Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.265 2020-08-05T08:06:01+00:00 2020-08-05T08:06:01+00:00 Steve Cohen cohens@codeaurora.org 2020-07-20T22:30:50+00:00 urn:sha1:80512b95fc8b372bb312a6a36aea1435ebb69761 commit 8490d6a7e0a0a6fab5c2d82d57a3937306660864 upstream. A use-after-free in drm_gem_open_ioctl can happen if the GEM object handle is closed between the idr lookup and retrieving the size from said object since a local reference is not being held at that point. Hold the local reference while the object can still be accessed to fix this and plug the potential security hole. Signed-off-by: Steve Cohen <cohens@codeaurora.org> Cc: stable@vger.kernel.org Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/1595284250-31580-1-git-send-email-cohens@codeaurora.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-13T15:14:04+00:00 Chris Wilson chris@chris-wilson.co.uk 2018-07-12T18:53:13+00:00 urn:sha1:3e977ac6179b39faa3c0eda5fce4f00663ae298d If the user has created a read-only object, they should not be allowed to circumvent the write protection by using a GGTT mmapping. Deny it. Also most machines do not support read-only GGTT PTEs, so again we have to reject attempted writes. Fortunately, this is known a priori, so we can at least reject in the call to create the mmap (with a sanity check in the fault handler). v2: Check the vma->vm_flags during mmap() to allow readonly access. v3: Remove VM_MAYWRITE to curtail mprotect() Testcase: igt/gem_userptr_blits/readonly_mmap* Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Jon Bloomfield <jon.bloomfield@intel.com> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Cc: Matthew Auld <matthew.william.auld@gmail.com> Cc: David Herrmann <dh.herrmann@gmail.com> Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com> #v1 Reviewed-by: Jon Bloomfield <jon.bloomfield@intel.com> Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20180712185315.3288-4-chris@chris-wilson.co.uk 2018-03-26T15:42:06+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2018-03-22T08:02:33+00:00 urn:sha1:3903117609f40a0bc21b8c48533ac07a574c4cdc It published the gem object to userspace, by that point other threads can guess the id and start using it. And gem IDs are _very_ easy to guess (it's just an idr). Since gem objects is the only thing we allow drivers to create themselves (all the kms/prime/syncobj stuff is handled by the core) no other functions seem to be in need of this clarification. Motivated by reviewing the xen-front kms driver. Cc: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com> Reviewed-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20180322080233.17266-1-daniel.vetter@ffwll.ch 2018-02-19T12:21:24+00:00 Chris Wilson chris@chris-wilson.co.uk 2018-02-12T14:55:33+00:00 urn:sha1:e86584c5377f4219781492ca164664bce40c0090 Use the new idr_init_base() function to create an IDR that knows id==0 is never allocated as it maps to an invalid identifier. By knowing that id==0 is invalid, the IDR can start from id=1 instead avoiding the issue of having to start each lookup from the zeroth leaf as id==0 is always unused (and thus the tree-of-bitmaps indicate that is the first available). References: 6ce711f27500 ("idr: Make 1-based IDRs more efficient") Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Christian Konig <christian.koenig@amd.com> Cc: Dave Airlie <airlied@redhat.com> Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Acked-by: Christian König <christian.koenig@amd.com> as well. Link: https://patchwork.freedesktop.org/patch/msgid/20180212145533.30046-1-chris@chris-wilson.co.uk 2017-11-11T10:21:19+00:00 Noralf Trønnes noralf@tronnes.org 2017-11-07T19:13:40+00:00 urn:sha1:45d58b40292b16ab847497dcd299e315a2ad7956 Add debugfs file that dumps info about the framebuffers and its planes. Also dump info about any connected gem object(s). Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Noralf Trønnes <noralf@tronnes.