[PATCH] Revert "drm/nouveau: check ioctl command codes better"

[PATCH] Revert "drm/nouveau: check ioctl command codes better"

[Arnd Bergmann]

From: Arnd Bergmann <arnd@arndb.de>

My previous patch ended up causing a regression for the
DRM_IOCTL_NOUVEAU_NVIF ioctl. The intention of my patch was to only
pass ioctl commands that have the correct dir/type/nr bits into the
nouveau_abi16_ioctl() function.

This turned out to be too strict, as userspace does use at least
write-only and write-read direction settings. Checking for both of these
still did not fix the issue, so the best we can do for the 6.16 release
is to revert back to what we've had since linux-3.16.

This version is still fragile, but at least it is known to work with
existing userspace. Fixing this properly requires a better understanding
of what commands are being passed from userspace in practice, and how
that relies on the undocumented (mis)behavior in nouveau_drm_ioctl().

Fixes: e5478166dffb ("drm/nouveau: check ioctl command codes better")
Link: https://lore.kernel.org/dri-devel/CAFrh3J85tsZRpOHQtKgNHUVnn=EG=QKBnZTRtWS8eWSc1K1xkA@mail.gmail.com/
Reported-by: Satadru Pramanik <satadru@gmail.com>
Reported-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/gpu/drm/nouveau/nouveau_drm.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
index 7bb64fcdd497..1527b801f013 100644
--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
@@ -1284,9 +1284,6 @@ nouveau_ioctls[] = {
 	DRM_IOCTL_DEF_DRV(NOUVEAU_EXEC, nouveau_exec_ioctl_exec, DRM_RENDER_ALLOW),
 };
 
-#define DRM_IOCTL_NOUVEAU_NVIF _IOC(_IOC_READ | _IOC_WRITE, DRM_IOCTL_BASE, \
-				    DRM_COMMAND_BASE + DRM_NOUVEAU_NVIF, 0)
-
 long
 nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
@@ -1300,10 +1297,14 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		return ret;
 	}
 
-	if ((cmd & ~IOCSIZE_MASK) == DRM_IOCTL_NOUVEAU_NVIF)
+	switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) {
+	case DRM_NOUVEAU_NVIF:
 		ret = nouveau_abi16_ioctl(filp, (void __user *)arg, _IOC_SIZE(cmd));
-	else
+		break;
+	default:
 		ret = drm_ioctl(file, cmd, arg);
+		break;
+	}
 
 	pm_runtime_mark_last_busy(dev->dev);
 	pm_runtime_put_autosuspend(dev->dev);
-- 
2.39.5

Re: [PATCH] Revert "drm/nouveau: check ioctl command codes better"

[Danilo Krummrich]

On Tue Jul 22, 2025 at 1:58 PM CEST, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> My previous patch ended up causing a regression for the
> DRM_IOCTL_NOUVEAU_NVIF ioctl. The intention of my patch was to only
> pass ioctl commands that have the correct dir/type/nr bits into the
> nouveau_abi16_ioctl() function.
>
> This turned out to be too strict, as userspace does use at least
> write-only and write-read direction settings. Checking for both of these
> still did not fix the issue, so the best we can do for the 6.16 release
> is to revert back to what we've had since linux-3.16.
>
> This version is still fragile, but at least it is known to work with
> existing userspace. Fixing this properly requires a better understanding
> of what commands are being passed from userspace in practice, and how
> that relies on the undocumented (mis)behavior in nouveau_drm_ioctl().
>
> Fixes: e5478166dffb ("drm/nouveau: check ioctl command codes better")
> Link: https://lore.kernel.org/dri-devel/CAFrh3J85tsZRpOHQtKgNHUVnn=EG=QKBnZTRtWS8eWSc1K1xkA@mail.gmail.com/
> Reported-by: Satadru Pramanik <satadru@gmail.com>
> Reported-by: Chris Bainbridge <chris.bainbridge@gmail.com>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

Applied to drm-misc-fixes, thanks!

  [ Add Closes: tags, fix minor typo in commit message. - Danilo ]