Merge tag 'drm-misc-fixes-2023-07-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Memory leak fixes in drm/client, memory access/leak fixes for
accel/qaic, another leak fix in dma-buf and three nouveau fixes around
hotplugging.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maxime Ripard <mripard@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/fmj5nok7zggux2lcpdtls2iknweba54wfc6o4zxq6i6s3dgi2r@7z3eawwhyhen

Dave Airlie 2 years ago f4f19c03 78e9b217

+73 -31

7 changed files

expand all

drivers

accel

qaic

qaic_control.c

dma-buf

dma-resv.c

gpu

drm

drm_client_modeset.c

nouveau

dispnv50

disp.c

include

nvkm

subdev

i2c.h

nvkm

engine

disp

uconn.c

subdev

i2c

base.c

+25 -14

drivers/accel/qaic/qaic_control.c

··· 14 14 #include <linux/mm.h> 15 15 #include <linux/moduleparam.h> 16 16 #include <linux/mutex.h> 17 + #include <linux/overflow.h> 17 18 #include <linux/pci.h> 18 19 #include <linux/scatterlist.h> 19 20 #include <linux/types.h> ··· 367 366 if (in_trans->hdr.len % 8 != 0) 368 367 return -EINVAL; 369 368 370 - if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_EXT_MSG_LENGTH) 369 + if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_EXT_MSG_LENGTH) 371 370 return -ENOSPC; 372 371 373 372 trans_wrapper = add_wrapper(wrappers, ··· 419 418 } 420 419 421 420 ret = get_user_pages_fast(xfer_start_addr, nr_pages, 0, page_list); 422 - if (ret < 0 || ret != nr_pages) { 423 - ret = -EFAULT; 421 + if (ret < 0) 424 422 goto free_page_list; 423 + if (ret != nr_pages) { 424 + nr_pages = ret; 425 + ret = -EFAULT; 426 + goto put_pages; 425 427 } 426 428 427 429 sgt = kmalloc(sizeof(*sgt), GFP_KERNEL); ··· 561 557 msg = &wrapper->msg; 562 558 msg_hdr_len = le32_to_cpu(msg->hdr.len); 563 559 564 - if (msg_hdr_len > (UINT_MAX - QAIC_MANAGE_EXT_MSG_LENGTH)) 565 - return -EINVAL; 566 - 567 560 /* There should be enough space to hold at least one ASP entry. */ 568 - if (msg_hdr_len + sizeof(*out_trans) + sizeof(struct wire_addr_size_pair) > 561 + if (size_add(msg_hdr_len, sizeof(*out_trans) + sizeof(struct wire_addr_size_pair)) > 569 562 QAIC_MANAGE_EXT_MSG_LENGTH) 570 563 return -ENOMEM; 571 564 ··· 635 634 msg = &wrapper->msg; 636 635 msg_hdr_len = le32_to_cpu(msg->hdr.len); 637 636 638 - if (msg_hdr_len + sizeof(*out_trans) > QAIC_MANAGE_MAX_MSG_LENGTH) 637 + if (size_add(msg_hdr_len, sizeof(*out_trans)) > QAIC_MANAGE_MAX_MSG_LENGTH) 639 638 return -ENOSPC; 640 639 641 640 if (!in_trans->queue_size) ··· 719 718 msg = &wrapper->msg; 720 719 msg_hdr_len = le32_to_cpu(msg->hdr.len); 721 720 722 - if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_MAX_MSG_LENGTH) 721 + if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_MAX_MSG_LENGTH) 723 722 return -ENOSPC; 724 723 725 724 trans_wrapper = add_wrapper(wrappers, sizeof(*trans_wrapper)); ··· 749 748 int ret; 750 749 int i; 751 750 752 - if (!user_msg->count) { 751 + if (!user_msg->count || 752 + user_msg->len < sizeof(*trans_hdr)) { 753 753 ret = -EINVAL; 754 754 goto out; 755 755 } ··· 767 765 } 768 766 769 767 for (i = 0; i < user_msg->count; ++i) { 770 - if (user_len >= user_msg->len) { 768 + if (user_len > user_msg->len - sizeof(*trans_hdr)) { 771 769 ret = -EINVAL; 772 770 break; 773 771 } 774 772 trans_hdr = (struct qaic_manage_trans_hdr *)(user_msg->data + user_len); 775 - if (user_len + trans_hdr->len > user_msg->len) { 773 + if (trans_hdr->len < sizeof(trans_hdr) || 774 + size_add(user_len, trans_hdr->len) > user_msg->len) { 776 775 ret = -EINVAL; 777 776 break; 778 777 } ··· 956 953 int ret; 957 954 int i; 958 955 959 - if (msg_hdr_len > QAIC_MANAGE_MAX_MSG_LENGTH) 956 + if (msg_hdr_len < sizeof(*trans_hdr) || 957 + msg_hdr_len > QAIC_MANAGE_MAX_MSG_LENGTH) 960 958 return -EINVAL; 961 959 962 960 user_msg->len = 0; 963 961 user_msg->count = le32_to_cpu(msg->hdr.count); 964 962 965 963 for (i = 0; i < user_msg->count; ++i) { 964 + u32 hdr_len; 965 + 966 + if (msg_len > msg_hdr_len - sizeof(*trans_hdr)) 967 + return -EINVAL; 968 + 966 969 trans_hdr = (struct wire_trans_hdr *)(msg->data + msg_len); 967 - if (msg_len + le32_to_cpu(trans_hdr->len) > msg_hdr_len) 970 + hdr_len = le32_to_cpu(trans_hdr->len); 971 + if (hdr_len < sizeof(*trans_hdr) || 972 + size_add(msg_len, hdr_len) > msg_hdr_len) 968 973 return -EINVAL; 969 974 970 975 switch (le32_to_cpu(trans_hdr->type)) {

+9 -4

drivers/dma-buf/dma-resv.c

··· 571 571 dma_resv_for_each_fence_unlocked(&cursor, fence) { 572 572 573 573 if (dma_resv_iter_is_restarted(&cursor)) { 574 + struct dma_fence **new_fences; 574 575 unsigned int count; 575 576 576 577 while (*num_fences) ··· 580 579 count = cursor.num_fences + 1; 581 580 582 581 /* Eventually re-allocate the array */ 583 - *fences = krealloc_array(*fences, count, 584 - sizeof(void *), 585 - GFP_KERNEL); 586 - if (count && !*fences) { 582 + new_fences = krealloc_array(*fences, count, 583 + sizeof(void *), 584 + GFP_KERNEL); 585 + if (count && !new_fences) { 586 + kfree(*fences); 587 + *fences = NULL; 588 + *num_fences = 0; 587 589 dma_resv_iter_end(&cursor); 588 590 return -ENOMEM; 589 591 } 592 + *fences = new_fences; 590 593 } 591 594 592 595 (*fences)[(*num_fences)++] = dma_fence_get(fence);

drivers/gpu/drm/drm_client_modeset.c

··· 311 311 can_clone = true; 312 312 dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); 313 313 314 + if (!dmt_mode) 315 + goto fail; 316 + 314 317 for (i = 0; i < connector_count; i++) { 315 318 if (!enabled[i]) 316 319 continue; ··· 329 326 if (!modes[i]) 330 327 can_clone = false; 331 328 } 329 + kfree(dmt_mode); 332 330 333 331 if (can_clone) { 334 332 DRM_DEBUG_KMS("can clone using 1024x768\n"); 335 333 return true; 336 334 } 335 + fail: 337 336 DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); 338 337 return false; 339 338 } ··· 867 862 break; 868 863 } 869 864 865 + kfree(modeset->mode); 870 866 modeset->mode = drm_mode_duplicate(dev, mode); 871 867 drm_connector_get(connector); 872 868 modeset->connectors[modeset->num_connectors++] = connector;

drivers/gpu/drm/nouveau/dispnv50/disp.c

··· 1877 1877 nvif_outp_dtor(&nv_encoder->outp); 1878 1878 1879 1879 drm_encoder_cleanup(encoder); 1880 + 1881 + mutex_destroy(&nv_encoder->dp.hpd_irq_lock); 1880 1882 kfree(encoder); 1881 1883 } 1882 1884 ··· 1922 1920 nv_encoder->dcb = dcbe; 1923 1921 nv_encoder->i2c = ddc; 1924 1922 nv_encoder->aux = aux; 1923 + 1924 + mutex_init(&nv_encoder->dp.hpd_irq_lock); 1925 1925 1926 1926 encoder = to_drm_encoder(nv_encoder); 1927 1927 encoder->possible_crtcs = dcbe->heads;

