From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 13 Aug 2024 15:28:01 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v6.1.105~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a96149686c189ca692c36301da29e9a29f941736;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch
---

diff --git a/queue-4.19/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch b/queue-4.19/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch
new file mode 100644
index 00000000000..69d8b64e2d6
--- /dev/null
+++ b/queue-4.19/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch
@@ -0,0 +1,116 @@
+From 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 Mon Sep 17 00:00:00 2001
+From: Andi Shyti <andi.shyti@linux.intel.com>
+Date: Fri, 2 Aug 2024 10:38:50 +0200
+Subject: drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
+
+From: Andi Shyti <andi.shyti@linux.intel.com>
+
+commit 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 upstream.
+
+Calculating the size of the mapped area as the lesser value
+between the requested size and the actual size does not consider
+the partial mapping offset. This can cause page fault access.
+
+Fix the calculation of the starting and ending addresses, the
+total size is now deduced from the difference between the end and
+start addresses.
+
+Additionally, the calculations have been rewritten in a clearer
+and more understandable form.
+
+Fixes: c58305af1835 ("drm/i915: Use remap_io_mapping() to prefault all PTE in a single pass")
+Reported-by: Jann Horn <jannh@google.com>
+Co-developed-by: Chris Wilson <chris.p.wilson@linux.intel.com>
+Signed-off-by: Chris Wilson <chris.p.wilson@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: <stable@vger.kernel.org> # v4.9+
+Reviewed-by: Jann Horn <jannh@google.com>
+Reviewed-by: Jonathan Cavitt <Jonathan.cavitt@intel.com>
+[Joonas: Add Requires: tag]
+Requires: 60a2066c5005 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset")
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240802083850.103694-3-andi.shyti@linux.intel.com
+(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_gem.c |   48 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 43 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -2009,6 +2009,40 @@ compute_partial_view(struct drm_i915_gem
+ 	return view;
+ }
+ 
++static void set_address_limits(struct vm_area_struct *area,
++                              struct i915_vma *vma,
++                              unsigned long *start_vaddr,
++                              unsigned long *end_vaddr)
++{
++	unsigned long vm_start, vm_end, vma_size; /* user's memory parameters */
++	long start, end; /* memory boundaries */
++
++	/*
++	 * Let's move into the ">> PAGE_SHIFT"
++	 * domain to be sure not to lose bits
++	 */
++	vm_start = area->vm_start >> PAGE_SHIFT;
++	vm_end = area->vm_end >> PAGE_SHIFT;
++	vma_size = vma->size >> PAGE_SHIFT;
++
++	/*
++	 * Calculate the memory boundaries by considering the offset
++	 * provided by the user during memory mapping and the offset
++	 * provided for the partial mapping.
++	 */
++	start = vm_start;
++	start -= obj_offset;
++	start += vma->ggtt_view.partial.offset;
++	end = start + vma_size;
++
++	start = max_t(long, start, vm_start);
++	end = min_t(long, end, vm_end);
++
++	/* Let's move back into the "<< PAGE_SHIFT" domain */
++	*start_vaddr = (unsigned long)start << PAGE_SHIFT;
++	*end_vaddr = (unsigned long)end << PAGE_SHIFT;
++}
++
+ /**
+  * i915_gem_fault - fault a page into the GTT
+  * @vmf: fault info
+@@ -2036,8 +2070,10 @@ vm_fault_t i915_gem_fault(struct vm_faul
+ 	struct drm_i915_private *dev_priv = to_i915(dev);
+ 	struct i915_ggtt *ggtt = &dev_priv->ggtt;
+ 	bool write = !!(vmf->flags & FAULT_FLAG_WRITE);
++	unsigned long start, end; /* memory boundaries */
+ 	struct i915_vma *vma;
+ 	pgoff_t page_offset;
++	unsigned long pfn;
+ 	int ret;
+ 
+ 	/* Sanity check that we allow writing into this object */
+@@ -2119,12 +2155,14 @@ vm_fault_t i915_gem_fault(struct vm_faul
+ 	if (ret)
+ 		goto err_unpin;
+ 
++	set_address_limits(area, vma, &start, &end);
++
++	pfn = (ggtt->gmadr.start + i915_ggtt_offset(vma)) >> PAGE_SHIFT;
++	pfn += (start - area->vm_start) >> PAGE_SHIFT;
++	pfn -= vma->ggtt_view.partial.offset;
++
+ 	/* Finally, remap it using the new GTT offset */
+-	ret = remap_io_mapping(area,
+-			       area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT),
+-			       (ggtt->gmadr.start + vma->node.start) >> PAGE_SHIFT,
+-			       min_t(u64, vma->size, area->vm_end - area->vm_start),
+-			       &ggtt->iomap);
++	ret = remap_io_mapping(area, start, pfn, end - start, &ggtt->iomap);
+ 	if (ret)
+ 		goto err_fence;
+ 
diff --git a/queue-4.19/series b/queue-4.19/series
index 14f2667da3b..7b659a4ee65 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -189,3 +189,4 @@ kbuild-fix-s-c-in-x86-stack-protector-scripts.patch
 netfilter-nf_tables-set-element-extended-ack-reporting-support.patch
 netfilter-nf_tables-use-timestamp-to-check-for-set-element-timeout.patch
 netfilter-nf_tables-prefer-nft_chain_validate.patch
+drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch