Maksytka/linux
1
1
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2025-12-01 07:26:02 +07:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'drm-fixes-2025-10-11' of https://gitlab.freedesktop.org/drm/kernel

Browse Source 
Pull drm fixes from Dave Airlie:
 "Some fixes leftover from our fixes branch, just nouveau and vmwgfx:

  nouveau:
   - Return errno code from TTM move helper

  vmwgfx:
   - Fix null-ptr access in cursor code
   - Fix UAF in validation
   - Use correct iterator in validation"

* tag 'drm-fixes-2025-10-11' of https://gitlab.freedesktop.org/drm/kernel:
  drm/nouveau: fix bad ret code in nouveau_bo_move_prep
  drm/vmwgfx: Fix copy-paste typo in validation
  drm/vmwgfx: Fix Use-after-free in validation
  drm/vmwgfx: Fix a null-ptr access in the cursor snooper
This commit is contained in:
Linus Torvalds
2025-10-10 13:59:38 -07:00
parent f76b1683d1 5ca5f00a16
commit 1e5d41b981
3 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/gpu/drm/nouveau/nouveau_bo.c
View File

@@ -929,7 +929,7 @@ done:
nvif_vmm_put(vmm, &old_mem->vma[1]);
nvif_vmm_put(vmm, &old_mem->vma[0]);
}
return 0;
return ret;
}
static int

17
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
View File

@@ -1497,6 +1497,7 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv,
SVGA3dCmdHeader *header)
{
struct vmw_bo *vmw_bo = NULL;
struct vmw_resource *res;
struct vmw_surface *srf = NULL;
VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSurfaceDMA);
int ret;
@@ -1532,18 +1533,24 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv,
dirty = (cmd->body.transfer == SVGA3D_WRITE_HOST_VRAM) ?
VMW_RES_DIRTY_SET : 0;
ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
dirty, user_surface_converter,
&cmd->body.host.sid, NULL);
ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, dirty,
user_surface_converter, &cmd->body.host.sid,
NULL);
if (unlikely(ret != 0)) {
if (unlikely(ret != -ERESTARTSYS))
VMW_DEBUG_USER("could not find surface for DMA.\n");
return ret;
}
srf = vmw_res_to_srf(sw_context->res_cache[vmw_res_surface].res);
res = sw_context->res_cache[vmw_res_surface].res;
if (!res) {
VMW_DEBUG_USER("Invalid DMA surface.\n");
return -EINVAL;
}
vmw_kms_cursor_snoop(srf, sw_context->fp->tfile, &vmw_bo->tbo, header);
srf = vmw_res_to_srf(res);
vmw_kms_cursor_snoop(srf, sw_context->fp->tfile, &vmw_bo->tbo,
header);
return 0;
}

6
drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
View File

@@ -308,8 +308,10 @@ int vmw_validation_add_resource(struct vmw_validation_context *ctx,
hash_add_rcu(ctx->sw_context->res_ht, &node->hash.head, node->hash.key);
}
node->res = vmw_resource_reference_unless_doomed(res);
if (!node->res)
if (!node->res) {
hash_del_rcu(&node->hash.head);
return -ESRCH;
}
node->first_usage = 1;
if (!res->dev_priv->has_mob) {
@@ -636,7 +638,7 @@ void vmw_validation_drop_ht(struct vmw_validation_context *ctx)
hash_del_rcu(&val->hash.head);
list_for_each_entry(val, &ctx->resource_ctx_list, head)
hash_del_rcu(&entry->hash.head);
hash_del_rcu(&val->hash.head);
ctx->sw_context = NULL;
}