--- /dev/null
+From c4a32b266da7bb702e60381ca0c35eaddbc89a6c Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Mon, 7 Jan 2019 15:51:15 -0700
+Subject: drm/amdgpu: validate user GEM object size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit c4a32b266da7bb702e60381ca0c35eaddbc89a6c upstream.
+
+When creating frame buffer, userspace may request to attach to a
+previously allocated GEM object that is smaller than what GPU
+requires. Validation must be done to prevent out-of-bound DMA,
+otherwise it could be exploited to reveal sensitive data.
+
+This fix is not done in a common code path because individual
+driver might have different requirement.
+
+Cc: stable@vger.kernel.org # v4.2+
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -526,6 +526,7 @@ amdgpu_user_framebuffer_create(struct dr
+ struct drm_gem_object *obj;
+ struct amdgpu_framebuffer *amdgpu_fb;
+ int ret;
++ int height;
+ struct amdgpu_device *adev = dev->dev_private;
+ int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
+ int pitch = mode_cmd->pitches[0] / cpp;
+@@ -550,6 +551,13 @@ amdgpu_user_framebuffer_create(struct dr
+ return ERR_PTR(-EINVAL);
+ }
+
++ height = ALIGN(mode_cmd->height, 8);
++ if (obj->size < pitch * height) {
++ DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n",
++ pitch * height, obj->size);
++ return ERR_PTR(-EINVAL);
++ }
++
+ amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL);
+ if (amdgpu_fb == NULL) {
+ drm_gem_object_put_unlocked(obj);
--- /dev/null
+From 89f23b6efef554766177bf51aa754bce14c3e7da Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Mon, 7 Jan 2019 15:51:14 -0700
+Subject: drm/amdgpu: validate user pitch alignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit 89f23b6efef554766177bf51aa754bce14c3e7da upstream.
+
+Userspace may request pitch alignment that is not supported by GPU.
+Some requests 32, but GPU ignores it and uses default 64 when cpp is
+4. If GEM object is allocated based on the smaller alignment, GPU
+DMA will go out of bound.
+
+Cc: stable@vger.kernel.org # v4.2+
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -526,6 +526,16 @@ amdgpu_user_framebuffer_create(struct dr
+ struct drm_gem_object *obj;
+ struct amdgpu_framebuffer *amdgpu_fb;
+ int ret;
++ struct amdgpu_device *adev = dev->dev_private;
++ int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
++ int pitch = mode_cmd->pitches[0] / cpp;
++
++ pitch = amdgpu_align_pitch(adev, pitch, cpp, false);
++ if (mode_cmd->pitches[0] != pitch) {
++ DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n",
++ pitch, mode_cmd->pitches[0]);
++ return ERR_PTR(-EINVAL);
++ }
+
+ obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]);
+ if (obj == NULL) {
--- /dev/null
+From 62d85b3bf9d978ed4b6b2aeef5cf0ccf1423906e Mon Sep 17 00:00:00 2001
+From: Ivan Mironov <mironov.ivan@gmail.com>
+Date: Tue, 8 Jan 2019 12:23:52 +0500
+Subject: drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2
+
+From: Ivan Mironov <mironov.ivan@gmail.com>
+
+commit 62d85b3bf9d978ed4b6b2aeef5cf0ccf1423906e upstream.
+
+SDL 1.2 sets all fields related to the pixel format to zero in some
+cases[1]. Prior to commit db05c48197759 ("drm: fb-helper: Reject all
+pixel format changing requests"), there was an unintentional workaround
+for this that existed for more than a decade. First in device-specific DRM
+drivers, then here in drm_fb_helper.c.
+
+Previous code containing this workaround just ignores pixel format fields
+from userspace code. Not a good thing either, as this way, driver may
+silently use pixel format different from what client actually requested,
+and this in turn will lead to displaying garbage on the screen. I think
+that returning EINVAL to userspace in this particular case is the right
+option, so I decided to left code from problematic commit untouched
+instead of just reverting it entirely.
