| Message ID | 1484317329-9293-1-git-send-email-gustavo@padovan.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Hi Gustavo, Thank you for the patch. On Friday 13 Jan 2017 12:22:09 Gustavo Padovan wrote: > From: Gustavo Padovan <gustavo.padovan@collabora.com> > > Currently if the userspace declares a int variable to store the out_fence > fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits > above the int variable on 64 bits systems. > > Fix this by making the internal storage of out_fence in the kernel a s32 > pointer. > > Reported-by: Chad Versace <chadversary@chromium.org> > Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com> > Cc: Daniel Vetter <daniel@ffwll.ch> > Cc: Rafael Antognolli <rafael.antognolli@intel.com> > Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > Cc: stable@vger.kernel.org I don't think this is needed, given that the code was merged in v4.10-rc1, and this patch should be merged as a v4.10-rc fix. > --- > drivers/gpu/drm/drm_atomic.c | 12 ++++++------ > include/drm/drm_atomic.h | 2 +- > include/drm/drm_mode_config.h | 2 +- > 3 files changed, 8 insertions(+), 8 deletions(-) > > diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c > index 6414bcf..723392f 100644 > --- a/drivers/gpu/drm/drm_atomic.c > +++ b/drivers/gpu/drm/drm_atomic.c > @@ -286,15 +286,15 @@ drm_atomic_get_crtc_state(struct drm_atomic_state > *state, EXPORT_SYMBOL(drm_atomic_get_crtc_state); > > static void set_out_fence_for_crtc(struct drm_atomic_state *state, > - struct drm_crtc *crtc, s64 __user *fence_ptr) > + struct drm_crtc *crtc, s32 __user *fence_ptr) > { > state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = fence_ptr; > } > > -static s64 __user *get_out_fence_for_crtc(struct drm_atomic_state *state, > +static s32 __user *get_out_fence_for_crtc(struct drm_atomic_state *state, > struct drm_crtc *crtc) > { > - s64 __user *fence_ptr; > + s32 __user *fence_ptr; > > fence_ptr = state->crtcs[drm_crtc_index(crtc)].out_fence_ptr; > state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = NULL; > @@ -507,7 +507,7 @@ int drm_atomic_crtc_set_property(struct drm_crtc *crtc, > state->color_mgmt_changed |= replaced; > return ret; > } else if (property == config->prop_out_fence_ptr) { > - s64 __user *fence_ptr = u64_to_user_ptr(val); > + s32 __user *fence_ptr = u64_to_user_ptr(val); > > if (!fence_ptr) > return 0; > @@ -1914,7 +1914,7 @@ EXPORT_SYMBOL(drm_atomic_clean_old_fb); > */ > > struct drm_out_fence_state { > - s64 __user *out_fence_ptr; > + s32 __user *out_fence_ptr; > struct sync_file *sync_file; > int fd; > }; > @@ -1951,7 +1951,7 @@ static int prepare_crtc_signaling(struct drm_device > *dev, return 0; > > for_each_crtc_in_state(state, crtc, crtc_state, i) { > - u64 __user *fence_ptr; > + s32 __user *fence_ptr; > > fence_ptr = get_out_fence_for_crtc(crtc_state->state, crtc); > > diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h > index f96220e..f1cb2b0 100644 > --- a/include/drm/drm_atomic.h > +++ b/include/drm/drm_atomic.h > @@ -144,7 +144,7 @@ struct __drm_crtcs_state { > struct drm_crtc *ptr; > struct drm_crtc_state *state; > struct drm_crtc_commit *commit; > - s64 __user *out_fence_ptr; > + s32 __user *out_fence_ptr; > unsigned last_vblank_count; > }; > > diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h > index 17942c0..fe230f1 100644 > --- a/include/drm/drm_mode_config.h > +++ b/include/drm/drm_mode_config.h > @@ -496,7 +496,7 @@ struct drm_mode_config { > /** > * @prop_out_fence_ptr: Sync File fd pointer representing the > * outgoing fences for a CRTC. Userspace should provide a pointer to a > - * value of type s64, and then cast that pointer to u64. > + * value of type s32, and then cast that pointer to u64. > */ > struct drm_property *prop_out_fence_ptr; > /**
2017-01-13 Laurent Pinchart <laurent.pinchart@ideasonboard.com>: > Hi Gustavo, > > Thank you for the patch. > > On Friday 13 Jan 2017 12:22:09 Gustavo Padovan wrote: > > From: Gustavo Padovan <gustavo.padovan@collabora.com> > > > > Currently if the userspace declares a int variable to store the out_fence > > fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits > > above the int variable on 64 bits systems. > > > > Fix this by making the internal storage of out_fence in the kernel a s32 > > pointer. > > > > Reported-by: Chad Versace <chadversary@chromium.org> > > Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com> > > Cc: Daniel Vetter <daniel@ffwll.ch> > > Cc: Rafael Antognolli <rafael.antognolli@intel.com> > > Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > > Cc: stable@vger.kernel.org > > I don't think this is needed, given that the code was merged in v4.10-rc1, and > this patch should be merged as a v4.10-rc fix. Hmm, yeah. I got confused. Gustavo
