git.osdn.net Git - sagit-ice-cold/kernel_xiaomi

Merge "staging: android/sync: Signal fences if timeline is destroyed"

staging: android/sync: Signal fences if timeline is destroyed

The original implementation of sw_sync in 3.14 kernel signaled all
active fences with error status on timeline release. However, after the
conversion to use DMA-buf fence code under the hood, the behavior was
(most likely by mistake) changed and the fences are being left active,
with their users possibly getting stuck in sync_wait().

There is indeed a sign of this not being an intentional behavior change,
as timeline retained its ->destroyed field, which is being set in
sync_timeline_destroy(). However there is no code checking it anymore.

Let's fix this by adding a check for timeline->destroyed in
android_fence_signaled(), so if the fence is neither signaled nor in
error state and timeline was destroyed, it will end up in -ENOENT error
state.

Change-Id: I0313b12b37e9d391d5caf218f381fa4b07a2a5e5
Signed-off-by: Tomasz Figa <tfiga@chromium.org>
Git-commit: 85839014db07d3c675d5a8f2f9f94f2aeb33fc5e
Git-repo: https://chromium.googlesource.com/chromiumos/third_party/kernel
Signed-off-by: Firoz Khan <firozk@codeaurora.org>

Merge "Revert "i2c: add virtual i2c driver""

Merge "Merge android-4.4.171 (b355d4f) into msm-4.4"

Revert "i2c: add virtual i2c driver"

This reverts commit 320b7b16475357b630b5f612bb3ebaf8e5159559.

This change refers to an inappropriate document, so we'd
better revert it first.

Change-Id: Ia7b806e911665d89a84b8d8377c2a5da5982f372
Signed-off-by: xianzhu <xianzhu@codeaurora.org>

Merge "arm64: dts: gvm: Add support for USB Host suspend"

Merge android-4.4.171 (b355d4f) into msm-4.4

* refs/heads/tmp-b355d4f
  Linux 4.4.171
  sunrpc: use-after-free in svc_process_common()
  ext4: fix a potential fiemap/page fault deadlock w/ inline_data
  crypto: cts - fix crash on short inputs
  i2c: dev: prevent adapter retries and timeout being set as minus value
  ACPI: power: Skip duplicate power resource references in _PRx
  PCI: altera: Move retrain from fixup to altera_pcie_host_init()
  PCI: altera: Rework config accessors for use without a struct pci_bus
  PCI: altera: Poll for link training status after retraining the link
  PCI: altera: Poll for link up status after retraining the link
  PCI: altera: Check link status before retrain link
  PCI: altera: Reorder read/write functions
  PCI: altera: Fix altera_pcie_link_is_up()
  slab: alien caches must not be initialized if the allocation of the alien cache failed
  USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB
  USB: storage: add quirk for SMI SM3350
  USB: storage: don't insert sane sense for SPC3+ when bad sense specified
  usb: cdc-acm: send ZLP for Telit 3G Intel based modems
  cifs: Fix potential OOB access of lock element array
  CIFS: Do not hide EINTR after sending network packets
  btrfs: tree-checker: Fix misleading group system information
  btrfs: tree-checker: Check level for leaves and nodes
  btrfs: Verify that every chunk has corresponding block group at mount time
  btrfs: Check that each block group has corresponding chunk at mount time
  btrfs: validate type when reading a chunk
  btrfs: tree-checker: Detect invalid and empty essential trees
  btrfs: tree-checker: Verify block_group_item
  btrfs: tree-check: reduce stack consumption in check_dir_item
  btrfs: tree-checker: use %zu format string for size_t
  btrfs: tree-checker: Add checker for dir item
  btrfs: tree-checker: Fix false panic for sanity test
  btrfs: tree-checker: Enhance btrfs_check_node output
  btrfs: Move leaf and node validation checker to tree-checker.c
  btrfs: Add checker for EXTENT_CSUM
  btrfs: Add sanity check for EXTENT_DATA when reading out leaf
  btrfs: Check if item pointer overlaps with the item itself
  btrfs: Refactor check_leaf function for later expansion
  btrfs: struct-funcs, constify readers
  Btrfs: fix emptiness check for dirtied extent buffers at check_leaf()
  Btrfs: memset to avoid stale content in btree leaf
  Btrfs: kill BUG_ON in run_delayed_tree_ref
  Btrfs: improve check_node to avoid reading corrupted nodes
  Btrfs: memset to avoid stale content in btree node block
  Btrfs: fix BUG_ON in btrfs_mark_buffer_dirty
  Btrfs: check btree node's nritems
  Btrfs: detect corruption when non-root leaf has zero item
  Btrfs: fix em leak in find_first_block_group
  Btrfs: check inconsistence between chunk and block group
  Btrfs: add validadtion checks for chunk loading
  btrfs: Enhance chunk validation check
  btrfs: cleanup, stop casting for extent_map->lookup everywhere
  ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225
  UPSTREAM: virtio: new feature to detect IOMMU device quirk
  UPSTREAM: vring: Use the DMA API on Xen
  UPSTREAM: virtio_ring: Support DMA APIs
  UPSTREAM: vring: Introduce vring_use_dma_api()
  ANDROID: cuttlefish_defconfig: Enable vsock options
  UPSTREAM: vhost/vsock: fix reset orphans race with close timeout
  UPSTREAM: vhost/vsock: fix use-after-free in network stack callers
  UPSTREAM: vhost: correctly check the iova range when waking virtqueue
  UPSTREAM: vhost: synchronize IOTLB message with dev cleanup
  UPSTREAM: vhost: fix info leak due to uninitialized memory
  UPSTREAM: vhost: fix vhost_vq_access_ok() log check
  UPSTREAM: vhost: validate log when IOTLB is enabled
  UPSTREAM: vhost_net: add missing lock nesting notation
  UPSTREAM: vhost: use mutex_lock_nested() in vhost_dev_lock_vqs()
  UPSTREAM: vhost/vsock: fix uninitialized vhost_vsock->guest_cid
  UPSTREAM: vhost_net: correctly check tx avail during rx busy polling
  UPSTREAM: vsock: use new wait API for vsock_stream_sendmsg()
  UPSTREAM: vsock: cancel packets when failing to connect
  UPSTREAM: vhost-vsock: add pkt cancel capability
  UPSTREAM: vsock: track pkt owner vsock
  UPSTREAM: vhost: fix initialization for vq->is_le
  UPSTREAM: vhost/vsock: handle vhost_vq_init_access() error
  UPSTREAM: vsock: lookup and setup guest_cid inside vhost_vsock_lock
  UPSTREAM: vhost-vsock: fix orphan connection reset
  UPSTREAM: vsock/virtio: fix src/dst cid format
  UPSTREAM: VSOCK: Don't dec ack backlog twice for rejected connections
  UPSTREAM: vhost/vsock: drop space available check for TX vq
  UPSTREAM: virtio-vsock: fix include guard typo
  UPSTREAM: vhost/vsock: fix vhost virtio_vsock_pkt use-after-free
  UPSTREAM: VSOCK: Use kvfree()
  BACKPORT: vhost: split out vringh Kconfig
  UPSTREAM: vhost: drop vringh dependency
  UPSTREAM: vhost: drop vringh dependency
  UPSTREAM: vhost: detect 32 bit integer wrap around
  UPSTREAM: VSOCK: Add Makefile and Kconfig
  UPSTREAM: VSOCK: Introduce vhost_vsock.ko
  UPSTREAM: VSOCK: Introduce virtio_transport.ko
  BACKPORT: VSOCK: Introduce virtio_vsock_common.ko
  UPSTREAM: VSOCK: defer sock removal to transports
  UPSTREAM: VSOCK: transport-specific vsock_transport functions
  UPSTREAM: vsock: make listener child lock ordering explicit
  UPSTREAM: vhost: new device IOTLB API
  BACKPORT: vhost: convert pre sorted vhost memory array to interval tree
  UPSTREAM: vhost: introduce vhost memory accessors
  UPSTREAM: vhost_net: stop polling socket during rx processing
  UPSTREAM: VSOCK: constify vsock_transport structure
  UPSTREAM: vhost: lockless enqueuing
  UPSTREAM: vhost: simplify work flushing
  UPSTREAM: VSOCK: Only check error on skb_recv_datagram when skb is NULL
  BACKPORT: AF_VSOCK: Shrink the area influenced by prepare_to_wait
  UPSTREAM: vhost_net: basic polling support
  UPSTREAM: vhost: introduce vhost_vq_avail_empty()
  UPSTREAM: vhost: introduce vhost_has_work()
  UPSTREAM: vhost: rename vhost_init_used()
  UPSTREAM: vhost: rename cross-endian helpers
  UPSTREAM: vhost: fix error path in vhost_init_used()
  UPSTREAM: virtio: make find_vqs() checkpatch.pl-friendly
  UPSTREAM: net: move napi_hash[] into read mostly section
  ANDROID: cuttlefish_defconfig: remove DM_VERITY_HASH_PREFETCH_MIN_SIZE
  Revert "ANDROID: dm verity: add minimum prefetch size"
  ANDROID: f2fs: Complement "android_fs" tracepoint of read path

Removed config DM_VERITY_HASH_PREFETCH_MIN_SIZE in defconfig files
as this feature got reverted.

Change-Id: I9117e3080eaf0e0c99888468037855fc7713ff88
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

Merge "ARM: dts: msm8996: add the ext node and clock entries for hdmi"

arm64: dts: gvm: Add support for USB Host suspend

Enable USB2 suspend in LA Guest when the touch
is connected to host port.

Change-Id: Id211fc0e170079fadba610617a5faa0f1f96360d
Signed-off-by: Venkata Rao Kakani <vkakani@codeaurora.org>

Merge "soc: qcom: Fix identified corner cases."

Merge "usb: misc: ks_bridge: Enable enumeration on second xHCI port"

Merge "usb: misc: diag_ipc_bridge: Move dev cleanup to delete function"

Merge "ARM: dts: msm: DRM: Change eDRM display pipe"

Merge "drm/msm: Early DRM Driver"

soc: qcom: Fix identified corner cases.

Fix identified corner cases with respect to
early services.

1. Allow hot adding of non-earlydomain cpus.
2. NOP for apis when earlydomain is inactive.
3. Loop for size of cpumask and not cpumask_t

Change-Id: Iad00ee6468232e2072eb3bbcd2e70faedc7c7886
Signed-off-by: Vivek Kumar <vivekuma@codeaurora.org>

Merge "usb: gadget: uac1: Increase number of requests to 8"

Merge android-4.4.170 (241f76b1) into msm-4.4

* refs/heads/tmp-241f76b1
  Linux 4.4.170
  power: supply: olpc_battery: correct the temperature units
  intel_th: msu: Fix an off-by-one in attribute store
  genwqe: Fix size check
  ceph: don't update importing cap's mseq when handing cap export
  iommu/vt-d: Handle domain agaw being less than iommu agaw
  9p/net: put a lower bound on msize
  b43: Fix error in cordic routine
  gfs2: Fix loop in gfs2_rbm_find
  dlm: memory leaks on error path in dlm_user_request()
  dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
  dlm: possible memory leak on error path in create_lkb()
  dlm: fixed memory leaks after failed ls_remove_names allocation
  ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
  ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
  ALSA: cs46xx: Potential NULL dereference in probe
  crypto: x86/chacha20 - avoid sleeping with preemption disabled
  sunrpc: use SVC_NET() in svcauth_gss_* functions
  sunrpc: fix cache_head leak due to queued request
  mm, devm_memremap_pages: kill mapping "System RAM" support
  mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL
  hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
  fork: record start_time late
  scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown
  Input: omap-keypad - fix idle configuration to not block SoC idle states
  scsi: bnx2fc: Fix NULL dereference in error handling
  xfrm: Fix bucket count reported to userspace
  checkstack.pl: fix for aarch64
  Input: restore EV_ABS ABS_RESERVED
  ARM: imx: update the cpu power up timing setting on i.mx6sx
  powerpc: Fix COFF zImage booting on old powermacs
  spi: bcm2835: Unbreak the build of esoteric configs
  x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested
  CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem
  MIPS: Align kernel load address to 64KB
  MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
  media: vivid: free bitmap_cap when updating std/timings/etc.
  cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader.
  spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode
  spi: bcm2835: Fix book-keeping of DMA termination
  spi: bcm2835: Fix race on DMA termination
  ext4: force inode writes when nfsd calls commit_metadata()
  ext4: fix EXT4_IOC_GROUP_ADD ioctl
  ext4: missing unlock/put_page() in ext4_try_to_write_inline_data()
  ext4: fix possible use after free in ext4_quota_enable
  perf pmu: Suppress potential format-truncation warning
  KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup
  Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G
  usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
  USB: serial: option: add Fibocom NL678 series
  USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
  ALSA: hda/tegra: clear pending irq handlers
  ALSA: hda: add mute LED support for HP EliteBook 840 G4
  ALSA: emux: Fix potential Spectre v1 vulnerabilities
  ALSA: pcm: Fix potential Spectre v1 vulnerability
  ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
  ALSA: rme9652: Fix potential Spectre v1 vulnerability
  sock: Make sock->sk_stamp thread-safe
  gro_cell: add napi_disable in gro_cells_destroy
  xen/netfront: tolerate frags with no data
  VSOCK: Send reset control packet when socket is partially bound
  vhost: make sure used idx is seen before log in vhost_add_used_n()
  sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
  packet: validate address length if non-zero
  packet: validate address length
  netrom: fix locking in nr_find_socket()
  isdn: fix kernel-infoleak in capi_unlocked_ioctl
  ipv6: explicitly initialize udp6_addr in udp_sock_create6()
  ieee802154: lowpan_header_create check must check daddr
  ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
  ax25: fix a use-after-free in ax25_fillin_cb()
  ipv4: Fix potential Spectre v1 vulnerability
  ip6mr: Fix potential Spectre v1 vulnerability
  drm/ioctl: Fix Spectre v1 vulnerabilities
  x86/mtrr: Don't copy uninitialized gentry fields back to userspace
  Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
  gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
  mmc: omap_hsmmc: fix DMA API warning
  mmc: core: Reset HPI enabled state during re-init and in case of errors
  USB: serial: option: add Telit LN940 series
  USB: serial: option: add Fibocom NL668 series
  USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
  USB: serial: option: add HP lt4132
  USB: serial: option: add GosunCn ZTE WeLink ME3630
  xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
  USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
  f2fs: don't access node/meta inode mapping after iput
  f2fs: wait on atomic writes to count F2FS_CP_WB_DATA
  f2fs: sanity check of xattr entry size
  f2fs: fix use-after-free issue when accessing sbi->stat_info
  f2fs: check PageWriteback flag for ordered case
  f2fs: fix validation of the block count in sanity_check_raw_super
  f2fs: fix missing unlock(sbi->gc_mutex)
  f2fs: clean up structure extent_node
  f2fs: fix block address for __check_sit_bitmap
  f2fs: fix sbi->extent_list corruption issue
  f2fs: clean up checkpoint flow
  f2fs: flush stale issued discard candidates
  f2fs: correct wrong spelling, issing_*
  f2fs: use kvmalloc, if kmalloc is failed
  f2fs: remove redundant comment of unused wio_mutex
  f2fs: fix to reorder set_page_dirty and wait_on_page_writeback
  f2fs: clear PG_writeback if IPU failed
  f2fs: add an ioctl() to explicitly trigger fsck later
  f2fs: avoid frequent costly fsck triggers
  f2fs: fix m_may_create to make OPU DIO write correctly
  f2fs: fix to update new block address correctly for OPU
  f2fs: adjust trace print in f2fs_get_victim() to cover all paths
  f2fs: fix to allow node segment for GC by ioctl path
  f2fs: make "f2fs_fault_name[]" const char *
  f2fs: read page index before freeing
  f2fs: fix wrong return value of f2fs_acl_create
  f2fs: avoid build warn of fall_through
  f2fs: fix race between write_checkpoint and write_begin
  f2fs: check memory boundary by insane namelen
  f2fs: only flush the single temp bio cache which owns the target page
  f2fs: fix out-place-update DIO write
  f2fs: fix to be aware discard/preflush/dio command in is_idle()
  f2fs: add to account direct IO
  f2fs: move dir data flush to write checkpoint process
  f2fs: change segment to section in f2fs_ioc_gc_range
  f2fs: export migration_granularity sysfs entry
  f2fs: support subsectional garbage collection
  f2fs: introduce __is_large_section() for cleanup
  f2fs: clean up f2fs_sb_has_##feature_name
  f2fs: remove codes of unused wio_mutex
  f2fs: fix count of seg_freed to make sec_freed correct
  f2fs: fix to account preflush command for noflush_merge mode
  f2fs: avoid GC causing encrypted file corrupted
  ANDROID: cuttlefish_defconfig: Enable VIRTIO_INPUT

