--- /dev/null
+From 6c950c20da38debf1ed531e0b972bd8b53d1c11f Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Fri, 17 Feb 2023 16:06:27 +0100
+Subject: ARM: dts: exynos: fix WM8960 clock name in Itop Elite
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 6c950c20da38debf1ed531e0b972bd8b53d1c11f upstream.
+
+The WM8960 Linux driver expects the clock to be named "mclk". Otherwise
+the clock will be ignored and not prepared/enabled by the driver.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 339b2fb36a67 ("ARM: dts: exynos: Add TOPEET itop elite based board")
+Link: https://lore.kernel.org/r/20230217150627.779764-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/exynos4412-itop-elite.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos4412-itop-elite.dts
++++ b/arch/arm/boot/dts/exynos4412-itop-elite.dts
+@@ -179,7 +179,7 @@
+ compatible = "wlf,wm8960";
+ reg = <0x1a>;
+ clocks = <&pmu_system_controller 0>;
+- clock-names = "MCLK1";
++ clock-names = "mclk";
+ wlf,shared-lrclk;
+ #sound-dai-cells = <0>;
+ };
--- /dev/null
+From 665b9459bb53b8f19bd1541567e1fe9782c83c4b Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sun, 12 Feb 2023 19:58:18 +0100
+Subject: ARM: dts: s5pv210: correct MIPI CSIS clock name
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 665b9459bb53b8f19bd1541567e1fe9782c83c4b upstream.
+
+The Samsung S5P/Exynos MIPI CSIS bindings and Linux driver expect first
+clock name to be "csis". Otherwise the driver fails to probe.
+
+Fixes: 94ad0f6d9278 ("ARM: dts: Add Device tree for s5pv210 SoC")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230212185818.43503-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/s5pv210.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/s5pv210.dtsi
++++ b/arch/arm/boot/dts/s5pv210.dtsi
+@@ -582,7 +582,7 @@
+ interrupts = <29>;
+ clocks = <&clocks CLK_CSIS>,
+ <&clocks SCLK_CSIS>;
+- clock-names = "clk_csis",
++ clock-names = "csis",
+ "sclk_csis";
+ bus-width = <4>;
+ status = "disabled";
--- /dev/null
+From d246331b78cbef86237f9c22389205bc9b4e1cc1 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Tue, 2 May 2023 16:00:06 -0400
+Subject: btrfs: don't free qgroup space unless specified
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit d246331b78cbef86237f9c22389205bc9b4e1cc1 upstream.
+
+Boris noticed in his simple quotas testing that he was getting a leak
+with Sweet Tea's change to subvol create that stopped doing a
+transaction commit. This was just a side effect of that change.
+
+In the delayed inode code we have an optimization that will free extra
+reservations if we think we can pack a dir item into an already modified
+leaf. Previously this wouldn't be triggered in the subvolume create
+case because we'd commit the transaction, it was still possible but
+much harder to trigger. It could actually be triggered if we did a
+mkdir && subvol create with qgroups enabled.
+
+This occurs because in btrfs_insert_delayed_dir_index(), which gets
+called when we're adding the dir item, we do the following:
+
+ btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL);
+
+if we're able to skip reserving space.
+
+The problem here is that trans->block_rsv points at the temporary block
+rsv for the subvolume create, which has qgroup reservations in the block
+rsv.
+
+This is a problem because btrfs_block_rsv_release() will do the
+following:
+
+ if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {
+ qgroup_to_release = block_rsv->qgroup_rsv_reserved -
+ block_rsv->qgroup_rsv_size;
+ block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size;
+ }
+
+The temporary block rsv just has ->qgroup_rsv_reserved set,
+->qgroup_rsv_size == 0. The optimization in
+btrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then
+later on when we call btrfs_subvolume_release_metadata() which has
+
+ btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release);
+ btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release);
+
+qgroup_to_release is set to 0, and we do not convert the reserved
+metadata space.
+
+The problem here is that the block rsv code has been unconditionally
+messing with ->qgroup_rsv_reserved, because the main place this is used
+is delalloc, and any time we call btrfs_block_rsv_release() we do it
+with qgroup_to_release set, and thus do the proper accounting.
+
+The subvolume code is the only other code that uses the qgroup
+reservation stuff, but it's intermingled with the above optimization,
+and thus was getting its reservation freed out from underneath it and
+thus leaking the reserved space.
+
+The solution is to simply not mess with the qgroup reservations if we
+don't have qgroup_to_release set. This works with the existing code as
+anything that messes with the delalloc reservations always have
+qgroup_to_release set. This fixes the leak that Boris was observing.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/block-rsv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/block-rsv.c
++++ b/fs/btrfs/block-rsv.c
+@@ -121,7 +121,8 @@ static u64 block_rsv_release_bytes(struc
+ } else {
+ num_bytes = 0;
+ }
+- if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {
++ if (qgroup_to_release_ret &&
++ block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {
+ qgroup_to_release = block_rsv->qgroup_rsv_reserved -
+ block_rsv->qgroup_rsv_size;
+ block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size;
--- /dev/null
+From 6f932d4ef007d6a4ae03badcb749fbb8f49196f6 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 12 Apr 2023 11:33:09 +0100
+Subject: btrfs: fix btrfs_prev_leaf() to not return the same key twice
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 6f932d4ef007d6a4ae03badcb749fbb8f49196f6 upstream.
+
+A call to btrfs_prev_leaf() may end up returning a path that points to the
+same item (key) again. This happens if while btrfs_prev_leaf(), after we
+release the path, a concurrent insertion happens, which moves items off
+from a sibling into the front of the previous leaf, and an item with the
+computed previous key does not exists.
+
+For example, suppose we have the two following leaves:
+
+ Leaf A
+
+ -------------------------------------------------------------
+ | ... key (300 96 10) key (300 96 15) key (300 96 16) |
+ -------------------------------------------------------------
+ slot 20 slot 21 slot 22
+
+ Leaf B
+
+ -------------------------------------------------------------
+ | key (300 96 20) key (300 96 21) key (300 96 22) ... |
+ -------------------------------------------------------------
+ slot 0 slot 1 slot 2
+
+If we call btrfs_prev_leaf(), from btrfs_previous_item() for example, with
+a path pointing to leaf B and slot 0 and the following happens:
+
+1) At btrfs_prev_leaf() we compute the previous key to search as:
+ (300 96 19), which is a key that does not exists in the tree;
+
+2) Then we call btrfs_release_path() at btrfs_prev_leaf();
+
+3) Some other task inserts a key at leaf A, that sorts before the key at
+ slot 20, for example it has an objectid of 299. In order to make room
+ for the new key, the key at slot 22 is moved to the front of leaf B.
+ This happens at push_leaf_right(), called from split_leaf().
