mirror-linux/drivers
Zack Rusin 115f2ccd3a drm/vmwgfx: Fix shader stage validation
commit 14abdfae50 upstream.

For multiple commands the driver was not correctly validating the shader
stages resulting in possible kernel oopses. The validation code was only,
if ever, checking the upper bound on the shader stages but never a lower
bound (valid shader stages start at 1 not 0).

Fixes kernel oopses ending up in vmw_binding_add, e.g.:
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 2443 Comm: testcase Not tainted 6.3.0-rc4-vmwgfx #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
RIP: 0010:vmw_binding_add+0x4c/0x140 [vmwgfx]
Code: 7e 30 49 83 ff 0e 0f 87 ea 00 00 00 4b 8d 04 7f 89 d2 89 cb 48 c1 e0 03 4c 8b b0 40 3d 93 c0 48 8b 80 48 3d 93 c0 49 0f af de <48> 03 1c d0 4c 01 e3 49 8>
RSP: 0018:ffffb8014416b968 EFLAGS: 00010206
RAX: ffffffffc0933ec0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00000000ffffffff RSI: ffffb8014416b9c0 RDI: ffffb8014316f000
RBP: ffffb8014416b998 R08: 0000000000000003 R09: 746f6c735f726564
R10: ffffffffaaf2bda0 R11: 732e676e69646e69 R12: ffffb8014316f000
R13: ffffb8014416b9c0 R14: 0000000000000040 R15: 0000000000000006
FS:  00007fba8c0af740(0000) GS:ffff8a1277c80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000007c0933eb8 CR3: 0000000118244001 CR4: 00000000003706e0
Call Trace:
 <TASK>
 vmw_view_bindings_add+0xf5/0x1b0 [vmwgfx]
 ? ___drm_dbg+0x8a/0xb0 [drm]
 vmw_cmd_dx_set_shader_res+0x8f/0xc0 [vmwgfx]
 vmw_execbuf_process+0x590/0x1360 [vmwgfx]
 vmw_execbuf_ioctl+0x173/0x370 [vmwgfx]
 ? __drm_dev_dbg+0xb4/0xe0 [drm]
 ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
 drm_ioctl_kernel+0xbc/0x160 [drm]
 drm_ioctl+0x2d2/0x580 [drm]
 ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
 ? do_fault+0x1a6/0x420
 vmw_generic_ioctl+0xbd/0x180 [vmwgfx]
 vmw_unlocked_ioctl+0x19/0x20 [vmwgfx]
 __x64_sys_ioctl+0x96/0xd0
 do_syscall_64+0x5d/0x90
 ? handle_mm_fault+0xe4/0x2f0
 ? debug_smp_processor_id+0x1b/0x30
 ? fpregs_assert_state_consistent+0x2e/0x50
 ? exit_to_user_mode_prepare+0x40/0x180
 ? irqentry_exit_to_user_mode+0xd/0x20
 ? irqentry_exit+0x3f/0x50
 ? exc_page_fault+0x8b/0x180
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Signed-off-by: Zack Rusin <zackr@vmware.com>
Cc: security@openanolis.org
Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Testcase-found-by: Niels De Graef <ndegraef@redhat.com>
Fixes: d80efd5cb3 ("drm/vmwgfx: Initial DX support")
Cc: <stable@vger.kernel.org> # v4.3+
Reviewed-by: Maaz Mombasawala <mombasawalam@vmware.com>
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230616190934.54828-1-zack@kde.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-30 16:11:09 +02:00
accessibility
acpi ACPI: scan: Create platform device for CS35L56 2023-08-16 18:27:31 +02:00
amba
android binder: fix memory leak in binder_init() 2023-08-16 18:27:24 +02:00
ata ata: pata_ns87415: mark ns87560_tf_read static 2023-08-03 10:24:07 +02:00
atm
auxdisplay
base x86/srso: Add a Speculative RAS Overflow mitigation 2023-08-08 20:03:50 +02:00
bcma
block rbd: prevent busy loop when requesting exclusive lock 2023-08-11 12:08:21 +02:00
bluetooth Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally 2023-08-23 17:52:25 +02:00
bus bus: ti-sysc: Flush posted write on enable before reset 2023-08-23 17:52:36 +02:00
cdrom
char tpm: Add a helper for checking hwrng enabled 2023-08-16 18:27:20 +02:00
clk clk: Fix slab-out-of-bounds error in devm_clk_release() 2023-08-30 16:11:06 +02:00
clocksource clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe 2023-07-19 16:20:59 +02:00
