1. 05 Oct, 2019 18 commits
  2. 01 Oct, 2019 22 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.19.76 · 555161ee
      Greg Kroah-Hartman authored
      555161ee
    • Chao Yu's avatar
      f2fs: use generic EFSBADCRC/EFSCORRUPTED · 59a5cea4
      Chao Yu authored
      [ Upstream commit 10f966bb ]
      
      f2fs uses EFAULT as error number to indicate filesystem is corrupted
      all the time, but generic filesystems use EUCLEAN for such condition,
      we need to change to follow others.
      
      This patch adds two new macros as below to wrap more generic error
      code macros, and spread them in code.
      
      EFSBADCRC	EBADMSG		/* Bad CRC detected */
      EFSCORRUPTED	EUCLEAN		/* Filesystem is corrupted */
      Reported-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Acked-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      59a5cea4
    • Ka-Cheong Poon's avatar
      net/rds: Check laddr_check before calling it · fc3d2964
      Ka-Cheong Poon authored
      [ Upstream commit 05733434 ]
      
      In rds_bind(), laddr_check is called without checking if it is NULL or
      not.  And rs_transport should be reset if rds_add_bound() fails.
      
      Fixes: c5c1a030 ("net/rds: An rds_sock is added too early to the hash table")
      Reported-by: syzbot+fae39afd2101a17ec624@syzkaller.appspotmail.com
      Signed-off-by: default avatarKa-Cheong Poon <ka-cheong.poon@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fc3d2964
    • Ka-Cheong Poon's avatar
      net/rds: An rds_sock is added too early to the hash table · 3de749d6
      Ka-Cheong Poon authored
      [ Upstream commit c5c1a030 ]
      
      In rds_bind(), an rds_sock is added to the RDS bind hash table before
      rs_transport is set.  This means that the socket can be found by the
      receive code path when rs_transport is NULL.  And the receive code
      path de-references rs_transport for congestion update check.  This can
      cause a panic.  An rds_sock should not be added to the bind hash table
      before all the needed fields are set.
      
      Reported-by: syzbot+4b4f8163c2e246df3c4c@syzkaller.appspotmail.com
      Signed-off-by: default avatarKa-Cheong Poon <ka-cheong.poon@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3de749d6
    • Cong Wang's avatar
      net_sched: check cops->tcf_block in tc_bind_tclass() · 07f7ec87
      Cong Wang authored
      [ Upstream commit 8b142a00 ]
      
      At least sch_red and sch_tbf don't implement ->tcf_block()
      while still have a non-zero tc "class".
      
      Instead of adding nop implementations to each of such qdisc's,
      we can just relax the check of cops->tcf_block() in
      tc_bind_tclass(). They don't support TC filter anyway.
      
      Reported-by: syzbot+21b29db13c065852f64b@syzkaller.appspotmail.com
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      07f7ec87
    • Jian-Hong Pan's avatar
      Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices · 90b0761c
      Jian-Hong Pan authored
      [ Upstream commit 6d0762b1 ]
      
      The ASUS X412FA laptop contains a Realtek RTL8822CE device with an
      associated BT chip using a USB ID of 04ca:4005. This ID is added to the
      driver.
      
      The /sys/kernel/debug/usb/devices portion for this device is:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=09 Cnt=04 Dev#=  4 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=04ca ProdID=4005 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      
      Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=204707Signed-off-by: default avatarJian-Hong Pan <jian-hong@endlessm.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      90b0761c
    • Fernando Fernandez Mancera's avatar
      netfilter: nft_socket: fix erroneous socket assignment · 69348094
      Fernando Fernandez Mancera authored
      [ Upstream commit 039b1f4f ]
      
      The socket assignment is wrong, see skb_orphan():
      When skb->destructor callback is not set, but skb->sk is set, this hits BUG().
      
      Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
      Fixes: 554ced0a ("netfilter: nf_tables: add support for native socket matching")
      Signed-off-by: default avatarFernando Fernandez Mancera <ffmancera@riseup.net>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      69348094
    • Darrick J. Wong's avatar
      xfs: don't crash on null attr fork xfs_bmapi_read · 649836fe
      Darrick J. Wong authored
      [ Upstream commit 8612de3f ]
      
      Zorro Lang reported a crash in generic/475 if we try to inactivate a
      corrupt inode with a NULL attr fork (stack trace shortened somewhat):
      
      RIP: 0010:xfs_bmapi_read+0x311/0xb00 [xfs]
      RSP: 0018:ffff888047f9ed68 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff888047f9f038 RCX: 1ffffffff5f99f51
      RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000012
      RBP: ffff888002a41f00 R08: ffffed10005483f0 R09: ffffed10005483ef
      R10: ffffed10005483ef R11: ffff888002a41f7f R12: 0000000000000004
      R13: ffffe8fff53b5768 R14: 0000000000000005 R15: 0000000000000001
      FS:  00007f11d44b5b80(0000) GS:ffff888114200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000ef6000 CR3: 000000002e176003 CR4: 00000000001606e0
      Call Trace:
       xfs_dabuf_map.constprop.18+0x696/0xe50 [xfs]
       xfs_da_read_buf+0xf5/0x2c0 [xfs]
       xfs_da3_node_read+0x1d/0x230 [xfs]
       xfs_attr_inactive+0x3cc/0x5e0 [xfs]
       xfs_inactive+0x4c8/0x5b0 [xfs]
       xfs_fs_destroy_inode+0x31b/0x8e0 [xfs]
       destroy_inode+0xbc/0x190
       xfs_bulkstat_one_int+0xa8c/0x1200 [xfs]
       xfs_bulkstat_one+0x16/0x20 [xfs]
       xfs_bulkstat+0x6fa/0xf20 [xfs]
       xfs_ioc_bulkstat+0x182/0x2b0 [xfs]
       xfs_file_ioctl+0xee0/0x12a0 [xfs]
       do_vfs_ioctl+0x193/0x1000
       ksys_ioctl+0x60/0x90
       __x64_sys_ioctl+0x6f/0xb0
       do_syscall_64+0x9f/0x4d0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f11d39a3e5b
      
      The "obvious" cause is that the attr ifork is null despite the inode
      claiming an attr fork having at least one extent, but it's not so
      obvious why we ended up with an inode in that state.
      Reported-by: default avatarZorro Lang <zlang@redhat.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204031Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarBill O'Donnell <billodo@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      649836fe
    • Ilia Mirkin's avatar
      drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling · 91ae8724
      Ilia Mirkin authored
      [ Upstream commit 533f4752 ]
      
      Previously center scaling would get scaling applied to it (when it was
      only supposed to center the image), and aspect-corrected scaling did not
      always correctly pick whether to reduce width or height for a particular
      combination of inputs/outputs.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110660Signed-off-by: default avatarIlia Mirkin <imirkin@alum.mit.edu>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      91ae8724
    • Hans de Goede's avatar
      ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35 · 3717f4a4
      Hans de Goede authored
      [ Upstream commit 4f7f9645 ]
      
      Some machines change the brightness themselves when a brightness hotkey
      gets pressed, despite us telling them not to. This causes the brightness to
      go two steps up / down when the hotkey is pressed. This is esp. a problem
      on older machines with only a few brightness levels.
      
      This commit adds a new hw_changes_brightness quirk which makes
      acpi_video_device_notify() only call backlight_force_update(...,
      BACKLIGHT_UPDATE_HOTKEY) and not do anything else, notifying userspace
      that the brightness was changed and leaving it at that fixing the dual
      step problem.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204077Reported-by: default avatarKacper Piwiński <cosiekvfj@o2.pl>
      Tested-by: default avatarKacper Piwiński <cosiekvfj@o2.pl>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3717f4a4
    • Jian-Hong Pan's avatar
      Bluetooth: btrtl: HCI reset on close for Realtek BT chip · 46beb6ea
      Jian-Hong Pan authored
      [ Upstream commit 7af3f558 ]
      
      Realtek RTL8822BE BT chip on ASUS X420FA cannot be turned on correctly
      after on-off several times. Bluetooth daemon sets BT mode failed when
      this issue happens. Scanning must be active while turning off for this
      bug to be hit.
      
      bluetoothd[1576]: Failed to set mode: Failed (0x03)
      
      If BT is turned off, then turned on again, it works correctly again.
      
