--- /dev/null
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig <shanzhulig@gmail.com>
+Suggested-by: shanzhulig <shanzhulig@gmail.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -87,6 +87,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
+@@ -246,7 +252,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -258,6 +265,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
scsi-qla2xxx-pointer-may-be-dereferenced.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
serial-atmel-don-t-enable-irqs-prematurely.patch
--- /dev/null
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig <shanzhulig@gmail.com>
+Suggested-by: shanzhulig <shanzhulig@gmail.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -91,6 +91,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
+@@ -250,7 +256,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -262,6 +269,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
scsi-qla2xxx-pointer-may-be-dereferenced.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
--- /dev/null
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig <shanzhulig@gmail.com>
+Suggested-by: shanzhulig <shanzhulig@gmail.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -98,6 +98,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
+@@ -257,7 +263,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -269,6 +276,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch
rdma-cma-ensure-rdma_addr_cancel-happens-before-issuing-more-requests.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
--- /dev/null
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig <shanzhulig@gmail.com>
+Suggested-by: shanzhulig <shanzhulig@gmail.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -138,6 +138,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
+@@ -297,7 +303,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -309,6 +316,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
+++ /dev/null
-From a2848d08742c8e8494675892c02c0d22acbe3cf8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
-Date: Fri, 7 Jul 2023 11:25:00 +0200
-Subject: drm/ttm: never consider pinned BOs for eviction&swap
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Christian König <christian.koenig@amd.com>
-
-commit a2848d08742c8e8494675892c02c0d22acbe3cf8 upstream.
-
-There is a small window where we have already incremented the pin count
-but not yet moved the bo from the lru to the pinned list.
-
-Signed-off-by: Christian König <christian.koenig@amd.com>
-Reported-by: Pelloux-Prayer, Pierre-Eric <Pierre-eric.Pelloux-prayer@amd.com>
-Tested-by: Pelloux-Prayer, Pierre-Eric <Pierre-eric.Pelloux-prayer@amd.com>
-Acked-by: Alex Deucher <alexander.deucher@amd.com>
-Cc: stable@vger.kernel.org
-Link: https://patchwork.freedesktop.org/patch/msgid/20230707120826.3701-1-christian.koenig@amd.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/ttm/ttm_bo.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/gpu/drm/ttm/ttm_bo.c
-+++ b/drivers/gpu/drm/ttm/ttm_bo.c
-@@ -603,6 +603,12 @@ static bool ttm_bo_evict_swapout_allowab
- {
- bool ret = false;
-
-+ if (bo->pin_count) {
-+ *locked = false;
-+ *busy = false;
-+ return false;
-+ }
-+
- if (bo->base.resv == ctx->resv) {
- dma_resv_assert_held(bo->base.resv);
- if (ctx->allow_res_evict)
drm-amd-display-correct-dmub_fw_version-macro.patch
drm-amdgpu-avoid-restore-process-run-into-dead-loop.patch
drm-ttm-don-t-leak-a-resource-on-swapout-move-error.patch
-drm-ttm-never-consider-pinned-bos-for-eviction-swap.patch
serial-atmel-don-t-enable-irqs-prematurely.patch
tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
mips-kvm-fix-build-error-with-kvm_mips_debug_cop0_counters-enabled.patch
net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
--- /dev/null
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig <shanzhulig@gmail.com>
+Suggested-by: shanzhulig <shanzhulig@gmail.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -97,6 +97,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
+@@ -256,7 +262,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -268,6 +275,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
scsi-qla2xxx-correct-the-index-of-array.patch
scsi-qla2xxx-pointer-may-be-dereferenced.patch
scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
--- /dev/null
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig <shanzhulig@gmail.com>
+Suggested-by: shanzhulig <shanzhulig@gmail.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -140,6 +140,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ drm_dbg_atomic(dev, "Allocated atomic state %p\n", state);
+@@ -299,7 +305,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -311,6 +318,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
+++ /dev/null
-From a2848d08742c8e8494675892c02c0d22acbe3cf8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
-Date: Fri, 7 Jul 2023 11:25:00 +0200
-Subject: drm/ttm: never consider pinned BOs for eviction&swap
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Christian König <christian.koenig@amd.com>
-
-commit a2848d08742c8e8494675892c02c0d22acbe3cf8 upstream.