comedi
connector
counter
cpufreq cpufreq: intel_pstate: Drop ACPI _PSS states table patching 2023-08-03 10:24:18 +02:00
cpuidle cpuidle: psci: Move enabling OSI mode after power domains creation 2023-08-23 17:52:17 +02:00
crypto crypto: qat - unmap buffers before free for RSA 2023-07-19 16:21:42 +02:00
cxl cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws() 2023-08-03 10:24:04 +02:00
dax dax/kmem: Pass valid argument to memory_group_register_static 2023-07-19 16:21:43 +02:00
dca
devfreq
dio
dma dmaengine: owl-dma: Modify mismatched function name 2023-08-16 18:27:28 +02:00
dma-buf dma-buf: fix an error pointer vs NULL bug 2023-08-03 10:24:19 +02:00
edac EDAC/qcom: Get rid of hardcoded register offsets 2023-06-21 16:00:51 +02:00
eisa
extcon extcon: usbc-tusb320: Unregister typec port on driver removal 2023-07-19 16:22:08 +02:00
firewire firewire: net: fix use after free in fwnet_finish_incoming_packet() 2023-08-23 17:52:24 +02:00
firmware firmware: arm_scmi: Drop OF node reference in the transport channel setup 2023-08-11 12:08:19 +02:00
fpga
fsi
gnss
gpio gpio: sim: mark the GPIO chip as a one that can sleep 2023-08-16 18:27:29 +02:00
gpu drm/vmwgfx: Fix shader stage validation 2023-08-30 16:11:09 +02:00
greybus
hid HID: intel-ish-hid: ipc: Add Arrow Lake PCI device ID 2023-08-23 17:52:22 +02:00
hsi
hte
hv Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs 2023-06-28 11:12:23 +02:00
hwmon hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100 2023-08-16 18:27:22 +02:00
hwspinlock
hwtracing hwtracing: hisi_ptt: Fix potential sleep in atomic context 2023-07-19 16:21:58 +02:00
i2c i2c: designware: Handle invalid SMBus block data response length value 2023-08-23 17:52:31 +02:00
i3c i3c: master: svc: fix cpu schedule in spin lock 2023-07-19 16:21:54 +02:00
idle
iio iio: core: Prevent invalid memory access when there is no parent 2023-08-16 18:27:25 +02:00
infiniband RDMA/mlx5: Return the firmware result upon destroying QP/RQ 2023-08-23 17:52:21 +02:00
input Input: pm8941-powerkey - fix debounce on gen2+ PMICs 2023-07-19 16:21:26 +02:00
interconnect interconnect: qcom: sm8450: add enable_mask for bcm nodes 2023-08-16 18:27:25 +02:00
iommu iommu/amd: Introduce Disable IRTE Caching Support 2023-08-23 17:52:21 +02:00
ipack
irqchip irqchip/gic-v4.1: Properly lock VPEs when doing a directLPI invalidation 2023-08-03 10:24:14 +02:00
isdn mISDN: Update parameter type of dsp_cmx_send() 2023-08-16 18:27:26 +02:00
leds led: qcom-lpg: Fix resource leaks in for_each_available_child_of_node() loops 2023-08-23 17:52:23 +02:00
macintosh
mailbox mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 2023-07-19 16:22:03 +02:00
mcb
md dm cache policy smq: ensure IO doesn't prevent cleaner policy progress 2023-08-03 10:24:17 +02:00
media media: vcodec: Fix potential array out-of-bounds in encoder queue_setup 2023-08-30 16:11:09 +02:00
memory memory: brcmstb_dpfe: fix testing array offset after use 2023-07-19 16:21:24 +02:00
memstick memstick r592: make memstick_debug_get_tpc_name() static 2023-07-19 16:21:08 +02:00
message
mfd mfd: pm8008: Fix module autoloading 2023-07-23 13:49:37 +02:00
misc accel/habanalabs: add pci health check during heartbeat 2023-08-23 17:52:21 +02:00
mmc mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove 2023-08-23 17:52:42 +02:00
most
mtd mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() 2023-08-11 12:08:25 +02:00
mux
net ibmveth: Use dcbf rather than dcbfl 2023-08-30 16:11:05 +02:00
nfc nfcsim.c: Fix error checking for debugfs_create_dir 2023-06-28 11:12:36 +02:00
