Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.16.61 2018-10-21T07:45:32+00:00 2018-10-21T07:45:32+00:00 Ben Hutchings ben.hutchings@codethink.co.uk 2018-04-03T22:38:45+00:00 urn:sha1:c8c5f27c65b455c88467ca1d27ddd3d8627de510 commit 3976626ea3d2011f8fd3f3a47070a8b792018253 upstream. Commit 62e3a3e342af changed get_pages() to initialise msm_gem_object::pages before trying to initialise msm_gem_object::sgt, so that put_pages() would properly clean up pages in the failure case. However, this means that put_pages() now needs to check that msm_gem_object::sgt is not null before trying to clean it up, and this check was only applied to part of the cleanup code. Move it all into the conditional block. (Strictly speaking we don't need to make the kfree() conditional, but since we can't avoid checking for null ourselves we may as well do so.) Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages") Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org> Signed-off-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2018-10-21T07:45:32+00:00 Prakash Kamliya pkamliya@codeaurora.org 2017-12-04T13:40:15+00:00 urn:sha1:8dcde37f36dfc26a28701529041b4f5d1e9c7919 commit 62e3a3e342af3c313ab38603811ecdb1fcc79edb upstream. get_pages doesn't keep a reference of the pages allocated when it fails later in the code path. This can lead to a memory leak. Keep reference of the allocated pages so that it can be freed when msm_gem_free_object gets called later during cleanup. Signed-off-by: Prakash Kamliya <pkamliya@codeaurora.org> Signed-off-by: Sharat Masetty <smasetty@codeaurora.org> Signed-off-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2017-11-11T13:33:13+00:00 Dan Carpenter dan.carpenter@oracle.com 2017-06-30T07:59:15+00:00 urn:sha1:7bdb3e7e18fefdf70fc821763395f715ecfc0827 commit 65e93108891e571f177c202add9288eda9ac4100 upstream. We recently added an integer overflow check but it needs an additional tweak to work properly on 32 bit systems. The problem is that we're doing the right hand side of the assignment as type unsigned long so the max it will have an integer overflow instead of being larger than SIZE_MAX. That means the "sz > SIZE_MAX" condition is never true even on 32 bit systems. We need to first cast it to u64 and then do the math. Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Jordan Crouse <jcrouse@codeaurora.org> Signed-off-by: Rob Clark <robdclark@gmail.com> [bwh: Backported to 3.16: submit_create() only supports a variable number of bos] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2017-11-11T13:33:12+00:00 Kasin Li donglil@codeaurora.org 2017-06-19T21:36:53+00:00 urn:sha1:c73391e6723e4117c79970e6fa6540797c09f6f4 commit 4a630fadbb29d9efaedb525f1a8f7449ad107641 upstream. In function submit_create, if nr_cmds or nr_bos is assigned with negative value, the allocated buffer may be small than intended. Using this buffer will lead to buffer overflow issue. Signed-off-by: Kasin Li <donglil@codeaurora.org> Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org> Signed-off-by: Rob Clark <robdclark@gmail.com> [bwh: Backported to 3.16: submit_create() only supports a variable number of bos] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2017-10-12T14:27:50+00:00 Liviu Dudau Liviu.Dudau@arm.com 2017-06-15T14:13:46+00:00 urn:sha1:6d8c76588c1b03d63c8b76eaabac7a537e2d6714 commit ffe8f53f9cc73fb25c8f78d4aed7ddf285503a60 upstream. Commit c0c0d9eeeb8d ("drm/msm: hdmi audio support") uses logical OR operators to build up a value to be written in the REG_HDMI_AUDIO_INFO0 and REG_HDMI_AUDIO_INFO1 registers when it should have used bitwise operators. Signed-off-by: Liviu Dudau <liviu.dudau@arm.com> Fixes: c0c0d9eeeb8d ("drm/msm: hdmi audio support") Signed-off-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2016-11-20T01:17:19+00:00 Rob Clark robdclark@gmail.com 2016-08-22T19:28:38+00:00 urn:sha1:1cc8a445b03b92080db94c268abe2bdbbcd95257 commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream. An evil userspace could try to cause deadlock by passing an unfaulted-in GEM bo as submit->bos (or submit->cmds) table. Which will trigger msm_gem_fault() while we already hold struct_mutex. See: https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c Signed-off-by: Rob Clark <robdclark@gmail.com> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2016-11-20T01:17:19+00:00 Rob Clark robdclark@gmail.com 2016-08-22T19:15:23+00:00 urn:sha1:b7ba904bad346d696713970413ac97c3f7fb8215 commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 upstream. Use instead __copy_from_user_inatomic() and fallback to slow-path where we drop and re-aquire the lock in case of fault. Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com> Signed-off-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2016-11-20T01:17:19+00:00 Rob Clark robdclark@gmail.com 2016-05-17T19:43:35+00:00 urn:sha1:cc5fdd0cc3ed004df9f15f5ce3c9f2432fc037c5 commit b5b4c264df4d270819676b290cef9a11d04c35f0 upstream. Be kinder to things that do lots of signal handling (ie. Xorg) Signed-off-by: Rob Clark <robdclark@gmail.com> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2014-06-22T12:32:10+00:00 Stephane Viau sviau@codeaurora.org 2014-06-17T14:32:37+00:00 urn:sha1:87e956e9be0cdb832e90a4731b620286a8826842 If probe fails after IOMMU is attached, we need to detach in order to clean up properly. Before this change, IOMMU faults would occur if the probe failed (-EPROBE_DEFER). Signed-off-by: Stephane Viau <sviau@codeaurora.org> Signed-off-by: Rob Clark <robdclark@gmail.com> 2014-06-22T12:32:10+00:00 Fabian Frederick fabf@skynet.be 2014-06-14T22:24:26+00:00 urn:sha1:cf3198c2051a180d0cb469b275b2fb30a0533772 use mm.h definition Cc: David Airlie <airlied@linux.ie> Cc: Rob Clark <robdclark@gmail.com> Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Rob Clark <robdclark@gmail.com>