This is a note to let you know that I've just added the patch titled
fbdev: fix incorrect address computation in deferred IO
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
fbdev-fix-incorrect-address-computation-in-deferred-io.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 78d9161d2bcd442d93d917339297ffa057dbee8c Mon Sep 17 00:00:00 2001
From: Nam Cao <namcao@xxxxxxxxxxxxx>
Date: Tue, 23 Apr 2024 13:50:53 +0200
Subject: fbdev: fix incorrect address computation in deferred IO
From: Nam Cao <namcao@xxxxxxxxxxxxx>
commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream.
With deferred IO enabled, a page fault happens when data is written to the
framebuffer device. Then driver determines which page is being updated by
calculating the offset of the written virtual address within the virtual
memory area, and uses this offset to get the updated page within the
internal buffer. This page is later copied to hardware (thus the name
"deferred IO").
This offset calculation is only correct if the virtual memory area is
mapped to the beginning of the internal buffer. Otherwise this is wrong.
For example, if users do:
mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);
Then the virtual memory area will mapped at offset 0xff000 within the
internal buffer. This offset 0xff000 is not accounted for, and wrong page
is updated.
Correct the calculation by using vmf->pgoff instead. With this change, the
variable "offset" will no longer hold the exact offset value, but it is
rounded down to multiples of PAGE_SIZE. But this is still correct, because
this variable is only used to calculate the page offset.
Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@xxxxxxxxxx
Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Nam Cao <namcao@xxxxxxxxxxxxx>
Reviewed-by: Thomas Zimmermann <tzimmermann@xxxxxxx>
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Signed-off-by: Thomas Zimmermann <tzimmermann@xxxxxxx>
Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@xxxxxxxxxxxxx
[rebase to v5.15]
Signed-off-by: Nam Cao <namcao@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/video/fbdev/core/fb_defio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -149,7 +149,7 @@ static vm_fault_t fb_deferred_io_mkwrite
unsigned long offset;
vm_fault_t ret;
- offset = (vmf->address - vmf->vma->vm_start);
+ offset = vmf->pgoff << PAGE_SHIFT;
/* this is a callback we get when userspace first tries to
write to the page. we schedule a workqueue. that workqueue
Patches currently in stable-queue which might be from namcao@xxxxxxxxxxxxx are
queue-5.15/fbdev-fix-incorrect-address-computation-in-deferred-io.patch
