--- /dev/null
+From e910c8e3aa02dc456e2f4c32cb479523c326b534 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 23 May 2023 10:19:35 +0200
+Subject: autofs: use flexible array in ioctl structure
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit e910c8e3aa02dc456e2f4c32cb479523c326b534 upstream.
+
+Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") introduced a warning
+for the autofs_dev_ioctl structure:
+
+In function 'check_name',
+ inlined from 'validate_dev_ioctl' at fs/autofs/dev-ioctl.c:131:9,
+ inlined from '_autofs_dev_ioctl' at fs/autofs/dev-ioctl.c:624:8:
+fs/autofs/dev-ioctl.c:33:14: error: 'strchr' reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
+ 33 | if (!strchr(name, '/'))
+ | ^~~~~~~~~~~~~~~~~
+In file included from include/linux/auto_dev-ioctl.h:10,
+ from fs/autofs/autofs_i.h:10,
+ from fs/autofs/dev-ioctl.c:14:
+include/uapi/linux/auto_dev-ioctl.h: In function '_autofs_dev_ioctl':
+include/uapi/linux/auto_dev-ioctl.h:112:14: note: source object 'path' of size 0
+ 112 | char path[0];
+ | ^~~~
+
+This is easily fixed by changing the gnu 0-length array into a c99
+flexible array. Since this is a uapi structure, we have to be careful
+about possible regressions but this one should be fine as they are
+equivalent here. While it would break building with ancient gcc versions
+that predate c99, it helps building with --std=c99 and -Wpedantic builds
+in user space, as well as non-gnu compilers. This means we probably
+also want it fixed in stable kernels.
+
+Cc: stable@vger.kernel.org
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Gustavo A. R. Silva" <gustavoars@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230523081944.581710-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/filesystems/autofs-mount-control.rst | 2 +-
+ Documentation/filesystems/autofs.rst | 2 +-
+ include/uapi/linux/auto_dev-ioctl.h | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/Documentation/filesystems/autofs-mount-control.rst
++++ b/Documentation/filesystems/autofs-mount-control.rst
+@@ -196,7 +196,7 @@ information and return operation results
+ struct args_ismountpoint ismountpoint;
+ };
+
+- char path[0];
++ char path[];
+ };
+
+ The ioctlfd field is a mount point file descriptor of an autofs mount
+--- a/Documentation/filesystems/autofs.rst
++++ b/Documentation/filesystems/autofs.rst
+@@ -467,7 +467,7 @@ Each ioctl is passed a pointer to an `au
+ struct args_ismountpoint ismountpoint;
+ };
+
+- char path[0];
++ char path[];
+ };
+
+ For the **OPEN_MOUNT** and **IS_MOUNTPOINT** commands, the target
+--- a/include/uapi/linux/auto_dev-ioctl.h
++++ b/include/uapi/linux/auto_dev-ioctl.h
+@@ -109,7 +109,7 @@ struct autofs_dev_ioctl {
+ struct args_ismountpoint ismountpoint;
+ };
+
+- char path[0];
++ char path[];
+ };
+
+ static inline void init_autofs_dev_ioctl(struct autofs_dev_ioctl *in)
--- /dev/null
+From 80fca8a10b604afad6c14213fdfd816c4eda3ee4 Mon Sep 17 00:00:00 2001
+From: Zheng Wang <zyytlz.wz@163.com>
+Date: Thu, 15 Jun 2023 20:12:22 +0800
+Subject: bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+commit 80fca8a10b604afad6c14213fdfd816c4eda3ee4 upstream.
+
+In some specific situations, the return value of __bch_btree_node_alloc
+may be NULL. This may lead to a potential NULL pointer dereference in
+caller function like a calling chain :
+btree_split->bch_btree_node_alloc->__bch_btree_node_alloc.
+
+Fix it by initializing the return value in __bch_btree_node_alloc.
+
+Fixes: cafe56359144 ("bcache: A block layer cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Link: https://lore.kernel.org/r/20230615121223.22502-6-colyli@suse.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/btree.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1090,10 +1090,12 @@ struct btree *__bch_btree_node_alloc(str
+ struct btree *parent)
+ {
+ BKEY_PADDED(key) k;
+- struct btree *b = ERR_PTR(-EAGAIN);
++ struct btree *b;
+
+ mutex_lock(&c->bucket_lock);
+ retry:
++ /* return ERR_PTR(-EAGAIN) when it fails */
++ b = ERR_PTR(-EAGAIN);
+ if (__bch_bucket_alloc_set(c, RESERVE_BTREE, &k.key, wait))
+ goto err;
+
--- /dev/null
+From f0854489fc07d2456f7cc71a63f4faf9c716ffbe Mon Sep 17 00:00:00 2001
+From: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Date: Thu, 15 Jun 2023 20:12:23 +0800
+Subject: bcache: fixup btree_cache_wait list damage
+
+From: Mingzhe Zou <mingzhe.zou@easystack.cn>
+
+commit f0854489fc07d2456f7cc71a63f4faf9c716ffbe upstream.
+
+We get a kernel crash about "list_add corruption. next->prev should be
+prev (ffff9c801bc01210), but was ffff9c77b688237c.
+(next=ffffae586d8afe68)."
+
+crash> struct list_head 0xffff9c801bc01210
+struct list_head {
+ next = 0xffffae586d8afe68,
+ prev = 0xffffae586d8afe68
+}
+crash> struct list_head 0xffff9c77b688237c
+struct list_head {
+ next = 0x0,
+ prev = 0x0
+}
+crash> struct list_head 0xffffae586d8afe68
+struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback"
+Cannot access memory at address 0xffffae586d8afe68
+
+[230469.019492] Call Trace:
+[230469.032041] prepare_to_wait+0x8a/0xb0
+[230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache]
+[230469.056533] mca_cannibalize_lock+0x72/0x90 [escache]
+[230469.068788] mca_alloc+0x2ae/0x450 [escache]
+[230469.080790] bch_btree_node_get+0x136/0x2d0 [escache]
+[230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache]
+[230469.104382] ? finish_wait+0x80/0x80
+[230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]
+[230469.127259] kthread+0x112/0x130
+[230469.138448] ? kthread_flush_work_fn+0x10/0x10
+[230469.149477] ret_from_fork+0x35/0x40
+
+bch_btree_check_thread() and bch_dirty_init_thread() may call
+mca_cannibalize() to cannibalize other cached btree nodes. Only one thread
+can do it at a time, so the op of other threads will be added to the
+btree_cache_wait list.
+
+We must call finish_wait() to remove op from btree_cache_wait before free
+it's memory address. Otherwise, the list will be damaged. Also should call
+bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up
+other waiters.
+
+Fixes: 8e7102273f59 ("bcache: make bch_btree_check() to be multithreaded")
+Fixes: b144e45fc576 ("bcache: make bch_sectors_dirty_init() to be multithreaded")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Signed-off-by: Coly Li <colyli@suse.de>
+Link: https://lore.kernel.org/r/20230615121223.22502-7-colyli@suse.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/btree.c | 11 ++++++++++-
+ drivers/md/bcache/btree.h | 1 +
+ drivers/md/bcache/writeback.c | 10 ++++++++++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -885,7 +885,7 @@ static struct btree *mca_cannibalize(str
+ * cannibalize_bucket() will take. This means every time we unlock the root of
+ * the btree, we need to release this lock if we have it held.
+ */
+-static void bch_cannibalize_unlock(struct cache_set *c)
++void bch_cannibalize_unlock(struct cache_set *c)
+ {
+ spin_lock(&c->btree_cannibalize_lock);
+ if (c->btree_cache_alloc_lock == current) {
+@@ -1968,6 +1968,15 @@ static int bch_btree_check_thread(void *
+ c->gc_stats.nodes++;
+ bch_btree_op_init(&op, 0);
+ ret = bcache_btree(check_recurse, p, c->root, &op);
++ /*
++ * The op may be added to cache_set's btree_cache_wait
++ * in mca_cannibalize(), must ensure it is removed from
++ * the list and release btree_cache_alloc_lock before
++ * free op memory.
++ * Otherwise, the btree_cache_wait will be damaged.
++ */
++ bch_cannibalize_unlock(c);
++ finish_wait(&c->btree_cache_wait, &(&op)->wait);
+ if (ret)
+ goto out;
+ }
+--- a/drivers/md/bcache/btree.h
++++ b/drivers/md/bcache/btree.h
+@@ -282,6 +282,7 @@ void bch_initial_gc_finish(struct cache_
+ void bch_moving_gc(struct cache_set *c);
+ int bch_btree_check(struct cache_set *c);
+ void bch_initial_mark_key(struct cache_set *c, int level, struct bkey *k);
++void bch_cannibalize_unlock(struct cache_set *c);
+
+ static inline void wake_up_gc(struct cache_set *c)
+ {
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -890,6 +890,16 @@ static int bch_root_node_dirty_init(stru
+ if (ret < 0)
+ pr_warn("sectors dirty init failed, ret=%d!\n", ret);
+
++ /*
++ * The op may be added to cache_set's btree_cache_wait
++ * in mca_cannibalize(), must ensure it is removed from
++ * the list and release btree_cache_alloc_lock before
++ * free op memory.
++ * Otherwise, the btree_cache_wait will be damaged.
++ */
++ bch_cannibalize_unlock(c);
++ finish_wait(&c->btree_cache_wait, &(&op.op)->wait);
++
+ return ret;
+ }
+
--- /dev/null
+From 028ddcac477b691dd9205c92f991cc15259d033e Mon Sep 17 00:00:00 2001
+From: Zheng Wang <zyytlz.wz@163.com>
+Date: Thu, 15 Jun 2023 20:12:21 +0800
+Subject: bcache: Remove unnecessary NULL point check in node allocations
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+commit 028ddcac477b691dd9205c92f991cc15259d033e upstream.
+
+Due to the previous fix of __bch_btree_node_alloc, the return value will
+never be a NULL pointer. So IS_ERR is enough to handle the failure
+situation. Fix it by replacing IS_ERR_OR_NULL check by an IS_ERR check.
