4.19-stable patches

added patches:
	drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch

diff --git a/queue-4.19/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch b/queue-4.19/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch
new file mode 100644 (file)
index 0000000..69d8b64
--- /dev/null
+++ b/queue-4.19/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch
@@ -0,0 +1,116 @@
+From 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 Mon Sep 17 00:00:00 2001
+From: Andi Shyti <andi.shyti@linux.intel.com>
+Date: Fri, 2 Aug 2024 10:38:50 +0200
+Subject: drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
+
+From: Andi Shyti <andi.shyti@linux.intel.com>
+
+commit 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 upstream.
+
+Calculating the size of the mapped area as the lesser value
+between the requested size and the actual size does not consider
+the partial mapping offset. This can cause page fault access.
+
+Fix the calculation of the starting and ending addresses, the
+total size is now deduced from the difference between the end and
+start addresses.
+
+Additionally, the calculations have been rewritten in a clearer
+and more understandable form.
+
+Fixes: c58305af1835 ("drm/i915: Use remap_io_mapping() to prefault all PTE in a single pass")
+Reported-by: Jann Horn <jannh@google.com>
+Co-developed-by: Chris Wilson <chris.p.wilson@linux.intel.com>
+Signed-off-by: Chris Wilson <chris.p.wilson@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: <stable@vger.kernel.org> # v4.9+
+Reviewed-by: Jann Horn <jannh@google.com>
+Reviewed-by: Jonathan Cavitt <Jonathan.cavitt@intel.com>
+[Joonas: Add Requires: tag]
+Requires: 60a2066c5005 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset")
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240802083850.103694-3-andi.shyti@linux.intel.com
+(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_gem.c |   48 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 43 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -2009,6 +2009,40 @@ compute_partial_view(struct drm_i915_gem
+       return view;
+ }
+ 
++static void set_address_limits(struct vm_area_struct *area,
++                              struct i915_vma *vma,
++                              unsigned long *start_vaddr,
++                              unsigned long *end_vaddr)
++{
++      unsigned long vm_start, vm_end, vma_size; /* user's memory parameters */
++      long start, end; /* memory boundaries */
++
++      /*
++       * Let's move into the ">> PAGE_SHIFT"
++       * domain to be sure not to lose bits
++       */
++      vm_start = area->vm_start >> PAGE_SHIFT;
++      vm_end = area->vm_end >> PAGE_SHIFT;
++      vma_size = vma->size >> PAGE_SHIFT;
++
++      /*
++       * Calculate the memory boundaries by considering the offset
++       * provided by the user during memory mapping and the offset
++       * provided for the partial mapping.
++       */
++      start = vm_start;
++      start -= obj_offset;
++      start += vma->ggtt_view.partial.offset;
++      end = start + vma_size;
++
++      start = max_t(long, start, vm_start);
++      end = min_t(long, end, vm_end);
++
++      /* Let's move back into the "<< PAGE_SHIFT" domain */
++      *start_vaddr = (unsigned long)start << PAGE_SHIFT;
++      *end_vaddr = (unsigned long)end << PAGE_SHIFT;
++}
++
+ /**
+  * i915_gem_fault - fault a page into the GTT
+  * @vmf: fault info
+@@ -2036,8 +2070,10 @@ vm_fault_t i915_gem_fault(struct vm_faul
+       struct drm_i915_private *dev_priv = to_i915(dev);
+       struct i915_ggtt *ggtt = &dev_priv->ggtt;
+       bool write = !!(vmf->flags & FAULT_FLAG_WRITE);
++      unsigned long start, end; /* memory boundaries */
+       struct i915_vma *vma;
+       pgoff_t page_offset;
++      unsigned long pfn;
+       int ret;
+ 
+       /* Sanity check that we allow writing into this object */
+@@ -2119,12 +2155,14 @@ vm_fault_t i915_gem_fault(struct vm_faul
+       if (ret)
+               goto err_unpin;
+ 
++      set_address_limits(area, vma, &start, &end);
++
++      pfn = (ggtt->gmadr.start + i915_ggtt_offset(vma)) >> PAGE_SHIFT;
++      pfn += (start - area->vm_start) >> PAGE_SHIFT;
++      pfn -= vma->ggtt_view.partial.offset;
++
+       /* Finally, remap it using the new GTT offset */
+-      ret = remap_io_mapping(area,
+-                             area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT),
+-                             (ggtt->gmadr.start + vma->node.start) >> PAGE_SHIFT,
+-                             min_t(u64, vma->size, area->vm_end - area->vm_start),
+-                             &ggtt->iomap);
++      ret = remap_io_mapping(area, start, pfn, end - start, &ggtt->iomap);
+       if (ret)
+               goto err_fence;
+ 

diff --git a/queue-4.19/series b/queue-4.19/series
index 14f2667da3ba0dbe626354dffecbf88e24d57b4d..7b659a4ee65aa6f030d9ac4bcb67dabce65c25a3 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -189,3 +189,4 @@ kbuild-fix-s-c-in-x86-stack-protector-scripts.patch
 netfilter-nf_tables-set-element-extended-ack-reporting-support.patch
 netfilter-nf_tables-use-timestamp-to-check-for-set-element-timeout.patch
 netfilter-nf_tables-prefer-nft_chain_validate.patch
+drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch