4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 15 Jan 2019 08:43:01 +0000 (09:43 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 15 Jan 2019 08:43:01 +0000 (09:43 +0100)
added patches:
drm-amdgpu-validate-user-gem-object-size.patch
drm-amdgpu-validate-user-pitch-alignment.patch
ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch
ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch

queue-4.4/drm-amdgpu-validate-user-gem-object-size.patch [new file with mode: 0644]
queue-4.4/drm-amdgpu-validate-user-pitch-alignment.patch [new file with mode: 0644]
queue-4.4/ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch [new file with mode: 0644]
queue-4.4/ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/drm-amdgpu-validate-user-gem-object-size.patch b/queue-4.4/drm-amdgpu-validate-user-gem-object-size.patch
new file mode 100644 (file)
index 0000000..17bd27c
--- /dev/null
@@ -0,0 +1,54 @@
+From c4a32b266da7bb702e60381ca0c35eaddbc89a6c Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Mon, 7 Jan 2019 15:51:15 -0700
+Subject: drm/amdgpu: validate user GEM object size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit c4a32b266da7bb702e60381ca0c35eaddbc89a6c upstream.
+
+When creating frame buffer, userspace may request to attach to a
+previously allocated GEM object that is smaller than what GPU
+requires. Validation must be done to prevent out-of-bound DMA,
+otherwise it could be exploited to reveal sensitive data.
+
+This fix is not done in a common code path because individual
+driver might have different requirement.
+
+Cc: stable@vger.kernel.org # v4.2+
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -552,6 +552,7 @@ amdgpu_user_framebuffer_create(struct dr
+       struct drm_gem_object *obj;
+       struct amdgpu_framebuffer *amdgpu_fb;
+       int ret;
++      int height;
+       struct amdgpu_device *adev = dev->dev_private;
+       int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
+       int pitch = mode_cmd->pitches[0] / cpp;
+@@ -576,6 +577,13 @@ amdgpu_user_framebuffer_create(struct dr
+               return ERR_PTR(-EINVAL);
+       }
++      height = ALIGN(mode_cmd->height, 8);
++      if (obj->size < pitch * height) {
++              DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n",
++                            pitch * height, obj->size);
++              return ERR_PTR(-EINVAL);
++      }
++
+       amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL);
+       if (amdgpu_fb == NULL) {
+               drm_gem_object_unreference_unlocked(obj);
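Review bot: The new size check returns `ERR_PTR(-EINVAL)` without releasing `obj`, while the `kzalloc` failure path directly below it calls `drm_gem_object_unreference_unlocked(obj)` before returning. Assuming the reference comes from the lookup above the hunk, every request rejected here would leave a GEM reference held, and userspace can trigger that repeatedly; add `drm_gem_object_unreference_unlocked(obj);` before the `return` in the new branch. Separately, `pitch * height` is an `int` product compared against the `size_t` `obj->size`. If both factors are not already bounded by the caller (not visible in this hunk), doing the multiplication in a 64-bit type would keep a wrapped product from passing the check. The function body starts and ends outside the hunk.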
diff --git a/queue-4.4/drm-amdgpu-validate-user-pitch-alignment.patch b/queue-4.4/drm-amdgpu-validate-user-pitch-alignment.patch
new file mode 100644 (file)
index 0000000..317d468
--- /dev/null
@@ -0,0 +1,46 @@
+From 89f23b6efef554766177bf51aa754bce14c3e7da Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Mon, 7 Jan 2019 15:51:14 -0700
+Subject: drm/amdgpu: validate user pitch alignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit 89f23b6efef554766177bf51aa754bce14c3e7da upstream.
+
+Userspace may request pitch alignment that is not supported by GPU.
+Some requests 32, but GPU ignores it and uses default 64 when cpp is
+4. If GEM object is allocated based on the smaller alignment, GPU
+DMA will go out of bound.
+
+Cc: stable@vger.kernel.org # v4.2+
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -552,6 +552,16 @@ amdgpu_user_framebuffer_create(struct dr
+       struct drm_gem_object *obj;
+       struct amdgpu_framebuffer *amdgpu_fb;
+       int ret;
++      struct amdgpu_device *adev = dev->dev_private;
++      int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
++      int pitch = mode_cmd->pitches[0] / cpp;
++
++      pitch = amdgpu_align_pitch(adev, pitch, cpp, false);
++      if (mode_cmd->pitches[0] != pitch) {
++              DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n",
++                            pitch, mode_cmd->pitches[0]);
++              return ERR_PTR(-EINVAL);
++      }
+       obj = drm_gem_object_lookup(dev, file_priv, mode_cmd->handles[0]);
+       if (obj ==  NULL) {
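Review bot: `mode_cmd->pitches[0] / cpp` is evaluated in the declaration, before anything in this function has looked at `cpp`, so a zero result from `drm_format_plane_cpp()` would be a divide-by-zero on a path driven by a userspace ioctl argument. Whether the DRM core rejects such pixel formats before this callback runs is not visible here. If that is not guaranteed, declare `int pitch;` and put `if (cpp <= 0) return ERR_PTR(-EINVAL);` ahead of `pitch = mode_cmd->pitches[0] / cpp;`. The function continues past the end of the hunk.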
diff --git a/queue-4.4/ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch b/queue-4.4/ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch
new file mode 100644 (file)
index 0000000..632919d
--- /dev/null
@@ -0,0 +1,46 @@
+From 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 25 Dec 2018 00:56:33 -0500
+Subject: ext4: fix a potential fiemap/page fault deadlock w/ inline_data
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 upstream.
+
+The ext4_inline_data_fiemap() function calls fiemap_fill_next_extent()
+while still holding the xattr semaphore.  This is not necessary and it
+triggers a circular lockdep warning.  This is because
+fiemap_fill_next_extent() could trigger a page fault when it writes
+into page which triggers a page fault.  If that page is mmaped from
+the inline file in question, this could very well result in a
+deadlock.
+
+This problem can be reproduced using generic/519 with a file system
+configuration which has the inline_data feature enabled.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1861,12 +1861,12 @@ int ext4_inline_data_fiemap(struct inode
+       physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data;
+       physical += offsetof(struct ext4_inode, i_block);
+-      if (physical)
+-              error = fiemap_fill_next_extent(fieinfo, start, physical,
+-                                              inline_len, flags);
+       brelse(iloc.bh);
+ out:
+       up_read(&EXT4_I(inode)->xattr_sem);
++      if (physical)
++              error = fiemap_fill_next_extent(fieinfo, start, physical,
++                                              inline_len, flags);
+       return (error < 0 ? error : 0);
+ }
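Review bot: With the `fiemap_fill_next_extent()` call moved below `out:`, every `goto out` path now reaches the `if (physical)` test, so correctness depends on `physical` still being zero unless the inode location was read successfully. Its initialisation is outside the hunk and worth confirming for this tree. A comment above the call would record both constraints for the next person who touches the label, e.g. `/* Call only after xattr_sem is dropped: the copy to userspace may fault. physical is 0 on all error paths. */`. The function starts outside the hunk.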
diff --git a/queue-4.4/ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch b/queue-4.4/ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch
new file mode 100644 (file)
index 0000000..4ca829b
--- /dev/null
@@ -0,0 +1,33 @@
+From 95cb67138746451cc84cf8e516e14989746e93b0 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 31 Dec 2018 00:11:07 -0500
+Subject: ext4: track writeback errors using the generic tracking infrastructure
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 95cb67138746451cc84cf8e516e14989746e93b0 upstream.
+
+We already using mapping_set_error() in fs/ext4/page_io.c, so all we
+need to do is to use file_check_and_advance_wb_err() when handling
+fsync() requests in ext4_sync_file().
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/fsync.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/fsync.c
++++ b/fs/ext4/fsync.c
+@@ -145,6 +145,9 @@ int ext4_sync_file(struct file *file, lo
+                       ret = err;
+       }
+ out:
++      err = file_check_and_advance_wb_err(file);
++      if (ret == 0)
++              ret = err;
+       trace_ext4_sync_file_exit(inode, ret);
+       return ret;
+ }
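Review bot: `file_check_and_advance_wb_err()` belongs to the errseq_t writeback-error tracking, which to my knowledge entered mainline well after 4.4, and the `Cc: stable` tag on this patch carries no version range. It is worth confirming that the 4.4 tree actually provides this helper (or queuing its prerequisites first), since otherwise `fs/ext4/fsync.c` will not build. If the helper is present, a one-line comment such as `/* pick up writeback errors recorded against this file since its last fsync */` above the call would explain why it sits after `out:` and runs on the early-exit paths as well. The function starts outside the hunk.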
index 5558851b1cfee8992d2cb936420b5a7c4782aef8..68fc4bd11b849bddbdbfebd35a3ac1dd261044a2 100644 (file)
@@ -47,3 +47,7 @@ pci-altera-move-retrain-from-fixup-to-altera_pcie_host_init.patch
 acpi-power-skip-duplicate-power-resource-references-in-_prx.patch
 i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch
 crypto-cts-fix-crash-on-short-inputs.patch
+drm-amdgpu-validate-user-pitch-alignment.patch
+drm-amdgpu-validate-user-gem-object-size.patch
+ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch
+ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch