[PATCH OLK-5.10 1/3] drm/vmwgfx: Introduce ttm reference object find function

hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALIFE

--------------------------------

For CVE-2022-48887, ttm_base_object_lookup requires a non-RCU lookup function to solve buggy RCU paths. But there is none, hence introduce it to handle this CVE.

Fixes: e14c02e6b699 ("drm/vmwgfx: Look up objects without taking a reference") Signed-off-by: Huang Xiaojia huangxiaojia2@huawei.com --- drivers/gpu/drm/drm_hashtab.c | 5 +++-- drivers/gpu/drm/vmwgfx/ttm_object.c | 14 ++++++++++++++ include/drm/drm_hashtab.h | 2 ++ 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_hashtab.c b/drivers/gpu/drm/drm_hashtab.c index c50fa6f0709f..a61642835542 100644 --- a/drivers/gpu/drm/drm_hashtab.c +++ b/drivers/gpu/drm/drm_hashtab.c @@ -74,8 +74,8 @@ void drm_ht_verbose_list(struct drm_open_hash *ht, unsigned long key) DRM_DEBUG("count %d, key: 0x%08lx\n", count++, entry->key); }

-static struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht, - unsigned long key) +struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht, + unsigned long key) { struct drm_hash_item *entry; struct hlist_head *h_list; @@ -91,6 +91,7 @@ static struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht, } return NULL; } +EXPORT_SYMBOL(drm_ht_find_key);

static struct hlist_node *drm_ht_find_key_rcu(struct drm_open_hash *ht, unsigned long key) diff --git a/drivers/gpu/drm/vmwgfx/ttm_object.c b/drivers/gpu/drm/vmwgfx/ttm_object.c index 16077785ad47..03bf50e87d97 100644 --- a/drivers/gpu/drm/vmwgfx/ttm_object.c +++ b/drivers/gpu/drm/vmwgfx/ttm_object.c @@ -137,6 +137,20 @@ ttm_object_file_ref(struct ttm_object_file *tfile) return tfile; }

+static int ttm_tfile_find_ref(struct drm_open_hash *ht, + uint32_t key, + struct drm_hash_item **item) +{ + struct hlist_node *h_node; + + h_node = drm_ht_find_key(ht, key); + if (!h_node) + return -EINVAL; + + *item = hlist_entry(h_node, struct drm_hash_item, head); + return 0; +} + static void ttm_object_file_destroy(struct kref *kref) { struct ttm_object_file *tfile = diff --git a/include/drm/drm_hashtab.h b/include/drm/drm_hashtab.h index bb95ff011baf..fe5ad4793a15 100644 --- a/include/drm/drm_hashtab.h +++ b/include/drm/drm_hashtab.h @@ -49,6 +49,8 @@ struct drm_open_hash { u8 order; };

+struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht, unsigned long key); + int drm_ht_create(struct drm_open_hash *ht, unsigned int order); int drm_ht_insert_item(struct drm_open_hash *ht, struct drm_hash_item *item); int drm_ht_just_insert_please(struct drm_open_hash *ht, struct drm_hash_item *item,