Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.16.18 2022-03-28T07:59:55+00:00 2022-03-28T07:59:55+00:00 Roberto Sassu roberto.sassu@huawei.com 2021-12-13T18:31:22+00:00 urn:sha1:ac92b474eeeed75b8660374ba1d129a121c09da8 commit 6b79f96f4a23846516e5e6e4dd37fc06f43a60dd upstream. If virtio_gpu_object_shmem_init() fails (e.g. due to fault injection, as it happened in the bug report by syzbot), virtio_gpu_array_put_free() could be called with objs equal to NULL. Ensure that objs is not NULL in virtio_gpu_array_put_free(), or otherwise return from the function. Cc: stable@vger.kernel.org # 5.13.x Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reported-by: syzbot+e9072e90624a31dfa85f@syzkaller.appspotmail.com Fixes: 377f8331d0565 ("drm/virtio: fix possible leak/unlock virtio_gpu_object_array") Link: http://patchwork.freedesktop.org/patch/msgid/20211213183122.838119-1-roberto.sassu@huawei.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-01-27T11:02:19+00:00 Thomas Zimmermann tzimmermann@suse.de 2021-11-30T09:52:55+00:00 urn:sha1:657b5d916a60291d4590b349891503967b1be74b [ Upstream commit 4ff22f487f8c26b99cbe1678344595734c001a39 ] GEM helper libraries use struct drm_driver.gem_create_object to let drivers override GEM object allocation. On failure, the call returns NULL. Change the semantics to make the calls return a pointer-encoded error. This aligns the callback with its callers. Fixes the ingenic driver, which already returns an error pointer. Also update the callers to handle the involved types more strictly. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Reviewed-by: Steven Price <steven.price@arm.com> Acked-by: Maxime Ripard <maxime@cerno.tech> Link: https://patchwork.freedesktop.org/patch/msgid/20211130095255.26710-1-tzimmermann@suse.de Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-01-27T11:01:27+00:00 Colin Ian King colin.king@canonical.com 2021-09-30T10:27:48+00:00 urn:sha1:9b9b45f1726f12c29abeceab3c88cb768b559742 [ Upstream commit 74c1bda2f3fa79a93e1c910008649b49b02dc09d ] The left shift of unsigned int 32 bit integer constant 1 is evaluated using 32 bit arithmetic and then assigned to a signed 64 bit integer. In the case where value is 32 or more this can lead to an overflow (value can be in range 0..MAX_CAPSET_ID (63). Fix this by shifting the value 1ULL instead. Addresses-Coverity: ("Uninitentional integer overflow") Fixes: 4fb530e5caf7 ("drm/virtio: implement context init: support init ioctl") Signed-off-by: Colin Ian King <colin.king@canonical.com> Link: http://patchwork.freedesktop.org/patch/msgid/20210930102748.16922-1-colin.king@canonical.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-01-27T11:01:27+00:00 Colin Ian King colin.king@canonical.com 2021-09-30T10:19:41+00:00 urn:sha1:d4c14c17cf4be58538a86403310159338f7f5477 [ Upstream commit 8f4502fa284478a5264afa8a5a95511276fa9b80 ] The left shift of unsigned int 32 bit integer constant 1 is evaluated using 32 bit arithmetic and then assigned to a signed 64 bit integer. In the case where i is 32 or more this can lead to an overflow. Fix this by shifting the value 1ULL instead. Addresses-Coverity: ("Uninitentional integer overflow") Fixes: 8d6b006e1f51 ("drm/virtio: implement context init: handle VIRTGPU_CONTEXT_PARAM_POLL_RINGS_MASK") Signed-off-by: Colin Ian King <colin.king@canonical.com> Link: http://patchwork.freedesktop.org/patch/msgid/20210930101941.16546-1-colin.king@canonical.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-11-29T10:46:32+00:00 Gurchetan Singh gurchetansingh@chromium.org 2021-11-22T23:22:10+00:00 urn:sha1:42abd0043e0c64fa64e99adba534c76b9b15e6b8 With the use of dummy events, we can drop virtgpu specific behavior. Fixes: cd7f5ca33585 ("drm/virtio: implement context init: add virtio_gpu_fence_event") Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Gurchetan Singh <gurchetansingh@chromium.org> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/20211122232210.602-3-gurchetansingh@google.