Conflicts:
mm/memory_hotplug.c

Change-Id: I8dc4545b59eff285a0fdb22cd06e8d5dffbe1330
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

usb: gadget: uac1: Increase number of requests to 8

Increase number of USB requests from 2 to 8 so as to improve
sound quality.

Change-Id: I0b92c50a4dd62563b2fd31f00d67196edc4e0fba
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

Merge "ARM: dts: msm: add device tree overlay for 8996"

usb: misc: diag_ipc_bridge: Move dev cleanup to delete function

Currently the driver does the diag_briddge_dev's members' cleanup
in disconnect function. This can lead to race between read/write
and disconnect functions where the read/write mutex is being
destroyed when it is in locked state. Also, the read/write
function can be called after disconnect leading to mutex_lock
warning on a destroyed mutex. Finally, since the close function
can be called after disconnect, it can lead to null pointer
dereference from dev->ifc since it is being assigned null in
disconnect. Also, there can be a use-after-free if the interface
structure is used after disconnect function has been called and
core has freed the intf.
Fix this by moving the dev member cleanup from disconnect to the
delete function. This will ensure that mutex and dev->ifc exists
when the diag core can still queue read/write and call close.
Also do a get and put of interface from probe and delete
respectively to prevent the use-after-free issue.

Change-Id: I1a1fa4440560b0c0b77880fb3f5a37c3c24c7e67
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

usb: misc: diag_ipc_bridge: Patch debug statements

Remove pr_fmt declaration and add function name and new line
functionality to the debug prints instead. Add more debug logs
where necessary.

Change-Id: Iedf27473174eeae1c8032c133250a190978d38e5
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

Merge "mmc: host: sdhci-msm: Temperature controlled clock scaling"

Merge "mmc: core: Initialize temperature controlled clock scaling"

Merge "msm-camera: add cx-ipeak support for vfe"

ARM: dts: msm: add device tree overlay for 8996

Add device tree overlay support for 8996.

Change-Id: Ibdeab45acad17d3e487ba1108cd0cc3cff7fb377
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>

Merge "i2c: add virtual i2c driver"

msm-camera: add cx-ipeak support for vfe

Add support in vfe driver to vote for cx_ipeak when moving
to turbo clock and unvote when moving out of turbo.

Change-Id: I6b95594adbf05c0797c2748981a6b06f042adc20
Signed-off-by: Srikanth Uyyala <suyyala@codeaurora.org>

Merge "usb: pd: Don't reject sink request based on max current"

ARM: dts: msm8996: add the ext node and clock entries for hdmi

Add HDMI extension node and clock entries to device tree
for msm8996 device.

Change-Id: I0e4ac2ec66c2be691cbb26dead1fa8093324669c
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>

Merge "cnss2: Return 0 from susped/resume for driver_ops null"

Merge "msm: adsprpc: Fix memory out of bounds error"

ARM: dts: msm: DRM: Change eDRM display pipe

Change eDRM to use VIG display pipe. This allows early application
to display YUV frames.

Change-Id: I16050c3d0d22a84c394a2f13d87e6df77e7c995f
Signed-off-by: Camus Wong <camusw@codeaurora.org>

msm: ekms: Support more Color Format in eDRM

Add more color format into eDRM plane. Add YUV420, NV12, YUYV,
RGB565, RGB888 color to eDRM.

Change-Id: I73aa22e811ca061ea1a59194e4f76ae9fff47f46
Signed-off-by: Camus Wong <camusw@codeaurora.org>

ARM: dts: msm: DRM: Device tree for early DRM

Add device tree setting to enable early DRM probe. Add reserved
pipe into main DRM. Also add assigned display and pipe into
early DRM.

Change-Id: I3163aa808313b10cd2fb3dee156a746ef650bc68
Signed-off-by: Camus Wong <camusw@codeaurora.org>

drm/msm: Early DRM Driver

Add new DRM node to handle early display service. The early DRM
driver is to workaround Andriod display framework long boot time
problem and DRM single master limitation.  The early DRM node provides
display function for early application that is outside Android
framework.  The early application can use early DRM to draw early
UI and bootloader review camera menu function. Android framework will
not use early DRM node.  It will continue to use the main DRM node.

Early DRM is another KMS driver that designed for bootup application.
Early DRM is not based on SDE framework and it will not initialize
display hardware.  Early DRM rely on bootloader to initialize display
hardware and interfaces.  For power and SMMU, early DRM relies on main
DRM to initialize them.  Early DRM only provide limited display
functionality such as RGB buffer display.  Early DRM only expected to
run during bootup time to work with bootloader/early RVC.  When Android
UI is ready, early DRM will handoff all display resource to main DRM.
After that, no application can open early DRM node.

Early DRM is enabled in device tree.  User must specify which display
to enable early DRM and which display pipes are assigned to eDRM.

Change-Id: Ic9f68726677c5db26507caec79c7da1e6d745f44
Signed-off-by: Camus Wong <camusw@codeaurora.org>

Merge "iommu/iommu-debug: fix buffer overflows in debugfs read functions"

cnss2: Return 0 from susped/resume for driver_ops null

During usb suspend/resume call from USB SS, if driver
ops is not present cnss should return success. presently
it is returning -EINVAL if driver_ops is NULL.

Change-Id: I43a268489107bdad1945b4a842bb9ab3abe1b4ea
Signed-off-by: Rajasekaran Kalidoss <rkalidos@codeaurora.org>

Merge "msm: wlan: Update ETSI1 and ETSI13 countries"

usb: pd: Don't reject sink request based on max current

A fixed sink PDO request includes both operating current and
max current. Although the max current requested may be greater
than the available source advertisement, as per spec only the
operating current request needs to be considered. The sink will
likely have also set the Capability Mismatch bit as well. Hence,
don't reject the request otherwise the sink will keep
re-requesting and never enter a contract.

Change-Id: Ia15e2e17abe43f2bcbc1fe7011b70ab0e0f5d9eb
Signed-off-by: Jack Pham <jackp@codeaurora.org>

Merge "msm: wlan: Update regulatory database"

i2c: add virtual i2c driver

add virtual i2c driver for virtualization platform.

