From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Rob Clark, Thomas Hellstrom
Subject: [PATCH 4.14 69/89] drm/vmwgfx: fix memory corruption with legacy/sou connectors
Date: Mon, 22 Jan 2018 09:45:49 +0100
Message-Id: <20180122084001.321548502@linuxfoundation.org>
In-Reply-To: <20180122083954.683903493@linuxfoundation.org>
References: <20180122083954.683903493@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Rob Clark

commit 8a510a5c75261ba0ec39155326982aa786541e29 upstream.

It looks like in all cases 'struct vmw_connector_state' is used. But
only in stdu connectors, was atomic_{duplicate,destroy}_state() properly
subclassed. Leading to writes beyond the end of the allocated connector
state block and all sorts of fun memory corruption related crashes.

Fixes: d7721ca71126 "drm/vmwgfx: Connector atomic state"
Signed-off-by: Rob Clark
Reviewed-by: Thomas Hellstrom
Signed-off-by: Greg Kroah-Hartman

---
 drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 4 ++--
 drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c 
@@ -266,8 +266,8 @@ static const struct drm_connector_funcs .set_property = vmw_du_connector_set_property, .destroy = vmw_ldu_connector_destroy, .reset = vmw_du_connector_reset, - .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state, - .atomic_destroy_state = drm_atomic_helper_connector_destroy_state, + .atomic_duplicate_state = vmw_du_connector_duplicate_state, + .atomic_destroy_state = vmw_du_connector_destroy_state, .atomic_set_property = vmw_du_connector_atomic_set_property, .atomic_get_property = vmw_du_connector_atomic_get_property, }; --- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c @@ -420,8 +420,8 @@ static const struct drm_connector_funcs .set_property = vmw_du_connector_set_property, .destroy = vmw_sou_connector_destroy, .reset = vmw_du_connector_reset, - .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state, - .atomic_destroy_state = drm_atomic_helper_connector_destroy_state, + .atomic_duplicate_state = vmw_du_connector_duplicate_state, + .atomic_destroy_state = vmw_du_connector_destroy_state, .atomic_set_property = vmw_du_connector_atomic_set_property, .atomic_get_property = vmw_du_connector_atomic_get_property, };
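
Review bot: The changelog's "It looks like in all cases" leaves open whether every callback in the vmwgfx_ldu.c table agrees on the state type after this change. In that hunk .reset, .atomic_set_property and .atomic_get_property were already the vmw_du_ variants while .atomic_duplicate_state and .atomic_destroy_state were the drm_atomic_helper_ ones. Suggest the message state definitively that all of these operate on struct vmw_connector_state, so a stable reviewer can see the table is consistent without reading the helpers.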
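
Review bot: The vmwgfx_scrn.c hunk repeats the exact two-line substitution made in vmwgfx_ldu.c, which shows that nothing ties the state callbacks together: each connector funcs table lists .reset, .atomic_duplicate_state and .atomic_destroy_state independently, so a later table can again pair vmw_du_connector_reset with the generic drm_atomic_helper_ duplicate/destroy. Suggest a short comment above these entries in each table, or a shared initializer for the state callbacks, noting that they must all be the vmw_du_ versions because the state is struct vmw_connector_state.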
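
The bug class the commit message describes, as an added example that is not part of the patch or the vmwgfx driver: a constructed user-space model in which a driver state embeds a base state and the function table's duplicate callback decides how many bytes get allocated. All names (base_state, sub_state, generic_duplicate, sub_duplicate, funcs, overrun_bytes) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for a base state and a driver state that embeds it. */
struct base_state { int link_status; };
struct sub_state {
    struct base_state base;   /* first member, so &sub->base == (void *)sub */
    int gui_x, gui_y;         /* driver-private fields */
};

static size_t last_alloc;     /* bytes allocated by the most recent duplicate */
/* Generic helper: only knows the base type, so it allocates sizeof(base). */
static struct base_state *generic_duplicate(const struct base_state *old)
{
    struct base_state *s = malloc(sizeof(*s));
    last_alloc = sizeof(*s);
    if (s) *s = *old;
    return s;
}

/* Subclassed helper: recovers the containing struct and copies all of it. */
static struct base_state *sub_duplicate(const struct base_state *old)
{
    const struct sub_state *o = (const void *)((const char *)old - offsetof(struct sub_state, base));
    struct sub_state *s = malloc(sizeof(*s));
    last_alloc = sizeof(*s);
    if (!s) return NULL;
    *s = *o;
    return &s->base;
}

struct funcs { struct base_state *(*duplicate)(const struct base_state *); };
static const struct funcs mismatched = { generic_duplicate };  /* "before" table */
static const struct funcs subclassed = { sub_duplicate };      /* "after" table */

/* Bytes past the allocation that code treating the copy as sub_state would reach (sizes only, no OOB access). */
static size_t overrun_bytes(const struct funcs *f)
{
    struct sub_state cur = { { 1 }, 10, 20 };
    struct base_state *dup = f->duplicate(&cur.base);
    free(dup);                /* valid for both tables: base is at offset 0 */
    return sizeof(cur) > last_alloc ? sizeof(cur) - last_alloc : 0;
}

int main(void)
{
    printf("mismatched: %zu, subclassed: %zu bytes short\n", overrun_bytes(&mismatched), overrun_bytes(&subclassed));
    return 0;
}
```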