2019-05-13 23:43:37

by Brian Masney

[permalink] [raw]
Subject: [PATCH v2.1 1/2] drm/msm: remove resv fields from msm_gem_object struct

The msm_gem_object structure contains resv and _resv fields that are
no longer needed since the reservation object is now stored on
drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
both referenced the wrong reservation object, and would lead to an
attempt to dereference a NULL pointer. Correct those two cases to
point to the correct reservation object.

Signed-off-by: Brian Masney <[email protected]>
Reviewed-by: Bjorn Andersson <[email protected]>
Tested-by: Bjorn Andersson <[email protected]>
Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object reservation_object")
---
This is a split out version of this patch from where I am working to get
the display working on the Nexus 5:

https://lore.kernel.org/lkml/[email protected]/

Bjorn asks:
This resolves a NULL-pointer dereference about to show up in v5.2-rc1,
so please pick this up for -rc.

In this version, I dropped the change to msm_gem_new_impl() that
mistakenly removed 'msm_obj->base.resv = resv;'. I did not put a v3 on
this patch since I wanted to keep that version number for the larger work
to get the display working on the Nexus 5 so I went with 2.1 here. :)

drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 +---
drivers/gpu/drm/msm/msm_atomic.c | 4 +---
drivers/gpu/drm/msm/msm_gem.h | 4 ----
3 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
index 4fca24b8702c..f3d009a3dc63 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
@@ -781,7 +781,6 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
struct dpu_plane_state *pstate = to_dpu_plane_state(new_state);
struct dpu_hw_fmt_layout layout;
struct drm_gem_object *obj;
- struct msm_gem_object *msm_obj;
struct dma_fence *fence;
struct dpu_kms *kms = _dpu_plane_get_kms(&pdpu->base);
int ret;
@@ -800,8 +799,7 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
* implicit fence and fb prepare by hand here.
*/
obj = msm_framebuffer_bo(new_state->fb, 0);
- msm_obj = to_msm_bo(obj);
- fence = reservation_object_get_excl_rcu(msm_obj->resv);
+ fence = reservation_object_get_excl_rcu(obj->resv);
if (fence)
drm_atomic_set_fence_for_plane(new_state, fence);

diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
index f5b1256e32b6..131c23a267ee 100644
--- a/drivers/gpu/drm/msm/msm_atomic.c
+++ b/drivers/gpu/drm/msm/msm_atomic.c
@@ -49,15 +49,13 @@ int msm_atomic_prepare_fb(struct drm_plane *plane,
struct msm_drm_private *priv = plane->dev->dev_private;
struct msm_kms *kms = priv->kms;
struct drm_gem_object *obj;
- struct msm_gem_object *msm_obj;
struct dma_fence *fence;

if (!new_state->fb)
return 0;

obj = msm_framebuffer_bo(new_state->fb, 0);
- msm_obj = to_msm_bo(obj);
- fence = reservation_object_get_excl_rcu(msm_obj->resv);
+ fence = reservation_object_get_excl_rcu(obj->resv);

drm_atomic_set_fence_for_plane(new_state, fence);

diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
index c5ac781dffee..812d1b1369a5 100644
--- a/drivers/gpu/drm/msm/msm_gem.h
+++ b/drivers/gpu/drm/msm/msm_gem.h
@@ -86,10 +86,6 @@ struct msm_gem_object {

struct llist_node freed;

- /* normally (resv == &_resv) except for imported bo's */
- struct reservation_object *resv;
- struct reservation_object _resv;
-
/* For physically contiguous buffers. Used when we don't have
* an IOMMU. Also used for stolen/splashscreen buffer.
*/
--
2.20.1


2019-05-14 18:15:10

by Sean Paul

[permalink] [raw]
Subject: Re: [PATCH v2.1 1/2] drm/msm: remove resv fields from msm_gem_object struct