+
+Here is the steps required to reproduce this problem exactly:
+ 1) Compile fceux[2] with SDL 1.2.15 and without GTK or OpenGL
+ support. SDL should be compiled with fbdev support (which is
+ on by default).
+ 2) Create /etc/fb.modes with following contents (values seems
+ not used, and just required to trigger problematic code in
+ SDL):
+
+ mode "test"
+ geometry 1 1 1 1 1
+ timings 1 1 1 1 1 1 1
+ endmode
+
+ 3) Create ~/.fceux/fceux.cfg with following contents:
+
+ SDL.Hotkeys.Quit = 27
+ SDL.DoubleBuffering = 1
+
+ 4) Ensure that screen resolution is at least 1280x960 (e.g.
+ append "video=Virtual-1:1280x960-32" to the kernel cmdline
+ for qemu/QXL).
+
+ 5) Try to run fceux on VT with some ROM file[3]:
+
+ # ./fceux color_test.nes
+
+[1] SDL 1.2.15 source code, src/video/fbcon/SDL_fbvideo.c,
+ FB_SetVideoMode()
+[2] http://www.fceux.com
+[3] Example ROM: https://github.com/bokuweb/rustynes/blob/master/roms/color_test.nes
+
+Reported-by: saahriktu <mail@saahriktu.org>
+Suggested-by: saahriktu <mail@saahriktu.org>
+Cc: stable@vger.kernel.org
+Fixes: db05c48197759 ("drm: fb-helper: Reject all pixel format changing requests")
+Signed-off-by: Ivan Mironov <mironov.ivan@gmail.com>
+[danvet: Delete misleading comment.]
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190108072353.28078-2-mironov.ivan@gmail.com
+Link: https://patchwork.freedesktop.org/patch/msgid/20190108072353.28078-2-mironov.ivan@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_fb_helper.c | 126 +++++++++++++++++++++++-----------------
+ 1 file changed, 73 insertions(+), 53 deletions(-)
+
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -1509,6 +1509,64 @@ static bool drm_fb_pixel_format_equal(co
+ var_1->transp.msb_right == var_2->transp.msb_right;
+ }
+
++static void drm_fb_helper_fill_pixel_fmt(struct fb_var_screeninfo *var,
++ u8 depth)
++{
++ switch (depth) {
++ case 8:
++ var->red.offset = 0;
++ var->green.offset = 0;
++ var->blue.offset = 0;
++ var->red.length = 8; /* 8bit DAC */
++ var->green.length = 8;
++ var->blue.length = 8;
++ var->transp.offset = 0;
++ var->transp.length = 0;
++ break;
++ case 15:
++ var->red.offset = 10;
++ var->green.offset = 5;
++ var->blue.offset = 0;
++ var->red.length = 5;
++ var->green.length = 5;
++ var->blue.length = 5;
++ var->transp.offset = 15;
++ var->transp.length = 1;
++ break;
++ case 16:
++ var->red.offset = 11;
++ var->green.offset = 5;
++ var->blue.offset = 0;
++ var->red.length = 5;
++ var->green.length = 6;
++ var->blue.length = 5;
++ var->transp.offset = 0;
++ break;
++ case 24:
++ var->red.offset = 16;
++ var->green.offset = 8;
++ var->blue.offset = 0;
++ var->red.length = 8;
++ var->green.length = 8;
++ var->blue.length = 8;
++ var->transp.offset = 0;
++ var->transp.length = 0;
++ break;
++ case 32:
++ var->red.offset = 16;
++ var->green.offset = 8;
++ var->blue.offset = 0;
++ var->red.length = 8;
++ var->green.length = 8;
++ var->blue.length = 8;
++ var->transp.offset = 24;
++ var->transp.length = 8;
++ break;
++ default:
++ break;
++ }
++}
++
+ /**
+ * drm_fb_helper_check_var - implementation for &fb_ops.fb_check_var
+ * @var: screeninfo to check
+@@ -1539,6 +1597,20 @@ int drm_fb_helper_check_var(struct fb_va
+ }
+
+ /*
++ * Workaround for SDL 1.2, which is known to be setting all pixel format
++ * fields values to zero in some cases. We treat this situation as a
++ * kind of "use some reasonable autodetected values".
