linux-stable.git/drivers/gpu/drm/vgem, branch linux-5.4.y Linux kernel stable tree drm/vgem: add missing mutex_destroy 2023-05-17T09:35:35+00:00 Maíra Canal mcanal@igalia.com 2023-02-02T12:55:17+00:00 4223f98d4d457278fe15cbf365c2d2c79c1969c1 [ Upstream commit 7c18189b14b33c1fbf76480b1bd217877c086e67 ] vgem_fence_open() instantiates a mutex for a particular fence instance, but never destroys it by calling mutex_destroy() in vgem_fence_close(). So, add the missing mutex_destroy() to guarantee proper resource destruction. Fixes: 407779848445 ("drm/vgem: Attach sw fences to exported vGEM dma-buf (ioctl)") Signed-off-by: Maíra Canal <mcanal@igalia.com> Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com> Signed-off-by: Maíra Canal <mairacanal@riseup.net> Link: https://patchwork.freedesktop.org/patch/msgid/20230202125517.427976-1-mcanal@igalia.com Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 7c18189b14b33c1fbf76480b1bd217877c086e67 ]

vgem_fence_open() instantiates a mutex for a particular fence
instance, but never destroys it by calling mutex_destroy() in
vgem_fence_close().

So, add the missing mutex_destroy() to guarantee proper resource
destruction.

Fixes: 407779848445 ("drm/vgem: Attach sw fences to exported vGEM dma-buf (ioctl)")
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Signed-off-by: Maíra Canal <mairacanal@riseup.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20230202125517.427976-1-mcanal@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() 2020-08-26T08:40:47+00:00 Chris Wilson chris@chris-wilson.co.uk 2020-07-08T15:49:11+00:00 e42c75ef3477601cc0a2ea7ae2925abdb5289a42 [ Upstream commit 119c53d2d4044c59c450c4f5a568d80b9d861856 ] drm_gem_dumb_map_offset() now exists and does everything vgem_gem_dump_map does and *ought* to do. In particular, vgem_gem_dumb_map() was trying to reject mmapping an imported dmabuf by checking the existence of obj->filp. Unfortunately, we always allocated an obj->filp, even if unused for an imported dmabuf. Instead, the drm_gem_dumb_map_offset(), since commit 90378e589192 ("drm/gem: drm_gem_dumb_map_offset(): reject dma-buf"), uses the obj->import_attach to reject such invalid mmaps. This prevents vgem from allowing userspace mmapping the dumb handle and attempting to incorrectly fault in remote pages belonging to another device, where there may not even be a struct page. v2: Use the default drm_gem_dumb_map_offset() callback Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces") Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: <stable@vger.kernel.org> # v4.13+ Link: https://patchwork.freedesktop.org/patch/msgid/20200708154911.21236-1-chris@chris-wilson.co.uk Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 119c53d2d4044c59c450c4f5a568d80b9d861856 ]

drm_gem_dumb_map_offset() now exists and does everything
vgem_gem_dump_map does and *ought* to do.

In particular, vgem_gem_dumb_map() was trying to reject mmapping an
imported dmabuf by checking the existence of obj->filp. Unfortunately,
we always allocated an obj->filp, even if unused for an imported dmabuf.
Instead, the drm_gem_dumb_map_offset(), since commit 90378e589192
("drm/gem: drm_gem_dumb_map_offset(): reject dma-buf"), uses the
obj->import_attach to reject such invalid mmaps.

This prevents vgem from allowing userspace mmapping the dumb handle and
attempting to incorrectly fault in remote pages belonging to another
device, where there may not even be a struct page.

