--- /dev/null
+From 7c544739dbf37efc316d4f6a05de72224846c4b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Jan 2021 17:28:04 +0800
+Subject: btrfs: tree-checker: check if chunk item end overflows
+
+From: Su Yue <l@damenly.su>
+
+[ Upstream commit 347fb0cfc9bab5195c6701e62eda488310d7938f ]
+
+While mounting a crafted image provided by user, kernel panics due to
+the invalid chunk item whose end is less than start.
+
+ [66.387422] loop: module loaded
+ [66.389773] loop0: detected capacity change from 262144 to 0
+ [66.427708] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 12 /dev/loop0 scanned by mount (613)
+ [66.431061] BTRFS info (device loop0): disk space caching is enabled
+ [66.431078] BTRFS info (device loop0): has skinny extents
+ [66.437101] BTRFS error: insert state: end < start 29360127 37748736
+ [66.437136] ------------[ cut here ]------------
+ [66.437140] WARNING: CPU: 16 PID: 613 at fs/btrfs/extent_io.c:557 insert_state.cold+0x1a/0x46 [btrfs]
+ [66.437369] CPU: 16 PID: 613 Comm: mount Tainted: G O 5.11.0-rc1-custom #45
+ [66.437374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
+ [66.437378] RIP: 0010:insert_state.cold+0x1a/0x46 [btrfs]
+ [66.437420] RSP: 0018:ffff93e5414c3908 EFLAGS: 00010286
+ [66.437427] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
+ [66.437431] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
+ [66.437434] RBP: ffff93e5414c3938 R08: 0000000000000001 R09: 0000000000000001
+ [66.437438] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d72aa0
+ [66.437441] R13: ffff8ec78bc71628 R14: 0000000000000000 R15: 0000000002400000
+ [66.437447] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
+ [66.437451] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [66.437455] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
+ [66.437460] PKRU: 55555554
+ [66.437464] Call Trace:
+ [66.437475] set_extent_bit+0x652/0x740 [btrfs]
+ [66.437539] set_extent_bits_nowait+0x1d/0x20 [btrfs]
+ [66.437576] add_extent_mapping+0x1e0/0x2f0 [btrfs]
+ [66.437621] read_one_chunk+0x33c/0x420 [btrfs]
+ [66.437674] btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
+ [66.437708] ? kvm_sched_clock_read+0x18/0x40
+ [66.437739] open_ctree+0xb32/0x1734 [btrfs]
+ [66.437781] ? bdi_register_va+0x1b/0x20
+ [66.437788] ? super_setup_bdi_name+0x79/0xd0
+ [66.437810] btrfs_mount_root.cold+0x12/0xeb [btrfs]
+ [66.437854] ? __kmalloc_track_caller+0x217/0x3b0
+ [66.437873] legacy_get_tree+0x34/0x60
+ [66.437880] vfs_get_tree+0x2d/0xc0
+ [66.437888] vfs_kern_mount.part.0+0x78/0xc0
+ [66.437897] vfs_kern_mount+0x13/0x20
+ [66.437902] btrfs_mount+0x11f/0x3c0 [btrfs]
+ [66.437940] ? kfree+0x5ff/0x670
+ [66.437944] ? __kmalloc_track_caller+0x217/0x3b0
+ [66.437962] legacy_get_tree+0x34/0x60
+ [66.437974] vfs_get_tree+0x2d/0xc0
+ [66.437983] path_mount+0x48c/0xd30
+ [66.437998] __x64_sys_mount+0x108/0x140
+ [66.438011] do_syscall_64+0x38/0x50
+ [66.438018] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [66.438023] RIP: 0033:0x7f0138827f6e
+ [66.438033] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
+ [66.438040] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
+ [66.438044] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
+ [66.438047] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
+ [66.438050] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ [66.438054] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
+ [66.438078] irq event stamp: 18169
+ [66.438082] hardirqs last enabled at (18175): [<ffffffffb81154bf>] console_unlock+0x4ff/0x5f0
+ [66.438088] hardirqs last disabled at (18180): [<ffffffffb8115427>] console_unlock+0x467/0x5f0
+ [66.438092] softirqs last enabled at (16910): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
+ [66.438097] softirqs last disabled at (16905): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
+ [66.438103] ---[ end trace e114b111db64298b ]---
+ [66.438107] BTRFS error: found node 12582912 29360127 on insert of 37748736 29360127
+ [66.438127] BTRFS critical: panic in extent_io_tree_panic:679: locking error: extent tree was modified by another thread while locked (errno=-17 Object already exists)
+ [66.441069] ------------[ cut here ]------------
+ [66.441072] kernel BUG at fs/btrfs/extent_io.c:679!
