Ubuntu
linux package

~tyhicks/ubuntu/+source/linux/+git/bionic:i915

  1. Git
  2. lp:~tyhicks/ubuntu/+source/linux/+git/bionic
  3. i915
Last commit made on 2020-01-14
Get this branch:
git clone -b i915 https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/bionic
Only Tyler Hicks can upload to this branch. If you are Tyler Hicks please log in for upload directions.

Branch merges

Branch information

Name:
i915
Repository:
lp:~tyhicks/ubuntu/+source/linux/+git/bionic

Recent commits

890e5d7... by Tyler Hicks

UBUNTU: SAUCE: drm/i915: Fix use-after-free when destroying GEM context

BugLink: https://bugs.launchpad.net/bugs/1859522

This patch is a simplified fix to address a use-after-free in 4.14.x and
4.19.x stable kernels. The flaw is already fixed upstream, starting in
5.2, by commit 7dc40713618c ("drm/i915: Introduce a mutex for
file_priv->context_idr") as part of a more complex patch series that
isn't appropriate for backporting to stable kernels.

Expand mutex coverage, while destroying the GEM context, to include the
GEM context lookup step. This fixes a use-after-free detected by KASAN:

 ==================================================================
 BUG: KASAN: use-after-free in i915_ppgtt_close+0x2ca/0x2f0
 Write of size 1 at addr ffff8881368a8368 by task i915-poc/3124

 CPU: 0 PID: 3124 Comm: i915-poc Not tainted 4.14.164 #1
 Hardware name: HP HP Elite x2 1012 G1 /80FC, BIOS N85 Ver. 01.20 04/05/2017
 Call Trace:
  dump_stack+0xcd/0x12e
  ? _atomic_dec_and_lock+0x1b2/0x1b2
  ? i915_ppgtt_close+0x2ca/0x2f0
  ? printk+0x8f/0xab
  ? show_regs_print_info+0x53/0x53
  ? i915_ppgtt_close+0x2ca/0x2f0
  print_address_description+0x65/0x270
  ? i915_ppgtt_close+0x2ca/0x2f0
  kasan_report+0x251/0x340
  i915_ppgtt_close+0x2ca/0x2f0
  ? __radix_tree_insert+0x3f0/0x3f0
  ? i915_ppgtt_init_hw+0x7c0/0x7c0
  context_close+0x42e/0x680
  ? i915_gem_context_release+0x230/0x230
  ? kasan_kmalloc+0xa0/0xd0
  ? radix_tree_delete_item+0x1d4/0x250
  ? radix_tree_lookup+0x10/0x10
  ? inet_recvmsg+0x4b0/0x4b0
  ? kasan_slab_free+0x88/0xc0
  i915_gem_context_destroy_ioctl+0x236/0x300
  ? i915_gem_context_create_ioctl+0x360/0x360
  ? drm_dev_printk+0x1d0/0x1d0
  ? memcpy+0x34/0x50
  ? i915_gem_context_create_ioctl+0x360/0x360
  drm_ioctl_kernel+0x1b0/0x2b0
  ? drm_ioctl_permit+0x2a0/0x2a0
  ? avc_ss_reset+0xd0/0xd0
  drm_ioctl+0x6fe/0xa20
  ? i915_gem_context_create_ioctl+0x360/0x360
  ? drm_getstats+0x20/0x20
  ? put_unused_fd+0x260/0x260
  do_vfs_ioctl+0x189/0x12d0
  ? ioctl_preallocate+0x280/0x280
  ? selinux_file_ioctl+0x3a7/0x680
  ? selinux_bprm_set_creds+0xe30/0xe30
  ? security_file_ioctl+0x69/0xa0
  ? selinux_bprm_set_creds+0xe30/0xe30
  SyS_ioctl+0x6f/0x80
  ? __sys_sendmmsg+0x4a0/0x4a0
  ? do_vfs_ioctl+0x12d0/0x12d0
  do_syscall_64+0x214/0x5f0
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x25/0x60
  ? __switch_to_asm+0x31/0x60
  ? syscall_return_slowpath+0x2c0/0x2c0
  ? copy_overflow+0x20/0x20
  ? __switch_to_asm+0x25/0x60
  ? syscall_return_via_sysret+0x2a/0x7a
  ? prepare_exit_to_usermode+0x200/0x200
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x25/0x60
  ? __switch_to_asm+0x25/0x60
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x25/0x60
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x25/0x60
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7f7fda5115d7
 RSP: 002b:00007f7eec317ec8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7fda5115d7
 RDX: 000055b306db9188 RSI: 000000004008646e RDI: 0000000000000003
 RBP: 00007f7eec317ef0 R08: 00007f7eec318700 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000286 R12: 00007f7eec317fc0
 R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffd8007ade0

