leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5279fc7724
linux/drivers
History
Maarten Lankhorst 5279fc7724 drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut 
bdw_load_gamma_lut is writing beyond the array to the maximum value.
The intend of the function is to clamp values > 1 to 1, so write
the intended color to the max register.

This fixes the following KASAN warning:

[  197.020857] [IGT] kms_pipe_color: executing
[  197.063434] [IGT] kms_pipe_color: starting subtest ctm-0-25-pipe0
[  197.078989] ==================================================================
[  197.079127] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
[  197.079188] Read of size 2 at addr ffff8800d38db150 by task kms_pipe_color/1839
[  197.079208] CPU: 2 PID: 1839 Comm: kms_pipe_color Tainted: G     U 4.13.0-rc1-patser+ #5211
[  197.079215] Hardware name: NUC5i7RYB, BIOS RYBDWi35.86A.0246.2015.0309.1355 03/09/2015
[  197.079220] Call Trace:
[  197.079230]  dump_stack+0x68/0x9e
[  197.079239]  print_address_description+0x6f/0x250
[  197.079251]  kasan_report+0x216/0x370
[  197.079374]  ? bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
[  197.079451]  ? gen8_write16+0x4e0/0x4e0 [i915]
[  197.079460]  __asan_report_load2_noabort+0x14/0x20
[  197.079535]  bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
[  197.079612]  broadwell_load_luts+0x1df/0x550 [i915]
[  197.079690]  intel_color_load_luts+0x7b/0x80 [i915]
[  197.079764]  intel_begin_crtc_commit+0x138/0x760 [i915]
[  197.079783]  drm_atomic_helper_commit_planes_on_crtc+0x1a3/0x820 [drm_kms_helper]
[  197.079859]  ? intel_pre_plane_update+0x571/0x580 [i915]
[  197.079937]  intel_update_crtc+0x238/0x330 [i915]
[  197.080016]  intel_update_crtcs+0x10f/0x210 [i915]
[  197.080092]  intel_atomic_commit_tail+0x1552/0x3340 [i915]
[  197.080101]  ? _raw_spin_unlock+0x3c/0x40
[  197.080110]  ? __queue_work+0xb40/0xbf0
[  197.080188]  ? skl_update_crtcs+0xc00/0xc00 [i915]
[  197.080195]  ? trace_hardirqs_on+0xd/0x10
[  197.080269]  ? intel_atomic_commit_ready+0x128/0x13c [i915]
[  197.080329]  ? __i915_sw_fence_complete+0x5b8/0x6d0 [i915]
[  197.080336]  ? debug_object_activate+0x39e/0x580
[  197.080397]  ? i915_sw_fence_await+0x30/0x30 [i915]
[  197.080409]  ? __might_sleep+0x15b/0x180
[  197.080483]  intel_atomic_commit+0x944/0xa70 [i915]
[  197.080490]  ? refcount_dec_and_test+0x11/0x20
[  197.080567]  ? intel_atomic_commit_tail+0x3340/0x3340 [i915]
[  197.080597]  ? drm_atomic_crtc_set_property+0x303/0x580 [drm]
[  197.080674]  ? intel_atomic_commit_tail+0x3340/0x3340 [i915]
[  197.080704]  drm_atomic_commit+0xd7/0xe0 [drm]
[  197.080722]  drm_atomic_helper_crtc_set_property+0xec/0x130 [drm_kms_helper]
[  197.080749]  drm_mode_crtc_set_obj_prop+0x7d/0xb0 [drm]
[  197.080775]  drm_mode_obj_set_property_ioctl+0x50b/0x5d0 [drm]
[  197.080783]  ? __might_fault+0x104/0x180
[  197.080809]  ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
[  197.080838]  ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
[  197.080861]  drm_ioctl_kernel+0x154/0x1a0 [drm]
[  197.080885]  drm_ioctl+0x624/0x8f0 [drm]
[  197.080910]  ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
[  197.080934]  ? drm_getunique+0x210/0x210 [drm]
[  197.080943]  ? __handle_mm_fault+0x1bd0/0x1ce0
