From: Sasha Levin Date: Mon, 29 Apr 2024 01:53:55 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.1.89~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c032f04467908e6af5a2adf3998d496c781da5a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch b/queue-5.4/amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch new file mode 100644 index 00000000000..f196b46be80 --- /dev/null +++ b/queue-5.4/amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch @@ -0,0 +1,74 @@ +From 5af6b0a05b441e1bb8bbe0bf10a8ebb60f7dc6f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 15:44:12 -0700 +Subject: amdgpu: validate offset_in_bo of drm_amdgpu_gem_va +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chia-I Wu + +[ Upstream commit 9f0bcf49e9895cb005d78b33a5eebfa11711b425 ] + +This is motivated by OOB access in amdgpu_vm_update_range when +offset_in_bo+map_size overflows. + +v2: keep the validations in amdgpu_vm_bo_map +v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map + rather than to amdgpu_gem_va_ioctl + +Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters") +Reviewed-by: Christian König +Signed-off-by: Chia-I Wu +Signed-off-by: Alex Deucher +Stable-dep-of: 6fef2d4c00b5 ("drm/amdgpu: validate the parameters of bo mapping operations more clearly") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index 88f2707c69ce7..dfec651ec0b45 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -2123,14 +2123,14 @@ int amdgpu_vm_bo_map(struct amdgpu_device *adev, + uint64_t eaddr; + + /* validate the parameters */ +- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || +- size == 0 || size & ~PAGE_MASK) ++ if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || size & ~PAGE_MASK) ++ return -EINVAL; ++ if (saddr + size <= saddr || offset + size <= offset) + return -EINVAL; + + /* make sure object fit at this offset */ + eaddr = saddr + size - 1; +- if (saddr >= eaddr || +- (bo && offset + size > amdgpu_bo_size(bo)) || ++ if ((bo && offset + size > amdgpu_bo_size(bo)) || + (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT)) + return -EINVAL; + +@@ -2189,14 +2189,14 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev, + int r; + + /* validate the parameters */ +- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || +- size == 0 || size & ~PAGE_MASK) ++ if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || size & ~PAGE_MASK) ++ return -EINVAL; ++ if (saddr + size <= saddr || offset + size <= offset) + return -EINVAL; + + /* make sure object fit at this offset */ + eaddr = saddr + size - 1; +- if (saddr >= eaddr || +- (bo && offset + size > amdgpu_bo_size(bo)) || ++ if ((bo && offset + size > amdgpu_bo_size(bo)) || + (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT)) + return -EINVAL; + +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-restrict-bo-mapping-within-gpu-address-li.patch b/queue-5.4/drm-amdgpu-restrict-bo-mapping-within-gpu-address-li.patch new file mode 100644 index 00000000000..5d75be68b6d --- /dev/null +++ b/queue-5.4/drm-amdgpu-restrict-bo-mapping-within-gpu-address-li.patch @@ -0,0 +1,58 @@ +From 3624709478999bd014a55c32b0abfecf8c8fed59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 01:01:12 -0400 +Subject: drm/amdgpu: restrict bo mapping within gpu address limits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rajneesh Bhardwaj + +[ Upstream commit 8b80d74bdb2285d3022b349c8451eb16535f7906 ] + +Have strict check on bo mapping since on some systems, such as A+A or +hybrid, the cpu might support 5 level paging or can address memory above +48 bits but gpu might be limited by hardware to just use 48 bits. In +general, this applies to all asics where this limitation can be checked +against their max_pfn range. This restricts the range to map bo within +pratical limits of cpu and gpu for shared virtual memory access. + +Reviewed-by: Oak Zeng +Reviewed-by: Christian König +Reviewed-by: Hawking Zhang +Acked-by: Alex Deucher +Signed-off-by: Rajneesh Bhardwaj +Signed-off-by: Alex Deucher +Stable-dep-of: 6fef2d4c00b5 ("drm/amdgpu: validate the parameters of bo mapping operations more clearly") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index dcf23b43f323c..88f2707c69ce7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -2130,7 +2130,8 @@ int amdgpu_vm_bo_map(struct amdgpu_device *adev, + /* make