<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/gpu/drm/drm_ioctl.c, branch v4.9.218</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v4.9.218</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v4.9.218'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2018-12-29T12:40:16+00:00</updated>
<entry>
<title>drm/ioctl: Fix Spectre v1 vulnerabilities</title>
<updated>2018-12-29T12:40:16+00:00</updated>
<author>
<name>Gustavo A. R. Silva</name>
<email>gustavo@embeddedor.com</email>
</author>
<published>2018-12-20T00:00:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=00279b505289f7529d9be2e78915d0483ffbd314'/>
<id>urn:sha1:00279b505289f7529d9be2e78915d0483ffbd314</id>
<content type='text'>
commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.

nr is indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev-&gt;driver-&gt;ioctls' [r]
drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)

Fix this by sanitizing nr before using it to index dev-&gt;driver-&gt;ioctls
and drm_ioctls.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&amp;m=152449131114778&amp;w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva &lt;gustavo@embeddedor.com&gt;
Signed-off-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>drm: Don't call drm_for_each_crtc with a non-KMS driver</title>
<updated>2016-11-30T09:13:00+00:00</updated>
<author>
<name>Michel Dänzer</name>
<email>michel.daenzer@amd.com</email>
</author>
<published>2016-11-30T08:30:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e94bd1736f1f60e916a85a80c0b0ebeaae36cce5'/>
<id>urn:sha1:e94bd1736f1f60e916a85a80c0b0ebeaae36cce5</id>
<content type='text'>
Fixes oops if userspace calls DRM_IOCTL_GET_CAP for
DRM_CAP_PAGE_FLIP_TARGET on a non-KMS device node. (Normal userspace
doesn't do that, discovered by syzkaller)

Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Fixes: f837297ad824 ("drm: Add DRM_MODE_PAGE_FLIP_TARGET_ABSOLUTE/RELATIVE flags v2")
Cc: stable@vger.kernel.org
Signed-off-by: Michel Dänzer &lt;michel.daenzer@amd.com&gt;
Signed-off-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: http://patchwork.freedesktop.org/patch/msgid/20161130083002.1520-1-michel@daenzer.net
</content>
</entry>
<entry>
<title>drm: drop obsolete drm_core.h</title>
<updated>2016-09-19T11:57:38+00:00</updated>
<author>
<name>David Herrmann</name>
<email>dh.herrmann@gmail.com</email>
</author>
<published>2016-09-01T12:48:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=82d5e73f6b7955867fc86314430bf923ab9cc485'/>
<id>urn:sha1:82d5e73f6b7955867fc86314430bf923ab9cc485</id>
<content type='text'>
The drm_core.h header contains a set of constants meant to be used
throughout DRM. However, as it turns out, they're each used just once and
don't bring any benefit. They're also grossly mis-named and lack
name-spacing. This patch inlines them, or moves them into drm_internal.h
as appropriate:

 - CORE_AUTHOR and CORE_DESC are inlined into corresponding MODULE_*()
   macros. It's just confusing having to follow 2 pointers when trying to
   find the definition of these fields. Grep'ping for MODULE_AUTHOR()
   should reveal the full information, if there's no strong reason not to.

 - CORE_NAME, CORE_DATE, CORE_MAJOR, CORE_MINOR, and CORE_PATCHLEVEL are
   inlined into the sysfs 'version' attribute. They're stripped
   everywhere else (which is just some printk() statements). CORE_NAME
   just doesn't make *any* sense, as we hard-code it in many places,
   anyway. The other constants are outdated and just serve
   binary-compatibility purposes. Hence, inline them in 'version' sysfs
   attribute (we might even try dropping it..).

 - DRM_IF_MAJOR and DRM_IF_MINOR are moved into drm_internal.h as they're
   only used by the global ioctl handlers. Furthermore, versioning
   interfaces breaks backports and as such is deprecated, anyway. We just
   keep them for historic reasons. I doubt anyone will ever modify them
   again.

Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: http://patchwork.freedesktop.org/patch/msgid/20160901124837.680-6-dh.herrmann@gmail.com
</content>
</entry>
<entry>
<title>Merge tag 'topic/drm-misc-2016-08-31' of git://anongit.freedesktop.org/drm-intel into drm-next</title>
<updated>2016-08-31T20:15:38+00:00</updated>
<author>
<name>Dave Airlie</name>
<email>airlied@redhat.com</email>
</author>
<published>2016-08-31T20:15:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5e7a1d0170b06b1557768d6ddc93da1aed02961a'/>
<id>urn:sha1:5e7a1d0170b06b1557768d6ddc93da1aed02961a</id>
<content type='text'>
More -misc stuff
- moar drm_crtc.c split up&amp;documentation
- some fixes for the simple kms helpers (Andrea)
- I included all the dri1 patches from David - we're not removing any code
  or drivers, and it seems to have worked as a wake-up call to motivate a
  few more people to upstream kms conversions for these. Feel free to
  revert if you disagree strongly.
- a few other single patches

