UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenCloudOS-Kernel/drivers/gpu/drm
History
Maarten Lankhorst 09a92bc877 drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut 
bdw_load_gamma_lut is writing beyond the array to the maximum value.
The intend of the function is to clamp values > 1 to 1, so write
the intended color to the max register.

This fixes the following KASAN warning:

[  197.020857] [IGT] kms_pipe_color: executing
[  197.063434] [IGT] kms_pipe_color: starting subtest ctm-0-25-pipe0
[  197.078989] ==================================================================
[  197.079127] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
[  197.079188] Read of size 2 at addr ffff8800d38db150 by task kms_pipe_color/1839
[  197.079208] CPU: 2 PID: 1839 Comm: kms_pipe_color Tainted: G     U 4.13.0-rc1-patser+ #5211
[  197.079215] Hardware name: NUC5i7RYB, BIOS RYBDWi35.86A.0246.2015.0309.1355 03/09/2015
[  197.079220] Call Trace:
[  197.079230]  dump_stack+0x68/0x9e
[  197.079239]  print_address_description+0x6f/0x250
[  197.079251]  kasan_report+0x216/0x370
[  197.079374]  ? bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
[  197.079451]  ? gen8_write16+0x4e0/0x4e0 [i915]
[  197.079460]  __asan_report_load2_noabort+0x14/0x20
[  197.079535]  bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
[  197.079612]  broadwell_load_luts+0x1df/0x550 [i915]
[  197.079690]  intel_color_load_luts+0x7b/0x80 [i915]
[  197.079764]  intel_begin_crtc_commit+0x138/0x760 [i915]
[  197.079783]  drm_atomic_helper_commit_planes_on_crtc+0x1a3/0x820 [drm_kms_helper]
[  197.079859]  ? intel_pre_plane_update+0x571/0x580 [i915]
[  197.079937]  intel_update_crtc+0x238/0x330 [i915]
[  197.080016]  intel_update_crtcs+0x10f/0x210 [i915]
[  197.080092]  intel_atomic_commit_tail+0x1552/0x3340 [i915]
[  197.080101]  ? _raw_spin_unlock+0x3c/0x40
[  197.080110]  ? __queue_work+0xb40/0xbf0
[  197.080188]  ? skl_update_crtcs+0xc00/0xc00 [i915]
[  197.080195]  ? trace_hardirqs_on+0xd/0x10
[  197.080269]  ? intel_atomic_commit_ready+0x128/0x13c [i915]
[  197.080329]  ? __i915_sw_fence_complete+0x5b8/0x6d0 [i915]
[  197.080336]  ? debug_object_activate+0x39e/0x580
[  197.080397]  ? i915_sw_fence_await+0x30/0x30 [i915]
[  197.080409]  ? __might_sleep+0x15b/0x180
[  197.080483]  intel_atomic_commit+0x944/0xa70 [i915]
[  197.080490]  ? refcount_dec_and_test+0x11/0x20
[  197.080567]  ? intel_atomic_commit_tail+0x3340/0x3340 [i915]
[  197.080597]  ? drm_atomic_crtc_set_property+0x303/0x580 [drm]
[  197.080674]  ? intel_atomic_commit_tail+0x3340/0x3340 [i915]
[  197.080704]  drm_atomic_commit+0xd7/0xe0 [drm]
[  197.080722]  drm_atomic_helper_crtc_set_property+0xec/0x130 [drm_kms_helper]
[  197.080749]  drm_mode_crtc_set_obj_prop+0x7d/0xb0 [drm]
[  197.080775]  drm_mode_obj_set_property_ioctl+0x50b/0x5d0 [drm]
[  197.080783]  ? __might_fault+0x104/0x180
[  197.080809]  ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
[  197.080838]  ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
[  197.080861]  drm_ioctl_kernel+0x154/0x1a0 [drm]
[  197.080885]  drm_ioctl+0x624/0x8f0 [drm]
[  197.080910]  ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
[  197.080934]  ? drm_getunique+0x210/0x210 [drm]
[  197.080943]  ? __handle_mm_fault+0x1bd0/0x1ce0
[  197.080949]  ? lock_downgrade+0x610/0x610
[  197.080957]  ? __lru_cache_add+0x15a/0x180
[  197.080967]  do_vfs_ioctl+0xd92/0xe40
[  197.080975]  ? ioctl_preallocate+0x1b0/0x1b0
[  197.080982]  ? selinux_capable+0x20/0x20
[  197.080991]  ? __do_page_fault+0x7b7/0x9a0
[  197.080997]  ? lock_downgrade+0x5bb/0x610
[  197.081007]  ? security_file_ioctl+0x57/0x90
[  197.081016]  SyS_ioctl+0x4e/0x80
[  197.081024]  entry_SYSCALL_64_fastpath+0x18/0xad
[  197.081030] RIP: 0033:0x7f61f287a987
[  197.081035] RSP: 002b:00007fff7d44d188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  197.081043] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f61f287a987
[  197.081048] RDX: 00007fff7d44d1c0 RSI: 00000000c01864ba RDI: 0000000000000003
[  197.081053] RBP: 00007f61f2b3eb00 R08: 0000000000000059 R09: 0000000000000000
[  197.081058] R10: 0000002ea5c4a290 R11: 0000000000000246 R12: 00007f61f2b3eb58
[  197.081063] R13: 0000000000001010 R14: 00007f61f2b3eb58 R15: 0000000000002702

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101659
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reported-by: Martin Peres <martin.peres@linux.intel.com>
Cc: Martin Peres <martin.peres@linux.intel.com>
Fixes: 82cf435b31 ("drm/i915: Implement color management on bdw/skl/bxt/kbl")
Cc: Shashank Sharma <shashank.sharma@intel.com>
Cc: Kiran S Kumar <kiran.s.kumar@intel.com>
Cc: Kausal Malladi <kausalmalladi@gmail.com>
Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: intel-gfx@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v4.7+
Link: https://patchwork.freedesktop.org/patch/msgid/20170724091431.24251-1-maarten.lankhorst@linux.intel.com
Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
 		2017-08-02 15:06:13 +02:00
..
