From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Gustavo Padovan <gustavo@padovan.org>
Cc: Gustavo Padovan <gustavo.padovan@collabora.com>,
	stable@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/fence: fix memory overwrite when setting out_fence fd
Date: Fri, 13 Jan 2017 17:00:36 +0200
Message-ID: <2003560.ZPyAhlVHHW@avalon>
In-Reply-To: <1484317329-9293-1-git-send-email-gustavo@padovan.org>

Hi Gustavo,

Thank you for the patch.

On Friday 13 Jan 2017 12:22:09 Gustavo Padovan wrote:
> From: Gustavo Padovan <gustavo.padovan@collabora.com>
> 
> Currently if userspace declares an int variable to store the out_fence
> fd and passes it to OUT_FENCE_PTR, the kernel will overwrite the 32 bits
> above the int variable on 64-bit systems.
> 
> Fix this by making the internal storage of out_fence in the kernel an s32
> pointer.
> 
> Reported-by: Chad Versace <chadversary@chromium.org>
> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: Rafael Antognolli <rafael.antognolli@intel.com>
> Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

> Cc: stable@vger.kernel.org

I don't think this is needed, given that the code was merged in v4.10-rc1, and 
this patch should be merged as a v4.10-rc fix.

> ---
>  drivers/gpu/drm/drm_atomic.c  | 12 ++++++------
>  include/drm/drm_atomic.h      |  2 +-
>  include/drm/drm_mode_config.h |  2 +-
>  3 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
> index 6414bcf..723392f 100644
> --- a/drivers/gpu/drm/drm_atomic.c
> +++ b/drivers/gpu/drm/drm_atomic.c
> @@ -286,15 +286,15 @@ drm_atomic_get_crtc_state(struct drm_atomic_state
> *state, EXPORT_SYMBOL(drm_atomic_get_crtc_state);
> 
>  static void set_out_fence_for_crtc(struct drm_atomic_state *state,
> -				   struct drm_crtc *crtc, s64 __user 
*fence_ptr)
> +				   struct drm_crtc *crtc, s32 __user 
*fence_ptr)
>  {
>  	state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = fence_ptr;
>  }
> 
> -static s64 __user *get_out_fence_for_crtc(struct drm_atomic_state *state,
> +static s32 __user *get_out_fence_for_crtc(struct drm_atomic_state *state,
>  					  struct drm_crtc *crtc)
>  {
> -	s64 __user *fence_ptr;
> +	s32 __user *fence_ptr;
> 
>  	fence_ptr = state->crtcs[drm_crtc_index(crtc)].out_fence_ptr;
>  	state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = NULL;
> @@ -507,7 +507,7 @@ int drm_atomic_crtc_set_property(struct drm_crtc *crtc,
>  		state->color_mgmt_changed |= replaced;
>  		return ret;
>  	} else if (property == config->prop_out_fence_ptr) {
> -		s64 __user *fence_ptr = u64_to_user_ptr(val);
> +		s32 __user *fence_ptr = u64_to_user_ptr(val);
> 
>  		if (!fence_ptr)
>  			return 0;
> @@ -1914,7 +1914,7 @@ EXPORT_SYMBOL(drm_atomic_clean_old_fb);
>   */
> 
>  struct drm_out_fence_state {
> -	s64 __user *out_fence_ptr;
> +	s32 __user *out_fence_ptr;
>  	struct sync_file *sync_file;
>  	int fd;
>  };
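Review bot: in struct drm_out_fence_state the destination is now `s32 __user *out_fence_ptr` next to `int fd`, but no visible hunk touches the store that copies the fd to userspace, so the fix depends on that store taking its width from the pointee type. Say so in the commit message, or in a comment on out_fence_ptr, so that a later type change to this field is not mistaken for a cosmetic one.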
> @@ -1951,7 +1951,7 @@ static int prepare_crtc_signaling(struct drm_device
> *dev, return 0;
> 
>  	for_each_crtc_in_state(state, crtc, crtc_state, i) {
> -		u64 __user *fence_ptr;
> +		s32 __user *fence_ptr;
> 
>  		fence_ptr = get_out_fence_for_crtc(crtc_state->state, crtc);
> 
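Review bot: the declaration removed in prepare_crtc_signaling() was `u64 __user *fence_ptr`, while get_out_fence_for_crtc() returned `s64 __user *`, so the old code already mixed signedness at this assignment. Making both s32 is right; a line in the commit message noting that this mismatch is cleaned up as well would help anyone reading the history later.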
> diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h
> index f96220e..f1cb2b0 100644
> --- a/include/drm/drm_atomic.h
> +++ b/include/drm/drm_atomic.h
> @@ -144,7 +144,7 @@ struct __drm_crtcs_state {
>  	struct drm_crtc *ptr;
>  	struct drm_crtc_state *state;
>  	struct drm_crtc_commit *commit;
> -	s64 __user *out_fence_ptr;
> +	s32 __user *out_fence_ptr;
>  	unsigned last_vblank_count;
>  };
> 
> diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h
> index 17942c0..fe230f1 100644
> --- a/include/drm/drm_mode_config.h
> +++ b/include/drm/drm_mode_config.h
> @@ -496,7 +496,7 @@ struct drm_mode_config {
>  	/**
>  	 * @prop_out_fence_ptr: Sync File fd pointer representing the
>  	 * outgoing fences for a CRTC. Userspace should provide a pointer to a
> -	 * value of type s64, and then cast that pointer to u64.
> +	 * value of type s32, and then cast that pointer to u64.
>  	 */
>  	struct drm_property *prop_out_fence_ptr;
>  	/**
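Review bot: the kerneldoc for @prop_out_fence_ptr now tells userspace to provide a value of "type s32", which is a kernel-internal type name; since this comment is the contract callers code against, name the width in userspace terms as well (a 32-bit signed integer, for example int32_t). The comment also changes the documented size from 64 to 32 bits without saying what a caller written against the s64 wording should expect, which deserves a sentence here or in the commit message.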

-- 
Regards,

Laurent Pinchart
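
The overwrite described in the commit message, modelled in userspace C as an added example (not code from the patch or the kernel). `struct caller_frame`, `store_as_s64()` and `store_as_s32()` are hypothetical stand-ins for a caller's memory and for a store whose width follows an s64 or s32 pointee.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace layout: an int slot for the fd, then unrelated data. */
struct caller_frame {
	int32_t out_fence_fd;
	uint32_t neighbour;
};

#define CANARY 0xC0FFEE11u

/* Hypothetical models of the store: the width follows the pointee type. */
static void store_as_s64(void *user_ptr, int fd)
{
	int64_t v = fd;
	memcpy(user_ptr, &v, sizeof(v));	/* 8 bytes written */
}

static void store_as_s32(void *user_ptr, int fd)
{
	int32_t v = fd;
	memcpy(user_ptr, &v, sizeof(v));	/* 4 bytes written */
}

/* Returns 1 if the data next to the int slot is intact after the store. */
static int neighbour_intact(void (*store)(void *, int), int fd)
{
	struct caller_frame f = { .out_fence_fd = -1, .neighbour = CANARY };

	store((unsigned char *)&f + offsetof(struct caller_frame, out_fence_fd), fd);
	return f.neighbour == CANARY;
}

/* Returns the fd the caller reads back from its int slot. */
static int fd_seen_by_caller(void (*store)(void *, int), int fd)
{
	struct caller_frame f = { .out_fence_fd = -1, .neighbour = CANARY };

	store((unsigned char *)&f, fd);
	return f.out_fence_fd;
}

int main(void)
{
	printf("s64 store: neighbour intact = %d\n", neighbour_intact(store_as_s64, 7));
	printf("s32 store: neighbour intact = %d, fd = %d\n",
	       neighbour_intact(store_as_s32, 7), fd_seen_by_caller(store_as_s32, 7));
	return 0;
}
```

The 8-byte store clobbers the neighbouring word on either byte order; which half receives the fd differs, so the value read back from the int slot after the wide store is not asserted here.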
