Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.11.5 2017-06-14T13:07:49+00:00 2017-06-14T13:07:49+00:00 Sinclair Yeh syeh@vmware.com 2017-06-02T05:50:57+00:00 urn:sha1:3bc7a4a5643e79a819ac56132826480d5102d48c commit 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c upstream. When vmw_gb_surface_define_ioctl() is called with an existing buffer, we end up returning an uninitialized variable in the backup_handle. The fix is to first initialize backup_handle to 0 just to be sure, and second, when a user-provided buffer is found, we will use the req->buffer_handle as the backup_handle. Reported-by: Murray McAllister <murray.mcallister@insomniasec.com> Signed-off-by: Sinclair Yeh <syeh@vmware.com> Reviewed-by: Deepak Rawat <drawat@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-06-14T13:07:49+00:00 Vladis Dronov vdronov@redhat.com 2017-06-02T05:42:09+00:00 urn:sha1:6a6a4857199fb593b2e14621304546977a5acff3 commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf upstream. The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is a user-controlled 'uint32_t' value which is used as a loop count limit. This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'. References: https://bugzilla.redhat.com/show_bug.cgi?id=1437431 Signed-off-by: Vladis Dronov <vdronov@redhat.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-06-14T13:07:49+00:00 Dan Carpenter dan.carpenter@oracle.com 2017-04-27T09:12:08+00:00 urn:sha1:8c704276e2441a9c90845751c5adc023a8cb719b commit f0c62e9878024300319ba2438adc7b06c6b9c448 upstream. If vmalloc() fails then we need to a bit of cleanup before returning. Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-03-30T09:46:26+00:00 Li Qiang liq3ea@gmail.com 2017-03-28T03:10:53+00:00 urn:sha1:e7e11f99564222d82f0ce84bd521e57d78a6b678 In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the 'req->mip_levels' array. This array can be assigned any value from the user space. As both the 'num_sizes' and the array is uint32_t, it is easy to make 'num_sizes' overflow. The later 'mip_levels' is used as the loop count. This can lead an oob write. Add the check of 'req->mip_levels' to avoid this. Cc: <stable@vger.kernel.org> Signed-off-by: Li Qiang <liqiang6-s@360.cn> Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com> 2017-03-30T09:43:40+00:00 Thomas Hellstrom thellstrom@vmware.com 2017-03-27T11:06:05+00:00 urn:sha1:53e16798b0864464c5444a204e1bb93ae246c429 The mesa winsys sometimes uses unimplemented parameter requests to check for features. Remove the error message to avoid bloating the kernel log. Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Brian Paul <brianp@vmware.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> 2017-03-30T09:43:39+00:00 Thomas Hellstrom thellstrom@vmware.com 2017-03-27T09:21:25+00:00 urn:sha1:fe25deb7737ce6c0879ccf79c99fa1221d428bf2 Previously, when a surface was opened using a legacy (non prime) handle, it was verified to have been created by a client in the same master realm. Relax this so that opening is also allowed recursively if the client already has the surface open. This works around a regression in svga mesa where opening of a shared surface is used recursively to obtain surface information. Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> 2017-03-30T09:43:37+00:00 Murray McAllister murray.mcallister@insomniasec.com 2017-03-27T09:15:12+00:00 urn:sha1:63774069d9527a1aeaa4aa20e929ef5e8e9ecc38 In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()), which can leak useful addresses to dmesg. Add check to avoid a size of 0. Cc: <stable@vger.kernel.org> Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> 2017-03-30T09:43:23+00:00 Murray McAllister murray.mcallister@insomniasec.com 2017-03-27T09:12:53+00:00 urn:sha1:36274ab8c596f1240c606bb514da329add2a1bcd Before memory allocations vmw_surface_define_ioctl() checks the upper-bounds of a user-supplied size, but does not check if the supplied size is 0. Add check to avoid NULL pointer dereferences. Cc: <stable@vger.kernel.org> Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> 2017-03-30T09:42:54+00:00 Thomas Hellstrom thellstrom@vmware.com 2017-03-27T09:09:08+00:00 urn:sha1:f7652afa8eadb416b23eb57dec6f158529942041 A malicious caller could otherwise hand over handles to other objects causing all sorts of interesting problems. Testing done: Ran a Fedora 25 desktop using both Xorg and gnome-shell/Wayland. Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> 2017-02-26T21:52:28+00:00 Thomas Hellstrom thellstrom@vmware.com 2017-02-21T10:42:27+00:00 urn:sha1:31788ca803a0c89078f9e604e64286fbd9077926 vmware tools has a daemon that gets layout information from the GUI and forwards it to DRM so that the modesetting code can set preferred connector locations and modes. This daemon was using control nodes but since control nodes were just removed, make it possible for the daemon to use render- or primary nodes instead. This is a bit ugly but will allow drm to proceed with removal of the mostly unused control-node code and allow vmware to proceed with fixing up automatic layout settings for gnome-shell/wayland. We bump minor to inform user-space about the api change. Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/20170221104227.2854-1-thellstrom@vmware.com