From fcdbce9c4809b2a7df2aff9ded6bf9439211ea5c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 28 May 2026 16:00:20 +0200
Subject: [PATCH] drop some patches
---
...ruptible-resv-lock-for-plane-updates.patch | 145 ------------------
queue-5.15/series | 1 -
...insn_text_copy-to-patch-instructions.patch | 71 ---------
queue-6.12/series | 1 -
...insn_text_copy-to-patch-instructions.patch | 76 ---------
queue-6.6/series | 1 -
6 files changed, 295 deletions(-)
delete mode 100644 queue-5.15/drm-virtio-use-uninterruptible-resv-lock-for-plane-updates.patch
delete mode 100644 queue-6.12/loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
delete mode 100644 queue-6.6/loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
diff --git a/queue-5.15/drm-virtio-use-uninterruptible-resv-lock-for-plane-updates.patch b/queue-5.15/drm-virtio-use-uninterruptible-resv-lock-for-plane-updates.patch
deleted file mode 100644
index 6fd6c349c1..0000000000
--- a/queue-5.15/drm-virtio-use-uninterruptible-resv-lock-for-plane-updates.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 9af1b6e175c82daf4b423da339a722d8e67a735a Mon Sep 17 00:00:00 2001
-From: Deepanshu Kartikey
-Date: Tue, 19 May 2026 13:52:47 +0530
-Subject: drm/virtio: use uninterruptible resv lock for plane updates
-
-From: Deepanshu Kartikey
-
-commit 9af1b6e175c82daf4b423da339a722d8e67a735a upstream.
-
-virtio_gpu_cursor_plane_update() and virtio_gpu_resource_flush() lock
-the framebuffer BO's dma_resv via virtio_gpu_array_lock_resv() and
-ignore its return value. The function can fail with -EINTR from
-dma_resv_lock_interruptible() (signal during lock wait) or with
--ENOMEM from dma_resv_reserve_fences() (fence slot allocation),
-leaving the resv lock not held. The queue path then walks the object
-array and calls dma_resv_add_fence(), which requires the lock held;
-with lockdep enabled this trips dma_resv_assert_held():
-
- WARNING: drivers/dma-buf/dma-resv.c:296 at dma_resv_add_fence+0x71e/0x840
- Call Trace:
- virtio_gpu_array_add_fence
- virtio_gpu_queue_ctrl_sgs
- virtio_gpu_queue_fenced_ctrl_buffer
- virtio_gpu_cursor_plane_update
- drm_atomic_helper_commit_planes
- drm_atomic_helper_commit_tail
- commit_tail
- drm_atomic_helper_commit
- drm_atomic_commit
- drm_atomic_helper_update_plane
- __setplane_atomic
- drm_mode_cursor_universal
- drm_mode_cursor_common
- drm_mode_cursor_ioctl
- drm_ioctl
- __x64_sys_ioctl
-
-Beyond the WARN, mutating the dma_resv fence list without the lock
-races with concurrent readers/writers and can corrupt the list.
-
-Both call sites run inside the .atomic_update plane callback, which
-DRM atomic helpers do not allow to fail (by the time it runs, the
-commit has been signed off to userspace and there is no clean
-rollback path). Moving the lock acquisition to .prepare_fb was
-rejected because the broader lock scope deadlocks against other BO
-locking paths in the same atomic commit.
-
-Introduce virtio_gpu_lock_one_resv_uninterruptible() that uses
-dma_resv_lock() instead of dma_resv_lock_interruptible(). This
-eliminates the -EINTR failure mode -- the realistic syzbot trigger
--- without extending the lock hold across the commit. The helper
-locks a single BO and rejects nents > 1 with -EINVAL; both fix
-sites lock exactly one BO.
-
-Use it from virtio_gpu_cursor_plane_update() and
-virtio_gpu_resource_flush(); check the return value to handle the
-remaining -ENOMEM case from dma_resv_reserve_fences() by freeing
-the objs and skipping the plane update for that frame. The
-framebuffer BOs touched here are not shared with other contexts
-and lock contention is expected to be brief, so the loss of
-signal-interruptibility is acceptable.
-
-Other callers of virtio_gpu_array_lock_resv() (the ioctl paths)
-continue to use the interruptible variant.
