* [PATCH] drm: Limit to INT_MAX in create_blob ioctl
@ 2019-11-06 16:47 ` Daniel Vetter
0 siblings, 0 replies; 10+ messages in thread
From: Daniel Vetter @ 2019-11-06 16:47 UTC (permalink / raw)
To: DRI Development
Cc: LKML, Daniel Vetter, syzbot+fb77e97ebf0612ee6914, Kees Cook,
Alexander Viro, Andrew Morton, Stephen Rothwell, Daniel Vetter
The hardened usercpy code is too paranoid ever since:
commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe
Author: Kees Cook <keescook@chromium.org>
Date: Wed Nov 6 16:07:01 2019 +1100
uaccess: disallow > INT_MAX copy sizes
Code itself should have been fine as-is.
Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
--
Kees/Andrew,
Since this is -mm can I have a stable sha1 or something for
referencing? Or do you want to include this in the -mm patch bomb for
the merge window?
-Daniel
---
drivers/gpu/drm/drm_property.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
index 892ce636ef72..6ee04803c362 100644
--- a/drivers/gpu/drm/drm_property.c
+++ b/drivers/gpu/drm/drm_property.c
@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
struct drm_property_blob *blob;
int ret;
- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
+ if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
return ERR_PTR(-EINVAL);
blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
--
2.24.0.rc2
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 16:47 ` Daniel Vetter 0 siblings, 0 replies; 10+ messages in thread From: Daniel Vetter @ 2019-11-06 16:47 UTC (permalink / raw) To: DRI Development Cc: Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, Kees Cook, Daniel Vetter, LKML, Alexander Viro, Daniel Vetter, Andrew Morton The hardened usercpy code is too paranoid ever since: commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe Author: Kees Cook <keescook@chromium.org> Date: Wed Nov 6 16:07:01 2019 +1100 uaccess: disallow > INT_MAX copy sizes Code itself should have been fine as-is. Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") Cc: Kees Cook <keescook@chromium.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> -- Kees/Andrew, Since this is -mm can I have a stable sha1 or something for referencing? Or do you want to include this in the -mm patch bomb for the merge window? -Daniel --- drivers/gpu/drm/drm_property.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c index 892ce636ef72..6ee04803c362 100644 --- a/drivers/gpu/drm/drm_property.c +++ b/drivers/gpu/drm/drm_property.c @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, struct drm_property_blob *blob; int ret; - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) return ERR_PTR(-EINVAL); blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); -- 2.24.0.rc2 _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 17:03 ` Ville Syrjälä 0 siblings, 0 replies; 10+ messages in thread From: Ville Syrjälä @ 2019-11-06 17:03 UTC (permalink / raw) To: Daniel Vetter Cc: DRI Development, Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, Kees Cook, LKML, Alexander Viro, Daniel Vetter, Andrew Morton On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote: > The hardened usercpy code is too paranoid ever since: > > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe > Author: Kees Cook <keescook@chromium.org> > Date: Wed Nov 6 16:07:01 2019 +1100 > > uaccess: disallow > INT_MAX copy sizes > > Code itself should have been fine as-is. > > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") > Cc: Kees Cook <keescook@chromium.org> > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Stephen Rothwell <sfr@canb.auug.org.au> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > -- > Kees/Andrew, > > Since this is -mm can I have a stable sha1 or something for > referencing? Or do you want to include this in the -mm patch bomb for > the merge window? > -Daniel > --- > drivers/gpu/drm/drm_property.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c > index 892ce636ef72..6ee04803c362 100644 > --- a/drivers/gpu/drm/drm_property.c > +++ b/drivers/gpu/drm/drm_property.c > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, > struct drm_property_blob *blob; > int ret; > > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) > return ERR_PTR(-EINVAL); INT_MAX should be more than enough. Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> > > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); > -- > 2.24.0.rc2 > > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel -- Ville Syrjälä Intel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 17:03 ` Ville Syrjälä 0 siblings, 0 replies; 10+ messages in thread From: Ville Syrjälä @ 2019-11-06 17:03 UTC (permalink / raw) To: Daniel Vetter Cc: Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, Kees Cook, LKML, DRI Development, Alexander Viro, Daniel Vetter, Andrew Morton On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote: > The hardened usercpy code is too paranoid ever since: > > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe > Author: Kees Cook <keescook@chromium.org> > Date: Wed Nov 6 16:07:01 2019 +1100 > > uaccess: disallow > INT_MAX copy sizes > > Code itself should have been fine as-is. > > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") > Cc: Kees Cook <keescook@chromium.org> > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Stephen Rothwell <sfr@canb.auug.org.au> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > -- > Kees/Andrew, > > Since this is -mm can I have a stable sha1 or something for > referencing? Or do you want to include this in the -mm patch bomb for > the merge window? > -Daniel > --- > drivers/gpu/drm/drm_property.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c > index 892ce636ef72..6ee04803c362 100644 > --- a/drivers/gpu/drm/drm_property.c > +++ b/drivers/gpu/drm/drm_property.c > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, > struct drm_property_blob *blob; > int ret; > > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) > return ERR_PTR(-EINVAL); INT_MAX should be more than enough. Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> > > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); > -- > 2.24.0.rc2 > > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel -- Ville Syrjälä Intel _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 17:24 ` Kees Cook 0 siblings, 0 replies; 10+ messages in thread From: Kees Cook @ 2019-11-06 17:24 UTC (permalink / raw) To: Daniel Vetter Cc: DRI Development, LKML, syzbot+fb77e97ebf0612ee6914, Alexander Viro, Andrew Morton, Stephen Rothwell, Daniel Vetter On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote: > The hardened usercpy code is too paranoid ever since: > > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe > Author: Kees Cook <keescook@chromium.org> > Date: Wed Nov 6 16:07:01 2019 +1100 > > uaccess: disallow > INT_MAX copy sizes > > Code itself should have been fine as-is. I had to go read the syzbot report to understand what was actually being fixed here. Can you be a bit more verbose in this commit log? It sounds like huge usercopy sizes were allowed by drm (though I guess they would fail gracefully in some other way?) but after 6a30afa8c1fb, the copy would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ? What was the prior failure mode that made the existing ULONG_MAX check safe? Your patch looks fine, though: Reviewed-by: Kees Cook <keescook@chromium.org> > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") > Cc: Kees Cook <keescook@chromium.org> > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Stephen Rothwell <sfr@canb.auug.org.au> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > -- > Kees/Andrew, > > Since this is -mm can I have a stable sha1 or something for > referencing? Or do you want to include this in the -mm patch bomb for > the merge window? Traditionally these things live in akpm's tree when they are fixes for patches in there. I have no idea how the Fixes tags work in that case, though... -Kees > -Daniel > --- > drivers/gpu/drm/drm_property.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c > index 892ce636ef72..6ee04803c362 100644 > --- a/drivers/gpu/drm/drm_property.c > +++ b/drivers/gpu/drm/drm_property.c > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, > struct drm_property_blob *blob; > int ret; > > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) > return ERR_PTR(-EINVAL); > > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); > -- > 2.24.0.rc2 > -- Kees Cook ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 17:24 ` Kees Cook 0 siblings, 0 replies; 10+ messages in thread From: Kees Cook @ 2019-11-06 17:24 UTC (permalink / raw) To: Daniel Vetter Cc: Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, LKML, DRI Development, Alexander Viro, Daniel Vetter, Andrew Morton On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote: > The hardened usercpy code is too paranoid ever since: > > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe > Author: Kees