++ */
++ if (!var->red.offset && !var->green.offset &&
++ !var->blue.offset && !var->transp.offset &&
++ !var->red.length && !var->green.length &&
++ !var->blue.length && !var->transp.length &&
++ !var->red.msb_right && !var->green.msb_right &&
++ !var->blue.msb_right && !var->transp.msb_right) {
++ drm_fb_helper_fill_pixel_fmt(var, fb->format->depth);
++ }
++
++ /*
+ * drm fbdev emulation doesn't support changing the pixel format at all,
+ * so reject all pixel format changing requests.
+ */
+@@ -1848,59 +1920,7 @@ void drm_fb_helper_fill_var(struct fb_in
+ info->var.yoffset = 0;
+ info->var.activate = FB_ACTIVATE_NOW;
+
+- switch (fb->format->depth) {
+- case 8:
+- info->var.red.offset = 0;
+- info->var.green.offset = 0;
+- info->var.blue.offset = 0;
+- info->var.red.length = 8; /* 8bit DAC */
+- info->var.green.length = 8;
+- info->var.blue.length = 8;
+- info->var.transp.offset = 0;
+- info->var.transp.length = 0;
+- break;
+- case 15:
+- info->var.red.offset = 10;
+- info->var.green.offset = 5;
+- info->var.blue.offset = 0;
+- info->var.red.length = 5;
+- info->var.green.length = 5;
+- info->var.blue.length = 5;
+- info->var.transp.offset = 15;
+- info->var.transp.length = 1;
+- break;
+- case 16:
+- info->var.red.offset = 11;
+- info->var.green.offset = 5;
+- info->var.blue.offset = 0;
+- info->var.red.length = 5;
+- info->var.green.length = 6;
+- info->var.blue.length = 5;
+- info->var.transp.offset = 0;
+- break;
+- case 24:
+- info->var.red.offset = 16;
+- info->var.green.offset = 8;
+- info->var.blue.offset = 0;
+- info->var.red.length = 8;
+- info->var.green.length = 8;
+- info->var.blue.length = 8;
+- info->var.transp.offset = 0;
+- info->var.transp.length = 0;
+- break;
+- case 32:
+- info->var.red.offset = 16;
+- info->var.green.offset = 8;
+- info->var.blue.offset = 0;
+- info->var.red.length = 8;
+- info->var.green.length = 8;
+- info->var.blue.length = 8;
+- info->var.transp.offset = 24;
+- info->var.transp.length = 8;
+- break;
+- default:
+- break;
+- }
++ drm_fb_helper_fill_pixel_fmt(&info->var, fb->format->depth);
+
+ info->var.xres = fb_width;
+ info->var.yres = fb_height;
--- /dev/null
+From e86807862e6880809f191c4cea7f88a489f0ed34 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 30 Dec 2018 23:20:39 -0500
+Subject: ext4: avoid kernel warning when writing the superblock to a dead device
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit e86807862e6880809f191c4cea7f88a489f0ed34 upstream.
+
+The xfstests generic/475 test switches the underlying device with
+dm-error while running a stress test. This results in a large number
+of file system errors, and since we can't lock the buffer head when
+marking the superblock dirty in the ext4_grp_locked_error() case, it's
+possible the superblock to be !buffer_uptodate() without
+buffer_write_io_error() being true.
+
+We need to set buffer_uptodate() before we call mark_buffer_dirty() or
+this will trigger a WARN_ON. It's safe to do this since the
+superblock must have been properly read into memory or the mount would
+have been successful. So if buffer_uptodate() is not set, we can
+safely assume that this happened due to a failed attempt to write the
+superblock.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4844,7 +4844,7 @@ static int ext4_commit_super(struct supe
+ ext4_superblock_csum_set(sb);
+ if (sync)
+ lock_buffer(sbh);
+- if (buffer_write_io_error(sbh)) {
++ if (buffer_write_io_error(sbh) || !buffer_uptodate(sbh)) {
+ /*
+ * Oh, dear. A previous attempt to write the
+ * superblock failed. This could happen because the
--- /dev/null
+From 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 25 Dec 2018 00:56:33 -0500
+Subject: ext4: fix a potential fiemap/page fault deadlock w/ inline_data
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 upstream.
