From cbcfcbeb75fe249ad23844c8631bfe50ce544579 Mon Sep 17 00:00:00 2001 From: Justin M. Forbes Date: Oct 05 2017 17:24:01 +0000 Subject: More qxl fixup and notate the CVE fixed by 4.13.5 --- diff --git a/kernel.spec b/kernel.spec index baf8749..1c2546a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2253,6 +2253,7 @@ fi * Thu Oct 05 2017 Laura Abbott - 4.13.5-200 - Linux v4.13.5 - Fix for peaq_wmi nul spew (rhbz 1497861) +- Fixes CVE-2017-14954 (rhbz 1497745 1497747) * Thu Sep 28 2017 Laura Abbott - 4.13.4-200 - Linux v4.13.4 diff --git a/qxl-fixes.patch b/qxl-fixes.patch index 0b39c6f..c8bd4b9 100644 --- a/qxl-fixes.patch +++ b/qxl-fixes.patch @@ -1,90 +1,3 @@ -From c463b4ad6b2ac5a40c959e6c636eafc7edb1a63b Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Wed, 6 Sep 2017 11:31:51 +0200 -Subject: qxl: fix primary surface handling - -The atomic conversion of the qxl driver didn't got the primary surface -handling completely right. It works in the common simple cases, but -fails for example when changing the display resolution using xrandr or -in multihead setups. - -The rules are simple: There is one primary surface. Before defining a -new one you have to destroy the old one. - -This patch makes qxl_primary_atomic_update() destroy the primary surface -before defining a new one. It fixes is_primary flag updates. It adds -is_primary checks so we don't try to update the primary surface in case -it already has the state we want it being in. - -Signed-off-by: Gerd Hoffmann ---- - drivers/gpu/drm/qxl/qxl_display.c | 34 +++++++++++++++++++--------------- - 1 file changed, 19 insertions(+), 15 deletions(-) - -diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c -index 03fe182..7babdd8f 100644 ---- a/drivers/gpu/drm/qxl/qxl_display.c -+++ b/drivers/gpu/drm/qxl/qxl_display.c -@@ -512,23 +512,25 @@ static void qxl_primary_atomic_update(struct drm_plane *plane, - .y2 = qfb->base.height - }; - -- if (!old_state->fb) { -- qxl_io_log(qdev, -- "create primary fb: %dx%d,%d,%d\n", -- bo->surf.width, bo->surf.height, -- bo->surf.stride, bo->surf.format); -+ if (old_state->fb) { -+ qfb_old = to_qxl_framebuffer(old_state->fb); -+ bo_old = gem_to_qxl_bo(qfb_old->obj); -+ } else { -+ bo_old = NULL; -+ } - -- qxl_io_create_primary(qdev, 0, bo); -- bo->is_primary = true; -+ if (bo == bo_old) - return; - -- } else { -- qfb_old = to_qxl_framebuffer(old_state->fb); -- bo_old = gem_to_qxl_bo(qfb_old->obj); -+ if (bo_old && bo_old->is_primary) { -+ qxl_io_destroy_primary(qdev); - bo_old->is_primary = false; - } - -- bo->is_primary = true; -+ if (!bo->is_primary) { -+ qxl_io_create_primary(qdev, 0, bo); -+ bo->is_primary = true; -+ } - qxl_draw_dirty_fb(qdev, qfb, bo, 0, 0, &norect, 1, 1); - } - -@@ -537,13 +539,15 @@ static void qxl_primary_atomic_disable(struct drm_plane *plane, - { - struct qxl_device *qdev = plane->dev->dev_private; - -- if (old_state->fb) -- { struct qxl_framebuffer *qfb = -+ if (old_state->fb) { -+ struct qxl_framebuffer *qfb = - to_qxl_framebuffer(old_state->fb); - struct qxl_bo *bo = gem_to_qxl_bo(qfb->obj); - -- qxl_io_destroy_primary(qdev); -- bo->is_primary = false; -+ if (bo->is_primary) { -+ qxl_io_destroy_primary(qdev); -+ bo->is_primary = false; -+ } - } - } - --- -cgit v0.12 - From 05026e6e19b29104ddba4e8979e6c7af17944695 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 15 Sep 2017 12:46:15 +0200