Change-Id: I806e49fa99346bddfc66a7153a24cb679b88404a
Signed-off-by: xianzhu <xianzhu@codeaurora.org>

msm: wlan: Update ETSI1 and ETSI13 countries

In db.txt, update ETSI1 and ETSI13 countries with NO-OUTDOOR flag
for frequency ranges: (5170 - 5250) and (5250 - 5330).

CRs-Fixed: 2379868
Change-Id: I8a9ce955e82b14814ead5f0bf118608ea90cbc53
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>

Merge "msm-camera: add support for cx_ipeak"

Merge "soc: qcom: hab: adapt to the new get_user_pages()"

Merge "msm: camera: isp: Fix invalid type conversion"

Merge "defconfig: Enable and disable few configs for MSM8996"

Merge "ARM: dts: msm: msm8996-mtp bringup changes"

Merge "arm: dts: msm: add msm8996-auto.dtsi"

msm-camera: add support for cx_ipeak

camera drivers need to vote when moving to turbo clock
and unvote when moving out of turbo. cx_ipeak driver
then makes sure to limit the current drawn from cx
based on this vote. This dirver provides common utility
functions to track vote and unvote.

Change-Id: I34d860003518924ab3233d8de24ccdb11f513f7e
Signed-off-by: Srikanth Uyyala <suyyala@codeaurora.org>

msm: wlan: Update regulatory database

Update country ETSI13 related country's frequency range and tx
power.

Change-Id: Iae27b12df3b36621c395ef9e8a3b1b46461848b6
CRs-Fixed: 2246140
Signed-off-by: Gaole Zhang <gaolez@codeaurora.org>

ARM: dts: msm: msm8996-mtp bringup changes

Changes done to bringup msm8996 on 4.4 kernel.

Change-Id: Ie0629dddeed2ef861e3b15f47015a7a8fb482ba7
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>

defconfig: Enable and disable few configs for MSM8996

This change enables and disables below list of configs to
address the MSM8996-MTP bootup issue on 4.4 kernel.

Enable configs:
CONFIG_QUOTA
CONFIG_QUOTA_NETLINK_INTERFACE
CONFIG_QFMT_V2
Disable config
CONFIG_PRINT_QUOTA_WARNING

Change-Id: Iccd69be08842926e00c3d24321ec51683fabd406
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>

Merge "msm: drm: add hibernation support"

Merge "fbdev: msm: validate mdp clk rate and cwb for msm8996"

Merge "cnss2: USB:skip ce config for USB transport"

Merge 4.4.171 into android-4.4

Changes in 4.4.171
ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225
btrfs: cleanup, stop casting for extent_map->lookup everywhere
btrfs: Enhance chunk validation check
Btrfs: add validadtion checks for chunk loading
Btrfs: check inconsistence between chunk and block group
Btrfs: fix em leak in find_first_block_group
Btrfs: detect corruption when non-root leaf has zero item
Btrfs: check btree node's nritems
Btrfs: fix BUG_ON in btrfs_mark_buffer_dirty
Btrfs: memset to avoid stale content in btree node block
Btrfs: improve check_node to avoid reading corrupted nodes
Btrfs: kill BUG_ON in run_delayed_tree_ref
Btrfs: memset to avoid stale content in btree leaf
Btrfs: fix emptiness check for dirtied extent buffers at check_leaf()
btrfs: struct-funcs, constify readers
btrfs: Refactor check_leaf function for later expansion
btrfs: Check if item pointer overlaps with the item itself
btrfs: Add sanity check for EXTENT_DATA when reading out leaf
btrfs: Add checker for EXTENT_CSUM
btrfs: Move leaf and node validation checker to tree-checker.c
btrfs: tree-checker: Enhance btrfs_check_node output
btrfs: tree-checker: Fix false panic for sanity test
btrfs: tree-checker: Add checker for dir item
btrfs: tree-checker: use %zu format string for size_t
btrfs: tree-check: reduce stack consumption in check_dir_item
btrfs: tree-checker: Verify block_group_item
btrfs: tree-checker: Detect invalid and empty essential trees
btrfs: validate type when reading a chunk
btrfs: Check that each block group has corresponding chunk at mount time
btrfs: Verify that every chunk has corresponding block group at mount time
btrfs: tree-checker: Check level for leaves and nodes
btrfs: tree-checker: Fix misleading group system information
CIFS: Do not hide EINTR after sending network packets
cifs: Fix potential OOB access of lock element array
usb: cdc-acm: send ZLP for Telit 3G Intel based modems
USB: storage: don't insert sane sense for SPC3+ when bad sense specified
USB: storage: add quirk for SMI SM3350
USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB
slab: alien caches must not be initialized if the allocation of the alien cache failed
PCI: altera: Fix altera_pcie_link_is_up()
PCI: altera: Reorder read/write functions
PCI: altera: Check link status before retrain link
PCI: altera: Poll for link up status after retraining the link
PCI: altera: Poll for link training status after retraining the link
PCI: altera: Rework config accessors for use without a struct pci_bus
PCI: altera: Move retrain from fixup to altera_pcie_host_init()
ACPI: power: Skip duplicate power resource references in _PRx
i2c: dev: prevent adapter retries and timeout being set as minus value
crypto: cts - fix crash on short inputs
ext4: fix a potential fiemap/page fault deadlock w/ inline_data
sunrpc: use-after-free in svc_process_common()
Linux 4.4.171

Change-Id: If59c94897d4f135b24d45772a7db116503695ba7
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Linux 4.4.171

sunrpc: use-after-free in svc_process_common()

commit d4b09acf924b84bae77cad090a9d108e70b43643 upstream.

if node have NFSv41+ mounts inside several net namespaces
it can lead to use-after-free in svc_process_common()

svc_process_common()
        /* Setup reply header */
        rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); <<< HERE

svc_process_common() can use incorrect rqstp->rq_xprt,
its caller function bc_svc_process() takes it from serv->sv_bc_xprt.
The problem is that serv is global structure but sv_bc_xprt
is assigned per-netnamespace.

According to Trond, the whole "let's set up rqstp->rq_xprt
for the back channel" is nothing but a giant hack in order
to work around the fact that svc_process_common() uses it
to find the xpt_ops, and perform a couple of (meaningless
for the back channel) tests of xpt_flags.

All we really need in svc_process_common() is to be able to run
rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr()

Bruce J Fields points that this xpo_prep_reply_hdr() call
is an awfully roundabout way just to do "svc_putnl(resv, 0);"
in the tcp case.

This patch does not initialiuze rqstp->rq_xprt in bc_svc_process(),
now it calls svc_process_common() with rqstp->rq_xprt = NULL.

To adjust reply header svc_process_common() just check
rqstp->rq_prot and calls svc_tcp_prep_reply_hdr() for tcp case.

To handle rqstp->rq_xprt = NULL case in functions called from
svc_process_common() patch intruduces net namespace pointer
svc_rqst->rq_bc_net and adjust SVC_NET() definition.
Some other function was also adopted to properly handle described case.

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Cc: stable@vger.kernel.org
Fixes: 23c20ecd4475 ("NFS: callback up - users counting cleanup")
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
v2: - added lost extern svc_tcp_prep_reply_hdr()
    - dropped trace_svc_process() changes
    - context fixes in svc_process_common()
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: fix a potential fiemap/page fault deadlock w/ inline_data

commit 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 upstream.

The ext4_inline_data_fiemap() function calls fiemap_fill_next_extent()
while still holding the xattr semaphore.  This is not necessary and it
triggers a circular lockdep warning.  This is because
fiemap_fill_next_extent() could trigger a page fault when it writes
into page which triggers a page fault.  If that page is mmaped from
the inline file in question, this could very well result in a
deadlock.

This problem can be reproduced using generic/519 with a file system
configuration which has the inline_data feature enabled.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

crypto: cts - fix crash on short inputs

[It's a minimal fix for a bug that was fixed incidentally by a large
refactoring in v4.8.]

