[PATCH v2.1 1/2] drm/msm: remove resv fields from msm_gem_object struct

[PATCH v2.1 1/2] drm/msm: remove resv fields from msm_gem_object struct

[Brian Masney]

The msm_gem_object structure contains resv and _resv fields that are
no longer needed since the reservation object is now stored on
drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
both referenced the wrong reservation object, and would lead to an
attempt to dereference a NULL pointer. Correct those two cases to
point to the correct reservation object.

Signed-off-by: Brian Masney <masneyb@onstation.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Tested-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object reservation_object")
---
This is a split out version of this patch from where I am working to get
the display working on the Nexus 5:

https://lore.kernel.org/lkml/20190509020352.14282-2-masneyb@onstation.org/

Bjorn asks:
    This resolves a NULL-pointer dereference about to show up in v5.2-rc1,
    so please pick this up for -rc.

In this version, I dropped the change to msm_gem_new_impl() that
mistakenly removed 'msm_obj->base.resv = resv;'. I did not put a v3 on
this patch since I wanted to keep that version number for the larger work
to get the display working on the Nexus 5 so I went with 2.1 here. :)

 drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 +---
 drivers/gpu/drm/msm/msm_atomic.c          | 4 +---
 drivers/gpu/drm/msm/msm_gem.h             | 4 ----
 3 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
index 4fca24b8702c..f3d009a3dc63 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
@@ -781,7 +781,6 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
 	struct dpu_plane_state *pstate = to_dpu_plane_state(new_state);
 	struct dpu_hw_fmt_layout layout;
 	struct drm_gem_object *obj;
-	struct msm_gem_object *msm_obj;
 	struct dma_fence *fence;
 	struct dpu_kms *kms = _dpu_plane_get_kms(&pdpu->base);
 	int ret;
@@ -800,8 +799,7 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
 	 *       implicit fence and fb prepare by hand here.
 	 */
 	obj = msm_framebuffer_bo(new_state->fb, 0);
-	msm_obj = to_msm_bo(obj);
-	fence = reservation_object_get_excl_rcu(msm_obj->resv);
+	fence = reservation_object_get_excl_rcu(obj->resv);
 	if (fence)
 		drm_atomic_set_fence_for_plane(new_state, fence);
 
diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
index f5b1256e32b6..131c23a267ee 100644
--- a/drivers/gpu/drm/msm/msm_atomic.c
+++ b/drivers/gpu/drm/msm/msm_atomic.c
@@ -49,15 +49,13 @@ int msm_atomic_prepare_fb(struct drm_plane *plane,
 	struct msm_drm_private *priv = plane->dev->dev_private;
 	struct msm_kms *kms = priv->kms;
 	struct drm_gem_object *obj;
-	struct msm_gem_object *msm_obj;
 	struct dma_fence *fence;
 
 	if (!new_state->fb)
 		return 0;
 
 	obj = msm_framebuffer_bo(new_state->fb, 0);
-	msm_obj = to_msm_bo(obj);
-	fence = reservation_object_get_excl_rcu(msm_obj->resv);
+	fence = reservation_object_get_excl_rcu(obj->resv);
 
 	drm_atomic_set_fence_for_plane(new_state, fence);
 
diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
index c5ac781dffee..812d1b1369a5 100644
--- a/drivers/gpu/drm/msm/msm_gem.h
+++ b/drivers/gpu/drm/msm/msm_gem.h
@@ -86,10 +86,6 @@ struct msm_gem_object {
 
 	struct llist_node freed;
 
-	/* normally (resv == &_resv) except for imported bo's */
-	struct reservation_object *resv;
-	struct reservation_object _resv;
-
 	/* For physically contiguous buffers.  Used when we don't have
 	 * an IOMMU.  Also used for stolen/splashscreen buffer.
 	 */
-- 
2.20.1

[PATCH 2/2] drm/msm: correct attempted NULL pointer dereference in debugfs

[Brian Masney]

msm_gem_describe() would attempt to dereference a NULL pointer via the
address space pointer when no IOMMU is present. Correct this by adding
the appropriate check.

Signed-off-by: Brian Masney <masneyb@onstation.org>
Fixes: 575f0485508b ("drm/msm: Clean up and enhance the output of the 'gem' debugfs node")
---
 drivers/gpu/drm/msm/msm_gem.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 31d5a744d84f..35f55dd25994 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -803,7 +803,8 @@ void msm_gem_describe(struct drm_gem_object *obj, struct seq_file *m)
 		seq_puts(m, "      vmas:");
 
 		list_for_each_entry(vma, &msm_obj->vmas, list)
-			seq_printf(m, " [%s: %08llx,%s,inuse=%d]", vma->aspace->name,
+			seq_printf(m, " [%s: %08llx,%s,inuse=%d]",
+				vma->aspace != NULL ? vma->aspace->name : NULL,
 				vma->iova, vma->mapped ? "mapped" : "unmapped",
 				vma->inuse);
 
-- 
2.20.1

[PATCH 2/2] drm/msm: correct attempted NULL pointer dereference in debugfs

[Brian Masney]

msm_gem_describe() would attempt to dereference a NULL pointer via the
address space pointer when no IOMMU is present. Correct this by adding
the appropriate check.

