From bcc94736b2eb095d9d07bdb2c44d49cb7af5844e Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 29 Sep 2019 09:22:01 -0400
Subject: [PATCH] fixes for 5.2
Signed-off-by: Sasha Levin
---
 ...ew-hw_changes_brightness-quirk-set-i.patch | 106 ++++++++++++++
 ...additional-realtek-8822ce-bluetooth-.patch | 70 +++++++++
 ...hci-reset-on-close-for-realtek-bt-ch.patch | 103 ++++++++++++++
 ...m-dp-add-dp_dpcd_quirk_no_sink_count.patch | 65 +++++++++
 ...drm-flush-output-polling-on-shutdown.patch | 133 ++++++++++++++++++
 ...-nv50-fix-center-aspect-corrected-sc.patch | 68 +++++++++
 ...anity-check-on-segment-bitmap-of-lfs.patch | 110 +++++++++++++++
 ...n-in-inet-diag-when-ipv6-is-disabled.patch | 39 +++++
 ...ock-is-added-too-early-to-the-hash-t.patch | 90 ++++++++++++
 ...eck-cops-tcf_block-in-tc_bind_tclass.patch | 42 ++++++
 ...cket-fix-erroneous-socket-assignment.patch | 48 +++++++
 queue-5.2/series | 13 ++
 ...oid-warning-splat-when-merging-nodes.patch | 101 +++++++++++++
 ...ash-on-null-attr-fork-xfs_bmapi_read.patch | 99 +++++++++++++
 14 files changed, 1087 insertions(+)
 create mode 100644 queue-5.2/acpi-video-add-new-hw_changes_brightness-quirk-set-i.patch
 create mode 100644 queue-5.2/bluetooth-btrtl-additional-realtek-8822ce-bluetooth-.patch
 create mode 100644 queue-5.2/bluetooth-btrtl-hci-reset-on-close-for-realtek-bt-ch.patch
 create mode 100644 queue-5.2/drm-dp-add-dp_dpcd_quirk_no_sink_count.patch
 create mode 100644 queue-5.2/drm-flush-output-polling-on-shutdown.patch
 create mode 100644 queue-5.2/drm-nouveau-disp-nv50-fix-center-aspect-corrected-sc.patch
 create mode 100644 queue-5.2/f2fs-fix-to-do-sanity-check-on-segment-bitmap-of-lfs.patch
 create mode 100644 queue-5.2/net-don-t-warn-in-inet-diag-when-ipv6-is-disabled.patch
 create mode 100644 queue-5.2/net-rds-an-rds_sock-is-added-too-early-to-the-hash-t.patch
 create mode 100644 queue-5.2/net_sched-check-cops-tcf_block-in-tc_bind_tclass.patch
 create mode 100644 queue-5.2/netfilter-nft_socket-fix-erroneous-socket-assignment.patch
 create mode 100644 queue-5.2/xfrm-policy-avoid-warning-splat-when-merging-nodes.patch
 create mode 100644 queue-5.2/xfs-don-t-crash-on-null-attr-fork-xfs_bmapi_read.patch
diff --git a/queue-5.2/acpi-video-add-new-hw_changes_brightness-quirk-set-i.patch b/queue-5.2/acpi-video-add-new-hw_changes_brightness-quirk-set-i.patch
new file mode 100644
index 00000000000..c272012ade7
--- /dev/null
+++ b/queue-5.2/acpi-video-add-new-hw_changes_brightness-quirk-set-i.patch
@@ -0,0 +1,106 @@
+From a54651fe9302d4e5b90da207b9e504386f1a4a75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Jul 2019 12:00:33 +0200
+Subject: ACPI: video: Add new hw_changes_brightness quirk, set it on PB
+ Easynote MZ35
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede
+
+[ Upstream commit 4f7f96453b462b3de0fa18d18fe983960bb5ee7f ]
+
+Some machines change the brightness themselves when a brightness hotkey
+gets pressed, despite us telling them not to. This causes the brightness to
+go two steps up / down when the hotkey is pressed. This is esp. a problem
+on older machines with only a few brightness levels.
+
+This commit adds a new hw_changes_brightness quirk which makes
+acpi_video_device_notify() only call backlight_force_update(...,
+BACKLIGHT_UPDATE_HOTKEY) and not do anything else, notifying userspace
+that the brightness was changed and leaving it at that fixing the dual
+step problem.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204077
+Reported-by: Kacper Piwiński
+Tested-by: Kacper Piwiński
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpi_video.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
+index 9489ffc064117..4f325e47519f5 100644
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -60,6 +60,12 @@ module_param(report_key_events, int, 0644);
+ MODULE_PARM_DESC(report_key_events,
+ "0: none, 1: output changes, 2: brightness changes, 3: all");
+
++static int hw_changes_brightness = -1;
++module_param(hw_changes_brightness, int, 0644);
++MODULE_PARM_DESC(hw_changes_brightness,
++ "Set this to 1 on buggy hw which changes the brightness itself when "
++ "a hotkey is pressed: -1: auto, 0: normal 1: hw-changes-brightness");
++
+ /*
+ * Whether the struct acpi_video_device_attrib::device_id_scheme bit should be
+ * assumed even if not actually set.
+@@ -405,6 +411,14 @@ static int video_set_report_key_events(const struct dmi_system_id *id)
+ return 0;
+ }
+
++static int video_hw_changes_brightness(
++ const struct dmi_system_id *d)
++{
++ if (hw_changes_brightness == -1)
++ hw_changes_brightness = 1;
++ return 0;
++}
++
+ static const struct dmi_system_id video_dmi_table[] = {
+ /*
+ * Broken _BQC workaround http://bugzilla.kernel.org/show_bug.cgi?id=13121
+@@ -529,6 +543,21 @@ static const struct dmi_system_id video_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V131"),
+ },
+ },
++ /*
++ * Some machines change the brightness themselves when a brightness
++ * hotkey gets pressed, despite us telling them not to. In this case
++ * acpi_video_device_notify() should only call backlight_force_update(
++ * BACKLIGHT_UPDATE_HOTKEY) and not do anything else.
++ */
++ {
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=204077 */
++ .callback = video_hw_changes_brightness,
++ .ident = "Packard Bell EasyNote MZ35",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Packard Bell"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "EasyNote MZ35"),
++ },
++ },
+ {}
+ };
+
+@@ -1612,6 +1641,14 @@ static void acpi_video_device_notify(acpi_handle handle, u32 event, void *data)
+ bus = video_device->video;
+ input = bus->input;
+
++ if (hw_changes_brightness > 0) {
++ if (video_device->backlight)
++ backlight_force_update(video_device->backlight,
++ BACKLIGHT_UPDATE_HOTKEY);
++ acpi_notifier_call_chain(device, event, 0);
++ return;
++ }
++
+ switch (event) {
+ case ACPI_VIDEO_NOTIFY_CYCLE_BRIGHTNESS: /* Cycle brightness */
+ brightness_switch_event(video_device, event);
+-- 
+2.20.1
+
diff --git a/queue-5.2/bluetooth-btrtl-additional-realtek-8822ce-bluetooth-.patch b/queue-5.2/bluetooth-btrtl-additional-realtek-8822ce-bluetooth-.patch
new file mode 100644
index 00000000000..8f81fcb3292
--- /dev/null
+++ b/queue-5.2/bluetooth-btrtl-additional-realtek-8822ce-bluetooth-.patch
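Review bot: The early return added to acpi_video_device_notify() in drivers/acpi/acpi_video.c is taken for every event value once `hw_changes_brightness > 0`, because it sits before `switch (event)`; any case of that switch that is not a brightness hotkey (the switch continues outside the hunk) is skipped as well. If that is intended, a comment such as `/* hw already changed the brightness: only resync the backlight and notify, whatever the event */` above the `if` would make it explicit. The parameter text documents only -1/0/1 while the check accepts any positive value, and `"-1: auto, 0: normal 1: hw-changes-brightness"` is missing a comma after `normal`.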
@@ -0,0 +1,70 @@
+From e3c533ed2cf05966be5cf3638c04fcd920fe13e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Sep 2019 17:10:42 +0800
+Subject: Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices
+
+From: Jian-Hong Pan
+
+[ Upstream commit 6d0762b19c5963ff9e178e8af3626532ee04d93d ]
+
+The ASUS X412FA laptop contains a Realtek RTL8822CE device with an
+associated BT chip using a USB ID of 04ca:4005. This ID is added to the
+driver.
+
+The /sys/kernel/debug/usb/devices portion for this device is:
+
+T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=04 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=04ca ProdID=4005 Rev= 0.00
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=204707
+Signed-off-by: Jian-Hong Pan
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 0f4750322864a..aa6e2f9d48617 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -378,6 +378,9 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3526), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8822CE Bluetooth devices */
++ { USB_DEVICE(0x04ca, 0x4005), .driver_info = BTUSB_REALTEK },
++
+ /* Silicon Wave based devices */
+ { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
+
+-- 
+2.20.1
+
diff --git a/queue-5.2/bluetooth-btrtl-hci-reset-on-close-for-realtek-bt-ch.patch b/queue-5.2/bluetooth-btrtl-hci-reset-on-close-for-realtek-bt-ch.patch
new file mode 100644
index 00000000000..0056bce4b66
--- /dev/null
+++ b/queue-5.2/bluetooth-btrtl-hci-reset-on-close-for-realtek-bt-ch.patch
@@ -0,0 +1,103 @@
+From e0b4b43cae745a2a182dee09944b9a1d341bce60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jun 2019 16:30:51 +0800
+Subject: Bluetooth: btrtl: HCI reset on close for Realtek BT chip
+
+From: Jian-Hong Pan
+
+[ Upstream commit 7af3f558aca74f2ee47b173f1c27f6bb9a5b5561 ]
+
+Realtek RTL8822BE BT chip on ASUS X420FA cannot be turned on correctly
+after on-off several times. Bluetooth daemon sets BT mode failed when
+this issue happens. Scanning must be active while turning off for this
+bug to be hit.
+
+bluetoothd[1576]: Failed to set mode: Failed (0x03)
+
+If BT is turned off, then turned on again, it works correctly again.
+
+According to the vendor driver, the HCI_QUIRK_RESET_ON_CLOSE flag is set
+during probing. So, this patch makes Realtek's BT reset on close to fix
+this issue.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=203429
+Signed-off-by: Jian-Hong Pan
+Reviewed-by: Daniel Drake
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btrtl.c | 20 ++++++++++++++++++++
+ drivers/bluetooth/btrtl.h | 6 ++++++
+ drivers/bluetooth/btusb.c | 1 +
+ 3 files changed, 27 insertions(+)
+
+diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
+index 208feef63de40..d04b443cad1f2 100644
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -637,6 +637,26 @@ int btrtl_setup_realtek(struct hci_dev *hdev)
+ }
+ EXPORT_SYMBOL_GPL(btrtl_setup_realtek);
+
++int btrtl_shutdown_realtek(struct hci_dev *hdev)
++{
++ struct sk_buff *skb;
++ int ret;
++
++ /* According to the vendor driver, BT must be reset on close to avoid
++ * firmware crash.
++ */
++ skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
++ if (IS_ERR(skb)) {
++ ret = PTR_ERR(skb);
++ bt_dev_err(hdev, "HCI reset during shutdown failed");
++ return ret;
++ }
++ kfree_skb(skb);
++
++ return 0;
++}
++EXPORT_SYMBOL_GPL(btrtl_shutdown_realtek);
++
+ static unsigned int btrtl_convert_baudrate(u32 device_baudrate)
+ {
+ switch (device_baudrate) {
+diff --git a/drivers/bluetooth/btrtl.h b/drivers/bluetooth/btrtl.h
+index f1676144fce81..10ad40c3e42c2 100644
+--- a/drivers/bluetooth/btrtl.h
++++ b/drivers/bluetooth/btrtl.h
+@@ -55,6 +55,7 @@ void btrtl_free(struct btrtl_device_info *btrtl_dev);
+ int btrtl_download_firmware(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev);
+ int btrtl_setup_realtek(struct hci_dev *hdev);
++int btrtl_shutdown_realtek(struct hci_dev *hdev);
+ int btrtl_get_uart_settings(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev,
+ unsigned int *controller_baudrate,
+@@ -83,6 +84,11 @@ static inline int btrtl_setup_realtek(struct hci_dev *hdev)
+ return -EOPNOTSUPP;
+ }
+
++static inline int btrtl_shutdown_realtek(struct hci_dev *hdev)
++{
++ return -EOPNOTSUPP;
++}
++
+ static inline int btrtl_get_uart_settings(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev,
+ unsigned int *controller_baudrate,
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 7954a79249235..0f4750322864a 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3181,6 +3181,7 @@ static int btusb_probe(struct usb_interface *intf,
+ #ifdef CONFIG_BT_HCIBTUSB_RTL
+ if (id->driver_info & BTUSB_REALTEK) {
+ hdev->setup = btrtl_setup_realtek;
++ hdev->shutdown = btrtl_shutdown_realtek;
+
+ /* Realtek devices lose their updated firmware over suspend,
+ * but the USB hub doesn't notice any status change.
+-- 
+2.20.1
+
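Review bot: In btrtl_shutdown_realtek() (drivers/bluetooth/btrtl.c) the failure path stores `PTR_ERR(skb)` in `ret` but the log line drops it, so a command timeout cannot be told apart from any other failure when reading the log; `bt_dev_err(hdev, "HCI reset during shutdown failed (%d)", ret);` keeps the code. The new exported function also has no header comment; a short kernel-doc block saying that it is installed as `hdev->shutdown` from btusb_probe() for BTUSB_REALTEK devices and what it returns would document the contract.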
diff --git a/queue-5.2/drm-dp-add-dp_dpcd_quirk_no_sink_count.patch b/queue-5.2/drm-dp-add-dp_dpcd_quirk_no_sink_count.patch
new file mode 100644
index 00000000000..df0a9c5da8a
--- /dev/null
+++ b/queue-5.2/drm-dp-add-dp_dpcd_quirk_no_sink_count.patch
@@ -0,0 +1,65 @@
+From 54b5d2776bd2f36085f86f0c87cc798a9c7bf979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 May 2019 17:06:49 +0300
+Subject: drm/dp: Add DP_DPCD_QUIRK_NO_SINK_COUNT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä
+
+[ Upstream commit 7974033e527a5dd12d96126d09d4cff4f9b65c69 ]
+
+CH7511 eDP->LVDS bridge doesn't seem to set SINK_COUNT properly
+causing i915 to detect it as disconnected. Add a quirk to ignore
+SINK_COUNT on these devices.
+
+Cc: David S.
+Cc: Peteris Rudzusiks
+Tested-by: Peteris Rudzusiks
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105406
+Signed-off-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20190528140650.19230-1-ville.syrjala@linux.intel.com
+Acked-by: Jani Nikula #irc
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_dp_helper.c | 4 +++-
+ include/drm/drm_dp_helper.h | 7 +++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_helper.c b/drivers/gpu/drm/drm_dp_helper.c
+index 54a6414c5d961..429c58ce56ced 100644
+--- a/drivers/gpu/drm/drm_dp_helper.c
++++ b/drivers/gpu/drm/drm_dp_helper.c
+@@ -1278,7 +1278,9 @@ static const struct dpcd_quirk dpcd_quirk_list[] = {
+ /* LG LP140WF6-SPM1 eDP panel */
+ { OUI(0x00, 0x22, 0xb9), DEVICE_ID('s', 'i', 'v', 'a', 'r', 'T'), false, BIT(DP_DPCD_QUIRK_CONSTANT_N) },
+ /* Apple panels need some additional handling to support PSR */
+- { OUI(0x00, 0x10, 0xfa), DEVICE_ID_ANY, false, BIT(DP_DPCD_QUIRK_NO_PSR) }
++ { OUI(0x00, 0x10, 0xfa), DEVICE_ID_ANY, false, BIT(DP_DPCD_QUIRK_NO_PSR) },
++ /* CH7511 seems to leave SINK_COUNT zeroed */
++ { OUI(0x00, 0x00, 0x00), DEVICE_ID('C', 'H', '7', '5', '1', '1'), false, BIT(DP_DPCD_QUIRK_NO_SINK_COUNT) },
+ };
+
+ #undef OUI
+diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
+index 97ce790a5b5aa..d6c89cbe127a3 100644
+--- a/include/drm/drm_dp_helper.h
++++ b/include/drm/drm_dp_helper.h
+@@ -1401,6 +1401,13 @@ enum drm_dp_quirk {
+ * driver still need to implement proper handling for such device.
+ */
+ DP_DPCD_QUIRK_NO_PSR,
++ /**
++ * @DP_DPCD_QUIRK_NO_SINK_COUNT:
++ *
++ * The device does not set SINK_COUNT to a non-zero value.
++ * The driver should ignore SINK_COUNT during detection.
++ */
++ DP_DPCD_QUIRK_NO_SINK_COUNT,
+ };
+
+ /**
+-- 
+2.20.1
+
diff --git a/queue-5.2/drm-flush-output-polling-on-shutdown.patch b/queue-5.2/drm-flush-output-polling-on-shutdown.patch
new file mode 100644
index 00000000000..f09e617d8fd
--- /dev/null
+++ b/queue-5.2/drm-flush-output-polling-on-shutdown.patch
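Review bot: Nothing in this patch reads `DP_DPCD_QUIRK_NO_SINK_COUNT`: its two file sections only add the entry to `dpcd_quirk_list[]` in drm_dp_helper.c and the enum value in drm_dp_helper.h, and none of the 13 patch files this commit creates is an i915 change. Unless the detection-side check is already in the 5.2 tree or queued separately, this backport does not change the disconnect behaviour described in its message, so that dependency should be confirmed. The table entry matches on `OUI(0x00, 0x00, 0x00)`, presumably because the bridge reports a zero OUI; the comment could say so, e.g. `/* CH7511 seems to leave SINK_COUNT zeroed; OUI is all zero, so the device ID string does the matching */`.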
@@ -0,0 +1,133 @@
+From 4a445b33ca231421ffb8474da81928594466d9ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jun 2019 14:58:57 +0100
+Subject: drm: Flush output polling on shutdown
+
+From: Chris Wilson
+
+[ Upstream commit 3b295cb1a411d9c82bbfaa66bc17a8508716ed07 ]
+
+We need to mark the output polling as disabled to prevent concurrent
+irqs from queuing new work as shutdown the probe -- causing that work to
+execute after we have freed the structs:
+
+<4> [341.846490] DEBUG_LOCKS_WARN_ON(mutex_is_locked(lock))
+<4> [341.846497] WARNING: CPU: 3 PID: 3300 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x49/0x50
+<4> [341.846508] Modules linked in: i915(-) vgem thunderbolt snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic mei_hdcp x86_pkg_temp_thermal coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm mcs7830 btusb usbnet btrtl mii btbcm btintel bluetooth ecdh_generic ecc mei_me mei prime_numbers i2c_hid pinctrl_sunrisepoint pinctrl_intel [last unloaded: i915]
+<4> [341.846546] CPU: 3 PID: 3300 Comm: i915_module_loa Tainted: G U 5.2.0-rc2-CI-CI_DRM_6175+ #1
+<4> [341.846553] Hardware name: Dell Inc. XPS 13 9360/0823VW, BIOS 2.9.0 07/09/2018
+<4> [341.846560] RIP: 0010:mutex_destroy+0x49/0x50
+<4> [341.846565] Code: 00 00 5b c3 e8 a8 9f 3b 00 85 c0 74 ed 8b 05 3e 55 23 01 85 c0 75 e3 48 c7 c6 00 d0 08 82 48 c7 c7 a8 aa 07 82 e8 e7 08 fa ff <0f> 0b eb cc 0f 1f 00 48 b8 11 11 11 11 11 11 11 11 48 89 76 20 48
+<4> [341.846578] RSP: 0018:ffffc900006cfdb0 EFLAGS: 00010286
+<4> [341.846583] RAX: 0000000000000000 RBX: ffff88826759a168 RCX: 0000000000000000
+<4> [341.846589] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffffffff8112844c
+<4> [341.846595] RBP: ffff8882708fa548 R08: 0000000000000000 R09: 0000000000039600
+<4> [341.846601] R10: 0000000000000000 R11: 0000000000000ce4 R12: ffffffffa07de1e0
+<4> [341.846607] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffa07de2d0
+<4> [341.846613] FS: 00007f62b5ae0e40(0000) GS:ffff888276380000(0000) knlGS:0000000000000000
+<4> [341.846620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4> [341.846626] CR2: 000055a4e064f4a0 CR3: 0000000266b16006 CR4: 00000000003606e0
+<4> [341.846632] Call Trace:
+<4> [341.846639] drm_fb_helper_fini.part.17+0xb3/0x100
+<4> [341.846682] intel_fbdev_fini+0x20/0x80 [i915]
+<4> [341.846722] intel_modeset_cleanup+0x9a/0x140 [i915]
+<4> [341.846750] i915_driver_unload+0xa3/0x100 [i915]
+<4> [341.846778] i915_pci_remove+0x19/0x30 [i915]
+<4> [341.846784] pci_device_remove+0x36/0xb0
+<4> [341.846790] device_release_driver_internal+0xd3/0x1b0
+<4> [341.846795] driver_detach+0x3f/0x80
+<4> [341.846800] bus_remove_driver+0x53/0xd0
+<4> [341.846805] pci_unregister_driver+0x25/0xa0
+<4> [341.846843] i915_exit+0x16/0x1c [i915]
+<4> [341.846849] __se_sys_delete_module+0x162/0x210
+<4> [341.846855] ? trace_hardirqs_off_thunk+0x1a/0x1c
+<4> [341.846859] ? do_syscall_64+0xd/0x1c0
+<4> [341.846864] do_syscall_64+0x55/0x1c0
+<4> [341.846869] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+<4> [341.846875] RIP: 0033:0x7f62b51871b7
+<4> [341.846881] Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
+<4> [341.846897] RSP: 002b:00007ffe7a227138 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+<4> [341.846904] RAX: ffffffffffffffda RBX: 00007ffe7a2272b0 RCX: 00007f62b51871b7
+<4> [341.846910] RDX: 0000000000000001 RSI: 0000000000000800 RDI: 0000557cd6b55948
+<4> [341.846916] RBP: 0000557cd6b558e0 R08: 0000557cd6b5594c R09: 00007ffe7a227160
+<4> [341.846922] R10: 00007ffe7a226134 R11: 0000000000000206 R12: 0000000000000000
+<4> [341.846927] R13: 00007ffe7a227820 R14: 0000000000000000 R15: 0000000000000000
+<4> [341.846936] irq event stamp: 3547847
+<4> [341.846940] hardirqs last enabled at (3547847): [] _raw_spin_unlock_irqrestore+0x4c/0x60
+<4> [341.846949] hardirqs last disabled at (3547846): [] _raw_spin_lock_irqsave+0xd/0x50
+<4> [341.846957] softirqs last enabled at (3547376): [] __do_softirq+0x33a/0x4b9
+<4> [341.846966] softirqs last disabled at (3547367): [] irq_exit+0xa9/0xc0
+<4> [341.846973] WARNING: CPU: 3 PID: 3300 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x49/0x50
+<4> [341.846980] ---[ end trace ba94ca8952ba970e ]---
+<7> [341.866547] [drm:intel_dp_detect [i915]] MST support? port A: no, sink: no, modparam: yes
+<7> [341.890480] [drm:drm_add_display_info] non_desktop set to 0
+<7> [341.890530] [drm:drm_add_edid_modes] ELD: no CEA Extension found
+<7> [341.890537] [drm:drm_add_display_info] non_desktop set to 0
+<7> [341.890578] [drm:drm_helper_probe_single_connector_modes] [CONNECTOR:86:eDP-1] probed modes :
+<7> [341.890589] [drm:drm_mode_debug_printmodeline] Modeline "3200x1800": 60 373250 3200 3248 3280 3360 1800 1803 1808 1852 0x48 0xa
+<7> [341.890602] [drm:drm_mode_debug_printmodeline] Modeline "3200x1800": 48 298600 3200 3248 3280 3360 1800 1803 1808 1852 0x40 0xa
+<4> [341.890628] general protection fault: 0000 [#1] PREEMPT SMP PTI
+<4> [341.890636] CPU: 0 PID: 508 Comm: kworker/0:4 Tainted: G U W 5.2.0-rc2-CI-CI_DRM_6175+ #1
+<4> [341.890646] Hardware name: Dell Inc. XPS 13 9360/0823VW, BIOS 2.9.0 07/09/2018
+<4> [341.890655] Workqueue: events output_poll_execute
+<4> [341.890663] RIP: 0010:drm_setup_crtcs+0x13e/0xbe0
+<4> [341.890669] Code: 00 41 8b 44 24 58 85 c0 0f 8e f9 01 00 00 44 8b 6c 24 20 44 8b 74 24 28 31 db 31 ed 49 8b 44 24 60 48 63 d5 44 89 ee 83 c5 01 <48> 8b 04 d0 44 89 f2 48 8b 38 48 8b 87 88 01 00 00 48 8b 40 20 e8
+<4> [341.890686] RSP: 0018:ffffc9000033fd40 EFLAGS: 00010202
+<4> [341.890692] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000002 RCX: 0000000000000000
+<4> [341.890700] RDX: 0000000000000001 RSI: 0000000000000c80 RDI: 00000000ffffffff
+<4> [341.890707] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+<4> [341.890715] R10: 0000000000000c80 R11: 0000000000000000 R12: ffff888267599fe8
+<4> [341.890722] R13: 0000000000000c80 R14: 0000000000000708 R15: 0000000000000007
+<4> [341.890730] FS: 0000000000000000(0000) GS:ffff888276200000(0000) knlGS:0000000000000000
+<4> [341.890739] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4> [341.890745] CR2: 000055a4e064f4a0 CR3: 000000026d234003 CR4: 00000000003606f0
+<4> [341.890752] Call Trace:
+<4> [341.890760] drm_fb_helper_hotplug_event.part.24+0x89/0xb0
+<4> [341.890768] drm_kms_helper_hotplug_event+0x21/0x30
+<4> [341.890774] output_poll_execute+0x9d/0x1a0
+<4> [341.890782] process_one_work+0x245/0x610
+<4> [341.890790] worker_thread+0x37/0x380
+<4> [341.890796] ? process_one_work+0x610/0x610
+<4> [341.890802] kthread+0x119/0x130
+<4> [341.890808] ? kthread_park+0x80/0x80
+<4> [341.890815] ret_from_fork+0x3a/0x50
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109964
+Signed-off-by: Chris Wilson
+Reviewed-by: Imre Deak
+Link: https://patchwork.freedesktop.org/patch/msgid/20190603135910.15979-2-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_probe_helper.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c
+index dd427c7ff9677..f13d45f40ed17 100644
+--- a/drivers/gpu/drm/drm_probe_helper.c
++++ b/drivers/gpu/drm/drm_probe_helper.c
+@@ -581,6 +581,9 @@ static void output_poll_execute(struct work_struct *work)
+ enum drm_connector_status old_status;
+ bool repoll = false, changed;
+
++ if (!dev->mode_config.poll_enabled)
++ return;
++
+ /* Pick up any changes detected by the probe functions. */
+ changed = dev->mode_config.delayed_event;
+ dev->mode_config.delayed_event = false;
+@@ -735,7 +738,11 @@ EXPORT_SYMBOL(drm_kms_helper_poll_init);
+ */
+ void drm_kms_helper_poll_fini(struct drm_device *dev)
+ {
+- drm_kms_helper_poll_disable(dev);
++ if (!dev->mode_config.poll_enabled)
++ return;
++
++ dev->mode_config.poll_enabled = false;
++ cancel_delayed_work_sync(&dev->mode_config.output_poll_work);
+ }
+ EXPORT_SYMBOL(drm_kms_helper_poll_fini);
+
+-- 
+2.20.1
+
diff --git a/queue-5.2/drm-nouveau-disp-nv50-fix-center-aspect-corrected-sc.patch b/queue-5.2/drm-nouveau-disp-nv50-fix-center-aspect-corrected-sc.patch
new file mode 100644
index 00000000000..9829986621a
--- /dev/null
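Review bot: The new `if (!dev->mode_config.poll_enabled) return;` at the top of output_poll_execute() has no comment, although it is what keeps a poll queued late by a racing irq from running the probe after drm_kms_helper_poll_fini(); I would add `/* poll_fini() has run: a late-queued poll must not touch state that teardown is freeing */` above it. `poll_enabled` is written in drm_kms_helper_poll_fini() and read in the worker as a plain field, and the paths that queue `output_poll_work` are outside these hunks, so whether they recheck the flag before queuing cannot be confirmed from here. The kernel-doc of drm_kms_helper_poll_fini(), which ends just above the hunk, should also say that the function now clears `poll_enabled` and cancels the work itself instead of calling drm_kms_helper_poll_disable().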
+++ b/queue-5.2/drm-nouveau-disp-nv50-fix-center-aspect-corrected-sc.patch 
@@ -0,0 +1,68 @@
+From 90a5173b3814c92a38e4ee1441da60f9dd0b25a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 May 2019 18:41:49 -0400
+Subject: drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling
+
+From: Ilia Mirkin
+
+[ Upstream commit 533f4752407543f488a9118d817b8c504352b6fb ]
+
+Previously center scaling would get scaling applied to it (when it was
+only supposed to center the image), and aspect-corrected scaling did not
+always correctly pick whether to reduce width or height for a particular
+combination of inputs/outputs.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110660
+Signed-off-by: Ilia Mirkin
+Signed-off-by: Ben Skeggs
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/dispnv50/head.c | 28 +++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/dispnv50/head.c b/drivers/gpu/drm/nouveau/dispnv50/head.c
+index 06ee23823a689..acfafc4bda0e1 100644
+--- a/drivers/gpu/drm/nouveau/dispnv50/head.c
++++ b/drivers/gpu/drm/nouveau/dispnv50/head.c
+@@ -169,14 +169,34 @@ nv50_head_atomic_check_view(struct nv50_head_atom *armh,
+ */
+ switch (mode) {
+ case DRM_MODE_SCALE_CENTER:
+- asyh->view.oW = min((u16)umode->hdisplay, asyh->view.oW);
+- asyh->view.oH = min((u16)umode_vdisplay, asyh->view.oH);
+- /* fall-through */
++ /* NOTE: This will cause scaling when the input is
++ * larger than the output.
++ */
++ asyh->view.oW = min(asyh->view.iW, asyh->view.oW);
++ asyh->view.oH = min(asyh->view.iH, asyh->view.oH);
++ break;
+ case DRM_MODE_SCALE_ASPECT:
+- if (asyh->view.oH < asyh->view.oW) {
++ /* Determine whether the scaling should be on width or on
++ * height. This is done by comparing the aspect ratios of the
++ * sizes. If the output AR is larger than input AR, that means
++ * we want to change the width (letterboxed on the
++ * left/right), otherwise on the height (letterboxed on the
++ * top/bottom).
++ *
++ * E.g. 4:3 (1.333) AR image displayed on a 16:10 (1.6) AR
++ * screen will have letterboxes on the left/right. However a
++ * 16:9 (1.777) AR image on that same screen will have
++ * letterboxes on the top/bottom.
++ *
++ * inputAR = iW / iH; outputAR = oW / oH
++ * outputAR > inputAR is equivalent to oW * iH > iW * oH
++ */
++ if (asyh->view.oW * asyh->view.iH > asyh->view.iW * asyh->view.oH) {
++ /* Recompute output width, i.e. left/right letterbox */
+ u32 r = (asyh->view.iW << 19) / asyh->view.iH;
+ asyh->view.oW = ((asyh->view.oH * r) + (r / 2)) >> 19;
+ } else {
++ /* Recompute output height, i.e. top/bottom letterbox */
+ u32 r = (asyh->view.iH << 19) / asyh->view.iW;
+ asyh->view.oH = ((asyh->view.oW * r) + (r / 2)) >> 19;
+ }
+-- 
+2.20.1
+
diff --git a/queue-5.2/f2fs-fix-to-do-sanity-check-on-segment-bitmap-of-lfs.patch b/queue-5.2/f2fs-fix-to-do-sanity-check-on-segment-bitmap-of-lfs.patch
new file mode 100644
index 00000000000..2badefbd5f0
--- /dev/null
+++ b/queue-5.2/f2fs-fix-to-do-sanity-check-on-segment-bitmap-of-lfs.patch
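Review bot: The new aspect test `asyh->view.oW * asyh->view.iH > asyh->view.iW * asyh->view.oH` in nv50_head_atomic_check_view() multiplies the view fields at their declared width; the removed `(u16)` casts suggest 16-bit fields, in which case both products are computed in promoted `int` and can exceed INT_MAX for large dimensions. Casting one operand on each side keeps the comparison unsigned and 32 bits wide: `if ((u32)asyh->view.oW * asyh->view.iH > (u32)asyh->view.iW * asyh->view.oH) {`. The divisions in the two branches (`/ asyh->view.iH` and `/ asyh->view.iW`) have no zero guard inside the hunk; the function starts outside it, so confirm that iW and iH are validated as non-zero before this switch.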
@@ -0,0 +1,110 @@
+From 47f45602eb5700c5adb79347b3a9c1ddffe1b4c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 May 2019 23:07:25 +0800
+Subject: f2fs: fix to do sanity check on segment bitmap of LFS curseg
+
+From: Chao Yu
+
+[ Upstream commit c854f4d681365498f53ba07843a16423625aa7e9 ]
+
+As Jungyeon Reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=203233
+
+- Reproduces
+gcc poc_13.c
+./run.sh f2fs
+
+- Kernel messages
+ F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
+ kernel BUG at fs/f2fs/segment.c:2133!
+ RIP: 0010:update_sit_entry+0x35d/0x3e0
+ Call Trace:
+ f2fs_allocate_data_block+0x16c/0x5a0
+ do_write_page+0x57/0x100
+ f2fs_do_write_node_page+0x33/0xa0
+ __write_node_page+0x270/0x4e0
+ f2fs_sync_node_pages+0x5df/0x670
+ f2fs_write_checkpoint+0x364/0x13a0
+ f2fs_sync_fs+0xa3/0x130
+ f2fs_do_sync_file+0x1a6/0x810
+ do_fsync+0x33/0x60
+ __x64_sys_fsync+0xb/0x10
+ do_syscall_64+0x43/0x110
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The testcase fails because that, in fuzzed image, current segment was
+allocated with LFS type, its .next_blkoff should point to an unused
+block address, but actually, its bitmap shows it's not. So during
+allocation, f2fs crash when setting bitmap.
+
+Introducing sanity_check_curseg() to check such inconsistence of
+current in-used segment.
+
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/segment.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 291f7106537c7..0a6be0212e390 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -4242,6 +4242,41 @@ static int build_dirty_segmap(struct f2fs_sb_info *sbi)
+ return init_victim_secmap(sbi);
+ }
+
++static int sanity_check_curseg(struct f2fs_sb_info *sbi)
++{
++ int i;
++
++ /*
++ * In LFS/SSR curseg, .next_blkoff should point to an unused blkaddr;
++ * In LFS curseg, all blkaddr after .next_blkoff should be unused.
++ */
++ for (i = 0; i < NO_CHECK_TYPE; i++) {
++ struct curseg_info *curseg = CURSEG_I(sbi, i);
++ struct seg_entry *se = get_seg_entry(sbi, curseg->segno);
++ unsigned int blkofs = curseg->next_blkoff;
++
++ if (f2fs_test_bit(blkofs, se->cur_valid_map))
++ goto out;
++
++ if (curseg->alloc_type == SSR)
++ continue;
++
++ for (blkofs += 1; blkofs < sbi->blocks_per_seg; blkofs++) {
++ if (!f2fs_test_bit(blkofs, se->cur_valid_map))
++ continue;
++out:
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Current segment's next free block offset is "
++ "inconsistent with bitmap, logtype:%u, "
++ "segno:%u, type:%u, next_blkoff:%u, blkofs:%u",
++ i, curseg->segno, curseg->alloc_type,
++ curseg->next_blkoff, blkofs);
++ return -EINVAL;
++ }
++ }
++ return 0;
++}
++
+ /*
+ * Update min, max modified time for cost-benefit GC algorithm
+ */
+@@ -4337,6 +4372,10 @@ int f2fs_build_segment_manager(struct f2fs_sb_info *sbi)
+ if (err)
+ return err;
+
++ err = sanity_check_curseg(sbi);
++ if (err)
++ return err;
++
+ init_min_max_mtime(sbi);
+ return 0;
+ }
+-- 
+2.20.1
+
diff --git a/queue-5.2/net-don-t-warn-in-inet-diag-when-ipv6-is-disabled.patch b/queue-5.2/net-don-t-warn-in-inet-diag-when-ipv6-is-disabled.patch
new file mode 100644
index 00000000000..4b17a985349
--- /dev/null
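Review bot: sanity_check_curseg() in fs/f2fs/segment.c uses `curseg->next_blkoff` as a bit index into `se->cur_valid_map` before it is ever compared with `sbi->blocks_per_seg`, and it passes `curseg->segno` to get_seg_entry() unchecked. The commit message says these values come from a fuzzed image, so unless both are bounded earlier in mount (not visible in this hunk) the consistency check can itself read outside the bitmap; a guard at the top of the loop body such as `if (blkofs >= sbi->blocks_per_seg) return -EINVAL;` would close that for the offset. The `goto out` that jumps into the body of the inner `for` loop is also hard to follow; moving the f2fs_msg() call into a small static helper that both failure paths call would read more plainly.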
+++ b/queue-5.2/net-don-t-warn-in-inet-diag-when-ipv6-is-disabled.patch
@@ -0,0 +1,39 @@
+From 9f564abf904f8e51f5531414747b87b5c8cf6907 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Jul 2019 15:20:21 -0700
+Subject: net: don't warn in inet diag when IPV6 is disabled
+
+From: Stephen Hemminger
+
+[ Upstream commit 1e64d7cbfdce4887008314d5b367209582223f27 ]
+
+If IPV6 was disabled, then ss command would cause a kernel warning
+because the command was attempting to dump IPV6 socket information.
+The fix is to just remove the warning.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202249
+Fixes: 432490f9d455 ("net: ip, diag -- Add diag interface for raw sockets")
+Signed-off-by: Stephen Hemminger
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/raw_diag.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/ipv4/raw_diag.c b/net/ipv4/raw_diag.c
+index 899e34ceb5602..e35736b993003 100644
+--- a/net/ipv4/raw_diag.c
++++ b/net/ipv4/raw_diag.c
+@@ -24,9 +24,6 @@ raw_get_hashinfo(const struct inet_diag_req_v2 *r)
+ return &raw_v6_hashinfo;
+ #endif
+ } else {
+- pr_warn_once("Unexpected inet family %d\n",
+- r->sdiag_family);
+- WARN_ON_ONCE(1);
+ return ERR_PTR(-EINVAL);
+ }
+ }
+-- 
+2.20.1
+
diff --git a/queue-5.2/net-rds-an-rds_sock-is-added-too-early-to-the-hash-t.patch b/queue-5.2/net-rds-an-rds_sock-is-added-too-early-to-the-hash-t.patch
new file mode 100644
index 00000000000..3582731e8f0
--- /dev/null
+++ b/queue-5.2/net-rds-an-rds_sock-is-added-too-early-to-the-hash-t.patch
@@ -0,0 +1,90 @@
+From 993a415f8d80732e550488e07072b76affc05e7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Sep 2019 02:58:05 -0700
+Subject: net/rds: An rds_sock is added too early to the hash table
+
+From: Ka-Cheong Poon
+
+[ Upstream commit c5c1a030a7dbf8dd4e1fa4405ae9a89dc1d2a8db ]
+
+In rds_bind(), an rds_sock is added to the RDS bind hash table before
+rs_transport is set. This means that the socket can be found by the
+receive code path when rs_transport is NULL. And the receive code
+path de-references rs_transport for congestion update check. This can
+cause a panic. An rds_sock should not be added to the bind hash table
+before all the needed fields are set.
+
+Reported-by: syzbot+4b4f8163c2e246df3c4c@syzkaller.appspotmail.com
+Signed-off-by: Ka-Cheong Poon
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/rds/bind.c | 40 ++++++++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+diff --git a/net/rds/bind.c b/net/rds/bind.c
+index 0f4398e7f2a7a..05464fd7c17af 100644
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2006, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses. You may choose to be licensed under the terms of the GNU
+@@ -239,34 +239,30 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ goto out;
+ }
+
+- sock_set_flag(sk, SOCK_RCU_FREE);
+- ret = rds_add_bound(rs, binding_addr, &port, scope_id);
+- if (ret)
+- goto out;
+-
+- if (rs->rs_transport) { /* previously bound */
++ /* The transport can be set using SO_RDS_TRANSPORT option before the
++ * socket is bound.
++ */
++ if (rs->rs_transport) {
+ trans = rs->rs_transport;
+ if (trans->laddr_check(sock_net(sock->sk),
+ binding_addr, scope_id) != 0) {
+ ret = -ENOPROTOOPT;
+- rds_remove_bound(rs);
+- } else {
+- ret = 0;
++ goto out;
+ }
+- goto out;
+- }
+- trans = rds_trans_get_preferred(sock_net(sock->sk), binding_addr,
+- scope_id);
+- if (!trans) {
+- ret = -EADDRNOTAVAIL;
+- rds_remove_bound(rs);
+- pr_info_ratelimited("RDS: %s could not find a transport for %pI6c, load rds_tcp or rds_rdma?\n",
+- __func__, binding_addr);
+- goto out;
++ } else {
++ trans = rds_trans_get_preferred(sock_net(sock->sk),
++ binding_addr, scope_id);
++ if (!trans) {
++ ret = -EADDRNOTAVAIL;
++ pr_info_ratelimited("RDS: %s could not find a transport for %pI6c, load rds_tcp or rds_rdma?\n",
++ __func__, binding_addr);
++ goto out;
++ }
++ rs->rs_transport = trans;
+ }
+
+- rs->rs_transport = trans;
+- ret = 0;
++ sock_set_flag(sk, SOCK_RCU_FREE);
++ ret = rds_add_bound(rs, binding_addr, &port, scope_id);
+
+ out:
+ release_sock(sk);
+--
+2.20.1
+
diff --git a/queue-5.2/net_sched-check-cops-tcf_block-in-tc_bind_tclass.patch b/queue-5.2/net_sched-check-cops-tcf_block-in-tc_bind_tclass.patch
new file mode 100644
index 00000000000..3c72246a1a2
--- /dev/null
+++ b/queue-5.2/net_sched-check-cops-tcf_block-in-tc_bind_tclass.patch
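Review bot: In the rds_bind() hunk, a failing `rds_add_bound()` now leaves the transport picked a few lines earlier (`rs->rs_transport = trans;`) attached to a socket that never got bound, because `ret` falls straight through to `out:`. The removed code stored the transport only after the bind had succeeded. Consider undoing the assignment on failure, e.g. `if (ret) rs->rs_transport = NULL;` right after the call, restricted to the case where this call chose the transport if a value pre-set through SO_RDS_TRANSPORT has to survive a failed bind. Whether `rds_trans_get_preferred()` also returns a reference that would then need dropping cannot be told from this hunk; rds_bind() starts and ends outside it.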
@@ -0,0 +1,42 @@
+From 8c14ea9004721b3484b8bb02834e1f0fae06d0d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 Sep 2019 12:11:23 -0700
+Subject: net_sched: check cops->tcf_block in tc_bind_tclass()
+
+From: Cong Wang
+
+[ Upstream commit 8b142a00edcf8422ca48b8de88d286efb500cb53 ]
+
+At least sch_red and sch_tbf don't implement ->tcf_block()
+while still have a non-zero tc "class".
+
+Instead of adding nop implementations to each of such qdisc's,
+we can just relax the check of cops->tcf_block() in
+tc_bind_tclass(). They don't support TC filter anyway.
+
+Reported-by: syzbot+21b29db13c065852f64b@syzkaller.appspotmail.com
+Cc: Jamal Hadi Salim
+Cc: Jiri Pirko
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 04faee7ccbce6..1047825d9f48d 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1920,6 +1920,8 @@ static void tc_bind_tclass(struct Qdisc *q, u32 portid, u32 clid,
+ cl = cops->find(q, portid);
+ if (!cl)
+ return;
++ if (!cops->tcf_block)
++ return;
+ block = cops->tcf_block(q, cl, NULL);
+ if (!block)
+ return;
+--
+2.20.1
+
diff --git a/queue-5.2/netfilter-nft_socket-fix-erroneous-socket-assignment.patch b/queue-5.2/netfilter-nft_socket-fix-erroneous-socket-assignment.patch
new file mode 100644
index 00000000000..e6cd7f35d67
--- /dev/null
+++ b/queue-5.2/netfilter-nft_socket-fix-erroneous-socket-assignment.patch
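Review bot: The new `if (!cops->tcf_block) return;` guard in tc_bind_tclass() carries no comment, and it is not obvious at the call site that a missing class op is a normal configuration rather than a bug. A one-line comment above it would keep the check from being dropped later as dead code: `/* Some qdiscs (e.g. sch_red, sch_tbf) have a class but no ->tcf_block(); nothing to bind. */`. The function starts and ends outside the hunk.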
@@ -0,0 +1,48 @@
+From 967d87bd7bdf9438e8bd1cafad19539c732aafb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 1 Sep 2019 11:48:08 +0200
+Subject: netfilter: nft_socket: fix erroneous socket assignment
+
+From: Fernando Fernandez Mancera
+
+[ Upstream commit 039b1f4f24ecc8493b6bb9d70b4b78750d1b35c2 ]
+
+The socket assignment is wrong, see skb_orphan():
+When skb->destructor callback is not set, but skb->sk is set, this hits BUG().
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
+Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
+Signed-off-by: Fernando Fernandez Mancera
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
+index d7f3776dfd719..637ce3e8c575c 100644
+--- a/net/netfilter/nft_socket.c
++++ b/net/netfilter/nft_socket.c
+@@ -47,9 +47,6 @@ static void nft_socket_eval(const struct nft_expr *expr,
+ return;
+ }
+
+- /* So that subsequent socket matching not to require other lookups. */
+- skb->sk = sk;
+-
+ switch(priv->key) {
+ case NFT_SOCKET_TRANSPARENT:
+ nft_reg_store8(dest, inet_sk_transparent(sk));
+@@ -66,6 +63,9 @@ static void nft_socket_eval(const struct nft_expr *expr,
+ WARN_ON(1);
+ regs->verdict.code = NFT_BREAK;
+ }
++
++ if (sk != skb->sk)
++ sock_gen_put(sk);
+ }
+
+ static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
+--
+2.20.1
+
diff --git a/queue-5.2/series b/queue-5.2/series
index 3c2f369165a..fdbce5873b5 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
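Review bot: The `sock_gen_put(sk)` added at the end of nft_socket_eval() runs only when control reaches the closing brace, so any `return` inside the `switch(priv->key)` cases would skip the put and leak the socket reference. The removed `skb->sk = sk;` appears to have handed the socket to the skb, which made such early returns harmless before; the switch cases between the two hunks are not shown, so this needs checking against the full function. If such a path exists, replace the `return` with a jump to the release, e.g. `goto out_put_sk;` with an `out_put_sk:` label placed directly before `if (sk != skb->sk)`.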
@@ -30,3 +30,16 @@ objtool-clobber-user-cflags-variable.patch
 revert-f2fs-avoid-out-of-range-memory-access.patch
 dm-zoned-fix-invalid-memory-access.patch
 net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch
+f2fs-fix-to-do-sanity-check-on-segment-bitmap-of-lfs.patch
+drm-flush-output-polling-on-shutdown.patch
+drm-dp-add-dp_dpcd_quirk_no_sink_count.patch
+net-don-t-warn-in-inet-diag-when-ipv6-is-disabled.patch
+bluetooth-btrtl-hci-reset-on-close-for-realtek-bt-ch.patch
+acpi-video-add-new-hw_changes_brightness-quirk-set-i.patch
+drm-nouveau-disp-nv50-fix-center-aspect-corrected-sc.patch
+xfs-don-t-crash-on-null-attr-fork-xfs_bmapi_read.patch
+xfrm-policy-avoid-warning-splat-when-merging-nodes.patch
+netfilter-nft_socket-fix-erroneous-socket-assignment.patch
+bluetooth-btrtl-additional-realtek-8822ce-bluetooth-.patch
+net_sched-check-cops-tcf_block-in-tc_bind_tclass.patch
+net-rds-an-rds_sock-is-added-too-early-to-the-hash-t.patch
diff --git a/queue-5.2/xfrm-policy-avoid-warning-splat-when-merging-nodes.patch b/queue-5.2/xfrm-policy-avoid-warning-splat-when-merging-nodes.patch
new file mode 100644
index 00000000000..d3775fab739
--- /dev/null
+++ b/queue-5.2/xfrm-policy-avoid-warning-splat-when-merging-nodes.patch
@@ -0,0 +1,101 @@
+From 777d87fbc10ce75c8537fa2ba5b0b3cea726f47a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Aug 2019 10:32:13 +0200
+Subject: xfrm: policy: avoid warning splat when merging nodes
+
+From: Florian Westphal
+
+[ Upstream commit 769a807d0b41df4201dbeb01c22eaeb3e5905532 ]
+
+syzbot reported a splat:
+ xfrm_policy_inexact_list_reinsert+0x625/0x6e0 net/xfrm/xfrm_policy.c:877
+ CPU: 1 PID: 6756 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #57
+ Call Trace:
+ xfrm_policy_inexact_node_reinsert net/xfrm/xfrm_policy.c:922 [inline]
+ xfrm_policy_inexact_node_merge net/xfrm/xfrm_policy.c:958 [inline]
+ xfrm_policy_inexact_insert_node+0x537/0xb50 net/xfrm/xfrm_policy.c:1023
+ xfrm_policy_inexact_alloc_chain+0x62b/0xbd0 net/xfrm/xfrm_policy.c:1139
+ xfrm_policy_inexact_insert+0xe8/0x1540 net/xfrm/xfrm_policy.c:1182
+ xfrm_policy_insert+0xdf/0xce0 net/xfrm/xfrm_policy.c:1574
+ xfrm_add_policy+0x4cf/0x9b0 net/xfrm/xfrm_user.c:1670
+ xfrm_user_rcv_msg+0x46b/0x720 net/xfrm/xfrm_user.c:2676
+ netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2477
+ xfrm_netlink_rcv+0x74/0x90 net/xfrm/xfrm_user.c:2684
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0x809/0x9a0 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0xa70/0xd30 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+
+There is no reproducer, however, the warning can be reproduced
+by adding rules with ever smaller prefixes.
+
+The sanity check ("does the policy match the node") uses the prefix value
+of the node before its updated to the smaller value.
+
+To fix this, update the prefix earlier. The bug has no impact on tree
+correctness, this is only to prevent a false warning.
+
+Reported-by: syzbot+8cc27ace5f6972910b31@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_policy.c | 6 ++++--
+ tools/testing/selftests/net/xfrm_policy.sh | 7 +++++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index d5342687fdcaa..7c2fa80b20bdf 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -915,6 +915,7 @@ static void xfrm_policy_inexact_node_reinsert(struct net *net,
+ } else if (delta > 0) {
+ p = &parent->rb_right;
+ } else {
++ bool same_prefixlen = node->prefixlen == n->prefixlen;
+ struct xfrm_policy *tmp;
+
+ hlist_for_each_entry(tmp, &n->hhead, bydst) {
+@@ -922,9 +923,11 @@ static void xfrm_policy_inexact_node_reinsert(struct net *net,
+ hlist_del_rcu(&tmp->bydst);
+ }
+
++ node->prefixlen = prefixlen;
++
+ xfrm_policy_inexact_list_reinsert(net, node, family);
+
+- if (node->prefixlen == n->prefixlen) {
++ if (same_prefixlen) {
+ kfree_rcu(n, rcu);
+ return;
+ }
+@@ -932,7 +935,6 @@ static void xfrm_policy_inexact_node_reinsert(struct net *net,
+ rb_erase(*p, new);
+ kfree_rcu(n, rcu);
+ n = node;
+- n->prefixlen = prefixlen;
+ goto restart;
+ }
+ }
+diff --git a/tools/testing/selftests/net/xfrm_policy.sh b/tools/testing/selftests/net/xfrm_policy.sh
+index 5445943bf07f2..7a1bf94c5bd38 100755
+--- a/tools/testing/selftests/net/xfrm_policy.sh
++++ b/tools/testing/selftests/net/xfrm_policy.sh
+@@ -106,6 +106,13 @@ do_overlap()
+ #
+ # 10.0.0.0/24 and 10.0.1.0/24 nodes have been merged as 10.0.0.0/23.
+ ip -net $ns xfrm policy add src 10.1.0.0/24 dst 10.0.0.0/23 dir fwd priority 200 action block
++
++ # similar to above: add policies (with partially random address), with shrinking prefixes.
++ for p in 29 28 27;do
++ for k in $(seq 1 32); do
++ ip -net $ns xfrm policy add src 10.253.1.$((RANDOM%255))/$p dst 10.254.1.$((RANDOM%255))/$p dir fwd priority $((200+k)) action block 2>/dev/null
++ done
++ done
+ }
+
+ do_esp_policy_get_check() {
+--
+2.20.1
+
diff --git a/queue-5.2/xfs-don-t-crash-on-null-attr-fork-xfs_bmapi_read.patch b/queue-5.2/xfs-don-t-crash-on-null-attr-fork-xfs_bmapi_read.patch
new file mode 100644
index 00000000000..3a1b6dd1290
--- /dev/null
+++ b/queue-5.2/xfs-don-t-crash-on-null-attr-fork-xfs_bmapi_read.patch
@@ -0,0 +1,99 @@
+From c80ef1ba5cf57e7d093132c53207e240ee169878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 11 Aug 2019 15:52:27 -0700
+Subject: xfs: don't crash on null attr fork xfs_bmapi_read
+
+From: Darrick J. Wong
+
+[ Upstream commit 8612de3f7ba6e900465e340516b8313806d27b2d ]
+
+Zorro Lang reported a crash in generic/475 if we try to inactivate a
+corrupt inode with a NULL attr fork (stack trace shortened somewhat):
+
+RIP: 0010:xfs_bmapi_read+0x311/0xb00 [xfs]
+RSP: 0018:ffff888047f9ed68 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff888047f9f038 RCX: 1ffffffff5f99f51
+RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000012
+RBP: ffff888002a41f00 R08: ffffed10005483f0 R09: ffffed10005483ef
+R10: ffffed10005483ef R11: ffff888002a41f7f R12: 0000000000000004
+R13: ffffe8fff53b5768 R14: 0000000000000005 R15: 0000000000000001
+FS: 00007f11d44b5b80(0000) GS:ffff888114200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000ef6000 CR3: 000000002e176003 CR4: 00000000001606e0
+Call Trace:
+ xfs_dabuf_map.constprop.18+0x696/0xe50 [xfs]
+ xfs_da_read_buf+0xf5/0x2c0 [xfs]
+ xfs_da3_node_read+0x1d/0x230 [xfs]
+ xfs_attr_inactive+0x3cc/0x5e0 [xfs]
+ xfs_inactive+0x4c8/0x5b0 [xfs]
+ xfs_fs_destroy_inode+0x31b/0x8e0 [xfs]
+ destroy_inode+0xbc/0x190
+ xfs_bulkstat_one_int+0xa8c/0x1200 [xfs]
+ xfs_bulkstat_one+0x16/0x20 [xfs]
+ xfs_bulkstat+0x6fa/0xf20 [xfs]
+ xfs_ioc_bulkstat+0x182/0x2b0 [xfs]
+ xfs_file_ioctl+0xee0/0x12a0 [xfs]
+ do_vfs_ioctl+0x193/0x1000
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x6f/0xb0
+ do_syscall_64+0x9f/0x4d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f11d39a3e5b
+
+The "obvious" cause is that the attr ifork is null despite the inode
+claiming an attr fork having at least one extent, but it's not so
+obvious why we ended up with an inode in that state.
+
+Reported-by: Zorro Lang
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204031
+Signed-off-by: Darrick J.
Wong
+Reviewed-by: Bill O'Donnell
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/libxfs/xfs_bmap.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index 356ebd1cbe825..d6fbe487d91ad 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -3840,15 +3840,28 @@ xfs_bmapi_read(
+ XFS_STATS_INC(mp, xs_blk_mapr);
+
+ ifp = XFS_IFORK_PTR(ip, whichfork);
++ if (!ifp) {
++ /* No CoW fork? Return a hole. */
++ if (whichfork == XFS_COW_FORK) {
++ mval->br_startoff = bno;
++ mval->br_startblock = HOLESTARTBLOCK;
++ mval->br_blockcount = len;
++ mval->br_state = XFS_EXT_NORM;
++ *nmap = 1;
++ return 0;
++ }
+
+- /* No CoW fork? Return a hole. */
+- if (whichfork == XFS_COW_FORK && !ifp) {
+- mval->br_startoff = bno;
+- mval->br_startblock = HOLESTARTBLOCK;
+- mval->br_blockcount = len;
+- mval->br_state = XFS_EXT_NORM;
+- *nmap = 1;
+- return 0;
++ /*
++ * A missing attr ifork implies that the inode says we're in
++ * extents or btree format but failed to pass the inode fork
++ * verifier while trying to load it. Treat that as a file
++ * corruption too.
++ */
++#ifdef DEBUG
++ xfs_alert(mp, "%s: inode %llu missing fork %d",
++ __func__, ip->i_ino, whichfork);
++#endif /* DEBUG */
++ return -EFSCORRUPTED;
+ }
+
+ if (!(ifp->if_flags & XFS_IFEXTENTS)) {
+--
+2.20.1
+
--
2.47.3
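Review bot: The `xfs_alert()` for a missing fork in xfs_bmapi_read() sits inside `#ifdef DEBUG`, so on production builds the new `return -EFSCORRUPTED;` path leaves no log line naming the inode or the fork. That makes it hard to tie a corruption error seen by a caller back to a specific inode when triaging a damaged or maliciously crafted filesystem image. Consider dropping the `#ifdef DEBUG` / `#endif /* DEBUG */` pair so the message is always emitted, rate-limited if a corrupt filesystem could reach this path repeatedly. The function body starts and ends outside the hunk.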