kernel-fxtec-pro1x/drivers/gpu/drm
Vasily Averin 0d28ac49eb drm/qxl: qxl_release use after free
commit 933db73351d359f74b14f4af095808260aff11f9 upstream.

qxl_release should not be accessed after qxl_push_*_ring_release() calls:
userspace driver can process submitted command quickly, move qxl_release
into release_ring, generate interrupt and trigger garbage collector.

It can lead to crashes in qxl driver or trigger memory corruption
in some kmalloc-192 slab object

Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
qxl_push_{cursor,command}_ring_release() calls to close that race window.

cc: stable@vger.kernel.org
Fixes: f64122c1f6 ("drm: add new QXL driver. (v1.4)")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[backported to v.4.19 stable]
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-06 08:13:27 +02:00
amd drm/amd/display: Not doing optimize bandwidth if flip pending. 2020-04-29 16:31:15 +02:00
arc
arm drm/arm/mali: make malidp_mw_connector_helper_funcs static 2020-01-17 19:47:15 +01:00
armada
ast drm/ast: Fixed reboot test may cause system hanged 2019-09-06 10:21:59 +02:00
atmel-hlcdc drm: atmel-hlcdc: enable clock before configuring timing engine 2020-02-11 04:34:16 -08:00
bochs drm/bochs: downgrade pci_request_region failure from error to warning 2020-04-13 10:44:59 +02:00
bridge drm/bridge: dw-hdmi: fix AVI frame colorimetry 2020-03-25 08:06:15 +01:00
cirrus drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up 2019-04-20 09:16:00 +02:00
etnaviv etnaviv: perfmon: fix total and idle HI cyleces readout 2020-04-17 10:48:55 +02:00
exynos drm/exynos: dsi: fix workaround for the legacy clock name 2020-03-25 08:06:06 +01:00
fsl-dcu
gma500 drm/gma500: Fixup fbdev stolen size usage evaluation 2020-02-24 08:34:35 +01:00
hisilicon drm/hisilicon: hibmc: Don't overwrite fb helper surface depth 2020-01-27 14:49:55 +01:00
i2c Merge branch 'drm-tda9950-fixes' of git://git.armlinux.org.uk/~rmk/linux-arm into drm-fixes 2018-10-04 10:32:14 +10:00
i810 drm/i810: Prevent underflow in ioctl 2019-12-13 08:52:44 +01:00
i915 drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits 2020-03-18 07:14:23 +01:00
imx drm/imx: only send event on crtc disable if kept disabled 2019-07-10 09:53:44 +02:00
lib
mediatek drm/mediatek: Find the cursor plane instead of hard coding it 2020-03-25 08:06:05 +01:00
meson drm: meson: venc: cvbs: fix CVBS mode matching 2019-12-21 10:57:39 +01:00
mga
mgag200
msm drm/msm: Use the correct dma_sync calls harder 2020-04-29 16:31:07 +02:00
mxsfb
nouveau drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets 2020-02-28 16:38:55 +01:00
omapdrm drm/omap: fix max fclk divider for omap36xx 2019-10-11 18:21:01 +02:00
panel drm: panel-lvds: Potential Oops in probe error handling 2020-01-27 14:51:20 +01:00
pl111 drm/pl111: Initialize clock spinlock early 2019-06-15 11:54:00 +02:00
qxl drm/qxl: qxl_release use after free 2020-05-06 08:13:27 +02:00
r128
radeon radeon: insert 10ms sleep in dce5_crtc_load_lut 2020-02-24 08:34:52 +01:00
rcar-du drm: rcar-du: lvds: Fix bridge_to_rcar_lvds 2020-01-27 14:51:05 +01:00
rockchip drm/rockchip: Suspend DP late 2019-08-29 08:28:40 +02:00
savage
scheduler drm/scheduler: fix param documentation 2018-08-09 11:57:39 -05:00
selftests
shmobile drm/shmob: Fix return value check in shmob_drm_probe 2020-01-27 14:50:12 +01:00
sis
sti drm/sti: do not remove the drm_bridge that was never added 2020-01-27 14:49:53 +01:00
stm drm/stm: attach gem fence to atomic state 2019-10-07 18:56:31 +02:00
sun4i drm/sun4i: de2/de3: Remove unsupported VI layer formats 2020-03-11 14:15:10 +01:00
tdfx
tegra drm/tegra: sor: Use correct SOR index on Tegra210 2019-12-31 16:35:27 +01:00
tilcdc drm/tilcdc: Register cpufreq notifier after we have initialized crtc 2019-09-06 10:22:03 +02:00
tinydrm tinydrm/mipi-dbi: Use dma-safe buffers for all SPI transfers 2019-05-31 06:46:32 -07:00
ttm drm/ttm: fix incrementing the page pointer for huge pages 2020-01-17 19:47:02 +01:00
tve200
udl drm/udl: move to embedding drm device inside udl device. 2019-07-21 09:03:18 +02:00
v3d drm/v3d: Handle errors from IRQ setup. 2019-05-31 06:46:34 -07:00
vc4 drm/vc4: Fix HDMI mode validation 2020-04-23 10:30:21 +02:00
vgem drm/vgem: fix use-after-free when drm_gem_handle_create() fails 2019-04-03 06:26:26 +02:00