+ [66.442064] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+ [66.443018] CPU: 16 PID: 613 Comm: mount Tainted: G W O 5.11.0-rc1-custom #45
+ [66.444538] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
+ [66.446223] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
+ [66.450878] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
+ [66.451840] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
+ [66.453141] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
+ [66.454445] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
+ [66.455743] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
+ [66.457055] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
+ [66.458356] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
+ [66.459841] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [66.460895] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
+ [66.462196] PKRU: 55555554
+ [66.462692] Call Trace:
+ [66.463139] set_extent_bit.cold+0x30/0x98 [btrfs]
+ [66.464049] set_extent_bits_nowait+0x1d/0x20 [btrfs]
+ [66.490466] add_extent_mapping+0x1e0/0x2f0 [btrfs]
+ [66.514097] read_one_chunk+0x33c/0x420 [btrfs]
+ [66.534976] btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
+ [66.555718] ? kvm_sched_clock_read+0x18/0x40
+ [66.575758] open_ctree+0xb32/0x1734 [btrfs]
+ [66.595272] ? bdi_register_va+0x1b/0x20
+ [66.614638] ? super_setup_bdi_name+0x79/0xd0
+ [66.633809] btrfs_mount_root.cold+0x12/0xeb [btrfs]
+ [66.652938] ? __kmalloc_track_caller+0x217/0x3b0
+ [66.671925] legacy_get_tree+0x34/0x60
+ [66.690300] vfs_get_tree+0x2d/0xc0
+ [66.708221] vfs_kern_mount.part.0+0x78/0xc0
+ [66.725808] vfs_kern_mount+0x13/0x20
+ [66.742730] btrfs_mount+0x11f/0x3c0 [btrfs]
+ [66.759350] ? kfree+0x5ff/0x670
+ [66.775441] ? __kmalloc_track_caller+0x217/0x3b0
+ [66.791750] legacy_get_tree+0x34/0x60
+ [66.807494] vfs_get_tree+0x2d/0xc0
+ [66.823349] path_mount+0x48c/0xd30
+ [66.838753] __x64_sys_mount+0x108/0x140
+ [66.854412] do_syscall_64+0x38/0x50
+ [66.869673] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [66.885093] RIP: 0033:0x7f0138827f6e
+ [66.945613] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
+ [66.977214] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
+ [66.994266] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
+ [67.011544] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
+ [67.028836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ [67.045812] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
+ [67.216138] ---[ end trace e114b111db64298c ]---
+ [67.237089] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
+ [67.325317] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
+ [67.347946] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
+ [67.371343] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
+ [67.394757] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
+ [67.418409] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
+ [67.441906] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
+ [67.465436] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
+ [67.511660] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [67.535047] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
+ [67.558449] PKRU: 55555554
+ [67.581146] note: mount[613] exited with preempt_count 2
+
+The image has a chunk item which has a logical start 37748736 and length
+18446744073701163008 (-8M). The calculated end 29360127 overflows.
+EEXIST was caught by insert_state() because of the duplicate end and
+extent_io_tree_panic() was called.