[  197.080949]  ? lock_downgrade+0x610/0x610
[  197.080957]  ? __lru_cache_add+0x15a/0x180
[  197.080967]  do_vfs_ioctl+0xd92/0xe40
[  197.080975]  ? ioctl_preallocate+0x1b0/0x1b0
[  197.080982]  ? selinux_capable+0x20/0x20
[  197.080991]  ? __do_page_fault+0x7b7/0x9a0
[  197.080997]  ? lock_downgrade+0x5bb/0x610
[  197.081007]  ? security_file_ioctl+0x57/0x90
[  197.081016]  SyS_ioctl+0x4e/0x80
[  197.081024]  entry_SYSCALL_64_fastpath+0x18/0xad
[  197.081030] RIP: 0033:0x7f61f287a987
[  197.081035] RSP: 002b:00007fff7d44d188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  197.081043] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f61f287a987
[  197.081048] RDX: 00007fff7d44d1c0 RSI: 00000000c01864ba RDI: 0000000000000003
[  197.081053] RBP: 00007f61f2b3eb00 R08: 0000000000000059 R09: 0000000000000000
[  197.081058] R10: 0000002ea5c4a290 R11: 0000000000000246 R12: 00007f61f2b3eb58
[  197.081063] R13: 0000000000001010 R14: 00007f61f2b3eb58 R15: 0000000000002702

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101659
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reported-by: Martin Peres <martin.peres@linux.intel.com>
Cc: Martin Peres <martin.peres@linux.intel.com>
Fixes: 82cf435b31 ("drm/i915: Implement color management on bdw/skl/bxt/kbl")
Cc: Shashank Sharma <shashank.sharma@intel.com>
Cc: Kiran S Kumar <kiran.s.kumar@intel.com>
Cc: Kausal Malladi <kausalmalladi@gmail.com>
Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: intel-gfx@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v4.7+
Link: https://patchwork.freedesktop.org/patch/msgid/20170724091431.24251-1-maarten.lankhorst@linux.intel.com
Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
(cherry picked from commit 09a92bc877)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
2017-08-07 11:28:23 +03:00
..
accessibility
acpi Merge branches 'acpi-soc', 'acpi-wdat' and 'acpi-cppc' 2017-08-03 20:30:18 +02:00
amba
android binder: Use wake up hint for synchronous transactions. 2017-07-17 14:44:19 +02:00
ata libata: fix a couple of doc build warnings 2017-07-31 08:03:06 -07:00
atm atm: zatm: Fix an error handling path in 'zatm_init_one()' 2017-07-18 11:37:46 -07:00
auxdisplay
base dma mapping fixes for 4.13-rc2: 2017-07-25 17:17:18 -07:00
bcma
block Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2017-07-28 12:13:34 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
bus bus: uniphier-system-bus: set up registers when resuming 2017-08-04 12:57:18 +02:00
cdrom block: don't set bounce limit in blk_init_queue 2017-06-27 12:13:45 -06:00
char Add wait_for_random_bytes() and get_random_*_wait() functions so that 2017-07-15 12:44:02 -07:00
clk clk: keystone: sci-clk: Fix sci_clk_get 2017-08-02 18:37:26 -07:00
clocksource clocksource/drivers/timer-of: Handle of_irq_get_byname() result correctly 2017-07-17 22:43:00 +02:00
connector
cpufreq Merge branches 'pm-cpufreq-x86', 'pm-cpufreq-docs' and 'intel_pstate' 2017-08-03 20:29:24 +02:00
cpuidle powerpc updates for 4.13 2017-07-07 13:55:45 -07:00
crypto crypto: brcm - remove BCM_PDC_MBOX dependency in Kconfig 2017-07-18 17:01:08 +08:00
dax - A few DM integrity fixes that improve performance. One that address 2017-07-28 12:17:17 -07:00
dca
devfreq PM / devfreq: constify attribute_group structures. 2017-07-06 10:17:24 +09:00