On Mon, May 13, 2019 at 07:41:04PM -0400, Brian Masney wrote:
> The msm_gem_object structure contains resv and _resv fields that are
> no longer needed since the reservation object is now stored on
> drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
> both referenced the wrong reservation object, and would lead to an
> attempt to dereference a NULL pointer. Correct those two cases to
> point to the correct reservation object.
>
> Signed-off-by: Brian Masney <[email protected]>

Thanks Brian for your patches. I've applied them to drm-misc-next-fixes for
inclusion in 5.2

Sean

> Reviewed-by: Bjorn Andersson <[email protected]>
> Tested-by: Bjorn Andersson <[email protected]>
> Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object reservation_object")
> ---
> This is a split out version of this patch from where I am working to get
> the display working on the Nexus 5:
>
> https://lore.kernel.org/lkml/[email protected]/
>
> Bjorn asks:
> This resolves a NULL-pointer dereference about to show up in v5.2-rc1,
> so please pick this up for -rc.
>
> In this version, I dropped the change to msm_gem_new_impl() that
> mistakenly removed 'msm_obj->base.resv = resv;'. I did not put a v3 on
> this patch since I wanted to keep that version number for the larger work
> to get the display working on the Nexus 5 so I went with 2.1 here. :)
>
> drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 +---
> drivers/gpu/drm/msm/msm_atomic.c | 4 +---
> drivers/gpu/drm/msm/msm_gem.h | 4 ----
> 3 files changed, 2 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> index 4fca24b8702c..f3d009a3dc63 100644
> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> @@ -781,7 +781,6 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
> struct dpu_plane_state *pstate = to_dpu_plane_state(new_state);
> struct dpu_hw_fmt_layout layout;
> struct drm_gem_object *obj;
> - struct msm_gem_object *msm_obj;
> struct dma_fence *fence;
> struct dpu_kms *kms = _dpu_plane_get_kms(&pdpu->base);
> int ret;
> @@ -800,8 +799,7 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
> * implicit fence and fb prepare by hand here.
> */
> obj = msm_framebuffer_bo(new_state->fb, 0);
> - msm_obj = to_msm_bo(obj);
> - fence = reservation_object_get_excl_rcu(msm_obj->resv);
> + fence = reservation_object_get_excl_rcu(obj->resv);
> if (fence)
> drm_atomic_set_fence_for_plane(new_state, fence);
>
> diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
> index f5b1256e32b6..131c23a267ee 100644
> --- a/drivers/gpu/drm/msm/msm_atomic.c
> +++ b/drivers/gpu/drm/msm/msm_atomic.c
> @@ -49,15 +49,13 @@ int msm_atomic_prepare_fb(struct drm_plane *plane,
> struct msm_drm_private *priv = plane->dev->dev_private;
> struct msm_kms *kms = priv->kms;
> struct drm_gem_object *obj;
> - struct msm_gem_object *msm_obj;
> struct dma_fence *fence;
>
> if (!new_state->fb)
> return 0;
>
> obj = msm_framebuffer_bo(new_state->fb, 0);
> - msm_obj = to_msm_bo(obj);
> - fence = reservation_object_get_excl_rcu(msm_obj->resv);
> + fence = reservation_object_get_excl_rcu(obj->resv);
>
> drm_atomic_set_fence_for_plane(new_state, fence);
>
> diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
> index c5ac781dffee..812d1b1369a5 100644
> --- a/drivers/gpu/drm/msm/msm_gem.h
> +++ b/drivers/gpu/drm/msm/msm_gem.h
> @@ -86,10 +86,6 @@ struct msm_gem_object {
>
> struct llist_node freed;
>
> - /* normally (resv == &_resv) except for imported bo's */
> - struct reservation_object *resv;
> - struct reservation_object _resv;
> -
> /* For physically contiguous buffers. Used when we don't have
> * an IOMMU. Also used for stolen/splashscreen buffer.
> */
> --
> 2.20.1
>

--
Sean Paul, Software Engineer, Google / Chromium OS