v2: Use the default drm_gem_dumb_map_offset() callback

Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: <stable@vger.kernel.org> # v4.13+
Link: https://patchwork.freedesktop.org/patch/msgid/20200708154911.21236-1-chris@chris-wilson.co.uk
Signed-off-by: Sasha Levin <sashal@kernel.org>
drm/vgem: Close use-after-free race in vgem_gem_create 2020-02-19T18:53:04+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2020-02-02T13:21:33+00:00 3ea7f138cec139be98f8bb9fc1a6b432003f834e commit 4b848f20eda5974020f043ca14bacf7a7e634fc8 upstream. There's two references floating around here (for the object reference, not the handle_count reference, that's a different thing): - The temporary reference held by vgem_gem_create, acquired by creating the object and released by calling drm_gem_object_put_unlocked. - The reference held by the object handle, created by drm_gem_handle_create. This one generally outlives the function, except if a 2nd thread races with a GEM_CLOSE ioctl call. So usually everything is correct, except in that race case, where the access to gem_object->size could be looking at freed data already. Which again isn't a real problem (userspace shot its feet off already with the race, we could return garbage), but maybe someone can exploit this as an information leak. Cc: Dan Carpenter <dan.carpenter@oracle.com> Cc: Hillf Danton <hdanton@sina.com> Reported-by: syzbot+0dc4444774d419e916c8@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Cc: Emil Velikov <emil.velikov@collabora.com> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Sean Paul <seanpaul@chromium.org> Cc: Chris Wilson <chris@chris-wilson.co.uk> Cc: Eric Anholt <eric@anholt.net> Cc: Sam Ravnborg <sam@ravnborg.org> Cc: Rob Clark <robdclark@chromium.org> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20200202132133.1891846-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 4b848f20eda5974020f043ca14bacf7a7e634fc8 upstream.

There's two references floating around here (for the object reference,
not the handle_count reference, that's a different thing):

- The temporary reference held by vgem_gem_create, acquired by
  creating the object and released by calling
  drm_gem_object_put_unlocked.

- The reference held by the object handle, created by
  drm_gem_handle_create. This one generally outlives the function,
  except if a 2nd thread races with a GEM_CLOSE ioctl call.

So usually everything is correct, except in that race case, where the
access to gem_object->size could be looking at freed data already.
Which again isn't a real problem (userspace shot its feet off already
with the race, we could return garbage), but maybe someone can exploit
this as an information leak.

Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Hillf Danton <hdanton@sina.com>
Reported-by: syzbot+0dc4444774d419e916c8@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Cc: Emil Velikov <emil.velikov@collabora.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Eric Anholt <eric@anholt.net>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Rob Clark <robdclark@chromium.org>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200202132133.1891846-1-daniel.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
dma-buf: rename reservation_object to dma_resv 2019-08-13T07:09:30+00:00 Christian König christian.koenig@amd.com 2019-08-11T08:06:32+00:00 52791eeec1d9f4a7e7fe08aaba0b1553149d93bc Be more consistent with the naming of the other DMA-buf objects. Signed-off-by: Christian König <christian.koenig@amd.com> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Link: https://patchwork.freedesktop.org/patch/323401/ 
Be more consistent with the naming of the other DMA-buf objects.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/323401/
drm/vgem: drop DRM_AUTH usage from the driver 2019-08-07T15:53:21+00:00 Emil Velikov emil.velikov@collabora.com 2019-05-27T08:17:39+00:00 0a0b65d8eae3eb25dde57f72596b7a7c81a126fa The authentication can be circumvented, by design, by using the render node. From the driver POV there is no distinction between primary and render nodes, thus we can drop the token. Cc: David Airlie <airlied@linux.ie> Cc: Daniel Vetter <daniel@ffwll.ch> Signed-off-by: Emil Velikov <emil.velikov@collabora.com> Signed-off-by: Sean Paul <seanpaul@chromium.org> Link: https://patchwork.freedesktop.org/patch/msgid/20190527081741.14235-11-emil.l.velikov@gmail.com 
The authentication can be circumvented, by design, by using the render
node.

From the driver POV there is no distinction between primary and render
nodes, thus we can drop the token.

Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190527081741.14235-11-emil.l.velikov@gmail.com
Revert "drm/vgem: drop DRM_AUTH usage from the driver" 2019-08-07T14:45:00+00:00 Sean Paul seanpaul@chromium.org 2019-08-07T14:20:56+00:00 54fc01b775fe35fa0889cb3344ed98c72a52d2c1 This reverts commit e4eee93d25776da998ec2dfaabe7d2206598d26d. Mandatory review was missing from this patch. Acked-by: Maxime Ripard <maxime.ripard@bootlin.com> Acked-by: Emil Velikov <emil.velikov@collabora.com> Signed-off-by: Sean Paul <seanpaul@chromium.org> Link: https://patchwork.freedesktop.org/patch/msgid/20190807142101.251400-4-sean@poorly.run 
This reverts commit e4eee93d25776da998ec2dfaabe7d2206598d26d.