dio
dma dmaengine updates for 4.13-rc1 2017-07-08 12:36:50 -07:00
dma-buf Merge branch 'drm-misc-next-fixes' into drm-misc-fixes 2017-07-17 11:56:07 -04:00
edac EDAC, pnd2: Fix Apollo Lake DIMM detection 2017-06-29 10:37:50 +02:00
eisa
extcon
firewire
firmware efi: avoid fortify checks in EFI stub 2017-07-12 16:26:02 -07:00
fmc
fpga
fsi drivers/fsi: fix fsi_slave_mode prototype 2017-07-17 16:13:54 +02:00
gpio gpio: tegra: fix unbalanced chained_irq_enter/exit 2017-08-02 10:42:38 +02:00
gpu drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut 2017-08-07 11:28:23 +03:00
hid HID: ortek: add one more buggy device 2017-07-24 17:38:21 +02:00
hsi HSI changes for the v4.13 series 2017-07-04 14:28:22 -07:00
hv vmbus: re-enable channel tasklet 2017-07-17 15:00:47 +02:00
hwmon hwmon: (applesmc) Avoid buffer overruns 2017-07-15 16:38:56 -07:00
hwspinlock
hwtracing Char/Misc patches for 4.13-rc1 2017-07-03 20:55:59 -07:00
i2c Merge branch 'i2c/for-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2017-07-12 10:04:56 -07:00
ide ide: avoid warning for timings calculation 2017-07-21 04:37:22 +01:00
idle intel_idle: Use more common logging style 2017-06-29 22:58:35 +02:00
iio hwmon updates for v4.13: 2017-07-04 11:48:27 -07:00
infiniband RDMA/core: Initialize port_num in qp_attr 2017-07-20 11:24:13 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2017-07-14 22:53:37 -07:00
iommu iommu/amd: Fix schedule-while-atomic BUG in initialization code 2017-07-26 15:39:14 +02:00
ipack
irqchip irqchip/digicolor: Drop unnecessary static 2017-07-18 21:59:23 +02:00
isdn isdn/i4l: fix buffer overflow 2017-08-02 20:43:36 -07:00
leds LED updates for 4.13 2017-07-06 11:32:40 -07:00
lguest
lightnvm lightnvm: pblk: advance bio according to lba index 2017-07-28 08:06:00 -06:00
macintosh Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 13:13:32 -07:00
mailbox mailbox: pcc: Fix crash when request PCC channel 0 2017-07-26 02:11:47 +02:00
mcb
md Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2017-07-28 12:24:21 -07:00
media media: platform: davinci: drop VPFE_CMD_S_CCDC_RAW_PARAMS 2017-07-26 06:14:33 -04:00
memory ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
memstick
message
mfd chrome-platform-for-linus-4.13 2017-07-11 09:55:47 -07:00
misc powerpc updates for 4.13 2017-07-07 13:55:45 -07:00
mmc mmc: block: bypass the queue even if usage is present for hotplug 2017-08-03 11:00:39 +02:00
mtd MTD updates for v4.13-rc1: 2017-07-13 12:07:44 -07:00
mux mux: mux-core: unregister mux_class in mux_exit() 2017-07-17 16:38:35 +02:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-07-31 22:36:42 -07:00
nfc NFC 4.13 pull request 2017-07-01 14:30:39 -07:00
ntb ntb: Add error path/handling to Debug FS entry creation 2017-07-06 11:30:08 -04:00
nubus
nvdimm libnvdimm: fix badblock range handling of ARS range 2017-07-17 11:43:58 -07:00
nvme nvme: validate admin queue before unquiesce 2017-07-26 17:41:41 +02:00
nvmem nvmem: rockchip-efuse: amend compatible rk322x-efuse to rk3228-efuse 2017-07-17 16:15:57 +02:00
of Merge remote-tracking branches 'asoc/fix/dpcm', 'asoc/fix/imx', 'asoc/fix/msm8916', 'asoc/fix/multi-pcm', 'asoc/fix/of-graph' and 'asoc/fix/pxa' into asoc-linus 2017-08-01 15:17:06 +01:00
oprofile
