1. 05 Oct, 2019 18 commits
  2. 01 Oct, 2019 22 commits
    • Linux 4.19.76 · 555161ee
      Greg Kroah-Hartman committed
      555161ee
    • f2fs: use generic EFSBADCRC/EFSCORRUPTED · 59a5cea4
      Chao Yu committed
      [ Upstream commit 10f966bbf521bb9b2e497bbca496a5141f4071d0 ]
      
      f2fs uses EFAULT as error number to indicate filesystem is corrupted
      all the time, but generic filesystems use EUCLEAN for such condition,
      we need to change to follow others.
      
      This patch adds two new macros as below to wrap more generic error
      code macros, and spread them in code.
      
      EFSBADCRC	EBADMSG		/* Bad CRC detected */
      EFSCORRUPTED	EUCLEAN		/* Filesystem is corrupted */
      
      Reported-by: Pavel Machek <pavel@ucw.cz>
      Signed-off-by: Chao Yu <yuchao0@huawei.com>
      Acked-by: Pavel Machek <pavel@ucw.cz>
      Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      59a5cea4
    • net/rds: Check laddr_check before calling it · fc3d2964
      Ka-Cheong Poon committed
      [ Upstream commit 05733434ee9ae6548723a808647248583e347cca ]
      
      In rds_bind(), laddr_check is called without checking if it is NULL or
      not.  And rs_transport should be reset if rds_add_bound() fails.
      
      Fixes: c5c1a030a7db ("net/rds: An rds_sock is added too early to the hash table")
      Reported-by: syzbot+fae39afd2101a17ec624@syzkaller.appspotmail.com
      Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
      Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      fc3d2964
    • net/rds: An rds_sock is added too early to the hash table · 3de749d6
      Ka-Cheong Poon committed
      [ Upstream commit c5c1a030a7dbf8dd4e1fa4405ae9a89dc1d2a8db ]
      
      In rds_bind(), an rds_sock is added to the RDS bind hash table before
      rs_transport is set.  This means that the socket can be found by the
      receive code path when rs_transport is NULL.  And the receive code
      path de-references rs_transport for congestion update check.  This can
      cause a panic.  An rds_sock should not be added to the bind hash table
      before all the needed fields are set.
      
      Reported-by: syzbot+4b4f8163c2e246df3c4c@syzkaller.appspotmail.com
      Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      3de749d6
    • net_sched: check cops->tcf_block in tc_bind_tclass() · 07f7ec87
      Cong Wang committed
      [ Upstream commit 8b142a00edcf8422ca48b8de88d286efb500cb53 ]
      
      At least sch_red and sch_tbf don't implement ->tcf_block()
      while still have a non-zero tc "class".
      
      Instead of adding nop implementations to each of such qdisc's,
      we can just relax the check of cops->tcf_block() in
      tc_bind_tclass(). They don't support TC filter anyway.
      
      Reported-by: syzbot+21b29db13c065852f64b@syzkaller.appspotmail.com
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      07f7ec87
    • Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices · 90b0761c
      Jian-Hong Pan committed
      [ Upstream commit 6d0762b19c5963ff9e178e8af3626532ee04d93d ]
      
      The ASUS X412FA laptop contains a Realtek RTL8822CE device with an
      associated BT chip using a USB ID of 04ca:4005. This ID is added to the
      driver.
      
      The /sys/kernel/debug/usb/devices portion for this device is:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=09 Cnt=04 Dev#=  4 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=04ca ProdID=4005 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      
      Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=204707
      Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      90b0761c
    • netfilter: nft_socket: fix erroneous socket assignment · 69348094
      Fernando Fernandez Mancera committed
      [ Upstream commit 039b1f4f24ecc8493b6bb9d70b4b78750d1b35c2 ]
      
      The socket assignment is wrong, see skb_orphan():
      When skb->destructor callback is not set, but skb->sk is set, this hits BUG().
      
      Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
      Fixes: 554ced0a ("netfilter: nf_tables: add support for native socket matching")
      Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      69348094
    • xfs: don't crash on null attr fork xfs_bmapi_read · 649836fe
      Darrick J. Wong committed
      [ Upstream commit 8612de3f7ba6e900465e340516b8313806d27b2d ]
      
      Zorro Lang reported a crash in generic/475 if we try to inactivate a
      corrupt inode with a NULL attr fork (stack trace shortened somewhat):
      
      RIP: 0010:xfs_bmapi_read+0x311/0xb00 [xfs]
      RSP: 0018:ffff888047f9ed68 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff888047f9f038 RCX: 1ffffffff5f99f51
      RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000012
      RBP: ffff888002a41f00 R08: ffffed10005483f0 R09: ffffed10005483ef
      R10: ffffed10005483ef R11: ffff888002a41f7f R12: 0000000000000004
      R13: ffffe8fff53b5768 R14: 0000000000000005 R15: 0000000000000001
      FS:  00007f11d44b5b80(0000) GS:ffff888114200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000ef6000 CR3: 000000002e176003 CR4: 00000000001606e0
      Call Trace:
       xfs_dabuf_map.constprop.18+0x696/0xe50 [xfs]
       xfs_da_read_buf+0xf5/0x2c0 [xfs]
       xfs_da3_node_read+0x1d/0x230 [xfs]
       xfs_attr_inactive+0x3cc/0x5e0 [xfs]
       xfs_inactive+0x4c8/0x5b0 [xfs]
       xfs_fs_destroy_inode+0x31b/0x8e0 [xfs]
       destroy_inode+0xbc/0x190
       xfs_bulkstat_one_int+0xa8c/0x1200 [xfs]
       xfs_bulkstat_one+0x16/0x20 [xfs]
       xfs_bulkstat+0x6fa/0xf20 [xfs]
       xfs_ioc_bulkstat+0x182/0x2b0 [xfs]
       xfs_file_ioctl+0xee0/0x12a0 [xfs]
       do_vfs_ioctl+0x193/0x1000
       ksys_ioctl+0x60/0x90
       __x64_sys_ioctl+0x6f/0xb0
       do_syscall_64+0x9f/0x4d0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f11d39a3e5b
      
      The "obvious" cause is that the attr ifork is null despite the inode
      claiming an attr fork having at least one extent, but it's not so
      obvious why we ended up with an inode in that state.
      
      Reported-by: Zorro Lang <zlang@redhat.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204031
      Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: Bill O'Donnell <billodo@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      649836fe
    • drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling · 91ae8724
      Ilia Mirkin committed
      [ Upstream commit 533f4752407543f488a9118d817b8c504352b6fb ]
      
      Previously center scaling would get scaling applied to it (when it was
      only supposed to center the image), and aspect-corrected scaling did not
      always correctly pick whether to reduce width or height for a particular
      combination of inputs/outputs.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110660
      Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
      Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      91ae8724
    • ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35 · 3717f4a4
      Hans de Goede committed
      [ Upstream commit 4f7f96453b462b3de0fa18d18fe983960bb5ee7f ]
      
      Some machines change the brightness themselves when a brightness hotkey
      gets pressed, despite us telling them not to. This causes the brightness to
      go two steps up / down when the hotkey is pressed. This is esp. a problem
      on older machines with only a few brightness levels.
      
      This commit adds a new hw_changes_brightness quirk which makes
      acpi_video_device_notify() only call backlight_force_update(...,
      BACKLIGHT_UPDATE_HOTKEY) and not do anything else, notifying userspace
      that the brightness was changed and leaving it at that fixing the dual
      step problem.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204077
      Reported-by: Kacper Piwiński <cosiekvfj@o2.pl>
      Tested-by: Kacper Piwiński <cosiekvfj@o2.pl>
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      3717f4a4
    • Bluetooth: btrtl: HCI reset on close for Realtek BT chip · 46beb6ea
      Jian-Hong Pan committed
      [ Upstream commit 7af3f558aca74f2ee47b173f1c27f6bb9a5b5561 ]
      
      Realtek RTL8822BE BT chip on ASUS X420FA cannot be turned on correctly
      after on-off several times. Bluetooth daemon sets BT mode failed when
      this issue happens. Scanning must be active while turning off for this
      bug to be hit.
      
      bluetoothd[1576]: Failed to set mode: Failed (0x03)
      
      If BT is turned off, then turned on again, it works correctly again.
      
