* [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
@ 2011-09-14 12:14 Daniel Vetter
2011-09-14 20:02 ` Ben Widawsky
2011-09-23 16:14 ` Daniel Vetter
0 siblings, 2 replies; 5+ messages in thread
From: Daniel Vetter @ 2011-09-14 12:14 UTC (permalink / raw)
To: intel-gfx; +Cc: Daniel Vetter
From: Chris Wilson <chris@chris-wilson.co.uk>
We currently only round up the userspace size to the next page. We
assume that userspace hasn't made a mistake and requested a zero-length
gem object and all through our internal code we then presume that every
object is backed by at least a single page. Fix that oversight and
report EINVAL back to userspace if they try to create a zero length
object.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
[danvet: This fixes tests/gem_bad_length]
Signed-Off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
drivers/gpu/drm/i915/i915_gem.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 7998827..9857e9d 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -195,6 +195,8 @@ i915_gem_create(struct drm_file *file,
u32 handle;
size = roundup(size, PAGE_SIZE);
+ if (size == 0)
+ return -EINVAL;
/* Allocate the new object */
obj = i915_gem_alloc_object(dev, size);
--
1.7.6
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
2011-09-14 12:14 [PATCH] drm/i915: Defend against userspace creating a gem object with size==0 Daniel Vetter
@ 2011-09-14 20:02 ` Ben Widawsky
2011-09-14 21:22 ` Ben Widawsky
2011-09-23 16:14 ` Daniel Vetter
1 sibling, 1 reply; 5+ messages in thread
From: Ben Widawsky @ 2011-09-14 20:02 UTC (permalink / raw)
To: Daniel Vetter; +Cc: intel-gfx
On Wed, Sep 14, 2011 at 02:14:28PM +0200, Daniel Vetter wrote:
> From: Chris Wilson <chris@chris-wilson.co.uk>
>
> We currently only round up the userspace size to the next page. We
> assume that userspace hasn't made a mistake and requested a zero-length
> gem object and all through our internal code we then presume that every
> object is backed by at least a single page. Fix that oversight and
> report EINVAL back to userspace if they try to create a zero length
> object.
>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> [danvet: This fixes tests/gem_bad_length]
> Signed-Off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> ---
> drivers/gpu/drm/i915/i915_gem.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
> index 7998827..9857e9d 100644
> --- a/drivers/gpu/drm/i915/i915_gem.c
> +++ b/drivers/gpu/drm/i915/i915_gem.c
> @@ -195,6 +195,8 @@ i915_gem_create(struct drm_file *file,
> u32 handle;
>
> size = roundup(size, PAGE_SIZE);
> + if (size == 0)
> + return -EINVAL;
>
> /* Allocate the new object */
> obj = i915_gem_alloc_object(dev, size);
Could we just: s/roundup/DIV_ROUND_UP and be happy?
Ben
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
2011-09-14 20:02 ` Ben Widawsky
@ 2011-09-14 21:22 ` Ben Widawsky
0 siblings, 0 replies; 5+ messages in thread
From: Ben Widawsky @ 2011-09-14 21:22 UTC (permalink / raw)
To: Ben Widawsky; +Cc: Daniel Vetter, intel-gfx
On Wed, 14 Sep 2011 20:02:10 +0000
Ben Widawsky <ben@bwidawsk.net> wrote:
> On Wed, Sep 14, 2011 at 02:14:28PM +0200, Daniel Vetter wrote:
> > From: Chris Wilson <chris@chris-wilson.co.uk>
> >
> > We currently only round up the userspace size to the next page. We
> > assume that userspace hasn't made a mistake and requested a
> > zero-length gem object and all through our internal code we then
> > presume that every object is backed by at least a single page. Fix
> > that oversight and report EINVAL back to userspace if they try to
> > create a zero length object.
> >
> > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > [danvet: This fixes tests/gem_bad_length]
> > Signed-Off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> > ---
> > drivers/gpu/drm/i915/i915_gem.c | 2 ++
> > 1 files changed, 2 insertions(+), 0 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/i915_gem.c
> > b/drivers/gpu/drm/i915/i915_gem.c index 7998827..9857e9d 100644
> > --- a/drivers/gpu/drm/i915/i915_gem.c
> > +++ b/drivers/gpu/drm/i915/i915_gem.c
> > @@ -195,6 +195,8 @@ i915_gem_create(struct drm_file *file,
> > u32 handle;
> >
> > size = roundup(size, PAGE_SIZE);
> > + if (size == 0)
> > + return -EINVAL;
> >
> > /* Allocate the new object */
> > obj = i915_gem_alloc_object(dev, size);
>
> Could we just: s/roundup/DIV_ROUND_UP and be happy?
Rescinded.
Reviewed-by: Ben Widawsky <ben@bwidawsk.net>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
2011-09-14 12:14 [PATCH] drm/i915: Defend against userspace creating a gem object with size==0 Daniel Vetter
2011-09-14 20:02 ` Ben Widawsky
@ 2011-09-23 16:14 ` Daniel Vetter
1 sibling, 0 replies; 5+ messages in thread
From: Daniel Vetter @ 2011-09-23 16:14 UTC (permalink / raw)
To: intel-gfx; +Cc: Daniel Vetter
Hi Keith,
This fixes a potential user-triggerable oops (when submitting an execbuf
with a zero-length object on a kernel with dmar support). Please merge for
-fixes, Cc: stable.
Yours, Daniel
--
Daniel Vetter
Mail: daniel@ffwll.ch
Mobile: +41 (0)79 365 57 48
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
@ 2011-06-23 10:40 Chris Wilson
0 siblings, 0 replies; 5+ messages in thread
From: Chris Wilson @ 2011-06-23 10:40 UTC (permalink / raw)
To: intel-gfx
We currently only round up the userspace size to the next page. We
assume that userspace hasn't made a mistake and requested a zero-length
gem object and all through our internal code we then presume that every
object is backed by at least a single page. Fix that oversight and
report EINVAL back to userspace if they try to create a zero length
object.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
drivers/gpu/drm/i915/i915_gem.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index bceb8ec..ec533c7 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -194,6 +194,8 @@ i915_gem_create(struct drm_file *file,
u32 handle;
size = roundup(size, PAGE_SIZE);
+ if (size == 0)
+ return -EINVAL;
/* Allocate the new object */
obj = i915_gem_alloc_object(dev, size);
--
1.7.5.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-09-23 16:14 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-09-14 12:14 [PATCH] drm/i915: Defend against userspace creating a gem object with size==0 Daniel Vetter
2011-09-14 20:02 ` Ben Widawsky
2011-09-14 21:22 ` Ben Widawsky
2011-09-23 16:14 ` Daniel Vetter
-- strict thread matches above, loose matches on Subject: below --
2011-06-23 10:40 Chris Wilson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.