From: Greg Kroah-Hartman Date: Mon, 6 Jun 2022 13:49:12 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.10.121~86 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=37d18a8e60456a0941943a710b120010f2430dbc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch md-fix-an-incorrect-null-check-in-md_reload_sb.patch --- diff --git a/queue-4.14/drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch b/queue-4.14/drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch new file mode 100644 index 00000000000..2270eca0c78 --- /dev/null +++ b/queue-4.14/drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch @@ -0,0 +1,64 @@ +From 31ab27b14daaa75541a415c6794d6f3567fea44a Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Mon, 23 May 2022 10:24:18 +1000 +Subject: drm/amdgpu/cs: make commands with 0 chunks illegal behaviour. + +From: Dave Airlie + +commit 31ab27b14daaa75541a415c6794d6f3567fea44a upstream. + +Submitting a cs with 0 chunks, causes an oops later, found trying +to execute the wrong userspace driver. + +MESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo + +[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8 +[172536.665188] #PF: supervisor read access in kernel mode +[172536.665189] #PF: error_code(0x0000) - not-present page +[172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0 +[172536.665195] Oops: 0000 [#1] SMP NOPTI +[172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P O 5.10.81 #1-NixOS +[172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015 +[172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu] +[172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10 +[172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246 +[172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68 +[172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38 +[172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40 +[172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28 +[172536.665283] FS: 00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000 +[172536.665284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0 +[172536.665287] Call Trace: +[172536.665322] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu] +[172536.665332] drm_ioctl_kernel+0xaa/0xf0 [drm] +[172536.665338] drm_ioctl+0x201/0x3b0 [drm] +[172536.665369] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu] +[172536.665372] ? selinux_file_ioctl+0x135/0x230 +[172536.665399] amdgpu_drm_ioctl+0x49/0x80 [amdgpu] +[172536.665403] __x64_sys_ioctl+0x83/0xb0 +[172536.665406] do_syscall_64+0x33/0x40 +[172536.665409] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018 +Signed-off-by: Dave Airlie +Cc: stable@vger.kernel.org +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -84,7 +84,7 @@ static int amdgpu_cs_parser_init(struct + int ret; + + if (cs->in.num_chunks == 0) +- return 0; ++ return -EINVAL; + + chunk_array = kmalloc_array(cs->in.num_chunks, sizeof(uint64_t), GFP_KERNEL); + if (!chunk_array) diff --git a/queue-4.14/drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch b/queue-4.14/drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch new file mode 100644 index 00000000000..4ea8b20d032 --- /dev/null +++ b/queue-4.14/drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch @@ -0,0 +1,54 @@ +From 8fb6c44fe8468f92ac7b8bbfcca4404a4e88645f Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Tue, 1 Mar 2022 18:11:38 -0800 +Subject: drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX + +From: Brian Norris + +commit 8fb6c44fe8468f92ac7b8bbfcca4404a4e88645f upstream. + +If the display is not enable()d, then we aren't holding a runtime PM +reference here. Thus, it's easy to accidentally cause a hang, if user +space is poking around at /dev/drm_dp_aux0 at the "wrong" time. + +Let's get a runtime PM reference, and check that we "see" the panel. +Don't force any panel power-up, etc., because that can be intrusive, and +that's not what other drivers do (see +drivers/gpu/drm/bridge/ti-sn65dsi86.c and +drivers/gpu/drm/bridge/parade-ps8640.c.) + +Fixes: 0d97ad03f422 ("drm/bridge: analogix_dp: Remove duplicated code") +Cc: +Cc: Tomeu Vizoso +Signed-off-by: Brian Norris +Reviewed-by: Douglas Anderson +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20220301181107.v4.1.I773a08785666ebb236917b0c8e6c05e3de471e75@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c ++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c +@@ -1279,8 +1279,19 @@ static ssize_t analogix_dpaux_transfer(s + struct drm_dp_aux_msg *msg) + { + struct analogix_dp_device *dp = to_dp(aux); ++ int ret; + +- return analogix_dp_transfer(dp, msg); ++ pm_runtime_get_sync(dp->dev); ++ ++ ret = analogix_dp_detect_hpd(dp); ++ if (ret) ++ goto out; ++ ++ ret = analogix_dp_transfer(dp, msg); ++out: ++ pm_runtime_put(dp->dev); ++ ++ return ret; + } + + int analogix_dp_bind(struct device *dev, struct drm_device *drm_dev, diff --git a/queue-4.14/drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch b/queue-4.14/drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch new file mode 100644 index 00000000000..2266618d286 --- /dev/null +++ b/queue-4.14/drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch @@ -0,0 +1,58 @@ +From 1c3b2a27def609473ed13b1cd668cb10deab49b4 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Sun, 27 Mar 2022 15:58:24 +0800 +Subject: drm/nouveau/clk: Fix an incorrect NULL check on list iterator + +From: Xiaomeng Tong + +commit 1c3b2a27def609473ed13b1cd668cb10deab49b4 upstream. + +The bug is here: + if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp)) + return cstate; + +The list iterator value 'cstate' will *always* be set and non-NULL +by list_for_each_entry_from_reverse(), so