From fde03b71c2d693d24db8f4bd549e10850dad398c Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 27 Sep 2019 20:58:07 -0400
Subject: [PATCH] fixes for 5.2
Signed-off-by: Sasha Levin
---
.../dm-zoned-fix-invalid-memory-access.patch | 59 ++++++++++++++++++
...mvnic-fix-missing-in-__ibmvnic_reset.patch | 38 ++++++++++++
...2fs-avoid-out-of-range-memory-access.patch | 61 +++++++++++++++++++
queue-5.2/series | 3 +
4 files changed, 161 insertions(+)
create mode 100644 queue-5.2/dm-zoned-fix-invalid-memory-access.patch
create mode 100644 queue-5.2/net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch
create mode 100644 queue-5.2/revert-f2fs-avoid-out-of-range-memory-access.patch
diff --git a/queue-5.2/dm-zoned-fix-invalid-memory-access.patch b/queue-5.2/dm-zoned-fix-invalid-memory-access.patch
new file mode 100644
index 00000000000..3c8e9b460ab
--- /dev/null
+++ b/queue-5.2/dm-zoned-fix-invalid-memory-access.patch
@@ -0,0 +1,59 @@
+From 0349f3e82f07ef6f8201073d4758d8e227de123f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Aug 2019 02:41:17 -0400
+Subject: dm zoned: fix invalid memory access
+
+From: Mikulas Patocka
+
+[ Upstream commit 0c8e9c2d668278652af028c3cc068c65f66342f4 ]
+
+Commit 75d66ffb48efb30f2dd42f041ba8b39c5b2bd115 ("dm zoned: properly
+handle backing device failure") triggers a coverity warning:
+
+*** CID 1452808: Memory - illegal accesses (USE_AFTER_FREE)
+/drivers/md/dm-zoned-target.c: 137 in dmz_submit_bio()
+131 clone->bi_private = bioctx;
+132
+133 bio_advance(bio, clone->bi_iter.bi_size);
+134
+135 refcount_inc(&bioctx->ref);
+136 generic_make_request(clone);
+>>> CID 1452808: Memory - illegal accesses (USE_AFTER_FREE)
+>>> Dereferencing freed pointer "clone".
+137 if (clone->bi_status == BLK_STS_IOERR)
+138 return -EIO;
+139
+140 if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone))
+141 zone->wp_block += nr_blocks;
+142
+
+The "clone" bio may be processed and freed before the check
+"clone->bi_status == BLK_STS_IOERR" - so this check can access invalid
+memory.
+
+Fixes: 75d66ffb48efb3 ("dm zoned: properly handle backing device failure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka
+Reviewed-by: Damien Le Moal
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-zoned-target.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c
+index ff3fd011796ed..3334f5865de77 100644
+--- a/drivers/md/dm-zoned-target.c
++++ b/drivers/md/dm-zoned-target.c
+@@ -133,8 +133,6 @@ static int dmz_submit_bio(struct dmz_target *dmz, struct dm_zone *zone,
+
+ refcount_inc(&bioctx->ref);
+ generic_make_request(clone);
+- if (clone->bi_status == BLK_STS_IOERR)
+- return -EIO;
+
+ if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone))
+ zone->wp_block += nr_blocks;
+--
+2.20.1
+
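Review bot: Nothing in the patched dmz_submit_bio() tells the next reader that `clone` must not be touched once `generic_make_request(clone)` has been called, which is the same ownership mistake that produced the use-after-free fixed here. I would add a comment directly after the submission, for example `/* clone may already be completed and freed; do not dereference it below */`. With the status test gone, this function no longer observes a failed clone, and `zone->wp_block += nr_blocks` runs right after submission. The handler that propagates clone errors is presumably the clone's completion callback, which is not visible in this hunk, so that is worth confirming in the 5.2 tree. The function body starts and ends outside the hunk.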
diff --git a/queue-5.2/net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch b/queue-5.2/net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch
new file mode 100644
index 00000000000..2b48831dacb
--- /dev/null
+++ b/queue-5.2/net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch
@@ -0,0 +1,38 @@
+From 3bf463880a5fe5b8909b6349c9a8590251c0a584 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Sep 2019 22:44:51 +0200
+Subject: net/ibmvnic: Fix missing { in __ibmvnic_reset
+
+From: Michal Suchanek
+
+[ Upstream commit c8dc55956b09b53ccffceb6e3146981210e27821 ]
+
+Commit 1c2977c09499 ("net/ibmvnic: free reset work of removed device from queue")
+adds a } without corresponding { causing build break.
+
+Fixes: 1c2977c09499 ("net/ibmvnic: free reset work of removed device from queue")
+Signed-off-by: Michal Suchanek
+Reviewed-by: Tyrel Datwyler
+Reviewed-by: Juliet Kim
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 6644cabc8e756..5cb55ea671e35 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1984,7 +1984,7 @@ static void __ibmvnic_reset(struct work_struct *work)
+ rwi = get_next_rwi(adapter);
+ while (rwi) {
+ if (adapter->state == VNIC_REMOVING ||
+- adapter->state == VNIC_REMOVED)
++ adapter->state == VNIC_REMOVED) {
+ kfree(rwi);
+ rc = EBUSY;
+ break;
+--
+2.20.1
+
diff --git a/queue-5.2/revert-f2fs-avoid-out-of-range-memory-access.patch b/queue-5.2/revert-f2fs-avoid-out-of-range-memory-access.patch
new file mode 100644
index 00000000000..aa9ec3ebc41
--- /dev/null
+++ b/queue-5.2/revert-f2fs-avoid-out-of-range-memory-access.patch
@@ -0,0 +1,61 @@
+From 6d3872ffedabc9c329e9b162a3bde02a0e464eea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Aug 2019 18:15:48 +0800
+Subject: Revert "f2fs: avoid out-of-range memory access"
+
+From: Chao Yu
+
+[ Upstream commit a37d0862d17411edb67677a580a6f505ec2225f6 ]
+
+As Pavel Machek reported:
+
+"We normally use -EUCLEAN to signal filesystem corruption. Plus, it is
+good idea to report it to the syslog and mark filesystem as "needing
+fsck" if filesystem can do that."
+
+Still we need improve the original patch with:
+- use unlikely keyword
+- add message print
+- return EUCLEAN
+
+However, after rethink this patch, I don't think we should add such
+condition check here as below reasons:
+- We have already checked the field in f2fs_sanity_check_ckpt(),
+- If there is fs corrupt or security vulnerability, there is nothing
+to guarantee the field is integrated after the check, unless we do
+the check before each of its use, however no filesystem does that.
+- We only have similar check for bitmap, which was added due to there
+is bitmap corruption happened on f2fs' runtime in product.
+- There are so many key fields in SB/CP/NAT did have such check
+after f2fs_sanity_check_{sb,cp,..}.
+
+So I propose to revert this unneeded check.
+
+This reverts commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a.
+
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/segment.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index ce15fbcd7cff0..291f7106537c7 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -3403,11 +3403,6 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi)
+ seg_i = CURSEG_I(sbi, i);
+ segno = le32_to_cpu(ckpt->cur_data_segno[i]);
+ blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]);
+- if (blk_off > ENTRIES_IN_SUM) {
+- f2fs_bug_on(sbi, 1);
+- f2fs_put_page(page, 1);
+- return -EFAULT;
+- }
+ seg_i->next_segno = segno;
+ reset_curseg(sbi, i, 0);
+ seg_i->alloc_type = ckpt->alloc_type[i];
+--
+2.20.1
+
diff --git a/queue-5.2/series b/queue-5.2/series
index 4803e35c441..3c2f369165a 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -27,3 +27,6 @@ alsa-hda-add-laptop-imic-fixup-for-asus-m9v-laptop.patch
 alsa-hda-apply-amd-controller-workaround-for-raven-platform.patch
 platform-x86-i2c-multi-instantiate-derive-the-device-name-from-parent.patch
 objtool-clobber-user-cflags-variable.patch
+revert-f2fs-avoid-out-of-range-memory-access.patch
+dm-zoned-fix-invalid-memory-access.patch
+net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch
--
2.47.3
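Review bot: In the f2fs revert (fs/f2fs/segment.c, read_compacted_summaries), `blk_off` is read from the on-disk checkpoint via `le16_to_cpu(ckpt->cur_data_blkoff[i])` and, once this patch is applied, is used with no range check anywhere in the visible code. The commit message rests the removal on f2fs_sanity_check_ckpt() having already validated the field, but that function is not part of this patch. For a stable backport it is worth confirming that the 5.2 tree actually carries that validation for `cur_data_blkoff[]` before this lands. I would also record the dependency at the read site, for example `/* cur_data_blkoff[] is range-checked in f2fs_sanity_check_ckpt() */`, so the invariant stays discoverable. The function body starts and ends outside the hunk.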