+
+Fixes: cafe56359144 ("bcache: A block layer cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Link: https://lore.kernel.org/r/20230615121223.22502-5-colyli@suse.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/btree.c | 10 +++++-----
+ drivers/md/bcache/super.c | 4 ++--
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1138,7 +1138,7 @@ static struct btree *btree_node_alloc_re
+ {
+ struct btree *n = bch_btree_node_alloc(b->c, op, b->level, b->parent);
+
+- if (!IS_ERR_OR_NULL(n)) {
++ if (!IS_ERR(n)) {
+ mutex_lock(&n->write_lock);
+ bch_btree_sort_into(&b->keys, &n->keys, &b->c->sort);
+ bkey_copy_key(&n->key, &b->key);
+@@ -1340,7 +1340,7 @@ static int btree_gc_coalesce(struct btre
+ memset(new_nodes, 0, sizeof(new_nodes));
+ closure_init_stack(&cl);
+
+- while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b))
++ while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b))
+ keys += r[nodes++].keys;
+
+ blocks = btree_default_blocks(b->c) * 2 / 3;
+@@ -1352,7 +1352,7 @@ static int btree_gc_coalesce(struct btre
+
+ for (i = 0; i < nodes; i++) {
+ new_nodes[i] = btree_node_alloc_replacement(r[i].b, NULL);
+- if (IS_ERR_OR_NULL(new_nodes[i]))
++ if (IS_ERR(new_nodes[i]))
+ goto out_nocoalesce;
+ }
+
+@@ -1487,7 +1487,7 @@ out_nocoalesce:
+ bch_keylist_free(&keylist);
+
+ for (i = 0; i < nodes; i++)
+- if (!IS_ERR_OR_NULL(new_nodes[i])) {
++ if (!IS_ERR(new_nodes[i])) {
+ btree_node_free(new_nodes[i]);
+ rw_unlock(true, new_nodes[i]);
+ }
+@@ -1669,7 +1669,7 @@ static int bch_btree_gc_root(struct btre
+ if (should_rewrite) {
+ n = btree_node_alloc_replacement(b, NULL);
+
+- if (!IS_ERR_OR_NULL(n)) {
++ if (!IS_ERR(n)) {
+ bch_btree_node_write_sync(n);
+
+ bch_btree_set_root(n);
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1724,7 +1724,7 @@ static void cache_set_flush(struct closu
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+- if (!IS_ERR_OR_NULL(c->root))
++ if (!IS_ERR(c->root))
+ list_add(&c->root->list, &c->btree_cache);
+
+ /*
+@@ -2088,7 +2088,7 @@ static int run_cache_set(struct cache_se
+
+ err = "cannot allocate new btree root";
+ c->root = __bch_btree_node_alloc(c, NULL, 0, true, NULL);
+- if (IS_ERR_OR_NULL(c->root))
++ if (IS_ERR(c->root))
+ goto err;
+
+ mutex_lock(&c->root->write_lock);
--- /dev/null
+From 3658840cd363f2be094f5dfd2f0b174a9055dd0f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 1 Jun 2023 12:58:21 +0200
+Subject: ext4: Remove ext4 locking of moved directory
+
+From: Jan Kara <jack@suse.cz>
+
+commit 3658840cd363f2be094f5dfd2f0b174a9055dd0f upstream.
+
+Remove locking of moved directory in ext4_rename2(). We will take care
+of it in VFS instead. This effectively reverts commit 0813299c586b
+("ext4: Fix possible corruption when moving a directory") and followup
+fixes.
+
+CC: Ted Tso <tytso@mit.edu>
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20230601105830.13168-1-jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/namei.c | 17 ++---------------
+ 1 file changed, 2 insertions(+), 15 deletions(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -3834,19 +3834,10 @@ static int ext4_rename(struct user_names
+ return retval;
+ }
+
+- /*
+- * We need to protect against old.inode directory getting converted
+- * from inline directory format into a normal one.
+- */
+- if (S_ISDIR(old.inode->i_mode))
+- inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
+-
+ old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de,
+ &old.inlined);
+- if (IS_ERR(old.bh)) {
+- retval = PTR_ERR(old.bh);
+- goto unlock_moved_dir;
+- }
++ if (IS_ERR(old.bh))
++ return PTR_ERR(old.bh);
+
+ /*
+ * Check for inode number is _not_ due to possible IO errors.
+@@ -4043,10 +4034,6 @@ release_bh:
+ brelse(old.bh);
+ brelse(new.bh);
+
+-unlock_moved_dir:
+- if (S_ISDIR(old.inode->i_mode))
+- inode_unlock(old.inode);
+-
+ return retval;
+ }
+
--- /dev/null
+From 62176420274db5b5127cd7a0083a9aeb461756ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
+Date: Wed, 7 Jun 2023 19:28:48 +0200
+Subject: fs: avoid empty option when generating legacy mount string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+commit 62176420274db5b5127cd7a0083a9aeb461756ee upstream.
+
+As each option string fragment is always prepended with a comma it would
+happen that the whole string always starts with a comma. This could be
+interpreted by filesystem drivers as an empty option and may produce
+errors.
+
+For example the NTFS driver from ntfs.ko behaves like this and fails
+when mounted via the new API.
+
+Link: https://github.com/util-linux/util-linux/issues/2298
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Fixes: 3e1aeb00e6d1 ("vfs: Implement a filesystem superblock creation/configuration context")
+Cc: stable@vger.kernel.org
+Message-Id: <20230607-fs-empty-option-v1-1-20c8dbf4671b@weissschuh.net>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fs_context.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fs_context.c
++++ b/fs/fs_context.c
+@@ -561,7 +561,8 @@ static int legacy_parse_param(struct fs_
+ return -ENOMEM;
+ }
+
+- ctx->legacy_data[size++] = ',';
++ if (size)
++ ctx->legacy_data[size++] = ',';
+ len = strlen(param->key);
+ memcpy(ctx->legacy_data + size, param->key, len);
+ size += len;
--- /dev/null
+From f23ce757185319886ca80c4864ce5f81ac6cc9e9 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 1 Jun 2023 12:58:24 +0200
+Subject: fs: Establish locking order for unrelated directories
+
+From: Jan Kara <jack@suse.cz>
+
+commit f23ce757185319886ca80c4864ce5f81ac6cc9e9 upstream.
+
+Currently the locking order of inode locks for directories that are not
+in ancestor relationship is not defined because all operations that
+needed to lock two directories like this were serialized by
+sb->s_vfs_rename_mutex. However some filesystems need to lock two
+subdirectories for RENAME_EXCHANGE operations and for this we need the
+locking order established even for two tree-unrelated directories.
+Provide a helper function lock_two_inodes() that establishes lock
+ordering for any two inodes and use it in lock_two_directories().
+
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20230601105830.13168-4-jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/inode.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ fs/internal.h | 2 ++
+ fs/namei.c | 4 ++--
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1104,6 +1104,48 @@ void discard_new_inode(struct inode *ino
+ EXPORT_SYMBOL(discard_new_inode);
+
+ /**
++ * lock_two_inodes - lock two inodes (may be regular files but also dirs)
++ *
++ * Lock any non-NULL argument. The caller must make sure that if he is passing
++ * in two directories, one is not ancestor of the other. Zero, one or two
++ * objects may be locked by this function.
++ *
++ * @inode1: first inode to lock
++ * @inode2: second inode to lock
++ * @subclass1: inode lock subclass for the first lock obtained
++ * @subclass2: inode lock subclass for the second lock obtained
++ */
++void lock_two_inodes(struct inode *inode1, struct inode *inode2,
++ unsigned subclass1, unsigned subclass2)
++{
++ if (!inode1 || !inode2) {
++ /*
++ * Make sure @subclass1 will be used for the acquired lock.
++ * This is not strictly necessary (no current caller cares) but
++ * let's keep things consistent.
++ */
++ if (!inode1)
++ swap(inode1, inode2);
++ goto lock;
++ }
++
++ /*
++ * If one object is directory and the other is not, we must make sure
++ * to lock directory first as the other object may be its child.
++ */
++ if (S_ISDIR(inode2->i_mode) == S_ISDIR(inode1->i_mode)) {
++ if (inode1 > inode2)
++ swap(inode1, inode2);
++ } else if (!S_ISDIR(inode1->i_mode))
++ swap(inode1, inode2);
++lock:
++ if (inode1)
++ inode_lock_nested(inode1, subclass1);
++ if (inode2 && inode2 != inode1)
++ inode_lock_nested(inode2, subclass2);
++}
++
++/**
+ * lock_two_nondirectories - take two i_mutexes on non-directory objects
+ *
+ * Lock any non-NULL argument that is not a directory.
+--- a/fs/internal.h
++++ b/fs/internal.h
+@@ -153,6 +153,8 @@ extern long prune_icache_sb(struct super
+ int dentry_needs_remove_privs(struct user_namespace *, struct dentry *dentry);
+ bool in_group_or_capable(struct user_namespace *mnt_userns,
+ const struct inode *inode, vfsgid_t vfsgid);
++void lock_two_inodes(struct inode *inode1, struct inode *inode2,
++ unsigned subclass1, unsigned subclass2);
+
+ /*
+ * fs-writeback.c
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3007,8 +3007,8 @@ struct dentry *lock_rename(struct dentry
+ return p;
+ }
+
+- inode_lock_nested(p1->d_inode, I_MUTEX_PARENT);
+- inode_lock_nested(p2->d_inode, I_MUTEX_PARENT2);
++ lock_two_inodes(p1->d_inode, p2->d_inode,
++ I_MUTEX_PARENT, I_MUTEX_PARENT2);
+ return NULL;
+ }
+ EXPORT_SYMBOL(lock_rename);
--- /dev/null
+From 28eceeda130f5058074dd007d9c59d2e8bc5af2e Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 1 Jun 2023 12:58:25 +0200
+Subject: fs: Lock moved directories
+
+From: Jan Kara <jack@suse.cz>
+
+commit 28eceeda130f5058074dd007d9c59d2e8bc5af2e upstream.
+
+When a directory is moved to a different directory, some filesystems
+(udf, ext4, ocfs2, f2fs, and likely gfs2, reiserfs, and others) need to
+update their pointer to the parent and this must not race with other
+operations on the directory. Lock the directories when they are moved.
+Although not all filesystems need this locking, we perform it in
+vfs_rename() because getting the lock ordering right is really difficult
+and we don't want to expose these locking details to filesystems.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20230601105830.13168-5-jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/filesystems/directory-locking.rst | 26 ++++++++++++------------
+ fs/namei.c | 22 ++++++++++++--------
+ 2 files changed, 28 insertions(+), 20 deletions(-)
+
+--- a/Documentation/filesystems/directory-locking.rst
++++ b/Documentation/filesystems/directory-locking.rst
+@@ -22,12 +22,11 @@ exclusive.
+ 3) object removal. Locking rules: caller locks parent, finds victim,
+ locks victim and calls the method. Locks are exclusive.
+
+-4) rename() that is _not_ cross-directory. Locking rules: caller locks
+-the parent and finds source and target. In case of exchange (with
+-RENAME_EXCHANGE in flags argument) lock both. In any case,
+-if the target already exists, lock it. If the source is a non-directory,
+-lock it. If we need to lock both, lock them in inode pointer order.
+-Then call the method. All locks are exclusive.
++4) rename() that is _not_ cross-directory. Locking rules: caller locks the
++parent and finds source and target. We lock both (provided they exist). If we
++need to lock two inodes of different type (dir vs non-dir), we lock directory
++first. If we need to lock two inodes of the same type, lock them in inode
++pointer order. Then call the method. All locks are exclusive.
+ NB: we might get away with locking the source (and target in exchange
+ case) shared.
+
+@@ -44,15 +43,17 @@ All locks are exclusive.
+ rules:
+
+ * lock the filesystem
+- * lock parents in "ancestors first" order.
++ * lock parents in "ancestors first" order. If one is not ancestor of
++ the other, lock them in inode pointer order.
+ * find source and target.
+ * if old parent is equal to or is a descendent of target
+ fail with -ENOTEMPTY
+ * if new parent is equal to or is a descendent of source
+ fail with -ELOOP
+- * If it's an exchange, lock both the source and the target.
+- * If the target exists, lock it. If the source is a non-directory,
+- lock it. If we need to lock both, do so in inode pointer order.
++ * Lock both the source and the target provided they exist. If we
++ need to lock two inodes of different type (dir vs non-dir), we lock
++ the directory first. If we need to lock two inodes of the same type,
++ lock them in inode pointer order.
+ * call the method.
+
+ All ->i_rwsem are taken exclusive. Again, we might get away with locking
+@@ -66,8 +67,9 @@ If no directory is its own ancestor, the
+
+ Proof:
+
+- First of all, at any moment we have a partial ordering of the
+- objects - A < B iff A is an ancestor of B.
++ First of all, at any moment we have a linear ordering of the
++ objects - A < B iff (A is an ancestor of B) or (B is not an ancestor
++ of A and ptr(A) < ptr(B)).
+
+ That ordering can change. However, the following is true:
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -4661,7 +4661,7 @@ SYSCALL_DEFINE2(link, const char __user
+ * sb->s_vfs_rename_mutex. We might be more accurate, but that's another
+ * story.
+ * c) we have to lock _four_ objects - parents and victim (if it exists),
+- * and source (if it is not a directory).
++ * and source.
+ * And that - after we got ->i_mutex on parents (until then we don't know
+ * whether the target exists). Solution: try to be smart with locking
+ * order for inodes. We rely on the fact that tree topology may change
+@@ -4745,10 +4745,16 @@ int vfs_rename(struct renamedata *rd)
+
+ take_dentry_name_snapshot(&old_name, old_dentry);
+ dget(new_dentry);
+- if (!is_dir || (flags & RENAME_EXCHANGE))
+- lock_two_nondirectories(source, target);
+- else if (target)
+- inode_lock(target);
++ /*
++ * Lock all moved children. Moved directories may need to change parent
++ * pointer so they need the lock to prevent against concurrent
++ * directory changes moving parent pointer. For regular files we've
++ * historically always done this. The lockdep locking subclasses are
++ * somewhat arbitrary but RENAME_EXCHANGE in particular can swap
++ * regular files and directories so it's difficult to tell which
++ * subclasses to use.
++ */
++ lock_two_inodes(source, target, I_MUTEX_NORMAL, I_MUTEX_NONDIR2);
+
+ error = -EPERM;
+ if (IS_SWAPFILE(source) || (target && IS_SWAPFILE(target)))
+@@ -4796,9 +4802,9 @@ int vfs_rename(struct renamedata *rd)
+ d_exchange(old_dentry, new_dentry);
+ }
+ out:
+- if (!is_dir || (flags & RENAME_EXCHANGE))
+- unlock_two_nondirectories(source, target);
+- else if (target)
++ if (source)
++ inode_unlock(source);
++ if (target)
+ inode_unlock(target);
+ dput(new_dentry);
+ if (!error) {
--- /dev/null
+From f510b0a3565b9231e828e23a7e0f9790b97edf96 Mon Sep 17 00:00:00 2001
+From: Wayne Chang <waynec@nvidia.com>
+Date: Tue, 31 Jan 2023 17:57:44 +0000
+Subject: i2c: nvidia-gpu: Add ACPI property to align with device-tree
+
+From: Wayne Chang <waynec@nvidia.com>
+
+commit f510b0a3565b9231e828e23a7e0f9790b97edf96 upstream.
+
+Device-tree uses the 'firmware-name' string property to pass a name of
+the firmware build to the Cypress CCGx driver. Add a new ACPI string
+property to the NVIDIA GPU I2C driver to align with device-tree so that
+we can migrate to using a common property name for both ACPI and
+device-tree.
+
+Signed-off-by: Wayne Chang <waynec@nvidia.com>
+Co-developed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Acked-by: Ajay Gupta <ajayg@nvidia.com>
+Acked-by: Wolfram Sang <wsa@kernel.org>
+Link: https://lore.kernel.org/r/20230131175748.256423-3-jonathanh@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-nvidia-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/busses/i2c-nvidia-gpu.c
++++ b/drivers/i2c/busses/i2c-nvidia-gpu.c
+@@ -261,6 +261,7 @@ MODULE_DEVICE_TABLE(pci, gpu_i2c_ids);
+ static const struct property_entry ccgx_props[] = {
+ /* Use FW built for NVIDIA (nv) only */
+ PROPERTY_ENTRY_U16("ccgx,firmware-build", ('n' << 8) | 'v'),
++ PROPERTY_ENTRY_STRING("firmware-name", "nvidia,gpu"),
+ { }
+ };
+
--- /dev/null
+From 430b38764fbb931c6dbd1af13c8b2e4508994662 Mon Sep 17 00:00:00 2001
+From: Wayne Chang <waynec@nvidia.com>
+Date: Tue, 31 Jan 2023 17:57:46 +0000
+Subject: i2c: nvidia-gpu: Remove ccgx,firmware-build property
+
+From: Wayne Chang <waynec@nvidia.com>
+
+commit 430b38764fbb931c6dbd1af13c8b2e4508994662 upstream.
+
+Now the Cypress CCG driver has been updated to support the
+'firmware-name' property to align with device-tree, remove the
+'ccgx,firmware-build' property as this is no longer needed.
+
+Signed-off-by: Wayne Chang <waynec@nvidia.com>
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Ajay Gupta <ajayg@nvidia.com>
+Acked-by: Wolfram Sang <wsa@kernel.org>
+Link: https://lore.kernel.org/r/20230131175748.256423-5-jonathanh@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-nvidia-gpu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-nvidia-gpu.c
++++ b/drivers/i2c/busses/i2c-nvidia-gpu.c
+@@ -259,8 +259,7 @@ static const struct pci_device_id gpu_i2
+ MODULE_DEVICE_TABLE(pci, gpu_i2c_ids);
+
+ static const struct property_entry ccgx_props[] = {
+- /* Use FW built for NVIDIA (nv) only */
+- PROPERTY_ENTRY_U16("ccgx,firmware-build", ('n' << 8) | 'v'),
++ /* Use FW built for NVIDIA GPU only */
+ PROPERTY_ENTRY_STRING("firmware-name", "nvidia,gpu"),
+ { }
+ };
--- /dev/null
+From 9df6a4870dc371136e90330cfbbc51464ee66993 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Thu, 1 Jun 2023 14:42:44 +0800
+Subject: integrity: Fix possible multiple allocation in integrity_inode_get()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream.
+
+When integrity_inode_get() is querying and inserting the cache, there
+is a conditional race in the concurrent environment.
+
+The race condition is the result of not properly implementing
+"double-checked locking". In this case, it first checks to see if the
+iint cache record exists before taking the lock, but doesn't check
+again after taking the integrity_iint_lock.
+
+Fixes: bf2276d10ce5 ("ima: allocating iint improvements")
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
+Cc: <stable@vger.kernel.org> # v3.10+
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/iint.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/security/integrity/iint.c
++++ b/security/integrity/iint.c
+@@ -43,12 +43,10 @@ static struct integrity_iint_cache *__in
+ else if (inode > iint->inode)
+ n = n->rb_right;
+ else
+- break;
++ return iint;
+ }
+- if (!n)
+- return NULL;
+
+- return iint;
++ return NULL;
+ }
+
+ /*
+@@ -121,10 +119,15 @@ struct integrity_iint_cache *integrity_i
+ parent = *p;
+ test_iint = rb_entry(parent, struct integrity_iint_cache,
+ rb_node);
+- if (inode < test_iint->inode)
++ if (inode < test_iint->inode) {
+ p = &(*p)->rb_left;
+- else
++ } else if (inode > test_iint->inode) {
+ p = &(*p)->rb_right;
++ } else {
++ write_unlock(&integrity_iint_lock);
++ kmem_cache_free(iint_cache, iint);
++ return test_iint;
++ }
+ }
+
+ iint->inode = inode;
--- /dev/null
+From 4826c59453b3b4677d6bf72814e7ababdea86949 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Sun, 11 Jun 2023 21:14:09 -0600
+Subject: io_uring: wait interruptibly for request completions on exit
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 4826c59453b3b4677d6bf72814e7ababdea86949 upstream.
+
+WHen the ring exits, cleanup is done and the final cancelation and
+waiting on completions is done by io_ring_exit_work. That function is
+invoked by kworker, which doesn't take any signals. Because of that, it
+doesn't really matter if we wait for completions in TASK_INTERRUPTIBLE
+or TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task
+detection checker!
+
+Normally we expect cancelations and completions to happen rather
+quickly. Some test cases, however, will exit the ring and park the
+owning task stopped (eg via SIGSTOP). If the owning task needs to run
+task_work to complete requests, then io_ring_exit_work won't make any
+progress until the task is runnable again. Hence io_ring_exit_work can
+trigger the hung task detection, which is particularly problematic if
+panic-on-hung-task is enabled.
+
+As the ring exit doesn't take signals to begin with, have it wait
+interruptibly rather than uninterruptibly. io_uring has a separate
+stuck-exit warning that triggers independently anyway, so we're not
+really missing anything by making this switch.