In the CTS template, when the input length is <= one block cipher block
(e.g. <= 16 bytes for AES) pass the correct length to the underlying CBC
transform rather than one block.  This matches the upstream behavior and
makes the encryption/decryption operation correctly return -EINVAL when
1 <= nbytes < bsize or succeed when nbytes == 0, rather than crashing.

This was fixed upstream incidentally by a large refactoring,
commit 0605c41cc53c ("crypto: cts - Convert to skcipher").  But
syzkaller easily trips over this when running on older kernels, as it's
easily reachable via AF_ALG.  Therefore, this patch makes the minimal
fix for older kernels.

Cc: linux-crypto@vger.kernel.org
Fixes: 76cb9521795a ("[CRYPTO] cts: Add CTS mode required for Kerberos AES support")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

i2c: dev: prevent adapter retries and timeout being set as minus value

commit 6ebec961d59bccf65d08b13fc1ad4e6272a89338 upstream.

If adapter->retries is set to a minus value from user space via ioctl,
it will make __i2c_transfer and __i2c_smbus_xfer skip the calling to
adapter->algo->master_xfer and adapter->algo->smbus_xfer that is
registered by the underlying bus drivers, and return value 0 to all the
callers. The bus driver will never be accessed anymore by all users,
besides, the users may still get successful return value without any
error or information log print out.

If adapter->timeout is set to minus value from user space via ioctl,
it will make the retrying loop in __i2c_transfer and __i2c_smbus_xfer
always break after the the first try, due to the time_after always
returns true.

Signed-off-by: Yi Zeng <yizeng@asrmicro.com>
[wsa: minor grammar updates to commit message]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ACPI: power: Skip duplicate power resource references in _PRx

commit 7d7b467cb95bf29597b417d4990160d4ea6d69b9 upstream.

Some ACPI tables contain duplicate power resource references like this:

        Name (_PR0, Package (0x04)  // _PR0: Power Resources for D0
        {
            P28P,
            P18P,
            P18P,
            CLK4
        })

This causes a WARN_ON in sysfs_add_link_to_group() because we end up
adding a link to the same acpi_device twice:

sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/808622C1:00/OVTI2680:00/power_resources_D0/LNXPOWER:0a'
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.12-301.fc29.x86_64 #1
Hardware name: Insyde CherryTrail/Type2 - Board Product Name, BIOS jumperx.T87.KFBNEEA02 04/13/2016
Call Trace:
dump_stack+0x5c/0x80
sysfs_warn_dup.cold.3+0x17/0x2a
sysfs_do_create_link_sd.isra.2+0xa9/0xb0
sysfs_add_link_to_group+0x30/0x50
acpi_power_expose_list+0x74/0xa0
acpi_power_add_remove_device+0x50/0xa0
acpi_add_single_object+0x26b/0x5f0
acpi_bus_check_add+0xc4/0x250
...

To address this issue, make acpi_extract_power_resources() check for
duplicates and simply skip them when found.

Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
[ rjw: Subject & changelog, comments ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PCI: altera: Move retrain from fixup to altera_pcie_host_init()

commit ce4f1c7ad490aa7129bde5632d6e53943f8a866c upstream.

Previously we used a PCI early fixup to initiate a link retrain on Altera
devices. But Altera PCIe IP can be configured as either a Root Port or an
Endpoint, and they might have same vendor ID, so the fixup would be run for
both.

We only want to initiate a link retrain for Altera Root Port devices, not
for Endpoints, so move the link retrain functionality from the fixup to
altera_pcie_host_init().

[bhelgaas: changelog]
Signed-off-by: Ley Foon Tan <lftan@altera.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Claudius Heine <claudius.heine.ext@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PCI: altera: Rework config accessors for use without a struct pci_bus

commit 31fc0ad47e2e0b8417616aa0f1ddcc67edf1e109 upstream.

Rework configs accessors so a future patch can use them in _probe() with
struct altera_pcie instead of struct pci_bus.

Signed-off-by: Ley Foon Tan <lftan@altera.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Claudius Heine <claudius.heine.ext@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PCI: altera: Poll for link training status after retraining the link

commit 411dc32d8810e0a204c799ce5c97cb56990de1cb upstream.

Poll for link training status is cleared before poll for link up status.
This can help to get the reliable link up status, especially when PCIe is
in Gen 3 speed.

Signed-off-by: Ley Foon Tan <lftan@altera.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Claudius Heine <claudius.heine.ext@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PCI: altera: Poll for link up status after retraining the link

commit 3a928e98a833e1a470a60d2fedf3c55502185fb7 upstream.

Some PCIe devices take a long time to reach link up state after retrain.
Poll for link up status after retraining the link. This is to make sure
the link is up before we access configuration space.

[bhelgaas: changelog]
Signed-off-by: Ley Foon Tan <lftan@altera.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Claudius Heine <claudius.heine.ext@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PCI: altera: Check link status before retrain link

commit c622032ebc538cb3869c312ae3ad235a99da84b6 upstream.

Check the link status before retraining. If the link is not up, don't
bother trying to retrain it.

[bhelgaas: split code move to separate patch, changelog]
Signed-off-by: Ley Foon Tan <lftan@altera.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Claudius Heine <claudius.heine.ext@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PCI: altera: Reorder read/write functions

commit f8be11ae3d2c9a1338da37ff91ff4c65922d21be upstream.

Move cra_writel(), cra_readl(), and altera_pcie_link_is_up() so a future
patch can use them in altera_pcie_retrain(). No functional change
intended.

Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Claudius Heine <claudius.heine.ext@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PCI: altera: Fix altera_pcie_link_is_up()

commit eff31f4002c4e25b9b8c39d0a3a551c6c64c77e8 upstream.

Originally altera_pcie_link_is_up() decided the link was up if any of the
low four bits of the LTSSM register were set. But the link is only up if
the LTSSM state is L0, so check for that exact value.

[bhelgaas: changelog]
Signed-off-by: Ley Foon Tan <lftan@altera.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Claudius Heine <claudius.heine.ext@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

slab: alien caches must not be initialized if the allocation of the alien cache failed

commit 09c2e76ed734a1d36470d257a778aaba28e86531 upstream.

Callers of __alloc_alien() check for NULL. We must do the same check in
__alloc_alien_cache to avoid NULL pointer dereferences on allocation
failures.

Link: http://lkml.kernel.org/r/010001680f42f192-82b4e12e-1565-4ee0-ae1f-1e98974906aa-000000@email.amazonses.com
Fixes: 49dfc304ba241 ("slab: use the lock on alien_cache, instead of the lock on array_cache")
Fixes: c8522a3a5832b ("Slab: introduce alloc_alien")
Signed-off-by: Christoph Lameter <cl@linux.com>
Reported-by: syzbot+d6ed4ec679652b4fd4e4@syzkaller.appspotmail.com
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB

commit 3483254b89438e60f719937376c5e0ce2bc46761 upstream.

To match the Corsair Strafe RGB, the Corsair K70 RGB also requires
USB_QUIRK_DELAY_CTRL_MSG to completely resolve boot connection issues
discussed here: https://github.com/ckb-next/ckb-next/issues/42.
Otherwise roughly 1 in 10 boots the keyboard will fail to be detected.

Patch that applied delay control quirk for Corsair Strafe RGB:
cb88a0588717 ("usb: quirks: add control message delay for 1b1c:1b20")

Previous K70 RGB patch to add delay-init quirk:
7a1646d92257 ("Add delay-init quirk for Corsair K70 RGB keyboards")

Signed-off-by: Jack Stocker <jackstocker.93@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: storage: add quirk for SMI SM3350

commit 0a99cc4b8ee83885ab9f097a3737d1ab28455ac0 upstream.

The SMI SM3350 USB-UFS bridge controller cannot handle long sense request
correctly and will make the chip refuse to do read/write when requested
long sense.

Add a bad sense quirk for it.

Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Cc: stable <stable@vger.kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: storage: don't insert sane sense for SPC3+ when bad sense specified

commit c5603d2fdb424849360fe7e3f8c1befc97571b8c upstream.

Currently the code will set US_FL_SANE_SENSE flag unconditionally if
device claims SPC3+, however we should allow US_FL_BAD_SENSE flag to
prevent this behavior, because SMI SM3350 UFS-USB bridge controller,
which claims SPC4, will show strange behavior with 96-byte sense
(put the chip into a wrong state that cannot read/write anything).

Check the presence of US_FL_BAD_SENSE when assuming US_FL_SANE_SENSE on
SPC4+ devices.

Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Cc: stable <stable@vger.kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: cdc-acm: send ZLP for Telit 3G Intel based modems

commit 34aabf918717dd14e05051896aaecd3b16b53d95 upstream.

Telit 3G Intel based modems require zero packet to be sent if
out data size is equal to the endpoint max packet size.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

cifs: Fix potential OOB access of lock element array

commit b9a74cde94957d82003fb9f7ab4777938ca851cd upstream.

If maxBuf is small but non-zero, it could result in a zero sized lock
element array which we would then try and access OOB.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

CIFS: Do not hide EINTR after sending network packets

commit ee13919c2e8d1f904e035ad4b4239029a8994131 upstream.

Currently we hide EINTR code returned from sock_sendmsg()
and return 0 instead. This makes a caller think that we
successfully completed the network operation which is not
true. Fix this by properly returning EINTR to callers.

Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: Fix misleading group system information

commit 761333f2f50ccc887aa9957ae829300262c0d15b upstream.

block_group_err shows the group system as a decimal value with a '0x'
prefix, which is somewhat misleading.

Fix it to print hexadecimal, as was intended.

Fixes: fce466eab7ac6 ("btrfs: tree-checker: Verify block_group_item")
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: Check level for leaves and nodes

commit f556faa46eb4e96d0d0772e74ecf66781e132f72 upstream.

Although we have tree level check at tree read runtime, it's completely
based on its parent level.
We still need to do accurate level check to avoid invalid tree blocks
sneak into kernel space.

The check itself is simple, for leaf its level should always be 0.
For nodes its level should be in range [1, BTRFS_MAX_LEVEL - 1].

Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4:
- Pass root instead of fs_info to generic_err()
- Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: Verify that every chunk has corresponding block group at mount time

commit 7ef49515fa6727cb4b6f2f5b0ffbc5fc20a9f8c6 upstream.

If a crafted image has missing block group items, it could cause
unexpected behavior and breaks the assumption of 1:1 chunk<->block group
mapping.

Although we have the block group -> chunk mapping check, we still need
chunk -> block group mapping check.

This patch will do extra check to ensure each chunk has its
corresponding block group.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847
Reported-by: Xu Wen <wen.xu@gatech.edu>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Gu Jinxiang <gujx@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: Check that each block group has corresponding chunk at mount time

commit 514c7dca85a0bf40be984dab0b477403a6db901f upstream.

A crafted btrfs image with incorrect chunk<->block group mapping will
trigger a lot of unexpected things as the mapping is essential.

Although the problem can be caught by block group item checker
added in "btrfs: tree-checker: Verify block_group_item", it's still not
sufficient. A sufficiently valid block group item can pass the check
added by the mentioned patch but could fail to match the existing chunk.

This patch will add extra block group -> chunk mapping check, to ensure
we have a completely matching (start, len, flags) chunk for each block
group at mount time.

Here we reuse the original helper find_first_block_group(), which is
already doing the basic bg -> chunk checks, adding further checks of the
start/len and type flags.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199837
Reported-by: Xu Wen <wen.xu@gatech.edu>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4: Use root->fs_info instead of fs_info]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: validate type when reading a chunk

commit 315409b0098fb2651d86553f0436b70502b29bb2 upstream.

Reported in https://bugzilla.kernel.org/show_bug.cgi?id=199839, with an
image that has an invalid chunk type but does not return an error.

Add chunk type check in btrfs_check_chunk_valid, to detect the wrong
type combinations.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199839
Reported-by: Xu Wen <wen.xu@gatech.edu>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Gu Jinxiang <gujx@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4: Use root->fs_info instead of fs_info]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: Detect invalid and empty essential trees

commit ba480dd4db9f1798541eb2d1c423fc95feee8d36 upstream.

A crafted image has empty root tree block, which will later cause NULL
pointer dereference.

The following trees should never be empty:
1) Tree root
   Must contain at least root items for extent tree, device tree and fs
   tree

2) Chunk tree
   Or we can't even bootstrap as it contains the mapping.

3) Fs tree
   At least inode item for top level inode (.).

4) Device tree
   Dev extents for chunks

5) Extent tree
   Must have corresponding extent for each chunk.

If any of them is empty, we are sure the fs is corrupted and no need to
mount it.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847
Reported-by: Xu Wen <wen.xu@gatech.edu>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4: Pass root instead of fs_info to generic_err()]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: Verify block_group_item

commit fce466eab7ac6baa9d2dcd88abcf945be3d4a089 upstream.

A crafted image with invalid block group items could make free space cache
code to cause panic.

We could detect such invalid block group item by checking:
1) Item size
   Known fixed value.
2) Block group size (key.offset)
   We have an upper limit on block group item (10G)
3) Chunk objectid
   Known fixed value.
4) Type
   Only 4 valid type values, DATA, METADATA, SYSTEM and DATA|METADATA.
   No more than 1 bit set for profile type.
5) Used space
   No more than the block group size.

This should allow btrfs to detect and refuse to mount the crafted image.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199849
Reported-by: Xu Wen <wen.xu@gatech.edu>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Gu Jinxiang <gujx@cn.fujitsu.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4:
- In check_leaf_item(), pass root->fs_info to check_block_group_item()
- Include <linux/sizes.h> (in ctree.h, to match upstream)
- Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-check: reduce stack consumption in check_dir_item

commit e2683fc9d219430f5b78889b50cde7f40efeba7b upstream.

I've noticed that the updated item checker stack consumption increased
dramatically in 542f5385e20cf97447 ("btrfs: tree-checker: Add checker
for dir item")

tree-checker.c:check_leaf +552 (176 -> 728)

The array is 255 bytes long, dynamic allocation would slow down the
sanity checks so it's more reasonable to keep it on-stack. Moving the
variable to the scope of use reduces the stack usage again

tree-checker.c:check_leaf -264 (728 -> 464)

Reviewed-by: Josef Bacik <jbacik@fb.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: use %zu format string for size_t

commit 7cfad65297bfe0aa2996cd72d21c898aa84436d9 upstream.

The return value of sizeof() is of type size_t, so we must print it
using the %z format modifier rather than %l to avoid this warning
on some architectures:

fs/btrfs/tree-checker.c: In function 'check_dir_item':
fs/btrfs/tree-checker.c:273:50: error: format '%lu' expects argument of type 'long unsigned int', but argument 5 has type 'u32' {aka 'unsigned int'} [-Werror=format=]

Fixes: 005887f2e3e0 ("btrfs: tree-checker: Add checker for dir item")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: Add checker for dir item

commit ad7b0368f33cffe67fecd302028915926e50ef7e upstream.

Add checker for dir item, for key types DIR_ITEM, DIR_INDEX and
XATTR_ITEM.

This checker does comprehensive checks for:

1) dir_item header and its data size
   Against item boundary and maximum name/xattr length.
   This part is mostly the same as old verify_dir_item().

2) dir_type
   Against maximum file types, and against key type.
   Since XATTR key should only have FT_XATTR dir item, and normal dir
   item type should not have XATTR key.

