From: Thierry Reding
Subject: [GIT PULL] drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input
Date: Thu, 13 Nov 2014 13:52:47 +0100
Message-ID: <20141113125245.GA25290@ulmo>
To: Dave Airlie
Cc: dri-devel@lists.freedesktop.org

Hi Dave,

The following changes since commit f114040e3ea6e07372334ade75d1ee0775c355e1:

  Linux 3.18-rc1 (2014-10-19 18:08:38 -0700)

are available in the git repository at:

  git://people.freedesktop.org/~tagr/linux tags/drm/gem-cma/for-3.19-rc1

for you to fetch changes up to 7ff7f0a1a934d0d073560dcabe7508e0a4f75f1c:

  drm/cma: Remove call to drm_gem_free_mmap_offset() (2014-11-13 13:27:33 +0100)

Thanks,
Thierry

----------------------------------------------------------------
drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input

Some drivers erroneously treat the .pitch and .size fields of struct
drm_mode_create_dumb as inputs. While the include/uapi/drm/drm_mode.h
header has a comment denoting them as outputs, that seemingly wasn't
enough to make drivers use them properly.

The result is that some userspace doesn't explicitly zero out those
fields, assuming that the kernel won't use them. That causes problems
since the data within the structure might be uninitialized, so bogus
data may end up confusing drivers (ridiculously large values for the
pitch, ...).

This series attempts to improve the situation by fixing all drivers to
not use the output fields. Furthermore to spare new drivers this bad
surprise, the DRM core now zeros out these fields prior to handing the
data structure to the driver.

Lessons learned from this are that future IOCTLs should be properly
documented (in the DRM DocBook for example) and should be rigorously
defined. To prevent misuse like this, userspace should be required to
zero out all output fields. The kernel should check for this and fail
if that's not the case.

----------------------------------------------------------------
Thierry Reding (8):
      drm/gem: Fix a few kerneldoc typos
      drm/doc: mm: Fix indentation
      drm/doc: Add GEM/CMA helpers to kerneldoc
      drm/cma: Introduce drm_gem_cma_dumb_create_internal()
      drm/omap: gem: dumb: pitch is an output
      drm/rcar: gem: dumb: pitch is an output
      drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input
      drm/cma: Remove call to drm_gem_free_mmap_offset()

 Documentation/DocBook/drm.tmpl        | 274 +++++++++++++++++-----------------
 drivers/gpu/drm/drm_crtc.c            |  10 ++
 drivers/gpu/drm/drm_gem.c             |  11 +-
 drivers/gpu/drm/drm_gem_cma_helper.c  | 259 ++++++++++++++++++++++++++------
 drivers/gpu/drm/omapdrm/omap_gem.c    |   3 +-
 drivers/gpu/drm/rcar-du/rcar_du_kms.c |   4 +-
 include/drm/drm_gem_cma_helper.h      |  30 +++-
 7 files changed, 395 insertions(+), 196 deletions(-)
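
Added example, not part of the original message and not code from the kernel tree: a userspace C model of the two policies the tag description names, zeroing the output fields in the core versus rejecting requests whose output fields are non-zero. `struct dumb_args` models the fields of `struct drm_mode_create_dumb`; the function names, the buggy driver callback and the sample request are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of struct drm_mode_create_dumb: four inputs, three outputs. */
struct dumb_args {
    uint32_t height, width, bpp, flags;             /* inputs, set by userspace */
    uint32_t handle, pitch; uint64_t size;          /* outputs, set by the kernel */
};

/* Hypothetical driver callback with the bug described above: pitch is read as input. */
static int buggy_driver_create(struct dumb_args *a)
{
    uint32_t min_pitch = a->width * ((a->bpp + 7) / 8);
    if (a->pitch < min_pitch)       /* a larger caller-supplied pitch is trusted */
        a->pitch = min_pitch;
    a->size = (uint64_t)a->pitch * a->height;
    a->handle = 1;
    return 0;
}

/* What the series does: the core zeroes the outputs before the driver runs. */
int create_dumb_sanitized(struct dumb_args *a)
{
    a->handle = 0; a->pitch = 0; a->size = 0;
    return buggy_driver_create(a);
}

/* The stricter rule from the lessons learned: non-zero outputs are an error. */
int create_dumb_strict(struct dumb_args *a)
{
    if (a->handle || a->pitch || a->size)
        return -EINVAL;
    return buggy_driver_create(a);
}

/* Constructed request: 640x480 at 32 bpp, outputs left as 0xA5 "stack junk". */
struct dumb_args sample_request(void)
{
    struct dumb_args a;
    memset(&a, 0xA5, sizeof(a));    /* stands in for uninitialized memory */
    a.height = 480; a.width = 640; a.bpp = 32; a.flags = 0;
    return a;
}

int main(void)
{
    struct dumb_args a = sample_request();
    return create_dumb_strict(&a) == -EINVAL ? 0 : 1;
}
```

With the constructed request, the unsanitized driver path keeps the junk pitch and computes a buffer size of over a terabyte, while the sanitized path yields a pitch of 2560 bytes and a size of 1228800 bytes.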