5.4-stable patches

added patches:
	btrfs-free-btrfs_path-before-copying-fspath-to-userspace.patch
	btrfs-free-btrfs_path-before-copying-root-refs-to-userspace.patch
	btrfs-free-btrfs_path-before-copying-subvol-info-to-userspace.patch
	btrfs-sysfs-normalize-the-error-handling-branch-in-btrfs_init_sysfs.patch
	drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch
	drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch

diff --git a/queue-5.4/btrfs-free-btrfs_path-before-copying-fspath-to-userspace.patch b/queue-5.4/btrfs-free-btrfs_path-before-copying-fspath-to-userspace.patch
new file mode 100644 (file)
index 0000000..1137aaa
--- /dev/null
+++ b/queue-5.4/btrfs-free-btrfs_path-before-copying-fspath-to-userspace.patch
@@ -0,0 +1,35 @@
+From 8cf96b409d9b3946ece58ced13f92d0f775b0442 Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Thu, 10 Nov 2022 11:36:29 +0530
+Subject: btrfs: free btrfs_path before copying fspath to userspace
+
+From: Anand Jain <anand.jain@oracle.com>
+
+commit 8cf96b409d9b3946ece58ced13f92d0f775b0442 upstream.
+
+btrfs_ioctl_ino_to_path() frees the search path after the userspace copy
+from the temp buffer @ipath->fspath. Which potentially can lead to a lock
+splat warning.
+
+Fix this by freeing the path before we copy it to userspace.
+
+CC: stable@vger.kernel.org # 4.19+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4516,6 +4516,8 @@ static long btrfs_ioctl_ino_to_path(stru
+               ipath->fspath->val[i] = rel_ptr;
+       }
+ 
++      btrfs_free_path(path);
++      path = NULL;
+       ret = copy_to_user((void __user *)(unsigned long)ipa->fspath,
+                          ipath->fspath, size);
+       if (ret) {

