+++ /dev/null
-From 9af1b6e175c82daf4b423da339a722d8e67a735a Mon Sep 17 00:00:00 2001
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-Date: Tue, 19 May 2026 13:52:47 +0530
-Subject: drm/virtio: use uninterruptible resv lock for plane updates
-
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-
-commit 9af1b6e175c82daf4b423da339a722d8e67a735a upstream.
-
-virtio_gpu_cursor_plane_update() and virtio_gpu_resource_flush() lock
-the framebuffer BO's dma_resv via virtio_gpu_array_lock_resv() and
-ignore its return value. The function can fail with -EINTR from
-dma_resv_lock_interruptible() (signal during lock wait) or with
--ENOMEM from dma_resv_reserve_fences() (fence slot allocation),
-leaving the resv lock not held. The queue path then walks the object
-array and calls dma_resv_add_fence(), which requires the lock held;
-with lockdep enabled this trips dma_resv_assert_held():
-
- WARNING: drivers/dma-buf/dma-resv.c:296 at dma_resv_add_fence+0x71e/0x840
- Call Trace:
- virtio_gpu_array_add_fence
- virtio_gpu_queue_ctrl_sgs
- virtio_gpu_queue_fenced_ctrl_buffer
- virtio_gpu_cursor_plane_update
- drm_atomic_helper_commit_planes
- drm_atomic_helper_commit_tail
- commit_tail
- drm_atomic_helper_commit
- drm_atomic_commit
- drm_atomic_helper_update_plane
- __setplane_atomic
- drm_mode_cursor_universal
- drm_mode_cursor_common
- drm_mode_cursor_ioctl
- drm_ioctl
- __x64_sys_ioctl
-
-Beyond the WARN, mutating the dma_resv fence list without the lock
-races with concurrent readers/writers and can corrupt the list.
-
-Both call sites run inside the .atomic_update plane callback, which
-DRM atomic helpers do not allow to fail (by the time it runs, the
-commit has been signed off to userspace and there is no clean
-rollback path). Moving the lock acquisition to .prepare_fb was
-rejected because the broader lock scope deadlocks against other BO
-locking paths in the same atomic commit.
-
-Introduce virtio_gpu_lock_one_resv_uninterruptible() that uses
-dma_resv_lock() instead of dma_resv_lock_interruptible(). This
-eliminates the -EINTR failure mode -- the realistic syzbot trigger
--- without extending the lock hold across the commit. The helper
-locks a single BO and rejects nents > 1 with -EINVAL; both fix
-sites lock exactly one BO.
-
-Use it from virtio_gpu_cursor_plane_update() and
-virtio_gpu_resource_flush(); check the return value to handle the
-remaining -ENOMEM case from dma_resv_reserve_fences() by freeing
-the objs and skipping the plane update for that frame. The
-framebuffer BOs touched here are not shared with other contexts
-and lock contention is expected to be brief, so the loss of
-signal-interruptibility is acceptable.
-
-Other callers of virtio_gpu_array_lock_resv() (the ioctl paths)
-continue to use the interruptible variant.
-
-The bug was reported by syzbot, triggered via fault injection
-(fail_nth) on the DRM_IOCTL_MODE_CURSOR path, which forces the
--ENOMEM branch in dma_resv_reserve_fences().
-
-Reported-by: syzbot+72bd3dd3a5d5f39a0271@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
-Fixes: 5cfd31c5b3a3 ("drm/virtio: fix virtio_gpu_cursor_plane_update().")