sure object fit at this offset */ + eaddr = saddr + size - 1; + if (saddr >= eaddr || +- (bo && offset + size > amdgpu_bo_size(bo))) ++ (bo && offset + size > amdgpu_bo_size(bo)) || ++ (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT)) + return -EINVAL; + + saddr /= AMDGPU_GPU_PAGE_SIZE; +@@ -2195,7 +2196,8 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev, + /* make sure object fit at this offset */ + eaddr = saddr + size - 1; + if (saddr >= eaddr || +- (bo && offset + size > amdgpu_bo_size(bo))) ++ (bo && offset + size > amdgpu_bo_size(bo)) || ++ (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT)) + return -EINVAL; + + /* Allocate all the needed memory */ +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-validate-the-parameters-of-bo-mapping-ope.patch b/queue-5.4/drm-amdgpu-validate-the-parameters-of-bo-mapping-ope.patch new file mode 100644 index 00000000000..15f7d2d0546 --- /dev/null +++ b/queue-5.4/drm-amdgpu-validate-the-parameters-of-bo-mapping-ope.patch @@ -0,0 +1,147 @@ +From 9a1cd92ac3e2f4e6d5d7826ee1a1ddcfb946dbdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 11:11:38 +0800 +Subject: drm/amdgpu: validate the parameters of bo mapping operations more + clearly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: xinhui pan + +[ Upstream commit 6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75 ] + +Verify the parameters of +amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place. + +Fixes: dc54d3d1744d ("drm/amdgpu: implement AMDGPU_VA_OP_CLEAR v2") +Cc: stable@vger.kernel.org +Reported-by: Vlad Stolyarov +Suggested-by: Christian König +Signed-off-by: xinhui pan +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 72 ++++++++++++++++---------- + 1 file changed, 46 insertions(+), 26 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index dfec651ec0b45..1da72ecf0facb 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -2095,6 +2095,37 @@ static void amdgpu_vm_bo_insert_map(struct amdgpu_device *adev, + trace_amdgpu_vm_bo_map(bo_va, mapping); + } + ++/* Validate operation parameters to prevent potential abuse */ ++static int amdgpu_vm_verify_parameters(struct amdgpu_device *adev, ++ struct amdgpu_bo *bo, ++ uint64_t saddr, ++ uint64_t offset, ++ uint64_t size) ++{ ++ uint64_t tmp, lpfn; ++ ++ if (saddr & AMDGPU_GPU_PAGE_MASK ++ || offset & AMDGPU_GPU_PAGE_MASK ++ || size & AMDGPU_GPU_PAGE_MASK) ++ return -EINVAL; ++ ++ if (check_add_overflow(saddr, size, &tmp) ++ || check_add_overflow(offset, size, &tmp) ++ || size == 0 /* which also leads to end < begin */) ++ return -EINVAL; ++ ++ /* make sure object fit at this offset */ ++ if (bo && offset + size > amdgpu_bo_size(bo)) ++ return -EINVAL; ++ ++ /* Ensure last pfn not exceed max_pfn */ ++ lpfn = (saddr + size - 1) >> AMDGPU_GPU_PAGE_SHIFT; ++ if (lpfn >= adev->vm_manager.max_pfn) ++ return -EINVAL; ++ ++ return 0; ++} ++ + /** + * amdgpu_vm_bo_map - map bo inside a vm + * +@@ -2121,21 +2152,14 @@ int amdgpu_vm_bo_map(struct amdgpu_device *adev, + struct amdgpu_bo *bo = bo_va->base.bo; + struct amdgpu_vm *vm = bo_va->base.vm; + uint64_t eaddr; ++ int r; + +- /* validate the parameters */ +- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || size & ~PAGE_MASK) +- return -EINVAL; +- if (saddr + size <= saddr || offset + size <= offset) +- return -EINVAL; +- +- /* make sure object fit at this offset */ +- eaddr = saddr + size - 1; +- if ((bo && offset + size > amdgpu_bo_size(bo)) || +- (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT)) +- return -EINVAL; ++ r = amdgpu_vm_verify_parameters(adev, bo, saddr, offset, size); ++ if (r) ++ return r; + + saddr /= AMDGPU_GPU_PAGE_SIZE; +- eaddr /= AMDGPU_GPU_PAGE_SIZE; ++ eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE; + + tmp = amdgpu_vm_it_iter_first(&vm->va, saddr, eaddr); + if (tmp) { +@@ -2188,17 +2212,9 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev, + uint64_t eaddr; + int r; + +- /* validate the parameters */ +- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || size & ~PAGE_MASK) +- return -EINVAL; +- if (saddr + size <= saddr || offset + size <= offset) +- return -EINVAL; +- +- /* make sure object fit at this offset */ +- eaddr = saddr + size - 1; +- if ((bo && offset + size > amdgpu_bo_size(bo)) || +- (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT)) +- return -EINVAL; ++ r = amdgpu_vm_verify_parameters(adev, bo, saddr, offset, size); ++ if (r) ++ return r; + + /* Allocate all the needed memory */ + mapping = kmalloc(sizeof(*mapping), GFP_KERNEL); +@@ -2212,7 +2228,7 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev, + } + + saddr /= AMDGPU_GPU_PAGE_SIZE; +- eaddr /= AMDGPU_GPU_PAGE_SIZE; ++ eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE; + + mapping->start = saddr; + mapping->last = eaddr; +@@ -2299,10 +2315,14 @@ int amdgpu_vm_bo_clear_mappings(struct amdgpu_device *adev, + struct amdgpu_bo_va_mapping *before, *after, *tmp, *next; + LIST_HEAD(removed); + uint64_t eaddr; ++ int r; ++ ++ r = amdgpu_vm_verify_parameters(adev, NULL, saddr, 0, size); ++ if (r) ++ return r; + +- eaddr = saddr + size - 1; + saddr /= AMDGPU_GPU_PAGE_SIZE; +- eaddr /= AMDGPU_GPU_PAGE_SIZE; ++ eaddr = saddr + (size - 1) / AMDGPU_GPU_PAGE_SIZE; + + /* Allocate all the needed memory */ + before = kzalloc(sizeof(*before), GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-5.4/serial-core-provide-port-lock-wrappers.patch b/queue-5.4/serial-core-provide-port-lock-wrappers.patch new file mode 100644 index 00000000000..50c4629c991 --- /dev/null +++ b/queue-5.4/serial-core-provide-port-lock-wrappers.patch @@ -0,0 +1,136 @@ +From 99fd9c978ec0b1f31eac0436e3532304b8b571ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Sep 2023 20:43:18 +0206 +Subject: serial: core: Provide port lock wrappers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Gleixner + +[ Upstream commit b0af4bcb49464c221ad5f95d40f2b1b252ceedcc ] + +When a serial port is used for kernel console output, then all +modifications to the UART registers which are done from other contexts, +e.g. getty, termios, are interference points for the kernel console. + +So far this has been ignored and the printk output is based on the +principle of hope. The rework of the console infrastructure which aims to +support threaded and atomic consoles, requires to mark sections which +modify the UART registers as unsafe. This allows the atomic write function +to make informed decisions and eventually to restore operational state. It +also allows to prevent the regular UART code from modifying UART registers +while printk output is in progress. + +All modifications of UART registers are guarded by the UART port lock, +which provides an obvious synchronization point with the console +infrastructure. + +Provide wrapper functions for spin_[un]lock*(port->lock) invocations so +that the console mechanics can be applied later on at a single place and +does not require to copy the same logic all over the drivers. + +Signed-off-by: Thomas Gleixner +Reviewed-by: Ilpo Järvinen +Signed-off-by: John Ogness +Link: https://lore.kernel.org/r/20230914183831.587273-2-john.ogness@linutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 54c4ec5f8c47 ("serial: mxs-auart: add spinlock around changing cts state") +Signed-off-by: Sasha Levin +--- + include/linux/serial_core.h | 79 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 79 insertions(+) + +diff --git a/include/linux/serial_core.h b/include/linux/serial_core.h +index 10f209d54f18a..bc374d9df99fe 100644 +--- a/include/linux/serial_core.h ++++ b/include/linux/serial_core.h +@@ -255,6 +255,85 @@ struct uart_port { + void *private_data; /* generic platform data pointer */ + }; + ++/** ++ * uart_port_lock - Lock the UART port ++ * @up: Pointer to UART port structure ++ */ ++static inline void uart_port_lock(struct uart_port *up) ++{ ++ spin_lock(&up->lock); ++} ++ ++/** ++ * uart_port_lock_irq - Lock the UART port and disable interrupts ++ * @up: Pointer to UART port structure ++ */ ++static inline void uart_port_lock_irq(struct uart_port *up) ++{ ++ spin_lock_irq(&up->lock); ++} ++ ++/** ++ * uart_port_lock_irqsave - Lock the UART port, save and disable interrupts ++ * @up: Pointer to UART port structure ++ * @flags: Pointer to interrupt flags storage ++ */ ++static inline void uart_port_lock_irqsave(struct uart_port *up, unsigned long *flags) ++{ ++ spin_lock_irqsave(&up->lock, *flags); ++} ++ ++/** ++ * uart_port_trylock - Try to lock the UART port ++ * @up: Pointer to UART port structure ++ * ++ * Returns: True if lock was acquired, false otherwise ++ */ ++static inline bool uart_port_trylock(struct uart_port *up) ++{ ++ return