From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 25 Nov 2019 17:49:40 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.204~92
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f111169d1f96ed6035341b47530391abe94aaf9;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	drm-amdgpu-disable-gfxoff-when-using-register-read-interface.patch
	mm-ksm.c-don-t-warn-if-page-is-still-mapped-in-remove_stable_node.patch
	revert-fs-ocfs2-fix-possible-null-pointer-dereferences-in-ocfs2_xa_prepare_entry.patch
---

diff --git a/queue-4.4/drm-amdgpu-disable-gfxoff-when-using-register-read-interface.patch b/queue-4.4/drm-amdgpu-disable-gfxoff-when-using-register-read-interface.patch
new file mode 100644
index 00000000000..1f4c7671ada
--- /dev/null
+++ b/queue-4.4/drm-amdgpu-disable-gfxoff-when-using-register-read-interface.patch
@@ -0,0 +1,46 @@
+From c57040d333c6729ce99c2cb95061045ff84c89ea Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 14 Nov 2019 11:39:05 -0500
+Subject: drm/amdgpu: disable gfxoff when using register read interface
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit c57040d333c6729ce99c2cb95061045ff84c89ea upstream.
+
+When gfxoff is enabled, accessing gfx registers via MMIO
+can lead to a hang.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205497
+Acked-by: Xiaojie Yuan <xiaojie.yuan@amd.com>
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -414,15 +414,19 @@ static int amdgpu_info_ioctl(struct drm_
+ 			return -ENOMEM;
+ 		alloc_size = info->read_mmr_reg.count * sizeof(*regs);
+ 
+-		for (i = 0; i < info->read_mmr_reg.count; i++)
++		amdgpu_gfx_off_ctrl(adev, false);
++		for (i = 0; i < info->read_mmr_reg.count; i++) {
+ 			if (amdgpu_asic_read_register(adev, se_num, sh_num,
+ 						      info->read_mmr_reg.dword_offset + i,
+ 						      &regs[i])) {
+ 				DRM_DEBUG_KMS("unallowed offset %#x\n",
+ 					      info->read_mmr_reg.dword_offset + i);
+ 				kfree(regs);
++				amdgpu_gfx_off_ctrl(adev, true);
+ 				return -EFAULT;
+ 			}
++		}
++		amdgpu_gfx_off_ctrl(adev, true);
+ 		n = copy_to_user(out, regs, min(size, alloc_size));
+ 		kfree(regs);
+ 		return n ? -EFAULT : 0;
diff --git a/queue-4.4/mm-ksm.c-don-t-warn-if-page-is-still-mapped-in-remove_stable_node.patch b/queue-4.4/mm-ksm.c-don-t-warn-if-page-is-still-mapped-in-remove_stable_node.patch
new file mode 100644
index 00000000000..94ae2eccd69
--- /dev/null
+++ b/queue-4.4/mm-ksm.c-don-t-warn-if-page-is-still-mapped-in-remove_stable_node.patch
@@ -0,0 +1,63 @@
+From 9a63236f1ad82d71a98aa80320b6cb618fb32f44 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Thu, 21 Nov 2019 17:54:01 -0800
+Subject: mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 9a63236f1ad82d71a98aa80320b6cb618fb32f44 upstream.
+
+It's possible to hit the WARN_ON_ONCE(page_mapped(page)) in
+remove_stable_node() when it races with __mmput() and squeezes in
+between ksm_exit() and exit_mmap().
+
+  WARNING: CPU: 0 PID: 3295 at mm/ksm.c:888 remove_stable_node+0x10c/0x150
+
+  Call Trace:
+   remove_all_stable_nodes+0x12b/0x330
+   run_store+0x4ef/0x7b0
+   kernfs_fop_write+0x200/0x420
+   vfs_write+0x154/0x450
+   ksys_write+0xf9/0x1d0
+   do_syscall_64+0x99/0x510
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Remove the warning as there is nothing scary going on.
+
+Link: http://lkml.kernel.org/r/20191119131850.5675-1-aryabinin@virtuozzo.com
+Fixes: cbf86cfe04a6 ("ksm: remove old stable nodes more thoroughly")
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/ksm.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -714,13 +714,13 @@ static int remove_stable_node(struct sta
+ 		return 0;
+ 	}
+ 
+-	if (WARN_ON_ONCE(page_mapped(page))) {
+-		/*
+-		 * This should not happen: but if it does, just refuse to let
+-		 * merge_across_nodes be switched - there is no need to panic.
+-		 */
+-		err = -EBUSY;
+-	} else {
++	/*
++	 * Page could be still mapped if this races with __mmput() running in
++	 * between ksm_exit() and exit_mmap(). Just refuse to let
++	 * merge_across_nodes/max_page_sharing be switched.
