diff options
author | Dave Airlie <airlied@redhat.com> | 2014-11-15 02:50:21 +0300 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2014-11-15 02:50:21 +0300 |
commit | ca5a71de4852e3eeba53a326ddf260b7b2e117b1 (patch) | |
tree | f593458bc43d1c869ce4d204e76a9ff700f436d1 /drivers/gpu/drm/drm_gem.c | |
parent | 7dea0941f8806e79fed562256822564d5f903edc (diff) | |
parent | 7ff7f0a1a934d0d073560dcabe7508e0a4f75f1c (diff) | |
download | linux-ca5a71de4852e3eeba53a326ddf260b7b2e117b1.tar.xz |
Merge tag 'drm/gem-cma/for-3.19-rc1' of git://people.freedesktop.org/~tagr/linux into drm-next
drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input
Some drivers erroneously treat the .pitch and .size fields of struct
drm_mode_create_dumb as inputs. While the include/uapi/drm/drm_mode.h
header has a comment denoting them as outputs, that seemingly wasn't
enough to make drivers use them properly.
The result is that some userspace doesn't explicitly zero out those
fields, assuming that the kernel won't use them. That causes problems
since the data within the structure might be uninitialized, so bogus
data may end up confusing drivers (ridiculously large values for the
pitch, ...).
This series attempts to improve the situation by fixing all drivers to
not use the output fields. Furthermore to spare new drivers this bad
surprise, the DRM core now zeros out these fields prior to handing the
data structure to the driver.
Lessons learned from this are that future IOCTLs should be properly
documented (in the DRM DocBook for example) and should be rigorously
defined. To prevent misuse like this, userspace should be required to
zero out all output fields. The kernel should check for this and fail
if that's not the case.
* tag 'drm/gem-cma/for-3.19-rc1' of git://people.freedesktop.org/~tagr/linux:
drm/cma: Remove call to drm_gem_free_mmap_offset()
drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input
drm/rcar: gem: dumb: pitch is an output
drm/omap: gem: dumb: pitch is an output
drm/cma: Introduce drm_gem_cma_dumb_create_internal()
drm/doc: Add GEM/CMA helpers to kerneldoc
drm/doc: mm: Fix indentation
drm/gem: Fix a few kerneldoc typos
Diffstat (limited to 'drivers/gpu/drm/drm_gem.c')
-rw-r--r-- | drivers/gpu/drm/drm_gem.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 973a9b6644d4..16a164770713 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -309,7 +309,7 @@ EXPORT_SYMBOL(drm_gem_dumb_destroy); * drm_gem_handle_create_tail - internal functions to create a handle * @file_priv: drm file-private structure to register the handle for * @obj: object to register - * @handlep: pionter to return the created handle to the caller + * @handlep: pointer to return the created handle to the caller * * This expects the dev->object_name_lock to be held already and will drop it * before returning. Used to avoid races in establishing new handles when @@ -362,7 +362,7 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, } /** - * gem_handle_create - create a gem handle for an object + * drm_gem_handle_create - create a gem handle for an object * @file_priv: drm file-private structure to register the handle for * @obj: object to register * @handlep: pionter to return the created handle to the caller @@ -371,10 +371,9 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, * to the object, which includes a regular reference count. Callers * will likely want to dereference the object afterwards. */ -int -drm_gem_handle_create(struct drm_file *file_priv, - struct drm_gem_object *obj, - u32 *handlep) +int drm_gem_handle_create(struct drm_file *file_priv, + struct drm_gem_object *obj, + u32 *handlep) { mutex_lock(&obj->dev->object_name_lock); |