author | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-02-20 09:37:52 -0600 |
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-02-20 09:37:52 -0600 |
commit | ddfd56365fc9edeff1bf2e76931f1247bbdc795a (patch) | |
tree | 4719adaddfbb3f17af1c1003fa19bd8c8595cf00 | |
parent | 742215ba5157f9c0cf261ea5bd3b4e728e3e8955 (diff) | |
Add aarch64 heap fix and i915 fix from upstream
-rw-r--r-- | 0001-drm-i915-Serialise-i915_active_acquire-with-__active.patch | 79 | ||||
-rw-r--r-- | 0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch | 95 | ||||
-rw-r--r-- | kernel.spec | 12 |
3 files changed, 185 insertions, 1 deletions
diff --git a/0001-drm-i915-Serialise-i915_active_acquire-with-__active.patch b/0001-drm-i915-Serialise-i915_active_acquire-with-__active.patch
new file mode 100644
index 000000000..7270eda24
--- /dev/null
+++ b/0001-drm-i915-Serialise-i915_active_acquire-with-__active.patch
@@ -0,0 +1,79 @@
+From bbca083de291a03ffe1a1eb0832a0d74f8b64898 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 5 Dec 2019 18:33:32 +0000
+Subject: [PATCH] drm/i915: Serialise i915_active_acquire() with
+ __active_retire()
+
+As __active_retire() does it's final atomic_dec() under the
+ref->tree_lock spinlock, in order to prevent ourselves from reusing the
+ref->cache and ref->tree as they are being destroyed, we need to
+serialise with the retirement during i915_active_acquire().
+
+[ +0.000005] kernel BUG at drivers/gpu/drm/i915/i915_active.c:157!
+[ +0.000011] invalid opcode: 0000 [#1] SMP
+[ +0.000004] CPU: 7 PID: 188 Comm: kworker/u16:4 Not tainted 5.4.0-rc8-03070-gac5e57322614 #89
+[ +0.000002] Hardware name: Razer Razer Blade Stealth 13 Late 2019/LY320, BIOS 1.02 09/10/2019
+[ +0.000082] Workqueue: events_unbound active_work [i915]
+[ +0.000059] RIP: 0010:__active_retire+0x115/0x120 [i915]
+[ +0.000003] Code: 75 28 48 8b 3d 8c 6e 1a 00 48 89 ee e8 e4 5f a5 c0 48 8b 44 24 10 65 48 33 04 25 28 00 00 00 75 0f 48 83 c4 18 5b 5d 41 5c c3 <0f> 0b 0f 0b 0f 0b e8 a0 90 87 c0 0f 1f 44 00 00 48 8b 3d 54 6e 1a
+[ +0.000002] RSP: 0018:ffffb833003f7e48 EFLAGS: 00010286
+[ +0.000003] RAX: ffff8d6e8d726d00 RBX: ffff8d6f9db4e840 RCX: 0000000000000000
+[ +0.000001] RDX: ffffffff82605930 RSI: ffff8d6f9adc4908 RDI: ffff8d6e96cefe28
+[ +0.000002] RBP: ffff8d6e96cefe00 R08: 0000000000000000 R09: ffff8d6f9ffe9a50
+[ +0.000002] R10: 0000000000000048 R11: 0000000000000018 R12: ffff8d6f9adc4930
+[ +0.000001] R13: ffff8d6f9e04fb00 R14: 0000000000000000 R15: ffff8d6f9adc4988
+[ +0.000002] FS: 0000000000000000(0000) GS:ffff8d6f9ffc0000(0000) knlGS:0000000000000000
+[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ +0.000002] CR2: 000055eb5a34cf10 CR3: 000000018d609002 CR4: 0000000000760ee0
+[ +0.000002] PKRU: 55555554
+[ +0.000001] Call Trace:
+[ +0.000010] process_one_work+0x1aa/0x350
+[ +0.000004] worker_thread+0x4d/0x3a0
+[ +0.000004] kthread+0xfb/0x130
+[ +0.000004] ? process_one_work+0x350/0x350
+[ +0.000003] ? kthread_park+0x90/0x90
+[ +0.000005] ret_from_fork+0x1f/0x40
+
+Reported-by: Kenneth Graunke <kenneth@whitecape.org>
+Fixes: c9ad602feabe ("drm/i915: Split i915_active.mutex into an irq-safe spinlock for the rbtree")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Kenneth Graunke <kenneth@whitecape.org>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Tested-by: Kenneth Graunke <kenneth@whitecape.org>
+Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191205183332.801237-1-chris@chris-wilson.co.uk
+---
+ drivers/gpu/drm/i915/i915_active.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_active.c b/drivers/gpu/drm/i915/i915_active.c
+index e3fcec4834c2..3d0edde84705 100644
+--- a/drivers/gpu/drm/i915/i915_active.c
++++ b/drivers/gpu/drm/i915/i915_active.c
+@@ -91,10 +91,9 @@ static void debug_active_init(struct i915_active *ref)
+
+ static void debug_active_activate(struct i915_active *ref)
+ {
+- spin_lock_irq(&ref->tree_lock);
++ lockdep_assert_held(&ref->tree_lock);
+ if (!atomic_read(&ref->count)) /* before the first inc */
+ debug_object_activate(ref, &active_debug_desc);
+- spin_unlock_irq(&ref->tree_lock);
+ }
+
+ static void debug_active_deactivate(struct i915_active *ref)
+@@ -419,8 +418,10 @@ int i915_active_acquire(struct i915_active *ref)
+ if (!atomic_read(&ref->count) && ref->active)
+ err = ref->active(ref);
+ if (!err) {
++ spin_lock_irq(&ref->tree_lock); /* vs __active_retire() */
+ debug_active_activate(ref);
+ atomic_inc(&ref->count);
++ spin_unlock_irq(&ref->tree_lock);
+ }
+
+ mutex_unlock(&ref->mutex);
+--
+2.24.1
+
diff --git a/0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch b/0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch
new file mode 100644
index 000000000..6f3bd3c72
--- /dev/null
+++ b/0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch
@@ -0,0 +1,95 @@
+From a34309d16f41c48ffd90e56a6f865d6a1a8c49f0 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Wed, 19 Feb 2020 12:31:56 +0000
+Subject: [PATCH] mm: Avoid creating virtual address aliases in
+ brk()/mmap()/mremap()
+
+Currently the arm64 kernel ignores the top address byte passed to brk(),
+mmap() and mremap(). When the user is not aware of the 56-bit address
+limit or relies on the kernel to return an error, untagging such
+pointers has the potential to create address aliases in user-space.
+Passing a tagged address to munmap(), madvise() is permitted since the
+tagged pointer is expected to be inside an existing mapping.
+
+The current behaviour breaks the existing glibc malloc() implementation
+which relies on brk() with an address beyond 56-bit to be rejected by
+the kernel.
+
+Remove untagging in the above functions by partially reverting commit
+ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
+addition, update the arm64 tagged-address-abi.rst document accordingly.
+
+Link: https://bugzilla.redhat.com/1797052
+Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
+Cc: <stable@vger.kernel.org> # 5.4.x-
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Florian Weimer <fweimer@redhat.com>
+Reported-by: Victor Stinner <vstinner@redhat.com>
+Acked-by: Will Deacon <will@kernel.org>
+Acked-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+---
+ Documentation/arm64/tagged-address-abi.rst | 11 +++++++++--
+ mm/mmap.c | 4 ----
+ mm/mremap.c | 1 -
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/Documentation/arm64/tagged-address-abi.rst b/Documentation/arm64/tagged-address-abi.rst
+index d4a85d535bf9..f6289116893c 100644
+--- a/Documentation/arm64/tagged-address-abi.rst
++++ b/Documentation/arm64/tagged-address-abi.rst
+@@ -44,8 +44,15 @@ The AArch64 Tagged Address ABI has two stages of relaxation depending
+ how the user addresses are used by the kernel:
+
+ 1. User addresses not accessed by the kernel but used for address space
+- management (e.g. ``mmap()``, ``mprotect()``, ``madvise()``). The use
+- of valid tagged pointers in this context is always allowed.
++ management (e.g. ``mprotect()``, ``madvise()``). The use of valid
++ tagged pointers in this context is allowed with the exception of
++ ``brk()``, ``mmap()`` and the ``new_address`` argument to
++ ``mremap()`` as these have the potential of aliasing with existing
++ user addresses.
++
++ NOTE: This behaviour changed in v5.6 and so some earlier kernels may
++ incorrectly accept valid tagged pointers for the ``brk()``,
++ ``mmap()`` and ``mremap()`` system calls.
+
+ 2. User addresses accessed by the kernel (e.g. ``write()``). This ABI
+ relaxation is disabled by default and the application thread needs to
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 4390dbea4aa5..514cc19c5916 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -195,8 +195,6 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+ bool downgraded = false;
+ LIST_HEAD(uf);
+
+- brk = untagged_addr(brk);
+-
+ if (down_write_killable(&mm->mmap_sem))
+ return -EINTR;
+
+@@ -1583,8 +1581,6 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
+ struct file *file = NULL;
+ unsigned long retval;
+
+- addr = untagged_addr(addr);
+-
+ if (!(flags & MAP_ANONYMOUS)) {
+ audit_mmap_fd(fd, flags);
+ file = fget(fd);
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 1fc8a29fbe3f..1d98281f7204 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -607,7 +607,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
+ LIST_HEAD(uf_unmap);
+
+ addr = untagged_addr(addr);
+- new_addr = untagged_addr(new_addr);
+
+ if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
+ return ret;
+--
+2.24.1
+
diff --git a/kernel.spec b/kernel.spec
index 7ce052ba4..b03610cc2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -857,7 +857,13 @@ Patch504: 0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch
 Patch505: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch
 # ALSA code from v5.6 (Intel ASoC Sound Open Firmware driver support)
-Patch527: alsa-5.6.patch
+Patch506: alsa-5.6.patch
+
+# rhbz 1797052
+Patch507: 0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch
+
+# i915 "critical" patch from upstream
+Patch508: 0001-drm-i915-Serialise-i915_active_acquire-with-__active.patch
 # END OF PATCH DEFINITIONS
@@ -2888,6 +2894,10 @@ fi
 #
 #
 %changelog
+* Thu Feb 20 2020 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix aarch64 heap corruption issue (rhbz 1797052)
+- Add i915 fix from upstream
+
+* Wed Feb 19 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.5.5-200 - Linux v5.5.5 |
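Review bot: The comment above the new `Patch508:` line in the kernel.spec hunk, `# i915 "critical" patch from upstream`, records neither the upstream commit nor the symptom being fixed, whereas the neighbouring `# rhbz 1797052` comment on `Patch507:` gives a tracker reference. The patch file added in this same commit carries both (`From bbca083de291a03ffe1a1eb0832a0d74f8b64898` and `kernel BUG at drivers/gpu/drm/i915/i915_active.c:157`), so the spec comment can cite them: `# i915: upstream bbca083de291 "Serialise i915_active_acquire() with __active_retire()" (fixes kernel BUG in __active_retire)`. The same hunk also renumbers `Patch527: alsa-5.6.patch` to `Patch506: alsa-5.6.patch`, an unrelated tidy-up the commit message does not mention; a line in the new %changelog entry such as `- Renumber alsa-5.6.patch to Patch506` would make it traceable. Whether Patch507 and Patch508 need an explicit apply step elsewhere in the spec cannot be seen from this hunk, so that should be confirmed against the %prep section.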