      According to the vendor driver, the HCI_QUIRK_RESET_ON_CLOSE flag is set
      during probing. So, this patch makes Realtek's BT reset on close to fix
      this issue.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=203429
      Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
      Reviewed-by: Daniel Drake <drake@endlessm.com>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      46beb6ea
    • net: don't warn in inet diag when IPV6 is disabled · 8ffd7ba9
      Stephen Hemminger committed
      [ Upstream commit 1e64d7cbfdce4887008314d5b367209582223f27 ]
      
      If IPV6 was disabled, then ss command would cause a kernel warning
      because the command was attempting to dump IPV6 socket information.
      The fix is to just remove the warning.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202249
      Fixes: 432490f9 ("net: ip, diag -- Add diag interface for raw sockets")
      Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      8ffd7ba9
    • drm: Flush output polling on shutdown · ff0fbfac
      Chris Wilson committed
      [ Upstream commit 3b295cb1a411d9c82bbfaa66bc17a8508716ed07 ]
      
      We need to mark the output polling as disabled to prevent concurrent
      irqs from queuing new work as shutdown the probe -- causing that work to
      execute after we have freed the structs:
      
      <4> [341.846490] DEBUG_LOCKS_WARN_ON(mutex_is_locked(lock))
      <4> [341.846497] WARNING: CPU: 3 PID: 3300 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x49/0x50
      <4> [341.846508] Modules linked in: i915(-) vgem thunderbolt snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic mei_hdcp x86_pkg_temp_thermal coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm mcs7830 btusb usbnet btrtl mii btbcm btintel bluetooth ecdh_generic ecc mei_me mei prime_numbers i2c_hid pinctrl_sunrisepoint pinctrl_intel [last unloaded: i915]
      <4> [341.846546] CPU: 3 PID: 3300 Comm: i915_module_loa Tainted: G     U            5.2.0-rc2-CI-CI_DRM_6175+ #1
      <4> [341.846553] Hardware name: Dell Inc. XPS 13 9360/0823VW, BIOS 2.9.0 07/09/2018
      <4> [341.846560] RIP: 0010:mutex_destroy+0x49/0x50
      <4> [341.846565] Code: 00 00 5b c3 e8 a8 9f 3b 00 85 c0 74 ed 8b 05 3e 55 23 01 85 c0 75 e3 48 c7 c6 00 d0 08 82 48 c7 c7 a8 aa 07 82 e8 e7 08 fa ff <0f> 0b eb cc 0f 1f 00 48 b8 11 11 11 11 11 11 11 11 48 89 76 20 48
      <4> [341.846578] RSP: 0018:ffffc900006cfdb0 EFLAGS: 00010286
      <4> [341.846583] RAX: 0000000000000000 RBX: ffff88826759a168 RCX: 0000000000000000
      <4> [341.846589] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffffffff8112844c
      <4> [341.846595] RBP: ffff8882708fa548 R08: 0000000000000000 R09: 0000000000039600
      <4> [341.846601] R10: 0000000000000000 R11: 0000000000000ce4 R12: ffffffffa07de1e0
