linux/drivers/gpu/drm
Mastan Katragadda 312d3d4f49 drm/i915/gem: add missing boundary check in vm_access
commit 3886a86e7e upstream.

A missing bounds check in vm_access() can lead to an out-of-bounds read
or write in the adjacent memory area, since the len attribute is not
validated before the memcpy later in the function, potentially hitting:

[  183.637831] BUG: unable to handle page fault for address: ffffc90000c86000
[  183.637934] #PF: supervisor read access in kernel mode
[  183.637997] #PF: error_code(0x0000) - not-present page
[  183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0
[  183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI
[  183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G      D           5.17.0-rc6-ci-drm-11296+ #1
[  183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019
[  183.638430] RIP: 0010:memcpy_erms+0x6/0x10
[  183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246
[  183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc
[  183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004
[  183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000
[  183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000
[  183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000
[  183.645653] FS:  00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000
[  183.646570] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0
[  183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  183.650142] Call Trace:
[  183.650988]  <TASK>
[  183.651793]  vm_access+0x1f0/0x2a0 [i915]
[  183.652726]  __access_remote_vm+0x224/0x380
[  183.653561]  mem_rw.isra.0+0xf9/0x190
[  183.654402]  vfs_read+0x9d/0x1b0
[  183.655238]  ksys_read+0x63/0xe0
[  183.656065]  do_syscall_64+0x38/0xc0
[  183.656882]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  183.657663] RIP: 0033:0x7fe5ef725142
[  183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142
[  183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005
[  183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046
[  183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0
[  183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000

Changes since v1:
     - Updated if condition with range_overflows_t [Chris Wilson]

Fixes: 9f909e215f ("drm/i915: Implement vm_ops->access for gdb access into mmaps")
Signed-off-by: Mastan Katragadda <mastanx.katragadda@intel.com>
Suggested-by: Adam Zabrocki <adamza@microsoft.com>
Reported-by: Jackson Cody <cody.jackson@intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Sudeep Dutt <sudeep.dutt@intel.com>
Cc: <stable@vger.kernel.org> # v5.8+
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
[mauld: tidy up the commit message and add Cc: stable]
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220303060428.1668844-1-mastanx.katragadda@intel.com
(cherry picked from commit 661412e301)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-08 14:23:04 +02:00
amd drm/amdgpu: only check for _PR3 on dGPUs 2022-04-08 14:22:48 +02:00
arm drm/arm/hdlcd: Convert to Linux IRQ interfaces 2021-08-10 20:00:51 +02:00
armada drm/aperture: Pass DRM driver structure instead of driver name 2021-07-01 11:11:55 +02:00
aspeed drm/aspeed: Fix vga_pw sysfs output 2021-12-01 09:04:47 +01:00
ast Revert "drm/ast: Support 1600x900 with 108MHz PCLK" 2022-02-01 17:27:13 +01:00
atmel-hlcdc drm/atmel-hlcdc: Convert to Linux IRQ interfaces 2021-08-10 20:00:58 +02:00
bridge drm: Don't make DRM_PANEL_BRIDGE dependent on DRM_KMS_HELPERS 2022-03-23 09:16:42 +01:00
etnaviv drm/etnaviv: relax submit size limits 2022-02-01 17:27:01 +01:00
exynos drm/exynos: Make use of the helper function devm_platform_ioremap_resource() 2021-09-16 14:05:07 +09:00
fsl-dcu drm/fsl-dcu: Convert to Linux IRQ interfaces 2021-08-10 20:13:25 +02:00
gma500 drm/gma500: Convert to Linux IRQ interfaces 2021-08-10 20:13:32 +02:00
gud drm/gud: Get offset-adjusted mapping from drm_gem_fb_vmap() 2021-08-08 20:27:24 +02:00
hisilicon drm-misc-next for v5.15: 2021-07-30 14:52:00 +10:00
hyperv drm/hyperv: Fix device removal on Gen1 VMs 2021-12-01 09:04:51 +01:00
i2c
i810 drm: IRQ midlayer is now legacy 2021-08-10 20:14:01 +02:00
i915 drm/i915/gem: add missing boundary check in vm_access 2022-04-08 14:23:04 +02:00
imx drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check() 2022-03-23 09:16:42 +01:00
ingenic drm/ingenic: Use standard drm_atomic_helper_commit_tail 2021-08-11 15:49:15 +02:00