-
-The bug was reported by syzbot, triggered via fault injection
-(fail_nth) on the DRM_IOCTL_MODE_CURSOR path, which forces the
--ENOMEM branch in dma_resv_reserve_fences().
-
-Reported-by: syzbot+72bd3dd3a5d5f39a0271@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
-Fixes: 5cfd31c5b3a3 ("drm/virtio: fix virtio_gpu_cursor_plane_update().")
-Cc: stable@vger.kernel.org
-Signed-off-by: Deepanshu Kartikey
-Signed-off-by: Dmitry Osipenko
-Link: https://patch.msgid.link/20260519082247.34470-1-kartikey406@gmail.com
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/gpu/drm/virtio/virtgpu_drv.h | 1 +
- drivers/gpu/drm/virtio/virtgpu_gem.c | 17 +++++++++++++++++
- drivers/gpu/drm/virtio/virtgpu_plane.c | 10 ++++++++--
- 3 files changed, 26 insertions(+), 2 deletions(-)
-
---- a/drivers/gpu/drm/virtio/virtgpu_drv.h
-+++ b/drivers/gpu/drm/virtio/virtgpu_drv.h
-@@ -288,6 +288,7 @@ virtio_gpu_array_from_handles(struct drm
- void virtio_gpu_array_add_obj(struct virtio_gpu_object_array *objs,
- struct drm_gem_object *obj);
- int virtio_gpu_array_lock_resv(struct virtio_gpu_object_array *objs);
-+int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs);
- void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs);
- void virtio_gpu_array_add_fence(struct virtio_gpu_object_array *objs,
- struct dma_fence *fence);
---- a/drivers/gpu/drm/virtio/virtgpu_gem.c
-+++ b/drivers/gpu/drm/virtio/virtgpu_gem.c
-@@ -225,6 +225,23 @@ int virtio_gpu_array_lock_resv(struct vi
- return ret;
- }
-
-+int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs)
-+{
-+ int ret;
-+
-+ if (objs->nents != 1)
-+ return -EINVAL;
-+
-+ dma_resv_lock(objs->objs[0]->resv, NULL);
-+
-+ ret = dma_resv_reserve_fences(objs->objs[0]->resv, 1);
-+ if (ret) {
-+ virtio_gpu_array_unlock_resv(objs);
-+ return ret;
-+ }
-+ return 0;
-+}
-+
- void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs)
- {
- if (objs->nents == 1) {
---- a/drivers/gpu/drm/virtio/virtgpu_plane.c
-+++ b/drivers/gpu/drm/virtio/virtgpu_plane.c
-@@ -147,7 +147,10 @@ static void virtio_gpu_resource_flush(st
- if (!objs)
- return;
- virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
-- virtio_gpu_array_lock_resv(objs);
-+ if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
-+ virtio_gpu_array_put_free(objs);
-+ return;
-+ }
- virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y,
- width, height, objs, vgfb->fence);
- virtio_gpu_notify(vgdev);
-@@ -314,7 +317,10 @@ static void virtio_gpu_cursor_plane_upda
- if (!objs)
- return;
- virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
-- virtio_gpu_array_lock_resv(objs);
-+ if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
-+ virtio_gpu_array_put_free(objs);
-+ return;
-+ }
- virtio_gpu_cmd_transfer_to_host_2d
- (vgdev, 0,
- plane->state->crtc_w,
diff --git a/queue-5.15/series b/queue-5.15/series
index 77222808c5..17eacf1679 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -705,7 +705,6 @@ spi-sprd-fix-error-pointer-deref-after-dma-setup-failure.patch
 spi-ti-qspi-fix-use-after-free-after-dma-setup-failure.patch
 rdma-siw-reject-mpa-fpdu-length-underflow-before-signed-receive-math.patch
 device-property-set-fwnode-secondary-to-null-in-fwnode_init.patch
-drm-virtio-use-uninterruptible-resv-lock-for-plane-updates.patch
 drm-bridge-it66121-acquire-reset-gpio-in-probe.patch
 drm-bridge-megachips-remove-bridge-when-irq-request-fails.patch
 drm-amd-display-fix-integer-overflow-in-bios_get_image.patch
diff --git a/queue-6.12/loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch b/queue-6.12/loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
deleted file mode 100644
index 303468ca98..0000000000
--- a/queue-6.12/loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From e3ef9a28f558d1cbf0b42d6dcd16c60da557562b Mon Sep 17 00:00:00 2001
-From: Tiezhu Yang
-Date: Fri, 22 May 2026 15:05:07 +0800
-Subject: LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions
-
-From: Tiezhu Yang
-
-commit e3ef9a28f558d1cbf0b42d6dcd16c60da557562b upstream.
