fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Sat, 28 Sep 2019 00:58:08 +0000 (20:58 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 28 Sep 2019 00:58:08 +0000 (20:58 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch [new file with mode: 0644]
queue-4.14/dm-zoned-fix-invalid-memory-access.patch [new file with mode: 0644]
queue-4.14/f2fs-check-all-the-data-segments-against-all-node-on.patch [new file with mode: 0644]
queue-4.14/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch [new file with mode: 0644]
queue-4.14/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch [new file with mode: 0644]
queue-4.14/revert-f2fs-avoid-out-of-range-memory-access.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch b/queue-4.14/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
new file mode 100644 (file)
index 0000000..cd17aa4
--- /dev/null
@@ -0,0 +1,61 @@
+From 4ecce4118e71bd069019bc05c539842350b18b6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2019 20:36:55 +0800
+Subject: blk-mq: move cancel of requeue_work to the front of blk_exit_queue
+
+From: zhengbin <zhengbin13@huawei.com>
+
+[ Upstream commit e26cc08265dda37d2acc8394604f220ef412299d ]
+
+blk_exit_queue will free elevator_data, while blk_mq_requeue_work
+will access it. Move cancel of requeue_work to the front of
+blk_exit_queue to avoid use-after-free.
+
+blk_exit_queue                blk_mq_requeue_work
+  __elevator_exit               blk_mq_run_hw_queues
+    blk_mq_exit_sched             blk_mq_run_hw_queue
+      dd_exit_queue                 blk_mq_hctx_has_pending
+        kfree(elevator_data)          blk_mq_sched_has_work
+                                        dd_has_work
+
+Fixes: fbc2a15e3433 ("blk-mq: move cancel of requeue_work into blk_mq_release")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: zhengbin <zhengbin13@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c    | 2 --
+ block/blk-sysfs.c | 3 +++
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 55139d2fca3e0..eac4448047366 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2294,8 +2294,6 @@ void blk_mq_release(struct request_queue *q)
+       struct blk_mq_hw_ctx *hctx;
+       unsigned int i;
+-      cancel_delayed_work_sync(&q->requeue_work);
+-
+       /* hctx kobj stays in hctx */
+       queue_for_each_hw_ctx(q, hctx, i) {
+               if (!hctx)
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index e54be402899da..9caf96c2c1081 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -811,6 +811,9 @@ static void __blk_release_queue(struct work_struct *work)
+       blk_free_queue_stats(q->stats);
++      if (q->mq_ops)
++              cancel_delayed_work_sync(&q->requeue_work);
++
+       blk_exit_rl(q, &q->root_rl);
+       if (q->queue_tags)
+-- 
+2.20.1
+
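Review bot: The added `cancel_delayed_work_sync(&q->requeue_work)` in `__blk_release_queue` cannot be confirmed from this hunk to run before the elevator teardown, which is the ordering the commit message says closes the use-after-free. The visible context shows only `blk_free_queue_stats(q->stats)` before the new lines and `blk_exit_rl()` after them, and the function body continues outside the hunk on both sides. If the 4.14 function exits the elevator earlier than this point, `blk_mq_requeue_work` could still reach freed `elevator_data` before the cancel runs, so the placement should be checked against the 4.14 source and moved above the elevator exit if needed. A comment such as `/* must run before the elevator is torn down: requeue work reads elevator_data */` would keep the ordering from being lost in later backports.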
diff --git a/queue-4.14/dm-zoned-fix-invalid-memory-access.patch b/queue-4.14/dm-zoned-fix-invalid-memory-access.patch
new file mode 100644 (file)
index 0000000..4145546
--- /dev/null
@@ -0,0 +1,59 @@
+From d63455fd23aabbbbca8df04d212d7eea03bcc692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2019 02:41:17 -0400
+Subject: dm zoned: fix invalid memory access
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 0c8e9c2d668278652af028c3cc068c65f66342f4 ]
+
+Commit 75d66ffb48efb30f2dd42f041ba8b39c5b2bd115 ("dm zoned: properly
+handle backing device failure") triggers a coverity warning:
+
+*** CID 1452808:  Memory - illegal accesses  (USE_AFTER_FREE)
+/drivers/md/dm-zoned-target.c: 137 in dmz_submit_bio()
+131             clone->bi_private = bioctx;
+132
+133             bio_advance(bio, clone->bi_iter.bi_size);
+134
+135             refcount_inc(&bioctx->ref);
+136             generic_make_request(clone);
+>>>     CID 1452808:  Memory - illegal accesses  (USE_AFTER_FREE)
+>>>     Dereferencing freed pointer "clone".
+137             if (clone->bi_status == BLK_STS_IOERR)
+138                     return -EIO;
+139
+140             if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone))
+141                     zone->wp_block += nr_blocks;
+142
+
+The "clone" bio may be processed and freed before the check
+"clone->bi_status == BLK_STS_IOERR" - so this check can access invalid
+memory.
+
+Fixes: 75d66ffb48efb3 ("dm zoned: properly handle backing device failure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-zoned-target.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c
+index 1e004d975e786..4694763f9d404 100644
+--- a/drivers/md/dm-zoned-target.c
++++ b/drivers/md/dm-zoned-target.c
+@@ -133,8 +133,6 @@ static int dmz_submit_bio(struct dmz_target *dmz, struct dm_zone *zone,
+       atomic_inc(&bioctx->ref);
+       generic_make_request(clone);
+-      if (clone->bi_status == BLK_STS_IOERR)
+-              return -EIO;
+       if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone))
+               zone->wp_block += nr_blocks;
+-- 
+2.20.1
+
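Review bot: With the `clone->bi_status` check removed, nothing at this site in `dmz_submit_bio` records that `clone` must not be dereferenced once `generic_make_request(clone)` has been called, so a later change could reintroduce the same use-after-free. A comment directly after the call, such as `/* clone may already be completed and freed; its status is only valid in the completion handler */`, would document the ownership rule. With the early `return -EIO` gone, `zone->wp_block += nr_blocks` now runs for every submitted sequential write, so error handling presumably rests entirely on the clone's completion path. That path is outside the hunk and is worth confirming in the 4.14 tree.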
diff --git a/queue-4.14/f2fs-check-all-the-data-segments-against-all-node-on.patch b/queue-4.14/f2fs-check-all-the-data-segments-against-all-node-on.patch
new file mode 100644 (file)
index 0000000..976dabf
--- /dev/null
@@ -0,0 +1,44 @@
+From 5a8bd11faba2e12406a9f5a934e5478f6b731be0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Aug 2019 15:40:45 -0700
+Subject: f2fs: check all the data segments against all node ones
+
+From: Surbhi Palande <f2fsnewbie@gmail.com>
+
+[ Upstream commit 1166c1f2f69117ad254189ca781287afa6e550b6 ]
+
+As a part of the sanity checking while mounting, distinct segment number
+assignment to data and node segments is verified. Fixing a small bug in
+this verification between node and data segments. We need to check all
+the data segments with all the node segments.
+
+Fixes: 042be0f849e5f ("f2fs: fix to do sanity check with current segment number")
+Signed-off-by: Surbhi Palande <csurbhi@gmail.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 4c169ba50c0f4..ad839a7996e9b 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2027,11 +2027,11 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
+               }
+       }
+       for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
+-              for (j = i; j < NR_CURSEG_DATA_TYPE; j++) {
++              for (j = 0; j < NR_CURSEG_DATA_TYPE; j++) {
+                       if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
+                               le32_to_cpu(ckpt->cur_data_segno[j])) {
+                               f2fs_msg(sbi->sb, KERN_ERR,
+-                                      "Data segment (%u) and Data segment (%u)"
++                                      "Node segment (%u) and Data segment (%u)"
+                                       " has the same segno: %u", i, j,
+                                       le32_to_cpu(ckpt->cur_node_segno[i]));
+                               return 1;
+-- 
+2.20.1
+
diff --git a/queue-4.14/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch b/queue-4.14/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch
new file mode 100644 (file)
index 0000000..173d6bb
--- /dev/null
@@ -0,0 +1,54 @@
+From 767bfcca0fc42a1c56fae83f4b8ac7c7bd80b5af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2019 14:56:47 +0100
+Subject: irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit c9c96e30ecaa0aafa225aa1a5392cb7db17c7a82 ]
+
+When allocating a range of LPIs for a Multi-MSI capable device,
+this allocation extended to the closest power of 2.
+
+But on the release path, the interrupts are released one by
+one. This results in not releasing the "extra" range, leaking
+the its_device. Trying to reprobe the device will then fail.
+
+Fix it by releasing the LPIs the same way we allocate them.
+
+Fixes: 8208d1708b88 ("irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size")
+Reported-by: Jiaxing Luo <luojiaxing@huawei.com>
+Tested-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/f5e948aa-e32f-3f74-ae30-31fee06c2a74@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index f80666acb9efd..52238e6bed392 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2269,14 +2269,13 @@ static void its_irq_domain_free(struct irq_domain *domain, unsigned int virq,
+       struct its_node *its = its_dev->its;
+       int i;
++      bitmap_release_region(its_dev->event_map.lpi_map,
++                            its_get_event_id(irq_domain_get_irq_data(domain, virq)),
++                            get_count_order(nr_irqs));
++
+       for (i = 0; i < nr_irqs; i++) {
+               struct irq_data *data = irq_domain_get_irq_data(domain,
+                                                               virq + i);
+-              u32 event = its_get_event_id(data);
+-
+-              /* Mark interrupt index as unused */
+-              clear_bit(event, its_dev->event_map.lpi_map);
+-
+               /* Nuke the entry in the domain */
+               irq_domain_reset_irq_data(data);
+       }
+-- 
+2.20.1
+
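Review bot: The new `bitmap_release_region()` call in `its_irq_domain_free` is only correct when `virq` is the first interrupt of the original allocation and `get_count_order(nr_irqs)` gives the same order the allocation used, and nothing in the hunk checks or documents that assumption. A free call covering only part of a Multi-MSI range would release a region that does not match what was allocated, leaving `lpi_map` out of step with the events still in use. A comment above the call, such as `/* Release mirrors the allocation: one 2^order region starting at the first event */`, would make the contract explicit. The function starts and ends outside the hunk, so whether callers can ever pass a partial range cannot be judged from here.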
diff --git a/queue-4.14/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch b/queue-4.14/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch
new file mode 100644 (file)
index 0000000..88bc7a4
--- /dev/null
@@ -0,0 +1,38 @@
+From 4d225f8942e4b1c591ad502c702c0ff4d9c388ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2019 22:50:20 +0000
+Subject: PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 533ca1feed98b0bf024779a14760694c7cb4d431 ]
+
+The slot must be removed before the pci_dev is removed, otherwise a panic
+can happen due to use-after-free.
+
+Fixes: 15becc2b56c6 ("PCI: hv: Add hv_pci_remove_slots() when we unload the driver")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/host/pci-hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c
+index 5a9d945122327..70825689e5a08 100644
+--- a/drivers/pci/host/pci-hyperv.c
++++ b/drivers/pci/host/pci-hyperv.c
+@@ -2740,8 +2740,8 @@ static int hv_pci_remove(struct hv_device *hdev)
+               /* Remove the bus from PCI's point of view. */
+               pci_lock_rescan_remove();
+               pci_stop_root_bus(hbus->pci_bus);
+-              pci_remove_root_bus(hbus->pci_bus);
+               hv_pci_remove_slots(hbus);
++              pci_remove_root_bus(hbus->pci_bus);
+               pci_unlock_rescan_remove();
+               hbus->state = hv_pcibus_removed;
+       }
+-- 
+2.20.1
+
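Review bot: The reordered calls in `hv_pci_remove` now depend on `hv_pci_remove_slots(hbus)` running before `pci_remove_root_bus(hbus->pci_bus)`, but no comment says so and the two lines look freely swappable. Adding `/* Slots must be removed before the pci_dev is removed (use-after-free otherwise) */` above the call would record the constraint the commit message describes. The function starts and ends outside the hunk, so whether other removal paths in this driver follow the same order cannot be judged from here.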
diff --git a/queue-4.14/revert-f2fs-avoid-out-of-range-memory-access.patch b/queue-4.14/revert-f2fs-avoid-out-of-range-memory-access.patch
new file mode 100644 (file)
index 0000000..8ad850a
--- /dev/null
@@ -0,0 +1,61 @@
+From d76993baff0c41138fda34c891077bea365f9bc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2019 18:15:48 +0800
+Subject: Revert "f2fs: avoid out-of-range memory access"
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit a37d0862d17411edb67677a580a6f505ec2225f6 ]
+
+As Pavel Machek reported:
+
+"We normally use -EUCLEAN to signal filesystem corruption. Plus, it is
+good idea to report it to the syslog and mark filesystem as "needing
+fsck" if filesystem can do that."
+
+Still we need improve the original patch with:
+- use unlikely keyword
+- add message print
+- return EUCLEAN
+
+However, after rethink this patch, I don't think we should add such
+condition check here as below reasons:
+- We have already checked the field in f2fs_sanity_check_ckpt(),
+- If there is fs corrupt or security vulnerability, there is nothing
+to guarantee the field is integrated after the check, unless we do
+the check before each of its use, however no filesystem does that.
+- We only have similar check for bitmap, which was added due to there
+is bitmap corruption happened on f2fs' runtime in product.
+- There are so many key fields in SB/CP/NAT did have such check
+after f2fs_sanity_check_{sb,cp,..}.
+
+So I propose to revert this unneeded check.
+
+This reverts commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 18d51c36a5e32..70bd15cadb44e 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2612,11 +2612,6 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi)
+               seg_i = CURSEG_I(sbi, i);
+               segno = le32_to_cpu(ckpt->cur_data_segno[i]);
+               blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]);
+-              if (blk_off > ENTRIES_IN_SUM) {
+-                      f2fs_bug_on(sbi, 1);
+-                      f2fs_put_page(page, 1);
+-                      return -EFAULT;
+-              }
+               seg_i->next_segno = segno;
+               reset_curseg(sbi, i, 0);
+               seg_i->alloc_type = ckpt->alloc_type[i];
+-- 
+2.20.1
+
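Review bot: Removing the `blk_off > ENTRIES_IN_SUM` guard in `read_compacted_summaries` leaves `blk_off`, which is read straight from the on-disk checkpoint via `le16_to_cpu(ckpt->cur_data_blkoff[i])`, without a bound at this site. The commit message justifies the removal by a check in `f2fs_sanity_check_ckpt()`, but the other f2fs patch queued in this same commit shows the 4.14 function is named `sanity_check_ckpt`, so the 4.14 variant may differ from upstream. Before this is applied to 4.14, confirm that the mount-time check in that tree rejects an out-of-range `cur_data_blkoff`. If it does not, the guard should stay, ideally in the form the commit message itself lists: `if (unlikely(blk_off > ENTRIES_IN_SUM))` with a logged message and `-EUCLEAN`. The loop body continues outside the hunk, so the later uses of `blk_off` are not visible here.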
index 3b02cb678ba88d91fbeffcbae08e6de93b6ed6dd..eed60df09fae39a732a09e1cd113610d9453d9e1 100644 (file)
@@ -20,3 +20,9 @@ pinctrl-sprd-use-define-directive-for-sprd_pinconf_p.patch
 power-supply-sysfs-ratelimit-property-read-error-mes.patch
 locking-lockdep-add-debug_locks-check-in-__lock_down.patch
 locking-lockdep-add-debug_locks-check-in-__lock_down.patch-14091
+irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch
+f2fs-check-all-the-data-segments-against-all-node-on.patch
+pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch
+blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
+revert-f2fs-avoid-out-of-range-memory-access.patch
+dm-zoned-fix-invalid-memory-access.patch