From ba744e932003830292d37f655b19431b3c8af8f6 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 4 May 2020 18:51:13 +0200 Subject: [PATCH] update queue-4.14/drm-qxl-qxl_release-use-after-free.patch queue-4.19/drm-qxl-qxl_release-use-after-free.patch --- .../drm-qxl-qxl_release-use-after-free.patch | 36 +++++++++++++++++-- .../drm-qxl-qxl_release-use-after-free.patch | 36 +++++++++++++++++-- 2 files changed, 68 insertions(+), 4 deletions(-) diff --git a/queue-4.14/drm-qxl-qxl_release-use-after-free.patch b/queue-4.14/drm-qxl-qxl_release-use-after-free.patch index b0e1e629e33..4a245cd4fc1 100644 --- a/queue-4.14/drm-qxl-qxl_release-use-after-free.patch +++ b/queue-4.14/drm-qxl-qxl_release-use-after-free.patch @@ -22,14 +22,16 @@ Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") Signed-off-by: Vasily Averin Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com Signed-off-by: Gerd Hoffmann +[backported to v4.14-stable] +Signed-off-by: Vasily Averin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/qxl/qxl_cmd.c | 5 ++--- drivers/gpu/drm/qxl/qxl_display.c | 6 +++--- - drivers/gpu/drm/qxl/qxl_draw.c | 2 +- + drivers/gpu/drm/qxl/qxl_draw.c | 8 ++++---- drivers/gpu/drm/qxl/qxl_ioctl.c | 5 +---- - 4 files changed, 7 insertions(+), 11 deletions(-) + 4 files changed, 10 insertions(+), 14 deletions(-) --- a/drivers/gpu/drm/qxl/qxl_cmd.c +++ b/drivers/gpu/drm/qxl/qxl_cmd.c @@ -88,6 +90,16 @@ Signed-off-by: Greg Kroah-Hartman static int qxl_plane_prepare_fb(struct drm_plane *plane, --- a/drivers/gpu/drm/qxl/qxl_draw.c +++ b/drivers/gpu/drm/qxl/qxl_draw.c +@@ -241,8 +241,8 @@ void qxl_draw_opaque_fb(const struct qxl + qxl_bo_physical_address(qdev, dimage->bo, 0); + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_palette: + if (palette_bo) @@ -382,8 +382,8 @@ void qxl_draw_dirty_fb(struct qxl_device } qxl_bo_kunmap(clips_bo); @@ -98,6 +110,26 @@ Signed-off-by: Greg Kroah-Hartman out_release_backoff: if (ret) +@@ -433,8 +433,8 @@ void qxl_draw_copyarea(struct qxl_device + drawable->u.copy_bits.src_pos.y = sy; + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_release: + if (ret) +@@ -477,8 +477,8 @@ void qxl_draw_fill(struct qxl_draw_fill + + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_release: + if (ret) --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -257,11 +257,8 @@ static int qxl_process_single_command(st diff --git a/queue-4.19/drm-qxl-qxl_release-use-after-free.patch b/queue-4.19/drm-qxl-qxl_release-use-after-free.patch index 629d2b1351e..b9337923f12 100644 --- a/queue-4.19/drm-qxl-qxl_release-use-after-free.patch +++ b/queue-4.19/drm-qxl-qxl_release-use-after-free.patch @@ -22,14 +22,16 @@ Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") Signed-off-by: Vasily Averin Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com Signed-off-by: Gerd Hoffmann +[backported to v.4.19 stable] +Signed-off-by: Vasily Averin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/qxl/qxl_cmd.c | 5 ++--- drivers/gpu/drm/qxl/qxl_display.c | 6 +++--- - drivers/gpu/drm/qxl/qxl_draw.c | 2 +- + drivers/gpu/drm/qxl/qxl_draw.c | 8 ++++---- drivers/gpu/drm/qxl/qxl_ioctl.c | 5 +---- - 4 files changed, 7 insertions(+), 11 deletions(-) + 4 files changed, 10 insertions(+), 14 deletions(-) --- a/drivers/gpu/drm/qxl/qxl_cmd.c +++ b/drivers/gpu/drm/qxl/qxl_cmd.c @@ -88,6 +90,16 @@ Signed-off-by: Greg Kroah-Hartman static int qxl_plane_prepare_fb(struct drm_plane *plane, --- a/drivers/gpu/drm/qxl/qxl_draw.c +++ b/drivers/gpu/drm/qxl/qxl_draw.c +@@ -241,8 +241,8 @@ void qxl_draw_opaque_fb(const struct qxl + qxl_bo_physical_address(qdev, dimage->bo, 0); + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_palette: + if (palette_bo) @@ -382,8 +382,8 @@ void qxl_draw_dirty_fb(struct qxl_device } qxl_bo_kunmap(clips_bo); @@ -98,6 +110,26 @@ Signed-off-by: Greg Kroah-Hartman out_release_backoff: if (ret) +@@ -433,8 +433,8 @@ void qxl_draw_copyarea(struct qxl_device + drawable->u.copy_bits.src_pos.y = sy; + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_release: + if (ret) +@@ -477,8 +477,8 @@ void qxl_draw_fill(struct qxl_draw_fill + + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_release: + if (ret) --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -257,11 +257,8 @@ static int qxl_process_single_command(st -- 2.47.3