Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.302 2023-01-18T10:30:28+00:00 2023-01-18T10:30:28+00:00 Shang XiaoJing shangxiaojing@huawei.com 2022-12-08T01:33:41+00:00 urn:sha1:933cd25ce439b487ca69a3e8b564be1799f4b4a7 [ Upstream commit d1f0f50fbbbbca1e3e8157e51934613bf88f6d44 ] Add missing pci_disable_device() in fail path of mdpy_fb_probe(). Besides, fix missing release functions in mdpy_fb_remove(). Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver") Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com> Link: https://lore.kernel.org/r/20221208013341.3999-1-shangxiaojing@huawei.com Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-06-10T11:24:04+00:00 Wei Yongjun weiyongjun1@huawei.com 2021-05-20T13:36:41+00:00 urn:sha1:f12bd9caafedebd8e468cc3ec1dcee1920d7a9d2 [ Upstream commit 752774ce7793a1f8baa55aae31f3b4caac49cbe4 ] Fix to return a negative error code from the framebuffer_alloc() error handling case instead of 0, also release regions in some error handing cases. Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Message-Id: <20210520133641.1421378-1-weiyongjun1@huawei.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-04-29T14:31:27+00:00 Jann Horn jannh@google.com 2020-04-21T01:14:11+00:00 urn:sha1:d8da38eafa38b03c741aa63f688e5a77343a77be commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream. remap_vmalloc_range() has had various issues with the bounds checks it promises to perform ("This function checks that addr is a valid vmalloc'ed area, and that it is big enough to cover the vma") over time, e.g.: - not detecting pgoff<<PAGE_SHIFT overflow - not detecting (pgoff<<PAGE_SHIFT)+usize overflow - not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same vmalloc allocation - comparing a potentially wildly out-of-bounds pointer with the end of the vmalloc region In particular, since commit fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer dereferences by calling mmap() on a BPF map with a size that is bigger than the distance from the start of the BPF map to the end of the address space. This could theoretically be used as a kernel ASLR bypass, by using whether mmap() with a given offset oopses or returns an error code to perform a binary search over the possible address range. To allow remap_vmalloc_range_partial() to verify that addr and addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset to remap_vmalloc_range_partial() instead of adding it to the pointer in remap_vmalloc_range(). In remap_vmalloc_range_partial(), fix the check against get_vm_area_size() by using size comparisons instead of pointer comparisons, and add checks for pgoff. Fixes: 833423143c3a ("[PATCH] mm: introduce remap_vmalloc_range()") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: stable@vger.kernel.org Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Martin KaFai Lau <kafai@fb.com> Cc: Song Liu <songliubraving@fb.com> Cc: Yonghong Song <yhs@fb.com> Cc: Andrii Nakryiko <andriin@fb.com> Cc: John Fastabend <john.fastabend@gmail.com> Cc: KP Singh <kpsingh@chromium.org> Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-05T08:20:28+00:00 Nathan Chancellor natechancellor@gmail.com 2018-10-19T18:04:27+00:00 urn:sha1:005874c5170e70c92010a23d766f76f721ae52ba [ Upstream commit 8ba35b3a0046d6573c98f00461d9bd1b86250d35 ] Clang warns: samples/vfio-mdev/mtty.c:592:39: warning: implicit conversion from 'int' to 'char' changes value from 162 to -94 [-Wconstant-conversion] *buf = UART_MSR_DSR | UART_MSR_DDSR | UART_MSR_DCD; ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~ 1 warning generated. Turns out that all uses of buf in this function ultimately end up stored or cast to an unsigned type. Just use u8, which has the same number of bits but can store this larger number so Clang no longer warns. Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2018-07-11T19:22:41+00:00 Alexey Khoroshilov khoroshilov@ispras.ru 2018-07-06T20:50:06+00:00 urn:sha1:498e8bf51c633cc4496343e6113f340f8e9301ae mdev_access() calls mbochs_get_page() with mdev_state->ops_lock held, while mbochs_get_page() locks the mutex by itself. It leads to unavoidable deadlock. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2018-07-04T16:42:04+00:00 Souptick Joarder jrdr.linux@gmail.com 2018-07-04T15:30:14+00:00 urn:sha1:d7ef4899d7182f9d4267b4e4a5cc3689c1a04f25 convert mbochs_region_vm_fault and mbochs_dmabuf_vm_fault to return vm_fault_t type. Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2018-06-26T06:27:23+00:00 Gerd Hoffmann kraxel@redhat.com 2018-06-25T06:44:52+00:00 urn:sha1:7733e05b34f5d855c5590d816b41ddfee972d188 There is no default implementation for dma_buf_ops->unmap. So add a function unmapping the page, otherwise we'll leak them. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2018-06-26T06:27:22+00:00 Gerd Hoffmann kraxel@redhat.com 2018-06-25T06:44:51+00:00 urn:sha1:2203d8a76ea3b962559acfe3bb80eddfdfbc9cee Atomic mapping interface for dmabufs will be removed. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2018-06-08T16:24:16+00:00 Gerd Hoffmann kraxel@redhat.com 2018-05-11T15:05:04+00:00 urn:sha1:a5e6e6505f38f7bce1d3576503a2bffff3fa888c Display device, demo-ing the vfio dmabuf display interface (VFIO_GFX_PLANE_TYPE_DMABUF). Compatible enough to qemu stdvga that bochs-drm.ko can be used as guest driver. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2018-06-08T16:24:13+00:00 Gerd Hoffmann kraxel@redhat.com 2018-05-11T15:05:04+00:00 urn:sha1:cacade1946a41b38dcdf3defb0f931453587eac9 Guest fbdev driver for CONFIG_SAMPLE_VFIO_MDEV_MDPY. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>