On Fri 13 Jan 2017, Gustavo Padovan wrote: > From: Gustavo Padovan <gustavo.padovan@collabora.com> > > Currently if the userspace declares a int variable to store the out_fence > fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits > above the int variable on 64 bits systems. > > Fix this by making the internal storage of out_fence in the kernel a s32 > pointer. > > Reported-by: Chad Versace <chadversary@chromium.org> > Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com> > Cc: Daniel Vetter <daniel@ffwll.ch> > Cc: Rafael Antognolli <rafael.antognolli@intel.com> > Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > Cc: stable@vger.kernel.org Reviewed-and-Tested-by: Chad Versace <chadversary@chromium.org> I applied this to my kernel branch, updated kmscube, and the spinning cube still looks good. For reference, here are the tags I tested with: mesa: http://git.kiwitree.net/cgit/~chadv/mesa/tag/?h=chadv/review/i965-exec-fence-v03 libdrm: http://git.kiwitree.net/cgit/~chadv/libdrm/tag/?h=chadv/review/intel-exec-fence-v01 linux: http://git.kiwitree.net/cgit/~chadv/linux/tag/?h=chadv/test/i915-exec-fence-v04 kmscube: http://git.kiwitree.net/cgit/~chadv/kmscube/tag/?h=chadv/test/fences-v03
2017-01-13 Chad Versace <chadversary@chromium.org>: > On Fri 13 Jan 2017, Gustavo Padovan wrote: > > From: Gustavo Padovan <gustavo.padovan@collabora.com> > > > > Currently if the userspace declares a int variable to store the out_fence > > fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits > > above the int variable on 64 bits systems. > > > > Fix this by making the internal storage of out_fence in the kernel a s32 > > pointer. > > > > Reported-by: Chad Versace <chadversary@chromium.org> > > Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com> > > Cc: Daniel Vetter <daniel@ffwll.ch> > > Cc: Rafael Antognolli <rafael.antognolli@intel.com> > > Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > Cc: stable@vger.kernel.org > > Reviewed-and-Tested-by: Chad Versace <chadversary@chromium.org> > > I applied this to my kernel branch, updated kmscube, and the spinning cube still looks good. > For reference, here are the tags I tested with: > > mesa: http://git.kiwitree.net/cgit/~chadv/mesa/tag/?h=chadv/review/i965-exec-fence-v03 > libdrm: http://git.kiwitree.net/cgit/~chadv/libdrm/tag/?h=chadv/review/intel-exec-fence-v01 > linux: http://git.kiwitree.net/cgit/~chadv/linux/tag/?h=chadv/test/i915-exec-fence-v04 > kmscube: http://git.kiwitree.net/cgit/~chadv/kmscube/tag/?h=chadv/test/fences-v03 I pushed this patch to drm-misc-fixes. Thank you all. Gustavo
diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 6414bcf..723392f 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -286,15 +286,15 @@ drm_atomic_get_crtc_state(struct drm_atomic_state *state, EXPORT_SYMBOL(drm_atomic_get_crtc_state); static void set_out_fence_for_crtc(struct drm_atomic_state *state, - struct drm_crtc *crtc, s64 __user *fence_ptr) + struct drm_crtc *crtc, s32 __user *fence_ptr) { state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = fence_ptr; } -static s64 __user *get_out_fence_for_crtc(struct drm_atomic_state *state, +static s32 __user *get_out_fence_for_crtc(struct drm_atomic_state *state, struct drm_crtc *crtc) { - s64 __user *fence_ptr; + s32 __user *fence_ptr; fence_ptr = state->crtcs[drm_crtc_index(crtc)].out_fence_ptr; state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = NULL; @@ -507,7 +507,7 @@ int drm_atomic_crtc_set_property(struct drm_crtc *crtc, state->color_mgmt_changed |= replaced; return ret; } else if (property == config->prop_out_fence_ptr) { - s64 __user *fence_ptr = u64_to_user_ptr(val); + s32 __user *fence_ptr = u64_to_user_ptr(val); if (!fence_ptr) return 0; @@ -1914,7 +1914,7 @@ EXPORT_SYMBOL(drm_atomic_clean_old_fb); */ struct drm_out_fence_state { - s64 __user *out_fence_ptr; + s32 __user *out_fence_ptr; struct sync_file *sync_file; int fd; }; @@ -1951,7 +1951,7 @@ static int prepare_crtc_signaling(struct drm_device *dev, return 0; for_each_crtc_in_state(state, crtc, crtc_state, i) { - u64 __user *fence_ptr; + s32 __user *fence_ptr; fence_ptr = get_out_fence_for_crtc(crtc_state->state, crtc); diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h index f96220e..f1cb2b0 100644 --- a/include/drm/drm_atomic.h +++ b/include/drm/drm_atomic.h @@ -144,7 +144,7 @@ struct __drm_crtcs_state { struct drm_crtc *ptr; struct drm_crtc_state *state; struct drm_crtc_commit *commit; - s64 __user *out_fence_ptr; + s32 __user *out_fence_ptr; unsigned last_vblank_count; }; diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h index 17942c0..fe230f1 100644 --- a/include/drm/drm_mode_config.h +++ b/include/drm/drm_mode_config.h @@ -496,7 +496,7 @@ struct drm_mode_config { /** * @prop_out_fence_ptr: Sync File fd pointer representing the * outgoing fences for a CRTC. Userspace should provide a pointer to a - * value of type s64, and then cast that pointer to u64. + * value of type s32, and then cast that pointer to u64. */ struct drm_property *prop_out_fence_ptr; /**