Add aarch64 heap fix and i915 fix from upstream

2020-02-20 09:37:52 -06:00 · 2020-02-20 09:37:52 -06:00 · ddfd56365f
commit ddfd56365f
parent 742215ba51
3 changed files with 185 additions and 1 deletions
--- a/0001-drm-i915-Serialise-i915_active_acquire-with-__active.patch
+++ b/0001-drm-i915-Serialise-i915_active_acquire-with-__active.patch
@ -0,0 +1,79 @@
+From bbca083de291a03ffe1a1eb0832a0d74f8b64898 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 5 Dec 2019 18:33:32 +0000
+Subject: [PATCH] drm/i915: Serialise i915_active_acquire() with
+ __active_retire()
+
+As __active_retire() does it's final atomic_dec() under the
+ref->tree_lock spinlock, in order to prevent ourselves from reusing the
+ref->cache and ref->tree as they are being destroyed, we need to
+serialise with the retirement during i915_active_acquire().
+
+[  +0.000005] kernel BUG at drivers/gpu/drm/i915/i915_active.c:157!
+[  +0.000011] invalid opcode: 0000 [#1] SMP
+[  +0.000004] CPU: 7 PID: 188 Comm: kworker/u16:4 Not tainted 5.4.0-rc8-03070-gac5e57322614 #89
+[  +0.000002] Hardware name: Razer Razer Blade Stealth 13 Late 2019/LY320, BIOS 1.02 09/10/2019
+[  +0.000082] Workqueue: events_unbound active_work [i915]
+[  +0.000059] RIP: 0010:__active_retire+0x115/0x120 [i915]
+[  +0.000003] Code: 75 28 48 8b 3d 8c 6e 1a 00 48 89 ee e8 e4 5f a5 c0 48 8b 44 24 10 65 48 33 04 25 28 00 00 00 75 0f 48 83 c4 18 5b 5d 41 5c c3 <0f> 0b 0f 0b 0f 0b e8 a0 90 87 c0 0f 1f 44 00 00 48 8b 3d 54 6e 1a
+[  +0.000002] RSP: 0018:ffffb833003f7e48 EFLAGS: 00010286
+[  +0.000003] RAX: ffff8d6e8d726d00 RBX: ffff8d6f9db4e840 RCX: 0000000000000000
+[  +0.000001] RDX: ffffffff82605930 RSI: ffff8d6f9adc4908 RDI: ffff8d6e96cefe28
+[  +0.000002] RBP: ffff8d6e96cefe00 R08: 0000000000000000 R09: ffff8d6f9ffe9a50
+[  +0.000002] R10: 0000000000000048 R11: 0000000000000018 R12: ffff8d6f9adc4930
+[  +0.000001] R13: ffff8d6f9e04fb00 R14: 0000000000000000 R15: ffff8d6f9adc4988
+[  +0.000002] FS:  0000000000000000(0000) GS:ffff8d6f9ffc0000(0000) knlGS:0000000000000000
+[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  +0.000002] CR2: 000055eb5a34cf10 CR3: 000000018d609002 CR4: 0000000000760ee0
+[  +0.000002] PKRU: 55555554
+[  +0.000001] Call Trace:
+[  +0.000010]  process_one_work+0x1aa/0x350
+[  +0.000004]  worker_thread+0x4d/0x3a0
+[  +0.000004]  kthread+0xfb/0x130
+[  +0.000004]  ? process_one_work+0x350/0x350
+[  +0.000003]  ? kthread_park+0x90/0x90
+[  +0.000005]  ret_from_fork+0x1f/0x40
+
+Reported-by: Kenneth Graunke <kenneth@whitecape.org>
+Fixes: c9ad602feabe ("drm/i915: Split i915_active.mutex into an irq-safe spinlock for the rbtree")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Kenneth Graunke <kenneth@whitecape.org>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Tested-by: Kenneth Graunke <kenneth@whitecape.org>
+Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191205183332.801237-1-chris@chris-wilson.co.uk
+---
+ drivers/gpu/drm/i915/i915_active.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_active.c b/drivers/gpu/drm/i915/i915_active.c
+index e3fcec4834c2..3d0edde84705 100644
+--- a/drivers/gpu/drm/i915/i915_active.c
+++ b/drivers/gpu/drm/i915/i915_active.c
+@@ -91,10 +91,9 @@ static void debug_active_init(struct i915_active *ref)
+
+ static void debug_active_activate(struct i915_active *ref)
+ {
+-	spin_lock_irq(&ref->tree_lock);
+	lockdep_assert_held(&ref->tree_lock);
+ 	if (!atomic_read(&ref->count)) /* before the first inc */
+ 		debug_object_activate(ref, &active_debug_desc);
+-	spin_unlock_irq(&ref->tree_lock);
+ }
+
+ static void debug_active_deactivate(struct i915_active *ref)
+@@ -419,8 +418,10 @@ int i915_active_acquire(struct i915_active *ref)
+ 	if (!atomic_read(&ref->count) && ref->active)
+ 		err = ref->active(ref);
+ 	if (!err) {
+		spin_lock_irq(&ref->tree_lock); /* vs __active_retire() */
+ 		debug_active_activate(ref);
+ 		atomic_inc(&ref->count);
+		spin_unlock_irq(&ref->tree_lock);
+ 	}
+
+ 	mutex_unlock(&ref->mutex);
+-- 
+2.24.1
+
--- a/0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch
+++ b/0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch
@ -0,0 +1,95 @@
+From a34309d16f41c48ffd90e56a6f865d6a1a8c49f0 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Wed, 19 Feb 2020 12:31:56 +0000
+Subject: [PATCH] mm: Avoid creating virtual address aliases in
+ brk()/mmap()/mremap()
+
+Currently the arm64 kernel ignores the top address byte passed to brk(),
+mmap() and mremap(). When the user is not aware of the 56-bit address
+limit or relies on the kernel to return an error, untagging such
+pointers has the potential to create address aliases in user-space.
+Passing a tagged address to munmap(), madvise() is permitted since the
+tagged pointer is expected to be inside an existing mapping.
+
+The current behaviour breaks the existing glibc malloc() implementation
+which relies on brk() with an address beyond 56-bit to be rejected by
+the kernel.
+
+Remove untagging in the above functions by partially reverting commit
+ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
+addition, update the arm64 tagged-address-abi.rst document accordingly.
+
+Link: https://bugzilla.redhat.com/1797052
+Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
+Cc: <stable@vger.kernel.org> # 5.4.x-
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Florian Weimer <fweimer@redhat.com>
+Reported-by: Victor Stinner <vstinner@redhat.com>
+Acked-by: Will Deacon <will@kernel.org>
+Acked-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+---
+ Documentation/arm64/tagged-address-abi.rst | 11 +++++++++--
+ mm/mmap.c                                  |  4 ----
+ mm/mremap.c                                |  1 -
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/Documentation/arm64/tagged-address-abi.rst b/Documentation/arm64/tagged-address-abi.rst
+index d4a85d535bf9..f6289116893c 100644
+--- a/Documentation/arm64/tagged-address-abi.rst
+++ b/Documentation/arm64/tagged-address-abi.rst
+@@ -44,8 +44,15 @@ The AArch64 Tagged Address ABI has two stages of relaxation depending
+ how the user addresses are used by the kernel:
+ 
+ 1. User addresses not accessed by the kernel but used for address space
+-   management (e.g. ``mmap()``, ``mprotect()``, ``madvise()``). The use
+-   of valid tagged pointers in this context is always allowed.
+   management (e.g. ``mprotect()``, ``madvise()``). The use of valid
+   tagged pointers in this context is allowed with the exception of
+   ``brk()``, ``mmap()`` and the ``new_address`` argument to
+   ``mremap()`` as these have the potential of aliasing with existing
+   user addresses.
+
+   NOTE: This behaviour changed in v5.6 and so some earlier kernels may
+   incorrectly accept valid tagged pointers for the ``brk()``,
+   ``mmap()`` and ``mremap()`` system calls.
+ 
+ 2. User addresses accessed by the kernel (e.g. ``write()``). This ABI
+    relaxation is disabled by default and the application thread needs to
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 4390dbea4aa5..514cc19c5916 100644
+--- a/mm/mmap.c
+++ b/mm/mmap.c
+@@ -195,8 +195,6 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+ 	bool downgraded = false;
+ 	LIST_HEAD(uf);
+ 
+-	brk = untagged_addr(brk);
+-
+ 	if (down_write_killable(&mm->mmap_sem))
+ 		return -EINTR;
+ 
+@@ -1583,8 +1581,6 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
+ 	struct file *file = NULL;
+ 	unsigned long retval;
+ 
+-	addr = untagged_addr(addr);
+-
+ 	if (!(flags & MAP_ANONYMOUS)) {
+ 		audit_mmap_fd(fd, flags);
+ 		file = fget(fd);
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 1fc8a29fbe3f..1d98281f7204 100644
+--- a/mm/mremap.c
+++ b/mm/mremap.c
+@@ -607,7 +607,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
+ 	LIST_HEAD(uf_unmap);
+ 
+ 	addr = untagged_addr(addr);
+-	new_addr = untagged_addr(new_addr);
+ 
+ 	if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
+ 		return ret;
+-- 
+2.24.1
+
--- a/kernel.spec
+++ b/kernel.spec
@ -857,7 +857,13 @@ Patch504: 0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch
 Patch505: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch

 # ALSA code from v5.6 (Intel ASoC Sound Open Firmware driver support)
-Patch527: alsa-5.6.patch
+Patch506: alsa-5.6.patch
+
+# rhbz 1797052
+Patch507: 0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch
+
+# i915 "critical" patch from upstream
+Patch508: 0001-drm-i915-Serialise-i915_active_acquire-with-__active.patch

 # END OF PATCH DEFINITIONS

@ -2888,6 +2894,10 @@ fi
 #
 #
 %changelog
+* Thu Feb 20 2020 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix aarch64 heap corruption issue (rhbz 1797052)
+- Add i915 fix from upstream
+
 * Wed Feb 19 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.5.5-200
 - Linux v5.5.5