Bug 1860940: platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes
a90163b... by Hans de Goede <email address hidden>
platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes
At least on the HP Envy x360 15-cp0xxx model the WMI interface
for HPWMI_FEATURE2_QUERY requires an outsize of at least 128 bytes,
otherwise it fails with an error code 5 (HPWMI_RET_INVALID_PARAMETERS):
Dec 06 00:59:38 kernel: hp_wmi: query 0xd returned error 0x5
We do not care about the contents of the buffer, we just want to know
if the HPWMI_FEATURE2_QUERY command is supported.
This commit bumps the buffer size, fixing the error.
Fixes: 8a1513b4932 ("hp-wmi: limit hotkey enable")
Cc: <email address hidden>
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703
Signed-off-by: Hans de Goede <email address hidden>
Signed-off-by: Andy Shevchenko <email address hidden>
(cherry picked from commit 133b2acee3871ae6bf123b8fe34be14464aa3d2c)
Signed-off-by: You-Sheng Yang <email address hidden>
This patch is a simplified fix to address a use-after-free in 4.14.x and
4.19.x stable kernels. The flaw is already fixed upstream, starting in
5.2, by commit 7dc40713618c ("drm/i915: Introduce a mutex for
file_priv->context_idr") as part of a more complex patch series that
isn't appropriate for backporting to stable kernels.
Expand mutex coverage, while destroying the GEM context, to include the
GEM context lookup step. This fixes a use-after-free detected by KASAN:
==================================================================
BUG: KASAN: use-after-free in i915_ppgtt_close+0x2ca/0x2f0
Write of size 1 at addr ffff8881368a8368 by task i915-poc/3124
The buggy address belongs to the object at ffff8881368a8000
which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 872 bytes inside of
8192-byte region [ffff8881368a8000, ffff8881368aa000)
The buggy address belongs to the page:
page:ffffea0004da2a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x200000000008100(slab|head)
raw: 0200000000008100 0000000000000000 0000000000000000 0000000100030003
raw: dead000000000100 dead000000000200 ffff88822a002280 0000000000000000
page dumped because: kasan: bad access detected
d8d7bc6... by Akeem G Abodunrin <email address hidden>
drm/i915/gen9: Clear residual context state on context switch
Intel GPU Hardware prior to Gen11 does not clear EU state
during a context switch. This can result in information
leakage between contexts.
For Gen8 and Gen9, hardware provides a mechanism for
fast cleardown of the EU state, by issuing a PIPE_CONTROL
with bit 27 set. We can use this in a context batch buffer
to explicitly cleardown the state on every context switch.
As this workaround is already in place for gen8, we can borrow
the code verbatim for Gen9.
Signed-off-by: Mika Kuoppala <email address hidden>
Signed-off-by: Akeem G Abodunrin <email address hidden>
CVE-2019-14615
(backported from commit bc8a76a152c5f9ef3b48104154a65a68a8b76946)
[tyhicks: Backport to 5.3:
 - Use (i915_scratch_offset(engine->i915) + 2 * CACHELINE_BYTES) in
   place of LRC_PPHWSP_SCRATCH_ADDR and PIPE_CONTROL_GLOBAL_GTT_IVB in
   place of PIPE_CONTROL_STORE_DATA_INDEX since we're missing commit
   e1237523749e ("drm/i915/execlists: Use per-process HWSP as scratch")]
Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Khalid Elmously <email address hidden>
Acked-by: Connor Kuehl <email address hidden>
Signed-off-by: Marcelo Henrique Cerri <email address hidden>