      <4> [341.846607] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffa07de2d0
      <4> [341.846613] FS:  00007f62b5ae0e40(0000) GS:ffff888276380000(0000) knlGS:0000000000000000
      <4> [341.846620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      <4> [341.846626] CR2: 000055a4e064f4a0 CR3: 0000000266b16006 CR4: 00000000003606e0
      <4> [341.846632] Call Trace:
      <4> [341.846639]  drm_fb_helper_fini.part.17+0xb3/0x100
      <4> [341.846682]  intel_fbdev_fini+0x20/0x80 [i915]
      <4> [341.846722]  intel_modeset_cleanup+0x9a/0x140 [i915]
      <4> [341.846750]  i915_driver_unload+0xa3/0x100 [i915]
      <4> [341.846778]  i915_pci_remove+0x19/0x30 [i915]
      <4> [341.846784]  pci_device_remove+0x36/0xb0
      <4> [341.846790]  device_release_driver_internal+0xd3/0x1b0
      <4> [341.846795]  driver_detach+0x3f/0x80
      <4> [341.846800]  bus_remove_driver+0x53/0xd0
      <4> [341.846805]  pci_unregister_driver+0x25/0xa0
      <4> [341.846843]  i915_exit+0x16/0x1c [i915]
      <4> [341.846849]  __se_sys_delete_module+0x162/0x210
      <4> [341.846855]  ? trace_hardirqs_off_thunk+0x1a/0x1c
      <4> [341.846859]  ? do_syscall_64+0xd/0x1c0
      <4> [341.846864]  do_syscall_64+0x55/0x1c0
      <4> [341.846869]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      <4> [341.846875] RIP: 0033:0x7f62b51871b7
      <4> [341.846881] Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
      <4> [341.846897] RSP: 002b:00007ffe7a227138 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      <4> [341.846904] RAX: ffffffffffffffda RBX: 00007ffe7a2272b0 RCX: 00007f62b51871b7
      <4> [341.846910] RDX: 0000000000000001 RSI: 0000000000000800 RDI: 0000557cd6b55948
      <4> [341.846916] RBP: 0000557cd6b558e0 R08: 0000557cd6b5594c R09: 00007ffe7a227160
      <4> [341.846922] R10: 00007ffe7a226134 R11: 0000000000000206 R12: 0000000000000000
      <4> [341.846927] R13: 00007ffe7a227820 R14: 0000000000000000 R15: 0000000000000000
      <4> [341.846936] irq event stamp: 3547847
      <4> [341.846940] hardirqs last  enabled at (3547847): [<ffffffff819aad2c>] _raw_spin_unlock_irqrestore+0x4c/0x60
      <4> [341.846949] hardirqs last disabled at (3547846): [<ffffffff819aab9d>] _raw_spin_lock_irqsave+0xd/0x50
      <4> [341.846957] softirqs last  enabled at (3547376): [<ffffffff81c0033a>] __do_softirq+0x33a/0x4b9
      <4> [341.846966] softirqs last disabled at (3547367): [<ffffffff810b6379>] irq_exit+0xa9/0xc0
      <4> [341.846973] WARNING: CPU: 3 PID: 3300 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x49/0x50
      <4> [341.846980] ---[ end trace ba94ca8952ba970e ]---
      <7> [341.866547] [drm:intel_dp_detect [i915]] MST support? port A: no, sink: no, modparam: yes
      <7> [341.890480] [drm:drm_add_display_info] non_desktop set to 0
      <7> [341.890530] [drm:drm_add_edid_modes] ELD: no CEA Extension found
