* [PATCH 1/6] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set
@ 2019-05-21 8:24 Thomas Hellstrom
2019-05-21 8:24 ` [PATCH 2/6] drm/vmwgfx: Fix user space handle equal to zero Thomas Hellstrom
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Thomas Hellstrom @ 2019-05-21 8:24 UTC (permalink / raw)
To: dri-devel; +Cc: Thomas Hellstrom, stable, Deepak Singh Rawat
This may confuse user-space clients like plymouth that opens a drm
file descriptor as a result of a hotplug event and then generates a
new event...
Cc: <stable@vger.kernel.org>
Fixes: 5ea1734827bb ("drm/vmwgfx: Send a hotplug event at master_set")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
index bf6c3500d363..4ff11a0077e1 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
@@ -1239,7 +1239,13 @@ static int vmw_master_set(struct drm_device *dev,
}
dev_priv->active_master = vmaster;
- drm_sysfs_hotplug_event(dev);
+
+ /*
+ * Inform a new master that the layout may have changed while
+ * it was gone.
+ */
+ if (!from_open)
+ drm_sysfs_hotplug_event(dev);
return 0;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/6] drm/vmwgfx: Fix user space handle equal to zero
2019-05-21 8:24 [PATCH 1/6] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set Thomas Hellstrom
@ 2019-05-21 8:24 ` Thomas Hellstrom
2019-05-21 8:24 ` [PATCH 3/6] drm/vmwgfx: Fix compat mode shader operation Thomas Hellstrom
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Thomas Hellstrom @ 2019-05-21 8:24 UTC (permalink / raw)
To: dri-devel; +Cc: Thomas Hellstrom, stable, Deepak Singh Rawat
User-space handles equal to zero are interpreted as uninitialized or
illegal by some drm systems (most notably kms). This means that a
dumb buffer or surface with a zero user-space handle can never be
used as a kms frame-buffer.
Cc: <stable@vger.kernel.org>
Fixes: c7eae62666ad ("drm/vmwgfx: Make the object handles idr-generated")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
---
drivers/gpu/drm/vmwgfx/ttm_object.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/ttm_object.c b/drivers/gpu/drm/vmwgfx/ttm_object.c
index 36990b80e790..16077785ad47 100644
--- a/drivers/gpu/drm/vmwgfx/ttm_object.c
+++ b/drivers/gpu/drm/vmwgfx/ttm_object.c
@@ -174,7 +174,7 @@ int ttm_base_object_init(struct ttm_object_file *tfile,
kref_init(&base->refcount);
idr_preload(GFP_KERNEL);
spin_lock(&tdev->object_lock);
- ret = idr_alloc(&tdev->idr, base, 0, 0, GFP_NOWAIT);
+ ret = idr_alloc(&tdev->idr, base, 1, 0, GFP_NOWAIT);
spin_unlock(&tdev->object_lock);
idr_preload_end();
if (ret < 0)
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/6] drm/vmwgfx: Fix compat mode shader operation
2019-05-21 8:24 [PATCH 1/6] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set Thomas Hellstrom
2019-05-21 8:24 ` [PATCH 2/6] drm/vmwgfx: Fix user space handle equal to zero Thomas Hellstrom
@ 2019-05-21 8:24 ` Thomas Hellstrom
2019-05-21 8:25 ` [PATCH 5/6] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() Thomas Hellstrom
2019-05-21 8:25 ` [PATCH 6/6] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read Thomas Hellstrom
3 siblings, 0 replies; 5+ messages in thread
From: Thomas Hellstrom @ 2019-05-21 8:24 UTC (permalink / raw)
To: dri-devel; +Cc: Thomas Hellstrom, stable, Brian Paul
In compat mode, we allowed host-backed user-space with guest-backed
kernel / device. In this mode, set shader commands was broken since
no relocations were emitted. Fix this.
Cc: <stable@vger.kernel.org>
Fixes: e8c66efbfe3a ("drm/vmwgfx: Make user resource lookups reference-free during validation")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 2ff7ba04d8c8..315f9efce765 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2010,6 +2010,11 @@ static int vmw_cmd_set_shader(struct vmw_private *dev_priv,
return 0;
if (cmd->body.shid != SVGA3D_INVALID_ID) {
+ /*
+ * This is the compat shader path - Per device guest-backed
+ * shaders, but user-space thinks it's per context host-
+ * backed shaders.
