kernel/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c, branch linux-5.1.y

drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()

2019-06-19T06:00:12Z

commit bcd6aa7b6cbfd6f985f606c6f76046d782905820 upstream. If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after vmw_cmd_res_check(), leading to a null pointer dereference in vmw_view_add(). Cc: Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Signed-off-by: Murray McAllister Reviewed-by: Thomas Hellstrom Signed-off-by: Thomas Hellstrom Signed-off-by: Greg Kroah-Hartman

drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read

2019-06-19T06:00:12Z

commit 5ed7f4b5eca11c3c69e7c8b53e4321812bc1ee1e upstream. If SVGA_3D_CMD_DX_SET_SHADER is called with a shader ID of SVGA3D_INVALID_ID, and a shader type of SVGA3D_SHADERTYPE_INVALID, the calculated binding.shader_slot will be 4294967295, leading to an out-of-bounds read in vmw_binding_loc() when the offset is calculated. Cc: Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Signed-off-by: Murray McAllister Reviewed-by: Thomas Hellstrom Signed-off-by: Thomas Hellstrom Signed-off-by: Greg Kroah-Hartman

drm/vmwgfx: Fix compat mode shader operation

2019-06-09T07:16:17Z

commit e41c20cf50a8a7d0dfa337a7530590aacef4193b upstream. In compat mode, we allowed host-backed user-space with guest-backed kernel / device. In this mode, set shader commands was broken since no relocations were emitted. Fix this. Cc: Fixes: e8c66efbfe3a ("drm/vmwgfx: Make user resource lookups reference-free during validation") Signed-off-by: Thomas Hellstrom Reviewed-by: Brian Paul Signed-off-by: Greg Kroah-Hartman

drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user

2019-02-05T12:50:53Z

The function was unconditionally returning 0, and a caller would have to rely on the returned fence pointer being NULL to detect errors. However, the function vmw_execbuf_copy_fence_user() would expect a non-zero error code in that case and would BUG otherwise. So make sure we return a proper non-zero error code if the fence pointer returned is NULL. Cc: Fixes: ae2a104058e2: ("vmwgfx: Implement fence objects") Signed-off-by: Thomas Hellstrom Reviewed-by: Deepak Rawat

drm/vmwgfx: Protect from excessive execbuf kernel memory allocations v3

2018-12-13T12:04:25Z

With the new validation code, a malicious user-space app could potentially submit command streams with enough buffer-object and resource references in them to have the resulting allocated validion nodes and relocations make the kernel run out of GFP_KERNEL memory. Protect from this by having the validation code reserve TTM graphics memory when allocating. Signed-off-by: Thomas Hellstrom Reviewed-by: Deepak Rawat --- v2: Removed leftover debug printouts

drm/vmwgfx: remove redundant return ret statement

2018-12-12T11:01:05Z

The return statement is redundant as there is a return statement immediately before it so we have dead code that can be removed. Also remove the unused declaration of ret. Detected by CoverityScan, CID#1473793 ("Structurally dead code") Signed-off-by: Colin Ian King Reviewed-by: Thomas Hellstrom Signed-off-by: Thomas Hellstrom

drm/vmwgfx: Make user resource lookups reference-free during validation

2018-09-28T06:57:09Z

Make the process of looking up a user resource and adding it to the validation list reference-free unless when it's actually added to the validation list where a single reference is taken. This saves two locked atomic operations per command stream buffer object handle lookup, unless there is a lookup cache hit. Signed-off-by: Thomas Hellstrom Reviewed-by: Sinclair Yeh

drm/vmwgfx: Don't refcount cotable lookups during command buffer validation

2018-09-28T06:57:08Z

The typical pattern of these lookups are -Lookup -Put on validate list if not already there. -Unreference And since we are the exclusive user of the context during lookup time, we can be sure that the resource will stay alive during the sequence. So avoid taking a reference during lookup, and also avoid unreferencing when done. There are two users outside of command buffer validation and those are refcounted explicitly. Signed-off-by: Thomas Hellstrom Reviewed-by: Sinclair Yeh

drm/vmwgfx: Don't refcount command-buffer managed resource lookups during command buffer validation

2018-09-28T06:57:08Z

The typical pattern of these lookups are -Lookup -Put on validate list if not already there. -Unreference And since we are the exclusive user of the context during lookup time, we can be sure that the resource will stay alive during the sequence. So avoid taking a reference during lookup, and also avoid unreferencing when done. Signed-off-by: Thomas Hellstrom Reviewed-by: Sinclair Yeh

drm/vmwgfx: Make buffer object lookups reference-free during validation

2018-09-28T06:57:08Z

Make the process of looking up a buffer object and adding it to the validation list reference-free unless when it's actually added to the validation list where a single reference is taken. This saves two locked atomic operations per command stream buffer object handle lookup. Signed-off-by: Thomas Hellstrom Reviewed-by: Sinclair Yeh