872e54e8365f4b4654819412 upstream.
+
+Function of_phandle_iterator_next() calls of_node_put() on the last
+device_node it iterated over, but when the loop exits prematurely it has
+to be called explicitly.
+
+Fixes: ec0e5549f358 ("remoteproc: imx_dsp_rproc: Add remoteproc driver for DSP on i.MX")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Acked-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Link: https://lore.kernel.org/r/20230320221826.2728078-6-mathieu.poirier@linaro.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/imx_dsp_rproc.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/remoteproc/imx_dsp_rproc.c
++++ b/drivers/remoteproc/imx_dsp_rproc.c
+@@ -627,15 +627,19 @@ static int imx_dsp_rproc_add_carveout(st
+
+ rmem = of_reserved_mem_lookup(it.node);
+ if (!rmem) {
++ of_node_put(it.node);
+ dev_err(dev, "unable to acquire memory-region\n");
+ return -EINVAL;
+ }
+
+- if (imx_dsp_rproc_sys_to_da(priv, rmem->base, rmem->size, &da))
++ if (imx_dsp_rproc_sys_to_da(priv, rmem->base, rmem->size, &da)) {
++ of_node_put(it.node);
+ return -EINVAL;
++ }
+
+ cpu_addr = devm_ioremap_wc(dev, rmem->base, rmem->size);
+ if (!cpu_addr) {
++ of_node_put(it.node);
+ dev_err(dev, "failed to map memory %p\n", &rmem->base);
+ return -ENOMEM;
+ }
+@@ -644,10 +648,12 @@ static int imx_dsp_rproc_add_carveout(st
+ mem = rproc_mem_entry_init(dev, (void __force *)cpu_addr, (dma_addr_t)rmem->base,
+ rmem->size, da, NULL, NULL, it.node->name);
+
+- if (mem)
++ if (mem) {
+ rproc_coredump_add_segment(rproc, da, rmem->size);
+- else
++ } else {
++ of_node_put(it.node);
+ return -ENOMEM;
++ }
+
+ rproc_add_carveout(rproc, mem);
+ }
--- /dev/null
+From 5ef074e805ecfd9a16dbb7b6b88bbfa8abad7054 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Mon, 20 Mar 2023 16:18:25 -0600
+Subject: remoteproc: imx_rproc: Call of_node_put() on iteration error
+
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+
+commit 5ef074e805ecfd9a16dbb7b6b88bbfa8abad7054 upstream.
+
+Function of_phandle_iterator_next() calls of_node_put() on the last
+device_node it iterated over, but when the loop exits prematurely it has
+to be called explicitly.
+
+Fixes: b29b4249f8f0 ("remoteproc: imx_rproc: add i.MX specific parse fw hook")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/20230320221826.2728078-5-mathieu.poirier@linaro.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/imx_rproc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -541,6 +541,7 @@ static int imx_rproc_prepare(struct rpro
+
+ rmem = of_reserved_mem_lookup(it.node);
+ if (!rmem) {
++ of_node_put(it.node);
+ dev_err(priv->dev, "unable to acquire memory-region\n");
+ return -EINVAL;
+ }
+@@ -553,10 +554,12 @@ static int imx_rproc_prepare(struct rpro
+ imx_rproc_mem_alloc, imx_rproc_mem_release,
+ it.node->name);
+
+- if (mem)
++ if (mem) {
+ rproc_coredump_add_segment(rproc, da, rmem->size);
+- else
++ } else {
++ of_node_put(it.node);
+ return -ENOMEM;
++ }
+
+ rproc_add_carveout(rproc, mem);
+ }
--- /dev/null
+From f8bae637d3d5e082b4ced71e28b16eb3ee0683c1 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Mon, 20 Mar 2023 16:18:24 -0600
+Subject: remoteproc: rcar_rproc: Call of_node_put() on iteration error
+
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+
+commit f8bae637d3d5e082b4ced71e28b16eb3ee0683c1 upstream.
+
+Function of_phandle_iterator_next() calls of_node_put() on the last
+device_node it iterated over, but when the loop exits prematurely it has
+to be called explicitly.