      <7> [341.890537] [drm:drm_add_display_info] non_desktop set to 0
      <7> [341.890578] [drm:drm_helper_probe_single_connector_modes] [CONNECTOR:86:eDP-1] probed modes :
      <7> [341.890589] [drm:drm_mode_debug_printmodeline] Modeline "3200x1800": 60 373250 3200 3248 3280 3360 1800 1803 1808 1852 0x48 0xa
      <7> [341.890602] [drm:drm_mode_debug_printmodeline] Modeline "3200x1800": 48 298600 3200 3248 3280 3360 1800 1803 1808 1852 0x40 0xa
      <4> [341.890628] general protection fault: 0000 [#1] PREEMPT SMP PTI
      <4> [341.890636] CPU: 0 PID: 508 Comm: kworker/0:4 Tainted: G     U  W         5.2.0-rc2-CI-CI_DRM_6175+ #1
      <4> [341.890646] Hardware name: Dell Inc. XPS 13 9360/0823VW, BIOS 2.9.0 07/09/2018
      <4> [341.890655] Workqueue: events output_poll_execute
      <4> [341.890663] RIP: 0010:drm_setup_crtcs+0x13e/0xbe0
      <4> [341.890669] Code: 00 41 8b 44 24 58 85 c0 0f 8e f9 01 00 00 44 8b 6c 24 20 44 8b 74 24 28 31 db 31 ed 49 8b 44 24 60 48 63 d5 44 89 ee 83 c5 01 <48> 8b 04 d0 44 89 f2 48 8b 38 48 8b 87 88 01 00 00 48 8b 40 20 e8
      <4> [341.890686] RSP: 0018:ffffc9000033fd40 EFLAGS: 00010202
      <4> [341.890692] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000002 RCX: 0000000000000000
      <4> [341.890700] RDX: 0000000000000001 RSI: 0000000000000c80 RDI: 00000000ffffffff
      <4> [341.890707] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
      <4> [341.890715] R10: 0000000000000c80 R11: 0000000000000000 R12: ffff888267599fe8
      <4> [341.890722] R13: 0000000000000c80 R14: 0000000000000708 R15: 0000000000000007
      <4> [341.890730] FS:  0000000000000000(0000) GS:ffff888276200000(0000) knlGS:0000000000000000
      <4> [341.890739] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      <4> [341.890745] CR2: 000055a4e064f4a0 CR3: 000000026d234003 CR4: 00000000003606f0
      <4> [341.890752] Call Trace:
      <4> [341.890760]  drm_fb_helper_hotplug_event.part.24+0x89/0xb0
      <4> [341.890768]  drm_kms_helper_hotplug_event+0x21/0x30
      <4> [341.890774]  output_poll_execute+0x9d/0x1a0
      <4> [341.890782]  process_one_work+0x245/0x610
      <4> [341.890790]  worker_thread+0x37/0x380
      <4> [341.890796]  ? process_one_work+0x610/0x610
      <4> [341.890802]  kthread+0x119/0x130
      <4> [341.890808]  ? kthread_park+0x80/0x80
      <4> [341.890815]  ret_from_fork+0x3a/0x50
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109964
      Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: Imre Deak <imre.deak@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190603135910.15979-2-chris@chris-wilson.co.uk
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      ff0fbfac
    • f2fs: fix to do sanity check on segment bitmap of LFS curseg · 303f6d6b
      Chao Yu committed
      [ Upstream commit c854f4d681365498f53ba07843a16423625aa7e9 ]
      
