4.19-stable patches

added patches:
	drm-compat-clear-bounce-structures.patch

diff --git a/queue-4.19/drm-compat-clear-bounce-structures.patch b/queue-4.19/drm-compat-clear-bounce-structures.patch
new file mode 100644 (file)
index 0000000..4c36d7f
--- /dev/null
+++ b/queue-4.19/drm-compat-clear-bounce-structures.patch
@@ -0,0 +1,79 @@
+From de066e116306baf3a6a62691ac63cfc0b1dabddb Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Mon, 22 Feb 2021 11:06:43 +0100
+Subject: drm/compat: Clear bounce structures
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit de066e116306baf3a6a62691ac63cfc0b1dabddb upstream.
+
+Some of them have gaps, or fields we don't clear. Native ioctl code
+does full copies plus zero-extends on size mismatch, so nothing can
+leak. But compat is more hand-rolled so need to be careful.
+
+None of these matter for performance, so just memset.
+
+Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those
+are security holes anyway.
+
+Acked-by: Maxime Ripard <mripard@kernel.org>
+Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl
+Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch
+(cherry picked from commit e926c474ebee404441c838d18224cd6f246a71b7)
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_ioc32.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/drm_ioc32.c
++++ b/drivers/gpu/drm/drm_ioc32.c
+@@ -96,6 +96,8 @@ static int compat_drm_version(struct fil
+       if (copy_from_user(&v32, (void __user *)arg, sizeof(v32)))
+               return -EFAULT;
+ 
++      memset(&v, 0, sizeof(v));
++
+       v = (struct drm_version) {
+               .name_len = v32.name_len,
+               .name = compat_ptr(v32.name),
+@@ -134,6 +136,9 @@ static int compat_drm_getunique(struct f
+ 
+       if (copy_from_user(&uq32, (void __user *)arg, sizeof(uq32)))
+               return -EFAULT;
++
++      memset(&uq, 0, sizeof(uq));
++
+       uq = (struct drm_unique){
+               .unique_len = uq32.unique_len,
+               .unique = compat_ptr(uq32.unique),
+@@ -260,6 +265,8 @@ static int compat_drm_getclient(struct f
+       if (copy_from_user(&c32, argp, sizeof(c32)))
+               return -EFAULT;
+ 
++      memset(&client, 0, sizeof(client));
++
+       client.idx = c32.idx;
+ 
+       err = drm_ioctl_kernel(file, drm_getclient, &client, DRM_UNLOCKED);
+@@ -842,6 +849,8 @@ static int compat_drm_wait_vblank(struct
+       if (copy_from_user(&req32, argp, sizeof(req32)))
+               return -EFAULT;
+ 
++      memset(&req, 0, sizeof(req));
++
+       req.request.type = req32.request.type;
+       req.request.sequence = req32.request.sequence;
+       req.request.signal = req32.request.signal;
+@@ -879,6 +888,8 @@ static int compat_drm_mode_addfb2(struct
+       struct drm_mode_fb_cmd2 req64;
+       int err;
+ 
++      memset(&req64, 0, sizeof(req64));
++
+       if (copy_from_user(&req64, argp,
+                          offsetof(drm_mode_fb_cmd232_t, modifier)))
+               return -EFAULT;

diff --git a/queue-4.19/series b/queue-4.19/series
index 592f955857aa3e833f666db1da3640847500012d..2aafb66448422f668b75bd89c2ecc940eba630fb 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -31,3 +31,4 @@ net-stmmac-fix-watchdog-timeout-during-suspend-resume-stress-test.patch
 selftests-forwarding-fix-race-condition-in-mirror-installation.patch
 perf-traceevent-ensure-read-cmdlines-are-null-terminated.patch
 s390-cio-return-efault-if-copy_to_user-fails.patch
+drm-compat-clear-bounce-structures.patch