+
+Fixes: 285892a74f13 ("remoteproc: Add Renesas rcar driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20230320221826.2728078-4-mathieu.poirier@linaro.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/rcar_rproc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/remoteproc/rcar_rproc.c
++++ b/drivers/remoteproc/rcar_rproc.c
+@@ -62,13 +62,16 @@ static int rcar_rproc_prepare(struct rpr
+
+ rmem = of_reserved_mem_lookup(it.node);
+ if (!rmem) {
++ of_node_put(it.node);
+ dev_err(&rproc->dev,
+ "unable to acquire memory-region\n");
+ return -EINVAL;
+ }
+
+- if (rmem->base > U32_MAX)
++ if (rmem->base > U32_MAX) {
++ of_node_put(it.node);
+ return -EINVAL;
++ }
+
+ /* No need to translate pa to da, R-Car use same map */
+ da = rmem->base;
+@@ -79,8 +82,10 @@ static int rcar_rproc_prepare(struct rpr
+ rcar_rproc_mem_release,
+ it.node->name);
+
+- if (!mem)
++ if (!mem) {
++ of_node_put(it.node);
+ return -ENOMEM;
++ }
+
+ rproc_add_carveout(rproc, mem);
+ }
--- /dev/null
+From 8a74918948b40317a5b5bab9739d13dcb5de2784 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Mon, 20 Mar 2023 16:18:23 -0600
+Subject: remoteproc: st: Call of_node_put() on iteration error
+
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+
+commit 8a74918948b40317a5b5bab9739d13dcb5de2784 upstream.
+
+Function of_phandle_iterator_next() calls of_node_put() on the last
+device_node it iterated over, but when the loop exits prematurely it has
+to be called explicitly.
+
+Fixes: 3df52ed7f269 ("remoteproc: st: add reserved memory support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+Link: https://lore.kernel.org/r/20230320221826.2728078-3-mathieu.poirier@linaro.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/st_remoteproc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/st_remoteproc.c
++++ b/drivers/remoteproc/st_remoteproc.c
+@@ -129,6 +129,7 @@ static int st_rproc_parse_fw(struct rpro
+ while (of_phandle_iterator_next(&it) == 0) {
+ rmem = of_reserved_mem_lookup(it.node);
+ if (!rmem) {
++ of_node_put(it.node);
+ dev_err(dev, "unable to acquire memory-region\n");
+ return -EINVAL;
+ }
+@@ -150,8 +151,10 @@ static int st_rproc_parse_fw(struct rpro
+ it.node->name);
+ }
+
+- if (!mem)
++ if (!mem) {
++ of_node_put(it.node);
+ return -ENOMEM;
++ }
+
+ rproc_add_carveout(rproc, mem);
+ index++;
--- /dev/null
+From ccadca5baf5124a880f2bb50ed1ec265415f025b Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Mon, 20 Mar 2023 16:18:22 -0600
+Subject: remoteproc: stm32: Call of_node_put() on iteration error
+
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+
+commit ccadca5baf5124a880f2bb50ed1ec265415f025b upstream.
+
+Function of_phandle_iterator_next() calls of_node_put() on the last
+device_node it iterated over, but when the loop exits prematurely it has
+to be called explicitly.