+
+Add overflow check of chunk item end to tree checker so it can be
+detected early at mount time.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208929
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Su Yue <l@damenly.su>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-checker.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 9feb8a1793efb..7d06842a3d747 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -571,6 +571,7 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
+ {
+ struct btrfs_fs_info *fs_info = leaf->fs_info;
+ u64 length;
++ u64 chunk_end;
+ u64 stripe_len;
+ u16 num_stripes;
+ u16 sub_stripes;
+@@ -625,6 +626,12 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
+ "invalid chunk length, have %llu", length);
+ return -EUCLEAN;
+ }
++ if (unlikely(check_add_overflow(logical, length, &chunk_end))) {
++ chunk_err(leaf, chunk, logical,
++"invalid chunk logical start and length, have logical start %llu length %llu",
++ logical, length);
++ return -EUCLEAN;
++ }
+ if (!is_power_of_2(stripe_len) || stripe_len != BTRFS_STRIPE_LEN) {
+ chunk_err(leaf, chunk, logical,
+ "invalid chunk stripe length: %llu",
+--
+2.27.0
+
--- /dev/null
+From d8e3fed8950829cc065c408a739984e6a196a45b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jan 2021 14:16:16 -0300
+Subject: cifs: fix interrupted close commands
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+[ Upstream commit 2659d3bff3e1b000f49907d0839178b101a89887 ]
+
+Retry close command if it gets interrupted to not leak open handles on
+the server.
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Reported-by: Duncan Findlay <duncf@duncf.ca>
+Suggested-by: Pavel Shilovsky <pshilov@microsoft.com>
+Fixes: 6988a619f5b7 ("cifs: allow syscalls to be restarted in __smb_send_rqst()")
+Cc: stable@vger.kernel.org
+Reviewd-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index c095f2e6b0825..be06b26d6ca03 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2996,7 +2996,7 @@ close_exit:
+ free_rsp_buf(resp_buftype, rsp);
+
+ /* retry close in a worker thread if this one is interrupted */
+- if (rc == -EINTR) {
++ if (is_interrupt_error(rc)) {
+ int tmp_rc;
+
+ tmp_rc = smb2_handle_cancelled_close(tcon, persistent_fid,
+--
+2.27.0
+
--- /dev/null
+From 562a7803c8beda1f39205e802047f61e1e404fc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jan 2021 11:15:56 -0500
+Subject: dm integrity: fix flush with external metadata device
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 9b5948267adc9e689da609eb61cf7ed49cae5fa8 ]
+
+With external metadata device, flush requests are not passed down to the
+data device.
+
+Fix this by submitting the flush request in dm_integrity_flush_buffers. In
+order to not degrade performance, we overlap the data device flush with
+the metadata device flush.
+
+Reported-by: Lukas Straub <lukasstraub2@web.de>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-bufio.c | 6 +++++
+ drivers/md/dm-integrity.c | 56 +++++++++++++++++++++++++++++++++------
+ include/linux/dm-bufio.h | 1 +
+ 3 files changed, 55 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
+index 2d519c2235626..a9529dc2b26e6 100644
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -1446,6 +1446,12 @@ sector_t dm_bufio_get_device_size(struct dm_bufio_client *c)
+ }
+ EXPORT_SYMBOL_GPL(dm_bufio_get_device_size);
+
++struct dm_io_client *dm_bufio_get_dm_io_client(struct dm_bufio_client *c)
++{
++ return c->dm_io;
++}
++EXPORT_SYMBOL_GPL(dm_bufio_get_dm_io_client);
++
+ sector_t dm_bufio_get_block_number(struct dm_buffer *b)
+ {
+ return b->block;
+diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
+index d99cd45874531..25efe382e78fa 100644
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -1343,12 +1343,52 @@ static int dm_integrity_rw_tag(struct dm_integrity_c *ic, unsigned char *tag, se
+ return 0;
+ }
+
+-static void dm_integrity_flush_buffers(struct dm_integrity_c *ic)
++struct flush_request {
++ struct dm_io_request io_req;
++ struct dm_io_region io_reg;
++ struct dm_integrity_c *ic;
++ struct completion comp;
++};
++
++static void flush_notify(unsigned long error, void *fr_)
++{
