1. 19 Oct, 2023 2 commits
  2. 18 Oct, 2023 2 commits
  3. 16 Oct, 2023 2 commits
  4. 12 Oct, 2023 6 commits
  5. 10 Oct, 2023 2 commits
  6. 09 Oct, 2023 2 commits
      drm/vmwgfx: Keep a gem reference to user bos in surfaces · 91398b41
      Zack Rusin authored
      Surfaces can be backed (i.e. stored in) memory objects (mob's) which
      are created and managed by the userspace as GEM buffers. Surfaces
      grab only a ttm reference which means that the gem object can
      be deleted underneath us, especially in cases where prime buffer
      export is used.
      
      Make sure that all userspace surfaces which are backed by gem objects
      hold a gem reference to make sure they're not deleted before vmw
      surfaces are done with them, which fixes:
      ------------[ cut here ]------------
      refcount_t: underflow; use-after-free.
      WARNING: CPU: 2 PID: 2632 at lib/refcount.c:28 refcount_warn_saturate+0xfb/0x150
      Modules linked in: overlay vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock snd_ens1371 snd_ac97_codec ac97_bus snd_pcm gameport>
      CPU: 2 PID: 2632 Comm: vmw_ref_count Not tainted 6.5.0-rc2-vmwgfx #1
      Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
      RIP: 0010:refcount_warn_saturate+0xfb/0x150
      Code: eb 9e 0f b6 1d 8b 5b a6 01 80 fb 01 0f 87 ba e4 80 00 83 e3 01 75 89 48 c7 c7 c0 3c f9 a3 c6 05 6f 5b a6 01 01 e8 15 81 98 ff <0f> 0b e9 6f ff ff ff 0f b>
      RSP: 0018:ffffbdc34344bba0 EFLAGS: 00010286
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027
      RDX: ffff960475ea1548 RSI: 0000000000000001 RDI: ffff960475ea1540
      RBP: ffffbdc34344bba8 R08: 0000000000000003 R09: 65646e75203a745f
      R10: ffffffffa5b32b20 R11: 72657466612d6573 R12: ffff96037d6a6400
      R13: ffff9603484805b0 R14: 000000000000000b R15: ffff9603bed06060
      FS:  00007f5fd8520c40(0000) GS:ffff960475e80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f5fda755000 CR3: 000000010d012005 CR4: 00000000003706e0
      Call Trace:
       <TASK>
       ? show_regs+0x6e/0x80
       ? refcount_warn_saturate+0xfb/0x150
       ? __warn+0x91/0x150
       ? refcount_warn_saturate+0xfb/0x150
       ? report_bug+0x19d/0x1b0
       ? handle_bug+0x46/0x80
       ? exc_invalid_op+0x1d/0x80
       ? asm_exc_invalid_op+0x1f/0x30
       ? refcount_warn_saturate+0xfb/0x150
       drm_gem_object_handle_put_unlocked+0xba/0x110 [drm]
       drm_gem_object_release_handle+0x6e/0x80 [drm]
       drm_gem_handle_delete+0x6a/0xc0 [drm]
       ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
       vmw_bo_unref_ioctl+0x33/0x40 [vmwgfx]
       drm_ioctl_kernel+0xbc/0x160 [drm]
       drm_ioctl+0x2d2/0x580 [drm]
       ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
       ? do_vmi_munmap+0xee/0x180
       vmw_generic_ioctl+0xbd/0x180 [vmwgfx]
       vmw_unlocked_ioctl+0x19/0x20 [vmwgfx]
       __x64_sys_ioctl+0x99/0xd0
       do_syscall_64+0x5d/0x90
       ? syscall_exit_to_user_mode+0x2a/0x50
       ? do_syscall_64+0x6d/0x90
       ? handle_mm_fault+0x16e/0x2f0
       ? exit_to_user_mode_prepare+0x34/0x170
       ? irqentry_exit_to_user_mode+0xd/0x20
       ? irqentry_exit+0x3f/0x50
       ? exc_page_fault+0x8e/0x190
       entry_SYSCALL_64_after_hwframe+0x6e/0xd8
      RIP: 0033:0x7f5fda51aaff
      Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 7>
      RSP: 002b:00007ffd536a4d30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 00007ffd536a4de0 RCX: 00007f5fda51aaff
      RDX: 00007ffd536a4de0 RSI: 0000000040086442 RDI: 0000000000000003
      RBP: 0000000040086442 R08: 000055fa603ada50 R09: 0000000000000000
      R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffd536a51b8
      R13: 0000000000000003 R14: 000055fa5ebb4c80 R15: 00007f5fda90f040
       </TASK>
      ---[ end trace 0000000000000000 ]---
      
      A lot of the analysis on the bug was done by Murray McAllister and
      Ian Forbes.
      Reported-by: Murray McAllister <murray.mcallister@gmail.com>
      Cc: Ian Forbes <iforbes@vmware.com>
      Signed-off-by: Zack Rusin <zackr@vmware.com>
      Fixes: a950b989 ("drm/vmwgfx: Do not drop the reference to the handle too soon")
      Cc: <stable@vger.kernel.org> # v6.2+
      Reviewed-by: Martin Krastev <krastevm@vmware.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230928041355.737635-1-zack@kde.org
      drm/vmwgfx: fix typo of sizeof argument · 39465cac
      Konstantin Meskhidze authored
      Since the size of the 'header' pointer and the '*header' structure is
      equal on 64-bit machines, the issue probably didn't cause any wrong
      behavior. But anyway, fixing the typo is required.
      
      Fixes: 7a73ba74 ("drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles.")
      Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
      Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
      Reviewed-by: Zack Rusin <zackr@vmware.com>
      Signed-off-by: Zack Rusin <zackr@vmware.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230905100203.1716731-1-konstantin.meskhidze@huawei.com
  7. 05 Oct, 2023 1 commit
  8. 03 Oct, 2023 4 commits
  9. 30 Sep, 2023 1 commit
  10. 27 Sep, 2023 6 commits
  11. 25 Sep, 2023 1 commit
  12. 21 Sep, 2023 1 commit
      fbdev/sh7760fb: Depend on FB=y · f75f71b2
      Thomas Zimmermann authored
      Fix linker error if FB=m about missing fb_io_read and fb_io_write. The
      linker's error message suggests that this config setting has already
      been broken for other symbols.
      
        All errors (new ones prefixed by >>):
      
           sh4-linux-ld: drivers/video/fbdev/sh7760fb.o: in function `sh7760fb_probe':
           sh7760fb.c:(.text+0x374): undefined reference to `framebuffer_alloc'
           sh4-linux-ld: sh7760fb.c:(.text+0x394): undefined reference to `fb_videomode_to_var'
           sh4-linux-ld: sh7760fb.c:(.text+0x39c): undefined reference to `fb_alloc_cmap'
           sh4-linux-ld: sh7760fb.c:(.text+0x3a4): undefined reference to `register_framebuffer'
           sh4-linux-ld: sh7760fb.c:(.text+0x3ac): undefined reference to `fb_dealloc_cmap'
           sh4-linux-ld: sh7760fb.c:(.text+0x434): undefined reference to `framebuffer_release'
           sh4-linux-ld: drivers/video/fbdev/sh7760fb.o: in function `sh7760fb_remove':
           sh7760fb.c:(.text+0x800): undefined reference to `unregister_framebuffer'
           sh4-linux-ld: sh7760fb.c:(.text+0x804): undefined reference to `fb_dealloc_cmap'
           sh4-linux-ld: sh7760fb.c:(.text+0x814): undefined reference to `framebuffer_release'
        >> sh4-linux-ld: drivers/video/fbdev/sh7760fb.o:(.rodata+0xc): undefined reference to `fb_io_read'
        >> sh4-linux-ld: drivers/video/fbdev/sh7760fb.o:(.rodata+0x10): undefined reference to `fb_io_write'
           sh4-linux-ld: drivers/video/fbdev/sh7760fb.o:(.rodata+0x2c): undefined reference to `cfb_fillrect'
           sh4-linux-ld: drivers/video/fbdev/sh7760fb.o:(.rodata+0x30): undefined reference to `cfb_copyarea'
           sh4-linux-ld: drivers/video/fbdev/sh7760fb.o:(.rodata+0x34): undefined reference to `cfb_imageblit'
      Suggested-by: Randy Dunlap <rdunlap@infradead.org>
      Reported-by: kernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202309130632.LS04CPWu-lkp@intel.com/
      Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
      Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
      Acked-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230918090400.13264-1-tzimmermann@suse.de
  13. 20 Sep, 2023 3 commits
  14. 19 Sep, 2023 4 commits
  15. 18 Sep, 2023 1 commit
      drm: fix up fbdev Kconfig defaults · bb6c4507
      Arnd Bergmann authored
      As a result of the recent Kconfig reworks, the default settings for the
      framebuffer interfaces changed in unexpected ways:
      
      Configurations that leave CONFIG_FB disabled but use DRM now get
      DRM_FBDEV_EMULATION by default. This also turns on the deprecated /dev/fb
      device nodes for machines that don't actually want it.
      
