!11491 Fix CVE-2022-48887 (a6042799) · Commits · EulixOS / Software / Kernel

drivers/gpu/drm/drm_hashtab.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -74,7 +74,7 @@ void drm_ht_verbose_list(struct drm_open_hash *ht, unsigned long key)
		DRM_DEBUG("count %d, key: 0x%08lx\n", count++, entry->key);
		}

		static struct hlist_node drm_ht_find_key(struct drm_open_hash ht,
		struct hlist_node drm_ht_find_key(struct drm_open_hash ht,
		unsigned long key)
		{
		struct drm_hash_item *entry;
		@@ -91,6 +91,7 @@ static struct hlist_node drm_ht_find_key(struct drm_open_hash ht,
		}
		return NULL;
		}
		EXPORT_SYMBOL(drm_ht_find_key);

		static struct hlist_node drm_ht_find_key_rcu(struct drm_open_hash ht,
		unsigned long key)

drivers/gpu/drm/vmwgfx/ttm_object.c

+17 −38

Original line number	Diff line number	Diff line
		@@ -137,6 +137,20 @@ ttm_object_file_ref(struct ttm_object_file *tfile)
		return tfile;
		}

		static int ttm_tfile_find_ref(struct drm_open_hash *ht,
		uint32_t key,
		struct drm_hash_item **item)
		{
		struct hlist_node *h_node;

		h_node = drm_ht_find_key(ht, key);
		if (!h_node)
		return -EINVAL;

		*item = hlist_entry(h_node, struct drm_hash_item, head);
		return 0;
		}

		static void ttm_object_file_destroy(struct kref *kref)
		{
		struct ttm_object_file *tfile =
		@@ -225,41 +239,6 @@ void ttm_base_object_unref(struct ttm_base_object **p_base)
		kref_put(&base->refcount, ttm_release_base);
		}

		/**
		* ttm_base_object_noref_lookup - look up a base object without reference
		* @tfile: The struct ttm_object_file the object is registered with.
		* @key: The object handle.
		*
		* This function looks up a ttm base object and returns a pointer to it
		* without refcounting the pointer. The returned pointer is only valid
		* until ttm_base_object_noref_release() is called, and the object
		* pointed to by the returned pointer may be doomed. Any persistent usage
		* of the object requires a refcount to be taken using kref_get_unless_zero().
		* Iff this function returns successfully it needs to be paired with
		* ttm_base_object_noref_release() and no sleeping- or scheduling functions
		* may be called inbetween these function callse.
		*
		* Return: A pointer to the object if successful or NULL otherwise.
		*/
		struct ttm_base_object *
		ttm_base_object_noref_lookup(struct ttm_object_file *tfile, uint32_t key)
		{
		struct drm_hash_item *hash;
		struct drm_open_hash *ht = &tfile->ref_hash[TTM_REF_USAGE];
		int ret;

		rcu_read_lock();
		ret = drm_ht_find_item_rcu(ht, key, &hash);
		if (ret) {
		rcu_read_unlock();
		return NULL;
		}

		__release(RCU);
		return drm_hash_entry(hash, struct ttm_ref_object, hash)->obj;
		}
		EXPORT_SYMBOL(ttm_base_object_noref_lookup);

		struct ttm_base_object ttm_base_object_lookup(struct ttm_object_file tfile,
		uint32_t key)
		{
		@@ -268,15 +247,15 @@ struct ttm_base_object ttm_base_object_lookup(struct ttm_object_file tfile,
		struct drm_open_hash *ht = &tfile->ref_hash[TTM_REF_USAGE];
		int ret;

		rcu_read_lock();
		ret = drm_ht_find_item_rcu(ht, key, &hash);
		spin_lock(&tfile->lock);
		ret = ttm_tfile_find_ref(ht, key, &hash);

		if (likely(ret == 0)) {
		base = drm_hash_entry(hash, struct ttm_ref_object, hash)->obj;
		if (!kref_get_unless_zero(&base->refcount))
		base = NULL;
		}
		rcu_read_unlock();
		spin_unlock(&tfile->lock);

		return base;
		}

drivers/gpu/drm/vmwgfx/ttm_object.h

+0 −14

Original line number	Diff line number	Diff line
		@@ -359,18 +359,4 @@ extern int ttm_prime_handle_to_fd(struct ttm_object_file *tfile,
		*/
		#define TTM_OBJ_EXTRA_SIZE 128

		struct ttm_base_object *
		ttm_base_object_noref_lookup(struct ttm_object_file *tfile, uint32_t key);