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> 2021-11-29T10:46:32+00:00 Gurchetan Singh gurchetansingh@chromium.org 2021-11-22T23:22:09+00:00 urn:sha1:7e78781df491e4beb475bac22e6c44236a5002d7 The current virtgpu implementation of poll(..) drops events when VIRTGPU_CONTEXT_PARAM_POLL_RINGS_MASK is enabled (otherwise it's like a normal DRM driver). This is because paravirtualized userspaces receives responses in a buffer of type BLOB_MEM_GUEST, not by read(..). To be in line with other DRM drivers and avoid specialized behavior, it is possible to define a dummy event for virtgpu. Paravirtualized userspace will now have to call read(..) on the DRM fd to receive the dummy event. Fixes: b10790434cf2 ("drm/virtgpu api: create context init feature") Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Gurchetan Singh <gurchetansingh@chromium.org> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/20211122232210.602-2-gurchetansingh@google.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> 2021-11-08T12:54:41+00:00 Vivek Kasireddy vivek.kasireddy@intel.com 2021-11-04T21:42:49+00:00 urn:sha1:d89c0c8322ecdc9a2ec84b959b6f766be082da76 When virgl is not enabled, vfpriv pointer would not be allocated. Therefore, check for a valid value before dereferencing. Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de> Cc: Gurchetan Singh <gurchetansingh@chromium.org> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com> Tested-by: Christian Zigotzky <chzigotzky@xenosoft.de> Link: http://patchwork.freedesktop.org/patch/msgid/20211104214249.1802789-1-vivek.kasireddy@intel.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> 2021-10-11T09:16:45+00:00 Jing Xiangfeng jingxiangfeng@huawei.com 2021-10-09T09:09:20+00:00 urn:sha1:a63f393dd7e1ebee707c9dee1d197fdc33d6486b virtio_gpu_user_framebuffer_create() misses to call drm_gem_object_put() in an error path. Add the missed function call to fix it. Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com> Link: http://patchwork.freedesktop.org/patch/msgid/1633770560-11658-1-git-send-email-jingxiangfeng@huawei.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> 2021-09-29T07:22:31+00:00 Gurchetan Singh gurchetansingh@chromium.org 2021-09-21T23:20:24+00:00 urn:sha1:78aa20fa4381623cf59a85d053486f98784ca3a0 This advertises the context init feature to userspace, along with a mask of supported capabilities. Signed-off-by: Gurchetan Singh <gurchetansingh@chromium.org> Acked-by: Lingfeng Yang <lfy@google.com> Link: http://patchwork.freedesktop.org/patch/msgid/20210921232024.817-13-gurchetansingh@chromium.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> 2021-09-29T07:22:31+00:00 Gurchetan Singh gurchetansingh@chromium.org 2021-09-21T23:20:23+00:00 urn:sha1:cd7f5ca33585918febe5e2f6dc090a21cfa775b0 Similar to DRM_VMW_EVENT_FENCE_SIGNALED. Sends a pollable event to the DRM file descriptor when a fence on a specific ring is signaled. One difference is the event is not exposed via the UAPI -- this is because host responses are on a shared memory buffer of type BLOB_MEM_GUEST [this is the common way to receive responses with virtgpu]. As such, there is no context specific read(..) implementation either -- just a poll(..) implementation. Signed-off-by: Gurchetan Singh <gurchetansingh@chromium.org> Acked-by: Nicholas Verne <nverne@chromium.org> Link: http://patchwork.freedesktop.org/patch/msgid/20210921232024.817-12-gurchetansingh@chromium.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>