ntb NTB: ntb_tool: Add check for devm_kcalloc 2023-07-23 13:49:24 +02:00
nubus nubus: Partially revert proc_create_single_data() conversion 2023-07-05 18:27:37 +01:00
nvdimm
nvme nvme-rdma: fix potential unbalanced freeze & unfreeze 2023-08-16 18:27:30 +02:00
nvmem nvmem: rmem: Use NVMEM_DEVID_AUTO 2023-07-19 16:21:57 +02:00
of of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock 2023-08-30 16:11:08 +02:00
opp opp: Fix use-after-free in lazy_opp_tables after probe deferral 2023-07-23 13:49:42 +02:00
parisc
parport
pci PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus 2023-08-30 16:11:09 +02:00
pcmcia pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() 2023-08-23 17:52:24 +02:00
peci
perf perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start() 2023-07-23 13:49:44 +02:00
phy phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() 2023-08-03 10:23:59 +02:00
pinctrl pinctrl: amd: Mask wake bits on probe again 2023-08-30 16:11:08 +02:00
platform platform/x86: ideapad-laptop: Add support for new hotkeys found on ThinkBook 14s Yoga ITL 2023-08-30 16:11:05 +02:00
pnp
power power: supply: Fix logic checking if system is running from battery 2023-06-21 16:00:52 +02:00
powercap powercap: RAPL: Fix CONFIG_IOSF_MBI dependency 2023-07-19 16:21:00 +02:00
pps
ps3
ptp
pwm pwm: meson: fix handling of period/duty if greater than UINT_MAX 2023-07-23 13:49:46 +02:00
rapidio
ras
regulator regulator: tps65219: Fix matching interrupts for their regulators 2023-07-19 16:22:14 +02:00
remoteproc
reset
rpmsg
rtc rtc: st-lpc: Release some resources in st_rtc_probe() in case of error 2023-07-19 16:21:59 +02:00
s390 s390/zcrypt: fix reply buffer calculations for CCA replies 2023-08-30 16:10:59 +02:00
sbus
scsi scsi: qedf: Fix firmware halt over suspend and resume 2023-08-16 18:27:31 +02:00
sh
siox
slimbus
soc soc: aspeed: socinfo: Add kfree for kstrdup 2023-08-23 17:52:38 +02:00
soundwire soundwire: fix enumeration completion 2023-08-03 10:24:15 +02:00
spi spi: dw: Remove misleading comment for Mount Evans SoC 2023-07-27 08:50:50 +02:00
spmi
ssb
staging staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() 2023-08-03 10:24:12 +02:00
target scsi: target: iscsi: Prevent login threads from racing between each other 2023-06-28 11:12:35 +02:00
tc
tee tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta' 2023-06-14 11:15:28 +02:00
thermal thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe() 2023-07-19 16:21:01 +02:00
thunderbolt thunderbolt: Limit Intel Barlow Ridge USB3 bandwidth 2023-08-23 17:52:24 +02:00
tty serial: 8250: Fix oops for port->pm on uart_change_pm() 2023-08-23 17:52:38 +02:00
ufs scsi: ufs: renesas: Fix private allocation 2023-08-16 18:27:30 +02:00
uio
usb usb: chipidea: imx: add missing USB PHY DPDM wakeup setting 2023-08-23 17:52:24 +02:00
vdpa vdpa: Enable strict validation for netlinks ops 2023-08-23 17:52:31 +02:00
vfio vfio/mdev: Move the compat_class initialization to module init 2023-07-19 16:21:41 +02:00
vhost vhost_net: revert upend_idx only on retriable error 2023-06-28 11:12:40 +02:00
video video/aperture: Move vga handling to pci function 2023-08-30 16:10:58 +02:00
virt virt: sevguest: Add CONFIG_CRYPTO dependency 2023-07-19 16:20:55 +02:00
virtio virtio-mmio: don't break lifecycle of vm_dev 2023-08-23 17:52:29 +02:00
vlynq
w1 w1: fix loop in w1_fini() 2023-07-19 16:21:48 +02:00
watchdog watchdog: sp5100_tco: support Hygon FCH/SCH (Server Controller Hub) 2023-08-23 17:52:25 +02:00
xen xen: speed up grant-table reclaim 2023-08-03 10:24:14 +02:00
zorro
Kconfig
Makefile