aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux/bcm27xx/patches-5.4/950-0279-drm-vc4-Prevent-load-tracking-from-breaking-FKMS.patch
diff options
context:
space:
mode:
Diffstat (limited to 'target/linux/bcm27xx/patches-5.4/950-0279-drm-vc4-Prevent-load-tracking-from-breaking-FKMS.patch')
-rw-r--r--target/linux/bcm27xx/patches-5.4/950-0279-drm-vc4-Prevent-load-tracking-from-breaking-FKMS.patch74
1 files changed, 74 insertions, 0 deletions
diff --git a/target/linux/bcm27xx/patches-5.4/950-0279-drm-vc4-Prevent-load-tracking-from-breaking-FKMS.patch b/target/linux/bcm27xx/patches-5.4/950-0279-drm-vc4-Prevent-load-tracking-from-breaking-FKMS.patch
new file mode 100644
index 0000000000..e4f178d0a2
--- /dev/null
+++ b/target/linux/bcm27xx/patches-5.4/950-0279-drm-vc4-Prevent-load-tracking-from-breaking-FKMS.patch
@@ -0,0 +1,74 @@
+From 907dc84e0c7208b79ad57e0e2a7964dbc9155f50 Mon Sep 17 00:00:00 2001
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Thu, 15 Aug 2019 08:39:08 +0100
+Subject: [PATCH] drm/vc4: Prevent load tracking from breaking FKMS
+
+Firmware KMS uses a mixture of VC4 processing and dedicated code. The
+load tracking support in VC4 assumes it is dealing with vc4_plane_state
+objects when up-casting with container_of, but FKMS uses unadorned
+drm_plane_state structures causing the VC4 code to read off the end
+into random portions of memory. Work around the problem in a minimally-
+invasive way by over-allocating the FKMS plane state structures to be
+large enough to contain a vc4_plane_state, filling the remainder with
+zeroes.
+
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+---
+ drivers/gpu/drm/vc4/vc4_firmware_kms.c | 34 ++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_firmware_kms.c
++++ b/drivers/gpu/drm/vc4/vc4_firmware_kms.c
+@@ -561,6 +561,20 @@ static int vc4_plane_atomic_check(struct
+ return 0;
+ }
+
++/* Called during init to allocate the plane's atomic state. */
++static void vc4_plane_reset(struct drm_plane *plane)
++{
++ struct vc4_plane_state *vc4_state;
++
++ WARN_ON(plane->state);
++
++ vc4_state = kzalloc(sizeof(*vc4_state), GFP_KERNEL);
++ if (!vc4_state)
++ return;
++
++ __drm_atomic_helper_plane_reset(plane, &vc4_state->base);
++}
++
+ static void vc4_plane_destroy(struct drm_plane *plane)
+ {
+ drm_plane_cleanup(plane);
+@@ -602,13 +616,29 @@ static bool vc4_fkms_format_mod_supporte
+ }
+ }
+
++static struct drm_plane_state *vc4_plane_duplicate_state(struct drm_plane *plane)
++{
++ struct vc4_plane_state *vc4_state;
++
++ if (WARN_ON(!plane->state))
++ return NULL;
++
++ vc4_state = kzalloc(sizeof(*vc4_state), GFP_KERNEL);
++ if (!vc4_state)
++ return NULL;
++
++ __drm_atomic_helper_plane_duplicate_state(plane, &vc4_state->base);
++
++ return &vc4_state->base;
++}
++
+ static const struct drm_plane_funcs vc4_plane_funcs = {
+ .update_plane = drm_atomic_helper_update_plane,
+ .disable_plane = drm_atomic_helper_disable_plane,
+ .destroy = vc4_plane_destroy,
+ .set_property = NULL,
+- .reset = drm_atomic_helper_plane_reset,
+- .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
++ .reset = vc4_plane_reset,
++ .atomic_duplicate_state = vc4_plane_duplicate_state,
+ .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
+ .format_mod_supported = vc4_fkms_format_mod_supported,
+ };
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-06 05:46:09 +0000