it is incorrect to assume +that the iterator value will be unchanged if the list is empty or no +element is found (In fact, it will be a bogus pointer to an invalid +structure object containing the HEAD). Also it missed a NULL check +at callsite and may lead to invalid memory access after that. + +To fix this bug, just return 'encoder' when found, otherwise return +NULL. And add the NULL check. + +Cc: stable@vger.kernel.org +Fixes: 1f7f3d91ad38a ("drm/nouveau/clk: Respect voltage limits in nvkm_cstate_prog") +Signed-off-by: Xiaomeng Tong +Reviewed-by: Lyude Paul +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20220327075824.11806-1-xiam0nd.tong@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c +@@ -136,10 +136,10 @@ nvkm_cstate_find_best(struct nvkm_clk *c + for (cstate = start; &cstate->head != &pstate->list; + cstate = list_entry(cstate->head.prev, typeof(*cstate), head)) { + if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp)) +- break; ++ return cstate; + } + +- return cstate; ++ return NULL; + } + + static struct nvkm_cstate * +@@ -170,6 +170,8 @@ nvkm_cstate_prog(struct nvkm_clk *clk, s + if (!list_empty(&pstate->list)) { + cstate = nvkm_cstate_get(clk, pstate, cstatei); + cstate = nvkm_cstate_find_best(clk, pstate, cstate); ++ if (!cstate) ++ return -EINVAL; + } else { + cstate = &pstate->base; + } diff --git a/queue-4.14/md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch b/queue-4.14/md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch new file mode 100644 index 00000000000..cdbde7e2cdb --- /dev/null +++ b/queue-4.14/md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch @@ -0,0 +1,55 @@ +From fc8738343eefc4ea8afb6122826dea48eacde514 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Fri, 8 Apr 2022 16:37:28 +0800 +Subject: md: fix an incorrect NULL check in does_sb_need_changing + +From: Xiaomeng Tong + +commit fc8738343eefc4ea8afb6122826dea48eacde514 upstream. + +The bug is here: + if (!rdev) + +The list iterator value 'rdev' will *always* be set and non-NULL +by rdev_for_each(), so it is incorrect to assume that the iterator +value will be NULL if the list is empty or no element found. +Otherwise it will bypass the NULL check and lead to invalid memory +access passing the check. + +To fix the bug, use a new variable 'iter' as the list iterator, +while using the original variable 'rdev' as a dedicated pointer to +point to the found element. + +Cc: stable@vger.kernel.org +Fixes: 2aa82191ac36 ("md-cluster: Perform a lazy update") +Acked-by: Guoqing Jiang +Signed-off-by: Xiaomeng Tong +Acked-by: Goldwyn Rodrigues +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -2427,14 +2427,16 @@ static void sync_sbs(struct mddev *mddev + + static bool does_sb_need_changing(struct mddev *mddev) + { +- struct md_rdev *rdev; ++ struct md_rdev *rdev = NULL, *iter; + struct mdp_superblock_1 *sb; + int role; + + /* Find a good rdev */ +- rdev_for_each(rdev, mddev) +- if ((rdev->raid_disk >= 0) && !test_bit(Faulty, &rdev->flags)) ++ rdev_for_each(iter, mddev) ++ if ((iter->raid_disk >= 0) && !test_bit(Faulty, &iter->flags)) { ++ rdev = iter; + break; ++ } + + /* No good device found. */ + if (!rdev) diff --git a/queue-4.14/md-fix-an-incorrect-null-check-in-md_reload_sb.patch b/queue-4.14/md-fix-an-incorrect-null-check-in-md_reload_sb.patch new file mode 100644 index 00000000000..bbe70bb3595 --- /dev/null +++ b/queue-4.14/md-fix-an-incorrect-null-check-in-md_reload_sb.patch @@ -0,0 +1,57 @@ +From 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Fri, 8 Apr 2022 16:47:15 +0800 +Subject: md: fix an incorrect NULL check in md_reload_sb + +From: Xiaomeng Tong + +commit 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 upstream. + +The bug is here: + if (!rdev || rdev->desc_nr != nr) { + +The list iterator value 'rdev' will *always* be set and non-NULL +by rdev_for_each_rcu(), so it is incorrect to assume that the +iterator value will be NULL if the list is empty or no element +found (In fact, it will be a bogus pointer to an invalid struct +object containing the HEAD). Otherwise it will bypass the check +and lead to invalid memory access passing the check. + +To fix the bug, use a new variable 'iter' as the list iterator, +while using the original variable 'pdev' as a dedicated pointer to +point to the found element. + +Cc: stable@vger.kernel.org +Fixes: 70bcecdb1534 ("md-cluster: Improve md_reload_sb to be less error prone") +Signed-off-by: Xiaomeng Tong +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -9266,16 +9266,18 @@ static int read_rdev(struct mddev *mddev + + void md_reload_sb(struct mddev *mddev, int nr) + { +- struct md_rdev *rdev; ++ struct md_rdev *rdev = NULL, *iter; + int err; + + /* Find the rdev */ +- rdev_for_each_rcu(rdev, mddev) { +- if (rdev->desc_nr == nr) ++ rdev_for_each_rcu(iter, mddev) { ++ if (iter->desc_nr == nr) { ++ rdev = iter; + break; ++ } + } + +- if (!rdev || rdev->desc_nr != nr) { ++ if (!rdev) { + pr_warn("%s: %d Could not find rdev with nr %d\n", __func__, __LINE__, nr); + return; + } diff --git a/queue-4.14/series b/queue-4.14/series index 09c3b509cb9..1a336c86096 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -114,3 +114,8 @@ dlm-fix-missing-lkb-refcount-handling.patch ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch scsi-dc395x-fix-a-missing-check-on-list-iterator.patch scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch +drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch +drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch +drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch +md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch +md-fix-an-incorrect-null-check-in-md_reload_sb.patch