linux/drivers/gpu/drm/vkms/vkms_drv.h
Ezequiel Garcia 0ea2ea42b3 drm/vkms: Hold gem object while still in-use
We need to keep the reference to the drm_gem_object
until the last access by vkms_dumb_create.

Therefore, the put the object after it is used.

This fixes a use-after-free issue reported by syzbot.

While here, change vkms_gem_create() symbol to static.

Reported-and-tested-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200427214405.13069-1-ezequiel@collabora.com
2020-05-06 21:51:46 -04:00

148 lines
3.6 KiB
C

/* SPDX-License-Identifier: GPL-2.0+ */
#ifndef _VKMS_DRV_H_
#define _VKMS_DRV_H_
#include <linux/hrtimer.h>
#include <drm/drm.h>
#include <drm/drm_gem.h>
#include <drm/drm_encoder.h>
#define XRES_MIN 20
#define YRES_MIN 20
#define XRES_DEF 1024
#define YRES_DEF 768
#define XRES_MAX 8192
#define YRES_MAX 8192
extern bool enable_cursor;
struct vkms_composer {
struct drm_framebuffer fb;
struct drm_rect src, dst;
unsigned int offset;
unsigned int pitch;
unsigned int cpp;
};
/**
* vkms_plane_state - Driver specific plane state
* @base: base plane state
* @composer: data required for composing computation
*/
struct vkms_plane_state {
struct drm_plane_state base;
struct vkms_composer *composer;
};
/**
* vkms_crtc_state - Driver specific CRTC state
* @base: base CRTC state
* @composer_work: work struct to compose and add CRC entries
* @n_frame_start: start frame number for computed CRC
* @n_frame_end: end frame number for computed CRC
*/
struct vkms_crtc_state {
struct drm_crtc_state base;
struct work_struct composer_work;
int num_active_planes;
/* stack of active planes for crc computation, should be in z order */
struct vkms_plane_state **active_planes;
/* below three are protected by vkms_output.composer_lock */
bool crc_pending;
u64 frame_start;
u64 frame_end;
};
struct vkms_output {
struct drm_crtc crtc;
struct drm_encoder encoder;
struct drm_connector connector;
struct hrtimer vblank_hrtimer;
ktime_t period_ns;
struct drm_pending_vblank_event *event;
/* ordered wq for composer_work */
struct workqueue_struct *composer_workq;
/* protects concurrent access to composer */
spinlock_t lock;
/* protected by @lock */
bool composer_enabled;
struct vkms_crtc_state *composer_state;
spinlock_t composer_lock;
};
struct vkms_device {
struct drm_device drm;
struct platform_device *platform;
struct vkms_output output;
};
struct vkms_gem_object {
struct drm_gem_object gem;
struct mutex pages_lock; /* Page lock used in page fault handler */
struct page **pages;
unsigned int vmap_count;
void *vaddr;
};
#define drm_crtc_to_vkms_output(target) \
container_of(target, struct vkms_output, crtc)
#define drm_device_to_vkms_device(target) \
container_of(target, struct vkms_device, drm)
#define drm_gem_to_vkms_gem(target)\
container_of(target, struct vkms_gem_object, gem)
#define to_vkms_crtc_state(target)\
container_of(target, struct vkms_crtc_state, base)
#define to_vkms_plane_state(target)\
container_of(target, struct vkms_plane_state, base)
/* CRTC */
int vkms_crtc_init(struct drm_device *dev, struct drm_crtc *crtc,
struct drm_plane *primary, struct drm_plane *cursor);
int vkms_output_init(struct vkms_device *vkmsdev, int index);
struct drm_plane *vkms_plane_init(struct vkms_device *vkmsdev,
enum drm_plane_type type, int index);
/* Gem stuff */
vm_fault_t vkms_gem_fault(struct vm_fault *vmf);
int vkms_dumb_create(struct drm_file *file, struct drm_device *dev,
struct drm_mode_create_dumb *args);
void vkms_gem_free_object(struct drm_gem_object *obj);
int vkms_gem_vmap(struct drm_gem_object *obj);
void vkms_gem_vunmap(struct drm_gem_object *obj);
/* Prime */
struct drm_gem_object *
vkms_prime_import_sg_table(struct drm_device *dev,
struct dma_buf_attachment *attach,
struct sg_table *sg);
/* CRC Support */
const char *const *vkms_get_crc_sources(struct drm_crtc *crtc,
size_t *count);
int vkms_set_crc_source(struct drm_crtc *crtc, const char *src_name);
int vkms_verify_crc_source(struct drm_crtc *crtc, const char *source_name,
size_t *values_cnt);
/* Composer Support */
void vkms_composer_worker(struct work_struct *work);
#endif /* _VKMS_DRV_H_ */