      In turn, configurations that previously had DRM_FBDEV_EMULATION enabled
      now only get the /dev/fb front-end but not the more useful framebuffer
      console, which is not selected any more.
      
      We had previously decided that any combination of the three frontends
      (FB_DEVICE, FRAMEBUFFER_CONSOLE and LOGO) should be selectable, but the
      new default settings mean that a lot of defconfig files would have to
      get adapted.
      
      Change the defaults back to what they were in Linux 6.5:
      
       - Leave DRM_FBDEV_EMULATION turned off unless CONFIG_FB
         is enabled. Previously this was a hard dependency but now the two are
         independent. However, configurations that enable CONFIG_FB probably
         also want to keep the emulation for DRM, while those without FB
         presumably did that intentionally in the past.
      
       - Leave FB_DEVICE turned off for FB=n. Following the same
         logic, the deprecated option should not automatically get enabled
         here; most users that had FB turned off in the past do not want it,
         even if they want the console.
      
       - Turn the FRAMEBUFFER_CONSOLE option on if
         DRM_FBDEV_EMULATION is set to avoid having to change defconfig
         files that relied on it being selected unconditionally in the past.
         This also makes sense since both LOGO and FB_DEVICE are now disabled
         by default for builds without CONFIG_FB, but DRM_FBDEV_EMULATION
         would make no sense if all three are disabled.
      
      Fixes: a5ae331e ("drm: Drop select FRAMEBUFFER_CONSOLE for DRM_FBDEV_EMULATION")
      Fixes: 701d2054 ("fbdev: Make support for userspace interfaces configurable")
      Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
      Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
      Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230911205338.2385278-1-arnd@kernel.org
  16. 15 Sep, 2023 1 commit
  17. 14 Sep, 2023 1 commit
      drm/tests: helpers: Avoid a driver uaf · 139a2785
      Thomas Hellström authored
      When using __drm_kunit_helper_alloc_drm_device() the driver may be
      dereferenced by device-managed resources up until the device is
      freed, which is typically later than the kunit-managed resource code
      frees it. Fix this by simply making the driver device-managed as well.
      
      In short, the sequence leading to the UAF is as follows:
      
      INIT:
      Code allocates a struct device as a kunit-managed resource.
      Code allocates a drm driver as a kunit-managed resource.
      Code allocates a drm device as a device-managed resource.
      
      EXIT:
      Kunit resource cleanup frees the drm driver
      Kunit resource cleanup puts the struct device, which starts a
            device-managed resource cleanup
      device-managed cleanup calls drm_dev_put()
      drm_dev_put() dereferences the (now freed) drm driver -> Boom.
      
      Related KASAN message:
      [55272.551542] ==================================================================
      [55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]
      [55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353
      
      [55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G     U           N 6.5.0-rc7+ #155
      [55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021
      [55272.551626] Call Trace:
      [55272.551629]  <TASK>
      [55272.551633]  dump_stack_lvl+0x57/0x90
      [55272.551639]  print_report+0xcf/0x630
      [55272.551645]  ? _raw_spin_lock_irqsave+0x5f/0x70
      [55272.551652]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
      [55272.551694]  kasan_report+0xd7/0x110
      [55272.551699]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
      [55272.551742]  drm_dev_put.part.0+0xd4/0xe0 [drm]
      [55272.551783]  devres_release_all+0x15d/0x1f0
      [55272.551790]  ? __pfx_devres_release_all+0x10/0x10
      [55272.551797]  device_unbind_cleanup+0x16/0x1a0
      [55272.551802]  device_release_driver_internal+0x3e5/0x540
      [55272.551808]  ? kobject_put+0x5d/0x4b0
      [55272.551814]  bus_remove_device+0x1f1/0x3f0
      [55272.551819]  device_del+0x342/0x910
      [55272.551826]  ? __pfx_device_del+0x10/0x10
      [55272.551830]  ? lock_release+0x339/0x5e0
      [55272.551836]  ? kunit_remove_resource+0x128/0x290 [kunit]
      [55272.551845]  ? __pfx_lock_release+0x10/0x10
      [55272.551851]  platform_device_del.part.0+0x1f/0x1e0
      [55272.551856]  ? _raw_spin_unlock_irqrestore+0x30/0x60
      [55272.551863]  kunit_remove_resource+0x195/0x290 [kunit]
      [55272.551871]  ? _raw_spin_unlock_irqrestore+0x30/0x60
      [55272.551877]  kunit_cleanup+0x78/0x120 [kunit]
      [55272.551885]  ? __kthread_parkme+0xc1/0x1f0
      [55272.551891]  ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]
      [55272.551900]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]
      [55272.551909]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
      [55272.551919]  kthread+0x2e7/0x3c0
      [55272.551924]  ? __pfx_kthread+0x10/0x10
      [55272.551929]  ret_from_fork+0x2d/0x70
      [55272.551935]  ? __pfx_kthread+0x10/0x10
      [55272.551940]  ret_from_fork_asm+0x1b/0x30
      [55272.551948]  </TASK>
      
      [55272.551953] Allocated by task 10351:
      [55272.551956]  kasan_save_stack+0x1c/0x40
      [55272.551962]  kasan_set_track+0x21/0x30
      [55272.551966]  __kasan_kmalloc+0x8b/0x90
      [55272.551970]  __kmalloc+0x5e/0x160
      [55272.551976]  kunit_kmalloc_array+0x1c/0x50 [kunit]
      [55272.551984]  drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]
      [55272.551991]  kunit_try_run_case+0xdd/0x250 [kunit]
      [55272.551999]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
      [55272.552008]  kthread+0x2e7/0x3c0
      [55272.552012]  ret_from_fork+0x2d/0x70
      [55272.552017]  ret_from_fork_asm+0x1b/0x30
      
      [55272.552024] Freed by task 10353:
      [55272.552027]  kasan_save_stack+0x1c/0x40
      [55272.552032]  kasan_set_track+0x21/0x30
      [55272.552036]  kasan_save_free_info+0x27/0x40
      [55272.552041]  __kasan_slab_free+0x106/0x180
      [55272.552046]  slab_free_freelist_hook+0xb3/0x160
      [55272.552051]  __kmem_cache_free+0xb2/0x290
      [55272.552056]  kunit_remove_resource+0x195/0x290 [kunit]
      [55272.552064]  kunit_cleanup+0x78/0x120 [kunit]
      [55272.552072]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
      [55272.552080]  kthread+0x2e7/0x3c0
      [55272.552085]  ret_from_fork+0x2d/0x70
      [55272.552089]  ret_from_fork_asm+0x1b/0x30
      
      [55272.552096] The buggy address belongs to the object at ffff888127502800
                      which belongs to the cache kmalloc-512 of size 512
      [55272.552105] The buggy address is located 40 bytes inside of
                      freed 512-byte region [ffff888127502800, ffff888127502a00)
      
      [55272.552115] The buggy address belongs to the physical page:
      [55272.552119] page:00000000af6c70ff refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127500
      [55272.552127] head:00000000af6c70ff order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      [55272.552133] anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
      [55272.552141] page_type: 0xffffffff()
      [55272.552145] raw: 0017ffffc0010200 ffff888100042c80 0000000000000000 dead000000000001
      [55272.552152] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
      [55272.552157] page dumped because: kasan: bad access detected
      
      [55272.552163] Memory state around the buggy address:
      [55272.552167]  ffff888127502700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [55272.552173]  ffff888127502780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [55272.552178] >ffff888127502800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [55272.552184]                                   ^
      [55272.552187]  ffff888127502880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [55272.552193]  ffff888127502900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [55272.552198] ==================================================================
      [55272.552203] Disabling lock debugging due to kernel taint
      
      v2:
      - Update commit message, add Fixes: tag and Cc stable.
      v3:
      - Further commit message updates (Maxime Ripard).
      
      Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Cc: Maxime Ripard <mripard@kernel.org>
      Cc: Thomas Zimmermann <tzimmermann@suse.de>
      Cc: David Airlie <airlied@gmail.com>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: dri-devel@lists.freedesktop.org
      Cc: stable@vger.kernel.org # v6.3+
      Fixes: d9878031 ("drm/tests: helpers: Allow to pass a custom drm_driver")
      Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
      Reviewed-by: Francois Dugast <francois.dugast@intel.com>
      Acked-by: Maxime Ripard <mripard@kernel.org>
      Link: https://lore.kernel.org/r/20230907135339.7971-2-thomas.hellstrom@linux.intel.com
      Signed-off-by: Maxime Ripard <mripard@kernel.org>