4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 2 May 2016 16:29:23 +0000 (09:29 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 2 May 2016 16:29:23 +0000 (09:29 -0700)
added patches:
usb-usbip-fix-potential-out-of-bounds-write.patch
videobuf2-core-check-user-space-planes-array-in-dqbuf.patch
videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch

queue-4.4/drm-i915-exit-cherryview_irq_handler-after-one-pass.patch [deleted file]
queue-4.4/series
queue-4.4/usb-usbip-fix-potential-out-of-bounds-write.patch [new file with mode: 0644]
queue-4.4/videobuf2-core-check-user-space-planes-array-in-dqbuf.patch [new file with mode: 0644]
queue-4.4/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch [new file with mode: 0644]

diff --git a/queue-4.4/drm-i915-exit-cherryview_irq_handler-after-one-pass.patch b/queue-4.4/drm-i915-exit-cherryview_irq_handler-after-one-pass.patch
deleted file mode 100644 (file)
index 850baef..0000000
+++ /dev/null
@@ -1,105 +0,0 @@
-From 9dbaab56ac09f07a73fe83bf69bec3e31060080a Mon Sep 17 00:00:00 2001
-From: Chris Wilson <chris@chris-wilson.co.uk>
-Date: Mon, 14 Mar 2016 09:01:57 +0000
-Subject: drm/i915: Exit cherryview_irq_handler() after one pass
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Chris Wilson <chris@chris-wilson.co.uk>
-
-commit 9dbaab56ac09f07a73fe83bf69bec3e31060080a upstream.
-
-This effectively reverts
-
-commit 8e5fd599eb219f1054e39b40d18b217af669eea9
-Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
-Date:   Wed Apr 9 13:28:50 2014 +0300
-
-    drm/i915/chv: Make CHV irq handler loop until all interrupts are consumed
-
-as under continuous execlists load we can saturate the IRQ handler,
-destablising the tsc clock and triggering the NMI watchdog to declare a hung
-CPU.
-
-[  552.756051] clocksource: timekeeping watchdog on CPU0: Marking clocksource 'tsc' as unstable because the skew is too large:
-[  552.756080] clocksource:                       'refined-jiffies' wd_now: 10003b480 wd_last: 10003b28c mask: ffffffff
-[  552.756091] clocksource:                       'tsc' cs_now: d55d31aa50 cs_last: d17446166c mask: ffffffffffffffff
-[  552.756210] clocksource: Switched to clocksource refined-jiffies
-[  575.217870] NMI watchdog: Watchdog detected hard LOCKUP on cpu 1
-[  575.217893] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.5.0-rc7+ #18
-[  575.217905] Hardware name:                  /NUC5CPYB, BIOS PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
-[  575.217915]  0000000000000000 ffff88027fd05bc0 ffffffff81288c6d 0000000000000000
-[  575.217935]  0000000000000001 ffff88027fd05be0 ffffffff810e72d1 0000000000000000
-[  575.217951]  ffff88027fd05c80 ffff88027fd05c20 ffffffff81114b60 0000000181015f1e
-[  575.217967] Call Trace:
-[  575.217973]  <NMI>  [<ffffffff81288c6d>] dump_stack+0x4f/0x72
-[  575.217994]  [<ffffffff810e72d1>] watchdog_overflow_callback+0x151/0x160
-[  575.218003]  [<ffffffff81114b60>] __perf_event_overflow+0xa0/0x1e0
-[  575.218016]  [<ffffffff811154c4>] perf_event_overflow+0x14/0x20
-[  575.218028]  [<ffffffff8101d2ca>] intel_pmu_handle_irq+0x1da/0x460
-[  575.218042]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
-[  575.218052]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
-[  575.218064]  [<ffffffff81014ae8>] perf_event_nmi_handler+0x28/0x50
-[  575.218075]  [<ffffffff81007540>] nmi_handle+0x60/0x130
-[  575.218086]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
-[  575.218096]  [<ffffffff810079c0>] do_nmi+0x140/0x470
-[  575.218108]  [<ffffffff81559ec7>] end_repeat_nmi+0x1a/0x1e
-[  575.218119]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
-[  575.218129]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
-[  575.218139]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
-[  575.218148]  <<EOE>>  [<ffffffff814a8353>] cpuidle_enter_state+0xf3/0x2f0
-[  575.218164]  [<ffffffff814a8587>] cpuidle_enter+0x17/0x20
-[  575.218175]  [<ffffffff810aaa3a>] call_cpuidle+0x2a/0x40
-[  575.218185]  [<ffffffff810aade3>] cpu_startup_entry+0x273/0x330
-[  575.218196]  [<ffffffff81033a1e>] start_secondary+0x10e/0x130
-
-However, not servicing all available IIR within the handler does hurt the
-throughput of pathological nop execbuf by about 20%, with a similar effect
-upon the dispatch latency of a series of execbuf.
-
-v2: use do {} while(0) for a smaller patch, and easier to revert again
-
-I have reasonable confidence that we do not miss GT interrupts (as
-execlists provides a stress case with a failure mechanism easily
-detected by igt), however I have less confidence about all the other
-sources of interrupts and worry that may lose a display hotplug
-interrupt, for example.
-
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93467
-Testcase: igt/gem_exec_nop/basic # requires NMI watchdog
-Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
-Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
-Cc: Antti Koskipää <antti.koskipaa@linux.intel.com>
-Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
-Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
-Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
-Link: http://patchwork.freedesktop.org/patch/msgid/1457946117-6714-1-git-send-email-chris@chris-wilson.co.uk
-(cherry picked from commit 579de73b048a0a4c66c25a033ac76a2836e0cf73)
-Signed-off-by: Jani Nikula <jani.nikula@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/gpu/drm/i915/i915_irq.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/gpu/drm/i915/i915_irq.c
-+++ b/drivers/gpu/drm/i915/i915_irq.c
-@@ -1788,7 +1788,7 @@ static irqreturn_t cherryview_irq_handle
-       if (!intel_irqs_enabled(dev_priv))
-               return IRQ_NONE;
--      for (;;) {
-+      do {
-               master_ctl = I915_READ(GEN8_MASTER_IRQ) & ~GEN8_MASTER_IRQ_CONTROL;
-               iir = I915_READ(VLV_IIR);
-@@ -1816,7 +1816,7 @@ static irqreturn_t cherryview_irq_handle
-               I915_WRITE(GEN8_MASTER_IRQ, DE_MASTER_IRQ_CONTROL);
-               POSTING_READ(GEN8_MASTER_IRQ);
--      }
-+      } while (0);
-       return ret;
- }
index 958fba7625989190a8221190b5712e3fc2b25280..22a83625e6b4ac941f007f898e0e87b23f4caa99 100644 (file)
@@ -38,7 +38,6 @@ futex-handle-unlock_pi-race-gracefully.patch
 futex-acknowledge-a-new-waiter-in-counter-before-plist.patch
 drm-nouveau-core-use-vzalloc-for-allocating-ramht.patch
 drm-qxl-fix-cursor-position-with-non-zero-hotspot.patch
-drm-i915-exit-cherryview_irq_handler-after-one-pass.patch
 drm-i915-fix-race-condition-in-intel_dp_destroy_mst_connector.patch
 revert-drm-radeon-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch
 revert-drm-amdgpu-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch
@@ -108,3 +107,6 @@ numa-fix-proc-pid-numa_maps-for-thp.patch
 mm-vmscan-reclaim-highmem-zone-if-buffer_heads-is-over-limit.patch
 mm-hwpoison-fix-wrong-num_poisoned_pages-accounting.patch
 cgroup-make-sure-a-parent-css-isn-t-freed-before-its-children.patch
+usb-usbip-fix-potential-out-of-bounds-write.patch
+videobuf2-core-check-user-space-planes-array-in-dqbuf.patch
+videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
diff --git a/queue-4.4/usb-usbip-fix-potential-out-of-bounds-write.patch b/queue-4.4/usb-usbip-fix-potential-out-of-bounds-write.patch
new file mode 100644 (file)
index 0000000..a60274c
--- /dev/null
@@ -0,0 +1,47 @@
+From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001
+From: Ignat Korchagin <ignat.korchagin@gmail.com>
+Date: Thu, 17 Mar 2016 18:00:29 +0000
+Subject: USB: usbip: fix potential out-of-bounds write
+
+From: Ignat Korchagin <ignat.korchagin@gmail.com>
+
+commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream.
+
+Fix potential out-of-bounds write to urb->transfer_buffer
+usbip handles network communication directly in the kernel. When receiving a
+packet from its peer, usbip code parses headers according to protocol. As
+part of this parsing urb->actual_length is filled. Since the input for
+urb->actual_length comes from the network, it should be treated as untrusted.
+Any entity controlling the network may put any value in the input and the
+preallocated urb->transfer_buffer may not be large enough to hold the data.
+Thus, the malicious entity is able to write arbitrary data to kernel memory.
+
+Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/usbip_common.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/usbip/usbip_common.c
++++ b/drivers/usb/usbip/usbip_common.c
+@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device
+       if (!(size > 0))
+               return 0;
++      if (size > urb->transfer_buffer_length) {
++              /* should not happen, probably malicious packet */
++              if (ud->side == USBIP_STUB) {
++                      usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
++                      return 0;
++              } else {
++                      usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
++                      return -EPIPE;
++              }
++      }
++
+       ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
+       if (ret != size) {
+               dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
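Review bot: The new oversize branch returns without logging, while the existing short-read path right below it emits `dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);`, so a peer that sends an `actual_length` larger than the preallocated buffer leaves no trace in the kernel log; the `/* should not happen, probably malicious packet */` comment also understates the case, since the commit message itself says the value is network-controlled. A one-line `dev_err(&urb->dev->dev, "recv xbuf: size %d exceeds transfer_buffer_length %u\n", size, urb->transfer_buffer_length);` placed before the side check would give operators something to alert on and keeps the function's error-reporting style consistent. The enclosing usbip_recv_xbuff() starts and ends outside the hunk, so how `size` is derived on each side is not visible here.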
diff --git a/queue-4.4/videobuf2-core-check-user-space-planes-array-in-dqbuf.patch b/queue-4.4/videobuf2-core-check-user-space-planes-array-in-dqbuf.patch
new file mode 100644 (file)
index 0000000..2303464
--- /dev/null
@@ -0,0 +1,71 @@
+From e7e0c3e26587749b62d17b9dd0532874186c77f7 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sun, 3 Apr 2016 16:15:00 -0300
+Subject: [media] videobuf2-core: Check user space planes array in dqbuf
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit e7e0c3e26587749b62d17b9dd0532874186c77f7 upstream.
+
+The number of planes in videobuf2 is specific to a buffer. In order to
+verify that the planes array provided by the user is long enough, a new
+vb2_buf_op is required.
+
+Call __verify_planes_array() when the dequeued buffer is known. Return an
+error to the caller if there was one, otherwise remove the buffer from the
+done list.
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c |   10 +++++-----
+ include/media/videobuf2-core.h           |    1 +
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1502,7 +1502,7 @@ static int __vb2_wait_for_done_vb(struct
+  * Will sleep if required for nonblocking == false.
+  */
+ static int __vb2_get_done_vb(struct vb2_queue *q, struct vb2_buffer **vb,
+-                              int nonblocking)
++                           void *pb, int nonblocking)
+ {
+       unsigned long flags;
+       int ret;
+@@ -1523,10 +1523,10 @@ static int __vb2_get_done_vb(struct vb2_
+       /*
+        * Only remove the buffer from done_list if v4l2_buffer can handle all
+        * the planes.
+-       * Verifying planes is NOT necessary since it already has been checked
+-       * before the buffer is queued/prepared. So it can never fail.
+        */
+-      list_del(&(*vb)->done_entry);
++      ret = call_bufop(q, verify_planes_array, *vb, pb);
++      if (!ret)
++              list_del(&(*vb)->done_entry);
+       spin_unlock_irqrestore(&q->done_lock, flags);
+       return ret;
+@@ -1604,7 +1604,7 @@ int vb2_core_dqbuf(struct vb2_queue *q,
+       struct vb2_buffer *vb = NULL;
+       int ret;
+-      ret = __vb2_get_done_vb(q, &vb, nonblocking);
++      ret = __vb2_get_done_vb(q, &vb, pb, nonblocking);
+       if (ret < 0)
+               return ret;
+--- a/include/media/videobuf2-core.h
++++ b/include/media/videobuf2-core.h
+@@ -363,6 +363,7 @@ struct vb2_ops {
+ };
+ struct vb2_buf_ops {
++      int (*verify_planes_array)(struct vb2_buffer *vb, const void *pb);
+       int (*fill_user_buffer)(struct vb2_buffer *vb, void *pb);
+       int (*fill_vb2_buffer)(struct vb2_buffer *vb, const void *pb,
+                               struct vb2_plane *planes);
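Review bot: `__vb2_get_done_vb()` gains a `pb` parameter, but the kernel-doc block that ends just above the signature (`* Will sleep if required for nonblocking == false.`) is not updated; if its parameter list, which lies outside the hunk, uses the usual `@name:` form, add `* @pb: caller-supplied buffer structure, handed to the verify_planes_array op` beside the `@nonblocking` entry. Note also that the check now rests entirely on the queue's `vb2_buf_ops` providing `verify_planes_array`: if `call_bufop()` (its definition is not in this hunk) yields 0 for an unset op, a provider that does not implement it silently keeps the pre-patch unverified dequeue, which is why the companion videobuf2-v4l2 patch in this series has to land together with this one. Since a non-zero `ret` now leaves the buffer on `done_list` and returns it up through `vb2_core_dqbuf()`, the stale "Verifying planes is NOT necessary" text is correctly removed; nothing further is needed there.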
diff --git a/queue-4.4/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch b/queue-4.4/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
new file mode 100644 (file)
index 0000000..47115b7
--- /dev/null
@@ -0,0 +1,55 @@
+From 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sun, 3 Apr 2016 16:31:03 -0300
+Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab upstream.
+
+When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
+which will be dequeued is not known until the buffer has been removed from
+the queue. The number of planes is specific to a buffer, not to the queue.
+
+This does lead to the situation where multi-plane buffers may be requested
+and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
+struct with fewer planes.
+
+__fill_v4l2_buffer() however uses the number of planes from the dequeued
+videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
+in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
+planes than the dequeued buffer had. Oops!
+
+Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -67,6 +67,11 @@ static int __verify_planes_array(struct
+       return 0;
+ }
++static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
++{
++      return __verify_planes_array(vb, pb);
++}
++
+ /**
+  * __verify_length() - Verify that the bytesused value for each plane fits in
+  * the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -432,6 +437,7 @@ static int __fill_vb2_buffer(struct vb2_
+ }
+ static const struct vb2_buf_ops v4l2_buf_ops = {
++      .verify_planes_array    = __verify_planes_array_core,
+       .fill_user_buffer       = __fill_v4l2_buffer,
+       .fill_vb2_buffer        = __fill_vb2_buffer,
+       .set_timestamp          = __set_timestamp,
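Review bot: `__verify_planes_array_core()` is an uncommented adapter whose only purpose is to match the `const void *pb` signature of the new `verify_planes_array` op while delegating to `__verify_planes_array()`, whose typed parameter is cut off at the top of the hunk (presumably a `struct v4l2_buffer` pointer, given the commit message); a short comment such as `/* vb2_buf_ops adapter: the core hands pb over as const void * */` would stop a reader from treating the implicit pointer conversion as accidental, and it matches how the neighbouring `.fill_user_buffer`/`.fill_vb2_buffer` entries are wired. The `v4l2_buf_ops` initializer continues past the end of this hunk.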