diff --git a/queue-5.4/btrfs-free-btrfs_path-before-copying-root-refs-to-userspace.patch b/queue-5.4/btrfs-free-btrfs_path-before-copying-root-refs-to-userspace.patch
new file mode 100644 (file)
index 0000000..25829ed
--- /dev/null
+++ b/queue-5.4/btrfs-free-btrfs_path-before-copying-root-refs-to-userspace.patch
@@ -0,0 +1,210 @@
+From b740d806166979488e798e41743aaec051f2443f Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 7 Nov 2022 11:44:51 -0500
+Subject: btrfs: free btrfs_path before copying root refs to userspace
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit b740d806166979488e798e41743aaec051f2443f upstream.
+
+Syzbot reported the following lockdep splat
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0 Not tainted
+------------------------------------------------------
+syz-executor307/3029 is trying to acquire lock:
+ffff0000c02525d8 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0x54/0xb4 mm/memory.c:5576
+
+but task is already holding lock:
+ffff0000c958a608 (btrfs-root-00){++++}-{3:3}, at: __btrfs_tree_read_lock fs/btrfs/locking.c:134 [inline]
+ffff0000c958a608 (btrfs-root-00){++++}-{3:3}, at: btrfs_tree_read_lock fs/btrfs/locking.c:140 [inline]
+ffff0000c958a608 (btrfs-root-00){++++}-{3:3}, at: btrfs_read_lock_root_node+0x13c/0x1c0 fs/btrfs/locking.c:279
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #3 (btrfs-root-00){++++}-{3:3}:
+       down_read_nested+0x64/0x84 kernel/locking/rwsem.c:1624
+       __btrfs_tree_read_lock fs/btrfs/locking.c:134 [inline]
+       btrfs_tree_read_lock fs/btrfs/locking.c:140 [inline]
+       btrfs_read_lock_root_node+0x13c/0x1c0 fs/btrfs/locking.c:279
+       btrfs_search_slot_get_root+0x74/0x338 fs/btrfs/ctree.c:1637
+       btrfs_search_slot+0x1b0/0xfd8 fs/btrfs/ctree.c:1944
+       btrfs_update_root+0x6c/0x5a0 fs/btrfs/root-tree.c:132
+       commit_fs_roots+0x1f0/0x33c fs/btrfs/transaction.c:1459
+       btrfs_commit_transaction+0x89c/0x12d8 fs/btrfs/transaction.c:2343
+       flush_space+0x66c/0x738 fs/btrfs/space-info.c:786
+       btrfs_async_reclaim_metadata_space+0x43c/0x4e0 fs/btrfs/space-info.c:1059
+       process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
+       worker_thread+0x340/0x610 kernel/workqueue.c:2436
+       kthread+0x12c/0x158 kernel/kthread.c:376
+       ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
+
+-> #2 (&fs_info->reloc_mutex){+.+.}-{3:3}:
+       __mutex_lock_common+0xd4/0xca8 kernel/locking/mutex.c:603
+       __mutex_lock kernel/locking/mutex.c:747 [inline]
+       mutex_lock_nested+0x38/0x44 kernel/locking/mutex.c:799
+       btrfs_record_root_in_trans fs/btrfs/transaction.c:516 [inline]
+       start_transaction+0x248/0x944 fs/btrfs/transaction.c:752
+       btrfs_start_transaction+0x34/0x44 fs/btrfs/transaction.c:781
+       btrfs_create_common+0xf0/0x1b4 fs/btrfs/inode.c:6651
+       btrfs_create+0x8c/0xb0 fs/btrfs/inode.c:6697
+       lookup_open fs/namei.c:3413 [inline]
+       open_last_lookups fs/namei.c:3481 [inline]
+       path_openat+0x804/0x11c4 fs/namei.c:3688
+       do_filp_open+0xdc/0x1b8 fs/namei.c:3718
+       do_sys_openat2+0xb8/0x22c fs/open.c:1313
+       do_sys_open fs/open.c:1329 [inline]
+       __do_sys_openat fs/open.c:1345 [inline]
+       __se_sys_openat fs/open.c:1340 [inline]
+       __arm64_sys_openat+0xb0/0xe0 fs/open.c:1340
+       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
+       invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
+       el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
+       do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
+       el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
+       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
+       el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
+
+-> #1 (sb_internal#2){.+.+}-{0:0}:
+       percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
+       __sb_start_write include/linux/fs.h:1826 [inline]
+       sb_start_intwrite include/linux/fs.h:1948 [inline]
+       start_transaction+0x360/0x944 fs/btrfs/transaction.c:683
+       btrfs_join_transaction+0x30/0x40 fs/btrfs/transaction.c:795
+       btrfs_dirty_inode+0x50/0x140 fs/btrfs/inode.c:6103
+       btrfs_update_time+0x1c0/0x1e8 fs/btrfs/inode.c:6145
+       inode_update_time fs/inode.c:1872 [inline]
+       touch_atime+0x1f0/0x4a8 fs/inode.c:1945
+       file_accessed include/linux/fs.h:2516 [inline]
+       btrfs_file_mmap+0x50/0x88 fs/btrfs/file.c:2407
+       call_mmap include/linux/fs.h:2192 [inline]
+       mmap_region+0x7fc/0xc14 mm/mmap.c:1752
+       do_mmap+0x644/0x97c mm/mmap.c:1540
+       vm_mmap_pgoff+0xe8/0x1d0 mm/util.c:552
+       ksys_mmap_pgoff+0x1cc/0x278 mm/mmap.c:1586
+       __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
+       __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
+       __arm64_sys_mmap+0x58/0x6c arch/arm64/kernel/sys.c:21
+       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
+       invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
+       el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
+       do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
+       el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
+       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
+       el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
+
+-> #0 (&mm->mmap_lock){++++}-{3:3}:
+       check_prev_add kernel/locking/lockdep.c:3095 [inline]
+       check_prevs_add kernel/locking/lockdep.c:3214 [inline]
+       validate_chain kernel/locking/lockdep.c:3829 [inline]
+       __lock_acquire+0x1530/0x30a4 kernel/locking/lockdep.c:5053
+       lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5666
+       __might_fault+0x7c/0xb4 mm/memory.c:5577
+       _copy_to_user include/linux/uaccess.h:134 [inline]
+       copy_to_user include/linux/uaccess.h:160 [inline]
+       btrfs_ioctl_get_subvol_rootref+0x3a8/0x4bc fs/btrfs/ioctl.c:3203
+       btrfs_ioctl+0xa08/0xa64 fs/btrfs/ioctl.c:5556
+       vfs_ioctl fs/ioctl.c:51 [inline]
+       __do_sys_ioctl fs/ioctl.c:870 [inline]
+       __se_sys_ioctl fs/ioctl.c:856 [inline]
+       __arm64_sys_ioctl+0xd0/0x140 fs/ioctl.c:856
+       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
+       invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
+       el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
+       do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
+       el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
+       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
+       el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
+
+other info that might help us debug this:
+
+Chain exists of:
+  &mm->mmap_lock --> &fs_info->reloc_mutex --> btrfs-root-00
+
+ Possible unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(btrfs-root-00);
+                               lock(&fs_info->reloc_mutex);
+                               lock(btrfs-root-00);
+  lock(&mm->mmap_lock);
+
+ *** DEADLOCK ***
+
+1 lock held by syz-executor307/3029:
+ #0: ffff0000c958a608 (btrfs-root-00){++++}-{3:3}, at: __btrfs_tree_read_lock fs/btrfs/locking.c:134 [inline]
+ #0: ffff0000c958a608 (btrfs-root-00){++++}-{3:3}, at: btrfs_tree_read_lock fs/btrfs/locking.c:140 [inline]
+ #0: ffff0000c958a608 (btrfs-root-00){++++}-{3:3}, at: btrfs_read_lock_root_node+0x13c/0x1c0 fs/btrfs/locking.c:279
+
+stack backtrace:
+CPU: 0 PID: 3029 Comm: syz-executor307 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
+Call trace:
+ dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
+ show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
+ dump_stack+0x1c/0x58 lib/dump_stack.c:113
+ print_circular_bug+0x2c4/0x2c8 kernel/locking/lockdep.c:2053
+ check_noncircular+0x14c/0x154 kernel/locking/lockdep.c:2175
+ check_prev_add kernel/locking/lockdep.c:3095 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3214 [inline]
+ validate_chain kernel/locking/lockdep.c:3829 [inline]
+ __lock_acquire+0x1530/0x30a4 kernel/locking/lockdep.c:5053
+ lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5666
+ __might_fault+0x7c/0xb4 mm/memory.c:5577
+ _copy_to_user include/linux/uaccess.h:134 [inline]
+ copy_to_user include/linux/uaccess.h:160 [inline]
+ btrfs_ioctl_get_subvol_rootref+0x3a8/0x4bc fs/btrfs/ioctl.c:3203
+ btrfs_ioctl+0xa08/0xa64 fs/btrfs/ioctl.c:5556
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __arm64_sys_ioctl+0xd0/0x140 fs/ioctl.c:856
+ __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
+ el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
+ do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
+ el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
+ el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
+ el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
+
+We do generally the right thing here, copying the references into a
+temporary buffer, however we are still holding the path when we do
+copy_to_user from the temporary buffer.  Fix this by freeing the path
+before we copy to user space.
+
+Reported-by: syzbot+4ef9e52e464c6ff47d9d@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2914,6 +2914,8 @@ static int btrfs_ioctl_get_subvol_rootre
+       }
+ 
+ out:
++      btrfs_free_path(path);
++
+       if (!ret || ret == -EOVERFLOW) {
+               rootrefs->num_items = found;
+               /* update min_treeid for next search */
+@@ -2925,7 +2927,6 @@ out:
+       }
+ 
+       kfree(rootrefs);
+-      btrfs_free_path(path);
+ 
+       return ret;
+ }

