* [PATCH 0/3] drm/msm: A few GEM/VM_BIND fixes
@ 2025-08-19 23:29 Rob Clark
2025-08-19 23:29 ` [PATCH 1/3] drm/msm: Fix obj leak in VM_BIND error path Rob Clark
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Rob Clark @ 2025-08-19 23:29 UTC (permalink / raw)
To: dri-devel
Cc: linux-arm-msm, freedreno, Akhil P Oommen, Connor Abbott,
Rob Clark, Abhinav Kumar, David Airlie, Dmitry Baryshkov,
Jessica Zhang, open list, Marijn Suijten, Sean Paul,
Simona Vetter
Fixes for a few issues found in vkd3d-proton testing.
Rob Clark (3):
drm/msm: Fix obj leak in VM_BIND error path
drm/msm: Fix missing VM_BIND offset/range validation
drm/msm: Fix 32b size truncation
drivers/gpu/drm/msm/msm_gem.c | 17 ++++++++---------
drivers/gpu/drm/msm/msm_gem.h | 6 +++---
drivers/gpu/drm/msm/msm_gem_vma.c | 31 +++++++++++++++++++++++++------
3 files changed, 36 insertions(+), 18 deletions(-)
--
2.50.1
* [PATCH 1/3] drm/msm: Fix obj leak in VM_BIND error path
2025-08-19 23:29 [PATCH 0/3] drm/msm: A few GEM/VM_BIND fixes Rob Clark
@ 2025-08-19 23:29 ` Rob Clark
2025-08-19 23:29 ` [PATCH 2/3] drm/msm: Fix missing VM_BIND offset/range validation Rob Clark
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Rob Clark @ 2025-08-19 23:29 UTC (permalink / raw)
To: dri-devel
Cc: linux-arm-msm, freedreno, Akhil P Oommen, Connor Abbott,
Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang,
Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, open list
If we fail a handle-lookup part way thru, we need to drop the already
obtained obj references.
Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
---
drivers/gpu/drm/msm/msm_gem_vma.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
index 00d0f3b7ba32..209154be5efc 100644
--- a/drivers/gpu/drm/msm/msm_gem_vma.c
+++ b/drivers/gpu/drm/msm/msm_gem_vma.c
@@ -1023,6 +1023,7 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, struct drm_msm_vm_bind *args
struct drm_device *dev = job->vm->drm;
int ret = 0;
int cnt = 0;
+ int i = -1;
if (args->nr_ops == 1) {
/* Single op case, the op is inlined: */
@@ -1056,11 +1057,12 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, struct drm_msm_vm_bind *args
spin_lock(&file->table_lock);
- for (unsigned i = 0; i < args->nr_ops; i++) {
+ for (i = 0; i < args->nr_ops; i++) {
+ struct msm_vm_bind_op *op = &job->ops[i];
struct drm_gem_object *obj;
- if (!job->ops[i].handle) {
- job->ops[i].obj = NULL;
+ if (!op->handle) {
+ op->obj = NULL;
continue;
}
@@ -1068,15 +1070,15 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, struct drm_msm_vm_bind *args
* normally use drm_gem_object_lookup(), but for bulk lookup
* all under single table_lock just hit object_idr directly:
*/
- obj = idr_find(&file->object_idr, job->ops[i].handle);
+ obj = idr_find(&file->object_idr, op->handle);
if (!obj) {
- ret = UERR(EINVAL, dev, "invalid handle %u at index %u\n", job->ops[i].handle, i);
+ ret = UERR(EINVAL, dev, "invalid handle %u at index %u\n", op->handle, i);
goto out_unlock;
}
drm_gem_object_get(obj);
- job->ops[i].obj = obj;
+ op->obj = obj;
cnt++;
}
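Review bot: The UERR() call in this hunk still prints the index with `%u`, but the first hunk of this patch turns `i` from a loop-local `unsigned` into a function-scope `int`. Switch the index to `%d`, or keep the loop counter unsigned and record the unwind position in a separate variable; the second option also avoids a signed/unsigned comparison in `i < args->nr_ops` if `nr_ops` is an unsigned field.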
@@ -1085,6 +1087,17 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, struct drm_msm_vm_bind *args
out_unlock:
spin_unlock(&file->table_lock);
+ if (ret) {
+ for (; i >= 0; i--) {
+ struct msm_vm_bind_op *op = &job->ops[i];
+
+ if (!op->obj)
+ continue;
+
+ drm_gem_object_put(op->obj);
+ op->obj = NULL;
+ }
+ }
out:
return ret;
}
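Review bot: The unwind loop starts at `i`, and on the invalid-handle path that is the slot whose `op->obj` was never written by the lookup loop, because the `goto out_unlock` is taken before `op->obj = obj`. The `if (!op->obj)` test therefore depends on `job->ops[i].obj` already being NULL from wherever the ops array was allocated or copied in, which this patch does not show. Set `op->obj = NULL` before the `goto` in the `!obj` branch, or add a comment stating that the array is zero-initialized. A one-line comment on `int i = -1` explaining that it makes the unwind a no-op when the loop never ran would also help.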
--
2.50.1
* [PATCH 2/3] drm/msm: Fix missing VM_BIND offset/range validation
2025-08-19 23:29 [PATCH 0/3] drm/msm: A few GEM/VM_BIND fixes Rob Clark
2025-08-19 23:29 ` [PATCH 1/3] drm/msm: Fix obj leak in VM_BIND error path Rob Clark
@ 2025-08-19 23:29 ` Rob Clark
2025-08-19 23:29 ` [PATCH 3/3] drm/msm: Fix 32b size truncation Rob Clark
2025-08-20 14:47 ` [PATCH 0/3] drm/msm: A few GEM/VM_BIND fixes Connor Abbott
3 siblings, 0 replies; 7+ messages in thread
From: Rob Clark @ 2025-08-19 23:29 UTC (permalink / raw)
To: dri-devel
Cc: linux-arm-msm, freedreno, Akhil P Oommen, Connor Abbott,
Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang,
Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, open list
We need to reject the MAP op if offset+range is larger than the BO size.
Reported-by: Connor Abbott <cwabbott0@gmail.com>
Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
---
drivers/gpu/drm/msm/msm_gem_vma.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
index 209154be5efc..381a0853c05b 100644
--- a/drivers/gpu/drm/msm/msm_gem_vma.c
+++ b/drivers/gpu/drm/msm/msm_gem_vma.c
@@ -1080,6 +1080,12 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, struct drm_msm_vm_bind *args
op->obj = obj;
cnt++;
+
+ if ((op->range + op->obj_offset) > obj->size) {
+ ret = UERR(EINVAL, dev, "invalid range: %016llx + %016llx > %016zx\n",
+ op->range, op->obj_offset, obj->size);
+ goto out_unlock;
+ }
}
*nr_bos = cnt;
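Review bot: The sum in `(op->range + op->obj_offset) > obj->size` can wrap when both operands are large (the format string prints them as 64-bit values), and a wrapped sum compares as small and passes the check. Write the test so it cannot overflow, for example `op->obj_offset > obj->size || op->range > obj->size - op->obj_offset`, or use check_add_overflow(). Separately, the commit message says the MAP op is rejected, but as written the check runs for every op that carries a handle; if only MAP ops can have one, a short comment saying so would make that clear.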
--
2.50.1
* [PATCH 3/3] drm/msm: Fix 32b size truncation
2025-08-19 23:29 [PATCH 0/3] drm/msm: A few GEM/VM_BIND fixes Rob Clark
2025-08-19 23:29 ` [PATCH 1/3] drm/msm: Fix obj leak in VM_BIND error path Rob Clark
2025-08-19 23:29 ` [PATCH 2/3] drm/msm: Fix missing VM_BIND offset/range validation Rob Clark
@ 2025-08-19 23:29 ` Rob Clark
2025-08-20 13:50 ` Connor Abbott
2025-08-20 14:47 ` [PATCH 0/3] drm/msm: A few GEM/VM_BIND fixes Connor Abbott
3 siblings, 1 reply; 7+ messages in thread
From: Rob Clark @ 2025-08-19 23:29 UTC (permalink / raw)
To: dri-devel
Cc: linux-arm-msm, freedreno, Akhil P Oommen, Connor Abbott,
Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang,
Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, open list
Somehow we never noticed this when arm64 became a thing, many years ago.
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
---
drivers/gpu/drm/msm/msm_gem.c | 17 ++++++++---------
drivers/gpu/drm/msm/msm_gem.h | 6 +++---
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 958bac4e2768..9a935650e5e3 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -1142,7 +1142,7 @@ static int msm_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
/* convenience method to construct a GEM buffer object, and userspace handle */
int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
- uint32_t size, uint32_t flags, uint32_t *handle,
+ size_t size, uint32_t flags, uint32_t *handle,
char *name)
{
struct drm_gem_object *obj;
@@ -1208,9 +1208,8 @@ static const struct drm_gem_object_funcs msm_gem_object_funcs = {
.vm_ops = &vm_ops,
};
-static int msm_gem_new_impl(struct drm_device *dev,
- uint32_t size, uint32_t flags,
- struct drm_gem_object **obj)
+static int msm_gem_new_impl(struct drm_device *dev, uint32_t flags,
+ struct drm_gem_object **obj)
{
struct msm_drm_private *priv = dev->dev_private;
struct msm_gem_object *msm_obj;
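Review bot: Removing the `size` argument from msm_gem_new_impl() is not mentioned in the commit message, which only talks about the truncation having gone unnoticed. Add a sentence saying the parameter was unused (if that is the reason) so the signature change reads as intentional. The other two patches in the series carry a Fixes: tag; one here would help backporting too.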
@@ -1244,7 +1243,7 @@ static int msm_gem_new_impl(struct drm_device *dev,
return 0;
}
-struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32_t flags)
+struct drm_gem_object *msm_gem_new(struct drm_device *dev, size_t size, uint32_t flags)
{
struct msm_drm_private *priv = dev->dev_private;
struct msm_gem_object *msm_obj;
@@ -1259,7 +1258,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32
if (size == 0)
return ERR_PTR(-EINVAL);
- ret = msm_gem_new_impl(dev, size, flags, &obj);
+ ret = msm_gem_new_impl(dev, flags, &obj);
if (ret)
return ERR_PTR(ret);
@@ -1299,12 +1298,12 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
struct msm_drm_private *priv = dev->dev_private;
struct msm_gem_object *msm_obj;
struct drm_gem_object *obj;
- uint32_t size;
+ size_t size;
int ret, npages;
size = PAGE_ALIGN(dmabuf->size);
- ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj);
+ ret = msm_gem_new_impl(dev, MSM_BO_WC, &obj);
if (ret)
return ERR_PTR(ret);
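Review bot: In msm_gem_import(), `size` is widened to size_t but `npages` in the declaration right below it stays `int`, so a page count derived from a large `size` can still be truncated. Declare `npages` as size_t as well, or another type wide enough for the page count of the largest supported buffer.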
@@ -1347,7 +1346,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
return ERR_PTR(ret);
}
-void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t flags,
+void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t flags,
struct drm_gpuvm *vm, struct drm_gem_object **bo,
uint64_t *iova)
{
diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
index 751c3b4965bc..a4cf31853c50 100644
--- a/drivers/gpu/drm/msm/msm_gem.h
+++ b/drivers/gpu/drm/msm/msm_gem.h
@@ -297,10 +297,10 @@ bool msm_gem_active(struct drm_gem_object *obj);
int msm_gem_cpu_prep(struct drm_gem_object *obj, uint32_t op, ktime_t *timeout);
int msm_gem_cpu_fini(struct drm_gem_object *obj);
int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
- uint32_t size, uint32_t flags, uint32_t *handle, char *name);
+ size_t size, uint32_t flags, uint32_t *handle, char *name);
struct drm_gem_object *msm_gem_new(struct drm_device *dev,
- uint32_t size, uint32_t flags);
-void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t flags,
+ size_t size, uint32_t flags);
+void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t flags,
struct drm_gpuvm *vm, struct drm_gem_object **bo,
uint64_t *iova);
void msm_gem_kernel_put(struct drm_gem_object *bo, struct drm_gpuvm *vm);
--
2.50.1
* Re: [PATCH 3/3] drm/msm: Fix 32b size truncation
2025-08-19 23:29 ` [PATCH 3/3] drm/msm: Fix 32b size truncation Rob Clark
@ 2025-08-20 13:50 ` Connor Abbott
2025-08-21 0:03 ` Rob Clark
0 siblings, 1 reply; 7+ messages in thread
From: Connor Abbott @ 2025-08-20 13:50 UTC (permalink / raw)
To: Rob Clark
Cc: dri-devel, linux-arm-msm, freedreno, Akhil P Oommen,
Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Sean Paul,
Marijn Suijten, David Airlie, Simona Vetter, open list
On Tue, Aug 19, 2025 at 7:29 PM Rob Clark <robin.clark@oss.qualcomm.com> wrote:
>
> Somehow we never noticed this when arm64 became a thing, many years ago.
>
> Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
> ---
> drivers/gpu/drm/msm/msm_gem.c | 17 ++++++++---------
> drivers/gpu/drm/msm/msm_gem.h | 6 +++---
> 2 files changed, 11 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
> index 958bac4e2768..9a935650e5e3 100644
> --- a/drivers/gpu/drm/msm/msm_gem.c
> +++ b/drivers/gpu/drm/msm/msm_gem.c
> @@ -1142,7 +1142,7 @@ static int msm_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
>
> /* convenience method to construct a GEM buffer object, and userspace handle */
> int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
> - uint32_t size, uint32_t flags, uint32_t *handle,
> + size_t size, uint32_t flags, uint32_t *handle,
> char *name)
> {
> struct drm_gem_object *obj;
> @@ -1208,9 +1208,8 @@ static const struct drm_gem_object_funcs msm_gem_object_funcs = {
> .vm_ops = &vm_ops,
> };
>
> -static int msm_gem_new_impl(struct drm_device *dev,
> - uint32_t size, uint32_t flags,
> - struct drm_gem_object **obj)
> +static int msm_gem_new_impl(struct drm_device *dev, uint32_t flags,
> + struct drm_gem_object **obj)
> {
> struct msm_drm_private *priv = dev->dev_private;
> struct msm_gem_object *msm_obj;
> @@ -1244,7 +1243,7 @@ static int msm_gem_new_impl(struct drm_device *dev,
> return 0;
> }
>
> -struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32_t flags)
> +struct drm_gem_object *msm_gem_new(struct drm_device *dev, size_t size, uint32_t flags)
> {
> struct msm_drm_private *priv = dev->dev_private;
> struct msm_gem_object *msm_obj;
> @@ -1259,7 +1258,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32
> if (size == 0)
> return ERR_PTR(-EINVAL);
>
> - ret = msm_gem_new_impl(dev, size, flags, &obj);
> + ret = msm_gem_new_impl(dev, flags, &obj);
> if (ret)
> return ERR_PTR(ret);
>
> @@ -1299,12 +1298,12 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
> struct msm_drm_private *priv = dev->dev_private;
> struct msm_gem_object *msm_obj;
> struct drm_gem_object *obj;
> - uint32_t size;
> + size_t size;
> int ret, npages;
npages should also be size_t.
>
> size = PAGE_ALIGN(dmabuf->size);
>
> - ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj);
> + ret = msm_gem_new_impl(dev, MSM_BO_WC, &obj);
> if (ret)
> return ERR_PTR(ret);
>
> @@ -1347,7 +1346,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
> return ERR_PTR(ret);
> }
>
> -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t flags,
> +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t flags,
> struct drm_gpuvm *vm, struct drm_gem_object **bo,
> uint64_t *iova)
> {
> diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
> index 751c3b4965bc..a4cf31853c50 100644
> --- a/drivers/gpu/drm/msm/msm_gem.h
> +++ b/drivers/gpu/drm/msm/msm_gem.h
> @@ -297,10 +297,10 @@ bool msm_gem_active(struct drm_gem_object *obj);
> int msm_gem_cpu_prep(struct drm_gem_object *obj, uint32_t op, ktime_t *timeout);
> int msm_gem_cpu_fini(struct drm_gem_object *obj);
> int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
> - uint32_t size, uint32_t flags, uint32_t *handle, char *name);
> + size_t size, uint32_t flags, uint32_t *handle, char *name);
> struct drm_gem_object *msm_gem_new(struct drm_device *dev,
> - uint32_t size, uint32_t flags);
> -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t flags,
> + size_t size, uint32_t flags);
> +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t flags,
> struct drm_gpuvm *vm, struct drm_gem_object **bo,
> uint64_t *iova);
> void msm_gem_kernel_put(struct drm_gem_object *bo, struct drm_gpuvm *vm);
> --
> 2.50.1
>
* Re: [PATCH 0/3] drm/msm: A few GEM/VM_BIND fixes
2025-08-19 23:29 [PATCH 0/3] drm/msm: A few GEM/VM_BIND fixes Rob Clark
` (2 preceding siblings ...)
2025-08-19 23:29 ` [PATCH 3/3] drm/msm: Fix 32b size truncation Rob Clark
@ 2025-08-20 14:47 ` Connor Abbott
3 siblings, 0 replies; 7+ messages in thread
From: Connor Abbott @ 2025-08-20 14:47 UTC (permalink / raw)
To: Rob Clark
Cc: dri-devel, linux-arm-msm, freedreno, Akhil P Oommen,
Abhinav Kumar, David Airlie, Dmitry Baryshkov, Jessica Zhang,
open list, Marijn Suijten, Sean Paul, Simona Vetter
On Tue, Aug 19, 2025 at 7:29 PM Rob Clark <robin.clark@oss.qualcomm.com> wrote:
>
> Fixes for a few issues found in vkd3d-proton testing.
>
> Rob Clark (3):
> drm/msm: Fix obj leak in VM_BIND error path
> drm/msm: Fix missing VM_BIND offset/range validation
> drm/msm: Fix 32b size truncation
>
> drivers/gpu/drm/msm/msm_gem.c | 17 ++++++++---------
> drivers/gpu/drm/msm/msm_gem.h | 6 +++---
> drivers/gpu/drm/msm/msm_gem_vma.c | 31 +++++++++++++++++++++++++------
> 3 files changed, 36 insertions(+), 18 deletions(-)
>
> --
> 2.50.1
>
Confirmed that this fixes vkd3d-proton test_large_heap on a750 with my
turnip sparse MR.
Tested-by: Connor Abbott <cwabbott0@gmail.com>
* Re: [PATCH 3/3] drm/msm: Fix 32b size truncation
2025-08-20 13:50 ` Connor Abbott
@ 2025-08-21 0:03 ` Rob Clark
0 siblings, 0 replies; 7+ messages in thread
From: Rob Clark @ 2025-08-21 0:03 UTC (permalink / raw)
To: Connor Abbott
Cc: dri-devel, linux-arm-msm, freedreno, Akhil P Oommen,
Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Sean Paul,
Marijn Suijten, David Airlie, Simona Vetter, open list
On Wed, Aug 20, 2025 at 6:51 AM Connor Abbott <cwabbott0@gmail.com> wrote:
>
> On Tue, Aug 19, 2025 at 7:29 PM Rob Clark <robin.clark@oss.qualcomm.com> wrote:
> >
> > Somehow we never noticed this when arm64 became a thing, many years ago.
> >
> > Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
> > ---
> > drivers/gpu/drm/msm/msm_gem.c | 17 ++++++++---------
> > drivers/gpu/drm/msm/msm_gem.h | 6 +++---
> > 2 files changed, 11 insertions(+), 12 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
> > index 958bac4e2768..9a935650e5e3 100644
> > --- a/drivers/gpu/drm/msm/msm_gem.c
> > +++ b/drivers/gpu/drm/msm/msm_gem.c
> > @@ -1142,7 +1142,7 @@ static int msm_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
> >
> > /* convenience method to construct a GEM buffer object, and userspace handle */
> > int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
> > - uint32_t size, uint32_t flags, uint32_t *handle,
> > + size_t size, uint32_t flags, uint32_t *handle,
> > char *name)
> > {
> > struct drm_gem_object *obj;
> > @@ -1208,9 +1208,8 @@ static const struct drm_gem_object_funcs msm_gem_object_funcs = {
> > .vm_ops = &vm_ops,
> > };
> >
> > -static int msm_gem_new_impl(struct drm_device *dev,
> > - uint32_t size, uint32_t flags,
> > - struct drm_gem_object **obj)
> > +static int msm_gem_new_impl(struct drm_device *dev, uint32_t flags,
> > + struct drm_gem_object **obj)
> > {
> > struct msm_drm_private *priv = dev->dev_private;
> > struct msm_gem_object *msm_obj;
> > @@ -1244,7 +1243,7 @@ static int msm_gem_new_impl(struct drm_device *dev,
> > return 0;
> > }
> >
> > -struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32_t flags)
> > +struct drm_gem_object *msm_gem_new(struct drm_device *dev, size_t size, uint32_t flags)
> > {
> > struct msm_drm_private *priv = dev->dev_private;
> > struct msm_gem_object *msm_obj;
> > @@ -1259,7 +1258,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32
> > if (size == 0)
> > return ERR_PTR(-EINVAL);
> >
> > - ret = msm_gem_new_impl(dev, size, flags, &obj);
> > + ret = msm_gem_new_impl(dev, flags, &obj);
> > if (ret)
> > return ERR_PTR(ret);
> >
> > @@ -1299,12 +1298,12 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
> > struct msm_drm_private *priv = dev->dev_private;
> > struct msm_gem_object *msm_obj;
> > struct drm_gem_object *obj;
> > - uint32_t size;
> > + size_t size;
> > int ret, npages;
>
> npages should also be size_t.
hmm, true.. a bit more of a theoretical overflow on existing devices,
but v2 will fix that
> >
> > size = PAGE_ALIGN(dmabuf->size);
> >
> > - ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj);
> > + ret = msm_gem_new_impl(dev, MSM_BO_WC, &obj);
> > if (ret)
> > return ERR_PTR(ret);
> >
> > @@ -1347,7 +1346,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
> > return ERR_PTR(ret);
> > }
> >
> > -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t flags,
> > +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t flags,
> > struct drm_gpuvm *vm, struct drm_gem_object **bo,
> > uint64_t *iova)
> > {
> > diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
> > index 751c3b4965bc..a4cf31853c50 100644
> > --- a/drivers/gpu/drm/msm/msm_gem.h
> > +++ b/drivers/gpu/drm/msm/msm_gem.h
> > @@ -297,10 +297,10 @@ bool msm_gem_active(struct drm_gem_object *obj);
> > int msm_gem_cpu_prep(struct drm_gem_object *obj, uint32_t op, ktime_t *timeout);
> > int msm_gem_cpu_fini(struct drm_gem_object *obj);
> > int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
> > - uint32_t size, uint32_t flags, uint32_t *handle, char *name);
> > + size_t size, uint32_t flags, uint32_t *handle, char *name);
> > struct drm_gem_object *msm_gem_new(struct drm_device *dev,
> > - uint32_t size, uint32_t flags);
> > -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t flags,
> > + size_t size, uint32_t flags);
> > +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t flags,
> > struct drm_gpuvm *vm, struct drm_gem_object **bo,
> > uint64_t *iova);
> > void msm_gem_kernel_put(struct drm_gem_object *bo, struct drm_gpuvm *vm);
> > --
> > 2.50.1
> >