Signed-off-by: Brian Masney <masneyb@onstation.org>
Fixes: 575f0485508b ("drm/msm: Clean up and enhance the output of the 'gem' debugfs node")
---
 drivers/gpu/drm/msm/msm_gem.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 31d5a744d84f..35f55dd25994 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -803,7 +803,8 @@ void msm_gem_describe(struct drm_gem_object *obj, struct seq_file *m)
 		seq_puts(m, "      vmas:");
 
 		list_for_each_entry(vma, &msm_obj->vmas, list)
-			seq_printf(m, " [%s: %08llx,%s,inuse=%d]", vma->aspace->name,
+			seq_printf(m, " [%s: %08llx,%s,inuse=%d]",
+				vma->aspace != NULL ? vma->aspace->name : NULL,
 				vma->iova, vma->mapped ? "mapped" : "unmapped",
 				vma->inuse);
 
-- 
2.20.1

_______________________________________________
Freedreno mailing list
Freedreno@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/freedreno

Re: [PATCH v2.1 1/2] drm/msm: remove resv fields from msm_gem_object struct

[Sean Paul]

On Mon, May 13, 2019 at 07:41:04PM -0400, Brian Masney wrote:
> The msm_gem_object structure contains resv and _resv fields that are
> no longer needed since the reservation object is now stored on
> drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
> both referenced the wrong reservation object, and would lead to an
> attempt to dereference a NULL pointer. Correct those two cases to
> point to the correct reservation object.
> 
> Signed-off-by: Brian Masney <masneyb@onstation.org>

Thanks Brian for your patches. I've applied them to drm-misc-next-fixes for
inclusion in 5.2

Sean

> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> Tested-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object reservation_object")
> ---
> This is a split out version of this patch from where I am working to get
> the display working on the Nexus 5:
> 
> https://lore.kernel.org/lkml/20190509020352.14282-2-masneyb@onstation.org/
> 
> Bjorn asks:
>     This resolves a NULL-pointer dereference about to show up in v5.2-rc1,
>     so please pick this up for -rc.
> 
> In this version, I dropped the change to msm_gem_new_impl() that
> mistakenly removed 'msm_obj->base.resv = resv;'. I did not put a v3 on
> this patch since I wanted to keep that version number for the larger work
> to get the display working on the Nexus 5 so I went with 2.1 here. :)
> 
>  drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 +---
>  drivers/gpu/drm/msm/msm_atomic.c          | 4 +---
>  drivers/gpu/drm/msm/msm_gem.h             | 4 ----
>  3 files changed, 2 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> index 4fca24b8702c..f3d009a3dc63 100644
> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> @@ -781,7 +781,6 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
>  	struct dpu_plane_state *pstate = to_dpu_plane_state(new_state);
>  	struct dpu_hw_fmt_layout layout;
>  	struct drm_gem_object *obj;
> -	struct msm_gem_object *msm_obj;
>  	struct dma_fence *fence;
>  	struct dpu_kms *kms = _dpu_plane_get_kms(&pdpu->base);
>  	int ret;
> @@ -800,8 +799,7 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
>  	 *       implicit fence and fb prepare by hand here.
>  	 */
>  	obj = msm_framebuffer_bo(new_state->fb, 0);
> -	msm_obj = to_msm_bo(obj);
> -	fence = reservation_object_get_excl_rcu(msm_obj->resv);
> +	fence = reservation_object_get_excl_rcu(obj->resv);
>  	if (fence)
>  		drm_atomic_set_fence_for_plane(new_state, fence);
>  
> diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
> index f5b1256e32b6..131c23a267ee 100644
> --- a/drivers/gpu/drm/msm/msm_atomic.c
> +++ b/drivers/gpu/drm/msm/msm_atomic.c
> @@ -49,15 +49,13 @@ int msm_atomic_prepare_fb(struct drm_plane *plane,
>  	struct msm_drm_private *priv = plane->dev->dev_private;
>  	struct msm_kms *kms = priv->kms;
>  	struct drm_gem_object *obj;
> -	struct msm_gem_object *msm_obj;
>  	struct dma_fence *fence;
>  
>  	if (!new_state->fb)
>  		return 0;
>  
>  	obj = msm_framebuffer_bo(new_state->fb, 0);
> -	msm_obj = to_msm_bo(obj);
> -	fence = reservation_object_get_excl_rcu(msm_obj->resv);
> +	fence = reservation_object_get_excl_rcu(obj->resv);
>  
>  	drm_atomic_set_fence_for_plane(new_state, fence);
>  
> diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
> index c5ac781dffee..812d1b1369a5 100644
> --- a/drivers/gpu/drm/msm/msm_gem.h
> +++ b/drivers/gpu/drm/msm/msm_gem.h
> @@ -86,10 +86,6 @@ struct msm_gem_object {
>  
>  	struct llist_node freed;
>  
> -	/* normally (resv == &_resv) except for imported bo's */
> -	struct reservation_object *resv;
> -	struct reservation_object _resv;
> -
>  	/* For physically contiguous buffers.  Used when we don't have
>  	 * an IOMMU.  Also used for stolen/splashscreen buffer.
>  	 */
> -- 
> 2.20.1
> 

-- 
Sean Paul, Software Engineer, Google / Chromium OS