iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers/gpu/drm
History
Rob Clark 19ec87d06a drm/virtio: Fix GEM handle creation UAF 
[ Upstream commit 52531258318ed59a2dc5a43df2eaf0eb1d65438e ]

Userspace can guess the handle value and try to race GEM object creation
with handle close, resulting in a use-after-free if we dereference the
object after dropping the handle's reference.  For that reason, dropping
the handle's reference must be done *after* we are done dereferencing
the object.

Signed-off-by: Rob Clark <robdclark@chromium.org>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
Fixes: 62fb7a5e1096 ("virtio-gpu: add 3d/virgl support")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221216233355.542197-2-robdclark@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-01-18 11:30:56 +01:00
..
amd
drm/amdgpu: Fix type of second parameter in trans_msg() callback
2023-01-18 11:30:35 +01:00
arc
drm: drop _mode_ from drm_mode_connector_attach_encoder
2018-07-13 18:40:27 +02:00
arm
drm/arm: fix unintentional integer overflow on left shift
2020-08-19 08:14:54 +02:00
armada
drm/armada: remove obsolete fb unreferencing kfifo and workqueue
2018-07-30 11:53:06 +01:00
ast
drm/ast: Fixed reboot test may cause system hanged
2019-09-06 10:21:59 +02:00
atmel-hlcdc
drm: atmel-hlcdc: enable clock before configuring timing engine
2020-02-11 04:34:16 -08:00
bochs
drm/bochs: downgrade pci_request_region failure from error to warning
2020-04-13 10:44:59 +02:00
bridge
drm/bridge: megachips: Fix a null pointer dereference bug
2022-10-26 13:19:27 +02:00
cirrus
drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up
2019-04-20 09:16:00 +02:00
etnaviv
drm/etnaviv: relax submit size limits
2022-02-08 18:23:03 +01:00
exynos
drm/exynos: fix ref count leak in mic_pre_enable
2020-07-22 09:32:01 +02:00
fsl-dcu
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
2023-01-18 11:30:37 +01:00
gma500
gma500: fix an incorrect NULL check on list iterator
2022-06-14 16:59:30 +02:00
hisilicon
drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
2020-01-27 14:49:55 +01:00
i2c
Merge branch 'drm-tda9950-fixes' of git://git.armlinux.org.uk/~rmk/linux-arm into drm-fixes
2018-10-04 10:32:14 +10:00
i810
drm/i810: Prevent underflow in ioctl
2019-12-13 08:52:44 +01:00
i915
drm/i915/dmabuf: fix sg_table handling in map_dma_buf
2022-11-25 17:40:19 +01:00
imx
drm/imx: imx-tve: Fix return type of imx_tve_connector_mode_valid
2022-11-25 17:40:22 +01:00
lib
mediatek
drm/mediatek: dpi: Remove output format of YUV
2022-08-25 11:15:05 +02:00
meson
drm/meson: Correct OSD1 global alpha value
2022-09-28 11:02:52 +02:00
mga
mgag200
drm: drop _mode_ from drm_mode_connector_attach_encoder
2018-07-13 18:40:27 +02:00
msm
drm/msm: Fix return type of mdp4_lvds_connector_mode_valid
2022-11-03 23:52:30 +09:00
mxsfb
drm/mxsfb: Don't select DRM_KMS_FB_HELPER
2021-07-20 16:15:58 +02:00
nouveau
drm/nouveau: fix another off-by-one in nvbios_addr
2022-08-25 11:14:54 +02:00
omapdrm
drm/omap: dmm_tiler: fix return error code in omap_dmm_probe()
2020-12-30 11:25:54 +01:00
panel
drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare
2022-04-27 13:39:44 +02:00
pl111
drm/pl111: Initialize clock spinlock early
2019-06-15 11:54:00 +02:00
qxl
drm: qxl: ensure surf.data is ininitialized
2021-07-20 16:15:49 +02:00
r128
radeon
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
2023-01-18 11:30:14 +01:00
rcar-du
drm: rcar-du: Fix build error
2020-06-30 23:17:17 -04:00
rockchip
drm/rockchip: Fix return type of cdn_dp_connector_mode_valid
2022-09-28 11:02:58 +02:00
savage
scheduler
drm/scheduler: fix param documentation
2018-08-09 11:57:39 -05:00
selftests
shmobile
drm/shmob: Fix return value check in shmob_drm_probe
2020-01-27 14:50:12 +01:00
sis
sti
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
2023-01-18 11:30:37 +01:00
stm
drm/stm: attach gem fence to atomic state
2019-10-07 18:56:31 +02:00
sun4i
drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind()
2020-11-24 13:27:22 +01:00
tdfx
tegra
drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
2023-01-18 11:30:13 +01:00
tilcdc
tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator
2022-07-29 17:10:35 +02:00
tinydrm
tinydrm/mipi-dbi: Use dma-safe buffers for all SPI transfers
2019-05-31 06:46:32 -07:00
ttm
drm/ttm: fix eviction valuable range check.