      According to the vendor driver, the HCI_QUIRK_RESET_ON_CLOSE flag is set
      during probing. So, this patch makes Realtek's BT reset on close to fix
      this issue.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=203429Signed-off-by: default avatarJian-Hong Pan <jian-hong@endlessm.com>
      Reviewed-by: default avatarDaniel Drake <drake@endlessm.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      46beb6ea
    • Stephen Hemminger's avatar
      net: don't warn in inet diag when IPV6 is disabled · 8ffd7ba9
      Stephen Hemminger authored
      [ Upstream commit 1e64d7cb ]
      
      If IPV6 was disabled, then ss command would cause a kernel warning
      because the command was attempting to dump IPV6 socket information.
      The fix is to just remove the warning.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202249
      Fixes: 432490f9 ("net: ip, diag -- Add diag interface for raw sockets")
      Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8ffd7ba9
    • Chris Wilson's avatar
      drm: Flush output polling on shutdown · ff0fbfac
      Chris Wilson authored
      [ Upstream commit 3b295cb1 ]
      
      We need to mark the output polling as disabled to prevent concurrent
      irqs from queuing new work as shutdown the probe -- causing that work to
      execute after we have freed the structs:
      
      <4> [341.846490] DEBUG_LOCKS_WARN_ON(mutex_is_locked(lock))
      <4> [341.846497] WARNING: CPU: 3 PID: 3300 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x49/0x50
      <4> [341.846508] Modules linked in: i915(-) vgem thunderbolt snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic mei_hdcp x86_pkg_temp_thermal coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm mcs7830 btusb usbnet btrtl mii btbcm btintel bluetooth ecdh_generic ecc mei_me mei prime_numbers i2c_hid pinctrl_sunrisepoint pinctrl_intel [last unloaded: i915]
      <4> [341.846546] CPU: 3 PID: 3300 Comm: i915_module_loa Tainted: G     U            5.2.0-rc2-CI-CI_DRM_6175+ #1
      <4> [341.846553] Hardware name: Dell Inc. XPS 13 9360/0823VW, BIOS 2.9.0 07/09/2018
      <4> [341.846560] RIP: 0010:mutex_destroy+0x49/0x50
      <4> [341.846565] Code: 00 00 5b c3 e8 a8 9f 3b 00 85 c0 74 ed 8b 05 3e 55 23 01 85 c0 75 e3 48 c7 c6 00 d0 08 82 48 c7 c7 a8 aa 07 82 e8 e7 08 fa ff <0f> 0b eb cc 0f 1f 00 48 b8 11 11 11 11 11 11 11 11 48 89 76 20 48
      <4> [341.846578] RSP: 0018:ffffc900006cfdb0 EFLAGS: 00010286
      <4> [341.846583] RAX: 0000000000000000 RBX: ffff88826759a168 RCX: 0000000000000000
      <4> [341.846589] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffffffff8112844c
      <4> [341.846595] RBP: ffff8882708fa548 R08: 0000000000000000 R09: 0000000000039600
      <4> [341.846601] R10: 0000000000000000 R11: 0000000000000ce4 R12: ffffffffa07de1e0
      <4> [341.846607] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffa07de2d0
      <4> [341.846613] FS:  00007f62b5ae0e40(0000) GS:ffff888276380000(0000) knlGS:0000000000000000
      <4> [341.846620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      <4> [341.846626] CR2: 000055a4e064f4a0 CR3: 0000000266b16006 CR4: 00000000003606e0
      <4> [341.846632] Call Trace:
      <4> [341.846639]  drm_fb_helper_fini.part.17+0xb3/0x100
      <4> [341.846682]  intel_fbdev_fini+0x20/0x80 [i915]
      <4> [341.846722]  intel_modeset_cleanup+0x9a/0x140 [i915]
      <4> [341.846750]  i915_driver_unload+0xa3/0x100 [i915]
      <4> [341.846778]  i915_pci_remove+0x19/0x30 [i915]
      <4> [341.846784]  pci_device_remove+0x36/0xb0
      <4> [341.846790]  device_release_driver_internal+0xd3/0x1b0
      <4> [341.846795]  driver_detach+0x3f/0x80
      <4> [341.846800]  bus_remove_driver+0x53/0xd0
      <4> [341.846805]  pci_unregister_driver+0x25/0xa0
      <4> [341.846843]  i915_exit+0x16/0x1c [i915]
      <4> [341.846849]  __se_sys_delete_module+0x162/0x210
      <4> [341.846855]  ? trace_hardirqs_off_thunk+0x1a/0x1c
      <4> [341.846859]  ? do_syscall_64+0xd/0x1c0
      <4> [341.846864]  do_syscall_64+0x55/0x1c0
      <4> [341.846869]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      <4> [341.846875] RIP: 0033:0x7f62b51871b7
      <4> [341.846881] Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