++	 */
++	err = -EBUSY;
++	if (!page_mapped(page)) {
+ 		/*
+ 		 * The stable node did not yet appear stale to get_ksm_page(),
+ 		 * since that allows for an unmapped ksm page to be recognized
diff --git a/queue-4.4/revert-fs-ocfs2-fix-possible-null-pointer-dereferences-in-ocfs2_xa_prepare_entry.patch b/queue-4.4/revert-fs-ocfs2-fix-possible-null-pointer-dereferences-in-ocfs2_xa_prepare_entry.patch
new file mode 100644
index 00000000000..a3db2a133d0
--- /dev/null
+++ b/queue-4.4/revert-fs-ocfs2-fix-possible-null-pointer-dereferences-in-ocfs2_xa_prepare_entry.patch
@@ -0,0 +1,111 @@
+From 94b07b6f9e2e996afff7395de6b35f34f4cb10bf Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Thu, 21 Nov 2019 17:53:52 -0800
+Subject: Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()"
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 94b07b6f9e2e996afff7395de6b35f34f4cb10bf upstream.
+
+This reverts commit 56e94ea132bb5c2c1d0b60a6aeb34dcb7d71a53d.
+
+Commit 56e94ea132bb ("fs: ocfs2: fix possible null-pointer dereferences
+in ocfs2_xa_prepare_entry()") introduces a regression that fail to
+create directory with mount option user_xattr and acl.  Actually the
+reported NULL pointer dereference case can be correctly handled by
+loc->xl_ops->xlo_add_entry(), so revert it.
+
+Link: http://lkml.kernel.org/r/1573624916-83825-1-git-send-email-joseph.qi@linux.alibaba.com
+Fixes: 56e94ea132bb ("fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()")
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: Thomas Voegtle <tv@lio96.de>
+Acked-by: Changwei Ge <gechangwei@live.cn>
+Cc: Jia-Ju Bai <baijiaju1990@gmail.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/xattr.c |   56 ++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 33 insertions(+), 23 deletions(-)
+
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -1475,6 +1475,18 @@ static int ocfs2_xa_check_space(struct o
+ 	return loc->xl_ops->xlo_check_space(loc, xi);
+ }
+ 
++static void ocfs2_xa_add_entry(struct ocfs2_xa_loc *loc, u32 name_hash)
++{
++	loc->xl_ops->xlo_add_entry(loc, name_hash);
++	loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash);
++	/*
++	 * We can't leave the new entry's xe_name_offset at zero or
++	 * add_namevalue() will go nuts.  We set it to the size of our
++	 * storage so that it can never be less than any other entry.
++	 */
++	loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size);
++}
++
+ static void ocfs2_xa_add_namevalue(struct ocfs2_xa_loc *loc,
+ 				   struct ocfs2_xattr_info *xi)
+ {
+@@ -2106,31 +2118,29 @@ static int ocfs2_xa_prepare_entry(struct
+ 	if (rc)
+ 		goto out;
+ 
+-	if (!loc->xl_entry) {
+-		rc = -EINVAL;
+-		goto out;
+-	}
+-
+-	if (ocfs2_xa_can_reuse_entry(loc, xi)) {
+-		orig_value_size = loc->xl_entry->xe_value_size;
+-		rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
+-		if (rc)
+-			goto out;
+-		goto alloc_value;
+-	}
++	if (loc->xl_entry) {
++		if (ocfs2_xa_can_reuse_entry(loc, xi)) {
++			orig_value_size = loc->xl_entry->xe_value_size;
++			rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
++			if (rc)
++				goto out;
++			goto alloc_value;
++		}
+ 
+-	if (!ocfs2_xattr_is_local(loc->xl_entry)) {
+-		orig_clusters = ocfs2_xa_value_clusters(loc);
+-		rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
+-		if (rc) {
+-			mlog_errno(rc);
+-			ocfs2_xa_cleanup_value_truncate(loc,
+-							"overwriting",
+-							orig_clusters);
+-			goto out;
++		if (!ocfs2_xattr_is_local(loc->xl_entry)) {
++			orig_clusters = ocfs2_xa_value_clusters(loc);
++			rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
++			if (rc) {
++				mlog_errno(rc);
++				ocfs2_xa_cleanup_value_truncate(loc,
++								"overwriting",
++								orig_clusters);
++				goto out;
++			}
+ 		}
+-	}
+-	ocfs2_xa_wipe_namevalue(loc);
++		ocfs2_xa_wipe_namevalue(loc);
++	} else
++		ocfs2_xa_add_entry(loc, name_hash);
+ 
+ 	/*
+ 	 * If we get here, we have a blank entry.  Fill it.  We grow our
diff --git a/queue-4.4/series b/queue-4.4/series
index b6f193908f1..82174bd3003 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -2,3 +2,6 @@ net-mlx4_en-fix-mlx4-ethtool-n-insertion.patch
 sfc-only-cancel-the-pps-workqueue-if-it-exists.patch
 net-sched-act_pedit-fix-warn-in-the-traffic-path.patch
 net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch
+revert-fs-ocfs2-fix-possible-null-pointer-dereferences-in-ocfs2_xa_prepare_entry.patch
+mm-ksm.c-don-t-warn-if-page-is-still-mapped-in-remove_stable_node.patch
+drm-amdgpu-disable-gfxoff-when-using-register-read-interface.patch