amd Linux 4.13-rc2 2017-07-27 08:15:43 +10:00
arc drm: Convert atomic drivers from CRTC .disable() to .atomic_disable() 2017-06-30 14:53:15 +02:00
arm drm/mali: Use new atomic iterator macros 2017-07-13 09:54:12 +02:00
armada drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
ast drm/<drivers>: Drop fbdev info flags 2017-07-26 13:22:40 +02:00
atmel-hlcdc drm/atmel-hlcdc: Handle drm_atomic_helper_swap_state failure 2017-07-26 13:22:41 +02:00
bochs drm/<drivers>: Drop fbdev info flags 2017-07-26 13:22:40 +02:00
bridge Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
cirrus drm/<drivers>: Drop fbdev info flags 2017-07-26 13:22:40 +02:00
etnaviv main drm pull for v4.13 2017-07-09 18:48:37 -07:00
exynos drm/atomic: implement drm_atomic_helper_commit_tail for runtime_pm users 2017-07-26 13:45:08 +02:00
fsl-dcu drm: Add old state pointer to CRTC .enable() helper function 2017-06-30 14:53:14 +02:00
gma500 drm/gma500: remove an unneeded NULL check 2017-06-28 19:17:38 +02:00
hisilicon drm/hisilicon: fix build error without fbdev emulation 2017-07-26 13:45:09 +02:00
i2c drm: handle HDMI 2.0 VICs in AVI info-frames 2017-07-14 21:23:54 +03:00
i810 drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
i915 drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut 2017-08-02 15:06:13 +02:00
imx Linux 4.13-rc2 2017-07-27 08:15:43 +10:00
lib
mediatek drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
meson drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
mga Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
mgag200 drm/<drivers>: Drop fbdev info flags 2017-07-26 13:22:40 +02:00
msm drm/msm: Handle drm_atomic_helper_swap_state failure 2017-07-26 13:22:42 +02:00
mxsfb drm/mxsfb: Use gem_free_object_unlocked 2017-07-18 08:40:54 +02:00
nouveau Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
omapdrm drm/<drivers>: Drop fbdev info flags 2017-07-26 13:22:40 +02:00
panel drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
pl111 drm/pl111: Use gem_free_object_unlocked 2017-07-18 08:40:54 +02:00
qxl drm/<drivers>: Drop fbdev info flags 2017-07-26 13:22:40 +02:00
r128 drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
radeon Linux 4.13-rc2 2017-07-27 08:15:43 +10:00
rcar-du drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
rockchip drm/atomic: implement drm_atomic_helper_commit_tail for runtime_pm users 2017-07-26 13:45:08 +02:00
savage drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
selftests
shmobile drm/shmob: Drop drm_vblank_cleanup 2017-06-22 08:41:15 +02:00
sis drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
sti drm: handle HDMI 2.0 VICs in AVI info-frames 2017-07-14 21:23:54 +03:00
stm drm/stm: ltdc: Add panel-bridge support 2017-07-18 12:06:42 +05:30
sun4i drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
tdfx drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
tegra drm/tegra: Handle drm_atomic_helper_swap_state failure 2017-07-26 13:22:42 +02:00
tilcdc drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
tinydrm drm/tinydrm: Add RePaper e-ink driver 2017-07-14 19:30:08 +02:00
ttm drm/ttm: Fix use-after-free in ttm_bo_clean_mm 2017-07-03 16:25:43 -04:00
udl drm/<drivers>: Drop fbdev info flags 2017-07-26 13:22:40 +02:00
vc4 Linux 4.13-rc2 2017-07-27 08:15:43 +10:00
vgem drm/vgem: add compat_ioctl support 2017-07-17 21:08:31 +02:00
via drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
virtio drm/<drivers>: Drop fbdev info flags 2017-07-26 13:22:40 +02:00
vmwgfx Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
zte drm/zte: Use gem_free_object_unlocked 2017-07-18 08:40:54 +02:00
Kconfig
Makefile Merge tag 'drm-misc-next-2017-06-15' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-06-16 09:33:43 +10:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic.c drm: rename, adjust and export drm_atomic_replace_property_blob 2017-07-14 15:53:06 +02:00