+
+ After this leaf B now looks like:
+
+ --------------------------------------------------------------------------------
+ | key (300 96 16) key (300 96 20) key (300 96 21) key (300 96 22) ... |
+ --------------------------------------------------------------------------------
+ slot 0 slot 1 slot 2 slot 3
+
+4) At btrfs_prev_leaf() we call btrfs_search_slot() for the computed
+ previous key: (300 96 19). Since the key does not exists,
+ btrfs_search_slot() returns 1 and with a path pointing to leaf B
+ and slot 1, the item with key (300 96 20);
+
+5) This makes btrfs_prev_leaf() return a path that points to slot 1 of
+ leaf B, the same key as before it was called, since the key at slot 0
+ of leaf B (300 96 16) is less than the computed previous key, which is
+ (300 96 19);
+
+6) As a consequence btrfs_previous_item() returns a path that points again
+ to the item with key (300 96 20).
+
+For some users of btrfs_prev_leaf() or btrfs_previous_item() this may not
+be functional a problem, despite not making sense to return a new path
+pointing again to the same item/key. However for a caller such as
+tree-log.c:log_dir_items(), this has a bad consequence, as it can result
+in not logging some dir index deletions in case the directory is being
+logged without holding the inode's VFS lock (logging triggered while
+logging a child inode for example) - for the example scenario above, in
+case the dir index keys 17, 18 and 19 were deleted in the current
+transaction.
+
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -4189,10 +4189,12 @@ int btrfs_del_items(struct btrfs_trans_h
+ int btrfs_prev_leaf(struct btrfs_root *root, struct btrfs_path *path)
+ {
+ struct btrfs_key key;
++ struct btrfs_key orig_key;
+ struct btrfs_disk_key found_key;
+ int ret;
+
+ btrfs_item_key_to_cpu(path->nodes[0], &key, 0);
++ orig_key = key;
+
+ if (key.offset > 0) {
+ key.offset--;
+@@ -4209,8 +4211,36 @@ int btrfs_prev_leaf(struct btrfs_root *r
+
+ btrfs_release_path(path);
+ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
+- if (ret < 0)
++ if (ret <= 0)
+ return ret;
++
++ /*
++ * Previous key not found. Even if we were at slot 0 of the leaf we had
++ * before releasing the path and calling btrfs_search_slot(), we now may
++ * be in a slot pointing to the same original key - this can happen if
++ * after we released the path, one of more items were moved from a
++ * sibling leaf into the front of the leaf we had due to an insertion
++ * (see push_leaf_right()).
++ * If we hit this case and our slot is > 0 and just decrement the slot
++ * so that the caller does not process the same key again, which may or
++ * may not break the caller, depending on its logic.
++ */
++ if (path->slots[0] < btrfs_header_nritems(path->nodes[0])) {
++ btrfs_item_key(path->nodes[0], &found_key, path->slots[0]);
++ ret = comp_keys(&found_key, &orig_key);
++ if (ret == 0) {
++ if (path->slots[0] > 0) {
++ path->slots[0]--;
++ return 0;
++ }
++ /*
++ * At slot 0, same key as before, it means orig_key is
++ * the lowest, leftmost, key in the tree. We're done.
++ */
++ return 1;
++ }
++ }
++
+ btrfs_item_key(path->nodes[0], &found_key, 0);
+ ret = comp_keys(&found_key, &key);
+ /*
--- /dev/null
+From e7db9e5c6b9615b287d01f0231904fbc1fbde9c5 Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Fri, 28 Apr 2023 14:02:11 -0700
+Subject: btrfs: fix encoded write i_size corruption with no-holes
+
+From: Boris Burkov <boris@bur.io>
+
+commit e7db9e5c6b9615b287d01f0231904fbc1fbde9c5 upstream.
+
+We have observed a btrfs filesystem corruption on workloads using
+no-holes and encoded writes via send stream v2. The symptom is that a
+file appears to be truncated to the end of its last aligned extent, even
+though the final unaligned extent and even the file extent and otherwise
+correctly updated inode item have been written.
+
+So if we were writing out a 1MiB+X file via 8 128K extents and one
+extent of length X, i_size would be set to 1MiB, but the ninth extent,
+nbyte, etc. would all appear correct otherwise.
+
+The source of the race is a narrow (one line of code) window in which a
+no-holes fs has read in an updated i_size, but has not yet set a shared
+disk_i_size variable to write. Therefore, if two ordered extents run in
+parallel (par for the course for receive workloads), the following
+sequence can play out: (following "threads" a bit loosely, since there
+are callbacks involved for endio but extra threads aren't needed to
+cause the issue)
+
+ ENC-WR1 (second to last) ENC-WR2 (last)
+ ------- -------
+ btrfs_do_encoded_write
+ set i_size = 1M
+ submit bio B1 ending at 1M
+ endio B1
+ btrfs_inode_safe_disk_i_size_write
+ local i_size = 1M
+ falls off a cliff for some reason
+ btrfs_do_encoded_write
+ set i_size = 1M+X
+ submit bio B2 ending at 1M+X
+ endio B2
+ btrfs_inode_safe_disk_i_size_write
+ local i_size = 1M+X
+ disk_i_size = 1M+X
+ disk_i_size = 1M
+ btrfs_delayed_update_inode
+ btrfs_delayed_update_inode
+
+And the delayed inode ends up filled with nbytes=1M+X and isize=1M, and
+writes respect i_size and present a corrupted file missing its last
+extents.
+
+Fix this by holding the inode lock in the no-holes case so that a thread
+can't sneak in a write to disk_i_size that gets overwritten with an out
+of date i_size.
+
+Fixes: 41a2ee75aab0 ("btrfs: introduce per-inode file extent tree")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file-item.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/file-item.c
++++ b/fs/btrfs/file-item.c
+@@ -47,13 +47,13 @@ void btrfs_inode_safe_disk_i_size_write(
+ u64 start, end, i_size;
+ int ret;
+
++ spin_lock(&inode->lock);
+ i_size = new_i_size ?: i_size_read(&inode->vfs_inode);
+ if (btrfs_fs_incompat(fs_info, NO_HOLES)) {
+ inode->disk_i_size = i_size;
+- return;
++ goto out_unlock;
+ }
+
+- spin_lock(&inode->lock);
+ ret = find_contiguous_extent_bit(&inode->file_extent_tree, 0, &start,
+ &end, EXTENT_DIRTY);
+ if (!ret && start == 0)
+@@ -61,6 +61,7 @@ void btrfs_inode_safe_disk_i_size_write(
+ else
+ i_size = 0;
+ inode->disk_i_size = i_size;
++out_unlock:
+ spin_unlock(&inode->lock);
+ }
+
--- /dev/null
+From 0004ff15ea26015a0a3a6182dca3b9d1df32e2b7 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 4 May 2023 12:04:18 +0100
+Subject: btrfs: fix space cache inconsistency after error loading it from disk
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 0004ff15ea26015a0a3a6182dca3b9d1df32e2b7 upstream.
+
+When loading a free space cache from disk, at __load_free_space_cache(),
+if we fail to insert a bitmap entry, we still increment the number of
+total bitmaps in the btrfs_free_space_ctl structure, which is incorrect
+since we failed to add the bitmap entry. On error we then empty the
+cache by calling __btrfs_remove_free_space_cache(), which will result
+in getting the total bitmaps counter set to 1.
