Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.9.289 2019-02-12T18:44:50+00:00 2019-02-12T18:44:50+00:00 Gustavo A. R. Silva gustavo@embeddedor.com 2018-10-16T09:55:49+00:00 urn:sha1:9b3e959d46e37597fd2b9c68e3133a5b49d6da6c [ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ] idx can be indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential spectre issue 'dma->buflist' [r] (local cap) Fix this by sanitizing idx before using it to index dma->buflist Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2016-09-21T11:24:27+00:00 Markus Elfring elfring@users.sourceforge.net 2016-09-19T15:30:31+00:00 urn:sha1:b5a2ecd857a224c4fbeeaa4f60f09bea3fc1837e The script "checkpatch.pl" can point information out like the following. WARNING: Prefer kcalloc over kzalloc with multiply Thus fix the affected source code place. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/b340d1ca-f114-a523-e6d1-afe7fd6c3826@users.sourceforge.net 2016-09-21T11:24:27+00:00 Markus Elfring elfring@users.sourceforge.net 2016-09-19T15:24:20+00:00 urn:sha1:81a441378d6e5b030af5429fe2ca1763de0f053a The script "checkpatch.pl" can point information out like the following. WARNING: Prefer kcalloc over kzalloc with multiply Thus fix the affected source code place. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/606c22f3-5da5-2e84-783d-bfe5289b4a01@users.sourceforge.net 2016-09-21T11:24:27+00:00 Markus Elfring elfring@users.sourceforge.net 2016-09-19T15:17:34+00:00 urn:sha1:ed6dee41927b6acad9f209899f360d4167f3f452 The script "checkpatch.pl" can point information out like the following. WARNING: Prefer kcalloc over kzalloc with multiply Thus fix the affected source code places. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/51f88f44-130d-48ac-f531-32ca9ae3919f@users.sourceforge.net 2016-09-21T11:24:27+00:00 Markus Elfring elfring@users.sourceforge.net 2016-09-19T15:07:06+00:00 urn:sha1:2027400893a2fa03d764f62ca8e0c677d7691234 A multiplication for the size determination of a memory allocation indicated that an array data structure should be processed. Thus use the corresponding function "kmalloc_array". This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/b71c8fee-8e84-9f1b-8569-f1ae8b879cc5@users.sourceforge.net 2016-08-08T08:05:23+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2016-08-03T19:11:10+00:00 urn:sha1:fa5386459f06dc3b9181d4c954f980b127d1a32f Except for nouveau, only legacy drivers need this really. And nouveau is already marked up with DRIVER_KMS_LEGACY_CONTEXT as the special case. I've tried to be careful to leave everything related to modeset still using the DRIVER_MODESET flag. Otherwise it's a direct replacement of !DRIVER_MODESET with DRIVER_LEGACY checks. Also helps readability since fewer negative checks overall. Reviewed-by: David Herrmann <dh.herrmann@gmail.com> Reviewed-by: Frank Binns <frank.binns@imgtec.com> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/1470251470-30830-2-git-send-email-daniel.vetter@ffwll.ch 2016-06-21T19:43:24+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2016-06-21T08:54:12+00:00 urn:sha1:95c081c17f284de50eaca60d4d55643a64d39019 There can only be one current master, and it's for the overall device. Render/control minors don't support master-based auth at all. This simplifies the master logic a lot, at least in my eyes: All these additional pointer chases are just confusing. While doing the conversion I spotted some locking fail: - drm_lock/drm_auth check dev->master without holding the master_mutex. This is fallout from commit c996fd0b956450563454e7ccc97a82ca31f9d043 Author: Thomas Hellstrom <thellstrom@vmware.com> Date: Tue Feb 25 19:57:44 2014 +0100 drm: Protect the master management with a drm_device::master_mutex v3 but I honestly don't care one bit about those old legacy drivers using this. - debugfs name info should just grab master_mutex. - And the fbdev helper looked at it to figure out whether someone is using KMS. We just need a consistent value, so READ_ONCE. Aside: We should probably check if anyone has opened a control node too, but I guess current userspace doesn't really do that yet. v2: Balance locking, reported by Julia. v3: Rebase on top of Chris' oops fixes. Cc: Julia Lawall <julia.lawall@lip6.fr> Cc: Chris Wilson <chris@chris-wilson.co.uk> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> (v2) Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com> (v2) Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/1466499262-18717-1-git-send-email-daniel.vetter@ffwll.ch 2016-04-27T08:14:17+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2016-04-27T07:20:18+00:00 urn:sha1:40647e45b92b1da599048332ec8fbd40d8d29457 And again make sure it's a no-op for modern drivers. Another case of dev->struct_mutex gone for modern drivers! Note that the entirety of the legacy addmap interface is now protected by DRIVER_MODESET. Note that just auditing kernel code is not enough, since userspace loves to set up legacy maps on it's own for various things - with ums userspace and kernel space share control over resources. v2: Also add a DRIVER_* check like for all other maps functions to really short-circuit the code. And give drm_legacy_rmmap used by the dev unregister code the same treatment. v3: - remove redundant return; (Alex, Chris) - don't special case nouveau with DRIVER_KMS_LEGACY_CONTEXT. v4: Again special case nouveau. The problem is not directly in the ddx, but that it calls dri1 functions from the X server. And those do call drmAddMap. Fixed only in commit b1a630b48210d6a3c44994fce1b73273000ace5c Author: Dave Airlie <airlied@redhat.com> Date: Wed Nov 7 14:45:14 2012 +1000 nouveau: drop DRI1 device open interface. Acked-by: Alex Deucher <alexander.deucher@amd.com> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Alex Deucher <alexander.deucher@amd.com> Cc: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/1461741618-12679-1-git-send-email-daniel.vetter@ffwll.ch 2016-04-27T08:05:54+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2016-04-26T17:29:37+00:00 urn:sha1:e975eef07cbca53691f504318609bb95c7e5f1ac Like in commit 0e975980d435d58df2d430d688b8c18778b42218 Author: Peter Antoine <peter.antoine@intel.com> Date: Tue Jun 23 08:18:49 2015 +0100 drm: Turn off Legacy Context Functions we need to again make an exception for nouveau, but everyone else really doesn't need this. Dave Airlie dug out again why we need this: The problem is the legacy dri1 open function the nouveau ddx called, and the problematic code is actually in the X server itself. It was only fixed in commit b1a630b48210d6a3c44994fce1b73273000ace5c Author: Dave Airlie <airlied@redhat.com> Date: Wed Nov 7 14:45:14 2012 +1000 nouveau: drop DRI1 device open interface. Cc: Peter Antoine <peter.antoine@intel.com> Cc: Ben Skeggs <bskeggs@redhat.com> Acked-by: Alex Deucher <alexander.deucher@amd.com> Acked-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/1461691808-12414-5-git-send-email-daniel.vetter@ffwll.ch Link: http://patchwork.freedesktop.org/patch/msgid/1461691808-12414-6-git-send-email-daniel.vetter@ffwll.ch 2016-04-27T06:42:48+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2016-04-26T17:29:36+00:00 urn:sha1:ec1f52efc0406a72870a1fcb859f18dea24bcd8b It belongs right next to the addmap and rmmap functions really. And for OCD consistency name it drm_legacy_getmap_ioctl. Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/1461691808-12414-4-git-send-email-daniel.vetter@ffwll.ch