From 9c46d7053d2526dc57a31a06c1296afc93957d3f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 17 May 2021 14:39:40 +0200 Subject: [PATCH] 5.10-stable patches added patches: drm-i915-fix-crash-in-auto_retire.patch drm-i915-gt-fix-a-double-free-in-gen8_preallocate_top_level_pdp.patch drm-i915-overlay-fix-active-retire-callback-alignment.patch drm-i915-read-c0drb3-c1drb3-as-16-bits-again.patch --- .../drm-i915-fix-crash-in-auto_retire.patch | 70 +++++++++++++++++++ ...ee-in-gen8_preallocate_top_level_pdp.patch | 42 +++++++++++ ...fix-active-retire-callback-alignment.patch | 39 +++++++++++ ...-read-c0drb3-c1drb3-as-16-bits-again.patch | 39 +++++++++++ queue-5.10/series | 4 ++ 5 files changed, 194 insertions(+) create mode 100644 queue-5.10/drm-i915-fix-crash-in-auto_retire.patch create mode 100644 queue-5.10/drm-i915-gt-fix-a-double-free-in-gen8_preallocate_top_level_pdp.patch create mode 100644 queue-5.10/drm-i915-overlay-fix-active-retire-callback-alignment.patch create mode 100644 queue-5.10/drm-i915-read-c0drb3-c1drb3-as-16-bits-again.patch diff --git a/queue-5.10/drm-i915-fix-crash-in-auto_retire.patch b/queue-5.10/drm-i915-fix-crash-in-auto_retire.patch new file mode 100644 index 00000000000..d401554d378 --- /dev/null +++ b/queue-5.10/drm-i915-fix-crash-in-auto_retire.patch @@ -0,0 +1,70 @@ +From 402be8a101190969fc7ff122d07e262df86e132b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Marchesin?= +Date: Thu, 29 Apr 2021 03:10:21 +0000 +Subject: drm/i915: Fix crash in auto_retire +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stéphane Marchesin + +commit 402be8a101190969fc7ff122d07e262df86e132b upstream. + +The retire logic uses the 2 lower bits of the pointer to the retire +function to store flags. However, the auto_retire function is not +guaranteed to be aligned to a multiple of 4, which causes crashes as +we jump to the wrong address, for example like this: + +2021-04-24T18:03:53.804300Z WARNING kernel: [ 516.876901] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +2021-04-24T18:03:53.804310Z WARNING kernel: [ 516.876906] CPU: 7 PID: 146 Comm: kworker/u16:6 Tainted: G U 5.4.105-13595-g3cd84167b2df #1 +2021-04-24T18:03:53.804311Z WARNING kernel: [ 516.876907] Hardware name: Google Volteer2/Volteer2, BIOS Google_Volteer2.13672.76.0 02/22/2021 +2021-04-24T18:03:53.804312Z WARNING kernel: [ 516.876911] Workqueue: events_unbound active_work +2021-04-24T18:03:53.804313Z WARNING kernel: [ 516.876914] RIP: 0010:auto_retire+0x1/0x20 +2021-04-24T18:03:53.804314Z WARNING kernel: [ 516.876916] Code: e8 01 f2 ff ff eb 02 31 db 48 89 d8 5b 5d c3 0f 1f 44 00 00 55 48 89 e5 f0 ff 87 c8 00 00 00 0f 88 ab 47 4a 00 31 c0 5d c3 0f <1f> 44 00 00 55 48 89 e5 f0 ff 8f c8 00 00 00 0f 88 9a 47 4a 00 74 +2021-04-24T18:03:53.804319Z WARNING kernel: [ 516.876918] RSP: 0018:ffff9b4d809fbe38 EFLAGS: 00010286 +2021-04-24T18:03:53.804320Z WARNING kernel: [ 516.876919] RAX: 0000000000000007 RBX: ffff927915079600 RCX: 0000000000000007 +2021-04-24T18:03:53.804320Z WARNING kernel: [ 516.876921] RDX: ffff9b4d809fbe40 RSI: 0000000000000286 RDI: ffff927915079600 +2021-04-24T18:03:53.804321Z WARNING kernel: [ 516.876922] RBP: ffff9b4d809fbe68 R08: 8080808080808080 R09: fefefefefefefeff +2021-04-24T18:03:53.804321Z WARNING kernel: [ 516.876924] R10: 0000000000000010 R11: ffffffff92e44bd8 R12: ffff9279150796a0 +2021-04-24T18:03:53.804322Z WARNING kernel: [ 516.876925] R13: ffff92791c368180 R14: ffff927915079640 R15: 000000001c867605 +2021-04-24T18:03:53.804323Z WARNING kernel: [ 516.876926] FS: 0000000000000000(0000) GS:ffff92791ffc0000(0000) knlGS:0000000000000000 +2021-04-24T18:03:53.804323Z WARNING kernel: [ 516.876928] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +2021-04-24T18:03:53.804324Z WARNING kernel: [ 516.876929] CR2: 0000239514955000 CR3: 00000007f82da001 CR4: 0000000000760ee0 +2021-04-24T18:03:53.804325Z WARNING kernel: [ 516.876930] PKRU: 55555554 +2021-04-24T18:03:53.804325Z WARNING kernel: [ 516.876931] Call Trace: +2021-04-24T18:03:53.804326Z WARNING kernel: [ 516.876935] __active_retire+0x77/0xcf +2021-04-24T18:03:53.804326Z WARNING kernel: [ 516.876939] process_one_work+0x1da/0x394 +2021-04-24T18:03:53.804327Z WARNING kernel: [ 516.876941] worker_thread+0x216/0x375 +2021-04-24T18:03:53.804327Z WARNING kernel: [ 516.876944] kthread+0x147/0x156 +2021-04-24T18:03:53.804335Z WARNING kernel: [ 516.876946] ? pr_cont_work+0x58/0x58 +2021-04-24T18:03:53.804335Z WARNING kernel: [ 516.876948] ? kthread_blkcg+0x2e/0x2e +2021-04-24T18:03:53.804336Z WARNING kernel: [ 516.876950] ret_from_fork+0x1f/0x40 +2021-04-24T18:03:53.804336Z WARNING kernel: [ 516.876952] Modules linked in: cdc_mbim cdc_ncm cdc_wdm xt_cgroup rfcomm cmac algif_hash algif_skcipher af_alg xt_MASQUERADE uinput snd_soc_rt5682_sdw snd_soc_rt5682 snd_soc_max98373_sdw snd_soc_max98373 snd_soc_rl6231 regmap_sdw snd_soc_sof_sdw snd_soc_hdac_hdmi snd_soc_dmic snd_hda_codec_hdmi snd_sof_pci snd_sof_intel_hda_common intel_ipu6_psys snd_sof_xtensa_dsp soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core soundwire_bus snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core intel_ipu6_isys videobuf2_dma_contig videobuf2_v4l2 videobuf2_common videobuf2_memops mei_hdcp intel_ipu6 ov2740 ov8856 at24 sx9310 dw9768 v4l2_fwnode cros_ec_typec intel_pmc_mux roles acpi_als typec fuse iio_trig_sysfs cros_ec_light_prox cros_ec_lid_angle cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer cros_ec_sensors_ring kfifo_buf industrialio cros_ec_sensorhub +2021-04-24T18:03:53.804337Z WARNING kernel: [ 516.876972] cdc_ether usbnet iwlmvm lzo_rle lzo_compress iwl7000_mac80211 iwlwifi zram cfg80211 r8152 mii btusb btrtl btintel btbcm bluetooth ecdh_generic ecc joydev +2021-04-24T18:03:53.804337Z EMERG kernel: [ 516.879169] gsmi: Log Shutdown Reason 0x03 + +This change fixes this by aligning the function. + +Signed-off-by: Stéphane Marchesin +Fixes: 229007e02d69 ("drm/i915: Wrap i915_active in a simple kreffed struct") +Signed-off-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/20210429031021.1218091-1-marcheu@chromium.org +(cherry picked from commit ca419f407b43cc89942ebc297c7a63d94abbcae4) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/i915_active.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_active.c ++++ b/drivers/gpu/drm/i915/i915_active.c +@@ -1159,7 +1159,8 @@ static int auto_active(struct i915_activ + return 0; + } + +-static void auto_retire(struct i915_active *ref) ++__i915_active_call static void ++auto_retire(struct i915_active *ref) + { + i915_active_put(ref); + } diff --git a/queue-5.10/drm-i915-gt-fix-a-double-free-in-gen8_preallocate_top_level_pdp.patch b/queue-5.10/drm-i915-gt-fix-a-double-free-in-gen8_preallocate_top_level_pdp.patch new file mode 100644 index 00000000000..f1f980a137c --- /dev/null +++ b/queue-5.10/drm-i915-gt-fix-a-double-free-in-gen8_preallocate_top_level_pdp.patch @@ -0,0 +1,42 @@ +From ea995218dddba171fecd05496c69617c5ef3c5b8 Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Mon, 26 Apr 2021 05:43:40 -0700 +Subject: drm/i915/gt: Fix a double free in gen8_preallocate_top_level_pdp + +From: Lv Yunlong + +commit ea995218dddba171fecd05496c69617c5ef3c5b8 upstream. + +Our code analyzer reported a double free bug. + +In gen8_preallocate_top_level_pdp, pde and pde->pt.base are allocated +via alloc_pd(vm) with one reference. If pin_pt_dma() failed, pde->pt.base +is freed by i915_gem_object_put() with a reference dropped. Then free_pd +calls free_px() defined in intel_ppgtt.c, which calls i915_gem_object_put() +to put pde->pt.base again. + +As pde->pt.base is protected by refcount, so the second put will not free +pde->pt.base actually. But, maybe it is better to remove the first put? + +Fixes: 82adf901138cc ("drm/i915/gt: Shrink i915_page_directory's slab bucket") +Signed-off-by: Lv Yunlong +Reviewed-by: Matthew Auld +Signed-off-by: Matthew Auld +Link: https://patchwork.freedesktop.org/patch/msgid/20210426124340.4238-1-lyl2019@mail.ustc.edu.cn +(cherry picked from commit ac69496fe65cca0611d5917b7d232730ff605bc7) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/gen8_ppgtt.