* tag 'topic/drm-misc-2016-08-31' of git://anongit.freedesktop.org/drm-intel: (24 commits)
  drm: drm_probe_helper: Fix output_poll_work scheduling
  drm: bridge/dw-hdmi: Fix colorspace and scan information registers values
  drm/doc: Polish docs for drm_property&amp;drm_property_blob
  drm: Unify handling of blob and object properties
  drm: Extract drm_property.[hc]
  drm: move drm_mode_legacy_fb_format to drm_fourcc.c
  drm/doc: Polish docs for drm_mode_object
  drm: Remove drm_mode_object-&gt;atomic_count
  drm: Extract drm_mode_object.[hc]
  drm/doc: Polish kerneldoc for encoders
  drm: Extract drm_encoder.[hc]
  drm/fb-helper: don't call remove_conflicting_framebuffers for FB=m &amp;&amp; DRM=y
  drm/atomic-helper: Add NO_DISABLE_AFTER_MODESET flag support for plane commit
  drm/atomic-helper: Disable appropriate planes in disable_planes_on_crtc()
  drm/atomic-helper: Add atomic_disable CRTC helper callback
  drm: simple_kms_helper: add support for bridges
  drm: simple_kms_helper: make connector optional at init time
  drm/bridge: introduce bridge detaching mechanism
  drm/simple-helpers: Always add planes to the state update
  drm: reduce GETCLIENT to a minimum
  ...
</content>
</entry>
<entry>
<title>drm: reduce GETCLIENT to a minimum</title>
<updated>2016-08-25T14:57:26+00:00</updated>
<author>
<name>David Herrmann</name>
<email>dh.herrmann@gmail.com</email>
</author>
<published>2016-08-25T14:35:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a8c798186b932e048abfd0adbec295e9a0cc847a'/>
<id>urn:sha1:a8c798186b932e048abfd0adbec295e9a0cc847a</id>
<content type='text'>
The *only* known user of GETCLIENT is libva, which uses it to check
whether its own context is authenticated. It used to iterate all clients,
look for one that matches its own pid and then check its state.

The entire purpose for us to still have a GETCLIENT implementation is to
serve libva. So let's not pretend we do anything else: Make this function
return information on the caller's context only, fake the PID to the
caller's pid so they always match, and just fill in the "authenticated"
bit, nothing else.

This patch reduces the complexity of GETCLIENT to a bare minimum, avoids
any dependency on priv-&gt;uid or priv-&gt;pid (allows us to get rid of them),
and makes libva happy by always *exactly* returning the information it
wants.

Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: http://patchwork.freedesktop.org/patch/msgid/20160825143505.7447-1-dh.herrmann@gmail.com
</content>
</entry>
<entry>
<title>Merge branch 'drm-next-4.9' of git://people.freedesktop.org/~agd5f/linux into drm-next</title>
<updated>2016-08-25T02:59:50+00:00</updated>
<author>
<name>Dave Airlie</name>
<email>airlied@redhat.com</email>
</author>
<published>2016-08-25T02:59:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e9c3ddee6a08c5b25cdb06b524320a5a98250513'/>
<id>urn:sha1:e9c3ddee6a08c5b25cdb06b524320a5a98250513</id>
<content type='text'>
First drm-next pull for radeon and amdgpu for 4.9.  Highlights:
- powerplay support for iceland asics
- improved GPU reset (both full asic and per block)
- UVD and VCE powergating for CZ and ST
- VCE clockgating for CZ and ST
- Support for pre-initialized (e.g., zeroed) vram buffers
- ttm cleanups
- virtual display support
- core and radeon/amdgpu support for page_flip_target
- lots of bug fixes and clean ups

* 'drm-next-4.9' of git://people.freedesktop.org/~agd5f/linux: (171 commits)
  drm/amdgpu: use memcpy_toio for VCE firmware upload
  drm/amdgpu: use memcpy_to/fromio for UVD fw upload
  drm/amd/powerplay: delete useless code in iceland_hwmgr.c.
  drm/radeon: switch UVD code to use UVD_NO_OP for padding
  drm/amdgpu: switch UVD code to use UVD_NO_OP for padding
  drm/radeon: add support for UVD_NO_OP register
  drm/amdgpu: add support for UVD_NO_OP register
  drm/amdgpu: fix VCE ib alignment value
  drm/amdgpu: fix IB alignment for UVD
  drm/amd/amdgpu: Print ring name in amdgpu_ib_schedule()
  drm/radeon: remove dead code, si_mc_load_microcode (v2)
  drm/radeon/cik: remove dead code (v2)
  drm/amd/powerplay: avoid NULL dereference, cz_hwmgr.c
  drm/amd/powerplay: avoid NULL pointer dereference
  drm/amdgpu/gmc8: remove dead code (v2)
  drm/amdgpu/gmc7: remove dead code (v2)
  drm/amdgpu: Fix indentation in dce_v8_0_audio_write_sad_regs()
  drm/amdgpu: Use correct mask in dce_v8_0_afmt_setmode() and fix comment typos.
  drm/amdgpu: cleanup amdgpu_vm_bo_update params
  drm/amdgpu: stop adding dummy entry in amdgpu_ttm_placement_init
  ...
</content>
</entry>
<entry>
<title>drm: Add DRM_MODE_PAGE_FLIP_TARGET_ABSOLUTE/RELATIVE flags v2</title>
<updated>2016-08-10T18:28:09+00:00</updated>
<author>
<name>Michel Dänzer</name>
<email>michel.daenzer@amd.com</email>
</author>
<published>2016-08-08T07:23:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f837297ad82480024d3ad08cd84f6670bcafa862'/>
<id>urn:sha1:f837297ad82480024d3ad08cd84f6670bcafa862</id>
<content type='text'>
These flags allow userspace to explicitly specify the target vertical
blank period when a flip should take effect.

