From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 22 Jul 2023 12:15:41 +0000 (+0200)
Subject: drop drm patch from 4.14
X-Git-Tag: v5.15.121~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=282ab3f386f2ea2eeb2470480735168265e6177b;p=thirdparty%2Fkernel%2Fstable-queue.git

drop drm patch from 4.14
---

diff --git a/queue-4.14/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch b/queue-4.14/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
deleted file mode 100644
index ea9567dfdb7..00000000000
--- a/queue-4.14/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
-From: Daniel Vetter <daniel.vetter@ffwll.ch>
-Date: Fri, 21 Jul 2023 15:58:38 +0200
-Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
-
-From: Daniel Vetter <daniel.vetter@ffwll.ch>
-
-commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
-
-This requires a bit of background.  Properly done a modeset driver's
-unload/remove sequence should be
-
-	drm_dev_unplug();
-	drm_atomic_helper_shutdown();
-	drm_dev_put();
-
-The trouble is that the drm_dev_unplugged() checks are by design racy,
-they do not synchronize against all outstanding ioctl.  This is because
-those ioctl could block forever (both for modeset and for driver
-specific ioctls), leading to deadlocks in hotunplug.  Instead the code
-sections that touch the hardware need to be annotated with
-drm_dev_enter/exit, to avoid accessing hardware resources after the
-unload/remove has finished.
-
-To avoid use-after-free issues all the involved userspace visible
-objects are supposed to hold a reference on the underlying drm_device,
-like drm_file does.
-
-The issue now is that we missed one, the atomic modeset ioctl can be run
-in a nonblocking fashion, and in that case it cannot rely on the implied
-drm_device reference provided by the ioctl calling context.  This can
-result in a use-after-free if an nonblocking atomic commit is carefully
-raced against a driver unload.
-
-Fix this by unconditionally grabbing a drm_device reference for any
-drm_atomic_state structures.  Strictly speaking this isn't required for
-blocking commits and TEST_ONLY calls, but it's the simpler approach.
-
-Thanks to shanzhulig for the initial idea of grabbing an unconditional
-reference, I just added comments, a condensed commit message and fixed a
-minor potential issue in where exactly we drop the final reference.
-
-Reported-by: shanzhulig <shanzhulig@gmail.com>
-Suggested-by: shanzhulig <shanzhulig@gmail.com>
-Reviewed-by: Maxime Ripard <mripard@kernel.org>
-Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
-Cc: Thomas Zimmermann <tzimmermann@suse.de>
-Cc: David Airlie <airlied@gmail.com>
-Cc: stable@kernel.org
-Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
-Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/drm_atomic.c |   11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/drm_atomic.c
-+++ b/drivers/gpu/drm/drm_atomic.c
-@@ -87,6 +87,12 @@ drm_atomic_state_init(struct drm_device
- 	if (!state->planes)
- 		goto fail;
- 
-+	/*
-+	 * Because drm_atomic_state can be committed asynchronously we need our
-+	 * own reference and cannot rely on the on implied by drm_file in the
-+	 * ioctl call.
-+	 */
-+	drm_dev_get(dev);
- 	state->dev = dev;
- 
- 	DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
-@@ -246,7 +252,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
- void __drm_atomic_state_free(struct kref *ref)
- {
- 	struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
--	struct drm_mode_config *config = &state->dev->mode_config;
-+	struct drm_device *dev = state->dev;
-+	struct drm_mode_config *config = &dev->mode_config;
- 
- 	drm_atomic_state_clear(state);
- 
-@@ -258,6 +265,8 @@ void __drm_atomic_state_free(struct kref
- 		drm_atomic_state_default_release(state);
- 		kfree(state);
- 	}
-+
-+	drm_dev_put(dev);
- }
- EXPORT_SYMBOL(__drm_atomic_state_free);
- 
diff --git a/queue-4.14/series b/queue-4.14/series
index 00294c5ffaa..9652e39578c 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -121,5 +121,4 @@ scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
 scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
 scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
 scsi-qla2xxx-pointer-may-be-dereferenced.patch
-drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
 serial-atmel-don-t-enable-irqs-prematurely.patch