-Cc: stable@vger.kernel.org
-Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
-Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
-Link: https://patch.msgid.link/20260519082247.34470-1-kartikey406@gmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/virtio/virtgpu_drv.h | 1 +
- drivers/gpu/drm/virtio/virtgpu_gem.c | 17 +++++++++++++++++
- drivers/gpu/drm/virtio/virtgpu_plane.c | 10 ++++++++--
- 3 files changed, 26 insertions(+), 2 deletions(-)
-
---- a/drivers/gpu/drm/virtio/virtgpu_drv.h
-+++ b/drivers/gpu/drm/virtio/virtgpu_drv.h
-@@ -288,6 +288,7 @@ virtio_gpu_array_from_handles(struct drm
- void virtio_gpu_array_add_obj(struct virtio_gpu_object_array *objs,
- struct drm_gem_object *obj);
- int virtio_gpu_array_lock_resv(struct virtio_gpu_object_array *objs);
-+int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs);
- void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs);
- void virtio_gpu_array_add_fence(struct virtio_gpu_object_array *objs,
- struct dma_fence *fence);
---- a/drivers/gpu/drm/virtio/virtgpu_gem.c
-+++ b/drivers/gpu/drm/virtio/virtgpu_gem.c
-@@ -225,6 +225,23 @@ int virtio_gpu_array_lock_resv(struct vi
- return ret;
- }
-
-+int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs)
-+{
-+ int ret;
-+
-+ if (objs->nents != 1)
-+ return -EINVAL;
-+
-+ dma_resv_lock(objs->objs[0]->resv, NULL);
-+
-+ ret = dma_resv_reserve_fences(objs->objs[0]->resv, 1);
-+ if (ret) {
-+ virtio_gpu_array_unlock_resv(objs);
-+ return ret;
-+ }
-+ return 0;
-+}
-+
- void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs)
- {
- if (objs->nents == 1) {
---- a/drivers/gpu/drm/virtio/virtgpu_plane.c
-+++ b/drivers/gpu/drm/virtio/virtgpu_plane.c
-@@ -147,7 +147,10 @@ static void virtio_gpu_resource_flush(st
- if (!objs)
- return;
- virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
-- virtio_gpu_array_lock_resv(objs);
-+ if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
-+ virtio_gpu_array_put_free(objs);
-+ return;
-+ }
- virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y,
- width, height, objs, vgfb->fence);
- virtio_gpu_notify(vgdev);
-@@ -314,7 +317,10 @@ static void virtio_gpu_cursor_plane_upda
- if (!objs)
- return;
- virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
-- virtio_gpu_array_lock_resv(objs);
-+ if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
-+ virtio_gpu_array_put_free(objs);
-+ return;
-+ }
- virtio_gpu_cmd_transfer_to_host_2d
- (vgdev, 0,
- plane->state->crtc_w,
spi-ti-qspi-fix-use-after-free-after-dma-setup-failure.patch
rdma-siw-reject-mpa-fpdu-length-underflow-before-signed-receive-math.patch
device-property-set-fwnode-secondary-to-null-in-fwnode_init.patch
-drm-virtio-use-uninterruptible-resv-lock-for-plane-updates.patch
drm-bridge-it66121-acquire-reset-gpio-in-probe.patch
drm-bridge-megachips-remove-bridge-when-irq-request-fails.patch
drm-amd-display-fix-integer-overflow-in-bios_get_image.patch
+++ /dev/null
-From e3ef9a28f558d1cbf0b42d6dcd16c60da557562b Mon Sep 17 00:00:00 2001
-From: Tiezhu Yang <yangtiezhu@loongson.cn>
-Date: Fri, 22 May 2026 15:05:07 +0800
-Subject: LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions
-
-From: Tiezhu Yang <yangtiezhu@loongson.cn>
-
-commit e3ef9a28f558d1cbf0b42d6dcd16c60da557562b upstream.
-
-On SMP systems, kprobe handlers would occasionally fail to execute on
-certain CPU cores. The issue is hard to reproduce and typically occurs
-randomly under high system load.
-
-The root cause is a software-side instruction hazard. According to the
-LoongArch Reference Manual, while the cache coherency is maintained by
-hardware, software must explicitly use the "IBAR" instruction to ensure
-the instruction fetch unit (IFU) observes the effects of recent stores.
-
-The current arch_arm_kprobe() and arch_disarm_kprobe() only execute the
-"IBAR" barrier (via flush_insn_slot -> local_flush_icache_range) on the
-local CPU. This leaves a vulnerable window where remote CPU cores may
-continue executing stale instructions from their pipelines or prefetch
-buffers, as they have not executed an "IBAR" since the code modification.
-
-Switch to larch_insn_text_copy() to fix this:
-1. Synchronization: It uses stop_machine_cpuslocked() to synchronize all
- online CPUs, ensuring no CPU is executing the target code area during
- modification.
-2. Visibility: By passing cpu_online_mask to stop_machine_cpuslocked(),
- the callback text_copy_cb() is executed on all online cores. Each CPU
- core invokes local_flush_icache_range() to execute "IBAR", clearing
- instruction hazards system-wide and ensuring the "break" instruction
- is visible to the fetch units of all cores.
-3. Robustness: It properly manages memory write permissions (ROX/RW) for
- the kernel text segment during patching, ensuring compatibility with
- CONFIG_STRICT_KERNEL_RWX.
