linux-stable/drivers
Mathias Krause e8d092a624 drm/vmwgfx: Fix stale file descriptors on failed usercopy
commit a0f90c8815 upstream.

A failing usercopy of the fence_rep object will lead to a stale entry in
the file descriptor table as put_unused_fd() won't release it. This
enables userland to refer to a dangling 'file' object through that still
valid file descriptor, leading to all kinds of use-after-free
exploitation scenarios.

Fix this by deferring the call to fd_install() until after the usercopy
has succeeded.

Fixes: c906965dee ("drm/vmwgfx: Add export fence to file descriptor support")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-01-29 10:17:07 +01:00
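The ordering problem the commit message describes, as an added userspace model rather than code from the vmwgfx driver or the kernel: the helpers below borrow the names of the kernel's fd API (get_unused_fd_flags, fd_install, put_unused_fd, fput, fget) but are local simplifications, and the file table, the "copy_to_user" stand-in and the sample file object are all constructed here. Two behaviours of the real API are what the model relies on: put_unused_fd() only drops the reservation bit and never clears the slot pointer, and fget() resolves an fd by following the slot pointer without consulting that bit. export_fence() runs the export either in the buggy order (install, then copy) or in the fixed order (copy, then install), and leaves_dangling_fd() checks what descriptor 0 resolves to after the copy fails.

```c
/* Userspace model of the fd-table ordering bug (constructed example; the
 * names mirror the kernel's fd API but these are local simplifications). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NR_FDS 8

struct file {
    int refcount;
    bool freed;   /* set instead of really freeing, so the test can inspect it */
};

/* Model of struct files_struct: one reservation bit plus one pointer per fd. */
static struct file *fd_table[NR_FDS];
static bool open_fds[NR_FDS];

static void reset_model(void)
{
    memset(fd_table, 0, sizeof(fd_table));
    memset(open_fds, 0, sizeof(open_fds));
}

/* Reserve a descriptor number; the slot pointer stays NULL until fd_install(). */
static int get_unused_fd_flags(void)
{
    for (int fd = 0; fd < NR_FDS; fd++) {
        if (!open_fds[fd]) {
            open_fds[fd] = true;
            return fd;
        }
    }
    return -1;   /* -EMFILE in the kernel */
}

/* Publish the file in the slot; from here on a syscall on fd reaches the file. */
static void fd_install(int fd, struct file *f) { fd_table[fd] = f; }

/* Undo a reservation that was never installed: clears the bit only, the
 * pointer is left untouched (as in the kernel's __put_unused_fd). */
static void put_unused_fd(int fd) { open_fds[fd] = false; }

/* Drop a reference; the last one "frees" the object. */
static void fput(struct file *f)
{
    if (--f->refcount == 0)
        f->freed = true;
}

/* What a later syscall does with the fd: follow the slot pointer. The
 * reservation bitmap is not consulted here, matching the kernel's lookup. */
static struct file *fget(int fd)
{
    return (fd >= 0 && fd < NR_FDS) ? fd_table[fd] : NULL;
}

/* Stand-in for copy_to_user(): nonzero means the usercopy failed. */
static int copy_to_user_model(bool fail) { return fail ? 1 : 0; }

/* Returns the fd handed to userland, or -1 on failure. install_first selects
 * the buggy ordering (fd_install before the usercopy); false is the fixed one. */
static int export_fence(struct file *f, bool install_first, bool copy_fails)
{
    int fd = get_unused_fd_flags();
    if (fd < 0)
        return -1;

    if (install_first)
        fd_install(fd, f);          /* buggy: published before the copy is known to succeed */

    if (copy_to_user_model(copy_fails)) {
        put_unused_fd(fd);          /* only undoes the reservation */
        fput(f);                    /* last reference: the file object is gone */
        return -1;
    }

    if (!install_first)
        fd_install(fd, f);          /* fixed: publish only after the copy succeeded */
    return fd;
}

/* True if, after a failed export, descriptor 0 still resolves to a freed
 * file: the stale entry the commit message describes. */
static bool leaves_dangling_fd(bool install_first)
{
    static struct file f;
    f.refcount = 1;
    f.freed = false;
    reset_model();
    (void)export_fence(&f, install_first, /* copy_fails = */ true);
    struct file *stale = fget(0);   /* 0 is the lowest free fd in a fresh table */
    return stale != NULL && stale->freed;
}

/* Success path for either ordering: returns the fd that now resolves to f. */
static int successful_export_fd(bool install_first)
{
    static struct file f;
    f.refcount = 1;
    f.freed = false;
    reset_model();
    int fd = export_fence(&f, install_first, /* copy_fails = */ false);
    return (fd >= 0 && fget(fd) == &f && !f.freed) ? fd : -1;
}

int main(void)
{
    printf("install before copy, copy fails -> dangling fd: %s\n",
           leaves_dangling_fd(true) ? "yes" : "no");
    printf("install after copy,  copy fails -> dangling fd: %s\n",
           leaves_dangling_fd(false) ? "yes" : "no");
    return 0;
}
```

In the buggy order the failed usercopy returns -EFAULT to the caller, yet slot 0 still holds a pointer to an object whose last reference was just dropped; any subsequent syscall on fd 0 walks into freed memory. In the fixed order the slot is still NULL when the error path runs, so put_unused_fd() fully undoes the reservation and nothing reachable from userland refers to the freed file.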
accessibility
acpi ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 2022-01-27 09:00:56 +01:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-12 14:28:22 +01:00
android binder: fix async_free_space accounting for empty parcels 2022-01-05 12:33:49 +01:00
ata libata: if T_LENGTH is zero, dma direction should be DMA_NONE 2021-12-22 09:18:00 +01:00
atm atm: nicstar: register the interrupt handler in the right place 2021-07-20 16:17:44 +02:00
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-26 11:40:35 +01:00
base regmap: Fix possible double-free in regcache_rbtree_exit() 2021-11-02 18:25:12 +01:00
bcma bcma: Fix memory leak for internally-handled cores 2021-09-22 11:45:22 +02:00
block floppy: Add max size check for user space request 2022-01-27 09:00:54 +01:00
bluetooth Bluetooth: bfusb: fix division by zero in send path 2022-01-27 09:00:46 +01:00
bus bus: qcom: Put child node before return 2021-05-22 10:57:28 +02:00
cdrom cdrom: gdrom: initialize global variable at init time 2021-05-26 11:47:00 +02:00
char char/mwave: Adjust io port register size 2022-01-27 09:00:52 +01:00
clk clk: bcm-2835: Remove rounding up the dividers 2022-01-27 09:00:49 +01:00
clocksource clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel 2021-09-22 11:45:19 +02:00
connector
cpufreq cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory 2021-10-06 15:05:08 +02:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-26 11:40:29 +01:00
crypto crypto: stm32/crc32 - Fix kernel BUG triggered in probe() 2022-01-27 09:00:59 +01:00
dax
dca
devfreq
dio
dma dmaengine: at_xdmac: Fix at_xdmac_lld struct definition 2022-01-27 09:01:01 +01:00
dma-buf dma-buf/sync_file: Don't leak fences on merge failure 2021-07-28 11:12:16 +02:00
edac EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell 2021-11-26 11:40:23 +01:00
eisa
extcon extcon: max8997: Add missing modalias string 2021-07-20 16:17:41 +02:00
firewire firewire: nosy: Fix a use-after-free bug in nosy_ioctl() 2021-04-07 12:47:03 +02:00
firmware firmware: Update Kconfig help text for Google firmware 2022-01-27 09:00:59 +01:00
fmc
fpga
fsi
gpio gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use 2022-01-27 09:00:54 +01:00
gpu drm/vmwgfx: Fix stale file descriptors on failed usercopy 2022-01-29 10:17:07 +01:00
hid HID: apple: Do not reset quirks when the Fn key is not found 2022-01-27 09:00:54 +01:00
hsi HSI: core: Fix return freed object in hsi_new_client 2022-01-27 09:00:54 +01:00
hv hyperv/vmbus: include linux/bitops.h 2021-11-26 11:40:22 +01:00
hwmon hwmon: (lm90) Do not report 'busy' status bit as alarm 2021-12-29 12:17:36 +01:00
hwspinlock
hwtracing intel_th: Wait until port is in reset before programming it 2021-07-20 16:17:51 +02:00
i2c i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters 2022-01-27 09:00:58 +01:00
ide
idle
iio iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove 2021-12-14 10:16:57 +01:00
infiniband RDMA/rxe: Fix a typo in opcode name 2022-01-27 09:01:00 +01:00
input Input: spaceball - fix parsing of movement data packets 2022-01-05 12:33:49 +01:00
iommu iommu/iova: Fix race between FQ timeout and teardown 2022-01-27 09:00:53 +01:00
ipack ipack: ipoctal: fix module reference leak 2021-10-06 15:05:09 +02:00
irqchip irqchip: nvic: Fix offset for Interrupt Priority Offsets 2021-12-14 10:16:57 +01:00
isdn mISDN: change function names to avoid conflicts 2022-01-11 13:57:38 +01:00
leds leds: ktd2692: Fix an error handling path 2021-07-20 16:17:41 +02:00
lightnvm
macintosh
mailbox
mcb mcb: fix error handling in mcb_alloc_bus() 2021-10-06 15:05:05 +02:00
md dm space map common: add bounds check to sm_ll_lookup_bitmap() 2022-01-27 09:00:57 +01:00
media media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() 2022-01-27 09:00:55 +01:00
memory memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe 2021-11-26 11:40:33 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-26 11:40:30 +01:00
message
mfd mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe() 2022-01-27 09:00:46 +01:00
misc misc: lattice-ecp3-config: Fix task hung when firmware load failed 2022-01-27 09:00:53 +01:00
mmc mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO 2022-01-27 09:00:55 +01:00
mtd mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare() 2021-11-26 11:40:34 +01:00
mux
net gianfar: fix jumbo packets+napi+rx overrun crash 2022-01-27 09:01:02 +01:00
nfc NFC: st21nfca: Fix memory leak in device probe and remove 2022-01-05 12:33:48 +01:00
ntb
nubus
nvdimm libnvdimm/dimm: Avoid race between probe and available_slots_show() 2021-03-03 18:22:54 +01:00
nvme nvme-rdma: don't update queue count when failing to set io queues 2021-09-22 11:45:17 +02:00
nvmem nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-20 10:42:04 +02:00
of of: Fix truncation of memory sizes on 32-bit platforms 2021-07-20 16:17:40 +02:00
oprofile
parisc parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries 2022-01-27 09:01:00 +01:00
parport parport: remove non-zero check on count 2021-09-22 11:45:31 +02:00
pci PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller 2022-01-27 09:00:48 +01:00
pcmcia pcmcia: fix setting of kthread task states 2022-01-27 09:00:51 +01:00
perf perf/arm_pmu_platform: Fix error handling 2021-05-22 10:57:17 +02:00
phy phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe() 2021-07-20 16:17:41 +02:00
pinctrl pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines 2021-12-29 12:17:35 +01:00
platform platform/x86: apple-gmux: use resource_size() with res 2022-01-05 12:33:48 +01:00
pnp
power power: bq25890: Enable continuous conversion for ADC at charging 2022-01-27 09:00:58 +01:00
powercap
pps
ps3
ptp ptp_pch: Load module automatically if ID matches 2021-10-17 10:08:33 +02:00
pwm pwm: rockchip: Don't modify HW state in .remove() callback 2021-09-26 13:37:30 +02:00
rapidio rapidio: handle create_workqueue() failure 2021-05-26 11:46:59 +02:00
ras
regulator regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled 2021-11-26 11:40:23 +01:00
remoteproc remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load 2021-02-23 14:00:29 +01:00
reset reset: ti-syscon: fix to_ti_syscon_reset_data macro 2021-07-28 11:12:14 +02:00
rpmsg rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() 2021-05-22 10:57:38 +02:00
rtc rtc: cmos: take rtc_lock while reading from CMOS 2022-01-27 09:00:47 +01:00
s390 s390/cio: check the subchannel validity for dev_busid 2021-11-26 11:40:37 +01:00
sbus
scsi scsi: sr: Don't use GFP_DMA 2022-01-27 09:00:58 +01:00
sfi
sh maple: fix wrong return value of maple_bus_init(). 2021-11-26 11:40:39 +01:00
sn
soc soc/tegra: fuse: Fix bitwise vs. logical OR warning 2021-12-22 09:17:59 +01:00
spi spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe 2022-01-27 09:00:51 +01:00
spmi
ssb ssb: sdio: Don't overwrite const buffer if block_write fails 2021-07-20 16:17:30 +02:00
staging staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn() 2022-01-27 09:00:46 +01:00
target scsi: target: Fix alua_tg_pt_gps_count tracking 2021-11-26 11:40:38 +01:00
tc
tee tee: handle lookup of shm with reference count 0 2022-01-05 12:33:48 +01:00
thermal thermal: core: Reset previous low and high trip during thermal zone init 2021-12-08 08:46:54 +01:00
thunderbolt thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue 2021-06-03 08:36:15 +02:00
tty serial: Fix incorrect rs485 polarity on uart open 2022-01-27 09:00:59 +01:00
uio
usb usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 2022-01-27 09:00:55 +01:00
uwb
vfio vfio: Use config not menuconfig for VFIO_NOIOMMU 2021-09-22 11:45:26 +02:00
vhost vhost/vsock: fix incorrect used length reported to the guest 2021-12-08 08:46:49 +01:00
video vgacon: Propagate console boot parameters before calling `vc_resize' 2021-12-08 08:46:56 +01:00
virt
virtio virtio_pci: Support surprise removal of virtio pci device 2022-01-11 13:57:35 +01:00
vlynq
vme
w1 w1: Misuse of get_user()/put_user() reported by sparse 2022-01-27 09:00:58 +01:00
watchdog ar7: fix kernel builds for compiler test 2021-11-26 11:40:35 +01:00
xen xen: detect uninitialized xenbus in xenbus_init 2021-12-08 08:46:48 +01:00
zorro
Kconfig
Makefile