From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zack Rusin, Chuck Lever III, Martin Krastev, Sasha Levin
Subject: [PATCH 5.18 267/879] drm/vmwgfx: Fix an invalid read
Date: Tue, 7 Jun 2022 18:56:25 +0200
Message-Id: <20220607165010.599841412@linuxfoundation.org>
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>

From: Zack Rusin

[ Upstream commit 10a26e0d5fc3574f63ce8a6cf28381b126317f40 ]

vmw_move assumed that buffers to be moved would always be
vmw_buffer_object's but after introduction of new placement for mob
pages that's no longer the case.
The resulting invalid read didn't have any practical consequences
because the memory isn't used unless the object actually is a
vmw_buffer_object.
Fix it by moving the cast to the spot where the results are used.

Signed-off-by: Zack Rusin
Fixes: f6be23264bba ("drm/vmwgfx: Introduce a new placement for MOB page tables")
Reported-by: Chuck Lever III
Reviewed-by: Martin Krastev
Tested-by: Chuck Lever
Link: https://patchwork.freedesktop.org/patch/msgid/20220318174332.440068-2-zack@kde.org
Signed-off-by: Sasha Levin --- drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c index 708899ba2102..6542f1498651 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c @@ -859,22 +859,21 @@ void vmw_query_move_notify(struct ttm_buffer_object *bo, struct ttm_device *bdev = bo->bdev; struct vmw_private *dev_priv; - dev_priv = container_of(bdev, struct vmw_private, bdev); mutex_lock(&dev_priv->binding_mutex); - dx_query_mob = container_of(bo, struct vmw_buffer_object, base); - if (!dx_query_mob || !dx_query_mob->dx_query_ctx) { - mutex_unlock(&dev_priv->binding_mutex); - return; - } - /* If BO is being moved from MOB to system memory */ if (new_mem->mem_type == TTM_PL_SYSTEM && old_mem->mem_type == VMW_PL_MOB) { struct vmw_fence_obj *fence; + dx_query_mob = container_of(bo, struct vmw_buffer_object, base); + if (!dx_query_mob || !dx_query_mob->dx_query_ctx) { + mutex_unlock(&dev_priv->binding_mutex); + return; + } + (void) vmw_query_readback_all(dx_query_mob); mutex_unlock(&dev_priv->binding_mutex); @@ -888,7 +887,6 @@ void vmw_query_move_notify(struct ttm_buffer_object *bo, (void) ttm_bo_wait(bo, false, false); } else mutex_unlock(&dev_priv->binding_mutex); - } /** -- 2.35.1
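
Review bot: in the first hunk (@@ -859,22 +859,21 @@), the moved `container_of(bo, struct vmw_buffer_object, base)` is now guarded only by the `new_mem->mem_type == TTM_PL_SYSTEM && old_mem->mem_type == VMW_PL_MOB` test, so the fix holds only as long as every buffer leaving `VMW_PL_MOB` is embedded in a `vmw_buffer_object`, and nothing in the hunk states that. A one-line comment above the cast recording that invariant would keep a later placement change from quietly reintroducing the invalid read. In the same block, `!dx_query_mob` cannot be true: `container_of()` is pointer arithmetic on a `bo` that was already dereferenced for `bo->bdev`, so the condition could be reduced to `!dx_query_mob->dx_query_ctx`. With the early return now inside the branch, `binding_mutex` is released at three separate sites; a single unlock label at the end of the function would make the locking easier to audit.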