diff --git a/queue-5.4/btrfs-free-btrfs_path-before-copying-subvol-info-to-userspace.patch b/queue-5.4/btrfs-free-btrfs_path-before-copying-subvol-info-to-userspace.patch
new file mode 100644 (file)
index 0000000..428ff31
--- /dev/null
+++ b/queue-5.4/btrfs-free-btrfs_path-before-copying-subvol-info-to-userspace.patch
@@ -0,0 +1,35 @@
+From 013c1c5585ebcfb19c88efe79063d0463b1b6159 Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Thu, 10 Nov 2022 11:36:31 +0530
+Subject: btrfs: free btrfs_path before copying subvol info to userspace
+
+From: Anand Jain <anand.jain@oracle.com>
+
+commit 013c1c5585ebcfb19c88efe79063d0463b1b6159 upstream.
+
+btrfs_ioctl_get_subvol_info() frees the search path after the userspace
+copy from the temp buffer @subvol_info. This can lead to a lock splat
+warning.
+
+Fix this by freeing the path before we copy it to userspace.
+
+CC: stable@vger.kernel.org # 4.19+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2824,6 +2824,8 @@ static int btrfs_ioctl_get_subvol_info(s
+               }
+       }
+ 
++      btrfs_free_path(path);
++      path = NULL;
+       if (copy_to_user(argp, subvol_info, sizeof(*subvol_info)))
+               ret = -EFAULT;
+ 