v2:
* Add new struct drm_mode_crtc_page_flip_target instead of modifying
  struct drm_mode_crtc_page_flip, to make sure all existing userspace
  code keeps compiling (Daniel Vetter)

Acked-by: Christian König &lt;christian.koenig@amd.com&gt;
Reviewed-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Signed-off-by: Michel Dänzer &lt;michel.daenzer@amd.com&gt;
Signed-off-by: Alex Deucher &lt;alexander.deucher@amd.com&gt;
</content>
</entry>
<entry>
<title>drm: Used DRM_LEGACY for all legacy functions</title>
<updated>2016-08-08T08:05:23+00:00</updated>
<author>
<name>Daniel Vetter</name>
<email>daniel.vetter@ffwll.ch</email>
</author>
<published>2016-08-03T19:11:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=fa5386459f06dc3b9181d4c954f980b127d1a32f'/>
<id>urn:sha1:fa5386459f06dc3b9181d4c954f980b127d1a32f</id>
<content type='text'>
Except for nouveau, only legacy drivers need this really. And nouveau
is already marked up with DRIVER_KMS_LEGACY_CONTEXT as the special
case.

I've tried to be careful to leave everything related to modeset still
using the DRIVER_MODESET flag. Otherwise it's a direct replacement of
!DRIVER_MODESET with DRIVER_LEGACY checks. Also helps readability
since fewer negative checks overall.

Reviewed-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Reviewed-by: Frank Binns &lt;frank.binns@imgtec.com&gt;
Signed-off-by: Daniel Vetter &lt;daniel.vetter@intel.com&gt;
Link: http://patchwork.freedesktop.org/patch/msgid/1470251470-30830-2-git-send-email-daniel.vetter@ffwll.ch
</content>
</entry>
<entry>
<title>drm: Don't overwrite user ioctl arg unless requested</title>
<updated>2016-07-14T08:12:50+00:00</updated>
<author>
<name>Chris Wilson</name>
<email>chris@chris-wilson.co.uk</email>
</author>
<published>2016-07-12T14:59:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=01d3434a565ada5ca084c68ec1e087ada5a7b157'/>
<id>urn:sha1:01d3434a565ada5ca084c68ec1e087ada5a7b157</id>
<content type='text'>
Currently, we completely ignore the user when it comes to the in/out
direction of the ioctl argument, as we simply cannot trust userspace.
(For example, they might request a copy of the modified ioctl argument
when the driver is not expecting such and so leak kernel stack.)
However, blindly copying over the target address may also lead to a
spurious EFAULT, and a failure after the ioctl was completed
successfully. This is important in order to avoid an ABI break when
extending an ioctl from IOR to IORW. Similar to how we only copy the
intersection of the kernel arg size and the user arg size, we only want
to copy back the kernel arg data iff both the kernel and userspace
request the copy.

Signed-off-by: Chris Wilson &lt;chris@chris-wilson.co.uk&gt;
Reviewed-by: Christian König &lt;christian.koenig@amd.com&gt;
Signed-off-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: http://patchwork.freedesktop.org/patch/msgid/1468335590-21023-1-git-send-email-chris@chris-wilson.co.uk
</content>
</entry>
<entry>
<title>drm: Fix a typo in drm_ioctl.c</title>
<updated>2016-06-30T09:04:44+00:00</updated>
<author>
<name>Masanari Iida</name>
<email>standby24x7@gmail.com</email>
</author>
<published>2016-06-29T23:47:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2ae995887830b335f9bdab3040018071da54bcdb'/>
<id>urn:sha1:2ae995887830b335f9bdab3040018071da54bcdb</id>
<content type='text'>
This patch fixes a spelling typo found in
Documentation/DocBook/gpu/API-drm-ioctl-flags.html
Because the html file was created from comments in source,
I have to fix the source.

Signed-off-by: Masanari Iida &lt;standby24x7@gmail.com&gt;
Signed-off-by: Jani Nikula &lt;jani.nikula@intel.com&gt;
Link: http://patchwork.freedesktop.org/patch/msgid/20160629234706.31209-1-standby24x7@gmail.com
</content>
</entry>
</feed>
