From: Greg Kroah-Hartman Date: Tue, 25 Jan 2022 12:41:07 +0000 (+0100) Subject: drop drm-etnaviv-limit-submit-sizes.patch from 4.14 and 4.9 X-Git-Tag: v4.4.300~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=46d17edb62e347c4004d7dd449b77cb14cd4141e;p=thirdparty%2Fkernel%2Fstable-queue.git drop drm-etnaviv-limit-submit-sizes.patch from 4.14 and 4.9 --- diff --git a/queue-4.14/drm-etnaviv-limit-submit-sizes.patch b/queue-4.14/drm-etnaviv-limit-submit-sizes.patch deleted file mode 100644 index 566ed808c44..00000000000 --- a/queue-4.14/drm-etnaviv-limit-submit-sizes.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 6dfa2fab8ddd46faa771a102672176bee7a065de Mon Sep 17 00:00:00 2001 -From: Lucas Stach -Date: Fri, 17 Dec 2021 11:59:28 +0100 -Subject: drm/etnaviv: limit submit sizes - -From: Lucas Stach - -commit 6dfa2fab8ddd46faa771a102672176bee7a065de upstream. - -Currently we allow rediculous amounts of kernel memory being allocated -via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put -some reasonable limits in to fix this. - -The commandstream size is limited to 64KB, which was already a soft limit -on older kernels after which the kernel only took submits on a best effort -base, so there is no userspace that tries to submit commandstreams larger -than this. Even if the whole commandstream is a single incrementing address -load, the size limit also limits the number of potential relocs and -referenced buffers to slightly under 64K, so use the same limit for those -arguments. The performance monitoring infrastructure currently supports -less than 50 performance counter signals, so limiting them to 128 on a -single submit seems like a reasonably future-proof number for now. This -number can be bumped if needed without breaking the interface. - -Cc: stable@vger.kernel.org -Reported-by: Dan Carpenter -Signed-off-by: Lucas Stach -Reviewed-by: Christian Gmeiner -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c -+++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c -@@ -341,6 +341,12 @@ int etnaviv_ioctl_gem_submit(struct drm_ - return -EINVAL; - } - -+ if (args->stream_size > SZ_64K || args->nr_relocs > SZ_64K || -+ args->nr_bos > SZ_64K || args->nr_pmrs > 128) { -+ DRM_ERROR("submit arguments out of size limits\n"); -+ return -EINVAL; -+ } -+ - /* - * Copy the command submission and bo array to kernel space in - * one go, and do this outside of any locks. diff --git a/queue-4.14/series b/queue-4.14/series index d3cfe48d132..aaac6154e9e 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -148,7 +148,6 @@ ubifs-error-path-in-ubifs_remount_rw-seems-to-wrongly-free-write-buffers.patch serial-fix-incorrect-rs485-polarity-on-uart-open.patch cputime-cpuacct-include-guest-time-in-user-time-in-cpuacct.stat.patch iwlwifi-mvm-increase-the-scan-timeout-guard-to-30-seconds.patch -drm-etnaviv-limit-submit-sizes.patch ext4-make-sure-quota-gets-properly-shutdown-on-error.patch ext4-set-csum-seed-in-tmp-inode-while-migrating-to-extents.patch ext4-fix-bug_on-in-ext4_bread-when-write-quota-data.patch diff --git a/queue-4.9/drm-etnaviv-limit-submit-sizes.patch b/queue-4.9/drm-etnaviv-limit-submit-sizes.patch deleted file mode 100644 index 1ed52d1e957..00000000000 --- a/queue-4.9/drm-etnaviv-limit-submit-sizes.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 6dfa2fab8ddd46faa771a102672176bee7a065de Mon Sep 17 00:00:00 2001 -From: Lucas Stach -Date: Fri, 17 Dec 2021 11:59:28 +0100 -Subject: drm/etnaviv: limit submit sizes - -From: Lucas Stach - -commit 6dfa2fab8ddd46faa771a102672176bee7a065de upstream. - -Currently we allow rediculous amounts of kernel memory being allocated -via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put -some reasonable limits in to fix this. - -The commandstream size is limited to 64KB, which was already a soft limit -on older kernels after which the kernel only took submits on a best effort -base, so there is no userspace that tries to submit commandstreams larger -than this. Even if the whole commandstream is a single incrementing address -load, the size limit also limits the number of potential relocs and -referenced buffers to slightly under 64K, so use the same limit for those -arguments. The performance monitoring infrastructure currently supports -less than 50 performance counter signals, so limiting them to 128 on a -single submit seems like a reasonably future-proof number for now. This -number can be bumped if needed without breaking the interface. - -Cc: stable@vger.kernel.org -Reported-by: Dan Carpenter -Signed-off-by: Lucas Stach -Reviewed-by: Christian Gmeiner -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c -+++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c -@@ -325,6 +325,12 @@ int etnaviv_ioctl_gem_submit(struct drm_ - return -EINVAL; - } - -+ if (args->stream_size > SZ_64K || args->nr_relocs > SZ_64K || -+ args->nr_bos > SZ_64K || args->nr_pmrs > 128) { -+ DRM_ERROR("submit arguments out of size limits\n"); -+ return -EINVAL; -+ } -+ - /* - * Copy the command submission and bo array to kernel space in - * one go, and do this outside of any locks. diff --git a/queue-4.9/series b/queue-4.9/series index 2253ed3d69e..62039c96886 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -117,7 +117,6 @@ asoc-mediatek-mt8173-fix-device_node-leak.patch power-bq25890-enable-continuous-conversion-for-adc-a.patch ubifs-error-path-in-ubifs_remount_rw-seems-to-wrongly-free-write-buffers.patch iwlwifi-mvm-increase-the-scan-timeout-guard-to-30-seconds.patch -drm-etnaviv-limit-submit-sizes.patch ext4-set-csum-seed-in-tmp-inode-while-migrating-to-extents.patch ext4-fix-bug_on-in-ext4_bread-when-write-quota-data.patch ext4-don-t-use-the-orphan-list-when-migrating-an-inode.patch