1. 12 Jun, 2018 1 commit
    • Kees Cook's avatar
      treewide: Use array_size() in vmalloc() · 42bc47b3
      Kees Cook authored
      The vmalloc() function has no 2-factor argument form, so multiplication
      factors need to be wrapped in array_size(). This patch replaces cases of:
      
              vmalloc(a * b)
      
      with:
              vmalloc(array_size(a, b))
      
      as well as handling cases of:
      
              vmalloc(a * b * c)
      
      with:
      
              vmalloc(array3_size(a, b, c))
      
      This does, however, attempt to ignore constant size factors like:
      
              vmalloc(4 * 1024)
      
      though any constants defined via macros get caught up in the conversion.
      
      Any factors with a sizeof() of "unsigned char", "char", and "u8" were
      dropped, since they're redundant.
      
      The Coccinelle script used for this was:
      
      // Fix redundant parens around sizeof().
      @@
      type TYPE;
      expression THING, E;
      @@
      
      (
        vmalloc(
      -	(sizeof(TYPE)) * E
      +	sizeof(TYPE) * E
        , ...)
      |
        vmalloc(
      -	(sizeof(THING)) * E
      +	sizeof(THING) * E
        , ...)
      )
      
      // Drop single-byte sizes and redundant parens.
      @@
      expression COUNT;
      typedef u8;
      typedef __u8;
      @@
      
      (
        vmalloc(
      -	sizeof(u8) * (COUNT)
      +	COUNT
        , ...)
      |
        vmalloc(
      -	sizeof(__u8) * (COUNT)
      +	COUNT
        , ...)
      |
        vmalloc(
      -	sizeof(char) * (COUNT)
      +	COUNT
        , ...)
      |
        vmalloc(
      -	sizeof(unsigned char) * (COUNT)
      +	COUNT
        , ...)
      |
        vmalloc(
      -	sizeof(u8) * COUNT
      +	COUNT
        , ...)
      |
        vmalloc(
      -	sizeof(__u8) * COUNT
      +	COUNT
        , ...)
      |
        vmalloc(
      -	sizeof(char) * COUNT
      +	COUNT
        , ...)
      |
        vmalloc(
      -	sizeof(unsigned char) * COUNT
      +	COUNT
        , ...)
      )
      
      // 2-factor product with sizeof(type/expression) and identifier or constant.
      @@
      type TYPE;
      expression THING;
      identifier COUNT_ID;
      constant COUNT_CONST;
      @@
      
      (
        vmalloc(
      -	sizeof(TYPE) * (COUNT_ID)
      +	array_size(COUNT_ID, sizeof(TYPE))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE) * COUNT_ID
      +	array_size(COUNT_ID, sizeof(TYPE))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE) * (COUNT_CONST)
      +	array_size(COUNT_CONST, sizeof(TYPE))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE) * COUNT_CONST
      +	array_size(COUNT_CONST, sizeof(TYPE))
        , ...)
      |
        vmalloc(
      -	sizeof(THING) * (COUNT_ID)
      +	array_size(COUNT_ID, sizeof(THING))
        , ...)
      |
        vmalloc(
      -	sizeof(THING) * COUNT_ID
      +	array_size(COUNT_ID, sizeof(THING))
        , ...)
      |
        vmalloc(
      -	sizeof(THING) * (COUNT_CONST)
      +	array_size(COUNT_CONST, sizeof(THING))
        , ...)
      |
        vmalloc(
      -	sizeof(THING) * COUNT_CONST
      +	array_size(COUNT_CONST, sizeof(THING))
        , ...)
      )
      
      // 2-factor product, only identifiers.
      @@
      identifier SIZE, COUNT;
      @@
      
        vmalloc(
      -	SIZE * COUNT
      +	array_size(COUNT, SIZE)
        , ...)
      