spin_trylock(&up->lock); ++} ++ ++/** ++ * uart_port_trylock_irqsave - Try to lock the UART port, save and disable interrupts ++ * @up: Pointer to UART port structure ++ * @flags: Pointer to interrupt flags storage ++ * ++ * Returns: True if lock was acquired, false otherwise ++ */ ++static inline bool uart_port_trylock_irqsave(struct uart_port *up, unsigned long *flags) ++{ ++ return spin_trylock_irqsave(&up->lock, *flags); ++} ++ ++/** ++ * uart_port_unlock - Unlock the UART port ++ * @up: Pointer to UART port structure ++ */ ++static inline void uart_port_unlock(struct uart_port *up) ++{ ++ spin_unlock(&up->lock); ++} ++ ++/** ++ * uart_port_unlock_irq - Unlock the UART port and re-enable interrupts ++ * @up: Pointer to UART port structure ++ */ ++static inline void uart_port_unlock_irq(struct uart_port *up) ++{ ++ spin_unlock_irq(&up->lock); ++} ++ ++/** ++ * uart_port_lock_irqrestore - Unlock the UART port, restore interrupts ++ * @up: Pointer to UART port structure ++ * @flags: The saved interrupt flags for restore ++ */ ++static inline void uart_port_unlock_irqrestore(struct uart_port *up, unsigned long flags) ++{ ++ spin_unlock_irqrestore(&up->lock, flags); ++} ++ + static inline int serial_port_in(struct uart_port *up, int offset) + { + return up->serial_in(up, offset); +-- +2.43.0 + diff --git a/queue-5.4/serial-mxs-auart-add-spinlock-around-changing-cts-st.patch b/queue-5.4/serial-mxs-auart-add-spinlock-around-changing-cts-st.patch new file mode 100644 index 00000000000..6907ffb5795 --- /dev/null +++ b/queue-5.4/serial-mxs-auart-add-spinlock-around-changing-cts-st.patch @@ -0,0 +1,67 @@ +From a415cab513a700c984ba88682b1541856db3dcb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 12:15:36 +0000 +Subject: serial: mxs-auart: add spinlock around changing cts state + +From: Emil Kronborg + +[ Upstream commit 54c4ec5f8c471b7c1137a1f769648549c423c026 ] + +The uart_handle_cts_change() function in serial_core expects the caller +to hold uport->lock. For example, I have seen the below kernel splat, +when the Bluetooth driver is loaded on an i.MX28 board. + + [ 85.119255] ------------[ cut here ]------------ + [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec + [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs + [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1 + [ 85.151396] Hardware name: Freescale MXS (Device Tree) + [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth] + (...) + [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4 + [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210 + (...) + +Cc: stable@vger.kernel.org +Fixes: 4d90bb147ef6 ("serial: core: Document and assert lock requirements for irq helpers") +Reviewed-by: Frank Li +Signed-off-by: Emil Kronborg +Link: https://lore.kernel.org/r/20240320121530.11348-1-emil.kronborg@protonmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/mxs-auart.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c +index 5d483e996514f..a8eb98e37af48 100644 +--- a/drivers/tty/serial/mxs-auart.c ++++ b/drivers/tty/serial/mxs-auart.c +@@ -1126,11 +1126,13 @@ static void mxs_auart_set_ldisc(struct uart_port *port, + + static irqreturn_t mxs_auart_irq_handle(int irq, void *context) + { +- u32 istat; ++ u32 istat, stat; + struct mxs_auart_port *s = context; + u32 mctrl_temp = s->mctrl_prev; +- u32 stat = mxs_read(s, REG_STAT); + ++ uart_port_lock(&s->port); ++ ++ stat = mxs_read(s, REG_STAT); + istat = mxs_read(s, REG_INTR); + + /* ack irq */ +@@ -1166,6 +1168,8 @@ static irqreturn_t mxs_auart_irq_handle(int irq, void *context) + istat &= ~AUART_INTR_TXIS; + } + ++ uart_port_unlock(&s->port); ++ + return IRQ_HANDLED; + } + +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 35eafdf619b..3dd2607cde7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -76,3 +76,8 @@ mlxsw-spectrum_acl_tcam-fix-memory-leak-when-canceli.patch i40e-do-not-use-wq_mem_reclaim-flag-for-workqueue.patch iavf-fix-tc-config-comparison-with-existing-adapter-.patch af_unix-suppress-false-positive-lockdep-splat-for-sp.patch +serial-core-provide-port-lock-wrappers.patch +serial-mxs-auart-add-spinlock-around-changing-cts-st.patch +drm-amdgpu-restrict-bo-mapping-within-gpu-address-li.patch +amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch +drm-amdgpu-validate-the-parameters-of-bo-mapping-ope.patch