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Link: https://patchwork.freedesktop.org/patch/msgid/20171107191348.17555-5-noralf@tronnes.org 2017-10-27T15:20:09+00:00 Noralf Trønnes noralf@tronnes.org 2017-10-26T16:57:26+00:00 urn:sha1:1dd3a060c7d01c00a3c2b18eff5a3428b9e2c28f Remove two trailing spaces. Signed-off-by: Noralf Trønnes <noralf@tronnes.org> Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20171026165731.5793-4-noralf@tronnes.org 2017-10-04T16:04:28+00:00 Jordan Crouse jcrouse@codeaurora.org 2017-10-03T15:38:10+00:00 urn:sha1:5b9fbfff7644f2d3f42a6c105587b86e29ca9c48 I spent an embarrassingly long time looking for drm_gem_init_object() before I realized I was actually looking for drm_gem_object_init(). Fix the typo to keep other poor developers from suffering the same fate. Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/1507045091-6550-1-git-send-email-jcrouse@codeaurora.org 2017-10-03T09:09:16+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2017-10-03T09:09:16+00:00 urn:sha1:0d3c24e936feefeca854073ccb40613cd6eba9a9 Just catching up with upstream. Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> 2017-09-27T19:46:15+00:00 Dave Airlie airlied@redhat.com 2017-09-27T19:45:27+00:00 urn:sha1:29baa82aa55f40d67cfc8138c944fd8880c27e8e UAPI Changes: Cross-subsystem Changes: Core Changes: - DP SDP defines (Ville) - polish for scdc helpers (Thierry Reding) - fix lifetimes for connector/plane state across crtc changes (Maarten Lankhorst). - sparse fixes (Ville+Thierry) - make legacy kms ioctls all interruptible (Maarten) - push edid override into the edid helpers (out of probe helpers) (Jani) - DP ESI defines for link status (DK) Driver Changes: - drm-panel is now in drm-misc! - minor panel-simple cleanups/refactoring by various folks - drm_bridge_add cleanup (Inki Dae) - constify a few i2c_device_id structs (Arvind Yadav) - More patches from Noralf's fb/gem helper cleanup - bridge/synopsis: reset fix (Philippe Cornu) - fix tracepoint include handling in drivers (Thierry) - rockchip: lvds support (Sandy Huang) - move sun4i into drm-misc fold (Maxime Ripard) - sun4i: refactor driver load + support TCON backend/layer muxing (Chen-Yu Tsai) - pl111: support more pl11x variants (Linus Walleij) - bridge/adv7511: robustify probing/edid handling (Lars-Petersen Clausen) New hw support: - S6E63J0X03 panel (Hoegeun Kwon) - OTM8009A panel (Philippe CORNU) - Seiko 43WVF1G panel (Marco Franchi) - tve200 driver (Linus Walleij) Plus assorted of tiny patches all over, including our first outreachy patches from applicants for the winter round! * tag 'drm-misc-next-2017-09-20' of git://anongit.freedesktop.org/git/drm-misc: (101 commits) drm: add backwards compatibility support for drm_kms_helper.edid_firmware drm: handle override and firmware EDID at drm_do_get_edid() level drm/dp: DPCD register defines for link status within ESI field drm/rockchip: Replace dev_* with DRM_DEV_* drm/tinydrm: Drop driver registered message drm/gem-fb-helper: Use debug message on gem lookup failure drm/imx: Use drm_gem_fb_create() and drm_gem_fb_prepare_fb() drm/bridge: adv7511: Constify HDMI CODEC platform data drm/bridge: adv7511: Enable connector polling when no interrupt is specified drm/bridge: adv7511: Remove private copy of the EDID drm/bridge: adv7511: Properly update EDID when no EDID was found drm/crtc: Convert setcrtc ioctl locking to interruptible. drm/atomic: Convert pageflip ioctl locking to interruptible. drm/legacy: Convert setplane ioctl locking to interruptible. drm/legacy: Convert cursor ioctl locking to interruptible. drm/atomic: Convert atomic ioctl locking to interruptible. drm/atomic: Prepare drm_modeset_lock infrastructure for interruptible waiting, v2. drm/tve200: Clean up panel bridging drm/doc: Update todo.rst drm/dp/mst: Sideband message transaction to power up/down nodes ... 2017-09-26T05:23:18+00:00 Haneen Mohammed hamohammed.sa@gmail.com 2017-09-21T21:04:24+00:00 urn:sha1:3fbe2e184d2fbc353425efa7b788aba64374119b Remove obsolete comment which was initially added in 2008 to annotate that idr_find() was used before idr_remove() since idr_remove() didn't use to return feedback. The comment now is irrelevant with commit f6cd7daecff5 ("drm: Release driver references to handle before making it available again"). Signed-off-by: Haneen Mohammed <hamohammed.sa@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20170921210424.GA21951@Haneen