From: Julian Orth
Date: Sun, 01 Mar 2026 13:34:42 +0100
Subject: [PATCH] drm/syncobj: Fix handle <-> fd ioctls with dirty stack
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260301-point-v1-1-21fc5fd98614@gmail.com>
To: Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter, Christian König, Dmitry Osipenko, Rob Clark
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Julian Orth

Consider the following application:

    #include <fcntl.h>
    #include <string.h>
    #include <sys/ioctl.h>
    #include <drm/drm.h>

    int main(void)
    {
        int fd = open("/dev/dri/renderD128", O_RDWR);
        struct drm_syncobj_create arg1;
        ioctl(fd, DRM_IOCTL_SYNCOBJ_CREATE, &arg1);
        struct drm_syncobj_handle arg2;
        memset(&arg2, 1, sizeof(arg2)); // simulate dirty stack
        arg2.handle = arg1.handle;
        arg2.flags = 0;
        arg2.fd = 0;
        arg2.pad = 0;
        // arg2.point = 0; // userspace is required to set point to 0
        ioctl(fd, DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD, &arg2);
    }

The last ioctl returns EINVAL because args->point is not 0. However,
userspace developed against older kernel versions is not aware of the
new point field and might therefore not initialize it.

The correct check would be

    if (args->flags & DRM_SYNCOBJ_FD_TO_HANDLE_FLAGS_TIMELINE)
        return -EINVAL;

However, there might already be userspace that relies on this not
returning an error as long as point == 0. Therefore use the more lenient
check.

Fixes: c2d3a7300695 ("drm/syncobj: Extend EXPORT_SYNC_FILE for timeline syncobjs")
Signed-off-by: Julian Orth
---
This patch fixes a regression that would cause conversions between
syncobj handles and fds to fail if userspace did not initialize a
recently-added field to 0.
---
 drivers/gpu/drm/drm_syncobj.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index 250734dee928..49eccb43ce63 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -875,7 +875,7 @@ drm_syncobj_handle_to_fd_ioctl(struct drm_device *dev, void *data, return drm_syncobj_export_sync_file(file_private, args->handle, point, &args->fd); - if (args->point) + if (point) return -EINVAL; return drm_syncobj_handle_to_fd(file_private, args->handle, @@ -909,7 +909,7 @@ drm_syncobj_fd_to_handle_ioctl(struct drm_device *dev, void *data, args->handle, point); - if (args->point) + if (point) return -EINVAL; return drm_syncobj_fd_to_handle(file_private, args->fd,
---
base-commit: eb71ab2bf72260054677e348498ba995a057c463
change-id: 20260301-point-4305b6417f55

Best regards,
-- 
Julian Orth
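
Review bot: in the first hunk (drm_syncobj_handle_to_fd_ioctl), the new `if (point)` test has no comment saying why it checks the local `point` instead of `args->point` or the flag test that the commit message calls the correct check. A short comment above it, noting that `args->point` may be left uninitialized by userspace built against older headers and that the lenient check is kept deliberately for compatibility, would keep a later cleanup from restoring the stricter test and bringing back the EINVAL regression.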
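
Review bot: the fd-to-handle path in the second hunk (drm_syncobj_fd_to_handle_ioctl) is not covered by the reproducer in the commit message, which only issues DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD. Please say whether the same dirty-struct case was checked with DRM_IOCTL_SYNCOBJ_FD_TO_HANDLE, or add a test for it, so that both changed `if (point)` checks are exercised.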