via
virtio drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset() 2020-01-27 14:49:54 +01:00
vkms drm/vkms: Bugfix extra vblank frame 2019-04-05 22:33:12 +02:00
vmwgfx drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add 2020-02-24 08:34:48 +01:00
xen drm/xen-front: Fix mmap attributes for display buffers 2020-01-27 14:50:19 +01:00
zte
ati_pcigart.c
drm_agpsupport.c
drm_atomic.c drm/atomic_helper: Allow DPMS On<->Off changes for unregistered connectors 2019-09-16 08:22:23 +02:00
drm_atomic_helper.c drm/atomic_helper: Allow DPMS On<->Off changes for unregistered connectors 2019-09-16 08:22:23 +02:00
drm_auth.c drm: set is_master to 0 upon drm_new_set_master() failure 2018-12-08 12:59:07 +01:00
drm_blend.c
drm_bridge.c
drm_bufs.c drm: return -EFAULT if copy_to_user() fails 2019-07-14 08:11:14 +02:00
drm_cache.c
drm_client.c drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
drm_color_mgmt.c
drm_connector.c
drm_context.c drm: Fix error handling in drm_legacy_addctx 2020-01-27 14:50:10 +01:00
drm_crtc.c drm/lease: Make sure implicit planes are leased 2019-06-09 09:17:23 +02:00
drm_crtc_helper.c
drm_crtc_helper_internal.h
drm_crtc_internal.h
drm_debugfs.c drm/atomic: Use drm_drv_uses_atomic_modeset() for debugfs creation 2018-09-17 19:24:37 -04:00
drm_debugfs_crc.c drm: remove the newline for CRC source name. 2020-02-24 08:34:45 +01:00
drm_dma.c
drm_dp_aux_dev.c
drm_dp_cec.c
drm_dp_dual_mode_helper.c
drm_dp_helper.c
drm_dp_mst_topology.c drm/dp_mst: Fix clearing payload state on topology disable 2020-04-17 10:48:54 +02:00
drm_drv.c drm/drv: Hold ref on parent device during drm_device lifetime 2019-05-31 06:46:34 -07:00
drm_dumb_buffers.c
drm_edid.c drm/edid: Fix off-by-one in DispID DTD pixel clock 2020-05-06 08:13:26 +02:00
drm_edid_load.c drm/edid: Fix a missing-check bug in drm_load_edid_firmware() 2019-07-31 07:26:58 +02:00
drm_encoder.c
drm_encoder_slave.c
drm_fb_cma_helper.c drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
drm_fb_helper.c drm/fb-helper: generic: Call drm_client_add() after setup is done 2020-01-27 14:50:36 +01:00
drm_file.c drm: Wake up next in drm_read() chain if we are forced to putback the event 2019-05-31 06:46:34 -07:00
drm_flip_work.c
drm_fourcc.c
drm_framebuffer.c drm: silence variable 'conn' set but not used 2019-08-16 10:12:46 +02:00
drm_gem.c
drm_gem_cma_helper.c
drm_gem_framebuffer_helper.c
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h drm/lease: Send a distinct uevent 2018-12-13 09:16:21 +01:00
drm_ioc32.c drm: add __user attribute to ptr_to_compat() 2019-09-16 08:22:08 +02:00
drm_ioctl.c drm/ioctl: Fix Spectre v1 vulnerabilities 2018-12-29 13:37:59 +01:00
drm_irq.c
drm_kms_helper_common.c
drm_lease.c drm/lease: fix WARNING in idr_destroy 2020-03-25 08:06:12 +01:00
drm_legacy.h
drm_lock.c
drm_memory.c
drm_mipi_dsi.c
drm_mm.c
drm_mode_config.c
drm_mode_object.c drm: Reorder set_property_atomic to avoid returning with an active ww_ctx 2019-03-27 14:14:42 +09:00
drm_modes.c drm/modes: Prevent division by zero htotal 2019-02-15 08:10:12 +01:00
drm_modeset_helper.c
drm_modeset_lock.c
drm_of.c
drm_panel.c Revert "drm/panel: Add device_link from panel device to DRM device" 2018-09-27 11:00:42 -04:00
drm_panel_orientation_quirks.c drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC 2019-09-19 09:09:39 +02:00
drm_pci.c drm: Remove PageReserved manipulation from drm_pci_alloc 2020-04-17 10:48:55 +02:00
drm_plane.c drm/lease: Make sure implicit planes are leased 2019-06-09 09:17:23 +02:00
drm_plane_helper.c
drm_prime.c
drm_print.c
drm_probe_helper.c drm: Flush output polling on shutdown 2019-10-01 08:26:11 +02:00
drm_property.c drm: limit to INT_MAX in create_blob ioctl 2020-01-09 10:18:59 +01:00
drm_rect.c drm/rect: Avoid division by zero 2020-02-11 04:34:07 -08:00
drm_scatter.c
drm_scdc_helper.c
drm_simple_kms_helper.c
drm_syncobj.c drm/syncobj: Don't leak fences when WAIT_FOR_SUBMIT is set 2018-09-26 10:39:14 -04:00
drm_sysfs.c drm/lease: Send a distinct uevent 2018-12-13 09:16:21 +01:00
drm_trace.h
drm_trace_points.c
drm_vblank.c drm/drm_vblank: Change EINVAL by the correct errno 2019-12-31 16:35:01 +01:00
drm_vm.c
drm_vma_manager.c
drm_writeback.c
Kconfig drm/fb_helper: Allow leaking fbdev smem_start 2019-01-16 22:04:35 +01:00
Makefile