2020-11-05 11:08:54 +01:00
tve200
drm/tve200: Fix handling of platform_get_irq() error
2020-12-30 11:25:49 +01:00
udl
drm/udl: fix control-message timeout
2021-11-26 11:36:24 +01:00
v3d
drm/v3d: Handle errors from IRQ setup.
2019-05-31 06:46:34 -07:00
vc4
drm/vc4: Fix missing platform_unregister_drivers() call in vc4_drm_register()
2022-11-25 17:40:17 +01:00
vgem
drm/vgem: Close use-after-free race in vgem_gem_create
2022-05-12 12:20:23 +02:00
via
virtio
drm/virtio: Fix GEM handle creation UAF
2023-01-18 11:30:56 +01:00
vkms
drm/vkms: Hold gem object while still in-use
2020-06-22 09:05:08 +02:00
vmwgfx
drm/vmwgfx: Validate the box size for the snooped cursor
2023-01-18 11:30:45 +01:00
xen
drm/xen-front: Fix misused IS_ERR_OR_NULL checks
2020-12-30 11:25:43 +01:00
zte
drm/zte: Don't select DRM_KMS_FB_HELPER
2021-07-20 16:15:58 +02:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic_helper.c
drm/atomic: put state on error path
2021-01-27 11:05:36 +01:00
drm_atomic.c
drm/atomic_helper: Stop modesets on unregistered connectors harder
2020-12-02 08:48:08 +01:00
drm_auth.c
drm: Lock pointer access in drm_master_release()
2021-06-16 11:54:59 +02:00
drm_blend.c
drm_bridge.c
drm_bufs.c
drm: return -EFAULT if copy_to_user() fails
2019-07-14 08:11:14 +02:00
drm_cache.c
drm_client.c
drm/cma-helper: Fix crash in fbdev error path
2018-10-02 13:03:34 +02:00
drm_color_mgmt.c
drm_connector.c
drm/connector: send hotplug uevent on connector cleanup
2023-01-18 11:30:44 +01:00
drm_context.c
drm: Fix error handling in drm_legacy_addctx
2020-01-27 14:50:10 +01:00
drm_crtc_helper_internal.h
drm: remove drm_fb_helper_modinit
2022-07-02 16:27:38 +02:00
drm_crtc_helper.c
drm_crtc_internal.h
drm: drop _mode_ from remaining connector functions
2018-07-13 18:40:27 +02:00
drm_crtc.c
drm/lease: Make sure implicit planes are leased
2019-06-09 09:17:23 +02:00
drm_debugfs_crc.c
drm: remove the newline for CRC source name.
