| Message ID | 20180430235927.28712-1-eric@anholt.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, May 1, 2018 at 1:59 AM, Eric Anholt <eric@anholt.net> wrote: > I had originally asked Stefan Schake to drop the pad field from the > syncobj changes that just landed, because I couldn't come up with a > reason to align to 64 bits. > > Talking with Dave Airlie about the new v3d driver's submit ioctl, we > came up with a reason: sizeof() on 64-bit platforms may align to 64 > bits, in which case the userspace will be submitting the aligned size > and the final 32 bits won't be zero-padded by the kernel. If > userspace doesn't zero-fill, then a future ABI change adding a 32-bit > field at the end could potentially cause the kernel to read undefined > data from old userspace (our userspace happens to use structure > initialization that zero-fills, but as a general rule we try not to > rely on that in the kernel). > Did a quick sizeof check on arm64 and that indeed came to 176 mod 8 = 0, suggesting we need this additional pad. So fwiw Reviewed-by: Stefan Schake <stschake@gmail.com> Thanks, Stefan
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c index a4c4be3ac6af..7910b9acedd6 100644 --- a/drivers/gpu/drm/vc4/vc4_gem.c +++ b/drivers/gpu/drm/vc4/vc4_gem.c @@ -1132,6 +1132,11 @@ vc4_submit_cl_ioctl(struct drm_device *dev, void *data, return -EINVAL; } + if (args->pad2 != 0) { + DRM_DEBUG("Invalid pad: 0x%08x\n", args->pad2); + return -EINVAL; + } + exec = kcalloc(1, sizeof(*exec), GFP_KERNEL); if (!exec) { DRM_ERROR("malloc failure on exec struct\n"); diff --git a/include/uapi/drm/vc4_drm.h b/include/uapi/drm/vc4_drm.h index 2be4fe3610b8..2cac6277a1d7 100644 --- a/include/uapi/drm/vc4_drm.h +++ b/include/uapi/drm/vc4_drm.h @@ -193,6 +193,8 @@ struct drm_vc4_submit_cl { * render job. 0 means ignore. */ __u32 out_sync; + + __u32 pad2; }; /**
I had originally asked Stefan Schake to drop the pad field from the syncobj changes that just landed, because I couldn't come up with a reason to align to 64 bits. Talking with Dave Airlie about the new v3d driver's submit ioctl, we came up with a reason: sizeof() on 64-bit platforms may align to 64 bits, in which case the userspace will be submitting the aligned size and the final 32 bits won't be zero-padded by the kernel. If userspace doesn't zero-fill, then a future ABI change adding a 32-bit field at the end could potentially cause the kernel to read undefined data from old userspace (our userspace happens to use structure initialization that zero-fills, but as a general rule we try not to rely on that in the kernel). Signed-off-by: Eric Anholt <eric@anholt.net> --- danvet, could you update the "Botching up IOCTLs" post with this explanation for why we need struct size alignment for non-array structs? drivers/gpu/drm/vc4/vc4_gem.c | 5 +++++ include/uapi/drm/vc4_drm.h | 2 ++ 2 files changed, 7 insertions(+)