+
+Cc: stable@vger.kernel.org # 5.10+
+Link: https://lore.kernel.org/r/b0e4aaef-7088-56ce-244c-976edeac0e66@kernel.dk
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2748,7 +2748,18 @@ static __cold void io_ring_exit_work(str
+ /* there is little hope left, don't run it too often */
+ interval = HZ * 60;
+ }
+- } while (!wait_for_completion_timeout(&ctx->ref_comp, interval));
++ /*
++ * This is really an uninterruptible wait, as it has to be
++ * complete. But it's also run from a kworker, which doesn't
++ * take signals, so it's fine to make it interruptible. This
++ * avoids scenarios where we knowingly can wait much longer
++ * on completions, for example if someone does a SIGSTOP on
++ * a task that needs to finish task_work to make this loop
++ * complete. That's a synthetic situation that should not
++ * cause a stuck task backtrace, and hence a potential panic
++ * on stuck tasks if that is enabled.
++ */
++ } while (!wait_for_completion_interruptible_timeout(&ctx->ref_comp, interval));
+
+ init_completion(&exit.completion);
+ init_task_work(&exit.task_work, io_tctx_exit_cb);
+@@ -2772,7 +2783,12 @@ static __cold void io_ring_exit_work(str
+ continue;
+
+ mutex_unlock(&ctx->uring_lock);
+- wait_for_completion(&exit.completion);
++ /*
++ * See comment above for
++ * wait_for_completion_interruptible_timeout() on why this
++ * wait is marked as interruptible.
++ */
++ wait_for_completion_interruptible(&exit.completion);
+ mutex_lock(&ctx->uring_lock);
+ }
+ mutex_unlock(&ctx->uring_lock);
--- /dev/null
+From f679616565f1cf1a4acb245dbc0032dafcd40637 Mon Sep 17 00:00:00 2001
+From: Jianmin Lv <lvjianmin@loongson.cn>
+Date: Wed, 14 Jun 2023 19:59:32 +0800
+Subject: irqchip/loongson-pch-pic: Fix initialization of HT vector register
+
+From: Jianmin Lv <lvjianmin@loongson.cn>
+
+commit f679616565f1cf1a4acb245dbc0032dafcd40637 upstream.
+
+In an ACPI-based dual-bridge system, IRQ of each bridge's
+PCH PIC sent to CPU is always a zero-based number, which
+means that the IRQ on PCH PIC of each bridge is mapped into
+vector range from 0 to 63 of upstream irqchip(e.g. EIOINTC).
+
+ EIOINTC N: [0 ... 63 | 64 ... 255]
+ -------- ----------
+ ^ ^
+ | |
+ PCH PIC N |
+ PCH MSI N
+
+For example, the IRQ vector number of sata controller on
+PCH PIC of each bridge is 16, which is sent to upstream
+irqchip of EIOINTC when an interrupt occurs, which will set
+bit 16 of EIOINTC. Since hwirq of 16 on EIOINTC has been
+mapped to a irq_desc for sata controller during hierarchy
+irq allocation, the related mapped IRQ will be found through
+irq_resolve_mapping() in the IRQ domain of EIOINTC.
+
+So, the IRQ number set in HT vector register should be fixed
+to be a zero-based number.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
+Co-developed-by: liuyun <liuyun@loongson.cn>
+Signed-off-by: liuyun <liuyun@loongson.cn>
+Signed-off-by: Jianmin Lv <lvjianmin@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230614115936.5950-2-lvjianmin@loongson.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-loongson-pch-pic.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-loongson-pch-pic.c
++++ b/drivers/irqchip/irq-loongson-pch-pic.c
+@@ -350,14 +350,12 @@ static int __init acpi_cascade_irqdomain
+ int __init pch_pic_acpi_init(struct irq_domain *parent,
+ struct acpi_madt_bio_pic *acpi_pchpic)
+ {
+- int ret, vec_base;
++ int ret;
+ struct fwnode_handle *domain_handle;
+
+ if (find_pch_pic(acpi_pchpic->gsi_base) >= 0)
+ return 0;
+
+- vec_base = acpi_pchpic->gsi_base - GSI_MIN_PCH_IRQ;
+-
+ domain_handle = irq_domain_alloc_fwnode(&acpi_pchpic->address);
+ if (!domain_handle) {
+ pr_err("Unable to allocate domain handle\n");
+@@ -365,7 +363,7 @@ int __init pch_pic_acpi_init(struct irq_
+ }
+
+ ret = pch_pic_init(acpi_pchpic->address, acpi_pchpic->size,
+- vec_base, parent, domain_handle, acpi_pchpic->gsi_base);
++ 0, parent, domain_handle, acpi_pchpic->gsi_base);
+
+ if (ret < 0) {
+ irq_domain_free_fwnode(domain_handle);
--- /dev/null
+From 783422e704ca0fa41cb2fe9ed79e46b6fe7eae29 Mon Sep 17 00:00:00 2001
+From: Liu Peibao <liupeibao@loongson.cn>
+Date: Wed, 14 Jun 2023 19:59:33 +0800
+Subject: irqchip/loongson-pch-pic: Fix potential incorrect hwirq assignment
+
+From: Liu Peibao <liupeibao@loongson.cn>
+
+commit 783422e704ca0fa41cb2fe9ed79e46b6fe7eae29 upstream.
+
+In DeviceTree path, when ht_vec_base is not zero, the hwirq of PCH PIC
+will be assigned incorrectly. Because when pch_pic_domain_translate()
+adds the ht_vec_base to hwirq, the hwirq does not have the ht_vec_base
+subtracted when calling irq_domain_set_info().
+
+The ht_vec_base is designed for the parent irq chip/domain of the PCH PIC.
+It seems not proper to deal this in callbacks of the PCH PIC domain and
+let's put this back like the initial commit ef8c01eb64ca ("irqchip: Add
+Loongson PCH PIC controller").
+
+Fixes: bcdd75c596c8 ("irqchip/loongson-pch-pic: Add ACPI init support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Liu Peibao <liupeibao@loongson.cn>
+Signed-off-by: Jianmin Lv <lvjianmin@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230614115936.5950-3-lvjianmin@loongson.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-loongson-pch-pic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/irqchip/irq-loongson-pch-pic.c
++++ b/drivers/irqchip/irq-loongson-pch-pic.c
+@@ -162,7 +162,7 @@ static int pch_pic_domain_translate(stru
+ if (fwspec->param_count < 2)
+ return -EINVAL;
+
+- *hwirq = fwspec->param[0] + priv->ht_vec_base;
++ *hwirq = fwspec->param[0];
+ *type = fwspec->param[1] & IRQ_TYPE_SENSE_MASK;
+ } else {
+ *hwirq = fwspec->param[0] - priv->gsi_base;
+@@ -188,7 +188,7 @@ static int pch_pic_alloc(struct irq_doma
+
+ parent_fwspec.fwnode = domain->parent->fwnode;
+ parent_fwspec.param_count = 1;
+- parent_fwspec.param[0] = hwirq;
++ parent_fwspec.param[0] = hwirq + priv->ht_vec_base;
+
+ err = irq_domain_alloc_irqs_parent(domain, virq, 1, &parent_fwspec);
+ if (err)
--- /dev/null
+From 1168f095417643f663caa341211e117db552989f Mon Sep 17 00:00:00 2001
+From: Fabian Frederick <fabf@skynet.be>
+Date: Sat, 6 May 2023 06:56:12 +0200
+Subject: jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
+
+From: Fabian Frederick <fabf@skynet.be>
+
+commit 1168f095417643f663caa341211e117db552989f upstream.
+
+Use kcalloc() for allocation/flush of 128 pointers table to
+reduce stack usage.
+
+Function now returns -ENOMEM or 0 on success.
+
+stackusage
+Before:
+./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 1208
+dynamic,bounded
+
+After:
+./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 192
+dynamic,bounded
+
+Also update definition when CONFIG_JFFS2_FS_XATTR is not enabled
+
+Tested with an MTD mount point and some user set/getfattr.
+
+Many current target on OpenWRT also suffer from a compilation warning
+(that become an error with CONFIG_WERROR) with the following output:
+
+fs/jffs2/xattr.c: In function 'jffs2_build_xattr_subsystem':
+fs/jffs2/xattr.c:887:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+ 887 | }
+ | ^
+
+Using dynamic allocation fix this compilation warning.