kmb drm/kmb: Fix for build errors with Warray-bounds 2022-02-08 18:34:09 +01:00
lib
lima drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y 2022-01-27 11:04:23 +01:00
mcde drm-misc-next for v5.15: 2021-07-30 14:52:00 +10:00
mediatek drm/mediatek: mtk_dsi: Reset the dsi0 hardware 2022-03-08 19:12:41 +01:00
meson drm for v5.15-rc1 2021-09-01 11:26:46 -07:00
mga drm: IRQ midlayer is now legacy 2021-08-10 20:14:01 +02:00
mgag200 mgag200 fix memmapsl configuration in GCTL6 register 2022-04-08 14:23:00 +02:00
msm drm/msm/a6xx: Add missing suspend_count increment 2022-02-01 17:27:13 +01:00
mxsfb drm: mxsfb: Fix NULL pointer dereference 2022-03-08 19:12:40 +01:00
nouveau drm/nouveau/backlight: Just set all backlight types as RAW 2022-04-08 14:23:03 +02:00
omapdrm drm/bridge: Centralize error message when bridge attach fails 2021-07-28 16:33:12 +03:00
panel drm: Don't make DRM_PANEL_BRIDGE dependent on DRM_KMS_HELPERS 2022-03-23 09:16:42 +01:00
panfrost drm/panfrost: Clamp lock region to Bifrost minimum 2021-08-25 15:40:19 +01:00
pl111 drm/pl111: Remove unused including <linux/version.h> 2021-07-31 20:52:01 +02:00
qxl drm-misc-next for v5.15: 2021-07-21 11:58:28 +10:00
r128 drm/r128: fix build for UML 2021-10-15 15:05:10 +10:00
radeon drm/radeon: Fix backlight control on iMac 12,1 2022-02-23 12:03:08 +01:00
rcar-du drm: rcar-du: Fix CRTC timings when CMM is used 2022-01-27 11:04:35 +01:00
rockchip drm/rockchip: dw_hdmi: Do not leave clock enabled in error case 2022-02-23 12:03:19 +01:00
savage
scheduler drm/sched: Allow using a dedicated workqueue for the timeout/fault tdr 2021-07-01 08:53:25 +02:00
selftests drm/i915/selftests: Properly reset mock object propers for each test 2021-10-22 11:09:45 +02:00
shmobile drm/shmobile: Convert to Linux IRQ interfaces 2021-07-25 11:01:12 +02:00
sis
sti drm/bridge: Centralize error message when bridge attach fails 2021-07-28 16:33:12 +03:00
stm drm/stm: dsi: compute the transition time from LP to HS and back 2021-07-19 15:35:55 +02:00
sun4i drm/sun4i: mixer: Fix P010 and P210 format numbers 2022-03-16 14:23:37 +01:00
tdfx
tegra drm/tegra: submit: Add missing pm_runtime_mark_last_busy() 2022-01-27 11:05:11 +01:00
tidss drm/tidss: Convert to Linux IRQ interfaces 2021-08-10 20:13:49 +02:00
tilcdc drm/tilcdc: Convert to Linux IRQ interfaces 2021-08-10 20:13:53 +02:00
tiny drm/simpledrm: Add "panel orientation" property on non-upright mounted LCD panels 2022-04-08 14:22:56 +02:00
ttm drm/ttm: Put BO in its memory manager's lru list 2022-01-27 11:03:01 +01:00
tve200 drm/tiny: drm_gem_simple_display_pipe_prepare_fb is the default 2021-06-24 15:40:11 +02:00
udl drm/udl: fix control-message timeout 2021-11-25 09:49:05 +01:00
v3d drm/v3d: fix wait for TMU write combiner flush 2021-11-18 19:16:23 +01:00
vboxvideo drm/vboxvideo: fix a NULL vs IS_ERR() check 2022-01-27 11:03:13 +01:00
vc4 drm/vc4: hdmi: Unregister codec device on unbind 2022-03-16 14:23:40 +01:00
vgem Revert "drm/vgem: Implement mmap as GEM object function" 2021-07-13 13:15:52 +02:00
via drm: IRQ midlayer is now legacy 2021-08-10 20:14:01 +02:00
virtio drm/virtio: Ensure that objs is not NULL in virtio_gpu_array_put_free() 2022-03-28 09:58:45 +02:00
vkms drm/vkms: Use offset-adjusted shadow-plane mappings and output 2021-08-08 20:27:52 +02:00
vmwgfx drm/vmwgfx: Fix stale file descriptors on failed usercopy 2022-01-29 10:58:25 +01:00
xen drm/tiny: drm_gem_simple_display_pipe_prepare_fb is the default 2021-06-24 15:40:11 +02:00
xlnx drm/xlnx/zynqmp_disp: Fix incorrectly named enum 'zynqmp_disp_layer_id' 2021-08-09 02:28:05 +03:00
zte drm/zte: Don't set struct drm_device.irq_enabled 2021-06-29 15:40:53 +02:00
drm_agpsupport.c
drm_aperture.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_atomic_helper.c drm/atomic: Check new_crtc_state->active to determine if CRTC needs disable in self refresh mode 2022-03-08 19:12:37 +01:00
drm_atomic_state_helper.c
drm_atomic_uapi.c drm/atomic: Don't pollute crtc_state->mode_blob with error pointers 2022-02-23 12:03:08 +01:00
drm_atomic.c drm/atomic: Add the crtc to affected crtc only if uapi.enable = true 2022-02-01 17:27:01 +01:00
drm_auth.c drm: add lockdep assert to drm_is_current_master_locked 2021-08-05 12:08:15 +02:00
drm_blend.c
drm_bridge_connector.c
drm_bridge.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_bufs.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_cache.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_client_modeset.c
drm_client.c
drm_color_mgmt.c
drm_connector.c drm/vrr: Set VRR capable prop only if it is attached to connector 2022-03-19 13:47:49 +01:00
drm_context.c
drm_crtc_helper_internal.h
drm_crtc_helper.c
drm_crtc_internal.h Backmerge remote-tracking branch 'drm/drm-next' into drm-misc-next 2021-07-27 12:48:17 +02:00
drm_crtc.c
drm_damage_helper.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_debugfs_crc.c drm/doc: document how userspace should find out CRTC index 2021-06-10 19:14:47 +02:00
drm_debugfs.c drm: avoid blocking in drm_clients_info's rcu section 2021-07-20 20:14:42 +02:00
drm_displayid.c
drm_dma.c
drm_dp_aux_bus.c Bus: Make remove callback return void tag 2021-08-11 08:47:08 +10:00
drm_dp_aux_dev.c
drm_dp_cec.c
drm_dp_dual_mode_helper.c
drm_dp_helper.c drm/dp: Don't read back backlight mode in drm_edp_backlight_enable() 2022-01-27 11:03:13 +01:00
drm_dp_mst_topology_internal.h
drm_dp_mst_topology.c drm/dp_mst: Fix return code on sideband message failure 2021-07-27 18:58:28 -04:00
drm_drv.c drm: fix null-ptr-deref in drm_dev_init_release() 2022-01-27 11:03:01 +01:00
drm_dsc.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_dumb_buffers.c
drm_edid_load.c
drm_edid.c drm/edid: check basic audio support on CEA extension block 2022-04-08 14:22:59 +02:00
drm_encoder_slave.c
drm_encoder.c
drm_fb_cma_helper.c
drm_fb_helper.c drm/fb-helper: Mark screen buffers in system memory with FBINFO_VIRTFB 2022-04-08 14:23:03 +02:00
drm_file.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_flip_work.c
drm_format_helper.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_fourcc.c
drm_framebuffer.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_gem_atomic_helper.c drm/gem: Provide offset-adjusted framebuffer BO mappings 2021-08-08 20:26:16 +02:00
drm_gem_cma_helper.c drm/cma-helper: Set VM_DONTEXPAND for mmap 2022-02-23 12:03:09 +01:00
drm_gem_framebuffer_helper.c drm/gem: Provide offset-adjusted framebuffer BO mappings 2021-08-08 20:26:16 +02:00
drm_gem_shmem_helper.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_gem_ttm_helper.c
drm_gem_vram_helper.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_gem.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_hashtab.c
drm_hdcp.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_internal.h
drm_ioc32.c drm: Copy drm_wait_vblank to user before returning 2021-08-17 13:56:03 -04:00
drm_ioctl.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_irq.c drm: IRQ midlayer is now legacy 2021-08-10 20:14:01 +02:00
drm_kms_helper_common.c
drm_lease.c drm: clean up unused kerneldoc in drm_lease.c 2021-07-30 11:55:41 +02:00
drm_legacy_misc.c drm: IRQ midlayer is now legacy 2021-08-10 20:14:01 +02:00
drm_legacy.h
drm_lock.c
drm_managed.c
drm_memory.c
drm_mipi_dbi.c drm/mipi-dbi: Use framebuffer dma-buf helpers 2021-07-23 20:17:59 +02:00
drm_mipi_dsi.c
drm_mm.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_mode_config.c
drm_mode_object.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_modes.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_modeset_helper.c
drm_modeset_lock.c
drm_of.c drm/of: free the iterator object on failure 2021-07-15 10:54:04 +01:00
drm_panel_orientation_quirks.c drm: panel-orientation-quirks: Add quirk for the 1Netbook OneXPlayer 2022-02-16 12:56:12 +01:00
drm_panel.c drm/dp: Move panel DP AUX backlight support to drm_dp_helper 2021-07-13 06:38:37 -07:00
drm_pci.c
drm_plane_helper.c drm/plane-helper: fix uninitialized variable reference 2021-11-18 19:17:00 +01:00
drm_plane.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_prime.c drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap 2021-11-25 09:49:05 +01:00
drm_print.c isystem: ship and use stdarg.h 2021-08-19 09:02:55 +09:00
drm_probe_helper.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_property.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_rect.c
drm_scatter.c
drm_scdc_helper.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_self_refresh_helper.c
drm_simple_kms_helper.c drm/simple-kms: Support custom CRTC state 2021-08-08 20:14:08 +02:00
drm_syncobj.c drm/syncobj: flatten dma_fence_chains on transfer 2022-04-08 14:23:03 +02:00
drm_sysfs.c
drm_trace_points.c
drm_trace.h
drm_vblank_work.c
drm_vblank.c drm: IRQ midlayer is now legacy 2021-08-10 20:14:01 +02:00
drm_vm.c
drm_vma_manager.c drm: Fix typo in comments 2021-08-02 10:19:43 +02:00
drm_writeback.c
Kconfig Revert "drm: fb_helper: fix CONFIG_FB dependency" 2021-11-21 13:44:12 +01:00
Makefile drm/bochs: Move to tiny/ 2021-07-05 08:54:44 +02:00