++ struct flush_request *fr = fr_;
++ if (unlikely(error != 0))
++ dm_integrity_io_error(fr->ic, "flusing disk cache", -EIO);
++ complete(&fr->comp);
++}
++
++static void dm_integrity_flush_buffers(struct dm_integrity_c *ic, bool flush_data)
+ {
+ int r;
++
++ struct flush_request fr;
++
++ if (!ic->meta_dev)
++ flush_data = false;
++ if (flush_data) {
++ fr.io_req.bi_op = REQ_OP_WRITE,
++ fr.io_req.bi_op_flags = REQ_PREFLUSH | REQ_SYNC,
++ fr.io_req.mem.type = DM_IO_KMEM,
++ fr.io_req.mem.ptr.addr = NULL,
++ fr.io_req.notify.fn = flush_notify,
++ fr.io_req.notify.context = &fr;
++ fr.io_req.client = dm_bufio_get_dm_io_client(ic->bufio),
++ fr.io_reg.bdev = ic->dev->bdev,
++ fr.io_reg.sector = 0,
++ fr.io_reg.count = 0,
++ fr.ic = ic;
++ init_completion(&fr.comp);
++ r = dm_io(&fr.io_req, 1, &fr.io_reg, NULL);
++ BUG_ON(r);
++ }
++
+ r = dm_bufio_write_dirty_buffers(ic->bufio);
+ if (unlikely(r))
+ dm_integrity_io_error(ic, "writing tags", r);
++
++ if (flush_data)
++ wait_for_completion(&fr.comp);
+ }
+
+ static void sleep_on_endio_wait(struct dm_integrity_c *ic)
+@@ -2077,7 +2117,7 @@ static void integrity_commit(struct work_struct *w)
+ flushes = bio_list_get(&ic->flush_bio_list);
+ if (unlikely(ic->mode != 'J')) {
+ spin_unlock_irq(&ic->endio_wait.lock);
+- dm_integrity_flush_buffers(ic);
++ dm_integrity_flush_buffers(ic, true);
+ goto release_flush_bios;
+ }
+
+@@ -2287,7 +2327,7 @@ skip_io:
+ complete_journal_op(&comp);
+ wait_for_completion_io(&comp.comp);
+
+- dm_integrity_flush_buffers(ic);
++ dm_integrity_flush_buffers(ic, true);
+ }
+
+ static void integrity_writer(struct work_struct *w)
+@@ -2329,7 +2369,7 @@ static void recalc_write_super(struct dm_integrity_c *ic)
+ {
+ int r;
+
+- dm_integrity_flush_buffers(ic);
++ dm_integrity_flush_buffers(ic, false);
+ if (dm_integrity_failed(ic))
+ return;
+
+@@ -2532,7 +2572,7 @@ static void bitmap_flush_work(struct work_struct *work)
+ unsigned long limit;
+ struct bio *bio;
+
+- dm_integrity_flush_buffers(ic);
++ dm_integrity_flush_buffers(ic, false);
+
+ range.logical_sector = 0;
+ range.n_sectors = ic->provided_data_sectors;
+@@ -2541,7 +2581,7 @@ static void bitmap_flush_work(struct work_struct *work)
+ add_new_range_and_wait(ic, &range);
+ spin_unlock_irq(&ic->endio_wait.lock);
+
+- dm_integrity_flush_buffers(ic);
++ dm_integrity_flush_buffers(ic, true);
+ if (ic->meta_dev)
+ blkdev_issue_flush(ic->dev->bdev, GFP_NOIO, NULL);
+
+@@ -2812,11 +2852,11 @@ static void dm_integrity_postsuspend(struct dm_target *ti)
+ if (ic->meta_dev)
+ queue_work(ic->writer_wq, &ic->writer_work);
+ drain_workqueue(ic->writer_wq);
+- dm_integrity_flush_buffers(ic);
++ dm_integrity_flush_buffers(ic, true);
+ }
+
+ if (ic->mode == 'B') {
+- dm_integrity_flush_buffers(ic);
++ dm_integrity_flush_buffers(ic, true);
+ #if 1
+ /* set to 0 to test bitmap replay code */
+ init_journal(ic, 0, ic->journal_sections, 0);
+diff --git a/include/linux/dm-bufio.h b/include/linux/dm-bufio.h
+index 3c8b7d274bd9b..45ba37aaf6b78 100644
+--- a/include/linux/dm-bufio.h
++++ b/include/linux/dm-bufio.h
+@@ -138,6 +138,7 @@ void dm_bufio_set_minimum_buffers(struct dm_bufio_client *c, unsigned n);
+
+ unsigned dm_bufio_get_block_size(struct dm_bufio_client *c);
+ sector_t dm_bufio_get_device_size(struct dm_bufio_client *c);
++struct dm_io_client *dm_bufio_get_dm_io_client(struct dm_bufio_client *c);
+ sector_t dm_bufio_get_block_number(struct dm_buffer *b);
+ void *dm_bufio_get_block_data(struct dm_buffer *b);
+ void *dm_bufio_get_aux_data(struct dm_buffer *b);
+--
+2.27.0
+
--- /dev/null
+From e5d967ad5d3f69c75edd3efac9763eac25c81550 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jan 2021 17:28:41 +0200
+Subject: drm/i915/backlight: fix CPU mode backlight takeover on LPT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+[ Upstream commit bb83d5fb550bb7db75b29e6342417fda2bbb691c ]
+
+The pch_get_backlight(), lpt_get_backlight(), and lpt_set_backlight()
+functions operate directly on the hardware registers. If inverting the
+value is needed, using intel_panel_compute_brightness(), it should only
+be done in the interface between hardware registers and
+panel->backlight.level.