      // 3-factor product with 1 sizeof(type) or sizeof(expression), with
      // redundant parens removed.
      @@
      expression THING;
      identifier STRIDE, COUNT;
      type TYPE;
      @@
      
      (
        vmalloc(
      -	sizeof(TYPE) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        vmalloc(
      -	sizeof(THING) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        vmalloc(
      -	sizeof(THING) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        vmalloc(
      -	sizeof(THING) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        vmalloc(
      -	sizeof(THING) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      )
      
      // 3-factor product with 2 sizeof(variable), with redundant parens removed.
      @@
      expression THING1, THING2;
      identifier COUNT;
      type TYPE1, TYPE2;
      @@
      
      (
        vmalloc(
      -	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        vmalloc(
      -	sizeof(THING1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        vmalloc(
      -	sizeof(THING1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      |
        vmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      )
      
      // 3-factor product, only identifiers, with redundant parens removed.
      @@
      identifier STRIDE, SIZE, COUNT;
      @@
      
      (
        vmalloc(
      -	(COUNT) * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vmalloc(
      -	COUNT * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vmalloc(
      -	COUNT * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vmalloc(
      -	(COUNT) * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vmalloc(
      -	COUNT * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vmalloc(
      -	(COUNT) * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vmalloc(
      -	(COUNT) * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vmalloc(
      -	COUNT * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      )
      
      // Any remaining multi-factor products, first at least 3-factor products
      // when they're not all constants...
      @@
      expression E1, E2, E3;
      constant C1, C2, C3;
      @@
      
      (
        vmalloc(C1 * C2 * C3, ...)
      |
        vmalloc(
      -	E1 * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      )
      
      // And then all remaining 2 factors products when they're not all constants.
      @@
      expression E1, E2;
      constant C1, C2;
      @@
      
      (
        vmalloc(C1 * C2, ...)
      |
        vmalloc(
      -	E1 * E2
      +	array_size(E1, E2)
        , ...)
      )
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      42bc47b3
  2. 27 Apr, 2018 1 commit
  3. 21 Mar, 2018 1 commit
  4. 23 Oct, 2017 1 commit
  5. 26 Jul, 2017 2 commits
  6. 17 May, 2017 1 commit
  7. 07 Mar, 2017 1 commit
    • Gabriel Krisman Bertazi's avatar
      drm: qxl: Don't alloc fbdev if emulation is not supported · 86107838
      Gabriel Krisman Bertazi authored
      If fbdev emulation is disabled, the QXL shutdown path will try to clean
      a framebuffer that wasn't initialized, hitting the Oops below.  The
      problem is that even when FBDEV_EMULATION is disabled we allocate the
      qfbdev strutucture, but we don't initialize it.  The fix is to stop
      allocating the memory, since it won't be used.  This allows the existing
      verification in the cleanup hook to do it's job preventing the oops.
      
      Now that we don't allocate the unused fbdev structure, we need to be
      careful when dereferencing it in the PM suspend hook.
      
