* [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
@ 2011-09-14 12:14 Daniel Vetter
  2011-09-14 20:02 ` Ben Widawsky
  2011-09-23 16:14 ` Daniel Vetter
  0 siblings, 2 replies; 5+ messages in thread
From: Daniel Vetter @ 2011-09-14 12:14 UTC (permalink / raw)
  To: intel-gfx; +Cc: Daniel Vetter

From: Chris Wilson <chris@chris-wilson.co.uk>

We currently only round up the userspace size to the next page. We
assume that userspace hasn't made a mistake and requested a zero-length
gem object and all through our internal code we then presume that every
object is backed by at least a single page. Fix that oversight and
report EINVAL back to userspace if they try to create a zero length
object.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
[danvet: This fixes tests/gem_bad_length]
Signed-Off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
 drivers/gpu/drm/i915/i915_gem.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 7998827..9857e9d 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -195,6 +195,8 @@ i915_gem_create(struct drm_file *file,
 	u32 handle;
 
 	size = roundup(size, PAGE_SIZE);
+	if (size == 0)
+		return -EINVAL;
 
 	/* Allocate the new object */
 	obj = i915_gem_alloc_object(dev, size);
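
Review bot: the `if (size == 0)` test placed after `roundup(size, PAGE_SIZE)` rejects more than a literal zero, and that deserves a one-line comment. A request of 0 stays 0 after rounding, and if `size` is an unsigned integer (its declaration is outside this hunk), a request within PAGE_SIZE - 1 of the type's maximum wraps during the round-up and comes out as 0 as well, so it is refused here instead of reaching `i915_gem_alloc_object(dev, size)`. Keep the check after the rounding and say so in a comment, so a later cleanup does not hoist it above the `roundup()` line.
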
-- 
1.7.6


* Re: [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
  2011-09-14 12:14 [PATCH] drm/i915: Defend against userspace creating a gem object with size==0 Daniel Vetter
@ 2011-09-14 20:02 ` Ben Widawsky
  2011-09-14 21:22   ` Ben Widawsky
  2011-09-23 16:14 ` Daniel Vetter
  1 sibling, 1 reply; 5+ messages in thread
From: Ben Widawsky @ 2011-09-14 20:02 UTC (permalink / raw)
  To: Daniel Vetter; +Cc: intel-gfx

On Wed, Sep 14, 2011 at 02:14:28PM +0200, Daniel Vetter wrote:
> From: Chris Wilson <chris@chris-wilson.co.uk>
> 
> We currently only round up the userspace size to the next page. We
> assume that userspace hasn't made a mistake and requested a zero-length
> gem object and all through our internal code we then presume that every
> object is backed by at least a single page. Fix that oversight and
> report EINVAL back to userspace if they try to create a zero length
> object.
> 
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> [danvet: This fixes tests/gem_bad_length]
> Signed-Off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> ---
>  drivers/gpu/drm/i915/i915_gem.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
> index 7998827..9857e9d 100644
> --- a/drivers/gpu/drm/i915/i915_gem.c
> +++ b/drivers/gpu/drm/i915/i915_gem.c
> @@ -195,6 +195,8 @@ i915_gem_create(struct drm_file *file,
>  	u32 handle;
>  
>  	size = roundup(size, PAGE_SIZE);
> +	if (size == 0)
> +		return -EINVAL;
>  
>  	/* Allocate the new object */
>  	obj = i915_gem_alloc_object(dev, size);
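
Review bot: the new `if (size == 0)` guard enforces the "at least a single page" rule only on this one path into `i915_gem_alloc_object(dev, size)`, which still accepts whatever size it is handed. If any other caller can reach the allocator with a size that was not validated, the assumption described in the commit message remains unprotected there; consider rejecting a zero size inside the allocator as well, or adding a WARN_ON there, so the invariant is checked where the object is created.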

Could we just: s/roundup/DIV_ROUND_UP and be happy?

Ben


* Re: [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
  2011-09-14 20:02 ` Ben Widawsky
@ 2011-09-14 21:22   ` Ben Widawsky
  0 siblings, 0 replies; 5+ messages in thread
From: Ben Widawsky @ 2011-09-14 21:22 UTC (permalink / raw)
  To: Ben Widawsky; +Cc: Daniel Vetter, intel-gfx

On Wed, 14 Sep 2011 20:02:10 +0000
Ben Widawsky <ben@bwidawsk.net> wrote:

> On Wed, Sep 14, 2011 at 02:14:28PM +0200, Daniel Vetter wrote:
> > From: Chris Wilson <chris@chris-wilson.co.uk>
> > 
> > We currently only round up the userspace size to the next page. We
> > assume that userspace hasn't made a mistake and requested a
> > zero-length gem object and all through our internal code we then
> > presume that every object is backed by at least a single page. Fix
> > that oversight and report EINVAL back to userspace if they try to
> > create a zero length object.
> > 
> > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > [danvet: This fixes tests/gem_bad_length]
> > Signed-Off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> > ---
> >  drivers/gpu/drm/i915/i915_gem.c |    2 ++
> >  1 files changed, 2 insertions(+), 0 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/i915_gem.c
> > b/drivers/gpu/drm/i915/i915_gem.c index 7998827..9857e9d 100644
> > --- a/drivers/gpu/drm/i915/i915_gem.c
> > +++ b/drivers/gpu/drm/i915/i915_gem.c
> > @@ -195,6 +195,8 @@ i915_gem_create(struct drm_file *file,
> >  	u32 handle;
> >  
> >  	size = roundup(size, PAGE_SIZE);
> > +	if (size == 0)
> > +		return -EINVAL;
> >  
> >  	/* Allocate the new object */
> >  	obj = i915_gem_alloc_object(dev, size);
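
Review bot: the explicit `if (size == 0)` test is needed whichever rounding helper sits on the line above it. `roundup(0, PAGE_SIZE)` is 0, and DIV_ROUND_UP(0, PAGE_SIZE) is also 0 while additionally turning `size` from a byte count into a page count, which is not what `i915_gem_alloc_object(dev, size)` is passed in this hunk. Keeping `roundup()` plus the check, as posted, is the smaller change.
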
> 
> Could we just: s/roundup/DIV_ROUND_UP and be happy?

Rescinded.
Reviewed-by: Ben Widawsky <ben@bwidawsk.net>


* Re: [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
  2011-09-14 12:14 [PATCH] drm/i915: Defend against userspace creating a gem object with size==0 Daniel Vetter
  2011-09-14 20:02 ` Ben Widawsky
@ 2011-09-23 16:14 ` Daniel Vetter
  1 sibling, 0 replies; 5+ messages in thread
From: Daniel Vetter @ 2011-09-23 16:14 UTC (permalink / raw)
  To: intel-gfx; +Cc: Daniel Vetter

Hi Keith,

This fixes a potential user-triggerable oops (when submitting an execbuf
with a zero-length object on a kernel with dmar support). Please merge for
-fixes, Cc: stable.

Yours, Daniel
-- 
Daniel Vetter
Mail: daniel@ffwll.ch
Mobile: +41 (0)79 365 57 48


* [PATCH] drm/i915: Defend against userspace creating a gem object with size==0
@ 2011-06-23 10:40 Chris Wilson
  0 siblings, 0 replies; 5+ messages in thread
From: Chris Wilson @ 2011-06-23 10:40 UTC (permalink / raw)
  To: intel-gfx

We currently only round up the userspace size to the next page. We
assume that userspace hasn't made a mistake and requested a zero-length
gem object and all through our internal code we then presume that every
object is backed by at least a single page. Fix that oversight and
report EINVAL back to userspace if they try to create a zero length
object.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
 drivers/gpu/drm/i915/i915_gem.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index bceb8ec..ec533c7 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -194,6 +194,8 @@ i915_gem_create(struct drm_file *file,
 	u32 handle;
 
 	size = roundup(size, PAGE_SIZE);
+	if (size == 0)
+		return -EINVAL;
 
 	/* Allocate the new object */
 	obj = i915_gem_alloc_object(dev, size);
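
Review bot: the changelog for this two-line check explains the assumption but not the failure, and it carries no stable tag. The 2011-09-23 follow-up in this thread describes the result as a potential user-triggerable oops when an execbuf is submitted with a zero-length object on a kernel with dmar support, and asks for Cc: stable; putting that sentence and the tag in the commit message would let backporters judge the `if (size == 0)` / `return -EINVAL;` addition without having to find the mail.
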
-- 
1.7.5.4