+
+Fixes: 13140de09cc2 ("remoteproc: stm32: add an ST stm32_rproc driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+Link: https://lore.kernel.org/r/20230320221826.2728078-2-mathieu.poirier@linaro.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/stm32_rproc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/stm32_rproc.c
++++ b/drivers/remoteproc/stm32_rproc.c
+@@ -223,11 +223,13 @@ static int stm32_rproc_prepare(struct rp
+ while (of_phandle_iterator_next(&it) == 0) {
+ rmem = of_reserved_mem_lookup(it.node);
+ if (!rmem) {
++ of_node_put(it.node);
+ dev_err(dev, "unable to acquire memory-region\n");
+ return -EINVAL;
+ }
+
+ if (stm32_rproc_pa_to_da(rproc, rmem->base, &da) < 0) {
++ of_node_put(it.node);
+ dev_err(dev, "memory region not valid %pa\n",
+ &rmem->base);
+ return -EINVAL;
+@@ -254,8 +256,10 @@ static int stm32_rproc_prepare(struct rp
+ it.node->name);
+ }
+
+- if (!mem)
++ if (!mem) {
++ of_node_put(it.node);
+ return -ENOMEM;
++ }
+
+ rproc_add_carveout(rproc, mem);
+ index++;
kvm-x86-make-use-of-kvm_read_cr-_bits-when-testing-b.patch
kvm-vmx-make-cr0.wp-a-guest-owned-bit.patch
kvm-x86-mmu-refresh-cr0.wp-prior-to-checking-for-emu.patch
+x86-retbleed-fix-return-thunk-alignment.patch
+btrfs-fix-btrfs_prev_leaf-to-not-return-the-same-key-twice.patch
+btrfs-zoned-fix-wrong-use-of-bitops-api-in-btrfs_ensure_empty_zones.patch
+btrfs-properly-reject-clear_cache-and-v1-cache-for-block-group-tree.patch
+btrfs-fix-assertion-of-exclop-condition-when-starting-balance.patch
+btrfs-fix-encoded-write-i_size-corruption-with-no-holes.patch
+btrfs-don-t-free-qgroup-space-unless-specified.patch
+btrfs-zero-the-buffer-before-marking-it-dirty-in-btrfs_redirty_list_add.patch
+btrfs-make-clear_cache-mount-option-to-rebuild-fst-without-disabling-it.patch
+btrfs-print-tree-parent-bytenr-must-be-aligned-to-sector-size.patch
+btrfs-fix-space-cache-inconsistency-after-error-loading-it-from-disk.patch
+btrfs-zoned-zone-finish-data-relocation-bg-with-last-io.patch
+btrfs-zoned-fix-full-zone-super-block-reading-on-zns.patch
+btrfs-fix-backref-walking-not-returning-all-inode-refs.patch
+cifs-fix-pcchunk-length-type-in-smb2_copychunk_range.patch
+cifs-release-leases-for-deferred-close-handles-when-freezing.patch
+platform-x86-intel-uncore-freq-return-error-on-write-frequency.patch
+platform-x86-touchscreen_dmi-add-upside-down-quirk-for-gdix1002-ts-on-the-juno-tablet.patch
+platform-x86-thinkpad_acpi-fix-platform-profiles-on-t490.patch
+platform-x86-hp-wmi-add-micmute-to-hp_wmi_keymap-struct.patch
+platform-x86-touchscreen_dmi-add-info-for-the-dexp-ursus-kx210i.patch
+platform-x86-thinkpad_acpi-add-profile-force-ability.patch
+inotify-avoid-reporting-event-with-invalid-wd.patch
+smb3-fix-problem-remounting-a-share-after-shutdown.patch
+smb3-force-unmount-was-failing-to-close-deferred-close-files.patch
+sh-math-emu-fix-macro-redefined-warning.patch
+sh-mcount.s-fix-build-error-when-printk-is-not-enabled.patch
+sh-init-use-of_early_flattree-for-early-init.patch
+sh-nmi_debug-fix-return-value-of-__setup-handler.patch
+proc_sysctl-update-docs-for-__register_sysctl_table.patch
+proc_sysctl-enhance-documentation.patch
+remoteproc-stm32-call-of_node_put-on-iteration-error.patch
+remoteproc-st-call-of_node_put-on-iteration-error.patch
+remoteproc-imx_dsp_rproc-call-of_node_put-on-iteration-error.patch
+remoteproc-imx_rproc-call-of_node_put-on-iteration-error.patch
+remoteproc-rcar_rproc-call-of_node_put-on-iteration-error.patch
+sysctl-clarify-register_sysctl_init-base-directory-order.patch