parisc parisc: pdc_stable: Fix locking when creating sysfs links 2017-07-31 16:43:13 +02:00
parport
pci Power management fixes for v4.13-rc1 2017-07-14 22:24:25 -07:00
pcmcia
perf drivers/perf: arm_pmu: Request PMU SPIs with IRQF_PER_CPU 2017-07-27 13:43:22 +01:00
phy phy: bcm-ns-usb3: fix MDIO_BUS dependency 2017-07-27 17:20:19 -07:00
pinctrl pinctrl: stm32: select IRQ_DOMAIN_HIERARCHY instead of depends on 2017-08-01 10:04:41 +02:00
platform platform/x86: intel-vbtn: match power button on press rather than release 2017-08-05 14:37:19 -07:00
pnp This is the bulk of GPIO changes for the v4.13 series: 2017-07-07 12:40:27 -07:00
power power supply and reset changes for the v4.13 series (part 2) 2017-07-13 11:47:59 -07:00
powercap powercap/RAPL: prevent overridding bits outside of the mask 2017-06-28 00:38:34 +02:00
pps
ps3
ptp ptp: dte: Use LL suffix for 64-bit constants 2017-07-06 11:40:58 +01:00
pwm pwm: Changes for v4.13-rc1 2017-07-13 11:49:52 -07:00
rapidio
ras arm64 updates for 4.13: 2017-07-05 17:09:27 -07:00
regulator Merge remote-tracking branches 'regulator/topic/settle', 'regulator/topic/tps65910' and 'regulator/topic/tps65917' into regulator-next 2017-07-03 16:52:21 +01:00
remoteproc remoteproc/keystone: Fix circular dependencies for ARM configs 2017-06-27 16:21:34 -07:00
reset ARM: SoC driver updates 2017-07-04 14:47:47 -07:00
rpmsg rpmsg updates for v4.13 2017-07-06 15:38:31 -07:00
rtc RTC for 4.13 2017-07-13 12:15:06 -07:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2017-07-25 08:44:27 -07:00
sbus sbus: Convert to using %pOF instead of full_name 2017-07-20 12:37:10 -07:00
scsi SCSI fixes on 20170802 2017-08-02 08:43:19 -07:00
sfi
sh drivers/sh/intc/virq.c: delete an error message for a failed memory allocation in add_virq_to_pirq() 2017-07-06 16:24:30 -07:00
sn
soc soc: zte: Restrict SOC_ZTE to ARCH_ZX or COMPILE_TEST 2017-07-27 13:12:34 +02:00
spi Merge branch 'for-spi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-08 10:41:53 -07:00
spmi spmi: pmic-arb: Always allocate ppid_to_apid table 2017-07-17 15:00:47 +02:00
ssb
staging media fixes for v4.13-rc2 2017-08-05 14:09:26 -07:00
target Add wait_for_random_bytes() and get_random_*_wait() functions so that 2017-07-15 12:44:02 -07:00
tc
tee
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2017-07-14 13:12:32 -07:00
thunderbolt Merge branches 'pm-core' and 'pm-misc' 2017-08-03 20:29:45 +02:00
tty gpio: exar: Use correct property prefix and document bindings 2017-08-01 13:43:55 +02:00
uio
usb xhci: fix memleak in xhci_run() 2017-07-20 14:40:36 +02:00
uwb driver core patches for 4.13-rc1 2017-07-03 20:27:48 -07:00
vfio vfio/pci: Fix handling of RC integrated endpoint PCIe capability size 2017-07-27 10:39:33 -06:00
vhost Revert "vhost: cache used event for better performance" 2017-07-29 14:15:56 -07:00
video Merge branch 'akpm' (patches from Andrew) 2017-07-13 12:38:49 -07:00
virt
virtio virtio-balloon: coding format cleanup 2017-07-25 16:37:35 +03:00
vlynq
vme
w1 w1: omap-hdq: fix error return code in omap_hdq_probe() 2017-07-17 16:48:15 +02:00
watchdog Merge git://www.linux-watchdog.org/linux-watchdog 2017-07-11 09:59:37 -07:00
xen xen: dont fiddle with event channel masking in suspend/resume 2017-07-27 19:55:46 +02:00
zorro
Kconfig
Makefile