+
+The CPU mode takeover code added in commit 5b1ec9ac7ab5
+("drm/i915/backlight: Fix backlight takeover on LPT, v3.") reads the
+hardware register and converts to panel->backlight.level correctly,
+however the value written back should remain in the hardware register
+"domain".
+
+This hasn't been an issue, because GM45 machines are the only known
+users of i915.invert_brightness and the brightness invert quirk, and
+without one of them no conversion is made. It's likely nobody's ever hit
+the problem.
+
+Fixes: 5b1ec9ac7ab5 ("drm/i915/backlight: Fix backlight takeover on LPT, v3.")
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: <stable@vger.kernel.org> # v5.1+
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210108152841.6944-1-jani.nikula@intel.com
+(cherry picked from commit 0d4ced1c5bfe649196877d90442d4fd618e19153)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_panel.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_panel.c b/drivers/gpu/drm/i915/display/intel_panel.c
+index bc14e9c0285a0..23edc1b8e43fa 100644
+--- a/drivers/gpu/drm/i915/display/intel_panel.c
++++ b/drivers/gpu/drm/i915/display/intel_panel.c
+@@ -1603,20 +1603,21 @@ static int lpt_setup_backlight(struct intel_connector *connector, enum pipe unus
+ val = pch_get_backlight(connector);
+ else
+ val = lpt_get_backlight(connector);
+- val = intel_panel_compute_brightness(connector, val);
+- panel->backlight.level = clamp(val, panel->backlight.min,
+- panel->backlight.max);
+
+ if (cpu_mode) {
+ DRM_DEBUG_KMS("CPU backlight register was enabled, switching to PCH override\n");
+
+ /* Write converted CPU PWM value to PCH override register */
+- lpt_set_backlight(connector->base.state, panel->backlight.level);
++ lpt_set_backlight(connector->base.state, val);
+ I915_WRITE(BLC_PWM_PCH_CTL1, pch_ctl1 | BLM_PCH_OVERRIDE_ENABLE);
+
+ I915_WRITE(BLC_PWM_CPU_CTL2, cpu_ctl2 & ~BLM_PWM_ENABLE);
+ }
+
++ val = intel_panel_compute_brightness(connector, val);
++ panel->backlight.level = clamp(val, panel->backlight.min,
++ panel->backlight.max);
++
+ return 0;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 2125e9acc4133362d63a38ad557607e99be0fbe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Dec 2020 13:24:15 -0500
+Subject: ext4: don't leak old mountpoint samples
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+[ Upstream commit 5a3b590d4b2db187faa6f06adc9a53d6199fb1f9 ]
+
+When the first file is opened, ext4 samples the mountpoint of the
+filesystem in 64 bytes of the super block. It does so using
+strlcpy(), this means that the remaining bytes in the super block
+string buffer are untouched. If the mount point before had a longer
+path than the current one, it can be reconstructed.
+
+Consider the case where the fs was mounted to "/media/johnjdeveloper"
+and later to "/". The super block buffer then contains
+"/\x00edia/johnjdeveloper".
+
+This case was seen in the wild and caused confusion how the name
+of a developer ands up on the super block of a filesystem used
+in production...
+
+Fix this by using strncpy() instead of strlcpy(). The superblock
+field is defined to be a fixed-size char array, and it is already
+marked using __nonstring in fs/ext4/ext4.h. The consumer of the field
+in e2fsprogs already assumes that in the case of a 64+ byte mount
+path, that s_last_mounted will not be NUL terminated.
+
+Link: https://lore.kernel.org/r/X9ujIOJG/HqMr88R@mit.edu
+Reported-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/file.c b/fs/ext4/file.c
+index fd7ce3573a00a..1513e90fb6d2f 100644
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -432,7 +432,7 @@ static int ext4_sample_last_mounted(struct super_block *sb,
+ err = ext4_journal_get_write_access(handle, sbi->s_sbh);
+ if (err)
+ goto out_journal;
+- strlcpy(sbi->s_es->s_last_mounted, cp,
++ strncpy(sbi->s_es->s_last_mounted, cp,
+ sizeof(sbi->s_es->s_last_mounted));
+ ext4_handle_dirty_super(handle, sb);
+ out_journal:
+--
+2.27.0
+
--- /dev/null
+From 213e28fc1e517d6aad4e029945bb3b277f16947b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 14:28:57 +0800
+Subject: ext4: fix bug for rename with RENAME_WHITEOUT
+
+From: yangerkun <yangerkun@huawei.com>
+
+[ Upstream commit 6b4b8e6b4ad8553660421d6360678b3811d5deb9 ]
+
+We got a "deleted inode referenced" warning cross our fsstress test. The
+bug can be reproduced easily with following steps:
+
+ cd /dev/shm
+ mkdir test/
+ fallocate -l 128M img
+ mkfs.ext4 -b 1024 img
+ mount img test/
+ dd if=/dev/zero of=test/foo bs=1M count=128
+ mkdir test/dir/ && cd test/dir/
+ for ((i=0;i<1000;i++)); do touch file$i; done # consume all block
+ cd ~ && renameat2(AT_FDCWD, /dev/shm/test/dir/file1, AT_FDCWD,
+ /dev/shm/test/dir/dst_file, RENAME_WHITEOUT) # ext4_add_entry in
+ ext4_rename will return ENOSPC!!
+ cd /dev/shm/ && umount test/ && mount img test/ && ls -li test/dir/file1
+ We will get the output:
+ "ls: cannot access 'test/dir/file1': Structure needs cleaning"
+ and the dmesg show:
+ "EXT4-fs error (device loop0): ext4_lookup:1626: inode #2049: comm ls:
+ deleted inode referenced: 139"
+
+ext4_rename will create a special inode for whiteout and use this 'ino'
+to replace the source file's dir entry 'ino'. Once error happens
+latter(the error above was the ENOSPC return from ext4_add_entry in
+ext4_rename since all space has been consumed), the cleanup do drop the
+nlink for whiteout, but forget to restore 'ino' with source file. This
+will trigger the bug describle as above.
+
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@vger.kernel.org
+Fixes: cd808deced43 ("ext4: support RENAME_WHITEOUT")
+Link: https://lore.kernel.org/r/20210105062857.3566-1-yangerkun@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/namei.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 59038e361337c..f05ec9bfbf4fd 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -3544,8 +3544,6 @@ static int ext4_setent(handle_t *handle, struct ext4_renament *ent,
+ return retval;
+ }
+ }
+- brelse(ent->bh);
+- ent->bh = NULL;
+
+ return 0;
+ }
+@@ -3745,6 +3743,7 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry,
+ }
+ }
+
++ old_file_type = old.de->file_type;
+ if (IS_DIRSYNC(old.dir) || IS_DIRSYNC(new.dir))
+ ext4_handle_sync(handle);
+
+@@ -3772,7 +3771,6 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry,
+ force_reread = (new.dir->i_ino == old.dir->i_ino &&
+ ext4_test_inode_flag(new.dir, EXT4_INODE_INLINE_DATA));
+
+- old_file_type = old.de->file_type;
+ if (whiteout) {
+ /*
+ * Do this before adding a new entry, so the old entry is sure
+@@ -3844,15 +3842,19 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry,
+ retval = 0;
+
+ end_rename:
+- brelse(old.dir_bh);
+- brelse(old.bh);
+- brelse(new.bh);
+ if (whiteout) {
+- if (retval)
++ if (retval) {
++ ext4_setent(handle, &old,
++ old.inode->i_ino, old_file_type);
+ drop_nlink(whiteout);
