--- /dev/null
+From c4a32b266da7bb702e60381ca0c35eaddbc89a6c Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Mon, 7 Jan 2019 15:51:15 -0700
+Subject: drm/amdgpu: validate user GEM object size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit c4a32b266da7bb702e60381ca0c35eaddbc89a6c upstream.
+
+When creating frame buffer, userspace may request to attach to a
+previously allocated GEM object that is smaller than what GPU
+requires. Validation must be done to prevent out-of-bound DMA,
+otherwise it could be exploited to reveal sensitive data.
+
+This fix is not done in a common code path because individual
+driver might have different requirement.
+
+Cc: stable@vger.kernel.org # v4.2+
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -525,6 +525,7 @@ amdgpu_user_framebuffer_create(struct dr
+ struct drm_gem_object *obj;
+ struct amdgpu_framebuffer *amdgpu_fb;
+ int ret;
++ int height;
+ struct amdgpu_device *adev = dev->dev_private;
+ int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
+ int pitch = mode_cmd->pitches[0] / cpp;
+@@ -549,6 +550,13 @@ amdgpu_user_framebuffer_create(struct dr
+ return ERR_PTR(-EINVAL);
+ }
+
++ height = ALIGN(mode_cmd->height, 8);
++ if (obj->size < pitch * height) {
++ DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n",
++ pitch * height, obj->size);
++ return ERR_PTR(-EINVAL);
++ }
++
+ amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL);
+ if (amdgpu_fb == NULL) {
+ drm_gem_object_unreference_unlocked(obj);
--- /dev/null
+From 89f23b6efef554766177bf51aa754bce14c3e7da Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Mon, 7 Jan 2019 15:51:14 -0700
+Subject: drm/amdgpu: validate user pitch alignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit 89f23b6efef554766177bf51aa754bce14c3e7da upstream.
+
+Userspace may request pitch alignment that is not supported by GPU.
+Some requests 32, but GPU ignores it and uses default 64 when cpp is
+4. If GEM object is allocated based on the smaller alignment, GPU
+DMA will go out of bound.
+
+Cc: stable@vger.kernel.org # v4.2+
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -525,6 +525,16 @@ amdgpu_user_framebuffer_create(struct dr
+ struct drm_gem_object *obj;
+ struct amdgpu_framebuffer *amdgpu_fb;
+ int ret;
++ struct amdgpu_device *adev = dev->dev_private;
++ int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
++ int pitch = mode_cmd->pitches[0] / cpp;
++
++ pitch = amdgpu_align_pitch(adev, pitch, cpp, false);
++ if (mode_cmd->pitches[0] != pitch) {
++ DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n",
++ pitch, mode_cmd->pitches[0]);
++ return ERR_PTR(-EINVAL);
++ }
+
+ obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]);
+ if (obj == NULL) {
--- /dev/null
+From e86807862e6880809f191c4cea7f88a489f0ed34 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 30 Dec 2018 23:20:39 -0500
+Subject: ext4: avoid kernel warning when writing the superblock to a dead device
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit e86807862e6880809f191c4cea7f88a489f0ed34 upstream.
+
+The xfstests generic/475 test switches the underlying device with
+dm-error while running a stress test. This results in a large number
+of file system errors, and since we can't lock the buffer head when
+marking the superblock dirty in the ext4_grp_locked_error() case, it's
+possible the superblock to be !buffer_uptodate() without
+buffer_write_io_error() being true.
+
+We need to set buffer_uptodate() before we call mark_buffer_dirty() or
+this will trigger a WARN_ON. It's safe to do this since the
+superblock must have been properly read into memory or the mount would
+have been successful. So if buffer_uptodate() is not set, we can
+safely assume that this happened due to a failed attempt to write the
+superblock.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4679,7 +4679,7 @@ static int ext4_commit_super(struct supe
+ ext4_superblock_csum_set(sb);
+ if (sync)
+ lock_buffer(sbh);
+- if (buffer_write_io_error(sbh)) {
++ if (buffer_write_io_error(sbh) || !buffer_uptodate(sbh)) {
+ /*
+ * Oh, dear. A previous attempt to write the
+ * superblock failed. This could happen because the
--- /dev/null
+From 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 25 Dec 2018 00:56:33 -0500
+Subject: ext4: fix a potential fiemap/page fault deadlock w/ inline_data
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 upstream.
+
+The ext4_inline_data_fiemap() function calls fiemap_fill_next_extent()
+while still holding the xattr semaphore. This is not necessary and it
+triggers a circular lockdep warning. This is because
+fiemap_fill_next_extent() could trigger a page fault when it writes
+into page which triggers a page fault. If that page is mmaped from
+the inline file in question, this could very well result in a
+deadlock.
+
+This problem can be reproduced using generic/519 with a file system
+configuration which has the inline_data feature enabled.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1859,12 +1859,12 @@ int ext4_inline_data_fiemap(struct inode
+ physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data;
+ physical += offsetof(struct ext4_inode, i_block);
+
+- if (physical)
+- error = fiemap_fill_next_extent(fieinfo, start, physical,
+- inline_len, flags);
+ brelse(iloc.bh);
+ out:
+ up_read(&EXT4_I(inode)->xattr_sem);
++ if (physical)
++ error = fiemap_fill_next_extent(fieinfo, start, physical,
++ inline_len, flags);
+ return (error < 0 ? error : 0);
+ }
+
--- /dev/null
+From 812c0cab2c0dfad977605dbadf9148490ca5d93f Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 24 Dec 2018 20:27:08 -0500
+Subject: ext4: make sure enough credits are reserved for dioread_nolock writes
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 812c0cab2c0dfad977605dbadf9148490ca5d93f upstream.
+
+There are enough credits reserved for most dioread_nolock writes;
+however, if the extent tree is sufficiently deep, and/or quota is
+enabled, the code was not allowing for all eventualities when
+reserving journal credits for the unwritten extent conversion.
+
+This problem can be seen using xfstests ext4/034:
+
+ WARNING: CPU: 1 PID: 257 at fs/ext4/ext4_jbd2.c:271 __ext4_handle_dirty_metadata+0x10c/0x180
+ Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
+ RIP: 0010:__ext4_handle_dirty_metadata+0x10c/0x180
+ ...
+ EXT4-fs: ext4_free_blocks:4938: aborting transaction: error 28 in __ext4_handle_dirty_metadata
+ EXT4: jbd2_journal_dirty_metadata failed: handle type 11 started at line 4921, credits 4/0, errcode -28
+ EXT4-fs error (device dm-1) in ext4_free_blocks:4950: error 28
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2698,7 +2698,8 @@ static int ext4_writepages(struct addres
+ * We may need to convert up to one extent per block in
+ * the page and we may dirty the inode.
+ */
+- rsv_blocks = 1 + (PAGE_SIZE >> inode->i_blkbits);
++ rsv_blocks = 1 + ext4_chunk_trans_blocks(inode,
++ PAGE_SIZE >> inode->i_blkbits);
+ }
+
+ /*
--- /dev/null
+From 95cb67138746451cc84cf8e516e14989746e93b0 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 31 Dec 2018 00:11:07 -0500
+Subject: ext4: track writeback errors using the generic tracking infrastructure
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 95cb67138746451cc84cf8e516e14989746e93b0 upstream.
+
+We already using mapping_set_error() in fs/ext4/page_io.c, so all we
+need to do is to use file_check_and_advance_wb_err() when handling
+fsync() requests in ext4_sync_file().
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/fsync.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/fsync.c
++++ b/fs/ext4/fsync.c
+@@ -155,6 +155,9 @@ int ext4_sync_file(struct file *file, lo
+ ret = err;
+ }
+ out:
++ err = file_check_and_advance_wb_err(file);
++ if (ret == 0)
++ ret = err;
+ trace_ext4_sync_file_exit(inode, ret);
+ return ret;
+ }
--- /dev/null
+From 85f5a4d666fd9be73856ed16bb36c5af5b406b29 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 8 Jan 2019 19:47:38 +0100
+Subject: rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 85f5a4d666fd9be73856ed16bb36c5af5b406b29 upstream.
+
+There is a window between when RBD_DEV_FLAG_REMOVING is set and when
+the device is removed from rbd_dev_list. During this window, we set
+"already" and return 0.
+
+Returning 0 from write(2) can confuse userspace tools because
+0 indicates that nothing was written. In particular, "rbd unmap"
+will retry the write multiple times a second:
+
+ 10:28:05.463299 write(4, "0", 1) = 0
+ 10:28:05.463509 write(4, "0", 1) = 0
+ 10:28:05.463720 write(4, "0", 1) = 0
+ 10:28:05.463942 write(4, "0", 1) = 0
+ 10:28:05.464155 write(4, "0", 1) = 0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Tested-by: Dongsheng Yang <dongsheng.yang@easystack.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/rbd.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -6346,7 +6346,6 @@ static ssize_t do_rbd_remove(struct bus_
+ struct list_head *tmp;
+ int dev_id;
+ char opt_buf[6];
+- bool already = false;
+ bool force = false;
+ int ret;
+
+@@ -6379,13 +6378,13 @@ static ssize_t do_rbd_remove(struct bus_
+ spin_lock_irq(&rbd_dev->lock);
+ if (rbd_dev->open_count && !force)
+ ret = -EBUSY;
+- else
+- already = test_and_set_bit(RBD_DEV_FLAG_REMOVING,
+- &rbd_dev->flags);
++ else if (test_and_set_bit(RBD_DEV_FLAG_REMOVING,
++ &rbd_dev->flags))
++ ret = -EINPROGRESS;
+ spin_unlock_irq(&rbd_dev->lock);
+ }
+ spin_unlock(&rbd_dev_list_lock);
+- if (ret < 0 || already)
++ if (ret)
+ return ret;
+
+ if (force) {
mm-page_mapped-don-t-assume-compound-page-is-huge-or-thp.patch
acpi-power-skip-duplicate-power-resource-references-in-_prx.patch
i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch
+drm-amdgpu-validate-user-pitch-alignment.patch
+drm-amdgpu-validate-user-gem-object-size.patch
+rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch
+ext4-make-sure-enough-credits-are-reserved-for-dioread_nolock-writes.patch
+ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch
+ext4-avoid-kernel-warning-when-writing-the-superblock-to-a-dead-device.patch
+ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
