From patchwork Fri Jan 13 14:22:09 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gustavo Padovan <gustavo@padovan.org>
X-Patchwork-Id: 9515719
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	2F634601DA for <patchwork-dri-devel@patchwork.kernel.org>;
	Fri, 13 Jan 2017 14:22:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 22EC828732
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Fri, 13 Jan 2017 14:22:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 179A828736; Fri, 13 Jan 2017 14:22:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.7 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 8C60528735
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Fri, 13 Jan 2017 14:22:18 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 9ADCF6E084;
	Fri, 13 Jan 2017 14:22:17 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-vk0-f68.google.com (mail-vk0-f68.google.com
	[209.85.213.68])
	by gabe.freedesktop.org (Postfix) with ESMTPS id DCE286E084
	for <dri-devel@lists.freedesktop.org>;
	Fri, 13 Jan 2017 14:22:16 +0000 (UTC)
Received: by mail-vk0-f68.google.com with SMTP id r136so3848068vke.1
	for <dri-devel@lists.freedesktop.org>;
	Fri, 13 Jan 2017 06:22:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=mHNtj991WDEci7LxeErcFxYY1GR2ZGk0bI8dXMveDwQ=;
	b=iPyEfbrYcynxCxfW8BGU3/b+ecBoloV/Sx1Zt5jCjS04ZI927d5BadpMM8jBgVWLiJ
	T33aG33KxJ7SoZs9cpTT9ugL0ol+LAyRhEnLTKLvszplZiFE7xfMPR2CQdbyrHuf2J+O
	VVzXpAKC2T58Su6cyE2B9zllmUor0JwHTIkzNAUZEWLK8V0JhoNrfV7SqaXv6gkuy0oV
	pwwkF93maqOauTL/8Im/ql0fbZIBcb2AkCUzRE21toY3vfRdz7KD+6TUomHbz5/RQm38
	5sZwcOlaEFu4bLEv1yovnAOzyVAmbH7mnTXVCDWSrEJfnYRj7fcwVTQITPWWBl098Enj
	EC5Q==
X-Gm-Message-State: 
 AIkVDXLBcbFyxnip7lqirUJQf2spR426CHB6RAFIbqOHGVOyYApngG95nviJeULPXUWlPA==
X-Received: by 10.31.134.77 with SMTP id i74mr10156040vkd.57.1484317335984;
	Fri, 13 Jan 2017 06:22:15 -0800 (PST)
Received: from jade.localdomain ([187.64.235.185])
	by smtp.gmail.com with ESMTPSA id
	s76sm2416206vkb.1.2017.01.13.06.22.13
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Fri, 13 Jan 2017 06:22:15 -0800 (PST)
From: Gustavo Padovan <gustavo@padovan.org>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH] drm/fence: fix memory overwrite when setting out_fence fd
Date: Fri, 13 Jan 2017 12:22:09 -0200
Message-Id: <1484317329-9293-1-git-send-email-gustavo@padovan.org>
X-Mailer: git-send-email 2.5.5
Cc: Gustavo Padovan <gustavo.padovan@collabora.com>, stable@vger.kernel.org,
	Laurent Pinchart <laurent.pinchart@ideasonboard.com>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Gustavo Padovan <gustavo.padovan@collabora.com>

Currently if the userspace declares a int variable to store the out_fence
fd and pass it to OUT_FENCE_PTR the kernel will overwrite the 32 bits
above the int variable on 64 bits systems.

Fix this by making the internal storage of out_fence in the kernel a s32
pointer.

Reported-by: Chad Versace <chadversary@chromium.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Rafael Antognolli <rafael.antognolli@intel.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: stable@vger.kernel.org
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 drivers/gpu/drm/drm_atomic.c  | 12 ++++++------
 include/drm/drm_atomic.h      |  2 +-
 include/drm/drm_mode_config.h |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
index 6414bcf..723392f 100644
--- a/drivers/gpu/drm/drm_atomic.c
+++ b/drivers/gpu/drm/drm_atomic.c
@@ -286,15 +286,15 @@ drm_atomic_get_crtc_state(struct drm_atomic_state *state,
 EXPORT_SYMBOL(drm_atomic_get_crtc_state);
 
 static void set_out_fence_for_crtc(struct drm_atomic_state *state,
-				   struct drm_crtc *crtc, s64 __user *fence_ptr)
+				   struct drm_crtc *crtc, s32 __user *fence_ptr)
 {
 	state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = fence_ptr;
 }
 
-static s64 __user *get_out_fence_for_crtc(struct drm_atomic_state *state,
+static s32 __user *get_out_fence_for_crtc(struct drm_atomic_state *state,
 					  struct drm_crtc *crtc)
 {
-	s64 __user *fence_ptr;
+	s32 __user *fence_ptr;
 
 	fence_ptr = state->crtcs[drm_crtc_index(crtc)].out_fence_ptr;
 	state->crtcs[drm_crtc_index(crtc)].out_fence_ptr = NULL;
@@ -507,7 +507,7 @@ int drm_atomic_crtc_set_property(struct drm_crtc *crtc,
 		state->color_mgmt_changed |= replaced;
 		return ret;
 	} else if (property == config->prop_out_fence_ptr) {
-		s64 __user *fence_ptr = u64_to_user_ptr(val);
+		s32 __user *fence_ptr = u64_to_user_ptr(val);
 
 		if (!fence_ptr)
 			return 0;
@@ -1914,7 +1914,7 @@ EXPORT_SYMBOL(drm_atomic_clean_old_fb);
  */
 
 struct drm_out_fence_state {
-	s64 __user *out_fence_ptr;
+	s32 __user *out_fence_ptr;
 	struct sync_file *sync_file;
 	int fd;
 };
@@ -1951,7 +1951,7 @@ static int prepare_crtc_signaling(struct drm_device *dev,
 		return 0;
 
 	for_each_crtc_in_state(state, crtc, crtc_state, i) {
-		u64 __user *fence_ptr;
+		s32 __user *fence_ptr;
 
 		fence_ptr = get_out_fence_for_crtc(crtc_state->state, crtc);
 
diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h
index f96220e..f1cb2b0 100644
--- a/include/drm/drm_atomic.h
+++ b/include/drm/drm_atomic.h
@@ -144,7 +144,7 @@ struct __drm_crtcs_state {
 	struct drm_crtc *ptr;
 	struct drm_crtc_state *state;
 	struct drm_crtc_commit *commit;
-	s64 __user *out_fence_ptr;
+	s32 __user *out_fence_ptr;
 	unsigned last_vblank_count;
 };
 
diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h
index 17942c0..fe230f1 100644
--- a/include/drm/drm_mode_config.h
+++ b/include/drm/drm_mode_config.h
@@ -496,7 +496,7 @@ struct drm_mode_config {
 	/**
 	 * @prop_out_fence_ptr: Sync File fd pointer representing the
 	 * outgoing fences for a CRTC. Userspace should provide a pointer to a
-	 * value of type s64, and then cast that pointer to u64.
+	 * value of type s32, and then cast that pointer to u64.
 	 */
 	struct drm_property *prop_out_fence_ptr;
 	/**