linux-stable.git/drivers/gpu, branch v4.1.41 Linux kernel stable tree drm/ttm: fix use-after-free races in vm fault handling 2017-06-13T13:29:21+00:00 Nicolai Hähnle nicolai.haehnle@amd.com 2017-02-18T21:59:56+00:00 47655216cdf4666a274f41ef64adfb2b91a0890e [ Upstream commit 3089c1df10e2931b1d72d2ffa7d86431084c86b3 ] The vm fault handler relies on the fact that the VMA owns a reference to the BO. However, once mmap_sem is released, other tasks are free to destroy the VMA, which can lead to the BO being freed. Fix two code paths where that can happen, both related to vm fault retries. Found via a lock debugging warning which flagged &bo->wu_mutex as locked while being destroyed. Fixes: cbe12e74ee4e ("drm/ttm: Allow vm fault retries") Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit 3089c1df10e2931b1d72d2ffa7d86431084c86b3 ]

The vm fault handler relies on the fact that the VMA owns a reference
to the BO. However, once mmap_sem is released, other tasks are free to
destroy the VMA, which can lead to the BO being freed. Fix two code
paths where that can happen, both related to vm fault retries.

Found via a lock debugging warning which flagged &bo->wu_mutex as
locked while being destroyed.

Fixes: cbe12e74ee4e ("drm/ttm: Allow vm fault retries")
Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/msm: Expose our reservation object when exporting a dmabuf. 2017-06-08T10:42:00+00:00 Eric Anholt eric@anholt.net 2017-04-12T19:11:58+00:00 7e144ca4d77a8866a7b39b1c573230e69488b84b [ Upstream commit 43523eba79bda8f5b4c27f8ffe20ea078d20113a ] Without this, polling on the dma-buf (and presumably other devices synchronizing against our rendering) would return immediately, even while the BO was busy. Signed-off-by: Eric Anholt <eric@anholt.net> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: stable@vger.kernel.org Cc: Rob Clark <robdclark@gmail.com> Cc: linux-arm-msm@vger.kernel.org Cc: freedreno@lists.freedesktop.org Reviewed-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit 43523eba79bda8f5b4c27f8ffe20ea078d20113a ]

Without this, polling on the dma-buf (and presumably other devices
synchronizing against our rendering) would return immediately, even
while the BO was busy.

Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable@vger.kernel.org
Cc: Rob Clark <robdclark@gmail.com>
Cc: linux-arm-msm@vger.kernel.org
Cc: freedreno@lists.freedesktop.org
Reviewed-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/radeon: Unbreak HPD handling for r600+ 2017-06-08T10:41:59+00:00 Lyude lyude@redhat.com 2017-05-11T23:31:12+00:00 b96e5f18eb815c20a31811760f5b4330c25a59f9 [ Upstream commit 3d18e33735a02b1a90aecf14410bf3edbfd4d3dc ] We end up reading the interrupt register for HPD5, and then writing it to HPD6 which on systems without anything using HPD5 results in permanently disabling hotplug on one of the display outputs after the first time we acknowledge a hotplug interrupt from the GPU. This code is really bad. But for now, let's just fix this. I will hopefully have a large patch series to refactor all of this soon. Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Lyude <lyude@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit 3d18e33735a02b1a90aecf14410bf3edbfd4d3dc ]

We end up reading the interrupt register for HPD5, and then writing it
to HPD6 which on systems without anything using HPD5 results in
permanently disabling hotplug on one of the display outputs after the
first time we acknowledge a hotplug interrupt from the GPU.

This code is really bad. But for now, let's just fix this. I will
hopefully have a large patch series to refactor all of this soon.

Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Lyude <lyude@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/gma500/psb: Actually use VBT mode when it is found 2017-06-08T10:12:47+00:00 Patrik Jakobsson patrik.r.jakobsson@gmail.com 2017-04-18T11:43:32+00:00 72a5ed836013a6597700d1a405d3d879c545a255 [ Upstream commit 82bc9a42cf854fdf63155759c0aa790bd1f361b0 ] With LVDS we were incorrectly picking the pre-programmed mode instead of the prefered mode provided by VBT. Make sure we pick the VBT mode if one is provided. It is likely that the mode read-out code is still wrong but this patch fixes the immediate problem on most machines. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=78562 Cc: <stable@vger.kernel.org> Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com> Link: http://patchwork.freedesktop.org/patch/msgid/20170418114332.12183-1-patrik.r.jakobsson@gmail.com Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit 82bc9a42cf854fdf63155759c0aa790bd1f361b0 ]

With LVDS we were incorrectly picking the pre-programmed mode instead of
the prefered mode provided by VBT. Make sure we pick the VBT mode if
one is provided. It is likely that the mode read-out code is still wrong
but this patch fixes the immediate problem on most machines.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=78562
Cc: <stable@vger.kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170418114332.12183-1-patrik.r.jakobsson@gmail.com
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() 2017-05-17T19:07:44+00:00 Li Qiang liq3ea@gmail.com 2017-03-28T03:10:53+00:00 d91a91d8f6ba1c98e0822e40b7e4a266d9567813 [ Upstream commit e7e11f99564222d82f0ce84bd521e57d78a6b678 ] In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the 'req->mip_levels' array. This array can be assigned any value from the user space. As both the 'num_sizes' and the array is uint32_t, it is easy to make 'num_sizes' overflow. The later 'mip_levels' is used as the loop count. This can lead an oob write. Add the check of 'req->mip_levels' to avoid this. Cc: <stable@vger.kernel.org> Signed-off-by: Li Qiang <liqiang6-s@360.cn> Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit e7e11f99564222d82f0ce84bd521e57d78a6b678 ]

In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
'req->mip_levels' array. This array can be assigned any value from
the user space. As both the 'num_sizes' and the array is uint32_t,
it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
used as the loop count. This can lead an oob write. Add the check of
'req->mip_levels' to avoid this.

Cc: <stable@vger.kernel.org>
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/vmwgfx: Remove getparam error message 2017-05-17T19:07:44+00:00 Thomas Hellstrom thellstrom@vmware.com 2017-03-27T11:06:05+00:00 6431059d9e0f2ebdd6645247e0134d2cb5d67b21 [ Upstream commit 53e16798b0864464c5444a204e1bb93ae246c429 ] The mesa winsys sometimes uses unimplemented parameter requests to check for features. Remove the error message to avoid bloating the kernel log. Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Brian Paul <brianp@vmware.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit 53e16798b0864464c5444a204e1bb93ae246c429 ]

The mesa winsys sometimes uses unimplemented parameter requests to
check for features. Remove the error message to avoid bloating the
kernel log.

Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl() 2017-05-17T19:07:44+00:00 Murray McAllister murray.mcallister@insomniasec.com 2017-03-27T09:15:12+00:00 b31c507e2c3b0394c35d8e80c781d65264b5fe87 [ Upstream commit 63774069d9527a1aeaa4aa20e929ef5e8e9ecc38 ] In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()), which can leak useful addresses to dmesg. Add check to avoid a size of 0. Cc: <stable@vger.kernel.org> Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit 63774069d9527a1aeaa4aa20e929ef5e8e9ecc38 ]

In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is
used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()),
which can leak useful addresses to dmesg.

Add check to avoid a size of 0.

Cc: <stable@vger.kernel.org>
Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() 2017-05-17T19:07:44+00:00 Murray McAllister murray.mcallister@insomniasec.com 2017-03-27T09:12:53+00:00 13b52a46a6778fe23e64a20499230738ed3d445b [ Upstream commit 36274ab8c596f1240c606bb514da329add2a1bcd ] Before memory allocations vmw_surface_define_ioctl() checks the upper-bounds of a user-supplied size, but does not check if the supplied size is 0. Add check to avoid NULL pointer dereferences. Cc: <stable@vger.kernel.org> Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit 36274ab8c596f1240c606bb514da329add2a1bcd ]

Before memory allocations vmw_surface_define_ioctl() checks the
upper-bounds of a user-supplied size, but does not check if the
supplied size is 0.

Add check to avoid NULL pointer dereferences.

Cc: <stable@vger.kernel.org>
Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/vmwgfx: Type-check lookups of fence objects 2017-05-17T19:07:44+00:00 Thomas Hellstrom thellstrom@vmware.com 2017-03-27T09:09:08+00:00 55f1d24ac1ab964943a1f644ce278bcce082d9a7 [ Upstream commit f7652afa8eadb416b23eb57dec6f158529942041 ] A malicious caller could otherwise hand over handles to other objects causing all sorts of interesting problems. Testing done: Ran a Fedora 25 desktop using both Xorg and gnome-shell/Wayland. Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Sinclair Yeh <syeh@vmware.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit f7652afa8eadb416b23eb57dec6f158529942041 ]

A malicious caller could otherwise hand over handles to other objects
causing all sorts of interesting problems.

Testing done: Ran a Fedora 25 desktop using both Xorg and
gnome-shell/Wayland.

Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags 2017-05-17T19:07:44+00:00 Michel Dänzer michel.daenzer@amd.com 2017-03-24T10:01:09+00:00 f8889a244545af2787a4078110702fab42161703 [ Upstream commit ce4b4f228e51219b0b79588caf73225b08b5b779 ] We were accidentally only overriding the first VRAM placement. For BOs with the RADEON_GEM_NO_CPU_ACCESS flag set, radeon_ttm_placement_from_domain creates a second VRAM placment with fpfn == 0. If VRAM is almost full, the first VRAM placement with fpfn > 0 may not work, but the second one with fpfn == 0 always will (the BO's current location trivially satisfies it). Because "moving" the BO to its current location puts it back on the LRU list, this results in an infinite loop. Fixes: 2a85aedd117c ("drm/radeon: Try evicting from CPU accessible to inaccessible VRAM first") Reported-by: Zachary Michaels <zmichaels@oblong.com> Reported-and-Tested-by: Julien Isorce <jisorce@oblong.com> Reviewed-by: Christian König <christian.koenig@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin <alexander.levin@verizon.com> 
[ Upstream commit ce4b4f228e51219b0b79588caf73225b08b5b779 ]

We were accidentally only overriding the first VRAM placement. For BOs
with the RADEON_GEM_NO_CPU_ACCESS flag set,
radeon_ttm_placement_from_domain creates a second VRAM placment with
fpfn == 0. If VRAM is almost full, the first VRAM placement with
fpfn > 0 may not work, but the second one with fpfn == 0 always will
(the BO's current location trivially satisfies it). Because "moving"
the BO to its current location puts it back on the LRU list, this
results in an infinite loop.

Fixes: 2a85aedd117c ("drm/radeon: Try evicting from CPU accessible to
                      inaccessible VRAM first")
Reported-by: Zachary Michaels <zmichaels@oblong.com>
Reported-and-Tested-by: Julien Isorce <jisorce@oblong.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org

Signed-off-by: Sasha Levin <alexander.levin@verizon.com>