2020-02-24 08:34:45 +01:00
drm_debugfs.c
drm/debugfs: fix plain echo to connector "force" attribute
2020-08-19 08:14:52 +02:00
drm_dma.c
drm_dp_aux_dev.c
drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor()
2020-12-30 11:26:13 +01:00
drm_dp_cec.c
drm_dp_cec.c: fix formatting typo: %pdH -> %phD
2018-07-28 15:50:40 -03:00
drm_dp_dual_mode_helper.c
drm_dp_helper.c
drm/dp_helper: Add DP aux channel tracing
2018-07-16 11:47:53 -04:00
drm_dp_mst_topology.c
drm/dp/mst: fix a possible memory leak in fetch_monitor_name()
2022-05-25 09:10:38 +02:00
drm_drv.c
drm/drv: Hold ref on parent device during drm_device lifetime
2019-05-31 06:46:34 -07:00
drm_dumb_buffers.c
drm_edid_load.c
drm/edid: Fix a missing-check bug in drm_load_edid_firmware()
2019-07-31 07:26:58 +02:00
drm_edid.c
drm/edid: fix invalid EDID extension block filtering
2022-06-14 16:59:19 +02:00
drm_encoder_slave.c
drm: encoder_slave: fix refcouting error for modules
2020-06-25 15:33:06 +02:00
drm_encoder.c
drm_fb_cma_helper.c
drm/cma-helper: Fix crash in fbdev error path
2018-10-02 13:03:34 +02:00
drm_fb_helper.c
drm: remove drm_fb_helper_modinit
2022-07-02 16:27:38 +02:00
drm_file.c
drm: Wake up next in drm_read() chain if we are forced to putback the event
2019-05-31 06:46:34 -07:00
drm_flip_work.c
drm_fourcc.c
drm/fourcc: Add is_yuv field to drm_format_info to denote if the format is yuv
2018-07-18 16:56:45 +01:00
drm_framebuffer.c
drm: silence variable 'conn' set but not used
2019-08-16 10:12:46 +02:00
drm_gem_cma_helper.c
drm_gem_framebuffer_helper.c
drm_gem.c
drm: hold gem reference until object is no longer accessed
2020-08-05 10:06:01 +02:00
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h
drm/lease: Send a distinct uevent
2018-12-13 09:16:21 +01:00
drm_ioc32.c
drm: Copy drm_wait_vblank to user before returning
2021-09-03 09:58:02 +02:00
drm_ioctl.c
drm: Prevent drm_copy_field() to attempt copying a NULL pointer
2022-10-26 13:19:38 +02:00
drm_irq.c
drm_kms_helper_common.c
drm: remove drm_fb_helper_modinit
2022-07-02 16:27:38 +02:00
drm_lease.c
drm/lease: fix WARNING in idr_destroy
2020-03-25 08:06:12 +01:00
drm_legacy.h
drm_lock.c
drm_memory.c
drm_mipi_dsi.c
drm/mipi-dsi: Detach devices when removing the host
2022-10-26 13:19:27 +02:00
drm_mm.c
drm_mode_config.c
drm_mode_object.c
drm: Reorder set_property_atomic to avoid returning with an active ww_ctx
2019-03-27 14:14:42 +09:00
drm_modes.c
drm/modes: Prevent division by zero htotal
2019-02-15 08:10:12 +01:00
drm_modeset_helper.c
drm_modeset_lock.c
drm_of.c
drm/doc: Include drm_of.c helpers
2018-07-13 18:40:28 +02:00
drm_panel_orientation_quirks.c
drm: panel-orientation-quirks: Add quirk for Acer Switch V 10 (SW5-017)
2022-12-08 11:18:28 +01:00
drm_panel.c
Revert "drm/panel: Add device_link from panel device to DRM device"
2018-09-27 11:00:42 -04:00
drm_pci.c
drm: Remove PageReserved manipulation from drm_pci_alloc
2020-04-17 10:48:55 +02:00
drm_plane_helper.c
drm/plane-helper: fix uninitialized variable reference
2021-11-26 11:36:14 +01:00
drm_plane.c
drm/plane: Move range check for format_count earlier
2022-06-14 16:59:16 +02:00
drm_prime.c
drm_print.c
drm: Add puts callback for the coredump printer
2018-07-30 08:49:41 -04:00
drm_probe_helper.c
drm: Flush output polling on shutdown
2019-10-01 08:26:11 +02:00
drm_property.c
drm: limit to INT_MAX in create_blob ioctl
2020-01-09 10:18:59 +01:00
drm_rect.c
drm/rect: Avoid division by zero
2020-02-11 04:34:07 -08:00
drm_scatter.c
drm_scdc_helper.c
drm_simple_kms_helper.c
drm: drop _mode_ from drm_mode_connector_attach_encoder
2018-07-13 18:40:27 +02:00
drm_syncobj.c
drm/syncobj: Don't leak fences when WAIT_FOR_SUBMIT is set
2018-09-26 10:39:14 -04:00
drm_sysfs.c
drm/lease: Send a distinct uevent
2018-12-13 09:16:21 +01:00
drm_trace_points.c
drm_trace.h
drm_vblank.c
drm/drm_vblank: Change EINVAL by the correct errno
2019-12-31 16:35:01 +01:00
drm_vm.c
drm_vma_manager.c
drm_writeback.c
drm: writeback: Fix doc that says connector should be disconnected
2018-07-16 16:35:27 +01:00
Kconfig
drm/radeon: fix AGP dependency
2021-03-30 14:36:58 +02:00
Makefile
drm: add support for DisplayPort CEC-Tunneling-over-AUX
2018-07-13 17:58:19 +03:00