| Message ID | 20161020080239.15102-1-zhenyuw@linux.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 2016.10.20 09:12:02 +0100, Chris Wilson wrote: > On Thu, Oct 20, 2016 at 04:02:39PM +0800, Zhenyu Wang wrote: > > void intel_gvt_clean_device(struct drm_i915_private *dev_priv) > > { > > - struct intel_gvt *gvt = &dev_priv->gvt; > > + struct intel_gvt *gvt = to_gvt(dev_priv); > > > > if (WARN_ON(!gvt->initialized)) > > return; > > @@ -188,6 +189,8 @@ void intel_gvt_clean_device(struct drm_i915_private *dev_priv) > > intel_gvt_clean_mmio_info(gvt); > > intel_gvt_free_firmware(gvt); > > > > + kfree(dev_priv->gvt); > > + dev_priv->gvt = NULL; > > gvt->initialized = false; > > } > > Whoops. First a NULL pointer deref then a use-after-free before coffee. > I need coffee! > > Just remove struct intel_gvt.initialized, it is leading you astray. oops! sorry about that...
On Thu, Oct 20, 2016 at 04:02:39PM +0800, Zhenyu Wang wrote: > void intel_gvt_clean_device(struct drm_i915_private *dev_priv) > { > - struct intel_gvt *gvt = &dev_priv->gvt; > + struct intel_gvt *gvt = to_gvt(dev_priv); > > if (WARN_ON(!gvt->initialized)) > return; > @@ -188,6 +189,8 @@ void intel_gvt_clean_device(struct drm_i915_private *dev_priv) > intel_gvt_clean_mmio_info(gvt); > intel_gvt_free_firmware(gvt); > > + kfree(dev_priv->gvt); > + dev_priv->gvt = NULL; > gvt->initialized = false; > } Whoops. First a NULL pointer deref then a use-after-free before coffee. I need coffee! Just remove struct intel_gvt.initialized, it is leading you astray. -Chris
diff --git a/drivers/gpu/drm/i915/gvt/aperture_gm.c b/drivers/gpu/drm/i915/gvt/aperture_gm.c index e0211f8..db503c1 100644 --- a/drivers/gpu/drm/i915/gvt/aperture_gm.c +++ b/drivers/gpu/drm/i915/gvt/aperture_gm.c @@ -35,6 +35,7 @@ */ #include "i915_drv.h" +#include "gvt.h" #define MB_TO_BYTES(mb) ((mb) << 20ULL) #define BYTES_TO_MB(b) ((b) >> 20ULL) diff --git a/drivers/gpu/drm/i915/gvt/cfg_space.c b/drivers/gpu/drm/i915/gvt/cfg_space.c index 16360e4..4c68774 100644 --- a/drivers/gpu/drm/i915/gvt/cfg_space.c +++ b/drivers/gpu/drm/i915/gvt/cfg_space.c @@ -32,6 +32,7 @@ */ #include "i915_drv.h" +#include "gvt.h" enum { INTEL_GVT_PCI_BAR_GTTMMIO = 0, diff --git a/drivers/gpu/drm/i915/gvt/cmd_parser.c b/drivers/gpu/drm/i915/gvt/cmd_parser.c index 5808ee7..5b4658f 100644 --- a/drivers/gpu/drm/i915/gvt/cmd_parser.c +++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c @@ -36,6 +36,8 @@ #include <linux/slab.h> #include "i915_drv.h" +#include "gvt.h" +#include "i915_pvinfo.h" #include "trace.h" #define INVALID_OP (~0U) diff --git a/drivers/gpu/drm/i915/gvt/display.c b/drivers/gpu/drm/i915/gvt/display.c index 534000b..d8908d4 100644 --- a/drivers/gpu/drm/i915/gvt/display.c +++ b/drivers/gpu/drm/i915/gvt/display.c @@ -33,6 +33,7 @@ */ #include "i915_drv.h" +#include "gvt.h" static