      As Jungyeon Reported in bugzilla:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=203233
      
      - Reproduces
      gcc poc_13.c
      ./run.sh f2fs
      
      - Kernel messages
       F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
       kernel BUG at fs/f2fs/segment.c:2133!
       RIP: 0010:update_sit_entry+0x35d/0x3e0
       Call Trace:
        f2fs_allocate_data_block+0x16c/0x5a0
        do_write_page+0x57/0x100
        f2fs_do_write_node_page+0x33/0xa0
        __write_node_page+0x270/0x4e0
        f2fs_sync_node_pages+0x5df/0x670
        f2fs_write_checkpoint+0x364/0x13a0
        f2fs_sync_fs+0xa3/0x130
        f2fs_do_sync_file+0x1a6/0x810
        do_fsync+0x33/0x60
        __x64_sys_fsync+0xb/0x10
        do_syscall_64+0x43/0x110
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The testcase fails because that, in fuzzed image, current segment was
      allocated with LFS type, its .next_blkoff should point to an unused
      block address, but actually, its bitmap shows it's not. So during
      allocation, f2fs crash when setting bitmap.
      
      Introducing sanity_check_curseg() to check such inconsistence of
      current in-used segment.
      
      Signed-off-by: Chao Yu <yuchao0@huawei.com>
      Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      303f6d6b
    • net/ibmvnic: Fix missing { in __ibmvnic_reset · dec09554
      Michal Suchanek committed
      [ Upstream commit c8dc55956b09b53ccffceb6e3146981210e27821 ]
      
      Commit 1c2977c09499 ("net/ibmvnic: free reset work of removed device from queue")
      adds a } without corresponding { causing build break.
      
      Fixes: 1c2977c09499 ("net/ibmvnic: free reset work of removed device from queue")
      Signed-off-by: Michal Suchanek <msuchanek@suse.de>
      Reviewed-by: Tyrel Datwyler <tyreld@linux.ibm.com>
      Reviewed-by: Juliet Kim <julietk@linux.vnet.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      dec09554
    • dm zoned: fix invalid memory access · dc9118fe
      Mikulas Patocka committed
      [ Upstream commit 0c8e9c2d668278652af028c3cc068c65f66342f4 ]
      
      Commit 75d66ffb48efb30f2dd42f041ba8b39c5b2bd115 ("dm zoned: properly
      handle backing device failure") triggers a coverity warning:
      
      *** CID 1452808:  Memory - illegal accesses  (USE_AFTER_FREE)
      /drivers/md/dm-zoned-target.c: 137 in dmz_submit_bio()
      131             clone->bi_private = bioctx;
      132
      133             bio_advance(bio, clone->bi_iter.bi_size);
      134
      135             refcount_inc(&bioctx->ref);
      136             generic_make_request(clone);
      >>>     CID 1452808:  Memory - illegal accesses  (USE_AFTER_FREE)
      >>>     Dereferencing freed pointer "clone".
      137             if (clone->bi_status == BLK_STS_IOERR)
      138                     return -EIO;
      139
      140             if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone))
      141                     zone->wp_block += nr_blocks;
      142
      
      The "clone" bio may be processed and freed before the check
      "clone->bi_status == BLK_STS_IOERR" - so this check can access invalid
      memory.
      
      Fixes: 75d66ffb48efb3 ("dm zoned: properly handle backing device failure")
      Cc: stable@vger.kernel.org
      Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
      Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      dc9118fe
    • Revert "f2fs: avoid out-of-range memory access" · 73d90f57
      Chao Yu committed
      [ Upstream commit a37d0862d17411edb67677a580a6f505ec2225f6 ]
      
      As Pavel Machek reported:
      
      "We normally use -EUCLEAN to signal filesystem corruption. Plus, it is
      good idea to report it to the syslog and mark filesystem as "needing
      fsck" if filesystem can do that."
      
      Still we need improve the original patch with:
      - use unlikely keyword
      - add message print
      - return EUCLEAN
      
      However, after rethink this patch, I don't think we should add such
      condition check here as below reasons:
      - We have already checked the field in f2fs_sanity_check_ckpt(),
      - If there is fs corrupt or security vulnerability, there is nothing
      to guarantee the field is integrated after the check, unless we do
      the check before each of its use, however no filesystem does that.
      - We only have similar check for bitmap, which was added due to there
      is bitmap corruption happened on f2fs' runtime in product.
      - There are so many key fields in SB/CP/NAT did have such check
      after f2fs_sanity_check_{sb,cp,..}.
      
      So I propose to revert this unneeded check.
      
      This reverts commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a.
      