+
+Fixes: c9f700f840bd ("[JFFS2][XATTR] using 'delete marker' for xdatum/xref deletion")
+Reported-by: Tim Gardner <tim.gardner@canonical.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Ron Economos <re@w6rz.net>
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Fabian Frederick <fabf@skynet.be>
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Cc: stable@vger.kernel.org
+Message-Id: <20230506045612.16616-1-ansuelsmth@gmail.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jffs2/build.c | 5 ++++-
+ fs/jffs2/xattr.c | 13 +++++++++----
+ fs/jffs2/xattr.h | 4 ++--
+ 3 files changed, 15 insertions(+), 7 deletions(-)
+
+--- a/fs/jffs2/build.c
++++ b/fs/jffs2/build.c
+@@ -211,7 +211,10 @@ static int jffs2_build_filesystem(struct
+ ic->scan_dents = NULL;
+ cond_resched();
+ }
+- jffs2_build_xattr_subsystem(c);
++ ret = jffs2_build_xattr_subsystem(c);
++ if (ret)
++ goto exit;
++
+ c->flags &= ~JFFS2_SB_FLAG_BUILDING;
+
+ dbg_fsbuild("FS build complete\n");
+--- a/fs/jffs2/xattr.c
++++ b/fs/jffs2/xattr.c
+@@ -772,10 +772,10 @@ void jffs2_clear_xattr_subsystem(struct
+ }
+
+ #define XREF_TMPHASH_SIZE (128)
+-void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c)
++int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c)
+ {
+ struct jffs2_xattr_ref *ref, *_ref;
+- struct jffs2_xattr_ref *xref_tmphash[XREF_TMPHASH_SIZE];
++ struct jffs2_xattr_ref **xref_tmphash;
+ struct jffs2_xattr_datum *xd, *_xd;
+ struct jffs2_inode_cache *ic;
+ struct jffs2_raw_node_ref *raw;
+@@ -784,9 +784,12 @@ void jffs2_build_xattr_subsystem(struct
+
+ BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
+
++ xref_tmphash = kcalloc(XREF_TMPHASH_SIZE,
++ sizeof(struct jffs2_xattr_ref *), GFP_KERNEL);
++ if (!xref_tmphash)
++ return -ENOMEM;
++
+ /* Phase.1 : Merge same xref */
+- for (i=0; i < XREF_TMPHASH_SIZE; i++)
+- xref_tmphash[i] = NULL;
+ for (ref=c->xref_temp; ref; ref=_ref) {
+ struct jffs2_xattr_ref *tmp;
+
+@@ -884,6 +887,8 @@ void jffs2_build_xattr_subsystem(struct
+ "%u of xref (%u dead, %u orphan) found.\n",
+ xdatum_count, xdatum_unchecked_count, xdatum_orphan_count,
+ xref_count, xref_dead_count, xref_orphan_count);
++ kfree(xref_tmphash);
++ return 0;
+ }
+
+ struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c,
+--- a/fs/jffs2/xattr.h
++++ b/fs/jffs2/xattr.h
+@@ -71,7 +71,7 @@ static inline int is_xattr_ref_dead(stru
+ #ifdef CONFIG_JFFS2_FS_XATTR
+
+ extern void jffs2_init_xattr_subsystem(struct jffs2_sb_info *c);
+-extern void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c);
++extern int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c);
+ extern void jffs2_clear_xattr_subsystem(struct jffs2_sb_info *c);
+
+ extern struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c,
+@@ -103,7 +103,7 @@ extern ssize_t jffs2_listxattr(struct de
+ #else
+
+ #define jffs2_init_xattr_subsystem(c)
+-#define jffs2_build_xattr_subsystem(c)
++#define jffs2_build_xattr_subsystem(c) (0)
+ #define jffs2_clear_xattr_subsystem(c)
+
+ #define jffs2_xattr_do_crccheck_inode(c, ic)
--- /dev/null
+From c11d34fa139e4b0fb4249a30f37b178353533fa1 Mon Sep 17 00:00:00 2001
+From: Ryan Roberts <ryan.roberts@arm.com>
+Date: Fri, 2 Jun 2023 10:29:47 +0100
+Subject: mm/damon/ops-common: atomically test and clear young on ptes and pmds
+
+From: Ryan Roberts <ryan.roberts@arm.com>
+
+commit c11d34fa139e4b0fb4249a30f37b178353533fa1 upstream.
+
+It is racy to non-atomically read a pte, then clear the young bit, then
+write it back as this could discard dirty information. Further, it is bad
+practice to directly set a pte entry within a table. Instead clearing
+young must go through the arch-provided helper,
+ptep_test_and_clear_young() to ensure it is modified atomically and to
+give the arch code visibility and allow it to check (and potentially
+modify) the operation.
+
+Link: https://lkml.kernel.org/r/20230602092949.545577-3-ryan.roberts@arm.com
+Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces").
+Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
+Reviewed-by: Zi Yan <ziy@nvidia.com>
+Reviewed-by: SeongJae Park <sj@kernel.org>
+Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/ops-common.c | 16 ++++++----------
+ mm/damon/ops-common.h | 4 ++--
+ mm/damon/paddr.c | 4 ++--
+ mm/damon/vaddr.c | 4 ++--
+ 4 files changed, 12 insertions(+), 16 deletions(-)
+
+--- a/mm/damon/ops-common.c
++++ b/mm/damon/ops-common.c
+@@ -33,7 +33,7 @@ struct page *damon_get_page(unsigned lon
+ return page;
+ }
+
+-void damon_ptep_mkold(pte_t *pte, struct mm_struct *mm, unsigned long addr)
++void damon_ptep_mkold(pte_t *pte, struct vm_area_struct *vma, unsigned long addr)
+ {
+ bool referenced = false;
+ struct page *page = damon_get_page(pte_pfn(*pte));
+@@ -41,13 +41,11 @@ void damon_ptep_mkold(pte_t *pte, struct
+ if (!page)
+ return;
+
+- if (pte_young(*pte)) {
++ if (ptep_test_and_clear_young(vma, addr, pte))
+ referenced = true;
+- *pte = pte_mkold(*pte);
+- }
+
+ #ifdef CONFIG_MMU_NOTIFIER
+- if (mmu_notifier_clear_young(mm, addr, addr + PAGE_SIZE))
++ if (mmu_notifier_clear_young(vma->vm_mm, addr, addr + PAGE_SIZE))
+ referenced = true;
+ #endif /* CONFIG_MMU_NOTIFIER */
+
+@@ -58,7 +56,7 @@ void damon_ptep_mkold(pte_t *pte, struct
+ put_page(page);
+ }
+
+-void damon_pmdp_mkold(pmd_t *pmd, struct mm_struct *mm, unsigned long addr)
++void damon_pmdp_mkold(pmd_t *pmd, struct vm_area_struct *vma, unsigned long addr)
+ {
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ bool referenced = false;
+@@ -67,13 +65,11 @@ void damon_pmdp_mkold(pmd_t *pmd, struct
+ if (!page)
+ return;
+
+- if (pmd_young(*pmd)) {
++ if (pmdp_test_and_clear_young(vma, addr, pmd))
+ referenced = true;
+- *pmd = pmd_mkold(*pmd);
+- }
+
+ #ifdef CONFIG_MMU_NOTIFIER
+- if (mmu_notifier_clear_young(mm, addr, addr + HPAGE_PMD_SIZE))
++ if (mmu_notifier_clear_young(vma->vm_mm, addr, addr + HPAGE_PMD_SIZE))
+ referenced = true;
+ #endif /* CONFIG_MMU_NOTIFIER */
+
+--- a/mm/damon/ops-common.h
++++ b/mm/damon/ops-common.h
+@@ -9,8 +9,8 @@
+
+ struct page *damon_get_page(unsigned long pfn);
+
+-void damon_ptep_mkold(pte_t *pte, struct mm_struct *mm, unsigned long addr);
+-void damon_pmdp_mkold(pmd_t *pmd, struct mm_struct *mm, unsigned long addr);
++void damon_ptep_mkold(pte_t *pte, struct vm_area_struct *vma, unsigned long addr);
++void damon_pmdp_mkold(pmd_t *pmd, struct vm_area_struct *vma, unsigned long addr);
+
+ int damon_cold_score(struct damon_ctx *c, struct damon_region *r,
+ struct damos *s);
+--- a/mm/damon/paddr.c
++++ b/mm/damon/paddr.c
+@@ -24,9 +24,9 @@ static bool __damon_pa_mkold(struct foli
+ while (page_vma_mapped_walk(&pvmw)) {
+ addr = pvmw.address;
+ if (pvmw.pte)
+- damon_ptep_mkold(pvmw.pte, vma->vm_mm, addr);
++ damon_ptep_mkold(pvmw.pte, vma, addr);
+ else
+- damon_pmdp_mkold(pvmw.pmd, vma->vm_mm, addr);
++ damon_pmdp_mkold(pvmw.pmd, vma, addr);
+ }
+ return true;
+ }
+--- a/mm/damon/vaddr.c
++++ b/mm/damon/vaddr.c
+@@ -311,7 +311,7 @@ static int damon_mkold_pmd_entry(pmd_t *
+ }
+
+ if (pmd_trans_huge(*pmd)) {
+- damon_pmdp_mkold(pmd, walk->mm, addr);
++ damon_pmdp_mkold(pmd, walk->vma, addr);
+ spin_unlock(ptl);
+ return 0;
+ }
+@@ -323,7 +323,7 @@ static int damon_mkold_pmd_entry(pmd_t *
+ pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
+ if (!pte_present(*pte))
+ goto out;
+- damon_ptep_mkold(pte, walk->mm, addr);
++ damon_ptep_mkold(pte, walk->vma, addr);
+ out:
+ pte_unmap_unlock(pte, ptl);
+ return 0;
--- /dev/null
+From f1738a1f816233e6dfc2407f24a31d596643fd90 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Mon, 19 Jun 2023 21:35:58 +0200
+Subject: mmc: core: disable TRIM on Kingston EMMC04G-M627
+
+From: Robert Marko <robimarko@gmail.com>
+
+commit f1738a1f816233e6dfc2407f24a31d596643fd90 upstream.
+
+It seems that Kingston EMMC04G-M627 despite advertising TRIM support does
+not work when the core is trying to use REQ_OP_WRITE_ZEROES.
+
+We are seeing I/O errors in OpenWrt under 6.1 on Zyxel NBG7815 that we did
+not previously have and tracked it down to REQ_OP_WRITE_ZEROES.
+
+Trying to use fstrim seems to also throw errors like:
+[93010.835112] I/O error, dev loop0, sector 16902 op 0x3:(DISCARD) flags 0x800 phys_seg 1 prio class 2
+
+Disabling TRIM makes the error go away, so lets add a quirk for this eMMC
+to disable TRIM.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230619193621.437358-1-robimarko@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/quirks.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -110,6 +110,13 @@ static const struct mmc_fixup __maybe_un
+ MMC_QUIRK_TRIM_BROKEN),
+
+ /*
++ * Kingston EMMC04G-M627 advertises TRIM but it does not seems to
++ * support being used to offload WRITE_ZEROES.
++ */
++ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
++ MMC_QUIRK_TRIM_BROKEN),
++
++ /*
+ * Some SD cards reports discard support while they don't
+ */
+ MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
--- /dev/null
+From dbfbddcddcebc9ce8a08757708d4e4a99d238e44 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Tue, 30 May 2023 23:32:59 +0200
+Subject: mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
+
+From: Robert Marko <robimarko@gmail.com>
+
+commit dbfbddcddcebc9ce8a08757708d4e4a99d238e44 upstream.
+
+It seems that Micron MTFC4GACAJCN-1M despite advertising TRIM support does
+not work when the core is trying to use REQ_OP_WRITE_ZEROES.
+
+We are seeing the following errors in OpenWrt under 6.1 on Qnap Qhora 301W
+that we did not previously have and tracked it down to REQ_OP_WRITE_ZEROES:
+[ 18.085950] I/O error, dev loop0, sector 596 op 0x9:(WRITE_ZEROES) flags 0x800 phys_seg 0 prio class 2
+
+Disabling TRIM makes the error go away, so lets add a quirk for this eMMC
+to disable TRIM.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230530213259.1776512-1-robimarko@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/quirks.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -117,6 +117,13 @@ static const struct mmc_fixup __maybe_un
+ MMC_QUIRK_TRIM_BROKEN),
+
+ /*
++ * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to
++ * support being used to offload WRITE_ZEROES.