++ }
+ unlock_new_inode(whiteout);
+ iput(whiteout);
++
+ }
++ brelse(old.dir_bh);
++ brelse(old.bh);
++ brelse(new.bh);
+ if (handle)
+ ext4_journal_stop(handle);
+ return retval;
+--
+2.27.0
+
dm-snapshot-flush-merged-data-before-committing-metadata.patch
dm-integrity-fix-the-maximum-number-of-arguments.patch
r8152-add-lenovo-powered-usb-c-travel-hub.patch
+btrfs-tree-checker-check-if-chunk-item-end-overflows.patch
+drm-i915-backlight-fix-cpu-mode-backlight-takeover-o.patch
+ext4-fix-bug-for-rename-with-rename_whiteout.patch
+ext4-don-t-leak-old-mountpoint-samples.patch
+smb3-remove-unused-flag-passed-into-close-functions.patch
+cifs-fix-interrupted-close-commands.patch
+dm-integrity-fix-flush-with-external-metadata-device.patch
--- /dev/null
+From 7df363f296664454575bfe39df1a7c172c248b55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 17:55:41 -0600
+Subject: smb3: remove unused flag passed into close functions
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit 9e8fae2597405ab1deac8909928eb8e99876f639 ]
+
+close was relayered to allow passing in an async flag which
+is no longer needed in this path. Remove the unneeded parameter
+"flags" passed in on close.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 19 +++++--------------
+ fs/cifs/smb2proto.h | 2 --
+ 2 files changed, 5 insertions(+), 16 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 7ff05c06f2a4c..c095f2e6b0825 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2945,8 +2945,8 @@ SMB2_close_free(struct smb_rqst *rqst)
+ }
+
+ int
+-SMB2_close_flags(const unsigned int xid, struct cifs_tcon *tcon,
+- u64 persistent_fid, u64 volatile_fid, int flags)
++SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
++ u64 persistent_fid, u64 volatile_fid)
+ {
+ struct smb_rqst rqst;
+ struct smb2_close_rsp *rsp = NULL;
+@@ -2955,6 +2955,7 @@ SMB2_close_flags(const unsigned int xid, struct cifs_tcon *tcon,
+ struct kvec rsp_iov;
+ int resp_buftype = CIFS_NO_BUFFER;
+ int rc = 0;
++ int flags = 0;
+
+ cifs_dbg(FYI, "Close\n");
+
+@@ -2993,27 +2994,17 @@ SMB2_close_flags(const unsigned int xid, struct cifs_tcon *tcon,
+ close_exit:
+ SMB2_close_free(&rqst);
+ free_rsp_buf(resp_buftype, rsp);
+- return rc;
+-}
+-
+-int
+-SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
+- u64 persistent_fid, u64 volatile_fid)
+-{
+- int rc;
+- int tmp_rc;
+-
+- rc = SMB2_close_flags(xid, tcon, persistent_fid, volatile_fid, 0);
+
+ /* retry close in a worker thread if this one is interrupted */
+ if (rc == -EINTR) {
++ int tmp_rc;
++
+ tmp_rc = smb2_handle_cancelled_close(tcon, persistent_fid,
+ volatile_fid);
+ if (tmp_rc)
+ cifs_dbg(VFS, "handle cancelled close fid 0x%llx returned error %d\n",
+ persistent_fid, tmp_rc);
+ }
+-
+ return rc;
+ }
+
+diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h
+index 2a12a2fa38a22..57f7075a35871 100644
+--- a/fs/cifs/smb2proto.h
++++ b/fs/cifs/smb2proto.h
+@@ -156,8 +156,6 @@ extern int SMB2_change_notify(const unsigned int xid, struct cifs_tcon *tcon,
+
+ extern int SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
+ u64 persistent_file_id, u64 volatile_file_id);
+-extern int SMB2_close_flags(const unsigned int xid, struct cifs_tcon *tcon,
+- u64 persistent_fid, u64 volatile_fid, int flags);
+ extern int SMB2_close_init(struct cifs_tcon *tcon, struct smb_rqst *rqst,
+ u64 persistent_file_id, u64 volatile_file_id);
+ extern void SMB2_close_free(struct smb_rqst *rqst);
+--
+2.27.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