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/gpu/drm/i915/gt/gen8_ppgtt.c ++++ b/drivers/gpu/drm/i915/gt/gen8_ppgtt.c +@@ -628,7 +628,6 @@ static int gen8_preallocate_top_level_pd + + err = pin_pt_dma(vm, pde->pt.base); + if (err) { +- i915_gem_object_put(pde->pt.base); + free_pd(vm, pde); + return err; + } diff --git a/queue-5.10/drm-i915-overlay-fix-active-retire-callback-alignment.patch b/queue-5.10/drm-i915-overlay-fix-active-retire-callback-alignment.patch new file mode 100644 index 00000000000..7022980cc12 --- /dev/null +++ b/queue-5.10/drm-i915-overlay-fix-active-retire-callback-alignment.patch @@ -0,0 +1,39 @@ +From a915fe5e9601c632417ef5261af70788d7d23a8a Mon Sep 17 00:00:00 2001 +From: Tvrtko Ursulin +Date: Thu, 29 Apr 2021 09:35:29 +0100 +Subject: drm/i915/overlay: Fix active retire callback alignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tvrtko Ursulin + +commit a915fe5e9601c632417ef5261af70788d7d23a8a upstream. + +__i915_active_call annotation is required on the retire callback to ensure +correct function alignment. + +Signed-off-by: Tvrtko Ursulin +Fixes: a21ce8ad12d2 ("drm/i915/overlay: Switch to using i915_active tracking") +Cc: Chris Wilson +Cc: Matthew Auld +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20210429083530.849546-1-tvrtko.ursulin@linux.intel.com +(cherry picked from commit d8e44e4dd221ee283ea60a6fb87bca08807aa0ab) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_overlay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/display/intel_overlay.c ++++ b/drivers/gpu/drm/i915/display/intel_overlay.c +@@ -382,7 +382,7 @@ static void intel_overlay_off_tail(struc + i830_overlay_clock_gating(dev_priv, true); + } + +-static void ++__i915_active_call static void + intel_overlay_last_flip_retire(struct i915_active *active) + { + struct intel_overlay *overlay = diff --git a/queue-5.10/drm-i915-read-c0drb3-c1drb3-as-16-bits-again.patch b/queue-5.10/drm-i915-read-c0drb3-c1drb3-as-16-bits-again.patch new file mode 100644 index 00000000000..d90995a2271 --- /dev/null +++ b/queue-5.10/drm-i915-read-c0drb3-c1drb3-as-16-bits-again.patch @@ -0,0 +1,39 @@ +From 04d019961fd15de92874575536310243a0d4c5c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 21 Apr 2021 18:33:59 +0300 +Subject: drm/i915: Read C0DRB3/C1DRB3 as 16 bits again +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 04d019961fd15de92874575536310243a0d4c5c5 upstream. + +We've defined C0DRB3/C1DRB3 as 16 bit registers, so access them +as such. + +Fixes: 1c8242c3a4b2 ("drm/i915: Use unchecked writes for setting up the fences") +Reviewed-by: Chris Wilson +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20210421153401.13847-3-ville.syrjala@linux.intel.com +(cherry picked from commit f765a5b48c667bdada5e49d5e0f23f8c0687b21b) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c ++++ b/drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c +@@ -652,8 +652,8 @@ static void detect_bit_6_swizzle(struct + * banks of memory are paired and unswizzled on the + * uneven portion, so leave that as unknown. + */ +- if (intel_uncore_read(uncore, C0DRB3) == +- intel_uncore_read(uncore, C1DRB3)) { ++ if (intel_uncore_read16(uncore, C0DRB3) == ++ intel_uncore_read16(uncore, C1DRB3)) { + swizzle_x = I915_BIT_6_SWIZZLE_9_10; + swizzle_y = I915_BIT_6_SWIZZLE_9; + } diff --git a/queue-5.10/series b/queue-5.10/series index ddb3d0cfb11..b993ddd4a75 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -274,3 +274,7 @@ arm-9020-1-mm-use-correct-section-size-macro-to-describe-the-fdt-virtual-address arm-9027-1-head.s-explicitly-map-dt-even-if-it-lives-in-the-first-physical-section.patch usb-typec-tcpm-fix-error-while-calculating-pps-out-values.patch kobject_uevent-remove-warning-in-init_uevent_argv.patch +drm-i915-gt-fix-a-double-free-in-gen8_preallocate_top_level_pdp.patch +drm-i915-read-c0drb3-c1drb3-as-16-bits-again.patch +drm-i915-overlay-fix-active-retire-callback-alignment.patch +drm-i915-fix-crash-in-auto_retire.patch -- 2.47.3