int get_edp_pipe(struct intel_vgpu *vgpu) { diff --git a/drivers/gpu/drm/i915/gvt/edid.c b/drivers/gpu/drm/i915/gvt/edid.c index a07e427..7e1da1c 100644 --- a/drivers/gpu/drm/i915/gvt/edid.c +++ b/drivers/gpu/drm/i915/gvt/edid.c @@ -33,6 +33,7 @@ */ #include "i915_drv.h" +#include "gvt.h" #define GMBUS1_TOTAL_BYTES_SHIFT 16 #define GMBUS1_TOTAL_BYTES_MASK 0x1ff diff --git a/drivers/gpu/drm/i915/gvt/execlist.c b/drivers/gpu/drm/i915/gvt/execlist.c index c50a3d1..b87b4f5 100644 --- a/drivers/gpu/drm/i915/gvt/execlist.c +++ b/drivers/gpu/drm/i915/gvt/execlist.c @@ -33,6 +33,7 @@ */ #include "i915_drv.h" +#include "gvt.h" #define _EL_OFFSET_STATUS 0x234 #define _EL_OFFSET_STATUS_BUF 0x370 diff --git a/drivers/gpu/drm/i915/gvt/firmware.c b/drivers/gpu/drm/i915/gvt/firmware.c index 4578a4d..d068a52 100644 --- a/drivers/gpu/drm/i915/gvt/firmware.c +++ b/drivers/gpu/drm/i915/gvt/firmware.c @@ -32,6 +32,8 @@ #include <linux/crc32.h> #include "i915_drv.h" +#include "gvt.h" +#include "i915_pvinfo.h" #define FIRMWARE_VERSION (0x0) diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c index 29de179..0722d1e 100644 --- a/drivers/gpu/drm/i915/gvt/gtt.c +++ b/drivers/gpu/drm/i915/gvt/gtt.c @@ -34,6 +34,8 @@ */ #include "i915_drv.h" +#include "gvt.h" +#include "i915_pvinfo.h" #include "trace.h" static bool enable_out_of_sync = false; diff --git a/drivers/gpu/drm/i915/gvt/gvt.c b/drivers/gpu/drm/i915/gvt/gvt.c index e72e26c..aee5ceb 100644 --- a/drivers/gpu/drm/i915/gvt/gvt.c +++ b/drivers/gpu/drm/i915/gvt/gvt.c @@ -35,6 +35,7 @@ #include <linux/kthread.h> #include "i915_drv.h" +#include "gvt.h" struct intel_gvt_host intel_gvt_host; @@ -173,7 +174,7 @@ static int init_service_thread(struct intel_gvt *gvt) */ void intel_gvt_clean_device(struct drm_i915_private *dev_priv) { - struct intel_gvt *gvt = &dev_priv->gvt; + struct intel_gvt *gvt = to_gvt(dev_priv); if (WARN_ON(!gvt->initialized)) return; @@ -188,6 +189,8 @@ void intel_gvt_clean_device(struct drm_i915_private *dev_priv) intel_gvt_clean_mmio_info(gvt); intel_gvt_free_firmware(gvt); + kfree(dev_priv->gvt); + dev_priv->gvt = NULL; gvt->initialized = false; } @@ -204,7 +207,7 @@ void intel_gvt_clean_device(struct drm_i915_private *dev_priv) */ int intel_gvt_init_device(struct drm_i915_private *dev_priv) { - struct intel_gvt *gvt = &dev_priv->gvt; + struct intel_gvt *gvt; int ret; /* @@ -214,9 +217,13 @@ int intel_gvt_init_device(struct drm_i915_private *dev_priv) if (WARN_ON(!intel_gvt_host.initialized)) return -EINVAL; - if (WARN_ON(gvt->initialized)) + if (WARN_ON(dev_priv->gvt)) return -EEXIST; + gvt = kzalloc(sizeof(struct intel_gvt), GFP_KERNEL); + if (!gvt) + return -ENOMEM; + gvt_dbg_core("init gvt device\n"); mutex_init(&gvt->lock); @@ -262,6 +269,7 @@ int intel_gvt_init_device(struct drm_i915_private *dev_priv) gvt_dbg_core("gvt device creation