		/**
		* ttm_base_object_noref_release - release a base object pointer looked up
		* without reference
		*
		* Releases a base object pointer looked up with ttm_base_object_noref_lookup().
		*/
		static inline void ttm_base_object_noref_release(void)
		{
		__acquire(RCU);
		rcu_read_unlock();
		}
		#endif

drivers/gpu/drm/vmwgfx/vmwgfx_bo.c

+0 −42

Original line number	Diff line number	Diff line
		@@ -932,48 +932,6 @@ int vmw_user_bo_lookup(struct ttm_object_file *tfile,
		return 0;
		}

		/**
		* vmw_user_bo_noref_lookup - Look up a vmw user buffer object without reference
		* @tfile: The TTM object file the handle is registered with.
		* @handle: The user buffer object handle.
		*
		* This function looks up a struct vmw_user_bo and returns a pointer to the
		* struct vmw_buffer_object it derives from without refcounting the pointer.
		* The returned pointer is only valid until vmw_user_bo_noref_release() is
		* called, and the object pointed to by the returned pointer may be doomed.
		* Any persistent usage of the object requires a refcount to be taken using
		* ttm_bo_reference_unless_doomed(). Iff this function returns successfully it
		* needs to be paired with vmw_user_bo_noref_release() and no sleeping-
		* or scheduling functions may be called inbetween these function calls.
		*
		* Return: A struct vmw_buffer_object pointer if successful or negative
		* error pointer on failure.
		*/
		struct vmw_buffer_object *
		vmw_user_bo_noref_lookup(struct ttm_object_file *tfile, u32 handle)
		{
		struct vmw_user_buffer_object *vmw_user_bo;
		struct ttm_base_object *base;

		base = ttm_base_object_noref_lookup(tfile, handle);
		if (!base) {
		DRM_ERROR("Invalid buffer object handle 0x%08lx.\n",
		(unsigned long)handle);
		return ERR_PTR(-ESRCH);
		}

		if (unlikely(ttm_base_object_type(base) != ttm_buffer_type)) {
		ttm_base_object_noref_release();
		DRM_ERROR("Invalid buffer object handle 0x%08lx.\n",
		(unsigned long)handle);
		return ERR_PTR(-EINVAL);
		}

		vmw_user_bo = container_of(base, struct vmw_user_buffer_object,
		prime.base);
		return &vmw_user_bo->vbo;
		}

		/**
		* vmw_user_bo_reference - Open a handle to a vmw user buffer object.
		*

drivers/gpu/drm/vmwgfx/vmwgfx_drv.h

+1 −26

Original line number	Diff line number	Diff line
		@@ -770,12 +770,7 @@ extern int vmw_user_resource_lookup_handle(
		uint32_t handle,
		const struct vmw_user_resource_conv *converter,
		struct vmw_resource **p_res);
		extern struct vmw_resource *
		vmw_user_resource_noref_lookup_handle(struct vmw_private *dev_priv,
		struct ttm_object_file *tfile,
		uint32_t handle,
		const struct vmw_user_resource_conv *
		converter);

		extern int vmw_stream_claim_ioctl(struct drm_device dev, void data,
		struct drm_file *file_priv);
		extern int vmw_stream_unref_ioctl(struct drm_device dev, void data,
		@@ -813,15 +808,6 @@ static inline bool vmw_resource_mob_attached(const struct vmw_resource *res)
		return !RB_EMPTY_NODE(&res->mob_node);
		}

		/**
		* vmw_user_resource_noref_release - release a user resource pointer looked up
		* without reference
		*/
		static inline void vmw_user_resource_noref_release(void)
		{
		ttm_base_object_noref_release();
		}

		/**
		* Buffer object helper functions - vmwgfx_bo.c
		*/
		@@ -878,17 +864,6 @@ extern void vmw_bo_unmap(struct vmw_buffer_object *vbo);
		extern void vmw_bo_move_notify(struct ttm_buffer_object *bo,
		struct ttm_resource *mem);
		extern void vmw_bo_swap_notify(struct ttm_buffer_object *bo);
		extern struct vmw_buffer_object *
		vmw_user_bo_noref_lookup(struct ttm_object_file *tfile, u32 handle);

		/**
		* vmw_user_bo_noref_release - release a buffer object pointer looked up
		* without reference
		*/
		static inline void vmw_user_bo_noref_release(void)
		{
		ttm_base_object_noref_release();
		}

		/**
		* vmw_bo_adjust_prio - Adjust the buffer object eviction priority