+arm-dts-aspeed-asrock-correct-firmware-flash-spi-clocks.patch
+arm-dts-exynos-fix-wm8960-clock-name-in-itop-elite.patch
+arm-dts-s5pv210-correct-mipi-csis-clock-name.patch
+arm-dts-aspeed-romed8hm3-fix-gpio-polarity-of-system-fault-led.patch
+drm-msm-adreno-fix-runtime-pm-imbalance-at-gpu-load.patch
+drm-bridge-lt8912b-fix-dsi-video-mode.patch
+drm-i915-color-fix-typo-for-plane-csc-indexes.patch
+drm-msm-fix-null-deref-on-snapshot-tear-down.patch
+drm-msm-fix-null-deref-on-irq-uninstall.patch
+drm-msm-fix-drm-device-leak-on-bind-errors.patch
+drm-msm-fix-vram-leak-on-bind-errors.patch
+drm-msm-fix-missing-wq-allocation-error-handling.patch
+drm-msm-fix-workqueue-leak-on-bind-errors.patch
+drm-i915-check-pipe-source-size-when-using-skl-scalers.patch
+drm-i915-dsi-use-unconditional-msleep-instead-of-intel_dsi_msleep.patch
+drm-dsc-fix-drm_edp_dsc_sink_output_bpp-dpcd-high-byte-usage.patch
+f2fs-factor-out-victim_entry-usage-from-general-rb_tree-use.patch
+f2fs-factor-out-discard_cmd-usage-from-general-rb_tree-use.patch
+f2fs-remove-entire-rb_entry-sharing.patch
+f2fs-fix-null-pointer-panic-in-tracepoint-in-__replace_atomic_write_block.patch
+f2fs-fix-potential-corruption-when-moving-a-directory.patch
+irqchip-loongson-pch-pic-fix-pch_pic_acpi_init-calling.patch
+irqchip-loongson-pch-pic-fix-registration-of-syscore_ops.patch
+irqchip-loongson-eiointc-fix-returned-value-on-parsing-madt.patch
+irqchip-loongson-eiointc-fix-incorrect-use-of-acpi_get_vec_parent.patch
+irqchip-loongson-eiointc-fix-registration-of-syscore_ops.patch
+drm-panel-otm8009a-set-backlight-parent-to-panel-device.patch
--- /dev/null
+From 6cba655543c7959f8a6d2979b9d40a6a66b7ed4f Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 5 Mar 2023 20:00:33 -0800
+Subject: sh: init: use OF_EARLY_FLATTREE for early init
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 6cba655543c7959f8a6d2979b9d40a6a66b7ed4f upstream.
+
+When CONFIG_OF_EARLY_FLATTREE and CONFIG_SH_DEVICE_TREE are not set,
+SH3 build fails with a call to early_init_dt_scan(), so in
+arch/sh/kernel/setup.c and arch/sh/kernel/head_32.S, use
+CONFIG_OF_EARLY_FLATTREE instead of CONFIG_OF_FLATTREE.
+
+Fixes this build error:
+../arch/sh/kernel/setup.c: In function 'sh_fdt_init':
+../arch/sh/kernel/setup.c:262:26: error: implicit declaration of function 'early_init_dt_scan' [-Werror=implicit-function-declaration]
+ 262 | if (!dt_virt || !early_init_dt_scan(dt_virt)) {
+
+Fixes: 03767daa1387 ("sh: fix build regression with CONFIG_OF && !CONFIG_OF_FLATTREE")
+Fixes: eb6b6930a70f ("sh: fix memory corruption of unflattened device tree")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Suggested-by: Rob Herring <robh+dt@kernel.org>
+Cc: Frank Rowand <frowand.list@gmail.com>
+Cc: devicetree@vger.kernel.org
+Cc: Rich Felker <dalias@libc.org>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: linux-sh@vger.kernel.org
+Cc: stable@vger.kernel.org
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230306040037.20350-4-rdunlap@infradead.org
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/kernel/head_32.S | 6 +++---
+ arch/sh/kernel/setup.c | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/sh/kernel/head_32.S
++++ b/arch/sh/kernel/head_32.S
+@@ -64,7 +64,7 @@ ENTRY(_stext)
+ ldc r0, r6_bank
+ #endif
+
+-#ifdef CONFIG_OF_FLATTREE
++#ifdef CONFIG_OF_EARLY_FLATTREE
+ mov r4, r12 ! Store device tree blob pointer in r12
+ #endif
+
+@@ -315,7 +315,7 @@ ENTRY(_stext)
+ 10:
+ #endif
+
+-#ifdef CONFIG_OF_FLATTREE
++#ifdef CONFIG_OF_EARLY_FLATTREE
+ mov.l 8f, r0 ! Make flat device tree available early.
