From patchwork Thu Oct 17 00:12:35 2013
X-Patchwork-Submitter: Pavel Roskin
X-Patchwork-Id: 3064391
Subject: [PATCH] drm: never write to the userspace more data than the caller wants
From: Pavel Roskin
To: Dave Airlie, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Chris Wilson
Date: Wed, 16 Oct 2013 20:12:35 -0400
Message-ID: <20131017001235.3077.92963.stgit@IRBT4585>

The amount of data wanted by the userspace caller is encoded in the ioctl number. Generic drm ioctls were ignoring it. As a result, Intel Xorg driver didn't work for i386 userspace on x86_64 kernel on some systems.

sizeof(struct drm_mode_get_connector) is 76 bytes on i686 and 80 bytes on x86_64 due to the tail alignment (the data positions match). The userspace was using the 4 bytes after the structure to hold the result of the ioctl. Since drm_ioctl() was copying 80 bytes instead of 76, it was clobbering that data.

A workaround has been committed to xf86-video-intel.

Signed-off-by: Pavel Roskin
Cc: stable@vger.kernel.org

--- drivers/gpu/drm/drm_drv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index e572dd2..8a1c721 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c 
@@ -403,8 +403,11 @@ long drm_ioctl(struct file *filp, } else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) { ioctl = &drm_ioctls[nr]; + usize = _IOC_SIZE(cmd); cmd = ioctl->cmd; - usize = asize = _IOC_SIZE(cmd); + asize = _IOC_SIZE(cmd); + if (unlikely(usize > asize)) + usize = asize; } else goto err_i1;
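
Review bot: In the `drm_ioctls[nr]` branch, the new `usize = _IOC_SIZE(cmd);` is only correct because it runs before `cmd = ioctl->cmd;` replaces the caller's ioctl number with the table's, and nothing in the code records that dependency. A one-line comment above it, saying that usize is the size encoded by the caller and asize the size the kernel's table entry expects, would keep a later cleanup from folding the two assignments back into `usize = asize = _IOC_SIZE(cmd);`. The clamp `if (unlikely(usize > asize)) usize = asize;` handles a caller that asks for more than the kernel structure holds, but the hunk does not show what the handler sees in the opposite case, which is the one the commit message describes (usize 76, asize 80). Please confirm that the bytes of the kernel buffer between usize and asize are zeroed before the handler reads them, and mention it in the changelog.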