提交 10a26e0d 编写于 作者: Z Zack Rusin

drm/vmwgfx: Fix an invalid read

vmw_move assumed that buffers to be moved would always be
vmw_buffer_object's but after introduction of new placement for mob
pages that's no longer the case.
The resulting invalid read didn't have any practical consequences
because the memory isn't used unless the object actually is a
vmw_buffer_object.
Fix it by moving the cast to the spot where the results are used.
Signed-off-by: Zack Rusin <zackr@vmware.com>
Fixes: f6be2326 ("drm/vmwgfx: Introduce a new placement for MOB page tables")
Reported-by: Chuck Lever III <chuck.lever@oracle.com>
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Tested-by: Chuck Lever <chuck.lever@oracle.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220318174332.440068-2-zack@kde.org
上级 856082f0
...@@ -859,22 +859,21 @@ void vmw_query_move_notify(struct ttm_buffer_object *bo, ...@@ -859,22 +859,21 @@ void vmw_query_move_notify(struct ttm_buffer_object *bo,
struct ttm_device *bdev = bo->bdev; struct ttm_device *bdev = bo->bdev;
struct vmw_private *dev_priv; struct vmw_private *dev_priv;
dev_priv = container_of(bdev, struct vmw_private, bdev); dev_priv = container_of(bdev, struct vmw_private, bdev);
mutex_lock(&dev_priv->binding_mutex); mutex_lock(&dev_priv->binding_mutex);
dx_query_mob = container_of(bo, struct vmw_buffer_object, base);
if (!dx_query_mob || !dx_query_mob->dx_query_ctx) {
mutex_unlock(&dev_priv->binding_mutex);
return;
}
/* If BO is being moved from MOB to system memory */ /* If BO is being moved from MOB to system memory */
if (new_mem->mem_type == TTM_PL_SYSTEM && if (new_mem->mem_type == TTM_PL_SYSTEM &&
old_mem->mem_type == VMW_PL_MOB) { old_mem->mem_type == VMW_PL_MOB) {
struct vmw_fence_obj *fence; struct vmw_fence_obj *fence;
dx_query_mob = container_of(bo, struct vmw_buffer_object, base);
if (!dx_query_mob || !dx_query_mob->dx_query_ctx) {
mutex_unlock(&dev_priv->binding_mutex);
return;
}
(void) vmw_query_readback_all(dx_query_mob); (void) vmw_query_readback_all(dx_query_mob);
mutex_unlock(&dev_priv->binding_mutex); mutex_unlock(&dev_priv->binding_mutex);
...@@ -888,7 +887,6 @@ void vmw_query_move_notify(struct ttm_buffer_object *bo, ...@@ -888,7 +887,6 @@ void vmw_query_move_notify(struct ttm_buffer_object *bo,
(void) ttm_bo_wait(bo, false, false); (void) ttm_bo_wait(bo, false, false);
} else } else
mutex_unlock(&dev_priv->binding_mutex); mutex_unlock(&dev_priv->binding_mutex);
} }
/** /**
......
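Review bot: The `container_of()` cast that now sits inside the `TTM_PL_SYSTEM`/`VMW_PL_MOB` branch is only type-safe on the assumption that every buffer object leaving `VMW_PL_MOB` is embedded in a `vmw_buffer_object`, and nothing in the new code states that. The `!dx_query_mob` test cannot catch a wrong-type object, since `container_of()` only does pointer arithmetic on `bo`, so the placement check is the sole guard against reading `dx_query_ctx` from unrelated memory. I would add a comment above the cast such as `/* Only BOs in VMW_PL_MOB are vmw_buffer_objects; keep this cast below the placement check. */` so a later refactor does not hoist it again. The function's signature and the lines between the two hunks are outside the view, so this assumes `dx_query_mob` is not used anywhere before the branch.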