-
-There is a small window where we have already incremented the pin count
-but not yet moved the bo from the lru to the pinned list.
-
-Signed-off-by: Christian König <christian.koenig@amd.com>
-Reported-by: Pelloux-Prayer, Pierre-Eric <Pierre-eric.Pelloux-prayer@amd.com>
-Tested-by: Pelloux-Prayer, Pierre-Eric <Pierre-eric.Pelloux-prayer@amd.com>
-Acked-by: Alex Deucher <alexander.deucher@amd.com>
-Cc: stable@vger.kernel.org
-Link: https://patchwork.freedesktop.org/patch/msgid/20230707120826.3701-1-christian.koenig@amd.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/ttm/ttm_bo.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/gpu/drm/ttm/ttm_bo.c
-+++ b/drivers/gpu/drm/ttm/ttm_bo.c
-@@ -549,6 +549,12 @@ static bool ttm_bo_evict_swapout_allowab
- {
- bool ret = false;
-
-+ if (bo->pin_count) {
-+ *locked = false;
-+ *busy = false;
-+ return false;
-+ }
-+
- if (bo->base.resv == ctx->resv) {
- dma_resv_assert_held(bo->base.resv);
- if (ctx->allow_res_evict)
drm-amd-display-add-monitor-specific-edid-quirk.patch
drm-amdgpu-avoid-restore-process-run-into-dead-loop.patch
drm-ttm-don-t-leak-a-resource-on-swapout-move-error.patch
-drm-ttm-never-consider-pinned-bos-for-eviction-swap.patch
serial-atmel-don-t-enable-irqs-prematurely.patch
tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
revert-drm-amd-disable-psr-su-on-parade-0803-tcon.patch
swiotlb-mark-swiotlb_memblock_alloc-as-__init.patch
net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
--- /dev/null
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig <shanzhulig@gmail.com>
+Suggested-by: shanzhulig <shanzhulig@gmail.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -140,6 +140,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ drm_dbg_atomic(dev, "Allocated atomic state %p\n", state);
+@@ -299,7 +305,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -311,6 +318,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
+++ /dev/null
-From a2848d08742c8e8494675892c02c0d22acbe3cf8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
-Date: Fri, 7 Jul 2023 11:25:00 +0200
-Subject: drm/ttm: never consider pinned BOs for eviction&swap
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Christian König <christian.koenig@amd.com>
-
-commit a2848d08742c8e8494675892c02c0d22acbe3cf8 upstream.
-
-There is a small window where we have already incremented the pin count
-but not yet moved the bo from the lru to the pinned list.
-
-Signed-off-by: Christian König <christian.koenig@amd.com>
-Reported-by: Pelloux-Prayer, Pierre-Eric <Pierre-eric.Pelloux-prayer@amd.com>
-Tested-by: Pelloux-Prayer, Pierre-Eric <Pierre-eric.Pelloux-prayer@amd.com>
-Acked-by: Alex Deucher <alexander.deucher@amd.com>
-Cc: stable@vger.kernel.org
-Link: https://patchwork.freedesktop.org/patch/msgid/20230707120826.3701-1-christian.koenig@amd.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/ttm/ttm_bo.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/gpu/drm/ttm/ttm_bo.c
-+++ b/drivers/gpu/drm/ttm/ttm_bo.c
-@@ -517,6 +517,12 @@ static bool ttm_bo_evict_swapout_allowab
- {
- bool ret = false;
-
-+ if (bo->pin_count) {
-+ *locked = false;
-+ *busy = false;
-+ return false;
-+ }
-+
- if (bo->base.resv == ctx->resv) {
- dma_resv_assert_held(bo->base.resv);
- if (ctx->allow_res_evict)
ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
hid-hyperv-avoid-struct-memcpy-overrun-warning.patch
net-dsa-qca8k-add-check-for-skb_copy.patch
-x86-fineibt-poison-endbr-at-0.patch
platform-x86-wmi-break-possible-infinite-loop-when-p.patch
net-sched-taprio-replace-tc_taprio_qopt_offload-enab.patch
igc-rename-qbv_enable-to-taprio_offload_enable.patch
drm-amd-pm-fix-smu-i2c-data-read-risk.patch
drm-ttm-don-t-leak-a-resource-on-eviction-error.patch
drm-ttm-don-t-leak-a-resource-on-swapout-move-error.patch
-drm-ttm-never-consider-pinned-bos-for-eviction-swap.patch
serial-atmel-don-t-enable-irqs-prematurely.patch
tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
net-dsa-ocelot-unlock-on-error-in-vsc9959_qos_port_tas_set.patch
mips-kvm-fix-build-error-with-kvm_mips_debug_cop0_counters-enabled.patch
revert-drm-amd-disable-psr-su-on-parade-0803-tcon.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
+++ /dev/null
-From 79f7f4bdb8ae801346e94933d8c848c76e4ea88b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 15 Jun 2023 21:35:48 +0200
-Subject: x86/fineibt: Poison ENDBR at +0
-
-From: Peter Zijlstra <peterz@infradead.org>
-
-[ Upstream commit 04505bbbbb15da950ea0239e328a76a3ad2376e0 ]
-
-Alyssa noticed that when building the kernel with CFI_CLANG+IBT and
-booting on IBT enabled hardware to obtain FineIBT, the indirect
-functions look like:
-
- __cfi_foo:
- endbr64
- subl $hash, %r10d
- jz 1f
- ud2
- nop
- 1:
- foo:
- endbr64
-
-This is because the compiler generates code for kCFI+IBT. In that case
-the caller does the hash check and will jump to +0, so there must be
-an ENDBR there. The compiler doesn't know about FineIBT at all; also
-it is possible to actually use kCFI+IBT when booting with 'cfi=kcfi'
-on IBT enabled hardware.
-
-Having this second ENDBR however makes it possible to elide the CFI
-check. Therefore, we should poison this second ENDBR when switching to
-FineIBT mode.
-
-Fixes: 931ab63664f0 ("x86/ibt: Implement FineIBT")
-Reported-by: "Milburn, Alyssa" <alyssa.milburn@intel.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
-Link: https://lore.kernel.org/r/20230615193722.194131053@infradead.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kernel/alternative.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
-index f615e0cb6d932..4e2c70f88e05b 100644
---- a/arch/x86/kernel/alternative.c
-+++ b/arch/x86/kernel/alternative.c
-@@ -940,6 +940,17 @@ static int cfi_rewrite_preamble(s32 *start, s32 *end)
- return 0;
- }
-
-+static void cfi_rewrite_endbr(s32 *start, s32 *end)
-+{
-+ s32 *s;
-+
-+ for (s = start; s < end; s++) {
-+ void *addr = (void *)s + *s;
-+
-+ poison_endbr(addr+16, false);
-+ }
-+}
-+
- /* .retpoline_sites */
- static int cfi_rand_callers(s32 *start, s32 *end)
- {
-@@ -1034,14 +1045,19 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
- return;
-
- case CFI_FINEIBT:
-+ /* place the FineIBT preamble at func()-16 */
- ret = cfi_rewrite_preamble(start_cfi, end_cfi);
- if (ret)
- goto err;
-
-+ /* rewrite the callers to target func()-16 */
- ret = cfi_rewrite_callers(start_retpoline, end_retpoline);
- if (ret)
- goto err;
-
-+ /* now that nobody targets func()+0, remove ENDBR there */
-+ cfi_rewrite_endbr(start_cfi, end_cfi);
-+
- if (builtin)
- pr_info("Using FineIBT CFI\n");
- return;
---
-2.39.2
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
