--- /dev/null
+From 1e701790ab1ebf26d9cc8df8a547636836d4cee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 12:51:23 -0700
+Subject: binfmt_flat: Fix corruption when not offsetting data start
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 3eb3cd5992f7a0c37edc8d05b4c38c98758d8671 ]
+
+Commit 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
+introduced a RISC-V specific variant of the FLAT format which does
+not allocate any space for the (obsolete) array of shared library
+pointers. However, it did not disable the code which initializes the
+array, resulting in the corruption of sizeof(long) bytes before the DATA
+segment, generally the end of the TEXT segment.
+
+Introduce MAX_SHARED_LIBS_UPDATE which depends on the state of
+CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET to guard the initialization of
+the shared library pointer region so that it will only be initialized
+if space is reserved for it.
+
+Fixes: 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
+Co-developed-by: Stefan O'Rear <sorear@fastmail.com>
+Signed-off-by: Stefan O'Rear <sorear@fastmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Acked-by: Greg Ungerer <gerg@linux-m68k.org>
+Link: https://lore.kernel.org/r/20240807195119.it.782-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_flat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
+index c26545d71d39a..cd6d5bbb4b9df 100644
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -72,8 +72,10 @@
+
+ #ifdef CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET
+ #define DATA_START_OFFSET_WORDS (0)
++#define MAX_SHARED_LIBS_UPDATE (0)
+ #else
+ #define DATA_START_OFFSET_WORDS (MAX_SHARED_LIBS)
++#define MAX_SHARED_LIBS_UPDATE (MAX_SHARED_LIBS)
+ #endif
+
+ struct lib_info {
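Review bot: Nothing ties MAX_SHARED_LIBS_UPDATE to DATA_START_OFFSET_WORDS apart from sitting in the same #ifdef arms, and that pairing is what keeps the loader from writing library pointers into space that was never reserved. A later edit to one macro and not the other would bring back the write before the DATA segment that the commit message describes. I would add a comment above the pair, for example `/* MAX_SHARED_LIBS_UPDATE must never exceed DATA_START_OFFSET_WORDS: the pointer array lives in those reserved words */`. I would also back it with `BUILD_BUG_ON(MAX_SHARED_LIBS_UPDATE > DATA_START_OFFSET_WORDS);` in load_flat_binary().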
+@@ -880,7 +882,7 @@ static int load_flat_binary(struct linux_binprm *bprm)
+ return res;
+
+ /* Update data segment pointers for all libraries */
+- for (i = 0; i < MAX_SHARED_LIBS; i++) {
++ for (i = 0; i < MAX_SHARED_LIBS_UPDATE; i++) {
+ if (!libinfo.lib_list[i].loaded)
+ continue;
+ for (j = 0; j < MAX_SHARED_LIBS; j++) {
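Review bot: The comment above the loop still says the pointers are updated "for all libraries", but with CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET the outer bound is now 0 and the whole update is skipped. The inner loop keeps MAX_SHARED_LIBS as its bound, so a reader sees two different limits with no explanation. I would reword the comment to something like `/* Update data segment pointers for all libraries; skipped entirely when no pointer array is reserved before DATA */`. The loop body continues outside this hunk, so the stores themselves are not visible here.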
+--
+2.43.0
+
--- /dev/null
+From e4326f4ff3f7053c02b4100594472db7f7a2bd35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Apr 2023 16:30:58 +0200
+Subject: drm/i915: Add a function to mmap framebuffer obj
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@intel.com>
+
+[ Upstream commit eaee1c08586395182e0004b3512a2f83570ea461 ]
+
+Implement i915_gem_fb_mmap() to enable fb_ops.fb_mmap()
+callback for i915's framebuffer objects.
+
+v2: add a comment why i915_gem_object_get() needed(Andi).
+v3: mmap also ttm objects.
+
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Nirmoy Das <nirmoy.das@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230404143100.10452-3-nirmoy.das@intel.com
+Stable-dep-of: 1ac5167b3a90 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_mman.c | 137 +++++++++++++++--------
+ drivers/gpu/drm/i915/gem/i915_gem_mman.h | 2 +-
+ 2 files changed, 93 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+index 1fd704d9cf9a9..180b66f6193cb 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+@@ -969,53 +969,15 @@ static struct file *mmap_singleton(struct drm_i915_private *i915)
+ return file;
+ }
+
+-/*
+- * This overcomes the limitation in drm_gem_mmap's assignment of a
+- * drm_gem_object as the vma->vm_private_data. Since we need to
+- * be able to resolve multiple mmap offsets which could be tied
+- * to a single gem object.
+- */
+-int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
++static int
++i915_gem_object_mmap(struct drm_i915_gem_object *obj,
++ struct i915_mmap_offset *mmo,
++ struct vm_area_struct *vma)
+ {
+- struct drm_vma_offset_node *node;
+- struct drm_file *priv = filp->private_data;
+- struct drm_device *dev = priv->minor->dev;
+- struct drm_i915_gem_object *obj = NULL;
+- struct i915_mmap_offset *mmo = NULL;
++ struct drm_i915_private *i915 = to_i915(obj->base.dev);
++ struct drm_device *dev = &i915->drm;
+ struct file *anon;
+
+- if (drm_dev_is_unplugged(dev))
+- return -ENODEV;
+-
+- rcu_read_lock();
+- drm_vma_offset_lock_lookup(dev->vma_offset_manager);
+- node = drm_vma_offset_exact_lookup_locked(dev->vma_offset_manager,
+- vma->vm_pgoff,
+- vma_pages(vma));
+- if (node && drm_vma_node_is_allowed(node, priv)) {
+- /*
+- * Skip 0-refcnted objects as it is in the process of being
+- * destroyed and will be invalid when the vma manager lock
+- * is released.
+- */
+- if (!node->driver_private) {
+- mmo = container_of(node, struct i915_mmap_offset, vma_node);
+- obj = i915_gem_object_get_rcu(mmo->obj);
+-
+- GEM_BUG_ON(obj && obj->ops->mmap_ops);
+- } else {
+- obj = i915_gem_object_get_rcu
+- (container_of(node, struct drm_i915_gem_object,
+- base.vma_node));
+-
+- GEM_BUG_ON(obj && !obj->ops->mmap_ops);
+- }
+- }
+- drm_vma_offset_unlock_lookup(dev->vma_offset_manager);
+- rcu_read_unlock();
+- if (!obj)
+- return node ? -EACCES : -EINVAL;
+-
+ if (i915_gem_object_is_readonly(obj)) {
+ if (vma->vm_flags & VM_WRITE) {
+ i915_gem_object_put(obj);
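Review bot: The new static helper i915_gem_object_mmap() has no comment saying that it takes over the caller's reference on obj, yet the read-only/VM_WRITE path at the end of this hunk already drops it with i915_gem_object_put(obj) before failing. Both callers added later in the patch rely on that contract, and a third caller that also puts the object on error would double-drop the reference. I would document it above the helper, e.g. `/* Consumes the caller's reference on @obj; it is dropped on the error paths. @mmo may be NULL when obj->ops->mmap_ops is set. */`. The rest of the body lies outside the hunk, so please confirm that every error path follows the same rule.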
+@@ -1047,7 +1009,7 @@ int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
+ if (obj->ops->mmap_ops) {
+ vma->vm_page_prot = pgprot_decrypted(vm_get_page_prot(vma->vm_flags));
+ vma->vm_ops = obj->ops->mmap_ops;
+- vma->vm_private_data = node->driver_private;
++ vma->vm_private_data = obj->base.vma_node.driver_private;
+ return 0;
+ }
+
+@@ -1085,6 +1047,91 @@ int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
+ return 0;
+ }
+
++/*
++ * This overcomes the limitation in drm_gem_mmap's assignment of a
++ * drm_gem_object as the vma->vm_private_data. Since we need to
++ * be able to resolve multiple mmap offsets which could be tied
++ * to a single gem object.
++ */
++int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
++{
++ struct drm_vma_offset_node *node;
++ struct drm_file *priv = filp->private_data;
++ struct drm_device *dev = priv->minor->dev;
++ struct drm_i915_gem_object *obj = NULL;
++ struct i915_mmap_offset *mmo = NULL;
++
++ if (drm_dev_is_unplugged(dev))
++ return -ENODEV;
++
++ rcu_read_lock();
++ drm_vma_offset_lock_lookup(dev->vma_offset_manager);
++ node = drm_vma_offset_exact_lookup_locked(dev->vma_offset_manager,
++ vma->vm_pgoff,
++ vma_pages(vma));
++ if (node && drm_vma_node_is_allowed(node, priv)) {
++ /*
++ * Skip 0-refcnted objects as it is in the process of being
++ * destroyed and will be invalid when the vma manager lock
++ * is released.
++ */
++ if (!node->driver_private) {
++ mmo = container_of(node, struct i915_mmap_offset, vma_node);
++ obj = i915_gem_object_get_rcu(mmo->obj);
++
++ GEM_BUG_ON(obj && obj->ops->mmap_ops);
++ } else {
++ obj = i915_gem_object_get_rcu
++ (container_of(node, struct drm_i915_gem_object,
++ base.vma_node));
++
++ GEM_BUG_ON(obj && !obj->ops->mmap_ops);
++ }
++ }
++ drm_vma_offset_unlock_lookup(dev->vma_offset_manager);
++ rcu_read_unlock();
++ if (!obj)
++ return node ? -EACCES : -EINVAL;
++
++ return i915_gem_object_mmap(obj, mmo, vma);
++}
++
++int i915_gem_fb_mmap(struct drm_i915_gem_object *obj, struct vm_area_struct *vma)
++{
++ struct drm_i915_private *i915 = to_i915(obj->base.dev);
++ struct drm_device *dev = &i915->drm;
++ struct i915_mmap_offset *mmo = NULL;
++ enum i915_mmap_type mmap_type;
++ struct i915_ggtt *ggtt = to_gt(i915)->ggtt;
++
++ if (drm_dev_is_unplugged(dev))
++ return -ENODEV;
++
++ /* handle ttm object */
++ if (obj->ops->mmap_ops) {
++ /*
++ * ttm fault handler, ttm_bo_vm_fault_reserved() uses fake offset
++ * to calculate page offset so set that up.
++ */
++ vma->vm_pgoff += drm_vma_node_start(&obj->base.vma_node);
++ } else {
++ /* handle stolen and smem objects */
++ mmap_type = i915_ggtt_has_aperture(ggtt) ? I915_MMAP_TYPE_GTT : I915_MMAP_TYPE_WC;
++ mmo = mmap_offset_attach(obj, mmap_type, NULL);
++ if (!mmo)
++ return -ENODEV;
++ }
++
++ /*
++ * When we install vm_ops for mmap we are too late for
++ * the vm_ops->open() which increases the ref_count of
++ * this obj and then it gets decreased by the vm_ops->close().
++ * To balance this increase the obj ref_count here.
++ */
++ obj = i915_gem_object_get(obj);
++ return i915_gem_object_mmap(obj, mmo, vma);
++}
++
+ #if IS_ENABLED(CONFIG_DRM_I915_SELFTEST)
+ #include "selftests/i915_gem_mman.c"
+ #endif
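Review bot: In i915_gem_fb_mmap() the check `if (!mmo) return -ENODEV;` after mmap_offset_attach() does not catch failures if that function reports them as error pointers, as the follow-up patch on this page states. An ERR_PTR value would then be passed on to i915_gem_object_mmap() as if it were a valid mmo. The check should read `if (IS_ERR(mmo))` followed by `return PTR_ERR(mmo);`, so this backport should not be applied without the follow-up that makes that change. Separately, the ttm branch adds the node start to the caller-supplied vma->vm_pgoff with no range check visible here; please confirm that the fault path bounds the resulting offset plus vma_pages(vma) against the object size.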
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.h b/drivers/gpu/drm/i915/gem/i915_gem_mman.h
+index 1fa91b3033b35..196417fd0f5c4 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.h
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.h
+@@ -29,5 +29,5 @@ void i915_gem_object_release_mmap_gtt(struct drm_i915_gem_object *obj);
+
+ void i915_gem_object_runtime_pm_release_mmap_offset(struct drm_i915_gem_object *obj);
+ void i915_gem_object_release_mmap_offset(struct drm_i915_gem_object *obj);
+-
++int i915_gem_fb_mmap(struct drm_i915_gem_object *obj, struct vm_area_struct *vma);
+ #endif
+--
+2.43.0
+
--- /dev/null
+From e5b4665e0bdcdc0b79010bc0ff2b98155e44a811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jun 2023 11:23:56 +0300
+Subject: drm/i915: Fix a NULL vs IS_ERR() bug
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 3a89311387cde27da8e290458b2d037133c1f7b5 ]
+
+The mmap_offset_attach() function returns error pointers, it doesn't
+return NULL.
+
+Fixes: eaee1c085863 ("drm/i915: Add a function to mmap framebuffer obj")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Nirmoy Das <nirmoy.das@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/ZH7tHLRZ9oBjedjN@moroto
+Stable-dep-of: 1ac5167b3a90 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_mman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+index 180b66f6193cb..4a291d29c5af5 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+@@ -1118,8 +1118,8 @@ int i915_gem_fb_mmap(struct drm_i915_gem_object *obj, struct vm_area_struct *vma
+ /* handle stolen and smem objects */
+ mmap_type = i915_ggtt_has_aperture(ggtt) ? I915_MMAP_TYPE_GTT : I915_MMAP_TYPE_WC;
+ mmo = mmap_offset_attach(obj, mmap_type, NULL);
+- if (!mmo)
+- return -ENODEV;
++ if (IS_ERR(mmo))
++ return PTR_ERR(mmo);
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 8e1fbf2c54fddaa7fa2961b397f1e82a8a925bdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 10:38:49 +0200
+Subject: drm/i915/gem: Adjust vma offset for framebuffer mmap offset
+
+From: Andi Shyti <andi.shyti@linux.intel.com>
+
+[ Upstream commit 1ac5167b3a90c9820daa64cc65e319b2d958d686 ]
+
+When mapping a framebuffer object, the virtual memory area (VMA)
+offset ('vm_pgoff') should be adjusted by the start of the
+'vma_node' associated with the object. This ensures that the VMA
+offset is correctly aligned with the corresponding offset within
+the GGTT aperture.
+
+Increment vm_pgoff by the start of the vma_node with the offset=
+provided by the user.
+
+Suggested-by: Chris Wilson <chris.p.wilson@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: <stable@vger.kernel.org> # v4.9+
+[Joonas: Add Cc: stable]
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240802083850.103694-2-andi.shyti@linux.intel.com
+(cherry picked from commit 60a2066c50058086510c91f404eb582029650970)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_mman.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+index 4a291d29c5af5..7e9310d01dfdd 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+@@ -1120,6 +1120,8 @@ int i915_gem_fb_mmap(struct drm_i915_gem_object *obj, struct vm_area_struct *vma
+ mmo = mmap_offset_attach(obj, mmap_type, NULL);
+ if (IS_ERR(mmo))
+ return PTR_ERR(mmo);
++
++ vma->vm_pgoff += drm_vma_node_start(&mmo->vma_node);
+ }
+
+ /*
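Review bot: The added `vma->vm_pgoff += drm_vma_node_start(&mmo->vma_node);` has no comment, although the matching line in the ttm branch explains why the fake offset is folded in. A short note would help, such as `/* fold the mmap offset node start into the user-supplied page offset, as the ttm branch does */`. The value being adjusted is the offset provided by the user, and nothing in this hunk checks that it plus vma_pages(vma) stays within the object. It is worth confirming that the caller or the fault handlers reject a mapping that reaches past obj->base.size, since after this change vm_pgoff no longer starts from zero. i915_gem_fb_mmap() begins and ends outside the hunk.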
+--
+2.43.0
+