From: Greg Kroah-Hartman Date: Mon, 29 Apr 2024 14:57:19 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.19.313~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=68d2d740c89689bb6a230cd541bb8b72e3d0b9f4;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: fbdev-fix-incorrect-address-computation-in-deferred-io.patch --- diff --git a/queue-5.15/fbdev-fix-incorrect-address-computation-in-deferred-io.patch b/queue-5.15/fbdev-fix-incorrect-address-computation-in-deferred-io.patch new file mode 100644 index 00000000000..6428a83b66c --- /dev/null +++ b/queue-5.15/fbdev-fix-incorrect-address-computation-in-deferred-io.patch 
@@ -0,0 +1,57 @@ +From 78d9161d2bcd442d93d917339297ffa057dbee8c Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Tue, 23 Apr 2024 13:50:53 +0200 +Subject: fbdev: fix incorrect address computation in deferred IO + +From: Nam Cao + +commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream. + +With deferred IO enabled, a page fault happens when data is written to the +framebuffer device. Then driver determines which page is being updated by +calculating the offset of the written virtual address within the virtual +memory area, and uses this offset to get the updated page within the +internal buffer. This page is later copied to hardware (thus the name +"deferred IO"). + +This offset calculation is only correct if the virtual memory area is +mapped to the beginning of the internal buffer. Otherwise this is wrong. +For example, if users do: + mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000); + +Then the virtual memory area will mapped at offset 0xff000 within the +internal buffer. This offset 0xff000 is not accounted for, and wrong page +is updated. + +Correct the calculation by using vmf->pgoff instead. With this change, the +variable "offset" will no longer hold the exact offset value, but it is +rounded down to multiples of PAGE_SIZE. But this is still correct, because +this variable is only used to calculate the page offset. 
+ +Reported-by: Harshit Mogalapalli +Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com +Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct") +Cc: +Signed-off-by: Nam Cao +Reviewed-by: Thomas Zimmermann +Tested-by: Harshit Mogalapalli +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@linutronix.de +[rebase to v5.15] +Signed-off-by: Nam Cao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fb_defio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/core/fb_defio.c ++++ b/drivers/video/fbdev/core/fb_defio.c +@@ -149,7 +149,7 @@ static vm_fault_t fb_deferred_io_mkwrite + unsigned long offset; + vm_fault_t ret; + +- offset = (vmf->address - vmf->vma->vm_start); ++ offset = vmf->pgoff << PAGE_SHIFT; + + /* this is a callback we get when userspace first tries to + write to the page. we schedule a workqueue. that workqueue diff --git a/queue-5.15/series b/queue-5.15/series index 9bc3f3a334d..65159315497 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -73,3 +73,4 @@ dmaengine-idxd-fix-oops-during-rmmod-on-single-cpu-p.patch riscv-fix-vmalloc_start-definition.patch riscv-fix-task_size-on-64-bit-nommu.patch i2c-smbus-fix-null-function-pointer-dereference.patch +fbdev-fix-incorrect-address-computation-in-deferred-io.patch
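Review bot: In the fb_deferred_io_mkwrite hunk of drivers/video/fbdev/core/fb_defio.c, the new assignment `offset = vmf->pgoff << PAGE_SHIFT;` takes its value from the file offset of the mapping, which userspace chooses (the commit message's own mmap example passes 0xff000), and the visible lines show no check that the result lies inside the internal buffer. Please confirm that the page lookup consuming `offset` later in the function rejects out-of-range values, or add an explicit bound check there. It would also help to carry the commit message's caveat into the code as a short comment on this line: `offset` is now a multiple of PAGE_SIZE and is only used to derive the page index, so a later user must not assume it keeps the sub-page part.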
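Review bot: In the header of the added queue-5.15 patch file, the `[rebase to v5.15]` annotation does not say what differs from upstream commit 78d9161d2bcd442d93d917339297ffa057dbee8c. A one-line description of the adjustment (context-only, or a changed expression) would let stable reviewers compare against upstream without re-deriving it. The Fixes: tag names 56c134f7f1b5, so it is also worth confirming that commit is present in the 5.15 tree this queue targets.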