+2 -2

drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h

··· 16 16 const struct nvkm_i2c_bus_func *func; 17 17 struct nvkm_i2c_pad *pad; 18 18 #define NVKM_I2C_BUS_CCB(n) /* 'n' is ccb index */ (n) 19 - #define NVKM_I2C_BUS_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x100) 19 + #define NVKM_I2C_BUS_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x10) 20 20 #define NVKM_I2C_BUS_PRI /* ccb primary comm. port */ -1 21 21 #define NVKM_I2C_BUS_SEC /* ccb secondary comm. port */ -2 22 22 int id; ··· 38 38 const struct nvkm_i2c_aux_func *func; 39 39 struct nvkm_i2c_pad *pad; 40 40 #define NVKM_I2C_AUX_CCB(n) /* 'n' is ccb index */ (n) 41 - #define NVKM_I2C_AUX_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x100) 41 + #define NVKM_I2C_AUX_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x10) 42 42 int id; 43 43 44 44 struct mutex mutex;

+18 -9

drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c

··· 81 81 return -ENOSYS; 82 82 83 83 list_for_each_entry(outp, &conn->disp->outps, head) { 84 - if (outp->info.connector == conn->index && outp->dp.aux) { 85 - if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_I2C_PLUG; 86 - if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_I2C_UNPLUG; 87 - if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ ) bits |= NVKM_I2C_IRQ; 84 + if (outp->info.connector == conn->index) 85 + break; 86 + } 88 87 89 - return nvkm_uevent_add(uevent, &device->i2c->event, outp->dp.aux->id, bits, 90 - nvkm_uconn_uevent_aux); 91 - } 88 + if (&outp->head == &conn->disp->outps) 89 + return -EINVAL; 90 + 91 + if (outp->dp.aux && !outp->info.location) { 92 + if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_I2C_PLUG; 93 + if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_I2C_UNPLUG; 94 + if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ ) bits |= NVKM_I2C_IRQ; 95 + 96 + return nvkm_uevent_add(uevent, &device->i2c->event, outp->dp.aux->id, bits, 97 + nvkm_uconn_uevent_aux); 92 98 } 93 99 94 100 if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_GPIO_HI; 95 101 if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_GPIO_LO; 96 - if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) 97 - return -EINVAL; 102 + if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) { 103 + /* TODO: support DP IRQ on ANX9805 and remove this hack. */ 104 + if (!outp->info.location) 105 + return -EINVAL; 106 + } 98 107 99 108 return nvkm_uevent_add(uevent, &device->gpio->event, conn->info.hpd, bits, 100 109 nvkm_uconn_uevent_gpio);

+9 -2

drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c

··· 260 260 { 261 261 struct nvkm_bios *bios = device->bios; 262 262 struct nvkm_i2c *i2c; 263 + struct nvkm_i2c_aux *aux; 263 264 struct dcb_i2c_entry ccbE; 264 265 struct dcb_output dcbE; 265 266 u8 ver, hdr; 266 - int ret, i; 267 + int ret, i, ids; 267 268 268 269 if (!(i2c = *pi2c = kzalloc(sizeof(*i2c), GFP_KERNEL))) 269 270 return -ENOMEM; ··· 407 406 } 408 407 } 409 408 410 - return nvkm_event_init(&nvkm_i2c_intr_func, &i2c->subdev, 4, i, &i2c->event); 409 + ids = 0; 410 + list_for_each_entry(aux, &i2c->aux, head) 411 + ids = max(ids, aux->id + 1); 412 + if (!ids) 413 + return 0; 414 + 415 + return nvkm_event_init(&nvkm_i2c_intr_func, &i2c->subdev, 4, ids, &i2c->event); 411 416 }