+
+The ext4_inline_data_fiemap() function calls fiemap_fill_next_extent()
+while still holding the xattr semaphore. This is not necessary and it
+triggers a circular lockdep warning. This is because
+fiemap_fill_next_extent() could trigger a page fault when it writes
+into page which triggers a page fault. If that page is mmaped from
+the inline file in question, this could very well result in a
+deadlock.
+
+This problem can be reproduced using generic/519 with a file system
+configuration which has the inline_data feature enabled.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1864,12 +1864,12 @@ int ext4_inline_data_fiemap(struct inode
+ physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data;
+ physical += offsetof(struct ext4_inode, i_block);
+
+- if (physical)
+- error = fiemap_fill_next_extent(fieinfo, start, physical,
+- inline_len, flags);
+ brelse(iloc.bh);
+ out:
+ up_read(&EXT4_I(inode)->xattr_sem);
++ if (physical)
++ error = fiemap_fill_next_extent(fieinfo, start, physical,
++ inline_len, flags);
+ return (error < 0 ? error : 0);
+ }
+
--- /dev/null
+From 812c0cab2c0dfad977605dbadf9148490ca5d93f Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 24 Dec 2018 20:27:08 -0500
+Subject: ext4: make sure enough credits are reserved for dioread_nolock writes
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 812c0cab2c0dfad977605dbadf9148490ca5d93f upstream.
+
+There are enough credits reserved for most dioread_nolock writes;
+however, if the extent tree is sufficiently deep, and/or quota is
+enabled, the code was not allowing for all eventualities when
+reserving journal credits for the unwritten extent conversion.
+
+This problem can be seen using xfstests ext4/034:
+
+ WARNING: CPU: 1 PID: 257 at fs/ext4/ext4_jbd2.c:271 __ext4_handle_dirty_metadata+0x10c/0x180
+ Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
+ RIP: 0010:__ext4_handle_dirty_metadata+0x10c/0x180
+ ...
+ EXT4-fs: ext4_free_blocks:4938: aborting transaction: error 28 in __ext4_handle_dirty_metadata
+ EXT4: jbd2_journal_dirty_metadata failed: handle type 11 started at line 4921, credits 4/0, errcode -28
+ EXT4-fs error (device dm-1) in ext4_free_blocks:4950: error 28
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2776,7 +2776,8 @@ static int ext4_writepages(struct addres
+ * We may need to convert up to one extent per block in
+ * the page and we may dirty the inode.
+ */
+- rsv_blocks = 1 + (PAGE_SIZE >> inode->i_blkbits);
++ rsv_blocks = 1 + ext4_chunk_trans_blocks(inode,
++ PAGE_SIZE >> inode->i_blkbits);
+ }
+
+ /*
--- /dev/null
+From 95cb67138746451cc84cf8e516e14989746e93b0 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 31 Dec 2018 00:11:07 -0500
+Subject: ext4: track writeback errors using the generic tracking infrastructure
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 95cb67138746451cc84cf8e516e14989746e93b0 upstream.
+
+We already using mapping_set_error() in fs/ext4/page_io.c, so all we
+need to do is to use file_check_and_advance_wb_err() when handling
+fsync() requests in ext4_sync_file().
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/fsync.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/fsync.c
++++ b/fs/ext4/fsync.c
+@@ -164,6 +164,9 @@ int ext4_sync_file(struct file *file, lo
+ ret = err;
+ }
+ out:
++ err = file_check_and_advance_wb_err(file);
++ if (ret == 0)
++ ret = err;
+ trace_ext4_sync_file_exit(inode, ret);
+ return ret;
+ }
--- /dev/null
+From ad211f3e94b314a910d4af03178a0b52a7d1ee0a Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 31 Dec 2018 00:10:48 -0500
+Subject: ext4: use ext4_write_inode() when fsyncing w/o a journal
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit ad211f3e94b314a910d4af03178a0b52a7d1ee0a upstream.