      Signed-off-by: Chao Yu <yuchao0@huawei.com>
      Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      73d90f57
    • blk-mq: move cancel of requeue_work to the front of blk_exit_queue · 40cdc71e
      zhengbin committed
      [ Upstream commit e26cc08265dda37d2acc8394604f220ef412299d ]
      
      blk_exit_queue will free elevator_data, while blk_mq_requeue_work
      will access it. Move cancel of requeue_work to the front of
      blk_exit_queue to avoid use-after-free.
      
      blk_exit_queue                blk_mq_requeue_work
        __elevator_exit               blk_mq_run_hw_queues
          blk_mq_exit_sched             blk_mq_run_hw_queue
            dd_exit_queue                 blk_mq_hctx_has_pending
              kfree(elevator_data)          blk_mq_sched_has_work
                                              dd_has_work
      
      Fixes: fbc2a15e3433 ("blk-mq: move cancel of requeue_work into blk_mq_release")
      Cc: stable@vger.kernel.org
      Reviewed-by: Ming Lei <ming.lei@redhat.com>
      Signed-off-by: zhengbin <zhengbin13@huawei.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      40cdc71e
    • blk-mq: change gfp flags to GFP_NOIO in blk_mq_realloc_hw_ctxs · 313efb25
      Jianchao Wang committed
      [ Upstream commit 5b202853ffbc54b29f23c4b1b5f3948efab489a2 ]
      
      blk_mq_realloc_hw_ctxs could be invoked during update hw queues.
      At the moment, IO is blocked. Change the gfp flags from GFP_KERNEL
      to GFP_NOIO to avoid forever hang during memory allocation in
      blk_mq_realloc_hw_ctxs.
      
      Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      313efb25
    • initramfs: don't free a non-existent initrd · 75448f40
      Steven Price committed
      [ Upstream commit 5d59aa8f9ce972b472201aed86e904bb75879ff0 ]
      
      Since commit 54c7a8916a88 ("initramfs: free initrd memory if opening
      /initrd.image fails"), the kernel has unconditionally attempted to free
      the initrd even if it doesn't exist.
      
      In the non-existent case this causes a boot-time splat if
      CONFIG_DEBUG_VIRTUAL is enabled due to a call to virt_to_phys() with a
      NULL address.
      
      Instead we should check that the initrd actually exists and only attempt
      to free it if it does.
      
      Link: http://lkml.kernel.org/r/20190516143125.48948-1-steven.price@arm.com
      Fixes: 54c7a8916a88 ("initramfs: free initrd memory if opening /initrd.image fails")
      Signed-off-by: Steven Price <steven.price@arm.com>
      Reported-by: Mark Rutland <mark.rutland@arm.com>
      Tested-by: Mark Rutland <mark.rutland@arm.com>
      Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      75448f40
    • bcache: remove redundant LIST_HEAD(journal) from run_cache_set() · ad16dfef
      Coly Li committed
      [ Upstream commit cdca22bcbc64fc83dadb8d927df400a8d86ddabb ]
      
      Commit 95f18c9d1310 ("bcache: avoid potential memleak of list of
      journal_replay(s) in the CACHE_SYNC branch of run_cache_set") forgets
      to remove the original define of LIST_HEAD(journal), which makes
      the change not take effect. This patch removes redundant variable
      LIST_HEAD(journal) from run_cache_set(), to make Shenghui's fix
      working.
      
      Fixes: 95f18c9d1310 ("bcache: avoid potential memleak of list of journal_replay(s) in the CACHE_SYNC branch of run_cache_set")
      Reported-by: Juha Aatrokoski <juha.aatrokoski@aalto.fi>
      Cc: Shenghui Wang <shhuiw@foxmail.com>
      Signed-off-by: Coly Li <colyli@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      ad16dfef
    • PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it · 08fdaee2
      Dexuan Cui committed
      [ Upstream commit 533ca1feed98b0bf024779a14760694c7cb4d431 ]
      
      The slot must be removed before the pci_dev is removed, otherwise a panic
      can happen due to use-after-free.
      
      Fixes: 15becc2b56c6 ("PCI: hv: Add hv_pci_remove_slots() when we unload the driver")
      Signed-off-by: Dexuan Cui <decui@microsoft.com>
      Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      08fdaee2