++ */
++ MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc,
++ MMC_QUIRK_TRIM_BROKEN),
++
++ /*
+ * Some SD cards reports discard support while they don't
+ */
+ MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
--- /dev/null
+From 3108eb2e8aa7e955a9dd3a4c1bf19a7898961822 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Mon, 12 Jun 2023 16:37:30 +0200
+Subject: mmc: mmci: Set PROBE_PREFER_ASYNCHRONOUS
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 3108eb2e8aa7e955a9dd3a4c1bf19a7898961822 upstream.
+
+All mmc host drivers should have the asynchronous probe option enabled, but
+it seems like we failed to set it for mmci, so let's do that now.
+
+Fixes: 21b2cec61c04 ("mmc: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in v4.4")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Linus Walleij <linus.walleij@linaro.org>
+Tested-by: Yann Gautier <yann.gautier@foss.st.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230612143730.210390-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mmci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mmci.c
++++ b/drivers/mmc/host/mmci.c
+@@ -2456,6 +2456,7 @@ static struct amba_driver mmci_driver =
+ .drv = {
+ .name = DRIVER_NAME,
+ .pm = &mmci_dev_pm_ops,
++ .probe_type = PROBE_PREFER_ASYNCHRONOUS,
+ },
+ .probe = mmci_probe,
+ .remove = mmci_remove,
--- /dev/null
+From 20dbd07ef0a8bc29eb03d6a95258ac8934cbe52d Mon Sep 17 00:00:00 2001
+From: Chevron Li <chevron.li@bayhubtech.com>
+Date: Tue, 23 May 2023 19:11:14 +0800
+Subject: mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used.
+
+From: Chevron Li <chevron.li@bayhubtech.com>
+
+commit 20dbd07ef0a8bc29eb03d6a95258ac8934cbe52d upstream.
+
+Bayhub SD host has hardware limitation:
+1.The upper 32bit address is inhibited to be written at SD Host Register
+ [03E][13]=0 (32bits addressing) mode, is admitted to be written only at
+ SD Host Register [03E][13]=1 (64bits addressing) mode.
+2.Because of above item#1, need to configure SD Host Register [03E][13] to
+ 1(64bits addressing mode) before set 64bit ADMA system address's higher
+ 32bits SD Host Register [05F~05C] if 64 bits addressing mode is used.
+
+The hardware limitation is reasonable for below reasons:
+1.Normal flow should set DMA working mode first, then do
+ DMA-transfer-related configuration, such as system address.
+2.The hardware limitation may avoid the software to configure wrong higher
+ 32bit address at 32bits addressing mode although it is redundant.
+
+The change that set 32bits/64bits addressing mode before set ADMA address,
+ has no side-effect to other host IPs for below reason:
+The setting order is reasonable and standard: DMA Mode setting first and
+ then DMA address setting. It meets all DMA setting sequence.
+
+Signed-off-by: Chevron Li <chevron.li@bayhubtech.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230523111114.18124-1-chevron_li@126.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1181,6 +1181,8 @@ static void sdhci_prepare_data(struct sd
+ }
+ }
+
++ sdhci_config_dma(host);
++
+ if (host->flags & SDHCI_REQ_USE_DMA) {
+ int sg_cnt = sdhci_pre_dma_transfer(host, data, COOKIE_MAPPED);
+
+@@ -1200,8 +1202,6 @@ static void sdhci_prepare_data(struct sd
+ }
+ }
+
+- sdhci_config_dma(host);
+-
+ if (!(host->flags & SDHCI_REQ_USE_DMA)) {
+ int flags;
+
--- /dev/null
+From 58f5d894006d82ed7335e1c37182fbc5f08c2f51 Mon Sep 17 00:00:00 2001
+From: Dai Ngo <dai.ngo@oracle.com>
+Date: Tue, 6 Jun 2023 16:41:02 -0700
+Subject: NFSD: add encoding of op_recall flag for write delegation
+
+From: Dai Ngo <dai.ngo@oracle.com>
+
+commit 58f5d894006d82ed7335e1c37182fbc5f08c2f51 upstream.
+
+Modified nfsd4_encode_open to encode the op_recall flag properly
+for OPEN result with write delegation granted.
+
+Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3872,7 +3872,7 @@ nfsd4_encode_open(struct nfsd4_compoundr
+ p = xdr_reserve_space(xdr, 32);
+ if (!p)
+ return nfserr_resource;
+- *p++ = cpu_to_be32(0);
++ *p++ = cpu_to_be32(open->op_recall);
+
+ /*
+ * TODO: space_limit's in delegations
--- /dev/null
+From cde3c9d7e2a359e337216855dcb333a19daaa436 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 1 Jun 2023 12:58:23 +0200
+Subject: Revert "f2fs: fix potential corruption when moving a directory"
+
+From: Jan Kara <jack@suse.cz>
+
+commit cde3c9d7e2a359e337216855dcb333a19daaa436 upstream.
+
+This reverts commit d94772154e524b329a168678836745d2773a6e02. The
+locking is going to be provided by VFS.
+
+CC: Jaegeuk Kim <jaegeuk@kernel.org>
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20230601105830.13168-3-jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/namei.c | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -1002,20 +1002,12 @@ static int f2fs_rename(struct user_names
+ goto out;
+ }
+
+- /*
+- * Copied from ext4_rename: we need to protect against old.inode
+- * directory getting converted from inline directory format into
+- * a normal one.
+- */
+- if (S_ISDIR(old_inode->i_mode))
+- inode_lock_nested(old_inode, I_MUTEX_NONDIR2);
+-
+ err = -ENOENT;
+ old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page);
+ if (!old_entry) {
+ if (IS_ERR(old_page))
+ err = PTR_ERR(old_page);
+- goto out_unlock_old;
++ goto out;
+ }
+
+ if (S_ISDIR(old_inode->i_mode)) {
+@@ -1123,9 +1115,6 @@ static int f2fs_rename(struct user_names
+
+ f2fs_unlock_op(sbi);
+
+- if (S_ISDIR(old_inode->i_mode))
+- inode_unlock(old_inode);
+-
+ if (IS_DIRSYNC(old_dir) || IS_DIRSYNC(new_dir))
+ f2fs_sync_fs(sbi->sb, 1);
+
+@@ -1140,9 +1129,6 @@ out_dir:
+ f2fs_put_page(old_dir_page, 0);
+ out_old:
+ f2fs_put_page(old_page, 0);
+-out_unlock_old:
+- if (S_ISDIR(old_inode->i_mode))
+- inode_unlock(old_inode);
+ out:
+ iput(whiteout);
+ return err;
extcon-usbc-tusb320-unregister-typec-port-on-driver-.patch
btrfs-do-not-bug_on-on-tree-mod-log-failure-at-balan.patch
i2c-qup-add-missing-unwind-goto-in-qup_i2c_probe.patch
+irqchip-loongson-pch-pic-fix-potential-incorrect-hwirq-assignment.patch
+nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch
+irqchip-loongson-pch-pic-fix-initialization-of-ht-vector-register.patch
+io_uring-wait-interruptibly-for-request-completions-on-exit.patch
+mmc-core-disable-trim-on-kingston-emmc04g-m627.patch
+mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch
+mmc-mmci-set-probe_prefer_asynchronous.patch
+mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch
+wifi-cfg80211-fix-regulatory-disconnect-for-non-mlo.patch
+wifi-ath10k-serialize-wake_tx_queue-ops.patch
+wifi-mt76-mt7921e-fix-init-command-fail-with-enabled-device.patch
+bcache-fixup-btree_cache_wait-list-damage.patch
+bcache-remove-unnecessary-null-point-check-in-node-allocations.patch
+bcache-fix-__bch_btree_node_alloc-to-make-the-failure-behavior-consistent.patch
+watch_queue-prevent-dangling-pipe-pointer.patch
+um-use-host_dir-for-mrproper.patch
+integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
+autofs-use-flexible-array-in-ioctl-structure.patch
+mm-damon-ops-common-atomically-test-and-clear-young-on-ptes-and-pmds.patch
+shmem-use-ramfs_kill_sb-for-kill_sb-method-of-ramfs-based-tmpfs.patch
+jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch
+fs-avoid-empty-option-when-generating-legacy-mount-string.patch
+ext4-remove-ext4-locking-of-moved-directory.patch
+revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch
+fs-establish-locking-order-for-unrelated-directories.patch
+fs-lock-moved-directories.patch
+i2c-nvidia-gpu-add-acpi-property-to-align-with-device-tree.patch
+i2c-nvidia-gpu-remove-ccgx-firmware-build-property.patch
+usb-typec-ucsi-mark-dgpus-as-device-scope.patch
--- /dev/null
+From 36ce9d76b0a93bae799e27e4f5ac35478c676592 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Wed, 7 Jun 2023 18:15:23 +0200
+Subject: shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 36ce9d76b0a93bae799e27e4f5ac35478c676592 upstream.
+
+As the ramfs-based tmpfs uses ramfs_init_fs_context() for the
+init_fs_context method, which allocates fc->s_fs_info, use ramfs_kill_sb()
+to free it and avoid a memory leak.
+
+Link: https://lkml.kernel.org/r/20230607161523.2876433-1-roberto.sassu@huaweicloud.com
+Fixes: c3b1b1cbf002 ("ramfs: add support for "mode=" mount option")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ramfs/inode.c | 2 +-
+ include/linux/ramfs.h | 1 +
+ mm/shmem.c | 2 +-
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ramfs/inode.c
++++ b/fs/ramfs/inode.c
+@@ -278,7 +278,7 @@ int ramfs_init_fs_context(struct fs_cont
+ return 0;
+ }
+
+-static void ramfs_kill_sb(struct super_block *sb)
++void ramfs_kill_sb(struct super_block *sb)
+ {
+ kfree(sb->s_fs_info);
+ kill_litter_super(sb);
+--- a/include/linux/ramfs.h
++++ b/include/linux/ramfs.h
+@@ -7,6 +7,7 @@
+ struct inode *ramfs_get_inode(struct super_block *sb, const struct inode *dir,
+ umode_t mode, dev_t dev);
+ extern int ramfs_init_fs_context(struct fs_context *fc);
++extern void ramfs_kill_sb(struct super_block *sb);
+
+ #ifdef CONFIG_MMU
+ static inline int
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -4137,7 +4137,7 @@ static struct file_system_type shmem_fs_
+ .name = "tmpfs",
+ .init_fs_context = ramfs_init_fs_context,
+ .parameters = ramfs_fs_parameters,
+- .kill_sb = kill_litter_super,
++ .kill_sb = ramfs_kill_sb,
+ .fs_flags = FS_USERNS_MOUNT,
+ };
+
--- /dev/null
+From a5a319ec2c2236bb96d147c16196d2f1f3799301 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 6 Jun 2023 15:24:45 -0700
+Subject: um: Use HOST_DIR for mrproper
+
+From: Kees Cook <keescook@chromium.org>
+
+commit a5a319ec2c2236bb96d147c16196d2f1f3799301 upstream.
