kernel/drivers/gpu/drm/msm, branch linux-4.1.yHosts the 0x221E linux distro kernel.https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-4.1.y2018-05-23T01:33:51Zdrm/msm: fix leak in failed get_pages2018-05-23T01:33:51ZPrakash Kamliyapkamliya@codeaurora.org2017-12-04T13:40:15Zurn:sha1:c67f1987fdf46cb4083d55ffa7bf8495a893abdb
[ Upstream commit 62e3a3e342af3c313ab38603811ecdb1fcc79edb ]
get_pages doesn't keep a reference of the pages allocated
when it fails later in the code path. This can lead to
a memory leak. Keep reference of the allocated pages so
that it can be freed when msm_gem_free_object gets called
later during cleanup.
Signed-off-by: Prakash Kamliya <pkamliya@codeaurora.org>
Signed-off-by: Sharat Masetty <smasetty@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
drm/msm: fix an integer overflow test2017-12-07T02:19:54ZDan Carpenterdan.carpenter@oracle.com2017-06-30T07:59:15Zurn:sha1:9cc11635340aa4103ccb07fc5e4d29973c582347
[ Upstream commit 65e93108891e571f177c202add9288eda9ac4100 ]
We recently added an integer overflow check but it needs an additional
tweak to work properly on 32 bit systems.
The problem is that we're doing the right hand side of the assignment as
type unsigned long so the max it will have an integer overflow instead
of being larger than SIZE_MAX. That means the "sz > SIZE_MAX" condition
is never true even on 32 bit systems. We need to first cast it to u64
and then do the math.
Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/msm: Fix potential buffer overflow issue2017-12-07T02:19:54ZKasin Lidonglil@codeaurora.org2017-06-19T21:36:53Zurn:sha1:3ab2e16ed810d77380109b9556d0afe5ef126b70
[ Upstream commit 4a630fadbb29d9efaedb525f1a8f7449ad107641 ]
In function submit_create, if nr_cmds or nr_bos is assigned with
negative value, the allocated buffer may be small than intended.
Using this buffer will lead to buffer overflow issue.
Signed-off-by: Kasin Li <donglil@codeaurora.org>
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set2017-09-10T20:35:54ZJordan Crousejcrouse@codeaurora.org2016-12-20T15:54:31Zurn:sha1:245f3fe90e5fd0f6325a775650dc5826a411e63f
[ Upstream commit a6cb3b864b21b7345f824a4faa12b723c8aaf099 ]
For every submission buffer object one of MSM_SUBMIT_BO_WRITE
and MSM_SUBMIT_BO_READ must be set (and nothing else). If we
allowed zero then the buffer object would never get queued to
be unreferenced.
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/msm: Ensure that the hardware write pointer is valid2017-09-10T20:35:53ZJordan Crousejcrouse@codeaurora.org2016-12-20T15:54:29Zurn:sha1:dc9ba163c38c6f4d858ce86571aab2bc0b170be4
[ Upstream commit 88b333b0ed790f9433ff542b163bf972953b74d3 ]
Currently the value written to CP_RB_WPTR is calculated on the fly as
(rb->next - rb->start). But as the code is designed rb->next is wrapped
before writing the commands so if a series of commands happened to
fit perfectly in the ringbuffer, rb->next would end up being equal to
rb->size / 4 and thus result in an out of bounds address to CP_RB_WPTR.
The easiest way to fix this is to mask WPTR when writing it to the
hardware; it makes the hardware happy and the rest of the ringbuffer
math appears to work and there isn't any point in upsetting anything.
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
[squash in is_power_of_2() check]
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/msm: Expose our reservation object when exporting a dmabuf.2017-06-08T10:42:00ZEric Anholteric@anholt.net2017-04-12T19:11:58Zurn:sha1:7e144ca4d77a8866a7b39b1c573230e69488b84b
[ Upstream commit 43523eba79bda8f5b4c27f8ffe20ea078d20113a ]
Without this, polling on the dma-buf (and presumably other devices
synchronizing against our rendering) would return immediately, even
while the BO was busy.