   The check between key->type and dir_type is newly introduced by this
   patch.

3) name hash
   For XATTR and DIR_ITEM key, key->offset is name hash (crc32c).
   Check the hash of the name against the key to ensure it's correct.

   The name hash check is only found in btrfs-progs before this patch.

Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4: BTRFS_MAX_XATTR_SIZE() takes a root instead of an
fs_info, and yields a value of type size_t instead of unsigned int]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: Fix false panic for sanity test

commit 69fc6cbbac542c349b3d350d10f6e394c253c81d upstream.

[BUG]
If we run btrfs with CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y, it will
instantly cause kernel panic like:

------
...
assertion failed: 0, file: fs/btrfs/disk-io.c, line: 3853
...
Call Trace:
btrfs_mark_buffer_dirty+0x187/0x1f0 [btrfs]
setup_items_for_insert+0x385/0x650 [btrfs]
__btrfs_drop_extents+0x129a/0x1870 [btrfs]
...
-----

[Cause]
Btrfs will call btrfs_check_leaf() in btrfs_mark_buffer_dirty() to check
if the leaf is valid with CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y.

However quite some btrfs_mark_buffer_dirty() callers(*) don't really
initialize its item data but only initialize its item pointers, leaving
item data uninitialized.

This makes tree-checker catch uninitialized data as error, causing
such panic.

*: These callers include but not limited to
setup_items_for_insert()
btrfs_split_item()
btrfs_expand_item()

[Fix]
Add a new parameter @check_item_data to btrfs_check_leaf().
With @check_item_data set to false, item data check will be skipped and
fallback to old btrfs_check_leaf() behavior.

So we can still get early warning if we screw up item pointers, and
avoid false panic.

Cc: Filipe Manana <fdmanana@gmail.com>
Reported-by: Lakshmipathi.G <lakshmipathi.g@gmail.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: Enhance btrfs_check_node output

commit bba4f29896c986c4cec17bc0f19f2ce644fceae1 upstream.

Use inline function to replace macro since we don't need
stringification.
(Macro still exists until all callers get updated)

And add more info about the error, and replace EIO with EUCLEAN.

For nr_items error, report if it's too large or too small, and output
the valid value range.

For node block pointer, added a new alignment checker.

For key order, also output the next key to make the problem more
obvious.

Signed-off-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
[ wording adjustments, unindented long strings ]
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4:
- Use root->sectorsize instead of root->fs_info->sectorsize
- BTRFS_NODEPTRS_PER_BLOCK() takes a root instead of an fs_info, and yields
a value of type size_t instead of unsigned int]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: Move leaf and node validation checker to tree-checker.c

commit 557ea5dd003d371536f6b4e8f7c8209a2b6fd4e3 upstream.

It's no doubt the comprehensive tree block checker will become larger,
so moving them into their own files is quite reasonable.

Signed-off-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
[ wording adjustments ]
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4:
- The moved code is slightly different
- Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: Add checker for EXTENT_CSUM

commit 4b865cab96fe2a30ed512cf667b354bd291b3b0a upstream.

EXTENT_CSUM checker is a relatively easy one, only needs to check:

1) Objectid
   Fixed to BTRFS_EXTENT_CSUM_OBJECTID

2) Key offset alignment
   Must be aligned to sectorsize

3) Item size alignedment
   Must be aligned to csum size

Signed-off-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4: Use root->sectorsize instead of
root->fs_info->sectorsize]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: Add sanity check for EXTENT_DATA when reading out leaf

commit 40c3c40947324d9f40bf47830c92c59a9bbadf4a upstream.

Add extra checks for item with EXTENT_DATA type.  This checks the
following thing:

0) Key offset
   All key offsets must be aligned to sectorsize.
   Inline extent must have 0 for key offset.

1) Item size
   Uncompressed inline file extent size must match item size.
   (Compressed inline file extent has no information about its on-disk size.)
   Regular/preallocated file extent size must be a fixed value.

2) Every member of regular file extent item
   Including alignment for bytenr and offset, possible value for
   compression/encryption/type.

3) Type/compression/encode must be one of the valid values.

This should be the most comprehensive and strict check in the context
of btrfs_item for EXTENT_DATA.

Signed-off-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ switch to BTRFS_FILE_EXTENT_TYPES, similar to what
  BTRFS_COMPRESS_TYPES does ]
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4:
- Use root->sectorsize instead of root->fs_info->sectorsize
- Adjust filename]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: Check if item pointer overlaps with the item itself

commit 7f43d4affb2a254d421ab20b0cf65ac2569909fb upstream.

Function check_leaf() checks if any item pointer points outside of the
leaf, but it doesn't check if the pointer overlaps with the item itself.

Normally only the last item may be the victim, but adding such check is
never a bad idea anyway.

Signed-off-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: Refactor check_leaf function for later expansion

commit c3267bbaa9cae09b62960eafe33ad19196803285 upstream.

Current check_leaf() function does a good job checking key order and
item offset/size.

However it only checks from slot 0 to the last but one slot, this is
good but makes later expansion hard.

So this refactoring iterates from slot 0 to the last slot.
For key comparison, it uses a key with all 0 as initial key, so all
valid keys should be larger than that.

And for item size/offset checks, it compares current item end with
previous item offset.
For slot 0, use leaf end as a special case.

This makes later item/key offset checks and item size checks easier to
be implemented.

Also, makes check_leaf() to return -EUCLEAN other than -EIO to indicate
error.

Signed-off-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 4.4:
- BTRFS_LEAF_DATA_SIZE() takes a root rather than an fs_info
- Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: struct-funcs, constify readers

commit 1cbb1f454e5321e47fc1e6b233066c7ccc979d15 upstream.

We have reader helpers for most of the on-disk structures that use
an extent_buffer and pointer as offset into the buffer that are
read-only. We should mark them as const and, in turn, allow consumers
of these interfaces to mark the buffers const as well.

No impact on code, but serves as documentation that a buffer is intended
not to be modified.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Btrfs: fix emptiness check for dirtied extent buffers at check_leaf()

commit f177d73949bf758542ca15a1c1945bd2e802cc65 upstream.

We can not simply use the owner field from an extent buffer's header to
get the id of the respective tree when the extent buffer is from a
relocation tree. When we create the root for a relocation tree we leave
(on purpose) the owner field with the same value as the subvolume's tree
root (we do this at ctree.c:btrfs_copy_root()). So we must ignore extent
buffers from relocation trees, which have the BTRFS_HEADER_FLAG_RELOC
flag set, because otherwise we will always consider the extent buffer
as not being the root of the tree (the root of original subvolume tree
is always different from the root of the respective relocation tree).