Cook <keescook@chromium.org> > Date: Wed Nov 6 16:07:01 2019 +1100 > > uaccess: disallow > INT_MAX copy sizes > > Code itself should have been fine as-is. I had to go read the syzbot report to understand what was actually being fixed here. Can you be a bit more verbose in this commit log? It sounds like huge usercopy sizes were allowed by drm (though I guess they would fail gracefully in some other way?) but after 6a30afa8c1fb, the copy would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ? What was the prior failure mode that made the existing ULONG_MAX check safe? Your patch looks fine, though: Reviewed-by: Kees Cook <keescook@chromium.org> > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") > Cc: Kees Cook <keescook@chromium.org> > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Stephen Rothwell <sfr@canb.auug.org.au> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > -- > Kees/Andrew, > > Since this is -mm can I have a stable sha1 or something for > referencing? Or do you want to include this in the -mm patch bomb for > the merge window? Traditionally these things live in akpm's tree when they are fixes for patches in there. I have no idea how the Fixes tags work in that case, though... -Kees > -Daniel > --- > drivers/gpu/drm/drm_property.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c > index 892ce636ef72..6ee04803c362 100644 > --- a/drivers/gpu/drm/drm_property.c > +++ b/drivers/gpu/drm/drm_property.c > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, > struct drm_property_blob *blob; > int ret; > > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) > return ERR_PTR(-EINVAL); > > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); > -- > 2.24.0.rc2 > -- Kees Cook _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 17:56 ` Daniel Vetter 0 siblings, 0 replies; 10+ messages in thread From: Daniel Vetter @ 2019-11-06 17:56 UTC (permalink / raw) To: Kees Cook Cc: DRI Development, LKML, syzbot, Alexander Viro, Andrew Morton, Stephen Rothwell, Daniel Vetter On Wed, Nov 6, 2019 at 6:24 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote: > > The hardened usercpy code is too paranoid ever since: > > > > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe > > Author: Kees Cook <keescook@chromium.org> > > Date: Wed Nov 6 16:07:01 2019 +1100 > > > > uaccess: disallow > INT_MAX copy sizes > > > > Code itself should have been fine as-is. > > I had to go read the syzbot report to understand what was actually being > fixed here. Can you be a bit more verbose in this commit log? It sounds > like huge usercopy sizes were allowed by drm (though I guess they would > fail gracefully in some other way?) but after 6a30afa8c1fb, the copy > would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ? The WARNING seems to have been the only bad effect. I guess in practice the real big stuff fails at memory allocation time, but shouldn't overflow. Or maybe I still don't get how this C thing works. Anyway I figured the cited patch is good enough, userptr copies > INT_MAX aren't allowed anymore, so we need to adjust our overflow checks. -Daniel > What was the prior failure mode that made the existing ULONG_MAX check > safe? Your patch looks fine, though: > > Reviewed-by: Kees Cook <keescook@chromium.org> > > > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") > > Cc: Kees Cook <keescook@chromium.org> > > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > > Cc: Andrew Morton <akpm@linux-foundation.org> > > Cc: Stephen Rothwell <sfr@canb.auug.org.au> > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > -- > > Kees/Andrew, > > > > Since this is -mm can I have a stable sha1 or something for > > referencing? Or do you want to include this in the -mm patch bomb for > > the merge window? > > Traditionally these things live in akpm's tree when they are fixes for > patches in there. I have no idea how the Fixes tags work in that case, > though... > > -Kees > > > -Daniel > > --- > > drivers/gpu/drm/drm_property.