+ */
res = vmw_shader_lookup(vmw_context_res_man(ctx),
cmd->body.shid, cmd->body.type);
if (!IS_ERR(res)) {
@@ -2017,6 +2022,14 @@ static int vmw_cmd_set_shader(struct vmw_private *dev_priv,
VMW_RES_DIRTY_NONE);
if (unlikely(ret != 0))
return ret;
+
+ ret = vmw_resource_relocation_add
+ (sw_context, res,
+ vmw_ptr_diff(sw_context->buf_start,
+ &cmd->body.shid),
+ vmw_res_rel_normal);
+ if (unlikely(ret != 0))
+ return ret;
}
}
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 5/6] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
2019-05-21 8:24 [PATCH 1/6] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set Thomas Hellstrom
2019-05-21 8:24 ` [PATCH 2/6] drm/vmwgfx: Fix user space handle equal to zero Thomas Hellstrom
2019-05-21 8:24 ` [PATCH 3/6] drm/vmwgfx: Fix compat mode shader operation Thomas Hellstrom
@ 2019-05-21 8:25 ` Thomas Hellstrom
2019-05-21 8:25 ` [PATCH 6/6] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read Thomas Hellstrom
3 siblings, 0 replies; 5+ messages in thread
From: Thomas Hellstrom @ 2019-05-21 8:25 UTC (permalink / raw)
To: dri-devel; +Cc: Murray McAllister, stable, Thomas Hellstrom
From: Murray McAllister <murray.mcallister@gmail.com>
If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface
ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after
vmw_cmd_res_check(), leading to a null pointer dereference in
vmw_view_add().
Cc: <stable@vger.kernel.org>
Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 315f9efce765..b4c7553d2814 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2427,6 +2427,10 @@ static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv,
return -EINVAL;
cmd = container_of(header, typeof(*cmd), header);
+ if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) {
+ VMW_DEBUG_USER("Invalid surface id.\n");
+ return -EINVAL;
+ }
ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
VMW_RES_DIRTY_NONE, user_surface_converter,
&cmd->sid, &srf);
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 6/6] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
2019-05-21 8:24 [PATCH 1/6] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set Thomas Hellstrom
` (2 preceding siblings ...)
2019-05-21 8:25 ` [PATCH 5/6] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() Thomas Hellstrom
@ 2019-05-21 8:25 ` Thomas Hellstrom
3 siblings, 0 replies; 5+ messages in thread
From: Thomas Hellstrom @ 2019-05-21 8:25 UTC (permalink / raw)
To: dri-devel; +Cc: Murray McAllister, stable, Thomas Hellstrom
From: Murray McAllister <murray.mcallister@gmail.com>
If SVGA_3D_CMD_DX_SET_SHADER is called with a shader ID
of SVGA3D_INVALID_ID, and a shader type of
SVGA3D_SHADERTYPE_INVALID, the calculated binding.shader_slot
will be 4294967295, leading to an out-of-bounds read in vmw_binding_loc()
when the offset is calculated.
Cc: <stable@vger.kernel.org>
Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index b4c7553d2814..33533d126277 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2206,7 +2206,8 @@ static int vmw_cmd_dx_set_shader(struct vmw_private *dev_priv,
cmd = container_of(header, typeof(*cmd), header);
- if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX) {
+ if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX ||
+ cmd->body.type < SVGA3D_SHADERTYPE_MIN) {
VMW_DEBUG_USER("Illegal shader type %u.\n",
(unsigned int) cmd->body.type);
return -EINVAL;
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-05-21 8:25 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-21 8:24 [PATCH 1/6] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set Thomas Hellstrom
2019-05-21 8:24 ` [PATCH 2/6] drm/vmwgfx: Fix user space handle equal to zero Thomas Hellstrom
2019-05-21 8:24 ` [PATCH 3/6] drm/vmwgfx: Fix compat mode shader operation Thomas Hellstrom
2019-05-21 8:25 ` [PATCH 5/6] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() Thomas Hellstrom
2019-05-21 8:25 ` [PATCH 6/6] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read Thomas Hellstrom
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).