diff --git a/queue-5.4/btrfs-sysfs-normalize-the-error-handling-branch-in-btrfs_init_sysfs.patch b/queue-5.4/btrfs-sysfs-normalize-the-error-handling-branch-in-btrfs_init_sysfs.patch
new file mode 100644 (file)
index 0000000..61a3d97
--- /dev/null
+++ b/queue-5.4/btrfs-sysfs-normalize-the-error-handling-branch-in-btrfs_init_sysfs.patch
@@ -0,0 +1,39 @@
+From ffdbb44f2f23f963b8f5672e35c3a26088177a62 Mon Sep 17 00:00:00 2001
+From: Zhen Lei <thunder.leizhen@huawei.com>
+Date: Tue, 22 Nov 2022 19:50:02 +0800
+Subject: btrfs: sysfs: normalize the error handling branch in btrfs_init_sysfs()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+commit ffdbb44f2f23f963b8f5672e35c3a26088177a62 upstream.
+
+Although kset_unregister() can eventually remove all attribute files,
+explicitly rolling back with the matching function makes the code logic
+look clearer.
+
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/sysfs.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -1154,8 +1154,11 @@ int __init btrfs_init_sysfs(void)
+ 
+ #ifdef CONFIG_BTRFS_DEBUG
+       ret = sysfs_create_group(&btrfs_kset->kobj, &btrfs_debug_feature_attr_group);
+-      if (ret)
+-              goto out2;
++      if (ret) {
++              sysfs_unmerge_group(&btrfs_kset->kobj,
++                                  &btrfs_static_feature_attr_group);
++              goto out_remove_group;
++      }
+ #endif
+ 
+       return 0;

diff --git a/queue-5.4/drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch b/queue-5.4/drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch
new file mode 100644 (file)
index 0000000..75e8905
--- /dev/null
+++ b/queue-5.4/drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch
@@ -0,0 +1,43 @@
+From 44035ec2fde1114254ee465f9ba3bb246b0b6283 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Mon, 14 Nov 2022 17:20:45 -0500
+Subject: drm/amd/dc/dce120: Fix audio register mapping, stop triggering KASAN
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 44035ec2fde1114254ee465f9ba3bb246b0b6283 upstream.
+
+There's been a very long running bug that seems to have been neglected for
+a while, where amdgpu consistently triggers a KASAN error at start:
+
+  BUG: KASAN: global-out-of-bounds in read_indirect_azalia_reg+0x1d4/0x2a0 [amdgpu]
+  Read of size 4 at addr ffffffffc2274b28 by task modprobe/1889
+
+After digging through amd's rather creative method for accessing registers,
+I eventually discovered the problem likely has to do with the fact that on
+my dce120 GPU there are supposedly 7 sets of audio registers. But we only
+define a register mapping for 6 sets.
+
+So, fix this and fix the KASAN warning finally.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c
+@@ -340,7 +340,8 @@ static const struct dce_audio_registers
+       audio_regs(2),
+       audio_regs(3),
+       audio_regs(4),
+-      audio_regs(5)
++      audio_regs(5),
++      audio_regs(6),
+ };
+ 
+ #define DCE120_AUD_COMMON_MASK_SH_LIST(mask_sh)\

diff --git a/queue-5.4/drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch b/queue-5.4/drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch
new file mode 100644 (file)
index 0000000..09ecdc6
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch
@@ -0,0 +1,42 @@
+From b39df63b16b64a3af42695acb9bc567aad144776 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Wed, 9 Nov 2022 12:14:44 +0100
+Subject: drm/amdgpu: always register an MMU notifier for userptr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit b39df63b16b64a3af42695acb9bc567aad144776 upstream.
+
+Since switching to HMM we always need that because we no longer grab
+references to the pages.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+@@ -329,11 +329,9 @@ int amdgpu_gem_userptr_ioctl(struct drm_
+       if (r)
+               goto release_object;
+ 
+-      if (args->flags & AMDGPU_GEM_USERPTR_REGISTER) {
+-              r = amdgpu_mn_register(bo, args->addr);
+-              if (r)
+-                      goto release_object;
+-      }
++      r = amdgpu_mn_register(bo, args->addr);
++      if (r)
++              goto release_object;
+ 
+       if (args->flags & AMDGPU_GEM_USERPTR_VALIDATE) {
+               r = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages);

diff --git a/queue-5.4/series b/queue-5.4/series
index 7dc6b11a62e0e13940fa946236852919c85e6b89..e5add3c490085e33373fa37883ad99f1fc7167ff 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -78,3 +78,9 @@ binder-defer-copies-of-pre-patched-txn-data.patch
 binder-fix-pointer-cast-warning.patch
 binder-address-corner-cases-in-deferred-copy-and-fixup.patch
 binder-gracefully-handle-binder_type_fda-objects-with-num_fds-0.patch
+btrfs-free-btrfs_path-before-copying-root-refs-to-userspace.patch
+btrfs-free-btrfs_path-before-copying-fspath-to-userspace.patch
+btrfs-free-btrfs_path-before-copying-subvol-info-to-userspace.patch
+btrfs-sysfs-normalize-the-error-handling-branch-in-btrfs_init_sysfs.patch
+drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch
+drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch