linux-stable/drivers
Zack Rusin 2f527e3efd drm/vmwgfx: Fix invalid reads in fence signaled events
commit a37ef7613c upstream.

Correctly set the length of the drm_event to the size of the structure
that's actually used.

The length of the drm_event was set to the parent structure instead of
to the drm_vmw_event_fence which is supposed to be read. drm_read
uses the length parameter to copy the event to the user space thus
resulting in oob reads.

Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Fixes: 8b7de6aa84 ("vmwgfx: Rework fence event action")
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23566
Cc: David Airlie <airlied@gmail.com>
CC: Daniel Vetter <daniel@ffwll.ch>
Cc: Zack Rusin <zack.rusin@broadcom.com>
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
Cc: dri-devel@lists.freedesktop.org
Cc: linux-kernel@vger.kernel.org
Cc: <stable@vger.kernel.org> # v3.4+
Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack.rusin@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-05-17 11:42:43 +02:00
..
accessibility
acpi ACPI: scan: Fix device check notification handling 2024-03-26 18:22:35 -04:00
amba amba: bus: fix refcount leak 2023-09-23 10:48:09 +02:00
android binder: signal epoll threads of self-work 2024-02-23 08:12:57 +01:00
ata ata: sata_gemini: Check clk_enable() result 2024-05-17 11:42:39 +02:00
atm atm: idt77252: fix a memleak in open_card_ubr0 2024-02-23 08:12:53 +01:00
auxdisplay
base PM: sleep: wakeirq: fix wake irq warning in system suspend 2024-04-13 12:50:05 +02:00
bcma
block Revert "loop: Remove sector_t truncation checks" 2024-05-02 16:17:14 +02:00
bluetooth Bluetooth: btintel: Fixe build regression 2024-04-13 12:50:17 +02:00
bus bus: tegra-aconnect: Update dependency to ARCH_TEGRA 2024-03-26 18:22:35 -04:00
cdrom
char hwrng: core - Fix page fault dead lock on mmap-ed hwrng 2024-02-23 08:12:40 +01:00
clk clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays 2024-04-13 12:50:05 +02:00
clocksource clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware 2023-11-28 16:46:31 +00:00
connector
cpufreq cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily 2023-12-08 08:43:26 +01:00
cpuidle sched,idle,rcu: Push rcu_idle deeper into the idle path 2023-10-25 11:16:26 +02:00
crypto crypto: qat - resolve race condition during AER recovery 2024-04-13 12:50:04 +02:00
dax
dca
devfreq PM / devfreq: Fix leak in devfreq_dev_release() 2023-09-23 10:48:10 +02:00
dio
dma dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state" 2024-05-17 11:42:36 +02:00
dma-buf dma-buf/sw_sync: Avoid recursive lock during fence signal 2023-08-30 16:31:56 +02:00
edac EDAC/thunderx: Fix possible out-of-bounds string access 2024-01-25 14:33:31 -08:00
eisa
extcon extcon: Fix kernel doc of property capability fields to avoid warnings 2023-08-11 11:45:12 +02:00
firewire firewire: nosy: ensure user_length is taken into account when fetching packet contents 2024-05-17 11:42:42 +02:00
firmware efivarfs: Request at most 512 bytes for variable names 2024-04-13 12:50:10 +02:00
fmc
fpga fpga: bridge: fix kernel-doc parameter description 2023-05-17 11:13:15 +02:00
fsi fsi: master-ast-cf: Add MODULE_FIRMWARE macro 2023-09-23 10:47:57 +02:00
gnss
gpio gpio: crystalcove: Use -ENOTSUPP consistently 2024-05-17 11:42:41 +02:00
gpu drm/vmwgfx: Fix invalid reads in fence signaled events 2024-05-17 11:42:43 +02:00
hid HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up 2024-05-02 16:17:14 +02:00
hsi
hv Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs 2023-06-28 10:15:28 +02:00
hwmon hwmon: (amc6821) add of_match table 2024-04-13 12:50:06 +02:00
hwspinlock
hwtracing coresight: etm4x: Fix width of CCITMIN field 2024-01-25 14:33:31 -08:00
i2c i2c: smbus: fix NULL function pointer dereference 2024-05-02 16:17:14 +02:00
ide treewide: Remove uninitialized_var() usage 2023-08-11 11:45:01 +02:00
idle
iio iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table 2024-01-08 11:27:35 +01:00
infiniband RDMA/mlx5: Fix port number for counter query in multi-port configuration 2024-05-02 16:17:09 +02:00
input Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails 2024-04-13 12:50:15 +02:00
iommu iommu/amd: Mark interrupt as managed 2024-03-26 18:22:35 -04:00
ipack
irqchip irqchip/gic-v3-its: Prevent double free on error 2024-05-02 16:17:13 +02:00
isdn mISDN: Update parameter type of dsp_cmx_send() 2023-08-16 18:13:00 +02:00
leds leds: trigger: panic: Don't register panic notifier if creating the trigger failed 2024-02-23 08:12:50 +01:00
lightnvm
macintosh macintosh: via-pmu-led: requires ATA to be set 2023-05-17 11:13:18 +02:00
mailbox mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 2023-08-11 11:45:13 +02:00
mcb mcb: fix error handling for different scenarios when parsing 2023-11-28 16:46:35 +00:00
md dm-raid: fix lockdep waring in "pers->hot_add_disk" 2024-04-13 12:50:06 +02:00
media media: sta2x11: fix irq handler cast 2024-04-13 12:50:15 +02:00
memory
memstick memstick r592: make memstick_debug_get_tpc_name() static 2023-08-11 11:45:06 +02:00
message scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition 2023-05-30 12:42:09 +01:00
mfd mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref 2024-03-26 18:22:40 -04:00
misc VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() 2024-04-13 12:50:17 +02:00
mmc mmc: core: Fix switch on gp3 partition 2024-04-13 12:50:06 +02:00
mtd mtd: diskonchip: work around ubsan link failure 2024-05-02 16:17:13 +02:00
mux
net net:usb:qmi_wwan: support Rolling modules 2024-05-17 11:42:41 +02:00
nfc NFC: trf7970a: disable all regulators on removal 2024-05-02 16:17:11 +02:00
ntb ntb: Fix calculation ntb_transport_tx_free_entry() 2023-09-23 10:48:10 +02:00
nubus
nvdimm nd_btt: Make BTT lanes preemptible 2023-11-20 10:29:18 +01:00
nvme nvme-pci: do not set the NUMA node of device if it has none 2023-10-10 21:44:59 +02:00
nvmem nvmem: imx: correct nregs for i.MX6UL 2023-11-08 11:22:16 +01:00
of of: unittest: Fix of_count_phandle_with_args() expected value message 2024-01-25 14:33:36 -08:00
opp
oprofile
parisc parisc: iosapic.c: Fix sparse warnings 2023-10-10 21:44:58 +02:00
parport parport: Add support for Brainboxes IX/UC/PX parallel cards 2023-12-13 17:42:19 +01:00
pci PCI/PM: Drain runtime-idle callbacks before driver removal 2024-04-13 12:50:06 +02:00
pcmcia pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() 2023-11-20 10:29:20 +01:00
perf
phy phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP 2024-02-23 08:12:53 +01:00
pinctrl pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() 2024-05-17 11:42:37 +02:00
platform platform/x86: intel_telemetry: Fix kernel doc descriptions 2023-12-20 15:38:02 +01:00
pnp PNP: ACPI: fix fortify warning 2024-02-23 08:12:44 +01:00
power power: rt9455: hide unused rt9455_boost_voltage_values 2024-05-17 11:42:37 +02:00
powercap
pps
ps3
ptp ptp: annotate data-race around q->head and q->tail 2023-11-28 16:46:33 +00:00
pwm pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume 2023-11-20 10:29:20 +01:00
rapidio
ras
regulator regulator: pwm-regulator: Add validity checks in continuous .get_voltage 2024-03-01 13:06:09 +01:00
remoteproc
reset reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning 2024-01-25 14:33:30 -08:00
rpmsg rpmsg: virtio: Free driver_override when rpmsg_remove() 2024-02-23 08:12:40 +01:00
rtc rtc: mt6397: select IRQ_DOMAIN instead of depending on it 2024-03-26 18:22:42 -04:00
s390 s390/zcrypt: fix reference counting on zcrypt card objects 2024-04-13 12:50:07 +02:00
sbus
scsi scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload 2024-05-17 11:42:39 +02:00
sfi
sh
siox
slimbus slimbus: core: Remove usage of the deprecated ida_simple_xx() API 2024-04-13 12:50:06 +02:00
sn
soc soc: fsl: qbman: Use raw spinlock for cgr_lock 2024-04-13 12:50:07 +02:00
soundwire
spi spi: spi-mt65xx: Fix NULL pointer access in interrupt handler 2024-03-26 18:22:43 -04:00
spmi spmi: Add a check for remove callback when removing a SPMI driver 2023-05-17 11:13:17 +02:00
ssb treewide: Remove uninitialized_var() usage 2023-08-11 11:45:01 +02:00
staging speakup: Avoid crash on very long word 2024-05-02 16:17:10 +02:00
target scsi: target: Fix SELinux error when systemd-modules loads the target module 2024-05-17 11:42:40 +02:00
tc
tee
thermal thermal: core: prevent potential string overflow 2023-11-20 10:29:17 +01:00
thunderbolt thunderbolt: Use const qualifier for `ring_interrupt_index` 2023-04-05 11:15:35 +02:00
tty serial: mxs-auart: add spinlock around changing cts state 2024-05-02 16:17:12 +02:00
uio uio: Fix use-after-free in uio_open 2024-01-25 14:33:30 -08:00
usb usb: gadget: f_fs: Fix a race condition when processing setup packets. 2024-05-17 11:42:43 +02:00
uwb
vfio vfio/platform: Disable virqfds on cleanup 2024-04-13 12:50:06 +02:00
vhost vhost: Add smp_rmb() in vhost_vq_avail_empty() 2024-05-02 16:17:08 +02:00
video fbmon: prevent division by zero in fb_videomode_from_videomode() 2024-04-13 12:50:16 +02:00
virt
virtio virtio: reenable config if freezing device failed 2024-04-13 12:50:16 +02:00
visorbus
vlynq
vme
w1 w1: fix loop in w1_fini() 2023-08-11 11:45:11 +02:00
watchdog watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling 2024-01-25 14:33:36 -08:00
xen xen/events: fix delayed eoi list handling 2023-11-28 16:46:33 +00:00
zorro
Kconfig
Makefile