 Allocated by task 2898:
  save_stack+0x32/0xb0
  kasan_kmalloc+0xa0/0xd0
  kmem_cache_alloc_trace+0x5e/0x180
  i915_ppgtt_create+0xab/0x2510
  i915_gem_create_context+0x981/0xf90
  i915_gem_context_create_ioctl+0x1d7/0x360
  drm_ioctl_kernel+0x1b0/0x2b0
  drm_ioctl+0x6fe/0xa20
  do_vfs_ioctl+0x189/0x12d0
  SyS_ioctl+0x6f/0x80
  do_syscall_64+0x214/0x5f0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

 Freed by task 104:
  save_stack+0x32/0xb0
  kasan_slab_free+0x72/0xc0
  kfree+0x88/0x190
  i915_ppgtt_release+0x24e/0x460
  i915_gem_context_free+0x90/0x480
  contexts_free_worker+0x54/0x80
  process_one_work+0x876/0x14e0
  worker_thread+0x1b8/0xfd0
  kthread+0x2f8/0x3c0
  ret_from_fork+0x35/0x40

 The buggy address belongs to the object at ffff8881368a8000
  which belongs to the cache kmalloc-8192 of size 8192
 The buggy address is located 872 bytes inside of
  8192-byte region [ffff8881368a8000, ffff8881368aa000)
 The buggy address belongs to the page:
 page:ffffea0004da2a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
 flags: 0x200000000008100(slab|head)
 raw: 0200000000008100 0000000000000000 0000000000000000 0000000100030003
 raw: dead000000000100 dead000000000200 ffff88822a002280 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff8881368a8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881368a8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff8881368a8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                           ^
  ffff8881368a8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881368a8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

Fixes: 1acfc104cdf8 ("drm/i915: Enable rcu-only context lookups")
Reported-by: 罗权 <email address hidden>
Cc: Chris Wilson <email address hidden>
Cc: Jon Bloomfield <email address hidden>
Cc: <email address hidden> # 4.14.x
Cc: <email address hidden> # 4.19.x
Signed-off-by: Tyler Hicks <email address hidden>

CVE-2020-7053

Signed-off-by: Tyler Hicks <email address hidden>

bc429d9... by Akeem G Abodunrin <email address hidden>

drm/i915/gen9: Clear residual context state on context switch

Intel GPU Hardware prior to Gen11 does not clear EU state
during a context switch. This can result in information
leakage between contexts.

For Gen8 and Gen9, hardware provides a mechanism for
fast cleardown of the EU state, by issuing a PIPE_CONTROL
with bit 27 set. We can use this in a context batch buffer
to explicitly cleardown the state on every context switch.

As this workaround is already in place for gen8, we can borrow
the code verbatim for Gen9.

Signed-off-by: Mika Kuoppala <email address hidden>
Signed-off-by: Akeem G Abodunrin <email address hidden>