      [   24.284684] BUG: unable to handle kernel NULL pointer dereference at 00000000000002e0
      [   24.285627] IP: mutex_lock+0x18/0x30
      [   24.286049] PGD 78cdf067
      [   24.286050] PUD 7940f067
      [   24.286344] PMD 0
      [   24.286649]
      [   24.287072] Oops: 0002 [#1] SMP
      [   24.287422] Modules linked in: qxl
      [   24.287806] CPU: 0 PID: 2328 Comm: bash Not tainted 4.10.0-rc5+ #97
      [   24.288515] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
      [   24.289681] task: ffff88007c4c0000 task.stack: ffffc90001b58000
      [   24.290354] RIP: 0010:mutex_lock+0x18/0x30
      [   24.290812] RSP: 0018:ffffc90001b5bcb0 EFLAGS: 00010246
      [   24.291401] RAX: 0000000000000000 RBX: 00000000000002e0 RCX: 0000000000000000
      [   24.292209] RDX: ffff88007c4c0000 RSI: 0000000000000001 RDI: 00000000000002e0
      [   24.292987] RBP: ffffc90001b5bcb8 R08: fffffffffffffffe R09: 0000000000000001
      [   24.293797] R10: ffff880078d80b80 R11: 0000000000011400 R12: 0000000000000000
      [   24.294601] R13: 00000000000002e0 R14: ffffffffa0009c28 R15: 0000000000000060
      [   24.295439] FS:  00007f30e3acbb40(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
      [   24.296364] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   24.296997] CR2: 00000000000002e0 CR3: 0000000078c7b000 CR4: 00000000000006f0
      [   24.297813] Call Trace:
      [   24.298097]  drm_framebuffer_cleanup+0x1f/0x70
      [   24.298612]  qxl_fbdev_fini+0x68/0x90 [qxl]
      [   24.299074]  qxl_modeset_fini+0xd/0x30 [qxl]
      [   24.299562]  qxl_pci_remove+0x22/0x50 [qxl]
      [   24.300025]  pci_device_remove+0x34/0xb0
      [   24.300507]  device_release_driver_internal+0x150/0x200
      [   24.301082]  device_release_driver+0xd/0x10
      [   24.301587]  unbind_store+0x108/0x150
      [   24.301993]  drv_attr_store+0x20/0x30
      [   24.302402]  sysfs_kf_write+0x32/0x40
      [   24.302827]  kernfs_fop_write+0x108/0x190
      [   24.303269]  __vfs_write+0x23/0x120
      [   24.303678]  ? security_file_permission+0x36/0xb0
      [   24.304193]  ? rw_verify_area+0x49/0xb0
      [   24.304636]  vfs_write+0xb0/0x190
      [   24.305004]  SyS_write+0x41/0xa0
      [   24.305362]  entry_SYSCALL_64_fastpath+0x1a/0xa9
      [   24.305887] RIP: 0033:0x7f30e31d9620
      [   24.306285] RSP: 002b:00007ffc54b47e68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [   24.307128] RAX: ffffffffffffffda RBX: 00007f30e3497600 RCX: 00007f30e31d9620
      [   24.307928] RDX: 000000000000000d RSI: 0000000000da2008 RDI: 0000000000000001
      [   24.308727] RBP: 000000000070bc60 R08: 00007f30e3498760 R09: 00007f30e3acbb40
      [   24.309504] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000001
      [   24.310295] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffc54b47f34
      [   24.311095] Code: 0e 01 e9 7b fe ff ff 66 90 66 2e 0f 1f 84 00 00 00 00 00
      55 48 89 e5 53 48 89 fb e8 83 e8 ff ff 65 48 8b 14 25 40 c4 00 00 31 c0 <3e>
      48 0f b1 13 48 85 c0 74 08 48 89 df e8 66 fd ff ff 5b 5d c3
      [   24.313182] RIP: mutex_lock+0x18/0x30 RSP: ffffc90001b5bcb0
      [   24.313811] CR2: 00000000000002e0
      [   24.314208] ---[ end trace 29669c1593cae14b ]---
      Signed-off-by: default avatarGabriel Krisman Bertazi <krisman@collabora.co.uk>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170227203330.18542-1-krisman@collabora.co.ukSigned-off-by: default avatarGerd Hoffmann <kraxel@redhat.com>
      86107838
  8. 28 Feb, 2017 1 commit
  9. 07 Feb, 2017 1 commit
  10. 02 Feb, 2017 3 commits
  11. 15 Dec, 2016 1 commit
  12. 15 Nov, 2016 1 commit
  13. 14 Nov, 2016 1 commit
  14. 25 Aug, 2016 1 commit
  15. 12 Aug, 2016 2 commits
  16. 07 Jun, 2016 1 commit
  17. 17 May, 2016 1 commit
  18. 02 May, 2016 2 commits
  19. 20 Apr, 2016 1 commit
  20. 24 Nov, 2015 2 commits
  21. 07 Oct, 2015 1 commit
  22. 06 Aug, 2015 1 commit
  23. 07 May, 2015 1 commit
    • Gerd Hoffmann's avatar
      drm/qxl: rewrite framebuffer support · c0fe07aa
      Gerd Hoffmann authored
      Completely different approach:  Instead of encoding each and every
      framebuffer update as spice operation simply update the shadow
      framebuffer and maintain a dirty rectangle.  Also schedule a worker
      to push an update for the dirty rectangle as spice operation.  Usually
      a bunch of dirty rectangle updates are collected before the worker
      actually runs.
      