+
+In no-journal mode, we previously used __generic_file_fsync() in
+no-journal mode. This triggers a lockdep warning, and in addition,
+it's not safe to depend on the inode writeback mechanism in the case
+ext4. We can solve both problems by calling ext4_write_inode()
+directly.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/fsync.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/fsync.c
++++ b/fs/ext4/fsync.c
+@@ -116,8 +116,16 @@ int ext4_sync_file(struct file *file, lo
+ goto out;
+ }
+
++ ret = file_write_and_wait_range(file, start, end);
++ if (ret)
++ return ret;
++
+ if (!journal) {
+- ret = __generic_file_fsync(file, start, end, datasync);
++ struct writeback_control wbc = {
++ .sync_mode = WB_SYNC_ALL
++ };
++
++ ret = ext4_write_inode(inode, &wbc);
+ if (!ret)
+ ret = ext4_sync_parent(inode);
+ if (test_opt(inode->i_sb, BARRIER))
+@@ -125,9 +133,6 @@ int ext4_sync_file(struct file *file, lo
+ goto out;
+ }
+
+- ret = file_write_and_wait_range(file, start, end);
+- if (ret)
+- return ret;
+ /*
+ * data=writeback,ordered:
+ * The caller's filemap_fdatawrite()/wait will sync the data.
--- /dev/null
+From 85f5a4d666fd9be73856ed16bb36c5af5b406b29 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 8 Jan 2019 19:47:38 +0100
+Subject: rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 85f5a4d666fd9be73856ed16bb36c5af5b406b29 upstream.
+
+There is a window between when RBD_DEV_FLAG_REMOVING is set and when
+the device is removed from rbd_dev_list. During this window, we set
+"already" and return 0.
+
+Returning 0 from write(2) can confuse userspace tools because
+0 indicates that nothing was written. In particular, "rbd unmap"
+will retry the write multiple times a second:
+
+ 10:28:05.463299 write(4, "0", 1) = 0
+ 10:28:05.463509 write(4, "0", 1) = 0
+ 10:28:05.463720 write(4, "0", 1) = 0
+ 10:28:05.463942 write(4, "0", 1) = 0
+ 10:28:05.464155 write(4, "0", 1) = 0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Tested-by: Dongsheng Yang <dongsheng.yang@easystack.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/rbd.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -6308,7 +6308,6 @@ static ssize_t do_rbd_remove(struct bus_
+ struct list_head *tmp;
+ int dev_id;
+ char opt_buf[6];
+- bool already = false;
+ bool force = false;
+ int ret;
+
+@@ -6341,13 +6340,13 @@ static ssize_t do_rbd_remove(struct bus_
+ spin_lock_irq(&rbd_dev->lock);
+ if (rbd_dev->open_count && !force)
+ ret = -EBUSY;
+- else
+- already = test_and_set_bit(RBD_DEV_FLAG_REMOVING,
+- &rbd_dev->flags);
++ else if (test_and_set_bit(RBD_DEV_FLAG_REMOVING,
++ &rbd_dev->flags))
++ ret = -EINPROGRESS;
+ spin_unlock_irq(&rbd_dev->lock);
+ }
+ spin_unlock(&rbd_dev_list_lock);
+- if (ret < 0 || already)
++ if (ret)
+ return ret;
+
+ if (force) {
acpi-power-skip-duplicate-power-resource-references-in-_prx.patch
acpi-pmic-xpower-fix-ts-pin-current-source-handling.patch
i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch
+drm-fb-helper-partially-bring-back-workaround-for-bugs-of-sdl-1.2.patch
+drm-amdgpu-validate-user-pitch-alignment.patch
+drm-amdgpu-validate-user-gem-object-size.patch
+rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch
+ext4-make-sure-enough-credits-are-reserved-for-dioread_nolock-writes.patch
+ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch
+ext4-avoid-kernel-warning-when-writing-the-superblock-to-a-dead-device.patch
+ext4-use-ext4_write_inode-when-fsyncing-w-o-a-journal.patch
+ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