+
+A failure to load a free space cache is not critical, so if a failure
+happens we just rebuild the cache by scanning the extent tree, which
+happens at block-group.c:caching_thread(). Yet the failure will result
+in having the total bitmaps of the btrfs_free_space_ctl always bigger
+by 1 then the number of bitmap entries we have. So fix this by having
+the total bitmaps counter be incremented only if we successfully added
+the bitmap entry.
+
+Fixes: a67509c30079 ("Btrfs: add a io_ctl struct and helpers for dealing with the space cache")
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/free-space-cache.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -825,15 +825,16 @@ static int __load_free_space_cache(struc
+ }
+ spin_lock(&ctl->tree_lock);
+ ret = link_free_space(ctl, e);
+- ctl->total_bitmaps++;
+- recalculate_thresholds(ctl);
+- spin_unlock(&ctl->tree_lock);
+ if (ret) {
++ spin_unlock(&ctl->tree_lock);
+ btrfs_err(fs_info,
+ "Duplicate entries in free space cache, dumping");
+ kmem_cache_free(btrfs_free_space_cachep, e);
+ goto free_cache;
+ }
++ ctl->total_bitmaps++;
++ recalculate_thresholds(ctl);
++ spin_unlock(&ctl->tree_lock);
+ list_add_tail(&e->list, &bitmaps);
+ }
+
--- /dev/null
+From c87f318e6f47696b4040b58f460d5c17ea0280e6 Mon Sep 17 00:00:00 2001
+From: Anastasia Belova <abelova@astralinux.ru>
+Date: Wed, 26 Apr 2023 14:53:23 +0300
+Subject: btrfs: print-tree: parent bytenr must be aligned to sector size
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+commit c87f318e6f47696b4040b58f460d5c17ea0280e6 upstream.
+
+Check nodesize to sectorsize in alignment check in print_extent_item.
+The comment states that and this is correct, similar check is done
+elsewhere in the functions.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: ea57788eb76d ("btrfs: require only sector size alignment for parent eb bytenr")
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/print-tree.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -147,10 +147,10 @@ static void print_extent_item(struct ext
+ pr_cont("shared data backref parent %llu count %u\n",
+ offset, btrfs_shared_data_ref_count(eb, sref));
+ /*
+- * offset is supposed to be a tree block which
+- * must be aligned to nodesize.
++ * Offset is supposed to be a tree block which must be
++ * aligned to sectorsize.
+ */
+- if (!IS_ALIGNED(offset, eb->fs_info->nodesize))
++ if (!IS_ALIGNED(offset, eb->fs_info->sectorsize))
+ pr_info(
+ "\t\t\t(parent %llu not aligned to sectorsize %u)\n",
+ offset, eb->fs_info->sectorsize);
--- /dev/null
+From c83b56d1dd87cf67492bb770c26d6f87aee70ed6 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 8 May 2023 07:58:37 -0700
+Subject: btrfs: zero the buffer before marking it dirty in btrfs_redirty_list_add
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit c83b56d1dd87cf67492bb770c26d6f87aee70ed6 upstream.
+
+btrfs_redirty_list_add zeroes the buffer data and sets the
+EXTENT_BUFFER_NO_CHECK to make sure writeback is fine with a bogus
+header. But it does that after already marking the buffer dirty, which
+means that writeback could already be looking at the buffer.
+
+Switch the order of operations around so that the buffer is only marked
+dirty when we're ready to write it.
+
+Fixes: d3575156f662 ("btrfs: zoned: redirty released extent buffers")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -1347,11 +1347,11 @@ void btrfs_redirty_list_add(struct btrfs
+ !list_empty(&eb->release_list))
+ return;
+
++ memzero_extent_buffer(eb, 0, eb->len);
++ set_bit(EXTENT_BUFFER_NO_CHECK, &eb->bflags);
+ set_extent_buffer_dirty(eb);
+ set_extent_bits_nowait(&trans->dirty_pages, eb->start,
+ eb->start + eb->len - 1, EXTENT_DIRTY);
+- memzero_extent_buffer(eb, 0, eb->len);
+- set_bit(EXTENT_BUFFER_NO_CHECK, &eb->bflags);
+
+ spin_lock(&trans->releasing_ebs_lock);
+ list_add_tail(&eb->release_list, &trans->releasing_ebs);
--- /dev/null
+From 631003e2333c12cc1b52df06a707365b7363a159 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Tue, 18 Apr 2023 17:45:24 +0900
+Subject: btrfs: zoned: fix wrong use of bitops API in btrfs_ensure_empty_zones
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 631003e2333c12cc1b52df06a707365b7363a159 upstream.
+
+find_next_bit and find_next_zero_bit take @size as the second parameter and
+@offset as the third parameter. They are specified opposite in
+btrfs_ensure_empty_zones(). Thanks to the later loop, it never failed to
+detect the empty zones. Fix them and (maybe) return the result a bit
+faster.
+
+Note: the naming is a bit confusing, size has two meanings here, bitmap
+and our range size.
+
+Fixes: 1cd6121f2a38 ("btrfs: zoned: implement zoned chunk allocator")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -1014,12 +1014,12 @@ int btrfs_ensure_empty_zones(struct btrf
+ return -ERANGE;
+
+ /* All the zones are conventional */
+- if (find_next_bit(zinfo->seq_zones, begin, end) == end)
++ if (find_next_bit(zinfo->seq_zones, end, begin) == end)
+ return 0;
+
+ /* All the zones are sequential and empty */
+- if (find_next_zero_bit(zinfo->seq_zones, begin, end) == end &&
+- find_next_zero_bit(zinfo->empty_zones, begin, end) == end)
++ if (find_next_zero_bit(zinfo->seq_zones, end, begin) == end &&
++ find_next_zero_bit(zinfo->empty_zones, end, begin) == end)
+ return 0;
+
+ for (pos = start; pos < start + size; pos += zinfo->zone_size) {
--- /dev/null
+From d66cde50c3c868af7abddafce701bb86e4a93039 Mon Sep 17 00:00:00 2001
+From: Pawel Witek <pawel.ireneusz.witek@gmail.com>
+Date: Fri, 5 May 2023 17:14:59 +0200
+Subject: cifs: fix pcchunk length type in smb2_copychunk_range
+
+From: Pawel Witek <pawel.ireneusz.witek@gmail.com>
+
+commit d66cde50c3c868af7abddafce701bb86e4a93039 upstream.
+
+Change type of pcchunk->Length from u32 to u64 to match
+smb2_copychunk_range arguments type. Fixes the problem where performing
+server-side copy with CIFS_IOC_COPYCHUNK_FILE ioctl resulted in incomplete
+copy of large files while returning -EINVAL.
+
+Fixes: 9bf0c9cd4314 ("CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pawel Witek <pawel.ireneusz.witek@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1893,7 +1893,7 @@ smb2_copychunk_range(const unsigned int
+ pcchunk->SourceOffset = cpu_to_le64(src_off);
+ pcchunk->TargetOffset = cpu_to_le64(dest_off);
+ pcchunk->Length =
+- cpu_to_le32(min_t(u32, len, tcon->max_bytes_chunk));
++ cpu_to_le32(min_t(u64, len, tcon->max_bytes_chunk));
+
+ /* Request server copy to target from src identified by key */
+ kfree(retbuf);
--- /dev/null
+From d39fc592ef8ae9a89c5e85c8d9f760937a57d5ba Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 10 May 2023 17:42:21 -0500
+Subject: cifs: release leases for deferred close handles when freezing
+
+From: Steve French <stfrench@microsoft.com>
+
+commit d39fc592ef8ae9a89c5e85c8d9f760937a57d5ba upstream.
+
+We should not be caching closed files when freeze is invoked on an fs
+(so we can release resources more gracefully).
+
+Fixes xfstests generic/068 generic/390 generic/491
+
+Reviewed-by: David Howells <dhowells@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsfs.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -730,6 +730,20 @@ static void cifs_umount_begin(struct sup
+ return;
+ }
+
++static int cifs_freeze(struct super_block *sb)
++{
++ struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
++ struct cifs_tcon *tcon;
++
++ if (cifs_sb == NULL)
++ return 0;
++
++ tcon = cifs_sb_master_tcon(cifs_sb);
++
++ cifs_close_all_deferred_files(tcon);
++ return 0;
++}
++
+ #ifdef CONFIG_CIFS_STATS2
+ static int cifs_show_stats(struct seq_file *s, struct dentry *root)
+ {
+@@ -761,6 +775,7 @@ static const struct super_operations cif
+ as opens */
+ .show_options = cifs_show_options,
+ .umount_begin = cifs_umount_begin,
++ .freeze_fs = cifs_freeze,
+ #ifdef CONFIG_CIFS_STATS2
+ .show_stats = cifs_show_stats,
+ #endif
--- /dev/null
+From f435b7ef3b360d689df2ffa8326352cd07940d92 Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+Date: Thu, 30 Mar 2023 11:31:31 +0200
+Subject: drm/bridge: lt8912b: Fix DSI Video Mode
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+commit f435b7ef3b360d689df2ffa8326352cd07940d92 upstream.
+
+LT8912 DSI port supports only Non-Burst mode video operation with Sync
+Events and continuous clock on clock lane, correct dsi mode flags
+according to that removing MIPI_DSI_MODE_VIDEO_BURST flag.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230330093131.424828-1-francesco@dolcini.it
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt8912b.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/gpu/drm/bridge/lontium-lt8912b.c
++++ b/drivers/gpu/drm/bridge/lontium-lt8912b.c
+@@ -494,7 +494,6 @@ static int lt8912_attach_dsi(struct lt89
+ dsi->format = MIPI_DSI_FMT_RGB888;
+
+ dsi->mode_flags = MIPI_DSI_MODE_VIDEO |
+- MIPI_DSI_MODE_VIDEO_BURST |
+ MIPI_DSI_MODE_LPM |
+ MIPI_DSI_MODE_NO_EOT_PACKET;
+
--- /dev/null
+From cd459c005de3e2b855a8cc7768e633ce9d018e9f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 6 Mar 2023 11:07:16 +0100
+Subject: drm/msm: fix NULL-deref on irq uninstall
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit cd459c005de3e2b855a8cc7768e633ce9d018e9f upstream.
+
+In case of early initialisation errors and on platforms that do not use
+the DPU controller, the deinitilisation code can be called with the kms
+pointer set to NULL.
+
+Fixes: f026e431cf86 ("drm/msm: Convert to Linux IRQ interfaces")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/525104/
+Link: https://lore.kernel.org/r/20230306100722.28485-5-johan+linaro@kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -364,9 +364,11 @@ static int msm_drm_uninit(struct device
+
+ drm_mode_config_cleanup(ddev);
+
+- pm_runtime_get_sync(dev);
+- msm_irq_uninstall(ddev);
+- pm_runtime_put_sync(dev);
++ if (kms) {
++ pm_runtime_get_sync(dev);
++ msm_irq_uninstall(ddev);
++ pm_runtime_put_sync(dev);
++ }
+
+ if (kms && kms->funcs)
+ kms->funcs->destroy(kms);
--- /dev/null
+From a465353b9250802f87b97123e33a17f51277f0b1 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 6 Mar 2023 11:07:15 +0100
+Subject: drm/msm: fix NULL-deref on snapshot tear down
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit a465353b9250802f87b97123e33a17f51277f0b1 upstream.
+
+In case of early initialisation errors and on platforms that do not use
+the DPU controller, the deinitilisation code can be called with the kms
+pointer set to NULL.
+
+Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/525099/
+Link: https://lore.kernel.org/r/20230306100722.28485-4-johan+linaro@kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -359,7 +359,8 @@ static int msm_drm_uninit(struct device
+ msm_fbdev_free(ddev);
+ #endif
+
+- msm_disp_snapshot_destroy(ddev);
++ if (kms)
++ msm_disp_snapshot_destroy(ddev);
+
+ drm_mode_config_cleanup(ddev);
+
--- /dev/null
+From ab4f869fba6119997f7630d600049762a2b014fa Mon Sep 17 00:00:00 2001
+From: James Cowgill <james.cowgill@blaize.com>
+Date: Wed, 12 Apr 2023 17:35:07 +0000
+Subject: drm/panel: otm8009a: Set backlight parent to panel device
+
+From: James Cowgill <james.cowgill@blaize.com>
+
+commit ab4f869fba6119997f7630d600049762a2b014fa upstream.
+
+This is the logical place to put the backlight device, and it also
+fixes a kernel crash if the MIPI host is removed. Previously the
+backlight device would be unregistered twice when this happened - once
+as a child of the MIPI host through `mipi_dsi_host_unregister`, and
+once when the panel device is destroyed.
+
+Fixes: 12a6cbd4f3f1 ("drm/panel: otm8009a: Use new backlight API")
+Signed-off-by: James Cowgill <james.cowgill@blaize.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230412173450.199592-1-james.cowgill@blaize.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-orisetech-otm8009a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c
++++ b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c
+@@ -444,7 +444,7 @@ static int otm8009a_probe(struct mipi_ds
+ DRM_MODE_CONNECTOR_DSI);
+
+ ctx->bl_dev = devm_backlight_device_register(dev, dev_name(dev),
+- dsi->host->dev, ctx,
++ dev, ctx,
+ &otm8009a_backlight_ops,
+ NULL);
+ if (IS_ERR(ctx->bl_dev)) {
--- /dev/null
+From d94772154e524b329a168678836745d2773a6e02 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Thu, 6 Apr 2023 11:18:48 -0700
+Subject: f2fs: fix potential corruption when moving a directory
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit d94772154e524b329a168678836745d2773a6e02 upstream.
+
+F2FS has the same issue in ext4_rename causing crash revealed by
+xfstests/generic/707.
