From: Sasha Levin Date: Thu, 15 Aug 2024 12:20:07 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v4.19.320~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c6431deedff7f3a4b44854d7f583b32e0750a301;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin
---
diff --git a/queue-6.1/binfmt_flat-fix-corruption-when-not-offsetting-data-.patch b/queue-6.1/binfmt_flat-fix-corruption-when-not-offsetting-data-.patch
new file mode 100644
index 00000000000..cf61f4a25b9
--- /dev/null
+++ b/queue-6.1/binfmt_flat-fix-corruption-when-not-offsetting-data-.patch
@@ -0,0 +1,60 @@
+From 1e701790ab1ebf26d9cc8df8a547636836d4cee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Aug 2024 12:51:23 -0700
+Subject: binfmt_flat: Fix corruption when not offsetting data start
+
+From: Kees Cook
+
+[ Upstream commit 3eb3cd5992f7a0c37edc8d05b4c38c98758d8671 ]
+
+Commit 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
+introduced a RISC-V specific variant of the FLAT format which does
+not allocate any space for the (obsolete) array of shared library
+pointers. However, it did not disable the code which initializes the
+array, resulting in the corruption of sizeof(long) bytes before the DATA
+segment, generally the end of the TEXT segment.
+
+Introduce MAX_SHARED_LIBS_UPDATE which depends on the state of
+CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET to guard the initialization of
+the shared library pointer region so that it will only be initialized
+if space is reserved for it.
+
+Fixes: 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
+Co-developed-by: Stefan O'Rear
+Signed-off-by: Stefan O'Rear
+Reviewed-by: Damien Le Moal
+Acked-by: Greg Ungerer
+Link: https://lore.kernel.org/r/20240807195119.it.782-kees@kernel.org
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/binfmt_flat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
+index c26545d71d39a..cd6d5bbb4b9df 100644
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -72,8 +72,10 @@
+
+ #ifdef CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET
+ #define DATA_START_OFFSET_WORDS (0)
++#define MAX_SHARED_LIBS_UPDATE (0)
+ #else
+ #define DATA_START_OFFSET_WORDS (MAX_SHARED_LIBS)
++#define MAX_SHARED_LIBS_UPDATE (MAX_SHARED_LIBS)
+ #endif
+
+ struct lib_info {
+@@ -880,7 +882,7 @@ static int load_flat_binary(struct linux_binprm *bprm)
+ return res;
+
+ /* Update data segment pointers for all libraries */
+- for (i = 0; i < MAX_SHARED_LIBS; i++) {
++ for (i = 0; i < MAX_SHARED_LIBS_UPDATE; i++) {
+ if (!libinfo.lib_list[i].loaded)
+ continue;
+ for (j = 0; j < MAX_SHARED_LIBS; j++) {
+--
+2.43.0
+
diff --git a/queue-6.1/drm-i915-add-a-function-to-mmap-framebuffer-obj.patch b/queue-6.1/drm-i915-add-a-function-to-mmap-framebuffer-obj.patch
new file mode 100644
index 00000000000..cc76b9f8525
--- /dev/null
+++ b/queue-6.1/drm-i915-add-a-function-to-mmap-framebuffer-obj.patch
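Review bot: The new MAX_SHARED_LIBS_UPDATE has the same value as DATA_START_OFFSET_WORDS in both branches of the #ifdef, and nothing at the definition says the two must stay in step. Per the commit message, the loop in load_flat_binary initializes the pointer slots reserved ahead of DATA, so a later change to only one of the macros would bring back the write outside the reserved region that this patch removes. A comment on the definition would pin that down, for example `/* Slots the lib-pointer update loop may write; must never exceed DATA_START_OFFSET_WORDS. */`. load_flat_binary's body starts and ends outside the hunk, so the unchanged inner `j < MAX_SHARED_LIBS` loop cannot be judged from here.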
@@ -0,0 +1,212 @@
+From e4326f4ff3f7053c02b4100594472db7f7a2bd35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Apr 2023 16:30:58 +0200
+Subject: drm/i915: Add a function to mmap framebuffer obj
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das
+
+[ Upstream commit eaee1c08586395182e0004b3512a2f83570ea461 ]
+
+Implement i915_gem_fb_mmap() to enable fb_ops.fb_mmap()
+callback for i915's framebuffer objects.
+
+v2: add a comment why i915_gem_object_get() needed(Andi).
+v3: mmap also ttm objects.
+
+Cc: Matthew Auld
+Cc: Andi Shyti
+Cc: Ville Syrjälä
+Cc: Jani Nikula
+Cc: Imre Deak
+Signed-off-by: Nirmoy Das
+Reviewed-by: Andi Shyti
+Link: https://patchwork.freedesktop.org/patch/msgid/20230404143100.10452-3-nirmoy.das@intel.com
+Stable-dep-of: 1ac5167b3a90 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/gem/i915_gem_mman.c | 137 +++++++++++++++--------
+ drivers/gpu/drm/i915/gem/i915_gem_mman.h | 2 +-
+ 2 files changed, 93 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+index 1fd704d9cf9a9..180b66f6193cb 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+@@ -969,53 +969,15 @@ static struct file *mmap_singleton(struct drm_i915_private *i915)
+ return file;
+ }
+
+-/*
+- * This overcomes the limitation in drm_gem_mmap's assignment of a
+- * drm_gem_object as the vma->vm_private_data. Since we need to
+- * be able to resolve multiple mmap offsets which could be tied
+- * to a single gem object.
+- */
+-int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
++static int
++i915_gem_object_mmap(struct drm_i915_gem_object *obj,
++ struct i915_mmap_offset *mmo,
++ struct vm_area_struct *vma)
+ {
+- struct drm_vma_offset_node *node;
+- struct drm_file *priv = filp->private_data;
+- struct drm_device *dev = priv->minor->dev;
+- struct drm_i915_gem_object *obj = NULL;
+- struct i915_mmap_offset *mmo = NULL;
++ struct drm_i915_private *i915 = to_i915(obj->base.dev);
++ struct drm_device *dev = &i915->drm;
+ struct file *anon;
+
+- if (drm_dev_is_unplugged(dev))
+- return -ENODEV;
+-
+- rcu_read_lock();
+- drm_vma_offset_lock_lookup(dev->vma_offset_manager);
+- node = drm_vma_offset_exact_lookup_locked(dev->vma_offset_manager,
+- vma->vm_pgoff,
+- vma_pages(vma));
+- if (node && drm_vma_node_is_allowed(node, priv)) {
+- /*
+- * Skip 0-refcnted objects as it is in the process of being
+- * destroyed and will be invalid when the vma manager lock
+- * is released.
+- */
+- if (!node->driver_private) {
+- mmo = container_of(node, struct i915_mmap_offset, vma_node);
+- obj = i915_gem_object_get_rcu(mmo->obj);
+-
+- GEM_BUG_ON(obj && obj->ops->mmap_ops);
+- } else {
+- obj = i915_gem_object_get_rcu
+- (container_of(node, struct drm_i915_gem_object,
+- base.vma_node));
+-
+- GEM_BUG_ON(obj && !obj->ops->mmap_ops);
+- }
+- }
+- drm_vma_offset_unlock_lookup(dev->vma_offset_manager);
+- rcu_read_unlock();
+- if (!obj)
+- return node ? -EACCES : -EINVAL;
+-
+ if (i915_gem_object_is_readonly(obj)) {
+ if (vma->vm_flags & VM_WRITE) {
+ i915_gem_object_put(obj);
+@@ -1047,7 +1009,7 @@ int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
+ if (obj->ops->mmap_ops) {
+ vma->vm_page_prot = pgprot_decrypted(vm_get_page_prot(vma->vm_flags));
+ vma->vm_ops = obj->ops->mmap_ops;
+- vma->vm_private_data = node->driver_private;
++ vma->vm_private_data = obj->base.vma_node.driver_private;
+ return 0;
+ }
+
+@@ -1085,6 +1047,91 @@ int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
+ return 0;
+ }
+
++/*
++ * This overcomes the limitation in drm_gem_mmap's assignment of a
++ * drm_gem_object as the vma->vm_private_data. Since we need to
++ * be able to resolve multiple mmap offsets which could be tied
++ * to a single gem object.
++ */
++int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
++{
++ struct drm_vma_offset_node *node;
++ struct drm_file *priv = filp->private_data;
++ struct drm_device *dev = priv->minor->dev;
++ struct drm_i915_gem_object *obj = NULL;
++ struct i915_mmap_offset *mmo = NULL;
++
++ if (drm_dev_is_unplugged(dev))
++ return -ENODEV;
++
++ rcu_read_lock();
++ drm_vma_offset_lock_lookup(dev->vma_offset_manager);
++ node = drm_vma_offset_exact_lookup_locked(dev->vma_offset_manager,
++ vma->vm_pgoff,
++ vma_pages(vma));
++ if (node && drm_vma_node_is_allowed(node, priv)) {
++ /*
++ * Skip 0-refcnted objects as it is in the process of being
++ * destroyed and will be invalid when the vma manager lock
++ * is released.
++ */
++ if (!node->driver_private) {
++ mmo = container_of(node, struct i915_mmap_offset, vma_node);
++ obj = i915_gem_object_get_rcu(mmo->obj);
++
++ GEM_BUG_ON(obj && obj->ops->mmap_ops);
++ } else {
++ obj = i915_gem_object_get_rcu
++ (container_of(node, struct drm_i915_gem_object,
++ base.vma_node));
++
++ GEM_BUG_ON(obj && !obj->ops->mmap_ops);
++ }
++ }
++ drm_vma_offset_unlock_lookup(dev->vma_offset_manager);
++ rcu_read_unlock();
++ if (!obj)
++ return node ? -EACCES : -EINVAL;
++
++ return i915_gem_object_mmap(obj, mmo, vma);
++}
++
++int i915_gem_fb_mmap(struct drm_i915_gem_object *obj, struct vm_area_struct *vma)
++{
++ struct drm_i915_private *i915 = to_i915(obj->base.dev);
++ struct drm_device *dev = &i915->drm;
++ struct i915_mmap_offset *mmo = NULL;
++ enum i915_mmap_type mmap_type;
++ struct i915_ggtt *ggtt = to_gt(i915)->ggtt;
++
++ if (drm_dev_is_unplugged(dev))
++ return -ENODEV;
++
++ /* handle ttm object */
++ if (obj->ops->mmap_ops) {
++ /*
++ * ttm fault handler, ttm_bo_vm_fault_reserved() uses fake offset
++ * to calculate page offset so set that up.
++ */
++ vma->vm_pgoff += drm_vma_node_start(&obj->base.vma_node);
++ } else {
++ /* handle stolen and smem objects */
++ mmap_type = i915_ggtt_has_aperture(ggtt) ? I915_MMAP_TYPE_GTT : I915_MMAP_TYPE_WC;
++ mmo = mmap_offset_attach(obj, mmap_type, NULL);
++ if (!mmo)
++ return -ENODEV;
++ }
++
++ /*
++ * When we install vm_ops for mmap we are too late for
++ * the vm_ops->open() which increases the ref_count of
++ * this obj and then it gets decreased by the vm_ops->close().
++ * To balance this increase the obj ref_count here.
++ */
++ obj = i915_gem_object_get(obj);
++ return i915_gem_object_mmap(obj, mmo, vma);
++}
++
+ #if IS_ENABLED(CONFIG_DRM_I915_SELFTEST)
+ #include "selftests/i915_gem_mman.c"
+ #endif
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.h b/drivers/gpu/drm/i915/gem/i915_gem_mman.h
+index 1fa91b3033b35..196417fd0f5c4 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.h
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.h
+@@ -29,5 +29,5 @@ void i915_gem_object_release_mmap_gtt(struct drm_i915_gem_object *obj);
+
+ void i915_gem_object_runtime_pm_release_mmap_offset(struct drm_i915_gem_object *obj);
+ void i915_gem_object_release_mmap_offset(struct drm_i915_gem_object *obj);
+-
++int i915_gem_fb_mmap(struct drm_i915_gem_object *obj, struct vm_area_struct *vma);
+ #endif
+--
+2.43.0
+
diff --git a/queue-6.1/drm-i915-fix-a-null-vs-is_err-bug.patch b/queue-6.1/drm-i915-fix-a-null-vs-is_err-bug.patch
new file mode 100644
index 00000000000..16d3c6af5c5
--- /dev/null
+++ b/queue-6.1/drm-i915-fix-a-null-vs-is_err-bug.patch
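Review bot: i915_gem_fb_mmap() adds the node start to the caller-supplied `vma->vm_pgoff` in the ttm branch with no visible check that `vm_pgoff + vma_pages(vma)` stays inside the object, whereas i915_gem_mmap() reaches i915_gem_object_mmap() only after drm_vma_offset_exact_lookup_locked() has been handed both the offset and the page count. If neither the fbdev caller nor the fault handlers bound the range (none of them is shown on this page), a mapping that extends past the framebuffer object would be accepted here. A guard ahead of the branch, such as `if (vma->vm_pgoff + vma_pages(vma) > obj->base.size >> PAGE_SHIFT) return -EINVAL;`, would reject it up front. The same applies to the `vma->vm_pgoff += drm_vma_node_start(&mmo->vma_node);` line that the later gem-adjust-vma-offset patch adds to the else branch.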
@@ -0,0 +1,42 @@
+From e5b4665e0bdcdc0b79010bc0ff2b98155e44a811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 11:23:56 +0300
+Subject: drm/i915: Fix a NULL vs IS_ERR() bug
+
+From: Dan Carpenter
+
+[ Upstream commit 3a89311387cde27da8e290458b2d037133c1f7b5 ]
+
+The mmap_offset_attach() function returns error pointers, it doesn't
+return NULL.
+
+Fixes: eaee1c085863 ("drm/i915: Add a function to mmap framebuffer obj")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Nirmoy Das
+Reviewed-by: Andi Shyti
+Signed-off-by: Nirmoy Das
+Link: https://patchwork.freedesktop.org/patch/msgid/ZH7tHLRZ9oBjedjN@moroto
+Stable-dep-of: 1ac5167b3a90 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/gem/i915_gem_mman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+index 180b66f6193cb..4a291d29c5af5 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+@@ -1118,8 +1118,8 @@ int i915_gem_fb_mmap(struct drm_i915_gem_object *obj, struct vm_area_struct *vma
+ /* handle stolen and smem objects */
+ mmap_type = i915_ggtt_has_aperture(ggtt) ? I915_MMAP_TYPE_GTT : I915_MMAP_TYPE_WC;
+ mmo = mmap_offset_attach(obj, mmap_type, NULL);
+- if (!mmo)
+- return -ENODEV;
++ if (IS_ERR(mmo))
++ return PTR_ERR(mmo);
+ }
+
+ /*
+--
+2.43.0
+
diff --git a/queue-6.1/drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-.patch b/queue-6.1/drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-.patch
new file mode 100644
index 00000000000..d64a1d228aa
--- /dev/null
+++ b/queue-6.1/drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-.patch
@@ -0,0 +1,49 @@
+From 8e1fbf2c54fddaa7fa2961b397f1e82a8a925bdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Aug 2024 10:38:49 +0200
+Subject: drm/i915/gem: Adjust vma offset for framebuffer mmap offset
+
+From: Andi Shyti
+
+[ Upstream commit 1ac5167b3a90c9820daa64cc65e319b2d958d686 ]
+
+When mapping a framebuffer object, the virtual memory area (VMA)
+offset ('vm_pgoff') should be adjusted by the start of the
+'vma_node' associated with the object. This ensures that the VMA
+offset is correctly aligned with the corresponding offset within
+the GGTT aperture.
+
+Increment vm_pgoff by the start of the vma_node with the offset=
+provided by the user.
+
+Suggested-by: Chris Wilson
+Signed-off-by: Andi Shyti
+Reviewed-by: Jonathan Cavitt
+Reviewed-by: Rodrigo Vivi
+Cc: # v4.9+
+[Joonas: Add Cc: stable]
+Signed-off-by: Joonas Lahtinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20240802083850.103694-2-andi.shyti@linux.intel.com
+(cherry picked from commit 60a2066c50058086510c91f404eb582029650970)
+Signed-off-by: Joonas Lahtinen
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/gem/i915_gem_mman.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+index 4a291d29c5af5..7e9310d01dfdd 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+@@ -1120,6 +1120,8 @@ int i915_gem_fb_mmap(struct drm_i915_gem_object *obj, struct vm_area_struct *vma
+ mmo = mmap_offset_attach(obj, mmap_type, NULL);
+ if (IS_ERR(mmo))
+ return PTR_ERR(mmo);
++
++ vma->vm_pgoff += drm_vma_node_start(&mmo->vma_node);
+ }
+
+ /*
+--
+2.43.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 1d54c30dce2..e14e8ccf8d8 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
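Review bot: The added `vma->vm_pgoff += drm_vma_node_start(&mmo->vma_node);` carries no comment, while the matching line in the ttm branch (added by the first i915 patch on this page) explains that its fault handler works from the fake offset. The else branch deserves the same, for example `/* fault handlers take the object page offset from vm_pgoff relative to the mmo's fake offset */`. That wording should be checked against the GTT/WC fault handlers, which are not shown here. i915_gem_fb_mmap's body starts and ends outside the hunk.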
@@ -29,3 +29,7 @@ nvme-pci-add-apst-quirk-for-lenovo-n60z-laptop.patch
 mptcp-fully-established-after-add_addr-echo-on-mpj.patch
 drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch
 cgroup-make-operations-on-the-cgroup-root_list-rcu-safe.patch
+drm-i915-add-a-function-to-mmap-framebuffer-obj.patch
+drm-i915-fix-a-null-vs-is_err-bug.patch
+drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-.patch
+binfmt_flat-fix-corruption-when-not-offsetting-data-.patch