drm/fence: fix memory overwrite when setting out_fence fd

Message ID 1484317329-9293-1-git-send-email-gustavo@padovan.org

Commit Message

Gustavo Padovan Jan. 13, 2017, 2:22 p.m. UTC
From: Gustavo Padovan <gustavo.padovan@collabora.com>

Currently, if userspace declares an int variable to store the out_fence
fd and passes it to OUT_FENCE_PTR, the kernel will overwrite the 32 bits
above the int variable on 64-bit systems.

Fix this by making the internal storage of out_fence in the kernel a s32
pointer.

Reported-by: Chad Versace <chadversary@chromium.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Rafael Antognolli <rafael.antognolli@intel.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/drm_atomic.c  | 12 ++++++------
 include/drm/drm_atomic.h      |  2 +-
 include/drm/drm_mode_config.h |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

Comments

Laurent Pinchart Jan. 13, 2017, 3 p.m. UTC | #1
Hi Gustavo,

Thank you for the patch.

On Friday 13 Jan 2017 12:22:09 Gustavo Padovan wrote:
> From: Gustavo Padovan <gustavo.padovan@collabora.com>
> 
> Currently if the userspace declares a int variable to store the out_fence
> fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits
> above the int variable on 64 bits systems.
> 
> Fix this by making the internal storage of out_fence in the kernel a s32
> pointer.
> 
> Reported-by: Chad Versace <chadversary@chromium.org>
> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: Rafael Antognolli <rafael.antognolli@intel.com>
> Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

> Cc: stable@vger.kernel.org

I don't think this is needed, given that the code was merged in v4.10-rc1, and 
this patch should be merged as a v4.10-rc fix.

> ---
>  drivers/gpu/drm/drm_atomic.c  | 12 ++++++------
>  include/drm/drm_atomic.h      |  2 +-
>  include/drm/drm_mode_config.h |  2 +-
>  3 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
> index 6414bcf..723392f 100644
> --- a/drivers/gpu/drm/drm_atomic.c
> +++ b/drivers/gpu/drm/drm_atomic.c
> @@ -286,15 +286,15 @@ drm_atomic_get_crtc_state(struct drm_atomic_state
> *state, EXPORT_SYMBOL(drm_atomic_get_crtc_state);
> 
>  static void set_out_fence_for_crtc(struct drm_atomic_state *state,
> -				   struct drm_crtc *crtc, s64 __user 
*fence_ptr)
> +				   struct drm_crtc *crtc, s32 __user 
*fence_ptr)
>  {
>  	state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = fence_ptr;
>  }
> 
> -static s64 __user *get_out_fence_for_crtc(struct drm_atomic_state *state,
> +static s32 __user *get_out_fence_for_crtc(struct drm_atomic_state *state,
>  					  struct drm_crtc *crtc)
>  {
> -	s64 __user *fence_ptr;
> +	s32 __user *fence_ptr;
> 
>  	fence_ptr = state->crtcs[drm_crtc_index(crtc)].out_fence_ptr;
>  	state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = NULL;
> @@ -507,7 +507,7 @@ int drm_atomic_crtc_set_property(struct drm_crtc *crtc,
>  		state->color_mgmt_changed |= replaced;
>  		return ret;
>  	} else if (property == config->prop_out_fence_ptr) {
> -		s64 __user *fence_ptr = u64_to_user_ptr(val);
> +		s32 __user *fence_ptr = u64_to_user_ptr(val);
> 
>  		if (!fence_ptr)
>  			return 0;
> @@ -1914,7 +1914,7 @@ EXPORT_SYMBOL(drm_atomic_clean_old_fb);
>   */
> 
>  struct drm_out_fence_state {
> -	s64 __user *out_fence_ptr;
> +	s32 __user *out_fence_ptr;
>  	struct sync_file *sync_file;
>  	int fd;
>  };
> @@ -1951,7 +1951,7 @@ static int prepare_crtc_signaling(struct drm_device
> *dev, return 0;
> 
>  	for_each_crtc_in_state(state, crtc, crtc_state, i) {
> -		u64 __user *fence_ptr;
> +		s32 __user *fence_ptr;
> 
>  		fence_ptr = get_out_fence_for_crtc(crtc_state->state, crtc);
> 
> diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h
> index f96220e..f1cb2b0 100644
> --- a/include/drm/drm_atomic.h
> +++ b/include/drm/drm_atomic.h
> @@ -144,7 +144,7 @@ struct __drm_crtcs_state {
>  	struct drm_crtc *ptr;
>  	struct drm_crtc_state *state;
>  	struct drm_crtc_commit *commit;
> -	s64 __user *out_fence_ptr;
> +	s32 __user *out_fence_ptr;
>  	unsigned last_vblank_count;
>  };
> 
> diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h
> index 17942c0..fe230f1 100644
> --- a/include/drm/drm_mode_config.h
> +++ b/include/drm/drm_mode_config.h
> @@ -496,7 +496,7 @@ struct drm_mode_config {
>  	/**
>  	 * @prop_out_fence_ptr: Sync File fd pointer representing the
>  	 * outgoing fences for a CRTC. Userspace should provide a pointer to a
> -	 * value of type s64, and then cast that pointer to u64.
> +	 * value of type s32, and then cast that pointer to u64.
>  	 */
>  	struct drm_property *prop_out_fence_ptr;
>  	/**
Gustavo Padovan Jan. 13, 2017, 4:56 p.m. UTC | #2
2017-01-13 Laurent Pinchart <laurent.pinchart@ideasonboard.com>:

> Hi Gustavo,
> 
> Thank you for the patch.
> 
> On Friday 13 Jan 2017 12:22:09 Gustavo Padovan wrote:
> > From: Gustavo Padovan <gustavo.padovan@collabora.com>
> > 
> > Currently if the userspace declares a int variable to store the out_fence
> > fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits
> > above the int variable on 64 bits systems.
> > 
> > Fix this by making the internal storage of out_fence in the kernel a s32
> > pointer.
> > 
> > Reported-by: Chad Versace <chadversary@chromium.org>
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
> > Cc: Daniel Vetter <daniel@ffwll.ch>
> > Cc: Rafael Antognolli <rafael.antognolli@intel.com>
> > Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> 
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> 
> > Cc: stable@vger.kernel.org
> 
> I don't think this is needed, given that the code was merged in v4.10-rc1, and 
> this patch should be merged as a v4.10-rc fix.

Hmm, yeah. I got confused.

Gustavo
Chad Versace Jan. 13, 2017, 9:27 p.m. UTC | #3
On Fri 13 Jan 2017, Gustavo Padovan wrote:
> From: Gustavo Padovan <gustavo.padovan@collabora.com>
> 
> Currently if the userspace declares a int variable to store the out_fence
> fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits
> above the int variable on 64 bits systems.
> 
> Fix this by making the internal storage of out_fence in the kernel a s32
> pointer.
> 
> Reported-by: Chad Versace <chadversary@chromium.org>
> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: Rafael Antognolli <rafael.antognolli@intel.com>
> Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Cc: stable@vger.kernel.org

Reviewed-and-Tested-by: Chad Versace <chadversary@chromium.org>

I applied this to my kernel branch, updated kmscube, and the spinning cube still looks good.
For reference, here are the tags I tested with:

    mesa: http://git.kiwitree.net/cgit/~chadv/mesa/tag/?h=chadv/review/i965-exec-fence-v03
    libdrm: http://git.kiwitree.net/cgit/~chadv/libdrm/tag/?h=chadv/review/intel-exec-fence-v01
    linux: http://git.kiwitree.net/cgit/~chadv/linux/tag/?h=chadv/test/i915-exec-fence-v04
    kmscube: http://git.kiwitree.net/cgit/~chadv/kmscube/tag/?h=chadv/test/fences-v03
Gustavo Padovan Jan. 16, 2017, 10:24 p.m. UTC | #4
2017-01-13 Chad Versace <chadversary@chromium.org>:

> On Fri 13 Jan 2017, Gustavo Padovan wrote:
> > From: Gustavo Padovan <gustavo.padovan@collabora.com>
> > 
> > Currently if the userspace declares a int variable to store the out_fence
> > fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits
> > above the int variable on 64 bits systems.
> > 
> > Fix this by making the internal storage of out_fence in the kernel a s32
> > pointer.
> > 
> > Reported-by: Chad Versace <chadversary@chromium.org>
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
> > Cc: Daniel Vetter <daniel@ffwll.ch>
> > Cc: Rafael Antognolli <rafael.antognolli@intel.com>
> > Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> > Cc: stable@vger.kernel.org
> 
> Reviewed-and-Tested-by: Chad Versace <chadversary@chromium.org>
> 
> I applied this to my kernel branch, updated kmscube, and the spinning cube still looks good.
> For reference, here are the tags I tested with:
> 
>     mesa: http://git.kiwitree.net/cgit/~chadv/mesa/tag/?h=chadv/review/i965-exec-fence-v03
>     libdrm: http://git.kiwitree.net/cgit/~chadv/libdrm/tag/?h=chadv/review/intel-exec-fence-v01
>     linux: http://git.kiwitree.net/cgit/~chadv/linux/tag/?h=chadv/test/i915-exec-fence-v04
>     kmscube: http://git.kiwitree.net/cgit/~chadv/kmscube/tag/?h=chadv/test/fences-v03

I pushed this patch to drm-misc-fixes. Thank you all.

Gustavo


diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
index 6414bcf..723392f 100644
--- a/drivers/gpu/drm/drm_atomic.c
+++ b/drivers/gpu/drm/drm_atomic.c
@@ -286,15 +286,15 @@  drm_atomic_get_crtc_state(struct drm_atomic_state *state,
 EXPORT_SYMBOL(drm_atomic_get_crtc_state);
 
 static void set_out_fence_for_crtc(struct drm_atomic_state *state,
-				   struct drm_crtc *crtc, s64 __user *fence_ptr)
+				   struct drm_crtc *crtc, s32 __user *fence_ptr)
 {
 	state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = fence_ptr;
 }
 
-static s64 __user *get_out_fence_for_crtc(struct drm_atomic_state *state,
+static s32 __user *get_out_fence_for_crtc(struct drm_atomic_state *state,
 					  struct drm_crtc *crtc)
 {
-	s64 __user *fence_ptr;
+	s32 __user *fence_ptr;
 
 	fence_ptr = state->crtcs[drm_crtc_index(crtc)].out_fence_ptr;
 	state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = NULL;
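Review bot: get_out_fence_for_crtc clears the stored pointer right after reading it, so it is a consume operation rather than a plain accessor, yet neither helper carries a comment saying so. A comment above the getter such as `/* Take the CRTC's out-fence user pointer and clear it, so the fd is written to userspace at most once. */` would make the ownership hand-off explicit. set_out_fence_for_crtc only stores the user pointer; the access check and fault handling presumably happen at the write site, which is outside this hunk, so a note that the pointer is unvalidated here would also help the next reader.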
@@ -507,7 +507,7 @@  int drm_atomic_crtc_set_property(struct drm_crtc *crtc,
 		state->color_mgmt_changed |= replaced;
 		return ret;
 	} else if (property == config->prop_out_fence_ptr) {
-		s64 __user *fence_ptr = u64_to_user_ptr(val);
+		s32 __user *fence_ptr = u64_to_user_ptr(val);
 
 		if (!fence_ptr)
 			return 0;
@@ -1914,7 +1914,7 @@  EXPORT_SYMBOL(drm_atomic_clean_old_fb);
  */
 
 struct drm_out_fence_state {
-	s64 __user *out_fence_ptr;
+	s32 __user *out_fence_ptr;
 	struct sync_file *sync_file;
 	int fd;
 };
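Review bot: `out_fence_ptr` in struct drm_out_fence_state changes type but still has no comment stating what it points at, and the same is true of the `out_fence_ptr` member of struct __drm_crtcs_state in the include/drm/drm_atomic.h hunk. Since this field's width is exactly what caused the reported overwrite, one line would pin the contract: `s32 __user *out_fence_ptr; /* userspace address of the __s32 that receives the out-fence fd */`. The NULL check in drm_atomic_crtc_set_property suggests NULL means no fence was requested; if that is the intended meaning it is worth stating on the field too.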
@@ -1951,7 +1951,7 @@  static int prepare_crtc_signaling(struct drm_device *dev,
 		return 0;
 
 	for_each_crtc_in_state(state, crtc, crtc_state, i) {
-		u64 __user *fence_ptr;
+		s32 __user *fence_ptr;
 
 		fence_ptr = get_out_fence_for_crtc(crtc_state->state, crtc);
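Review bot: The userspace write that this fix is meant to narrow is not in the hunk; prepare_crtc_signaling continues past its last line, and the type change only takes effect if the store uses a type-sized accessor such as `put_user(fd, fence_ptr)`. If that site instead uses copy_to_user with an explicit `sizeof(u64)` or a `u64` temporary, it would still write 8 bytes and the fix would be incomplete, so the write site deserves a check in the same function. The old declaration here was `u64 __user *` while the other sites in this file used `s64 __user *`, so the hunk also removes a signedness inconsistency along the way.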
 
diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h
index f96220e..f1cb2b0 100644
--- a/include/drm/drm_atomic.h
+++ b/include/drm/drm_atomic.h
@@ -144,7 +144,7 @@  struct __drm_crtcs_state {
 	struct drm_crtc *ptr;
 	struct drm_crtc_state *state;
 	struct drm_crtc_commit *commit;
-	s64 __user *out_fence_ptr;
+	s32 __user *out_fence_ptr;
 	unsigned last_vblank_count;
 };
 
diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h
index 17942c0..fe230f1 100644
--- a/include/drm/drm_mode_config.h
+++ b/include/drm/drm_mode_config.h
@@ -496,7 +496,7 @@  struct drm_mode_config {
 	/**
 	 * @prop_out_fence_ptr: Sync File fd pointer representing the
 	 * outgoing fences for a CRTC. Userspace should provide a pointer to a
-	 * value of type s64, and then cast that pointer to u64.
+	 * value of type s32, and then cast that pointer to u64.
 	 */
 	struct drm_property *prop_out_fence_ptr;
 	/**
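Review bot: The updated kerneldoc tells userspace to provide "a value of type s32", but s32 is a kernel-internal typedef that UAPI headers do not expose; the userspace spelling is __s32 (int32_t). Suggest `* value of type __s32 (int32_t), and then cast that pointer to u64.` so readers of this property documentation use a type they actually have. The reported bug came from userspace storing the fd in a plain int, so naming the exact 32-bit width here is the part of the fix that prevents a recurrence.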