Message ID | 20190509020352.14282-2-masneyb@onstation.org (mailing list archive) |
---|---|
State | New, archived |
Series | ARM: qcom: initial Nexus 5 display support |
On Wed 08 May 19:03 PDT 2019, Brian Masney wrote:

> The msm_gem_object structure contains resv and _resv fields that are
> no longer needed since the reservation object is now stored on
> drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
> both referenced the wrong reservation object, and would lead to an
> attempt to dereference a NULL pointer. Correct those two cases to
> point to the correct reservation object.
>
> Signed-off-by: Brian Masney <masneyb@onstation.org>
> Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object reservation_object")

Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Tested-by: Bjorn Andersson <bjorn.andersson@linaro.org>

This resolves a NULL-pointer dereference about to show up in v5.2-rc1,
so please pick this up for -rc.

Regards,
Bjorn

> ---
> Patch introduced in v2
>
>  drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 +---
>  drivers/gpu/drm/msm/msm_atomic.c          | 4 +---
>  drivers/gpu/drm/msm/msm_gem.c             | 3 ---
>  drivers/gpu/drm/msm/msm_gem.h             | 4 ----
>  4 files changed, 2 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c > index da1f727d7495..ce1a555e1f31 100644 > --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c > +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c > @@ -780,7 +780,6 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane, > struct dpu_plane_state *pstate = to_dpu_plane_state(new_state); > struct dpu_hw_fmt_layout layout; > struct drm_gem_object *obj; > - struct msm_gem_object *msm_obj; > struct dma_fence *fence; > struct dpu_kms *kms = _dpu_plane_get_kms(&pdpu->base); > int ret;
> @@ -799,8 +798,7 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane, > * implicit fence and fb prepare by hand here. > */ > obj = msm_framebuffer_bo(new_state->fb, 0); > - msm_obj = to_msm_bo(obj); > - fence = reservation_object_get_excl_rcu(msm_obj->resv); > + fence = reservation_object_get_excl_rcu(obj->resv); > if (fence) > drm_atomic_set_fence_for_plane(new_state, fence); > > diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c > index f5b1256e32b6..131c23a267ee 100644 > --- a/drivers/gpu/drm/msm/msm_atomic.c > +++ b/drivers/gpu/drm/msm/msm_atomic.c > @@ -49,15 +49,13 @@ int msm_atomic_prepare_fb(struct drm_plane *plane, > struct msm_drm_private *priv = plane->dev->dev_private; > struct msm_kms *kms = priv->kms; > struct drm_gem_object *obj; > - struct msm_gem_object *msm_obj; > struct dma_fence *fence; > > if (!new_state->fb) > return 0; > > obj = msm_framebuffer_bo(new_state->fb, 0); > - msm_obj = to_msm_bo(obj); > - fence = reservation_object_get_excl_rcu(msm_obj->resv); > + fence = reservation_object_get_excl_rcu(obj->resv); > > drm_atomic_set_fence_for_plane(new_state, fence); > > diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c > index 31d5a744d84f..947508e8269d 100644 > --- a/drivers/gpu/drm/msm/msm_gem.c > +++ b/drivers/gpu/drm/msm/msm_gem.c > @@ -973,9 +973,6 @@ static int msm_gem_new_impl(struct drm_device *dev, > msm_obj->flags = flags; > msm_obj->madv = MSM_MADV_WILLNEED; > > - if (resv) > - msm_obj->base.resv = resv; > - > INIT_LIST_HEAD(&msm_obj->submit_entry); > INIT_LIST_HEAD(&msm_obj->vmas); > > diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h > index c5ac781dffee..812d1b1369a5 100644 > --- a/drivers/gpu/drm/msm/msm_gem.h > +++ b/drivers/gpu/drm/msm/msm_gem.h 
> @@ -86,10 +86,6 @@ struct msm_gem_object { > > struct llist_node freed; > > - /* normally (resv == &_resv) except for imported bo's */ > - struct reservation_object *resv; > - struct reservation_object _resv; > - > /* For physically contiguous buffers. Used when we don't have > * an IOMMU. Also used for stolen/splashscreen buffer. > */ > -- > 2.20.1 >
On Mon, May 13, 2019 at 01:32:39PM -0700, Bjorn Andersson wrote:

> On Wed 08 May 19:03 PDT 2019, Brian Masney wrote:
>
> > The msm_gem_object structure contains resv and _resv fields that are
> > no longer needed since the reservation object is now stored on
> > drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
> > both referenced the wrong reservation object, and would lead to an
> > attempt to dereference a NULL pointer. Correct those two cases to
> > point to the correct reservation object.
> >
> > Signed-off-by: Brian Masney <masneyb@onstation.org>
> > Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object reservation_object")
>
> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> Tested-by: Bjorn Andersson <bjorn.andersson@linaro.org>
>
> This resolves a NULL-pointer dereference about to show up in v5.2-rc1,
> so please pick this up for -rc.

Let me send out another version of just this patch. This snippet below
that I removed needs to stay. I got a little too overeager removing code.

> > @@ -973,9 +973,6 @@ static int msm_gem_new_impl(struct drm_device *dev, > > msm_obj->flags = flags; > > msm_obj->madv = MSM_MADV_WILLNEED; > > > > - if (resv) > > - msm_obj->base.resv = resv; > > - > > INIT_LIST_HEAD(&msm_obj->submit_entry); > > INIT_LIST_HEAD(&msm_obj->vmas); > >

Brian
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c index da1f727d7495..ce1a555e1f31 100644 --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c @@ -780,7 +780,6 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane, struct dpu_plane_state *pstate = to_dpu_plane_state(new_state); struct dpu_hw_fmt_layout layout; struct drm_gem_object *obj; - struct msm_gem_object *msm_obj; struct dma_fence *fence; struct dpu_kms *kms = _dpu_plane_get_kms(&pdpu->base); int ret; @@ -799,8 +798,7 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane, * implicit fence and fb prepare by hand here. */ obj = msm_framebuffer_bo(new_state->fb, 0); - msm_obj = to_msm_bo(obj); - fence = reservation_object_get_excl_rcu(msm_obj->resv); + fence = reservation_object_get_excl_rcu(obj->resv); if (fence) drm_atomic_set_fence_for_plane(new_state, fence); diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c index f5b1256e32b6..131c23a267ee 100644 --- a/drivers/gpu/drm/msm/msm_atomic.c +++ b/drivers/gpu/drm/msm/msm_atomic.c @@ -49,15 +49,13 @@ int msm_atomic_prepare_fb(struct drm_plane *plane, struct msm_drm_private *priv = plane->dev->dev_private; struct msm_kms *kms = priv->kms; struct drm_gem_object *obj; - struct msm_gem_object *msm_obj; struct dma_fence *fence; if (!new_state->fb) return 0; obj = msm_framebuffer_bo(new_state->fb, 0); - msm_obj = to_msm_bo(obj); - fence = reservation_object_get_excl_rcu(msm_obj->resv); + fence = reservation_object_get_excl_rcu(obj->resv); drm_atomic_set_fence_for_plane(new_state, fence); diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c index 31d5a744d84f..947508e8269d 100644 --- a/drivers/gpu/drm/msm/msm_gem.c +++ b/drivers/gpu/drm/msm/msm_gem.c 
@@ -973,9 +973,6 @@ static int msm_gem_new_impl(struct drm_device *dev, msm_obj->flags = flags; msm_obj->madv = MSM_MADV_WILLNEED; - if (resv) - msm_obj->base.resv = resv; - INIT_LIST_HEAD(&msm_obj->submit_entry); INIT_LIST_HEAD(&msm_obj->vmas); diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h index c5ac781dffee..812d1b1369a5 100644 --- a/drivers/gpu/drm/msm/msm_gem.h +++ b/drivers/gpu/drm/msm/msm_gem.h @@ -86,10 +86,6 @@ struct msm_gem_object { struct llist_node freed; - /* normally (resv == &_resv) except for imported bo's */ - struct reservation_object *resv; - struct reservation_object _resv; - /* For physically contiguous buffers. Used when we don't have * an IOMMU. Also used for stolen/splashscreen buffer. */
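Review bot: In the dpu_plane.c hunks the function being fixed is dpu_plane_prepare_fb(), but the changelog names msm_atomic_prepare_fb() twice; please name dpu_plane_prepare_fb() there so the description matches the two call sites actually changed. Also, `obj` is dereferenced as `obj->resv` straight after msm_framebuffer_bo(new_state->fb, 0) with no check visible in this context, so it is worth confirming that new_state->fb is validated earlier in this function, as the `if (!new_state->fb)` test does in msm_atomic_prepare_fb().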
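Review bot: In the msm_atomic.c hunk the fence from `reservation_object_get_excl_rcu(obj->resv)` is passed to drm_atomic_set_fence_for_plane() unconditionally, while the dpu_plane_prepare_fb() hunk guards the same call with `if (fence)`. Both sites now read the reservation object the same way, so consider making the two consistent, or say in the changelog why they differ.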
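Review bot: The msm_gem.c hunk removes `if (resv) msm_obj->base.resv = resv;`, which writes the drm_gem_object field this patch switches the callers to, not the msm_gem_object resv/_resv fields deleted in msm_gem.h. With the assignment gone, a non-NULL `resv` is never applied to the new object, and the comment deleted from msm_gem.h identifies that as the imported-bo case, so imported buffers would stop using the reservation object they were given. Keep this assignment and limit the removal to the two fields in msm_gem.h.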
The msm_gem_object structure contains resv and _resv fields that are
no longer needed since the reservation object is now stored on
drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
both referenced the wrong reservation object, and would lead to an
attempt to dereference a NULL pointer. Correct those two cases to
point to the correct reservation object.

Signed-off-by: Brian Masney <masneyb@onstation.org>
Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object reservation_object")
---
Patch introduced in v2

 drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 +---
 drivers/gpu/drm/msm/msm_atomic.c          | 4 +---
 drivers/gpu/drm/msm/msm_gem.c             | 3 ---
 drivers/gpu/drm/msm/msm_gem.h             | 4 ----
 4 files changed, 2 insertions(+), 13 deletions(-)