      What changes:  Updates get batched now.  Instead of sending tons of
      small updates a few large ones are sent.  When the same region is
      updated multiple times within a short timeframe (scrolling multiple
      lines for example) we send a single update only.  Spice server has an
      easier job now:  The dependency tree for display operations which spice
      server maintains for lazy rendering is alot smaller now.  Spice server's
      image compression probably works better too with the larger image blits.
      
      Net effect:  framebuffer console @ qxldrmfb is an order of magnitude
      faster now.
      Signed-off-by: default avatarGerd Hoffmann <kraxel@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      c0fe07aa
  24. 21 Jan, 2015 1 commit
  25. 24 Sep, 2014 1 commit
  26. 08 Jul, 2014 2 commits
  27. 04 Nov, 2013 1 commit
  28. 24 Jul, 2013 1 commit
    • Dave Airlie's avatar
      drm/qxl: add delayed fb operations · 0665f9f8
      Dave Airlie authored
      Due to the nature of qxl hw we cannot queue operations while in an irq
      context, so we queue these operations as best we can until atomic allocations
      fail, and dequeue them later in a work queue.
      
      Daniel looked over the locking on the list and agrees it should be sufficent.
      
      The atomic allocs use no warn, as the last thing we want if we haven't memory
      to allocate space for a printk in an irq context is more printks.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      0665f9f8
  29. 05 Jul, 2013 2 commits
  30. 17 Jun, 2013 1 commit
  31. 16 Apr, 2013 1 commit
    • Dave Airlie's avatar
      drm/qxl: make lots of things static. · 6d01f1f5
      Dave Airlie authored
      /usr/lib/gcc/x86_64-linux-gnu/4.7/include/stddef.h:414:9: sparse: preprocessor token offsetof redefined
      include/linux/stddef.h:17:9: this was the original definition
      >> drivers/gpu/drm/qxl/qxl_drv.c:49:5: sparse: symbol 'qxl_modeset' was not declared. Should it be static?
      
      Reported-by: kbuild test robot.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      6d01f1f5
  32. 12 Apr, 2013 1 commit
    • Dave Airlie's avatar
      drm: add new QXL driver. (v1.4) · f64122c1
      Dave Airlie authored
      QXL is a paravirtual graphics device used by the Spice virtual desktop
      interface.
      
      The drivers uses GEM and TTM to manage memory, the qxl hw fencing however
      is quite different than normal TTM expects, we have to keep track of a number
      of non-linear fence ids per bo that we need to have released by the hardware.
      
      The releases are freed from a workqueue that wakes up and processes the
      release ring.
      
      releases are suballocated from a BO, there are 3 release categories, drawables,
      surfaces and cursor cmds. The hw also has 3 rings for commands, cursor and release handling.
      
      The hardware also have a surface id tracking mechnaism and the driver encapsulates it completely inside the kernel, userspace never sees the actual hw surface
      ids.
      
      This requires a newer version of the QXL userspace driver, so shouldn't be
      enabled until that has been placed into your distro of choice.
      
      Authors: Dave Airlie, Alon Levy
      
      v1.1: fixup some issues in the ioctl interface with padding
      v1.2: add module device table
      v1.3: fix nomodeset, fbcon leak, dumb bo create, release ring irq,
            don't try flush release ring (broken hw), fix -modesetting.
      v1.4: fbcon cpu usage reduction + suitable accel flags.
      Signed-off-by: default avatarAlon Levy <alevy@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      f64122c1