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable@vger.kernel.org
Cc: Rob Clark <robdclark@gmail.com>
Cc: linux-arm-msm@vger.kernel.org
Cc: freedreno@lists.freedesktop.org
Reviewed-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/msm: fix use of copy_from_user() while holding spinlock2016-12-22T03:45:42ZRob Clarkrobdclark@gmail.com2016-08-22T19:15:23Zurn:sha1:e537a0977f3ee837b6c101037c89936348063b2d
[ Upstream commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 ]
Use instead __copy_from_user_inatomic() and fallback to slow-path where
we drop and re-aquire the lock in case of fault.
Cc: stable@vger.kernel.org
Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
drm/msm/mdp5: fix incorrect parameter for msm_framebuffer_iova()2015-05-21T04:31:45ZStephane Viausviau@codeaurora.org2015-05-20T14:57:27Zurn:sha1:755c814a7d826257d5488cfaa801ec19377c472a
The index of ->planes[] array (3rd parameter) cannot be equal to MAX_PLANE.
This looks like a typo that is now fixed.
Signed-off-by: Stephane Viau <sviau@codeaurora.org>
Acked-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
drm/msm: fix locking inconsistencies in gpu->destroy()2015-05-15T13:28:27ZRob Clarkrobdclark@gmail.com2015-05-15T13:19:36Zurn:sha1:774449ebcb18bae146e2b6f6d012b46e64a095b9
In error paths, this was being called without struct_mutex held.
Leading to panics like:
msm 1a00000.qcom,mdss_mdp: No memory protection without IOMMU
Kernel panic - not syncing: BUG!
CPU: 0 PID: 1409 Comm: cat Not tainted 4.0.0-dirty #4
Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
Call trace:
[<ffffffc000089c78>] dump_backtrace+0x0/0x118
[<ffffffc000089da0>] show_stack+0x10/0x20
[<ffffffc0006686d4>] dump_stack+0x84/0xc4
[<ffffffc0006678b4>] panic+0xd0/0x210
[<ffffffc0003e1ce4>] drm_gem_object_free+0x5c/0x60
[<ffffffc000402870>] adreno_gpu_cleanup+0x60/0x80
[<ffffffc0004035a0>] a3xx_destroy+0x20/0x70
[<ffffffc0004036f4>] a3xx_gpu_init+0x84/0x108
[<ffffffc0004018b8>] adreno_load_gpu+0x58/0x190
[<ffffffc000419dac>] msm_open+0x74/0x88
[<ffffffc0003e0a48>] drm_open+0x168/0x400
[<ffffffc0003e7210>] drm_stub_open+0xa8/0x118
[<ffffffc0001a0e84>] chrdev_open+0x94/0x198
[<ffffffc000199f88>] do_dentry_open+0x208/0x310
[<ffffffc00019a4c4>] vfs_open+0x44/0x50
[<ffffffc0001aa26c>] do_last.isra.14+0x2c4/0xc10
[<ffffffc0001aac38>] path_openat+0x80/0x5e8
[<ffffffc0001ac354>] do_filp_open+0x2c/0x98
[<ffffffc00019b60c>] do_sys_open+0x13c/0x228
[<ffffffc00019b72c>] SyS_openat+0xc/0x18
CPU1: stopping
But there isn't any particularly good reason to hold struct_mutex for
teardown, so just standardize on calling it without the mutex held and
use the _unlocked() versions for GEM obj unref'ing
Signed-off-by: Rob Clark <robdclark@gmail.com>
drm/msm/dsi: Simplify the code to get the number of read byte2015-05-14T20:57:25ZHai Lihali@codeaurora.org2015-04-29T15:39:00Zurn:sha1:ec1936eb099bb8c1c7a32b9ac4be128e1e68e2d9
During cmd rx, only new versions of H/W provide register to read back
the real number of byte returned by panel. For the old versions, reading
this register will not get the right number. In fact, we only need to
assume the returned data is the same size as we expected, because later
we will check the data type to detect error.
Signed-off-by: Hai Li <hali@codeaurora.org>