+ jsr @r0
+ mov r12, r4
+@@ -346,7 +346,7 @@ ENTRY(stack_start)
+ 5: .long start_kernel
+ 6: .long cpu_init
+ 7: .long init_thread_union
+-#if defined(CONFIG_OF_FLATTREE)
++#if defined(CONFIG_OF_EARLY_FLATTREE)
+ 8: .long sh_fdt_init
+ #endif
+
+--- a/arch/sh/kernel/setup.c
++++ b/arch/sh/kernel/setup.c
+@@ -244,7 +244,7 @@ void __init __weak plat_early_device_set
+ {
+ }
+
+-#ifdef CONFIG_OF_FLATTREE
++#ifdef CONFIG_OF_EARLY_FLATTREE
+ void __ref sh_fdt_init(phys_addr_t dt_phys)
+ {
+ static int done = 0;
+@@ -326,7 +326,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Let earlyprintk output early console messages */
+ sh_early_platform_driver_probe("earlyprintk", 1, 1);
+
+-#ifdef CONFIG_OF_FLATTREE
++#ifdef CONFIG_OF_EARLY_FLATTREE
+ #ifdef CONFIG_USE_BUILTIN_DTB
+ unflatten_and_copy_device_tree();
+ #else
--- /dev/null
+From 58a49ad90939386a8682e842c474a0d2c00ec39c Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 5 Mar 2023 20:00:34 -0800
+Subject: sh: math-emu: fix macro redefined warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 58a49ad90939386a8682e842c474a0d2c00ec39c upstream.
+
+Fix a warning that was reported by the kernel test robot:
+
+In file included from ../include/math-emu/soft-fp.h:27,
+ from ../arch/sh/math-emu/math.c:22:
+../arch/sh/include/asm/sfp-machine.h:17: warning: "__BYTE_ORDER" redefined
+ 17 | #define __BYTE_ORDER __BIG_ENDIAN
+In file included from ../arch/sh/math-emu/math.c:21:
+../arch/sh/math-emu/sfp-util.h:71: note: this is the location of the previous definition
+ 71 | #define __BYTE_ORDER __LITTLE_ENDIAN
+
+Fixes: b929926f01f2 ("sh: define __BIG_ENDIAN for math-emu")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Link: lore.kernel.org/r/202111121827.6v6SXtVv-lkp@intel.com
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230306040037.20350-5-rdunlap@infradead.org
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/math-emu/sfp-util.h | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/arch/sh/math-emu/sfp-util.h
++++ b/arch/sh/math-emu/sfp-util.h
+@@ -67,7 +67,3 @@
+ } while (0)
+
+ #define abort() return 0
+-
+-#define __BYTE_ORDER __LITTLE_ENDIAN
+-
+-
--- /dev/null
+From c2bd1e18c6f85c0027da2e5e7753b9bfd9f8e6dc Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 5 Mar 2023 20:00:37 -0800
+Subject: sh: mcount.S: fix build error when PRINTK is not enabled
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit c2bd1e18c6f85c0027da2e5e7753b9bfd9f8e6dc upstream.
+
+Fix a build error in mcount.S when CONFIG_PRINTK is not enabled.
+Fixes this build error:
+
+sh2-linux-ld: arch/sh/lib/mcount.o: in function `stack_panic':
+(.text+0xec): undefined reference to `dump_stack'
+
+Fixes: e460ab27b6c3 ("sh: Fix up stack overflow check with ftrace disabled.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230306040037.20350-8-rdunlap@infradead.org
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/Kconfig.debug
++++ b/arch/sh/Kconfig.debug
+@@ -15,7 +15,7 @@ config SH_STANDARD_BIOS
+
+ config STACK_DEBUG
+ bool "Check for stack overflows"
+- depends on DEBUG_KERNEL
++ depends on DEBUG_KERNEL && PRINTK
+ help
+ This option will cause messages to be printed if free stack space
+ drops below a certain limit. Saying Y here will add overhead to
--- /dev/null
+From d1155e4132de712a9d3066e2667ceaad39a539c5 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 5 Mar 2023 20:00:32 -0800
+Subject: sh: nmi_debug: fix return value of __setup handler
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit d1155e4132de712a9d3066e2667ceaad39a539c5 upstream.
+
+__setup() handlers should return 1 to obsolete_checksetup() in
+init/main.c to indicate that the boot option has been handled.
+A return of 0 causes the boot option/value to be listed as an Unknown
+kernel parameter and added to init's (limited) argument or environment
+strings. Also, error return codes don't mean anything to
+obsolete_checksetup() -- only non-zero (usually 1) or zero.
+So return 1 from nmi_debug_setup().
+
+Fixes: 1e1030dccb10 ("sh: nmi_debug support.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Igor Zhbanov <izh1979@gmail.com>
+Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Cc: stable@vger.kernel.org
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230306040037.20350-3-rdunlap@infradead.org
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/kernel/nmi_debug.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/sh/kernel/nmi_debug.c
++++ b/arch/sh/kernel/nmi_debug.c
+@@ -49,7 +49,7 @@ static int __init nmi_debug_setup(char *
+ register_die_notifier(&nmi_debug_nb);
+
+ if (*str != '=')
+- return 0;
++ return 1;
+
+ for (p = str + 1; *p; p = sep + 1) {
+ sep = strchr(p, ',');
+@@ -70,6 +70,6 @@ static int __init nmi_debug_setup(char *
+ break;
+ }
+
+- return 0;
++ return 1;
+ }
+ __setup("nmi_debug", nmi_debug_setup);
--- /dev/null
+From 716a3cf317456fa01d54398bb14ab354f50ed6a2 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 9 May 2023 01:37:19 -0500
+Subject: smb3: fix problem remounting a share after shutdown
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 716a3cf317456fa01d54398bb14ab354f50ed6a2 upstream.
+
+xfstests generic/392 showed a problem where even after a
+shutdown call was made on a mount, we would still attempt
+to use the (now inaccessible) superblock if another mount
+was attempted for the same share.
+
+Reported-by: David Howells <dhowells@redhat.com>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Cc: <stable@vger.kernel.org>
+Fixes: 087f757b0129 ("cifs: add shutdown support")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/connect.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2705,6 +2705,13 @@ cifs_match_super(struct super_block *sb,
+
+ spin_lock(&cifs_tcp_ses_lock);
+ cifs_sb = CIFS_SB(sb);
++
++ /* We do not want to use a superblock that has been shutdown */
++ if (CIFS_MOUNT_SHUTDOWN & cifs_sb->mnt_cifs_flags) {
++ spin_unlock(&cifs_tcp_ses_lock);
++ return 0;
++ }
++
+ tlink = cifs_get_tlink(cifs_sb_master_tlink(cifs_sb));
+ if (tlink == NULL) {
+ /* can not match superblock if tlink were ever null */
--- /dev/null
+From 2cb6f968775a9fd60c90a6042b9550bcec3ea087 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 9 May 2023 01:00:42 -0500
+Subject: SMB3: force unmount was failing to close deferred close files
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 2cb6f968775a9fd60c90a6042b9550bcec3ea087 upstream.
+
+In investigating a failure with xfstest generic/392 it
+was noticed that mounts were reusing a superblock that should
+already have been freed. This turned out to be related to
+deferred close files keeping a reference count until the
+closetimeo expired.
+
+Currently the only way an fs knows that mount is beginning is
+when force unmount is called, but when this, ie umount_begin(),
+is called all deferred close files on the share (tree
+connection) should be closed immediately (unless shared by
+another mount) to avoid using excess resources on the server
+and to avoid reusing a superblock which should already be freed.