-
-On SMP systems, kprobe handlers would occasionally fail to execute on
-certain CPU cores. The issue is hard to reproduce and typically occurs
-randomly under high system load.
-
-The root cause is a software-side instruction hazard. According to the
-LoongArch Reference Manual, while the cache coherency is maintained by
-hardware, software must explicitly use the "IBAR" instruction to ensure
-the instruction fetch unit (IFU) observes the effects of recent stores.
-
-The current arch_arm_kprobe() and arch_disarm_kprobe() only execute the
-"IBAR" barrier (via flush_insn_slot -> local_flush_icache_range) on the
-local CPU. This leaves a vulnerable window where remote CPU cores may
-continue executing stale instructions from their pipelines or prefetch
-buffers, as they have not executed an "IBAR" since the code modification.
-
-Switch to larch_insn_text_copy() to fix this:
-1. Synchronization: It uses stop_machine_cpuslocked() to synchronize all
- online CPUs, ensuring no CPU is executing the target code area during
- modification.
-2. Visibility: By passing cpu_online_mask to stop_machine_cpuslocked(),
- the callback text_copy_cb() is executed on all online cores. Each CPU
- core invokes local_flush_icache_range() to execute "IBAR", clearing
- instruction hazards system-wide and ensuring the "break" instruction
- is visible to the fetch units of all cores.
-3. Robustness: It properly manages memory write permissions (ROX/RW) for
- the kernel text segment during patching, ensuring compatibility with
- CONFIG_STRICT_KERNEL_RWX.
-
-Cc: # 6.18+
-Fixes: 6d4cc40fb5f5 ("LoongArch: Add kprobes support")
-Signed-off-by: Tiezhu Yang
-Signed-off-by: Huacai Chen
-Signed-off-by: Greg Kroah-Hartman
----
- arch/loongarch/kernel/kprobes.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
---- a/arch/loongarch/kernel/kprobes.c
-+++ b/arch/loongarch/kernel/kprobes.c
-@@ -60,16 +60,18 @@ NOKPROBE_SYMBOL(arch_prepare_kprobe);
- /* Install breakpoint in text */
- void arch_arm_kprobe(struct kprobe *p)
- {
-- *p->addr = KPROBE_BP_INSN;
-- flush_insn_slot(p);
-+ u32 insn = KPROBE_BP_INSN;
-+
-+ larch_insn_text_copy(p->addr, &insn, LOONGARCH_INSN_SIZE);
- }
- NOKPROBE_SYMBOL(arch_arm_kprobe);
-
- /* Remove breakpoint from text */
- void arch_disarm_kprobe(struct kprobe *p)
- {
-- *p->addr = p->opcode;
-- flush_insn_slot(p);
-+ u32 insn = p->opcode;
-+
-+ larch_insn_text_copy(p->addr, &insn, LOONGARCH_INSN_SIZE);
- }
- NOKPROBE_SYMBOL(arch_disarm_kprobe);
-
diff --git a/queue-6.12/series b/queue-6.12/series
index 5405477f96..647ae16b7e 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -109,7 +109,6 @@ spi-ep93xx-fix-error-pointer-deref-after-dma-setup-failure.patch
 spi-sprd-fix-error-pointer-deref-after-dma-setup-failure.patch
 spi-ti-qspi-fix-use-after-free-after-dma-setup-failure.patch
 rdma-siw-reject-mpa-fpdu-length-underflow-before-signed-receive-math.patch
-loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
 loongarch-remove-unused-code-to-avoid-build-warning.patch
 device-property-set-fwnode-secondary-to-null-in-fwnode_init.patch
 drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on-prior-line-used.patch
diff --git a/queue-6.6/loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch b/queue-6.6/loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
deleted file mode 100644
index a7352b64fc..0000000000
--- a/queue-6.6/loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From e3ef9a28f558d1cbf0b42d6dcd16c60da557562b Mon Sep 17 00:00:00 2001
-From: Tiezhu Yang
-Date: Fri, 22 May 2026 15:05:07 +0800
-Subject: LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions
-
-From: Tiezhu Yang
-
-commit e3ef9a28f558d1cbf0b42d6dcd16c60da557562b upstream.
-
-On SMP systems, kprobe handlers would occasionally fail to execute on
-certain CPU cores. The issue is hard to reproduce and typically occurs
-randomly under high system load.
-
-The root cause is a software-side instruction hazard. According to the
-LoongArch Reference Manual, while the cache coherency is maintained by
-hardware, software must explicitly use the "IBAR" instruction to ensure
-the instruction fetch unit (IFU) observes the effects of recent stores.
-
-The current arch_arm_kprobe() and arch_disarm_kprobe() only execute the
-"IBAR" barrier (via flush_insn_slot -> local_flush_icache_range) on the
-local CPU. This leaves a vulnerable window where remote CPU cores may
-continue executing stale instructions from their pipelines or prefetch
-buffers, as they have not executed an "IBAR" since the code modification.
-
-Switch to larch_insn_text_copy() to fix this:
-1. Synchronization: It uses stop_machine_cpuslocked() to synchronize all
- online CPUs, ensuring no CPU is executing the target code area during
- modification.
-2. Visibility: By passing cpu_online_mask to stop_machine_cpuslocked(),
- the callback text_copy_cb() is executed on all online cores. Each CPU
- core invokes local_flush_icache_range() to execute "IBAR", clearing
- instruction hazards system-wide and ensuring the "break" instruction
- is visible to the fetch units of all cores.
-3. Robustness: It properly manages memory write permissions (ROX/RW) for
- the kernel text segment during patching, ensuring compatibility with
- CONFIG_STRICT_KERNEL_RWX.
-
-Cc: # 6.18+
-Fixes: 6d4cc40fb5f5 ("LoongArch: Add kprobes support")
-Signed-off-by: Tiezhu Yang
-Signed-off-by: Huacai Chen
-Signed-off-by: Greg Kroah-Hartman
----
- arch/loongarch/kernel/kprobes.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/arch/loongarch/kernel/kprobes.c b/arch/loongarch/kernel/kprobes.c
-index 8ba391cfabb0..04b5b05715cd 100644
---- a/arch/loongarch/kernel/kprobes.c
-+++ b/arch/loongarch/kernel/kprobes.c
-@@ -60,16 +60,18 @@ NOKPROBE_SYMBOL(arch_prepare_kprobe);
- /* Install breakpoint in text */
- void arch_arm_kprobe(struct kprobe *p)
- {
-- *p->addr = KPROBE_BP_INSN;
-- flush_insn_slot(p);
-+ u32 insn = KPROBE_BP_INSN;
-+
-+ larch_insn_text_copy(p->addr, &insn, LOONGARCH_INSN_SIZE);
- }
- NOKPROBE_SYMBOL(arch_arm_kprobe);
-
- /* Remove breakpoint from text */
- void arch_disarm_kprobe(struct kprobe *p)
- {
-- *p->addr = p->opcode;
-- flush_insn_slot(p);
-+ u32 insn = p->opcode;
-+
-+ larch_insn_text_copy(p->addr, &insn, LOONGARCH_INSN_SIZE);
- }
- NOKPROBE_SYMBOL(arch_disarm_kprobe);
-
---
-2.54.0
-
diff --git a/queue-6.6/series b/queue-6.6/series
index 000ad6fcc7..81b6807ebf 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -65,7 +65,6 @@ scsi-isci-fix-use-after-free-in-device-removal-path.patch
 spi-sprd-fix-error-pointer-deref-after-dma-setup-failure.patch
 spi-ti-qspi-fix-use-after-free-after-dma-setup-failure.patch
 rdma-siw-reject-mpa-fpdu-length-underflow-before-signed-receive-math.patch
-loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
 loongarch-remove-unused-code-to-avoid-build-warning.patch
 device-property-set-fwnode-secondary-to-null-in-fwnode_init.patch
 drm-virtio-use-uninterruptible-resv-lock-for-plane-updates.patch
--
2.47.3