This lead to assertion failures when running with the integrity checker
enabled (CONFIG_BTRFS_FS_CHECK_INTEGRITY=y) such as the following:

[  643.393409] BTRFS critical (device sdg): corrupt leaf, non-root leaf's nritems is 0: block=38506496, root=260, slot=0
[  643.397609] BTRFS info (device sdg): leaf 38506496 total ptrs 0 free space 3995
[  643.407075] assertion failed: 0, file: fs/btrfs/disk-io.c, line: 4078
[  643.408425] ------------[ cut here ]------------
[  643.409112] kernel BUG at fs/btrfs/ctree.h:3419!
[  643.409773] invalid opcode: 0000 [#1] PREEMPT SMP
[  643.410447] Modules linked in: dm_flakey dm_mod crc32c_generic btrfs xor raid6_pq ppdev psmouse acpi_cpufreq parport_pc evdev parport tpm_tis tpm_tis_core pcspkr serio_raw i2c_piix4 sg tpm i2c_core button processor loop autofs4 ext4 crc16 jbd2 mbcache sr_mod cdrom sd_mod ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring scsi_mod virtio e1000 floppy
[  643.414356] CPU: 11 PID: 32726 Comm: btrfs Not tainted 4.8.0-rc8-btrfs-next-35+ #1
[  643.414356] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
[  643.414356] task: ffff880145e95b00 task.stack: ffff88014826c000
[  643.414356] RIP: 0010:[<ffffffffa0352759>]  [<ffffffffa0352759>] assfail.constprop.41+0x1c/0x1e [btrfs]
[  643.414356] RSP: 0018:ffff88014826fa28  EFLAGS: 00010292
[  643.414356] RAX: 0000000000000039 RBX: ffff88014e2d7c38 RCX: 0000000000000001
[  643.414356] RDX: ffff88023f4d2f58 RSI: ffffffff81806c63 RDI: 00000000ffffffff
[  643.414356] RBP: ffff88014826fa28 R08: 0000000000000001 R09: 0000000000000000
[  643.414356] R10: ffff88014826f918 R11: ffffffff82f3c5ed R12: ffff880172910000
[  643.414356] R13: ffff880233992230 R14: ffff8801a68a3310 R15: fffffffffffffff8
[  643.414356] FS:  00007f9ca305e8c0(0000) GS:ffff88023f4c0000(0000) knlGS:0000000000000000
[  643.414356] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  643.414356] CR2: 00007f9ca3071000 CR3: 000000015d01b000 CR4: 00000000000006e0
[  643.414356] Stack:
[  643.414356]  ffff88014826fa50 ffffffffa02d655a 000000000000000a ffff88014e2d7c38
[  643.414356]  0000000000000000 ffff88014826faa8 ffffffffa02b72f3 ffff88014826fab8
[  643.414356]  00ffffffa03228e4 0000000000000000 0000000000000000 ffff8801bbd4e000
[  643.414356] Call Trace:
[  643.414356]  [<ffffffffa02d655a>] btrfs_mark_buffer_dirty+0xdf/0xe5 [btrfs]
[  643.414356]  [<ffffffffa02b72f3>] btrfs_copy_root+0x18a/0x1d1 [btrfs]
[  643.414356]  [<ffffffffa0322921>] create_reloc_root+0x72/0x1ba [btrfs]
[  643.414356]  [<ffffffffa03267c2>] btrfs_init_reloc_root+0x7b/0xa7 [btrfs]
[  643.414356]  [<ffffffffa02d9e44>] record_root_in_trans+0xdf/0xed [btrfs]
[  643.414356]  [<ffffffffa02db04e>] btrfs_record_root_in_trans+0x50/0x6a [btrfs]
[  643.414356]  [<ffffffffa030ad2b>] create_subvol+0x472/0x773 [btrfs]
[  643.414356]  [<ffffffffa030b406>] btrfs_mksubvol+0x3da/0x463 [btrfs]
[  643.414356]  [<ffffffffa030b406>] ? btrfs_mksubvol+0x3da/0x463 [btrfs]
[  643.414356]  [<ffffffff810781ac>] ? preempt_count_add+0x65/0x68
[  643.414356]  [<ffffffff811a6e97>] ? __mnt_want_write+0x62/0x77
[  643.414356]  [<ffffffffa030b55d>] btrfs_ioctl_snap_create_transid+0xce/0x187 [btrfs]
[  643.414356]  [<ffffffffa030b67d>] btrfs_ioctl_snap_create+0x67/0x81 [btrfs]
[  643.414356]  [<ffffffffa030ecfd>] btrfs_ioctl+0x508/0x20dd [btrfs]
[  643.414356]  [<ffffffff81293e39>] ? __this_cpu_preempt_check+0x13/0x15
[  643.414356]  [<ffffffff81155eca>] ? handle_mm_fault+0x976/0x9ab
[  643.414356]  [<ffffffff81091300>] ? arch_local_irq_save+0x9/0xc
[  643.414356]  [<ffffffff8119a2b0>] vfs_ioctl+0x18/0x34
[  643.414356]  [<ffffffff8119a8e8>] do_vfs_ioctl+0x581/0x600
[  643.414356]  [<ffffffff814b9552>] ? entry_SYSCALL_64_fastpath+0x5/0xa8
[  643.414356]  [<ffffffff81093fe9>] ? trace_hardirqs_on_caller+0x17b/0x197
[  643.414356]  [<ffffffff8119a9be>] SyS_ioctl+0x57/0x79
[  643.414356]  [<ffffffff814b9565>] entry_SYSCALL_64_fastpath+0x18/0xa8
[  643.414356]  [<ffffffff81091b08>] ? trace_hardirqs_off_caller+0x3f/0xaa
[  643.414356] Code: 89 83 88 00 00 00 31 c0 5b 41 5c 41 5d 5d c3 55 89 f1 48 c7 c2 98 bc 35 a0 48 89 fe 48 c7 c7 05 be 35 a0 48 89 e5 e8 13 46 dd e0 <0f> 0b 55 89 f1 48 c7 c2 9f d3 35 a0 48 89 fe 48 c7 c7 7a d5 35
[  643.414356] RIP  [<ffffffffa0352759>] assfail.constprop.41+0x1c/0x1e [btrfs]
[  643.414356]  RSP <ffff88014826fa28>
[  643.468267] ---[ end trace 6a1b3fb1a9d7d6e3 ]---

This can be easily reproduced by running xfstests with the integrity
checker enabled.

Fixes: 1ba98d086fe3 (Btrfs: detect corruption when non-root leaf has zero item)
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Btrfs: memset to avoid stale content in btree leaf

commit 851cd173f06045816528176001cf82948282029c upstream.

This is an additional patch to
"Btrfs: memset to avoid stale content in btree node block".

This uses memset to initialize the unused space in a leaf to avoid
potential stale content, which may be incurred by pushing items
between sibling leaves.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Btrfs: kill BUG_ON in run_delayed_tree_ref

commit 02794222c4132ac003e7281fb71f4ec1645ffc87 upstream.

In a corrupted btrfs image, we can come across this BUG_ON and
get an unreponsive system, but if we return errors instead,
its caller can handle everything gracefully by aborting the current
transaction.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Btrfs: improve check_node to avoid reading corrupted nodes

commit 6b722c1747d533ac6d4df110dc8233db46918b65 upstream.

We need to check items in a node to make sure that we're reading
a valid one, otherwise we could get various crashes while processing
delayed_refs.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Btrfs: memset to avoid stale content in btree node block

commit 3eb548ee3a8042d95ad81be254e67a5222c24e03 upstream.

During updating btree, we could push items between sibling
nodes/leaves, for leaves data sections starts reversely from
the end of the block while for nodes we only have key pairs
which are stored one by one from the start of the block.

So we could do try to push key pairs from one node to the next
node right in the tree, and after that, we update the node's
nritems to reflect the correct end while leaving the stale
content in the node. One may intentionally corrupt the fs
image and access the stale content by bumping the nritems and
causes various crashes.

This takes the in-memory @nritems as the correct one and
gets to memset the unused part of a btree node.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Btrfs: fix BUG_ON in btrfs_mark_buffer_dirty

commit ef85b25e982b5bba1530b936e283ef129f02ab9d upstream.

This can only happen with CONFIG_BTRFS_FS_CHECK_INTEGRITY=y.

Commit 1ba98d0 ("Btrfs: detect corruption when non-root leaf has zero item")
assumes that a leaf is its root when leaf->bytenr == btrfs_root_bytenr(root),
however, we should not use btrfs_root_bytenr(root) since it's mainly got
updated during committing transaction. So the check can fail when doing
COW on this leaf while it is a root.

This changes to use "if (leaf == btrfs_root_node(root))" instead, just like
how we check whether leaf is a root in __btrfs_cow_block().

Fixes: 1ba98d086fe3 (Btrfs: detect corruption when non-root leaf has zero item)
Reported-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>