CVE-2019-14615

(backported from commit bc8a76a152c5f9ef3b48104154a65a68a8b76946)
[tyhicks: Backport to 4.15:
 - Use (i915_scratch_offset(engine->i915) + 2 * CACHELINE_BYTES) in
   place of LRC_PPHWSP_SCRATCH_ADDR and PIPE_CONTROL_GLOBAL_GTT_IVB in
   place of PIPE_CONTROL_STORE_DATA_INDEX since we're missing commit
   e1237523749e ("drm/i915/execlists: Use per-process HWSP as scratch")
 - Context adjustment in gen9_init_indirectctx_bb() due to missing
   commit 5ee4a7a6db8e ("drm/i915/execlists: Pull the w/a LRI emission
   into a helper")
 - Replace the existing WaClearSlmSpaceAtContextSwitch that was being
   used for pre-production Kaby Lake]
Signed-off-by: Tyler Hicks <email address hidden>

e1afa08... by Khaled El Mously

UBUNTU: Ubuntu-4.15.0-74.84

Signed-off-by: Khalid Elmously <email address hidden>

28e699e... by Khaled El Mously

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1856749
Properties: no-test-build
Signed-off-by: Khalid Elmously <email address hidden>

74b54c0... by Khaled El Mously

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Khalid Elmously <email address hidden>

6c701d7... by Seth Forshee

UBUNTU: [Packaging] bind hv_kvp_daemon startup to hv_kvp device

BugLink: https://bugs.launchpad.net/bugs/1820063

The hv_kvp_daemon service requires the hv_kvp device and should
be started when the device appears and stopped in it disappears.
Solution is based off the one provided at
https://bugzilla.redhat.com/show_bug.cgi?id=1195029#c22.

Signed-off-by: Seth Forshee <email address hidden>
Signed-off-by: Marcelo Henrique Cerri <email address hidden>
Acked-by: Andy Whitcroft <email address hidden>
Acked-by: Kleber Souza <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

bc232b5... by Marc Zyngier

arm64: Use firmware to detect CPUs that are not affected by Spectre-v2

BugLink: https://bugs.launchpad.net/bugs/1854207

[ Upstream commit 517953c2c47f9c00a002f588ac856a5bc70cede3 ]

The SMCCC ARCH_WORKAROUND_1 service can indicate that although the
firmware knows about the Spectre-v2 mitigation, this particular
CPU is not vulnerable, and it is thus not necessary to call
the firmware on this CPU.

Let's use this information to our benefit.

Signed-off-by: Marc Zyngier <email address hidden>
Signed-off-by: Jeremy Linton <email address hidden>
Reviewed-by: Andre Przywara <email address hidden>
Reviewed-by: Catalin Marinas <email address hidden>
Tested-by: Stefan Wahren <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
Signed-off-by: Ard Biesheuvel <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: dann frazier <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Acked-by: Connor Kuehl <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

95e660f... by Marc Zyngier

arm64: Get rid of __smccc_workaround_1_hvc_*

BugLink: https://bugs.launchpad.net/bugs/1854207

[ Upstream commit 22765f30dbaf1118c6ff0fcb8b99c9f2b4d396d5 ]

The very existence of __smccc_workaround_1_hvc_* is a thinko, as
KVM will never use a HVC call to perform the branch prediction
invalidation. Even as a nested hypervisor, it would use an SMC
instruction.

Let's get rid of it.

Signed-off-by: Marc Zyngier <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
Signed-off-by: Ard Biesheuvel <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: dann frazier <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Acked-by: Connor Kuehl <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

1cae744... by Sultan Alsawaf

UBUNTU: SAUCE: irqchip/gic-v3-its: Add missing return value in its_irq_domain_activate()

BugLink: https://bugs.launchpad.net/bugs/1853485

The missing return value in its_irq_domain_activate() would cause IRQs
to be erratically disabled/enabled in unexpected ways on certain Cavium
boards. This caused all sorts of mayhem since the state of IRQs on each
CPU would be unpredictable; maybe they'd be enabled, maybe not.

This bug was introduced by a mismerge of commit d2fd562c0c69
("irqchip/gic-v3-its: Don't bind LPI to unavailable NUMA node") over a
year ago, in Ubuntu-4.15.0-44.47. The missing return value here is
-EINVAL; add it in to fix the wild breakage.

Signed-off-by: Sultan Alsawaf <email address hidden>
Signed-off-by: dann frazier <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Acked-by: Connor Kuehl <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

80e9db2... by Khaled El Mously

UBUNTU: Ubuntu-4.15.0-73.82

Signed-off-by: Khalid Elmously <email address hidden>