drm_atomic_helper.c Merge airlied/drm-next into drm-intel-next-queued 2017-07-27 09:33:49 +02:00
drm_auth.c
drm_blend.c drm: Add DRM_MODE_ROTATE_ and DRM_MODE_REFLECT_ to UAPI 2017-05-22 09:49:48 +02:00
drm_bridge.c drm: Introduce drm_bridge_mode_valid() 2017-05-30 08:37:50 +02:00
drm_bufs.c switch compat_drm_mapbufs() to drm_ioctl_kernel() 2017-07-04 13:16:26 -04:00
drm_cache.c
drm_color_mgmt.c drm: More links for gamma support helpers 2017-06-20 12:13:11 +02:00
drm_connector.c Linux 4.12-rc7 2017-06-27 08:28:30 +10:00
drm_context.c
drm_crtc.c
drm_crtc_helper.c
drm_crtc_helper_internal.h drm: Add drm_{crtc/encoder/connector}_mode_valid() 2017-05-30 08:37:24 +02:00
drm_crtc_internal.h
drm_debugfs.c
drm_debugfs_crc.c drm/crc: Only open CRC on atomic drivers when the CRTC is active. 2017-07-17 16:34:51 +02:00
drm_dma.c
drm_dp_aux_dev.c drm_dp_aux_dev: switch to read_iter/write_iter 2017-07-08 20:51:46 -04:00
drm_dp_dual_mode_helper.c
drm_dp_helper.c drm/dp: start a DPCD based DP sink/branch device quirk database 2017-05-29 13:43:26 +03:00
drm_dp_mst_topology.c Linux 4.13-rc2 2017-07-27 08:15:43 +10:00
drm_drv.c drm: inhibit drm drivers register to uninitialized drm core 2017-07-11 12:03:11 +02:00
drm_dumb_buffers.c
drm_edid.c drm/edid: parse ycbcr 420 deep color information 2017-07-14 21:23:54 +03:00
drm_edid_load.c
drm_encoder.c
drm_encoder_slave.c
drm_fb_cma_helper.c drm: Convert CMA fbdev console suspend helpers to use bool 2017-06-20 16:23:40 +02:00
drm_fb_helper.c drm/fb-helper: Support deferred setup 2017-07-26 13:45:07 +02:00
drm_file.c Merge remote-tracking branch 'airlied/drm-next' into drm-misc-next 2017-06-27 09:18:17 -04:00
drm_flip_work.c
drm_fourcc.c
drm_framebuffer.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_gem.c drm: Don't complain too much about struct_mutex. 2017-07-18 09:17:22 +02:00
drm_gem_cma_helper.c drm: Update docs around gem_free_object 2017-07-26 13:22:39 +02:00
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_ioc32.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_ioctl.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_irq.c drm/doc: Polish irq helper documentation 2017-06-01 08:02:14 +02:00
drm_kms_helper_common.c
drm_legacy.h switch compat_drm_mapbufs() to drm_ioctl_kernel() 2017-07-04 13:16:26 -04:00
drm_lock.c
drm_memory.c
drm_mipi_dsi.c drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
drm_mm.c
drm_mode_config.c
drm_mode_object.c
drm_modes.c drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
drm_modeset_helper.c
drm_modeset_lock.c drm: Improve kerneldoc for drm_modeset_lock 2017-07-26 13:45:08 +02:00
drm_of.c drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
drm_panel.c
drm_pci.c drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
drm_plane.c drm: Fix deadlock retry loop in page_flip_ioctl 2017-05-23 09:39:14 +02:00
drm_plane_helper.c drm: Add DRM_MODE_ROTATE_ and DRM_MODE_REFLECT_ to UAPI 2017-05-22 09:49:48 +02:00
drm_prime.c
drm_print.c
drm_probe_helper.c drm: add helper to validate YCBCR420 modes 2017-07-14 21:23:54 +03:00
drm_property.c drm: rename, adjust and export drm_atomic_replace_property_blob 2017-07-14 15:53:06 +02:00
drm_rect.c drm: Add DRM_MODE_ROTATE_ and DRM_MODE_REFLECT_ to UAPI 2017-05-22 09:49:48 +02:00
drm_scatter.c
drm_scdc_helper.c
drm_simple_kms_helper.c drm/simple-kms-helper: Fix the check for the mismatch between plane and CRTC enabled. 2017-07-13 09:44:51 +02:00
drm_syncobj.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_sysfs.c
drm_trace.h
drm_trace_points.c
drm_vblank.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_vm.c
drm_vma_manager.c