From: Thierry Reding
Subject: Re: [PATCH 16/17] drm/tegra: gem: dumb: pitch and size are outputs
Date: Mon, 3 Nov 2014 11:12:23 +0100
Message-ID: <20141103101221.GA501@ulmo.nvidia.com>
In-Reply-To: <20141103095141.GC26941@phenom.ffwll.local>
To: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org

On Mon, Nov 03, 2014 at 10:51:42AM +0100, Daniel Vetter wrote:
> On Mon, Nov 03, 2014 at 10:27:47AM +0100, Thierry Reding wrote:
> > From: Thierry Reding
> >
> > When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB
> > IOCTL, only the width, height, bpp and flags parameters are inputs. The
> > caller is not guaranteed to zero out or set handle, pitch and size, so
> > the driver must not treat these values as possible inputs.
> >
> > Fixes a bug where running the Weston compositor on Tegra DRM would cause
> > an attempt to allocate a 3 GiB framebuffer to be allocated.
> >
> > Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Thierry Reding
>
> Shouldn't we also clear these fields in the drm core ioctl code? This
> is indeed surprising (yay for lacking input validation!), doing this
> mistake in each driver won't scale ...

They are clearly documented as being outputs in the drm_mode_create_dumb
struct (include/uapi/drm/drm_mode.h), so this was really just me being
stupid a couple of years ago. But yes, validating the input in the core
sounds like a good idea to avoid this in other drivers in the future.

Thierry
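The bug pattern under discussion, as an added illustration that is not code from this thread or from the Tegra driver: a dumb-create handler that treats the caller's uninitialised pitch/size as minimum values next to one that derives both outputs purely from width, height and bpp. The struct layout, the 64-byte row alignment and the 4 GiB cap are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed stand-in for the UAPI struct drm_mode_create_dumb (field set
 * assumed): width, height, bpp and flags are inputs; handle, pitch and size
 * are outputs that the caller need not zero or set. */
struct dumb_args {
	uint32_t height, width, bpp, flags;
	uint32_t handle, pitch;
	uint64_t size;
};

#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((uint64_t)(a) - 1))

/* Buggy pattern (assumed, modelled on the commit message): pitch and size
 * are treated as caller-supplied minimums, so stale values survive. */
static int dumb_create_buggy(struct dumb_args *a)
{
	uint32_t min_pitch = a->width * ((a->bpp + 7) / 8);
	if (a->pitch < min_pitch)
		a->pitch = min_pitch;
	if (a->size < (uint64_t)a->pitch * a->height)
		a->size = (uint64_t)a->pitch * a->height;
	return 0;
}

/* Fixed: only the documented inputs are read and range-checked; pitch and
 * size are always recomputed, whatever the caller left in them. */
static int dumb_create_fixed(struct dumb_args *a)
{
	uint64_t row;
	if (!a->width || !a->height || !a->bpp || a->bpp > 32)
		return -EINVAL;
	row = ALIGN_UP((uint64_t)a->width * ((a->bpp + 7) / 8), 64); /* assumed alignment */
	if (row > UINT32_MAX || row * a->height > (1ull << 32)) /* assumed 4 GiB cap */
		return -EINVAL;
	a->pitch = (uint32_t)row;
	a->size = row * a->height;
	return 0;
}

/* 1024x768 XRGB8888 request with whatever was left in pitch/size; returns the
 * size the handler would allocate (0 on rejection). */
uint64_t resulting_size(int fixed, uint32_t stale_pitch, uint64_t stale_size)
{
	struct dumb_args a = { .width = 1024, .height = 768, .bpp = 32,
			       .pitch = stale_pitch, .size = stale_size };
	int ret = fixed ? dumb_create_fixed(&a) : dumb_create_buggy(&a);
	return ret ? 0 : a.size;
}
```

With 3 GiB of stack garbage in `size`, the buggy handler allocates 3 GiB while the fixed one allocates the 3 MiB the request actually needs.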