-
-Cc: <stable@vger.kernel.org> # 6.18+
-Fixes: 6d4cc40fb5f5 ("LoongArch: Add kprobes support")
-Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
-Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/loongarch/kernel/kprobes.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
---- a/arch/loongarch/kernel/kprobes.c
-+++ b/arch/loongarch/kernel/kprobes.c
-@@ -60,16 +60,18 @@ NOKPROBE_SYMBOL(arch_prepare_kprobe);
- /* Install breakpoint in text */
- void arch_arm_kprobe(struct kprobe *p)
- {
-- *p->addr = KPROBE_BP_INSN;
-- flush_insn_slot(p);
-+ u32 insn = KPROBE_BP_INSN;
-+
-+ larch_insn_text_copy(p->addr, &insn, LOONGARCH_INSN_SIZE);
- }
- NOKPROBE_SYMBOL(arch_arm_kprobe);
-
- /* Remove breakpoint from text */
- void arch_disarm_kprobe(struct kprobe *p)
- {
-- *p->addr = p->opcode;
-- flush_insn_slot(p);
-+ u32 insn = p->opcode;
-+
-+ larch_insn_text_copy(p->addr, &insn, LOONGARCH_INSN_SIZE);
- }
- NOKPROBE_SYMBOL(arch_disarm_kprobe);
-
spi-sprd-fix-error-pointer-deref-after-dma-setup-failure.patch
spi-ti-qspi-fix-use-after-free-after-dma-setup-failure.patch
rdma-siw-reject-mpa-fpdu-length-underflow-before-signed-receive-math.patch
-loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
loongarch-remove-unused-code-to-avoid-build-warning.patch
device-property-set-fwnode-secondary-to-null-in-fwnode_init.patch
drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on-prior-line-used.patch
+++ /dev/null
-From e3ef9a28f558d1cbf0b42d6dcd16c60da557562b Mon Sep 17 00:00:00 2001
-From: Tiezhu Yang <yangtiezhu@loongson.cn>
-Date: Fri, 22 May 2026 15:05:07 +0800
-Subject: LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions
-
-From: Tiezhu Yang <yangtiezhu@loongson.cn>
-
-commit e3ef9a28f558d1cbf0b42d6dcd16c60da557562b upstream.
-
-On SMP systems, kprobe handlers would occasionally fail to execute on
-certain CPU cores. The issue is hard to reproduce and typically occurs
-randomly under high system load.
-
-The root cause is a software-side instruction hazard. According to the
-LoongArch Reference Manual, while the cache coherency is maintained by
-hardware, software must explicitly use the "IBAR" instruction to ensure
-the instruction fetch unit (IFU) observes the effects of recent stores.
-
-The current arch_arm_kprobe() and arch_disarm_kprobe() only execute the
-"IBAR" barrier (via flush_insn_slot -> local_flush_icache_range) on the
-local CPU. This leaves a vulnerable window where remote CPU cores may
-continue executing stale instructions from their pipelines or prefetch
-buffers, as they have not executed an "IBAR" since the code modification.
-
-Switch to larch_insn_text_copy() to fix this:
-1. Synchronization: It uses stop_machine_cpuslocked() to synchronize all
- online CPUs, ensuring no CPU is executing the target code area during
- modification.
-2. Visibility: By passing cpu_online_mask to stop_machine_cpuslocked(),
- the callback text_copy_cb() is executed on all online cores. Each CPU
- core invokes local_flush_icache_range() to execute "IBAR", clearing
- instruction hazards system-wide and ensuring the "break" instruction
- is visible to the fetch units of all cores.
-3. Robustness: It properly manages memory write permissions (ROX/RW) for
- the kernel text segment during patching, ensuring compatibility with
- CONFIG_STRICT_KERNEL_RWX.
-
-Cc: <stable@vger.kernel.org> # 6.18+
-Fixes: 6d4cc40fb5f5 ("LoongArch: Add kprobes support")
-Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
-Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/loongarch/kernel/kprobes.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/arch/loongarch/kernel/kprobes.c b/arch/loongarch/kernel/kprobes.c
-index 8ba391cfabb0..04b5b05715cd 100644
---- a/arch/loongarch/kernel/kprobes.c
-+++ b/arch/loongarch/kernel/kprobes.c
-@@ -60,16 +60,18 @@ NOKPROBE_SYMBOL(arch_prepare_kprobe);
- /* Install breakpoint in text */
- void arch_arm_kprobe(struct kprobe *p)
- {
-- *p->addr = KPROBE_BP_INSN;
-- flush_insn_slot(p);
-+ u32 insn = KPROBE_BP_INSN;
-+
-+ larch_insn_text_copy(p->addr, &insn, LOONGARCH_INSN_SIZE);
- }
- NOKPROBE_SYMBOL(arch_arm_kprobe);
-
- /* Remove breakpoint from text */
- void arch_disarm_kprobe(struct kprobe *p)
- {
-- *p->addr = p->opcode;
-- flush_insn_slot(p);
-+ u32 insn = p->opcode;
-+
-+ larch_insn_text_copy(p->addr, &insn, LOONGARCH_INSN_SIZE);
- }
- NOKPROBE_SYMBOL(arch_disarm_kprobe);
-
---
-2.54.0
-
spi-sprd-fix-error-pointer-deref-after-dma-setup-failure.patch
spi-ti-qspi-fix-use-after-free-after-dma-setup-failure.patch
rdma-siw-reject-mpa-fpdu-length-underflow-before-signed-receive-math.patch
-loongarch-kprobes-use-larch_insn_text_copy-to-patch-instructions.patch
loongarch-remove-unused-code-to-avoid-build-warning.patch
device-property-set-fwnode-secondary-to-null-in-fwnode_init.patch
drm-virtio-use-uninterruptible-resv-lock-for-plane-updates.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