+
+In umount_begin, close all deferred close handles for that
+share if this is the last mount using that share on this
+client (ie send the SMB3 close request over the wire for those
+that have been already closed by the app but that we have
+kept a handle lease open for and have not sent closes to the
+server for yet).
+
+Reported-by: David Howells <dhowells@redhat.com>
+Acked-by: Bharath SM <bharathsm@microsoft.com>
+Cc: <stable@vger.kernel.org>
+Fixes: 78c09634f7dc ("Cifs: Fix kernel oops caused by deferred close for files.")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -744,6 +744,7 @@ static void cifs_umount_begin(struct sup
+ spin_unlock(&tcon->tc_lock);
+ spin_unlock(&cifs_tcp_ses_lock);
+
++ cifs_close_all_deferred_files(tcon);
+ /* cancel_brl_requests(tcon); */ /* BB mark all brl mids as exiting */
+ /* cancel_notify_requests(tcon); */
+ if (tcon->ses && tcon->ses->server) {
--- /dev/null
+From 228b09de936395ddd740df3522ea35ae934830d8 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain <mcgrof@kernel.org>
+Date: Thu, 2 Mar 2023 12:28:18 -0800
+Subject: sysctl: clarify register_sysctl_init() base directory order
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+commit 228b09de936395ddd740df3522ea35ae934830d8 upstream.
+
+Relatively new docs which I added which hinted the base directories needed
+to be created before is wrong, remove that incorrect comment. This has been
+hinted before by Eric twice already [0] [1], I had just not verified that
+until now. Now that I've verified that updates the docs to relax the context
+described.
+
+[0] https://lkml.kernel.org/r/875ys0azt8.fsf@email.froward.int.ebiederm.org
+[1] https://lkml.kernel.org/r/87ftbiud6s.fsf@x220.int.ebiederm.org
+
+Cc: stable@vger.kernel.org # v5.17
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_sysctl.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1445,10 +1445,7 @@ EXPORT_SYMBOL(register_sysctl);
+ * register_sysctl() failing on init are extremely low, and so for both reasons
+ * this function does not return any error as it is used by initialization code.
+ *
+- * Context: Can only be called after your respective sysctl base path has been
+- * registered. So for instance, most base directories are registered early on
+- * init before init levels are processed through proc_sys_init() and
+- * sysctl_init_bases().
++ * Context: if your base directory does not exist it will be created for you.
+ */
+ void __init __register_sysctl_init(const char *path, struct ctl_table *table,
+ const char *table_name)
--- /dev/null
+From 9a48d604672220545d209e9996c2a1edbb5637f6 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Fri, 12 May 2023 23:12:26 +0200
+Subject: x86/retbleed: Fix return thunk alignment
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+commit 9a48d604672220545d209e9996c2a1edbb5637f6 upstream.
+
+SYM_FUNC_START_LOCAL_NOALIGN() adds an endbr leading to this layout
+(leaving only the last 2 bytes of the address):
+
+ 3bff <zen_untrain_ret>:
+ 3bff: f3 0f 1e fa endbr64
+ 3c03: f6 test $0xcc,%bl
+
+ 3c04 <__x86_return_thunk>:
+ 3c04: c3 ret
+ 3c05: cc int3
+ 3c06: 0f ae e8 lfence
+
+However, "the RET at __x86_return_thunk must be on a 64 byte boundary,
+for alignment within the BTB."
+
+Use SYM_START instead.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/lib/retpoline.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/lib/retpoline.S
++++ b/arch/x86/lib/retpoline.S
+@@ -144,8 +144,8 @@ SYM_CODE_END(__x86_indirect_jump_thunk_a
+ */
+ .align 64
+ .skip 63, 0xcc
+-SYM_FUNC_START_NOALIGN(zen_untrain_ret);
+-
++SYM_START(zen_untrain_ret, SYM_L_GLOBAL, SYM_A_NONE)
++ ANNOTATE_NOENDBR
+ /*
+ * As executed from zen_untrain_ret, this is:
+ *
projects / thirdparty / kernel / stable-queue.git / commitdiff