+
+When HEADER_ARCH was introduced, the MRPROPER_FILES (then MRPROPER_DIRS)
+list wasn't adjusted, leaving SUBARCH as part of the path argument.
+This resulted in the "mrproper" target not cleaning up arch/x86/... when
+SUBARCH was specified. Since HOST_DIR is arch/$(HEADER_ARCH), use it
+instead to get the correct path.
+
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: Azeem Shaikh <azeemshaikh38@gmail.com>
+Cc: linux-um@lists.infradead.org
+Fixes: 7bbe7204e937 ("um: merge Makefile-{i386,x86_64}")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230606222442.never.807-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/um/Makefile
++++ b/arch/um/Makefile
+@@ -148,7 +148,7 @@ export LDFLAGS_vmlinux := $(LDFLAGS_EXEC
+ # When cleaning we don't include .config, so we don't include
+ # TT or skas makefiles and don't clean skas_ptregs.h.
+ CLEAN_FILES += linux x.i gmon.out
+-MRPROPER_FILES += arch/$(SUBARCH)/include/generated
++MRPROPER_FILES += $(HOST_DIR)/include/generated
+
+ archclean:
+ @find . \( -name '*.bb' -o -name '*.bbg' -o -name '*.da' \
--- /dev/null
+From a7fbfd44c0204f0629288edfd0d77829edb4a2f8 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 18 May 2023 11:11:50 -0500
+Subject: usb: typec: ucsi: Mark dGPUs as DEVICE scope
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit a7fbfd44c0204f0629288edfd0d77829edb4a2f8 upstream.
+
+power_supply_is_system_supplied() checks whether any power
+supplies are present that aren't batteries to decide whether
+the system is running on DC or AC. Downstream drivers use
+this to make performance decisions.
+
+Navi dGPUs include an UCSI function that has been exported
+since commit 17631e8ca2d3 ("i2c: designware: Add driver
+support for AMD NAVI GPU").
+
+This UCSI function registers a power supply since commit
+992a60ed0d5e ("usb: typec: ucsi: register with power_supply class")
+but this is not a system power supply.
+
+As the power supply for a dGPU is only for powering devices connected
+to dGPU, create a device property to indicate that the UCSI endpoint
+is only for the scope of `POWER_SUPPLY_SCOPE_DEVICE`.
+
+Link: https://lore.kernel.org/lkml/20230516182541.5836-2-mario.limonciello@amd.com/
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Tested-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Acked-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-designware-pcidrv.c | 13 ++++++++++++-
+ drivers/i2c/busses/i2c-nvidia-gpu.c | 3 +++
+ drivers/usb/typec/ucsi/psy.c | 14 ++++++++++++++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-designware-pcidrv.c
++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c
+@@ -20,6 +20,7 @@
+ #include <linux/module.h>
+ #include <linux/pci.h>
+ #include <linux/pm_runtime.h>
++#include <linux/power_supply.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+
+@@ -234,6 +235,16 @@ static const struct dev_pm_ops i2c_dw_pm
+ SET_RUNTIME_PM_OPS(i2c_dw_pci_runtime_suspend, i2c_dw_pci_runtime_resume, NULL)
+ };
+
++static const struct property_entry dgpu_properties[] = {
++ /* USB-C doesn't power the system */
++ PROPERTY_ENTRY_U8("scope", POWER_SUPPLY_SCOPE_DEVICE),
++ {}
++};
++
++static const struct software_node dgpu_node = {
++ .properties = dgpu_properties,
++};
++
+ static int i2c_dw_pci_probe(struct pci_dev *pdev,
+ const struct pci_device_id *id)
+ {
+@@ -325,7 +336,7 @@ static int i2c_dw_pci_probe(struct pci_d
+ }
+
+ if ((dev->flags & MODEL_MASK) == MODEL_AMD_NAVI_GPU) {
+- dev->slave = i2c_new_ccgx_ucsi(&dev->adapter, dev->irq, NULL);
++ dev->slave = i2c_new_ccgx_ucsi(&dev->adapter, dev->irq, &dgpu_node);
+ if (IS_ERR(dev->slave))
+ return dev_err_probe(dev->dev, PTR_ERR(dev->slave),
+ "register UCSI failed\n");
+--- a/drivers/i2c/busses/i2c-nvidia-gpu.c
++++ b/drivers/i2c/busses/i2c-nvidia-gpu.c
+@@ -14,6 +14,7 @@
+ #include <linux/platform_device.h>
+ #include <linux/pm.h>
+ #include <linux/pm_runtime.h>
++#include <linux/power_supply.h>
+
+ #include <asm/unaligned.h>
+
+@@ -261,6 +262,8 @@ MODULE_DEVICE_TABLE(pci, gpu_i2c_ids);
+ static const struct property_entry ccgx_props[] = {
+ /* Use FW built for NVIDIA GPU only */
+ PROPERTY_ENTRY_STRING("firmware-name", "nvidia,gpu"),
++ /* USB-C doesn't power the system */
++ PROPERTY_ENTRY_U8("scope", POWER_SUPPLY_SCOPE_DEVICE),
+ { }
+ };
+
+--- a/drivers/usb/typec/ucsi/psy.c
++++ b/drivers/usb/typec/ucsi/psy.c
+@@ -27,8 +27,20 @@ static enum power_supply_property ucsi_p
+ POWER_SUPPLY_PROP_VOLTAGE_NOW,
+ POWER_SUPPLY_PROP_CURRENT_MAX,
+ POWER_SUPPLY_PROP_CURRENT_NOW,
++ POWER_SUPPLY_PROP_SCOPE,
+ };
+
++static int ucsi_psy_get_scope(struct ucsi_connector *con,
++ union power_supply_propval *val)
++{
++ u8 scope = POWER_SUPPLY_SCOPE_UNKNOWN;
++ struct device *dev = con->ucsi->dev;
++
++ device_property_read_u8(dev, "scope", &scope);
++ val->intval = scope;
++ return 0;
++}
++
+ static int ucsi_psy_get_online(struct ucsi_connector *con,
+ union power_supply_propval *val)
+ {
+@@ -194,6 +206,8 @@ static int ucsi_psy_get_prop(struct powe
+ return ucsi_psy_get_current_max(con, val);
+ case POWER_SUPPLY_PROP_CURRENT_NOW:
+ return ucsi_psy_get_current_now(con, val);
++ case POWER_SUPPLY_PROP_SCOPE:
++ return ucsi_psy_get_scope(con, val);
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From 943211c87427f25bd22e0e63849fb486bb5f87fa Mon Sep 17 00:00:00 2001
+From: Siddh Raman Pant <code@siddh.me>
+Date: Mon, 5 Jun 2023 20:06:16 +0530
+Subject: watch_queue: prevent dangling pipe pointer
+
+From: Siddh Raman Pant <code@siddh.me>
+
+commit 943211c87427f25bd22e0e63849fb486bb5f87fa upstream.
+
+NULL the dangling pipe reference while clearing watch_queue.
+
+If not done, a reference to a freed pipe remains in the watch_queue,
+as this function is called before freeing a pipe in free_pipe_info()
+(see line 834 of fs/pipe.c).
+
+The sole use of wqueue->defunct is for checking if the watch queue has
+been cleared, but wqueue->pipe is also NULLed while clearing.
+
+Thus, wqueue->defunct is superfluous, as wqueue->pipe can be checked
+for NULL. Hence, the former can be removed.
+
+Tested with keyutils testsuite.
+
+Cc: stable@vger.kernel.org # 6.1
+Signed-off-by: Siddh Raman Pant <code@siddh.me>
+Acked-by: David Howells <dhowells@redhat.com>
+Message-Id: <20230605143616.640517-1-code@siddh.me>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/watch_queue.h | 3 +--
+ kernel/watch_queue.c | 12 ++++++------
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/include/linux/watch_queue.h
++++ b/include/linux/watch_queue.h
+@@ -38,7 +38,7 @@ struct watch_filter {
+ struct watch_queue {
+ struct rcu_head rcu;
+ struct watch_filter __rcu *filter;
+- struct pipe_inode_info *pipe; /* The pipe we're using as a buffer */
++ struct pipe_inode_info *pipe; /* Pipe we use as a buffer, NULL if queue closed */
+ struct hlist_head watches; /* Contributory watches */
+ struct page **notes; /* Preallocated notifications */
+ unsigned long *notes_bitmap; /* Allocation bitmap for notes */
+@@ -46,7 +46,6 @@ struct watch_queue {
+ spinlock_t lock;
+ unsigned int nr_notes; /* Number of notes */
+ unsigned int nr_pages; /* Number of pages in notes[] */
+- bool defunct; /* T when queues closed */
+ };
+
+ /*
+--- a/kernel/watch_queue.c
++++ b/kernel/watch_queue.c
+@@ -43,7 +43,7 @@ MODULE_LICENSE("GPL");
+ static inline bool lock_wqueue(struct watch_queue *wqueue)
+ {
+ spin_lock_bh(&wqueue->lock);
+- if (unlikely(wqueue->defunct)) {
++ if (unlikely(!wqueue->pipe)) {
+ spin_unlock_bh(&wqueue->lock);
+ return false;
+ }
+@@ -105,9 +105,6 @@ static bool post_one_notification(struct
+ unsigned int head, tail, mask, note, offset, len;
+ bool done = false;
+
+- if (!pipe)
+- return false;
+-
+ spin_lock_irq(&pipe->rd_wait.lock);
+
+ mask = pipe->ring_size - 1;
+@@ -604,8 +601,11 @@ void watch_queue_clear(struct watch_queu
+ rcu_read_lock();
+ spin_lock_bh(&wqueue->lock);
+
+- /* Prevent new notifications from being stored. */
+- wqueue->defunct = true;
++ /*
++ * This pipe can be freed by callers like free_pipe_info().
++ * Removing this reference also prevents new notifications.