Mandatory review was missing from this patch.

Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
Acked-by: Emil Velikov <emil.velikov@collabora.com>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190807142101.251400-4-sean@poorly.run
drm/vgem: drop use of drmP.h 2019-07-17T10:52:55+00:00 Sam Ravnborg sam@ravnborg.org 2019-07-16T06:42:13+00:00 7b42a2f4e4b850ba9069a3927c50754da8aceb51 Drop use of the deprecated header drmP.h. Replace with necessary includes in the individual .c files. Signed-off-by: Sam Ravnborg <sam@ravnborg.org> Acked-by: Emil Velikov <emil.velikov@collabora.com> Cc: David Airlie <airlied@linux.ie> Cc: Daniel Vetter <daniel@ffwll.ch> Cc: Deepak Sharma <deepak.sharma@amd.com> Cc: Thomas Zimmermann <tzimmermann@suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/20190716064220.18157-13-sam@ravnborg.org 
Drop use of the deprecated header drmP.h.
Replace with necessary includes in the individual .c files.

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Acked-by: Emil Velikov <emil.velikov@collabora.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Deepak Sharma <deepak.sharma@amd.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20190716064220.18157-13-sam@ravnborg.org
drm/vgem: Reclassify buffer creation debug message 2019-07-12T16:35:37+00:00 Chris Wilson chris@chris-wilson.co.uk 2019-07-12T12:01:47+00:00 913cafbb250f146654ea979186d8615e0c54d6a7 A buffer is created in response to the user ioctl, it should therefore be a plain DRM_DEBUG() message to reflect it being a user invoked response and not a driver construct. This is just to make the commonplace drm.debug=[26e] quieter when running with vgem. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20190712120147.29830-1-chris@chris-wilson.co.uk 
A buffer is created in response to the user ioctl, it should therefore
be a plain DRM_DEBUG() message to reflect it being a user invoked
response and not a driver construct.

This is just to make the commonplace drm.debug=[26e] quieter when
running with vgem.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20190712120147.29830-1-chris@chris-wilson.co.uk
drm/vgem: drop DRM_AUTH usage from the driver 2019-06-26T14:00:40+00:00 Emil Velikov emil.velikov@collabora.com 2019-05-27T08:17:39+00:00 e4eee93d25776da998ec2dfaabe7d2206598d26d The authentication can be circumvented, by design, by using the render node. From the driver POV there is no distinction between primary and render nodes, thus we can drop the token. Cc: David Airlie <airlied@linux.ie> Cc: Daniel Vetter <daniel@ffwll.ch> Signed-off-by: Emil Velikov <emil.velikov@collabora.com> Link: https://patchwork.freedesktop.org/patch/msgid/20190527081741.14235-11-emil.l.velikov@gmail.com 
The authentication can be circumvented, by design, by using the render
node.

From the driver POV there is no distinction between primary and render
nodes, thus we can drop the token.

Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190527081741.14235-11-emil.l.velikov@gmail.com
drm/vgem: Ditch attach trickery in the fence ioctl 2019-06-21T20:20:20+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2019-06-14T20:36:04+00:00 7b0cdf3e56b9b0bd05afa4904dc249c0f22dd30b It looks like this was done purely to get a consistent place to look up the reservation object pointer. With the drm_prime.c helper code now also setting gem_object->resv for imported objects we can just use that pointer directly, instead of first ensuring a dma-buf exists. v2: Note that I screwed up the patch ordering, hence why this needed a Fixes: tag - CI spotted the broken intermediate state. Fixes: 5eab998741c8 ("drm/vgem: Drop drm_gem_prime_export") Reviewed-by: Emil Velikov <emil.velikov@collabora.com> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20190614203615.12639-49-daniel.vetter@ffwll.ch 
It looks like this was done purely to get a consistent place to look
up the reservation object pointer. With the drm_prime.c helper code
now also setting gem_object->resv for imported objects we can just use
that pointer directly, instead of first ensuring a dma-buf exists.

v2: Note that I screwed up the patch ordering, hence why this needed
a Fixes: tag - CI spotted the broken intermediate state.

Fixes: 5eab998741c8 ("drm/vgem: Drop drm_gem_prime_export")
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190614203615.12639-49-daniel.vetter@ffwll.ch