Update to 2.4.120

Resolves: https://issues.redhat.com/browse/RHEL-24145
Resolves: https://issues.redhat.com/browse/RHEL-29916

.gitignore

@@ -8,3 +8,4 @@
 /libdrm-2.4.114.tar.xz
 /libdrm-2.4.115.tar.xz
 /libdrm-2.4.117.tar.xz
+/libdrm-2.4.120.tar.xz

0001-amdgpu-Make-amdgpu_cs_signal_semaphore-thread-safe.patch

@@ -0,0 +1,94 @@
+From 4df9173595dcc65662516b634f9d10001fd060e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Thu, 21 Mar 2024 11:41:18 +0100
+Subject: [PATCH] amdgpu: Make amdgpu_cs_signal_semaphore() thread-safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The issue was found by a static analysis tool:
+
+    Error: LOCK_EVASION (CWE-543):
+    libdrm-2.4.115/amdgpu/amdgpu_cs.c:596: thread1_checks_field:
+        Thread1 uses the value read from field "context" in the
+        condition "sem->signal_fence.context". It sees that the
+        condition is false. Control is switched to Thread2.
+    libdrm-2.4.115/amdgpu/amdgpu_cs.c:596: thread2_checks_field:
+        Thread2 uses the value read from field "context" in the
+        condition "sem->signal_fence.context". It sees that the
+        condition is false.
+    libdrm-2.4.115/amdgpu/amdgpu_cs.c:598: thread2_acquires_lock:
+        Thread2 acquires lock "amdgpu_context.sequence_mutex".
+    libdrm-2.4.115/amdgpu/amdgpu_cs.c:599: thread2_modifies_field:
+        Thread2 sets "context" to a new value. Note that this write can
+        be reordered at runtime to occur before instructions that do
+        not access this field within this locked region. After Thread2
+        leaves the critical section, control is switched back to
+        Thread1.
+    libdrm-2.4.115/amdgpu/amdgpu_cs.c:598: thread1_acquires_lock:
+        Thread1 acquires lock "amdgpu_context.sequence_mutex".
+    libdrm-2.4.115/amdgpu/amdgpu_cs.c:599: thread1_overwrites_value_in_field:
+        Thread1 sets "context" to a new value. Now the two threads have
+        an inconsistent view of "context" and updates to fields of
+        "context" or fields correlated with "context" may be lost.
+    libdrm-2.4.115/amdgpu/amdgpu_cs.c:596: use_same_locks_for_read_and_modify:
+        Guard the modification of "context" and the read used to decide
+        whether to modify "context" with the same set of locks.
+    #  597|                   return -EINVAL;
+    #  598|           pthread_mutex_lock(&ctx->sequence_mutex);
+    #  599|->         sem->signal_fence.context = ctx;
+    #  600|           sem->signal_fence.ip_type = ip_type;
+    #  601|           sem->signal_fence.ip_instance = ip_instance;
+
+Check `sem->signal_fence.context` in the locked region to avoid a race
+condition.
+
+Reviewed-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
+Signed-off-by: José Expósito <jexposit@redhat.com>
+---
+ amdgpu/amdgpu_cs.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/amdgpu/amdgpu_cs.c b/amdgpu/amdgpu_cs.c
+index 49fc16c3..2db49675 100644
+--- a/amdgpu/amdgpu_cs.c
++++ b/amdgpu/amdgpu_cs.c
+@@ -598,24 +598,31 @@ drm_public int amdgpu_cs_signal_semaphore(amdgpu_context_handle ctx,
+ 			       uint32_t ring,
+ 			       amdgpu_semaphore_handle sem)
+ {
++	int ret;
++
+ 	if (!ctx || !sem)
+ 		return -EINVAL;
+ 	if (ip_type >= AMDGPU_HW_IP_NUM)
+ 		return -EINVAL;
+ 	if (ring >= AMDGPU_CS_MAX_RINGS)
+ 		return -EINVAL;
+-	/* sem has been signaled */
+-	if (sem->signal_fence.context)
+-		return -EINVAL;
++
+ 	pthread_mutex_lock(&ctx->sequence_mutex);
++	/* sem has been signaled */
++	if (sem->signal_fence.context) {
++		ret = -EINVAL;
++		goto unlock;
++	}
+ 	sem->signal_fence.context = ctx;
+ 	sem->signal_fence.ip_type = ip_type;
+ 	sem->signal_fence.ip_instance = ip_instance;
+ 	sem->signal_fence.ring = ring;
+ 	sem->signal_fence.fence = ctx->last_seq[ip_type][ip_instance][ring];
+ 	update_references(NULL, &sem->refcount);
++	ret = 0;
++unlock:
+ 	pthread_mutex_unlock(&ctx->sequence_mutex);
+-	return 0;
++	return ret;
+ }
+ 
+ drm_public int amdgpu_cs_wait_semaphore(amdgpu_context_handle ctx,
+-- 
+2.45.1
+

libdrm.spec

@@ -53,7 +53,7 @@ end}
 
 Name:           libdrm
 Summary:        Direct Rendering Manager runtime library
-Version:        2.4.117
+Version:        2.4.120
 Release:        1%{?dist}
 License:        MIT
 
@@ -88,6 +88,8 @@ BuildRequires:  chrpath
 Patch1001:      libdrm-make-dri-perms-okay.patch
 # remove backwards compat not needed on Fedora
 Patch1002:      libdrm-2.4.0-no-bc.patch
+# Fix findings from static application security testing (SAST)
+Patch1003:      0001-amdgpu-Make-amdgpu_cs_signal_semaphore-thread-safe.patch
 
 %description
 Direct Rendering Manager runtime library
@@ -279,6 +281,10 @@ cp %{SOURCE1} %{buildroot}%{_docdir}/libdrm
 %endif
 
 %changelog
+* Mon May 27 2024 José Expósito <jexposit@redhat.com> - 2.4.120-1
+- Update to 2.4.120
+- Fix findings from static application security testing (SAST)
+
 * Mon Nov 06 2023 José Expósito <jexposit@redhat.com> - 2.4.117-1
 - Update to 2.4.117
 

sources

@@ -1 +1 @@
-SHA512 (libdrm-2.4.117.tar.xz) = 326cf565548fb9d50a321562c13acb2a2f5ad5915ffdc2b08ef812fbac887f5b3d271cb2ce8c483633edddf2c55064d55810ff6697f713c179e2d0c8048eb544
+SHA512 (libdrm-2.4.120.tar.xz) = 6dc16e5134a669eeb59debb1dc2d15b857483ab7476dc2b94bd05a32d8953f046f5656f6cf9e1a63e97e7156fb65ebb58b6a29fe45cb6326058baaf820626e70