is done\n"); gvt->initialized = true; + dev_priv->gvt = gvt; return 0; out_clean_cmd_parser: @@ -280,5 +288,6 @@ out_free_firmware: intel_gvt_free_firmware(gvt); out_clean_mmio_info: intel_gvt_clean_mmio_info(gvt); + kfree(gvt); return ret; } diff --git a/drivers/gpu/drm/i915/gvt/gvt.h b/drivers/gpu/drm/i915/gvt/gvt.h index 1564554..359fe7f 100644 --- a/drivers/gpu/drm/i915/gvt/gvt.h +++ b/drivers/gpu/drm/i915/gvt/gvt.h @@ -213,6 +213,8 @@ struct intel_gvt { unsigned long service_request; }; +#define to_gvt(dev_priv) (struct intel_gvt *)((dev_priv)->gvt) + enum { INTEL_GVT_REQUEST_EMULATE_VBLANK = 0, }; diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c index e8ec403..b21115f 100644 --- a/drivers/gpu/drm/i915/gvt/handlers.c +++ b/drivers/gpu/drm/i915/gvt/handlers.c @@ -37,6 +37,8 @@ */ #include "i915_drv.h" +#include "gvt.h" +#include "i915_pvinfo.h" /* XXX FIXME i915 has changed PP_XXX definition */ #define PCH_PP_STATUS _MMIO(0xc7200) diff --git a/drivers/gpu/drm/i915/gvt/interrupt.c b/drivers/gpu/drm/i915/gvt/interrupt.c index 84d7174..e43ef72 100644 --- a/drivers/gpu/drm/i915/gvt/interrupt.c +++ b/drivers/gpu/drm/i915/gvt/interrupt.c @@ -30,6 +30,7 @@ */ #include "i915_drv.h" +#include "gvt.h" /* common offset among interrupt control registers */ #define regbase_to_isr(base) (base) diff --git a/drivers/gpu/drm/i915/gvt/mmio.c b/drivers/gpu/drm/i915/gvt/mmio.c index ce3af95..585b01f 100644 --- a/drivers/gpu/drm/i915/gvt/mmio.c +++ b/drivers/gpu/drm/i915/gvt/mmio.c @@ -34,6 +34,7 @@ */ #include "i915_drv.h" +#include "gvt.h" /** * intel_vgpu_gpa_to_mmio_offset - translate a GPA to MMIO offset diff --git a/drivers/gpu/drm/i915/gvt/opregion.c b/drivers/gpu/drm/i915/gvt/opregion.c index 46cc240..53ac81f 100644 --- a/drivers/gpu/drm/i915/gvt/opregion.c +++ b/drivers/gpu/drm/i915/gvt/opregion.c @@ -23,6 +23,7 @@ #include <linux/acpi.h> #include "i915_drv.h" +#include "gvt.h" static int init_vgpu_opregion(struct intel_vgpu *vgpu, u32 gpa) { diff --git a/drivers/gpu/drm/i915/gvt/render.c b/drivers/gpu/drm/i915/gvt/render.c index f54ab85..feebb65 100644 --- a/drivers/gpu/drm/i915/gvt/render.c +++ b/drivers/gpu/drm/i915/gvt/render.c @@ -34,6 +34,7 @@ */ #include "i915_drv.h" +#include "gvt.h" struct render_mmio { int ring_id; diff --git a/drivers/gpu/drm/i915/gvt/sched_policy.c b/drivers/gpu/drm/i915/gvt/sched_policy.c index c607354..278db0c 100644 --- a/drivers/gpu/drm/i915/gvt/sched_policy.c +++ b/drivers/gpu/drm/i915/gvt/sched_policy.c @@ -32,6 +32,7 @@ */ #include "i915_drv.h" +#include "gvt.h" static bool vgpu_has_pending_workload(struct intel_vgpu *vgpu) { diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c index b15cdf5..01d23ad 100644 --- a/drivers/gpu/drm/i915/gvt/scheduler.c +++ b/drivers/gpu/drm/i915/gvt/scheduler.c @@ -33,10 +33,11 @@ * */ -#include "i915_drv.h" - #include <linux/kthread.h> +#include "i915_drv.h" +#include "gvt.h" + #define RING_CTX_OFF(x) \ offsetof(struct execlist_ring_context, x) diff --git a/drivers/gpu/drm/i915/gvt/vgpu.c b/drivers/gpu/drm/i915/gvt/vgpu.c index e5e0a72..9401436 100644 --- a/drivers/gpu/drm/i915/gvt/vgpu.c +++ b/drivers/gpu/drm/i915/gvt/vgpu.c @@ -32,6 +32,8 @@ */ #include "i915_drv.h" +#include "gvt.h" +#include "i915_pvinfo.h" static void clean_vgpu_mmio(struct intel_vgpu *vgpu) { diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h index 4d1133f..5024ad9 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -1778,7 +1778,7 @@ struct drm_i915_private { struct i915_virtual_gpu vgpu; - struct intel_gvt gvt; + struct intel_gvt *gvt; struct intel_guc guc; @@ -2992,7 +2992,7 @@ int intel_wait_for_register_fw(struct drm_i915_private *dev_priv, static inline bool intel_gvt_active(struct drm_i915_private *dev_priv) { - return dev_priv->gvt.initialized; + return dev_priv->gvt; } static inline bool intel_vgpu_active(struct drm_i915_private *dev_priv) diff --git a/drivers/gpu/drm/i915/intel_gvt.h b/drivers/gpu/drm/i915/intel_gvt.h index 0f00105..25df2d6 100644 --- a/drivers/gpu/drm/i915/intel_gvt.h +++ b/drivers/gpu/drm/i915/intel_gvt.h @@ -24,8 +24,7 @@ #ifndef _INTEL_GVT_H_ #define _INTEL_GVT_H_ -#include "i915_pvinfo.h" -#include "gvt/gvt.h" +struct intel_gvt; #ifdef CONFIG_DRM_I915_GVT int intel_gvt_init(struct drm_i915_private *dev_priv);
i915 core should only call functions and structures exposed through intel_gvt.h. Remove internal gvt.h and i915_pvinfo.h. Change for internal intel_gvt structure as private handler which not requires to expose gvt internal structure for i915 core. v2: Fix per Chris's comment - carefully handle dev_priv->gvt assignment - add necessary bracket for macro helper - forward declartion struct intel_gvt - keep free operation within same file handling alloc Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com> --- drivers/gpu/drm/i915/gvt/aperture_gm.c | 1 + drivers/gpu/drm/i915/gvt/cfg_space.c | 1 + drivers/gpu/drm/i915/gvt/cmd_parser.c | 2 ++ drivers/gpu/drm/i915/gvt/display.c | 1 + drivers/gpu/drm/i915/gvt/edid.c | 1 + drivers/gpu/drm/i915/gvt/execlist.c | 1 + drivers/gpu/drm/i915/gvt/firmware.c | 2 ++ drivers/gpu/drm/i915/gvt/gtt.c | 2 ++ drivers/gpu/drm/i915/gvt/gvt.c | 15 ++++++++++++--- drivers/gpu/drm/i915/gvt/gvt.h | 2 ++ drivers/gpu/drm/i915/gvt/handlers.c | 2 ++ drivers/gpu/drm/i915/gvt/interrupt.c | 1 + drivers/gpu/drm/i915/gvt/mmio.c | 1 + drivers/gpu/drm/i915/gvt/opregion.c | 1 + drivers/gpu/drm/i915/gvt/render.c | 1 + drivers/gpu/drm/i915/gvt/sched_policy.c | 1 + drivers/gpu/drm/i915/gvt/scheduler.c | 5 +++-- drivers/gpu/drm/i915/gvt/vgpu.c | 2 ++ drivers/gpu/drm/i915/i915_drv.h | 4 ++-- drivers/gpu/drm/i915/intel_gvt.h | 3 +-- 20 files changed, 40 insertions(+), 9 deletions(-)