++ */
++ wqueue->pipe = NULL;
+
+ while (!hlist_empty(&wqueue->watches)) {
+ watch = hlist_entry(wqueue->watches.first, struct watch, queue_node);
--- /dev/null
+From b719ebc37a1eacd4fd4f1264f731b016e5ec0c6e Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel <alexander@wetzel-home.de>
+Date: Thu, 23 Mar 2023 17:55:27 +0100
+Subject: wifi: ath10k: Serialize wake_tx_queue ops
+
+From: Alexander Wetzel <alexander@wetzel-home.de>
+
+commit b719ebc37a1eacd4fd4f1264f731b016e5ec0c6e upstream.
+
+Serialize the ath10k implementation of the wake_tx_queue ops.
+ath10k_mac_op_wake_tx_queue() must not run concurrent since it's using
+ieee80211_txq_schedule_start().
+
+The intend of this patch is to sort out an issue discovered in the discussion
+referred to by the Link tag.
+
+I can't test it with real hardware and thus just implemented the per-ac queue
+lock Felix suggested. One obvious alternative to the per-ac lock would be to
+bring back the txqs_lock commit bb2edb733586 ("ath10k: migrate to mac80211 txq
+scheduling") dropped.
+
+Fixes: bb2edb733586 ("ath10k: migrate to mac80211 txq scheduling")
+Reported-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/519b5bb9-8899-ae7c-4eff-f3116cdfdb56@nbd.name
+CC: <stable@vger.kernel.org>
+Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230323165527.156414-1-alexander@wetzel-home.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/core.c | 3 +++
+ drivers/net/wireless/ath/ath10k/core.h | 3 +++
+ drivers/net/wireless/ath/ath10k/mac.c | 6 ++++--
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -3634,6 +3634,9 @@ struct ath10k *ath10k_core_create(size_t
+ mutex_init(&ar->dump_mutex);
+ spin_lock_init(&ar->data_lock);
+
++ for (int ac = 0; ac < IEEE80211_NUM_ACS; ac++)
++ spin_lock_init(&ar->queue_lock[ac]);
++
+ INIT_LIST_HEAD(&ar->peers);
+ init_waitqueue_head(&ar->peer_mapping_wq);
+ init_waitqueue_head(&ar->htt.empty_tx_wq);
+--- a/drivers/net/wireless/ath/ath10k/core.h
++++ b/drivers/net/wireless/ath/ath10k/core.h
+@@ -1170,6 +1170,9 @@ struct ath10k {
+ /* protects shared structure data */
+ spinlock_t data_lock;
+
++ /* serialize wake_tx_queue calls per ac */
++ spinlock_t queue_lock[IEEE80211_NUM_ACS];
++
+ struct list_head arvifs;
+ struct list_head peers;
+ struct ath10k_peer *peer_map[ATH10K_MAX_NUM_PEER_IDS];
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -4732,13 +4732,14 @@ static void ath10k_mac_op_wake_tx_queue(
+ {
+ struct ath10k *ar = hw->priv;
+ int ret;
+- u8 ac;
++ u8 ac = txq->ac;
+
+ ath10k_htt_tx_txq_update(hw, txq);
+ if (ar->htt.tx_q_state.mode != HTT_TX_MODE_SWITCH_PUSH)
+ return;
+
+- ac = txq->ac;
++ spin_lock_bh(&ar->queue_lock[ac]);
++
+ ieee80211_txq_schedule_start(hw, ac);
+ txq = ieee80211_next_txq(hw, ac);
+ if (!txq)
+@@ -4753,6 +4754,7 @@ static void ath10k_mac_op_wake_tx_queue(
+ ath10k_htt_tx_txq_update(hw, txq);
+ out:
+ ieee80211_txq_schedule_end(hw, ac);
++ spin_unlock_bh(&ar->queue_lock[ac]);
+ }
+
+ /* Must not be called with conf_mutex held as workers can use that also. */
--- /dev/null
+From b22552fcaf1970360005c805d7fba4046cf2ab4a Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 16 Jun 2023 22:28:44 +0200
+Subject: wifi: cfg80211: fix regulatory disconnect for non-MLO
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b22552fcaf1970360005c805d7fba4046cf2ab4a upstream.
+
+The multi-link loop here broke disconnect when multi-link
+operation (MLO) isn't active for a given interface, since
+in that case valid_links is 0 (indicating no links, i.e.
+no MLO.)
+
+Fix this by taking that into account properly and skipping
+the link only if there are valid_links in the first place.
+
+Cc: stable@vger.kernel.org
+Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20230616222844.eb073d650c75.I72739923ef80919889ea9b50de9e4ba4baa836ae@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2390,7 +2390,7 @@ static bool reg_wdev_chan_valid(struct w
+
+ if (!wdev->valid_links && link > 0)
+ break;
+- if (!(wdev->valid_links & BIT(link)))
++ if (wdev->valid_links && !(wdev->valid_links & BIT(link)))
+ continue;
+ switch (iftype) {
+ case NL80211_IFTYPE_AP:
--- /dev/null
+From 525c469e5de9bf7e53574396196e80fc716ac9eb Mon Sep 17 00:00:00 2001
+From: Quan Zhou <quan.zhou@mediatek.com>
+Date: Wed, 5 Jul 2023 23:26:38 +0800
+Subject: wifi: mt76: mt7921e: fix init command fail with enabled device
+
+From: Quan Zhou <quan.zhou@mediatek.com>
+
+commit 525c469e5de9bf7e53574396196e80fc716ac9eb upstream.
+
+For some cases as below, we may encounter the unpreditable chip stats
+in driver probe()
+* The system reboot flow do not work properly, such as kernel oops while
+ rebooting, and then the driver do not go back to default status at
+ this moment.
+* Similar to the flow above. If the device was enabled in BIOS or UEFI,
+ the system may switch to Linux without driver fully shutdown.
+
+To avoid the problem, force push the device back to default in probe()
+* mt7921e_mcu_fw_pmctrl() : return control privilege to chip side.
+* mt7921_wfsys_reset() : cleanup chip config before resource init.
+
+Error log
+[59007.600714] mt7921e 0000:02:00.0: ASIC revision: 79220010
+[59010.889773] mt7921e 0000:02:00.0: Message 00000010 (seq 1) timeout
+[59010.889786] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59014.217839] mt7921e 0000:02:00.0: Message 00000010 (seq 2) timeout
+[59014.217852] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59017.545880] mt7921e 0000:02:00.0: Message 00000010 (seq 3) timeout
+[59017.545893] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59020.874086] mt7921e 0000:02:00.0: Message 00000010 (seq 4) timeout
+[59020.874099] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59024.202019] mt7921e 0000:02:00.0: Message 00000010 (seq 5) timeout
+[59024.202033] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59027.530082] mt7921e 0000:02:00.0: Message 00000010 (seq 6) timeout
+[59027.530096] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59030.857888] mt7921e 0000:02:00.0: Message 00000010 (seq 7) timeout
+[59030.857904] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59034.185946] mt7921e 0000:02:00.0: Message 00000010 (seq 8) timeout
+[59034.185961] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59037.514249] mt7921e 0000:02:00.0: Message 00000010 (seq 9) timeout
+[59037.514262] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59040.842362] mt7921e 0000:02:00.0: Message 00000010 (seq 10) timeout
+[59040.842375] mt7921e 0000:02:00.0: Failed to get patch semaphore
+[59040.923845] mt7921e 0000:02:00.0: hardware init failed
+
+Cc: stable@vger.kernel.org
+Fixes: 5c14a5f944b9 ("mt76: mt7921: introduce mt7921e support")
+Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Juan Martinez <juan.martinez@amd.com>
+Co-developed-by: Leon Yen <leon.yen@mediatek.com>
+Signed-off-by: Leon Yen <leon.yen@mediatek.com>
+Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
+Signed-off-by: Deren Wu <deren.wu@mediatek.com>
+Message-ID: <39fcb7cee08d4ab940d38d82f21897483212483f.1688569385.git.deren.wu@mediatek.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/dma.c | 4 ----
+ drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 8 --------
+ drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 8 ++++++++
+ 3 files changed, 8 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/dma.c
+@@ -231,10 +231,6 @@ int mt7921_dma_init(struct mt7921_dev *d
+ if (ret)
+ return ret;
+
+- ret = mt7921_wfsys_reset(dev);
+- if (ret)
+- return ret;
+-
+ /* init tx queue */
+ ret = mt76_connac_init_tx_queues(dev->phy.mt76, MT7921_TXQ_BAND0,
+ MT7921_TX_RING_SIZE,
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+@@ -449,12 +449,6 @@ static int mt7921_load_firmware(struct m
+ {
+ int ret;
+
+- ret = mt76_get_field(dev, MT_CONN_ON_MISC, MT_TOP_MISC2_FW_N9_RDY);
+- if (ret && mt76_is_mmio(&dev->mt76)) {
+- dev_dbg(dev->mt76.dev, "Firmware is already download\n");
+- goto fw_loaded;
+- }
+-
+ ret = mt76_connac2_load_patch(&dev->mt76, mt7921_patch_name(dev));
+ if (ret)
+ return ret;
+@@ -477,8 +471,6 @@ static int mt7921_load_firmware(struct m
+ return -EIO;
+ }
+
+-fw_loaded:
+-
+ #ifdef CONFIG_PM
+ dev->mt76.hw->wiphy->wowlan = &mt76_connac_wowlan_support;
+ #endif /* CONFIG_PM */
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+@@ -316,6 +316,10 @@ static int mt7921_pci_probe(struct pci_d
+ bus_ops->rmw = mt7921_rmw;
+ dev->mt76.bus = bus_ops;
+
++ ret = mt7921e_mcu_fw_pmctrl(dev);
++ if (ret)
++ goto err_free_dev;
++
+ ret = __mt7921e_mcu_drv_pmctrl(dev);
+ if (ret)
+ goto err_free_dev;
+@@ -324,6 +328,10 @@ static int mt7921_pci_probe(struct pci_d
+ (mt7921_l1_rr(dev, MT_HW_REV) & 0xff);
+ dev_info(mdev->dev, "ASIC revision: %04x\n", mdev->rev);
+
++ ret = mt7921_wfsys_reset(dev);
++ if (ret)
++ goto err_free_dev;
++
+ mt76_wr(dev, MT_WFDMA0_HOST_INT_ENA, 0);
+
+ mt76_wr(dev, MT_PCIE_MAC_INT_ENABLE, 0xff);
projects / thirdparty / kernel / stable-queue.git / commitdiff