      <4> [341.846897] RSP: 002b:00007ffe7a227138 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      <4> [341.846904] RAX: ffffffffffffffda RBX: 00007ffe7a2272b0 RCX: 00007f62b51871b7
      <4> [341.846910] RDX: 0000000000000001 RSI: 0000000000000800 RDI: 0000557cd6b55948
      <4> [341.846916] RBP: 0000557cd6b558e0 R08: 0000557cd6b5594c R09: 00007ffe7a227160
      <4> [341.846922] R10: 00007ffe7a226134 R11: 0000000000000206 R12: 0000000000000000
      <4> [341.846927] R13: 00007ffe7a227820 R14: 0000000000000000 R15: 0000000000000000
      <4> [341.846936] irq event stamp: 3547847
      <4> [341.846940] hardirqs last  enabled at (3547847): [<ffffffff819aad2c>] _raw_spin_unlock_irqrestore+0x4c/0x60
      <4> [341.846949] hardirqs last disabled at (3547846): [<ffffffff819aab9d>] _raw_spin_lock_irqsave+0xd/0x50
      <4> [341.846957] softirqs last  enabled at (3547376): [<ffffffff81c0033a>] __do_softirq+0x33a/0x4b9
      <4> [341.846966] softirqs last disabled at (3547367): [<ffffffff810b6379>] irq_exit+0xa9/0xc0
      <4> [341.846973] WARNING: CPU: 3 PID: 3300 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x49/0x50
      <4> [341.846980] ---[ end trace ba94ca8952ba970e ]---
      <7> [341.866547] [drm:intel_dp_detect [i915]] MST support? port A: no, sink: no, modparam: yes
      <7> [341.890480] [drm:drm_add_display_info] non_desktop set to 0
      <7> [341.890530] [drm:drm_add_edid_modes] ELD: no CEA Extension found
      <7> [341.890537] [drm:drm_add_display_info] non_desktop set to 0
      <7> [341.890578] [drm:drm_helper_probe_single_connector_modes] [CONNECTOR:86:eDP-1] probed modes :
      <7> [341.890589] [drm:drm_mode_debug_printmodeline] Modeline "3200x1800": 60 373250 3200 3248 3280 3360 1800 1803 1808 1852 0x48 0xa
      <7> [341.890602] [drm:drm_mode_debug_printmodeline] Modeline "3200x1800": 48 298600 3200 3248 3280 3360 1800 1803 1808 1852 0x40 0xa
      <4> [341.890628] general protection fault: 0000 [#1] PREEMPT SMP PTI
      <4> [341.890636] CPU: 0 PID: 508 Comm: kworker/0:4 Tainted: G     U  W         5.2.0-rc2-CI-CI_DRM_6175+ #1
      <4> [341.890646] Hardware name: Dell Inc. XPS 13 9360/0823VW, BIOS 2.9.0 07/09/2018
      <4> [341.890655] Workqueue: events output_poll_execute
      <4> [341.890663] RIP: 0010:drm_setup_crtcs+0x13e/0xbe0
      <4> [341.890669] Code: 00 41 8b 44 24 58 85 c0 0f 8e f9 01 00 00 44 8b 6c 24 20 44 8b 74 24 28 31 db 31 ed 49 8b 44 24 60 48 63 d5 44 89 ee 83 c5 01 <48> 8b 04 d0 44 89 f2 48 8b 38 48 8b 87 88 01 00 00 48 8b 40 20 e8
      <4> [341.890686] RSP: 0018:ffffc9000033fd40 EFLAGS: 00010202
      <4> [341.890692] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000002 RCX: 0000000000000000
      <4> [341.890700] RDX: 0000000000000001 RSI: 0000000000000c80 RDI: 00000000ffffffff
      <4> [341.890707] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
      <4> [341.890715] R10: 0000000000000c80 R11: 0000000000000000 R12: ffff888267599fe8
      <4> [341.890722] R13: 0000000000000c80 R14: 0000000000000708 R15: 0000000000000007
      <4> [341.890730] FS:  0000000000000000(0000) GS:ffff888276200000(0000) knlGS:0000000000000000
      <4> [341.890739] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      <4> [341.890745] CR2: 000055a4e064f4a0 CR3: 000000026d234003 CR4: 00000000003606f0
      <4> [341.890752] Call Trace:
      <4> [341.890760]  drm_fb_helper_hotplug_event.part.24+0x89/0xb0
      <4> [341.890768]  drm_kms_helper_hotplug_event+0x21/0x30
      <4> [341.890774]  output_poll_execute+0x9d/0x1a0
      <4> [341.890782]  process_one_work+0x245/0x610
      <4> [341.890790]  worker_thread+0x37/0x380
      <4> [341.890796]  ? process_one_work+0x610/0x610
      <4> [341.890802]  kthread+0x119/0x130
      <4> [341.890808]  ? kthread_park+0x80/0x80
      <4> [341.890815]  ret_from_fork+0x3a/0x50
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109964Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: default avatarImre Deak <imre.deak@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190603135910.15979-2-chris@chris-wilson.co.ukSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      ff0fbfac
    • Chao Yu's avatar
      f2fs: fix to do sanity check on segment bitmap of LFS curseg · 303f6d6b
      Chao Yu authored
      [ Upstream commit c854f4d6 ]
      
      As Jungyeon Reported in bugzilla:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=203233
      
      - Reproduces
      gcc poc_13.c
      ./run.sh f2fs
      
      - Kernel messages
       F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
       kernel BUG at fs/f2fs/segment.c:2133!
       RIP: 0010:update_sit_entry+0x35d/0x3e0
       Call Trace:
        f2fs_allocate_data_block+0x16c/0x5a0
        do_write_page+0x57/0x100
        f2fs_do_write_node_page+0x33/0xa0
        __write_node_page+0x270/0x4e0
        f2fs_sync_node_pages+0x5df/0x670
        f2fs_write_checkpoint+0x364/0x13a0
        f2fs_sync_fs+0xa3/0x130
        f2fs_do_sync_file+0x1a6/0x810
        do_fsync+0x33/0x60
        __x64_sys_fsync+0xb/0x10
        do_syscall_64+0x43/0x110
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The testcase fails because that, in fuzzed image, current segment was
      allocated with LFS type, its .next_blkoff should point to an unused
      block address, but actually, its bitmap shows it's not. So during
      allocation, f2fs crash when setting bitmap.
      
      Introducing sanity_check_curseg() to check such inconsistence of
      current in-used segment.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      303f6d6b
    • Michal Suchanek's avatar
      net/ibmvnic: Fix missing { in __ibmvnic_reset · dec09554
      Michal Suchanek authored
      [ Upstream commit c8dc5595 ]
      
      Commit 1c2977c0 ("net/ibmvnic: free reset work of removed device from queue")
      adds a } without corresponding { causing build break.
      
      Fixes: 1c2977c0 ("net/ibmvnic: free reset work of removed device from queue")
      Signed-off-by: default avatarMichal Suchanek <msuchanek@suse.de>
      Reviewed-by: default avatarTyrel Datwyler <tyreld@linux.ibm.com>
      Reviewed-by: default avatarJuliet Kim <julietk@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dec09554
    • Mikulas Patocka's avatar
      dm zoned: fix invalid memory access · dc9118fe
      Mikulas Patocka authored
      [ Upstream commit 0c8e9c2d ]
      
      Commit 75d66ffb ("dm zoned: properly
      handle backing device failure") triggers a coverity warning:
      
      *** CID 1452808:  Memory - illegal accesses  (USE_AFTER_FREE)
      /drivers/md/dm-zoned-target.c: 137 in dmz_submit_bio()
      131             clone->bi_private = bioctx;
      132
      133             bio_advance(bio, clone->bi_iter.bi_size);
      134
      135             refcount_inc(&bioctx->ref);
      136             generic_make_request(clone);
      >>>     CID 1452808:  Memory - illegal accesses  (USE_AFTER_FREE)
      >>>     Dereferencing freed pointer "clone".
      137             if (clone->bi_status == BLK_STS_IOERR)
      138                     return -EIO;
      139
      140             if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone))
      141                     zone->wp_block += nr_blocks;
      142
      
      The "clone" bio may be processed and freed before the check
      "clone->bi_status == BLK_STS_IOERR" - so this check can access invalid
      memory.
      
      Fixes: 75d66ffb ("dm zoned: properly handle backing device failure")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Reviewed-by: default avatarDamien Le Moal <damien.lemoal@wdc.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dc9118fe
    • Chao Yu's avatar
      Revert "f2fs: avoid out-of-range memory access" · 73d90f57
      Chao Yu authored
      [ Upstream commit a37d0862 ]
      
      As Pavel Machek reported:
      
      "We normally use -EUCLEAN to signal filesystem corruption. Plus, it is
      good idea to report it to the syslog and mark filesystem as "needing
      fsck" if filesystem can do that."
      
      Still we need improve the original patch with:
      - use unlikely keyword
      - add message print
      - return EUCLEAN
      
      However, after rethink this patch, I don't think we should add such
      condition check here as below reasons:
      - We have already checked the field in f2fs_sanity_check_ckpt(),
      - If there is fs corrupt or security vulnerability, there is nothing
      to guarantee the field is integrated after the check, unless we do
      the check before each of its use, however no filesystem does that.
      - We only have similar check for bitmap, which was added due to there
      is bitmap corruption happened on f2fs' runtime in product.
      - There are so many key fields in SB/CP/NAT did have such check
      after f2fs_sanity_check_{sb,cp,..}.
      
      So I propose to revert this unneeded check.
      
      This reverts commit 56f3ce67.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      73d90f57
    • zhengbin's avatar
      blk-mq: move cancel of requeue_work to the front of blk_exit_queue · 40cdc71e
      zhengbin authored
      [ Upstream commit e26cc082 ]
      
      blk_exit_queue will free elevator_data, while blk_mq_requeue_work
      will access it. Move cancel of requeue_work to the front of
      blk_exit_queue to avoid use-after-free.
      
      blk_exit_queue                blk_mq_requeue_work
        __elevator_exit               blk_mq_run_hw_queues
          blk_mq_exit_sched             blk_mq_run_hw_queue
            dd_exit_queue                 blk_mq_hctx_has_pending
              kfree(elevator_data)          blk_mq_sched_has_work
                                              dd_has_work
      
      Fixes: fbc2a15e ("blk-mq: move cancel of requeue_work into blk_mq_release")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
      Signed-off-by: default avatarzhengbin <zhengbin13@huawei.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      40cdc71e
    • Jianchao Wang's avatar
      blk-mq: change gfp flags to GFP_NOIO in blk_mq_realloc_hw_ctxs · 313efb25
      Jianchao Wang authored
      [ Upstream commit 5b202853 ]
      
      blk_mq_realloc_hw_ctxs could be invoked during update hw queues.
      At the momemt, IO is blocked. Change the gfp flags from GFP_KERNEL
      to GFP_NOIO to avoid forever hang during memory allocation in
      blk_mq_realloc_hw_ctxs.
      Signed-off-by: default avatarJianchao Wang <jianchao.w.wang@oracle.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      313efb25
    • Steven Price's avatar
      initramfs: don't free a non-existent initrd · 75448f40
      Steven Price authored
      [ Upstream commit 5d59aa8f ]
      
      Since commit 54c7a891 ("initramfs: free initrd memory if opening
      /initrd.image fails"), the kernel has unconditionally attempted to free
      the initrd even if it doesn't exist.
      
      In the non-existent case this causes a boot-time splat if
      CONFIG_DEBUG_VIRTUAL is enabled due to a call to virt_to_phys() with a
      NULL address.
      
      Instead we should check that the initrd actually exists and only attempt
      to free it if it does.
      
      Link: http://lkml.kernel.org/r/20190516143125.48948-1-steven.price@arm.com
      Fixes: 54c7a891 ("initramfs: free initrd memory if opening /initrd.image fails")
      Signed-off-by: default avatarSteven Price <steven.price@arm.com>
      Reported-by: default avatarMark Rutland <mark.rutland@arm.com>
      Tested-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reviewed-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      75448f40
    • Coly Li's avatar
      bcache: remove redundant LIST_HEAD(journal) from run_cache_set() · ad16dfef
      Coly Li authored
      [ Upstream commit cdca22bc ]
      
      Commit 95f18c9d ("bcache: avoid potential memleak of list of
      journal_replay(s) in the CACHE_SYNC branch of run_cache_set") forgets
      to remove the original define of LIST_HEAD(journal), which makes
      the change no take effect. This patch removes redundant variable
      LIST_HEAD(journal) from run_cache_set(), to make Shenghui's fix
      working.
      
      Fixes: 95f18c9d ("bcache: avoid potential memleak of list of journal_replay(s) in the CACHE_SYNC branch of run_cache_set")
      Reported-by: default avatarJuha Aatrokoski <juha.aatrokoski@aalto.fi>
      Cc: Shenghui Wang <shhuiw@foxmail.com>
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ad16dfef
    • Dexuan Cui's avatar
      PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it · 08fdaee2
      Dexuan Cui authored
      [ Upstream commit 533ca1fe ]
      
      The slot must be removed before the pci_dev is removed, otherwise a panic
      can happen due to use-after-free.
      
      Fixes: 15becc2b ("PCI: hv: Add hv_pci_remove_slots() when we unload the driver")
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      08fdaee2