This may confuse user-space clients like plymouth that opens a drm file descriptor as a result of a hotplug event and then generates a new event...
Cc: stable@vger.kernel.org Fixes: 5ea1734827bb ("drm/vmwgfx: Send a hotplug event at master_set") Signed-off-by: Thomas Hellstrom thellstrom@vmware.com Reviewed-by: Deepak Rawat drawat@vmware.com --- drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c index bf6c3500d363..4ff11a0077e1 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c @@ -1239,7 +1239,13 @@ static int vmw_master_set(struct drm_device *dev, }
dev_priv->active_master = vmaster; - drm_sysfs_hotplug_event(dev); + + /* + * Inform a new master that the layout may have changed while + * it was gone. + */ + if (!from_open) + drm_sysfs_hotplug_event(dev);
return 0; }
User-space handles equal to zero are interpreted as uninitialized or illegal by some drm systems (most notably kms). This means that a dumb buffer or surface with a zero user-space handle can never be used as a kms frame-buffer.
Cc: stable@vger.kernel.org Fixes: c7eae62666ad ("drm/vmwgfx: Make the object handles idr-generated") Signed-off-by: Thomas Hellstrom thellstrom@vmware.com Reviewed-by: Deepak Rawat drawat@vmware.com --- drivers/gpu/drm/vmwgfx/ttm_object.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/ttm_object.c b/drivers/gpu/drm/vmwgfx/ttm_object.c index 36990b80e790..16077785ad47 100644 --- a/drivers/gpu/drm/vmwgfx/ttm_object.c +++ b/drivers/gpu/drm/vmwgfx/ttm_object.c @@ -174,7 +174,7 @@ int ttm_base_object_init(struct ttm_object_file *tfile, kref_init(&base->refcount); idr_preload(GFP_KERNEL); spin_lock(&tdev->object_lock); - ret = idr_alloc(&tdev->idr, base, 0, 0, GFP_NOWAIT); + ret = idr_alloc(&tdev->idr, base, 1, 0, GFP_NOWAIT); spin_unlock(&tdev->object_lock); idr_preload_end(); if (ret < 0)
In compat mode, we allowed host-backed user-space with guest-backed kernel / device. In this mode, set shader commands was broken since no relocations were emitted. Fix this.
Cc: stable@vger.kernel.org Fixes: e8c66efbfe3a ("drm/vmwgfx: Make user resource lookups reference-free during validation") Signed-off-by: Thomas Hellstrom thellstrom@vmware.com Reviewed-by: Brian Paul brianp@vmware.com --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index 2ff7ba04d8c8..315f9efce765 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -2010,6 +2010,11 @@ static int vmw_cmd_set_shader(struct vmw_private *dev_priv, return 0;
if (cmd->body.shid != SVGA3D_INVALID_ID) { + /* + * This is the compat shader path - Per device guest-backed + * shaders, but user-space thinks it's per context host- + * backed shaders. + */ res = vmw_shader_lookup(vmw_context_res_man(ctx), cmd->body.shid, cmd->body.type); if (!IS_ERR(res)) { @@ -2017,6 +2022,14 @@ static int vmw_cmd_set_shader(struct vmw_private *dev_priv, VMW_RES_DIRTY_NONE); if (unlikely(ret != 0)) return ret; + + ret = vmw_resource_relocation_add + (sw_context, res, + vmw_ptr_diff(sw_context->buf_start, + &cmd->body.shid), + vmw_res_rel_normal); + if (unlikely(ret != 0)) + return ret; } }
From: Murray McAllister murray.mcallister@gmail.com
If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after vmw_cmd_res_check(), leading to a null pointer dereference in vmw_view_add().
Cc: stable@vger.kernel.org Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Signed-off-by: Murray McAllister murray.mcallister@gmail.com Reviewed-by: Thomas Hellstrom thellstrom@vmware.com Signed-off-by: Thomas Hellstrom thellstrom@vmware.com --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index 315f9efce765..b4c7553d2814 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -2427,6 +2427,10 @@ static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv, return -EINVAL;
cmd = container_of(header, typeof(*cmd), header); + if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) { + VMW_DEBUG_USER("Invalid surface id.\n"); + return -EINVAL; + } ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, VMW_RES_DIRTY_NONE, user_surface_converter, &cmd->sid, &srf);
From: Murray McAllister murray.mcallister@gmail.com
If SVGA_3D_CMD_DX_SET_SHADER is called with a shader ID of SVGA3D_INVALID_ID, and a shader type of SVGA3D_SHADERTYPE_INVALID, the calculated binding.shader_slot will be 4294967295, leading to an out-of-bounds read in vmw_binding_loc() when the offset is calculated.
Cc: stable@vger.kernel.org Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Signed-off-by: Murray McAllister murray.mcallister@gmail.com Reviewed-by: Thomas Hellstrom thellstrom@vmware.com Signed-off-by: Thomas Hellstrom thellstrom@vmware.com --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index b4c7553d2814..33533d126277 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -2206,7 +2206,8 @@ static int vmw_cmd_dx_set_shader(struct vmw_private *dev_priv,
cmd = container_of(header, typeof(*cmd), header);
- if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX) { + if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX || + cmd->body.type < SVGA3D_SHADERTYPE_MIN) { VMW_DEBUG_USER("Illegal shader type %u.\n", (unsigned int) cmd->body.type); return -EINVAL;
linux-stable-mirror@lists.linaro.org
-
Thomas Hellstrom