+
+See also commit 0813299c586b ("ext4: Fix possible corruption when moving a directory")
+
+CC: stable@vger.kernel.org
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/namei.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -991,12 +991,20 @@ static int f2fs_rename(struct inode *old
+ goto out;
+ }
+
++ /*
++ * Copied from ext4_rename: we need to protect against old.inode
++ * directory getting converted from inline directory format into
++ * a normal one.
++ */
++ if (S_ISDIR(old_inode->i_mode))
++ inode_lock_nested(old_inode, I_MUTEX_NONDIR2);
++
+ err = -ENOENT;
+ old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page);
+ if (!old_entry) {
+ if (IS_ERR(old_page))
+ err = PTR_ERR(old_page);
+- goto out;
++ goto out_unlock_old;
+ }
+
+ if (S_ISDIR(old_inode->i_mode)) {
+@@ -1104,6 +1112,9 @@ static int f2fs_rename(struct inode *old
+
+ f2fs_unlock_op(sbi);
+
++ if (S_ISDIR(old_inode->i_mode))
++ inode_unlock(old_inode);
++
+ if (IS_DIRSYNC(old_dir) || IS_DIRSYNC(new_dir))
+ f2fs_sync_fs(sbi->sb, 1);
+
+@@ -1118,6 +1129,9 @@ out_dir:
+ f2fs_put_page(old_dir_page, 0);
+ out_old:
+ f2fs_put_page(old_page, 0);
++out_unlock_old:
++ if (S_ISDIR(old_inode->i_mode))
++ inode_unlock(old_inode);
+ out:
+ if (whiteout)
+ iput(whiteout);
--- /dev/null
+From c915d8f5918bea7c3962b09b8884ca128bfd9b0c Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 24 Apr 2023 18:32:19 +0200
+Subject: inotify: Avoid reporting event with invalid wd
+
+From: Jan Kara <jack@suse.cz>
+
+commit c915d8f5918bea7c3962b09b8884ca128bfd9b0c upstream.
+
+When inotify_freeing_mark() races with inotify_handle_inode_event() it
+can happen that inotify_handle_inode_event() sees that i_mark->wd got
+already reset to -1 and reports this value to userspace which can
+confuse the inotify listener. Avoid the problem by validating that wd is
+sensible (and pretend the mark got removed before the event got
+generated otherwise).
+
+CC: stable@vger.kernel.org
+Fixes: 7e790dd5fc93 ("inotify: fix error paths in inotify_update_watch")
+Message-Id: <20230424163219.9250-1-jack@suse.cz>
+Reported-by: syzbot+4a06d4373fd52f0b2f9c@syzkaller.appspotmail.com
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/inotify/inotify_fsnotify.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/notify/inotify/inotify_fsnotify.c
++++ b/fs/notify/inotify/inotify_fsnotify.c
+@@ -65,7 +65,7 @@ int inotify_handle_inode_event(struct fs
+ struct fsnotify_event *fsn_event;
+ struct fsnotify_group *group = inode_mark->group;
+ int ret;
+- int len = 0;
++ int len = 0, wd;
+ int alloc_len = sizeof(struct inotify_event_info);
+ struct mem_cgroup *old_memcg;
+
+@@ -81,6 +81,13 @@ int inotify_handle_inode_event(struct fs
+ fsn_mark);
+
+ /*
++ * We can be racing with mark being detached. Don't report event with
++ * invalid wd.
++ */
++ wd = READ_ONCE(i_mark->wd);
++ if (wd == -1)
++ return 0;
++ /*
+ * Whoever is interested in the event, pays for the allocation. Do not
+ * trigger OOM killer in the target monitoring memcg as it may have
+ * security repercussion.
+@@ -110,7 +117,7 @@ int inotify_handle_inode_event(struct fs
+ fsn_event = &event->fse;
+ fsnotify_init_event(fsn_event);
+ event->mask = mask;
+- event->wd = i_mark->wd;
++ event->wd = wd;
+ event->sync_cookie = cookie;
+ event->name_len = len;
+ if (len)
--- /dev/null
+From 4b65f95c87c35699bc6ad540d6b9dd7f950d0924 Mon Sep 17 00:00:00 2001
+From: Andrey Avdeev <jamesstoun@gmail.com>
+Date: Sun, 30 Apr 2023 11:01:10 +0300
+Subject: platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
+
+From: Andrey Avdeev <jamesstoun@gmail.com>
+
+commit 4b65f95c87c35699bc6ad540d6b9dd7f950d0924 upstream.
+
+Add touchscreen info for the Dexp Ursus KX210i
+
+Signed-off-by: Andrey Avdeev <jamesstoun@gmail.com>
+Link: https://lore.kernel.org/r/ZE4gRgzRQCjXFYD0@avdeevavpc
+Cc: stable@vger.kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/touchscreen_dmi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/platform/x86/touchscreen_dmi.c
++++ b/drivers/platform/x86/touchscreen_dmi.c
+@@ -327,6 +327,22 @@ static const struct ts_dmi_data dexp_urs
+ .properties = dexp_ursus_7w_props,
+ };
+
++static const struct property_entry dexp_ursus_kx210i_props[] = {
++ PROPERTY_ENTRY_U32("touchscreen-min-x", 5),
++ PROPERTY_ENTRY_U32("touchscreen-min-y", 2),
++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1720),
++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1137),
++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-dexp-ursus-kx210i.fw"),
++ PROPERTY_ENTRY_U32("silead,max-fingers", 10),
++ PROPERTY_ENTRY_BOOL("silead,home-button"),
++ { }
++};
++
++static const struct ts_dmi_data dexp_ursus_kx210i_data = {
++ .acpi_name = "MSSL1680:00",
++ .properties = dexp_ursus_kx210i_props,
++};
++
+ static const struct property_entry digma_citi_e200_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-size-x", 1980),
+ PROPERTY_ENTRY_U32("touchscreen-size-y", 1500),
+@@ -1167,6 +1183,14 @@ const struct dmi_system_id touchscreen_d
+ },
+ },
+ {
++ /* DEXP Ursus KX210i */
++ .driver_data = (void *)&dexp_ursus_kx210i_data,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "INSYDE Corp."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "S107I"),
++ },
++ },
++ {
+ /* Digma Citi E200 */
+ .driver_data = (void *)&digma_citi_e200_data,
+ .matches = {
--- /dev/null
+From 6abfa99ce52f61a31bcfc2aaaae09006f5665495 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 5 May 2023 23:03:23 +0200
+Subject: platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 6abfa99ce52f61a31bcfc2aaaae09006f5665495 upstream.
+
+The Juno Computers Juno Tablet has an upside-down mounted Goodix
+touchscreen. Add a quirk to invert both axis to correct for this.
+
+Link: https://junocomputers.com/us/product/juno-tablet/
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230505210323.43177-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/touchscreen_dmi.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/platform/x86/touchscreen_dmi.c
++++ b/drivers/platform/x86/touchscreen_dmi.c
+@@ -381,6 +381,11 @@ static const struct ts_dmi_data glavey_t
+ .properties = glavey_tm800a550l_props,
+ };
+
++static const struct ts_dmi_data gdix1002_00_upside_down_data = {
++ .acpi_name = "GDIX1002:00",
++ .properties = gdix1001_upside_down_props,
++};
++
+ static const struct property_entry gp_electronic_t701_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-size-x", 960),
+ PROPERTY_ENTRY_U32("touchscreen-size-y", 640),
+@@ -1281,6 +1286,18 @@ const struct dmi_system_id touchscreen_d
+ },
+ },
+ {
++ /* Juno Tablet */
++ .driver_data = (void *)&gdix1002_00_upside_down_data,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Default string"),
++ /* Both product- and board-name being "Default string" is somewhat rare */
++ DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
++ DMI_MATCH(DMI_BOARD_NAME, "Default string"),
++ /* Above matches are too generic, add partial bios-version match */
++ DMI_MATCH(DMI_BIOS_VERSION, "JP2V1."),
++ },
++ },
++ {
+ /* Mediacom WinPad 7.0 W700 (same hw as Wintron surftab 7") */
+ .driver_data = (void *)&trekstor_surftab_wintron70_data,
+ .matches = {
--- /dev/null
+From 5ef074e805ecfd9a16dbb7b6b88bbfa8abad7054 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Mon, 20 Mar 2023 16:18:25 -0600
+Subject: remoteproc: imx_rproc: Call of_node_put() on iteration error
+
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+
+commit 5ef074e805ecfd9a16dbb7b6b88bbfa8abad7054 upstream.
+
+Function of_phandle_iterator_next() calls of_node_put() on the last
+device_node it iterated over, but when the loop exits prematurely it has
+to be called explicitly.
+
+Fixes: b29b4249f8f0 ("remoteproc: imx_rproc: add i.MX specific parse fw hook")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/20230320221826.2728078-5-mathieu.poirier@linaro.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/imx_rproc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -452,6 +452,7 @@ static int imx_rproc_prepare(struct rpro
+
+ rmem = of_reserved_mem_lookup(it.node);
+ if (!rmem) {
++ of_node_put(it.node);
+ dev_err(priv->dev, "unable to acquire memory-region\n");
+ return -EINVAL;
+ }
+@@ -464,10 +465,12 @@ static int imx_rproc_prepare(struct rpro
+ imx_rproc_mem_alloc, imx_rproc_mem_release,
+ it.node->name);
+
+- if (mem)
++ if (mem) {
+ rproc_coredump_add_segment(rproc, da, rmem->size);
+- else
++ } else {
++ of_node_put(it.node);
+ return -ENOMEM;
++ }
+
+ rproc_add_carveout(rproc, mem);
+ }
--- /dev/null
+From 8a74918948b40317a5b5bab9739d13dcb5de2784 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Mon, 20 Mar 2023 16:18:23 -0600
+Subject: remoteproc: st: Call of_node_put() on iteration error
+
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+
+commit 8a74918948b40317a5b5bab9739d13dcb5de2784 upstream.
+
+Function of_phandle_iterator_next() calls of_node_put() on the last
+device_node it iterated over, but when the loop exits prematurely it has
+to be called explicitly.
+
+Fixes: 3df52ed7f269 ("remoteproc: st: add reserved memory support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+Link: https://lore.kernel.org/r/20230320221826.2728078-3-mathieu.poirier@linaro.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/st_remoteproc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/st_remoteproc.c
++++ b/drivers/remoteproc/st_remoteproc.c
+@@ -129,6 +129,7 @@ static int st_rproc_parse_fw(struct rpro
+ while (of_phandle_iterator_next(&it) == 0) {
+ rmem = of_reserved_mem_lookup(it.node);
+ if (!rmem) {
++ of_node_put(it.node);
+ dev_err(dev, "unable to acquire memory-region\n");
+ return -EINVAL;
+ }
+@@ -150,8 +151,10 @@ static int st_rproc_parse_fw(struct rpro
+ it.node->name);
+ }
+
+- if (!mem)
++ if (!mem) {
++ of_node_put(it.node);
+ return -ENOMEM;
++ }
+
+ rproc_add_carveout(rproc, mem);
+ index++;
--- /dev/null
+From ccadca5baf5124a880f2bb50ed1ec265415f025b Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Mon, 20 Mar 2023 16:18:22 -0600
+Subject: remoteproc: stm32: Call of_node_put() on iteration error
+
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+
+commit ccadca5baf5124a880f2bb50ed1ec265415f025b upstream.
+
+Function of_phandle_iterator_next() calls of_node_put() on the last
+device_node it iterated over, but when the loop exits prematurely it has
+to be called explicitly.
+
+Fixes: 13140de09cc2 ("remoteproc: stm32: add an ST stm32_rproc driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+Link: https://lore.kernel.org/r/20230320221826.2728078-2-mathieu.poirier@linaro.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/stm32_rproc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/stm32_rproc.c
++++ b/drivers/remoteproc/stm32_rproc.c
+@@ -223,11 +223,13 @@ static int stm32_rproc_prepare(struct rp
+ while (of_phandle_iterator_next(&it) == 0) {
+ rmem = of_reserved_mem_lookup(it.node);
+ if (!rmem) {
++ of_node_put(it.node);
+ dev_err(dev, "unable to acquire memory-region\n");
+ return -EINVAL;
+ }
+
+ if (stm32_rproc_pa_to_da(rproc, rmem->base, &da) < 0) {
++ of_node_put(it.node);
+ dev_err(dev, "memory region not valid %pa\n",
+ &rmem->base);
+ return -EINVAL;
+@@ -254,8 +256,10 @@ static int stm32_rproc_prepare(struct rp
+ it.node->name);
+ }
+
+- if (!mem)
++ if (!mem) {
++ of_node_put(it.node);
+ return -ENOMEM;
++ }
+
+ rproc_add_carveout(rproc, mem);
+ index++;
perf-symbols-fix-return-incorrect-build_id-size-in-e.patch
perf-evlist-refactor-evlist__for_each_cpu.patch
perf-stat-separate-bperf-from-bpf_profiler.patch
+x86-retbleed-fix-return-thunk-alignment.patch
+btrfs-fix-btrfs_prev_leaf-to-not-return-the-same-key-twice.patch
+btrfs-zoned-fix-wrong-use-of-bitops-api-in-btrfs_ensure_empty_zones.patch
+btrfs-fix-encoded-write-i_size-corruption-with-no-holes.patch
+btrfs-don-t-free-qgroup-space-unless-specified.patch
+btrfs-zero-the-buffer-before-marking-it-dirty-in-btrfs_redirty_list_add.patch
+btrfs-print-tree-parent-bytenr-must-be-aligned-to-sector-size.patch
+btrfs-fix-space-cache-inconsistency-after-error-loading-it-from-disk.patch
+cifs-fix-pcchunk-length-type-in-smb2_copychunk_range.patch
+cifs-release-leases-for-deferred-close-handles-when-freezing.patch
+platform-x86-touchscreen_dmi-add-upside-down-quirk-for-gdix1002-ts-on-the-juno-tablet.patch
+platform-x86-touchscreen_dmi-add-info-for-the-dexp-ursus-kx210i.patch
+inotify-avoid-reporting-event-with-invalid-wd.patch
+smb3-fix-problem-remounting-a-share-after-shutdown.patch
+smb3-force-unmount-was-failing-to-close-deferred-close-files.patch
+sh-math-emu-fix-macro-redefined-warning.patch
+sh-mcount.s-fix-build-error-when-printk-is-not-enabled.patch
+sh-init-use-of_early_flattree-for-early-init.patch
+sh-nmi_debug-fix-return-value-of-__setup-handler.patch
+remoteproc-stm32-call-of_node_put-on-iteration-error.patch
+remoteproc-st-call-of_node_put-on-iteration-error.patch
+remoteproc-imx_rproc-call-of_node_put-on-iteration-error.patch
+arm-dts-exynos-fix-wm8960-clock-name-in-itop-elite.patch
+arm-dts-s5pv210-correct-mipi-csis-clock-name.patch
+drm-bridge-lt8912b-fix-dsi-video-mode.patch
+drm-msm-fix-null-deref-on-snapshot-tear-down.patch
+drm-msm-fix-null-deref-on-irq-uninstall.patch
+f2fs-fix-potential-corruption-when-moving-a-directory.patch
+drm-panel-otm8009a-set-backlight-parent-to-panel-device.patch
--- /dev/null
+From 6cba655543c7959f8a6d2979b9d40a6a66b7ed4f Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 5 Mar 2023 20:00:33 -0800
+Subject: sh: init: use OF_EARLY_FLATTREE for early init
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 6cba655543c7959f8a6d2979b9d40a6a66b7ed4f upstream.
+
+When CONFIG_OF_EARLY_FLATTREE and CONFIG_SH_DEVICE_TREE are not set,
+SH3 build fails with a call to early_init_dt_scan(), so in
+arch/sh/kernel/setup.c and arch/sh/kernel/head_32.S, use
+CONFIG_OF_EARLY_FLATTREE instead of CONFIG_OF_FLATTREE.
+
+Fixes this build error:
+../arch/sh/kernel/setup.c: In function 'sh_fdt_init':
+../arch/sh/kernel/setup.c:262:26: error: implicit declaration of function 'early_init_dt_scan' [-Werror=implicit-function-declaration]
+ 262 | if (!dt_virt || !early_init_dt_scan(dt_virt)) {
+
+Fixes: 03767daa1387 ("sh: fix build regression with CONFIG_OF && !CONFIG_OF_FLATTREE")
+Fixes: eb6b6930a70f ("sh: fix memory corruption of unflattened device tree")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Suggested-by: Rob Herring <robh+dt@kernel.org>
+Cc: Frank Rowand <frowand.list@gmail.com>
+Cc: devicetree@vger.kernel.org
+Cc: Rich Felker <dalias@libc.org>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: linux-sh@vger.kernel.org
+Cc: stable@vger.kernel.org
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230306040037.20350-4-rdunlap@infradead.org
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/kernel/head_32.S | 6 +++---
+ arch/sh/kernel/setup.c | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/sh/kernel/head_32.S
++++ b/arch/sh/kernel/head_32.S
+@@ -64,7 +64,7 @@ ENTRY(_stext)
+ ldc r0, r6_bank
+ #endif
+
+-#ifdef CONFIG_OF_FLATTREE
++#ifdef CONFIG_OF_EARLY_FLATTREE
+ mov r4, r12 ! Store device tree blob pointer in r12
+ #endif
+
+@@ -315,7 +315,7 @@ ENTRY(_stext)
+ 10:
+ #endif
+
+-#ifdef CONFIG_OF_FLATTREE
++#ifdef CONFIG_OF_EARLY_FLATTREE
+ mov.l 8f, r0 ! Make flat device tree available early.
+ jsr @r0
+ mov r12, r4
+@@ -346,7 +346,7 @@ ENTRY(stack_start)
+ 5: .long start_kernel
+ 6: .long cpu_init
+ 7: .long init_thread_union
+-#if defined(CONFIG_OF_FLATTREE)
++#if defined(CONFIG_OF_EARLY_FLATTREE)
+ 8: .long sh_fdt_init
+ #endif
+
+--- a/arch/sh/kernel/setup.c
++++ b/arch/sh/kernel/setup.c
+@@ -244,7 +244,7 @@ void __init __weak plat_early_device_set
+ {
+ }
+
+-#ifdef CONFIG_OF_FLATTREE
++#ifdef CONFIG_OF_EARLY_FLATTREE
+ void __ref sh_fdt_init(phys_addr_t dt_phys)
+ {
+ static int done = 0;
+@@ -326,7 +326,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Let earlyprintk output early console messages */
+ sh_early_platform_driver_probe("earlyprintk", 1, 1);
+
+-#ifdef CONFIG_OF_FLATTREE
++#ifdef CONFIG_OF_EARLY_FLATTREE
+ #ifdef CONFIG_USE_BUILTIN_DTB
+ unflatten_and_copy_device_tree();
+ #else
--- /dev/null
+From 58a49ad90939386a8682e842c474a0d2c00ec39c Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 5 Mar 2023 20:00:34 -0800
+Subject: sh: math-emu: fix macro redefined warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 58a49ad90939386a8682e842c474a0d2c00ec39c upstream.
+
+Fix a warning that was reported by the kernel test robot:
+
+In file included from ../include/math-emu/soft-fp.h:27,
+ from ../arch/sh/math-emu/math.c:22:
+../arch/sh/include/asm/sfp-machine.h:17: warning: "__BYTE_ORDER" redefined
+ 17 | #define __BYTE_ORDER __BIG_ENDIAN
+In file included from ../arch/sh/math-emu/math.c:21:
+../arch/sh/math-emu/sfp-util.h:71: note: this is the location of the previous definition
+ 71 | #define __BYTE_ORDER __LITTLE_ENDIAN
+
+Fixes: b929926f01f2 ("sh: define __BIG_ENDIAN for math-emu")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Link: lore.kernel.org/r/202111121827.6v6SXtVv-lkp@intel.com
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230306040037.20350-5-rdunlap@infradead.org
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/math-emu/sfp-util.h | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/arch/sh/math-emu/sfp-util.h
++++ b/arch/sh/math-emu/sfp-util.h
+@@ -67,7 +67,3 @@
+ } while (0)
+
+ #define abort() return 0
+-
+-#define __BYTE_ORDER __LITTLE_ENDIAN
+-
+-
--- /dev/null
+From c2bd1e18c6f85c0027da2e5e7753b9bfd9f8e6dc Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 5 Mar 2023 20:00:37 -0800
+Subject: sh: mcount.S: fix build error when PRINTK is not enabled
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit c2bd1e18c6f85c0027da2e5e7753b9bfd9f8e6dc upstream.
+
+Fix a build error in mcount.S when CONFIG_PRINTK is not enabled.
+Fixes this build error:
+
+sh2-linux-ld: arch/sh/lib/mcount.o: in function `stack_panic':
+(.text+0xec): undefined reference to `dump_stack'
+
+Fixes: e460ab27b6c3 ("sh: Fix up stack overflow check with ftrace disabled.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230306040037.20350-8-rdunlap@infradead.org
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/Kconfig.debug
++++ b/arch/sh/Kconfig.debug
+@@ -15,7 +15,7 @@ config SH_STANDARD_BIOS
+
+ config STACK_DEBUG
+ bool "Check for stack overflows"
+- depends on DEBUG_KERNEL
++ depends on DEBUG_KERNEL && PRINTK
+ help
+ This option will cause messages to be printed if free stack space
+ drops below a certain limit. Saying Y here will add overhead to
--- /dev/null
+From d1155e4132de712a9d3066e2667ceaad39a539c5 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 5 Mar 2023 20:00:32 -0800
+Subject: sh: nmi_debug: fix return value of __setup handler
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit d1155e4132de712a9d3066e2667ceaad39a539c5 upstream.
+
+__setup() handlers should return 1 to obsolete_checksetup() in
+init/main.c to indicate that the boot option has been handled.
+A return of 0 causes the boot option/value to be listed as an Unknown
+kernel parameter and added to init's (limited) argument or environment
+strings. Also, error return codes don't mean anything to
+obsolete_checksetup() -- only non-zero (usually 1) or zero.
+So return 1 from nmi_debug_setup().
+
+Fixes: 1e1030dccb10 ("sh: nmi_debug support.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Igor Zhbanov <izh1979@gmail.com>
+Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Cc: stable@vger.kernel.org
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230306040037.20350-3-rdunlap@infradead.org
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/kernel/nmi_debug.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/sh/kernel/nmi_debug.c
++++ b/arch/sh/kernel/nmi_debug.c
+@@ -49,7 +49,7 @@ static int __init nmi_debug_setup(char *
+ register_die_notifier(&nmi_debug_nb);
+
+ if (*str != '=')
+- return 0;
++ return 1;
+
+ for (p = str + 1; *p; p = sep + 1) {
+ sep = strchr(p, ',');
+@@ -70,6 +70,6 @@ static int __init nmi_debug_setup(char *
+ break;
+ }
+
+- return 0;
++ return 1;
+ }
+ __setup("nmi_debug", nmi_debug_setup);
--- /dev/null
+From 716a3cf317456fa01d54398bb14ab354f50ed6a2 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 9 May 2023 01:37:19 -0500
+Subject: smb3: fix problem remounting a share after shutdown
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 716a3cf317456fa01d54398bb14ab354f50ed6a2 upstream.
+
+xfstests generic/392 showed a problem where even after a
+shutdown call was made on a mount, we would still attempt
+to use the (now inaccessible) superblock if another mount
+was attempted for the same share.
+
+Reported-by: David Howells <dhowells@redhat.com>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Cc: <stable@vger.kernel.org>
+Fixes: 087f757b0129 ("cifs: add shutdown support")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/connect.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2474,6 +2474,13 @@ cifs_match_super(struct super_block *sb,
+
+ spin_lock(&cifs_tcp_ses_lock);
+ cifs_sb = CIFS_SB(sb);
++
++ /* We do not want to use a superblock that has been shutdown */
++ if (CIFS_MOUNT_SHUTDOWN & cifs_sb->mnt_cifs_flags) {
++ spin_unlock(&cifs_tcp_ses_lock);
++ return 0;
++ }
++
+ tlink = cifs_get_tlink(cifs_sb_master_tlink(cifs_sb));
+ if (tlink == NULL) {
+ /* can not match superblock if tlink were ever null */
--- /dev/null
+From 2cb6f968775a9fd60c90a6042b9550bcec3ea087 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 9 May 2023 01:00:42 -0500
+Subject: SMB3: force unmount was failing to close deferred close files
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 2cb6f968775a9fd60c90a6042b9550bcec3ea087 upstream.
+
+In investigating a failure with xfstest generic/392 it
+was noticed that mounts were reusing a superblock that should
+already have been freed. This turned out to be related to
+deferred close files keeping a reference count until the
+closetimeo expired.
+
+Currently the only way an fs knows that mount is beginning is
+when force unmount is called, but when this, ie umount_begin(),
+is called all deferred close files on the share (tree
+connection) should be closed immediately (unless shared by
+another mount) to avoid using excess resources on the server
+and to avoid reusing a superblock which should already be freed.
+
+In umount_begin, close all deferred close handles for that
+share if this is the last mount using that share on this
+client (ie send the SMB3 close request over the wire for those
+that have been already closed by the app but that we have
+kept a handle lease open for and have not sent closes to the
+server for yet).
+
+Reported-by: David Howells <dhowells@redhat.com>
+Acked-by: Bharath SM <bharathsm@microsoft.com>
+Cc: <stable@vger.kernel.org>
+Fixes: 78c09634f7dc ("Cifs: Fix kernel oops caused by deferred close for files.")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -715,6 +715,7 @@ static void cifs_umount_begin(struct sup
+ tcon->tidStatus = CifsExiting;
+ spin_unlock(&cifs_tcp_ses_lock);
+
++ cifs_close_all_deferred_files(tcon);
+ /* cancel_brl_requests(tcon); */ /* BB mark all brl mids as exiting */
+ /* cancel_notify_requests(tcon); */
+ if (tcon->ses && tcon->ses->server) {
--- /dev/null
+From 9a48d604672220545d209e9996c2a1edbb5637f6 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Fri, 12 May 2023 23:12:26 +0200
+Subject: x86/retbleed: Fix return thunk alignment
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+commit 9a48d604672220545d209e9996c2a1edbb5637f6 upstream.
+
+SYM_FUNC_START_LOCAL_NOALIGN() adds an endbr leading to this layout
+(leaving only the last 2 bytes of the address):
+
+ 3bff <zen_untrain_ret>:
+ 3bff: f3 0f 1e fa endbr64
+ 3c03: f6 test $0xcc,%bl
+
+ 3c04 <__x86_return_thunk>:
+ 3c04: c3 ret
+ 3c05: cc int3
+ 3c06: 0f ae e8 lfence
+
+However, "the RET at __x86_return_thunk must be on a 64 byte boundary,
+for alignment within the BTB."
+
+Use SYM_START instead.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/lib/retpoline.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/lib/retpoline.S
++++ b/arch/x86/lib/retpoline.S
+@@ -86,8 +86,8 @@ SYM_CODE_END(__x86_indirect_thunk_array)
+ */
+ .align 64
+ .skip 63, 0xcc
+-SYM_FUNC_START_NOALIGN(zen_untrain_ret);
+-
++SYM_START(zen_untrain_ret, SYM_L_GLOBAL, SYM_A_NONE)
++ ANNOTATE_NOENDBR
+ /*
+ * As executed from zen_untrain_ret, this is:
+ *
projects / thirdparty / kernel / stable-queue.git / commitdiff