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c > > index 892ce636ef72..6ee04803c362 100644 > > --- a/drivers/gpu/drm/drm_property.c > > +++ b/drivers/gpu/drm/drm_property.c > > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, > > struct drm_property_blob *blob; > > int ret; > > > > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) > > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) > > return ERR_PTR(-EINVAL); > > > > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); > > -- > > 2.24.0.rc2 > > > > -- > Kees Cook -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 17:56 ` Daniel Vetter 0 siblings, 0 replies; 10+ messages in thread From: Daniel Vetter @ 2019-11-06 17:56 UTC (permalink / raw) To: Kees Cook Cc: Stephen Rothwell, syzbot, LKML, DRI Development, Alexander Viro, Daniel Vetter, Andrew Morton On Wed, Nov 6, 2019 at 6:24 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Nov 06, 2019 at 05:47:55PM +0100, Daniel Vetter wrote: > > The hardened usercpy code is too paranoid ever since: > > > > commit 6a30afa8c1fbde5f10f9c584c2992aa3c7f7a8fe > > Author: Kees Cook <keescook@chromium.org> > > Date: Wed Nov 6 16:07:01 2019 +1100 > > > > uaccess: disallow > INT_MAX copy sizes > > > > Code itself should have been fine as-is. > > I had to go read the syzbot report to understand what was actually being > fixed here. Can you be a bit more verbose in this commit log? It sounds > like huge usercopy sizes were allowed by drm (though I guess they would > fail gracefully in some other way?) but after 6a30afa8c1fb, the copy > would yell about sizes where INT_MAX < size < ULONG_MAX - sizeof(...) ? The WARNING seems to have been the only bad effect. I guess in practice the real big stuff fails at memory allocation time, but shouldn't overflow. Or maybe I still don't get how this C thing works. Anyway I figured the cited patch is good enough, userptr copies > INT_MAX aren't allowed anymore, so we need to adjust our overflow checks. -Daniel > What was the prior failure mode that made the existing ULONG_MAX check > safe? Your patch looks fine, though: > > Reviewed-by: Kees Cook <keescook@chromium.org> > > > Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > > Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes") > > Cc: Kees Cook <keescook@chromium.org> > > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > > Cc: Andrew Morton <akpm@linux-foundation.org> > > Cc: Stephen Rothwell <sfr@canb.auug.org.au> > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > -- > > Kees/Andrew, > > > > Since this is -mm can I have a stable sha1 or something for > > referencing? Or do you want to include this in the -mm patch bomb for > > the merge window? > > Traditionally these things live in akpm's tree when they are fixes for > patches in there. I have no idea how the Fixes tags work in that case, > though... > > -Kees > > > -Daniel > > --- > > drivers/gpu/drm/drm_property.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c > > index 892ce636ef72..6ee04803c362 100644 > > --- a/drivers/gpu/drm/drm_property.c > > +++ b/drivers/gpu/drm/drm_property.c > > @@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, > > struct drm_property_blob *blob; > > int ret; > > > > - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) > > + if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) > > return ERR_PTR(-EINVAL); > > > > blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); > > -- > > 2.24.0.rc2 > > > > -- > Kees Cook -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 18:13 ` Andrew Morton 0 siblings, 0 replies; 10+ messages in thread From: Andrew Morton @ 2019-11-06 18:13 UTC (permalink / raw) To: Kees Cook Cc: Daniel Vetter, DRI Development, LKML, syzbot+fb77e97ebf0612ee6914, Alexander Viro, Stephen Rothwell, Daniel Vetter On Wed, 6 Nov 2019 09:24:18 -0800 Kees Cook <keescook@chromium.org> wrote: > > Since this is -mm can I have a stable sha1 or something for > > referencing? Or do you want to include this in the -mm patch bomb for > > the merge window? > > Traditionally these things live in akpm's tree when they are fixes for > patches in there. I have no idea how the Fixes tags work in that case, > though... I queued it immediately ahead of uaccess-disallow-int_max-copy-sizes.patch so all should be good, thanks. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm: Limit to INT_MAX in create_blob ioctl @ 2019-11-06 18:13 ` Andrew Morton 0 siblings, 0 replies; 10+ messages in thread From: Andrew Morton @ 2019-11-06 18:13 UTC (permalink / raw) To: Kees Cook Cc: Stephen Rothwell, syzbot+fb77e97ebf0612ee6914, Daniel Vetter, LKML, DRI Development, Alexander Viro, Daniel Vetter On Wed, 6 Nov 2019 09:24:18 -0800 Kees Cook <keescook@chromium.org> wrote: > > Since this is -mm can I have a stable sha1 or something for > > referencing? Or do you want to include this in the -mm patch bomb for > > the merge window? > > Traditionally these things live in akpm's tree when they are fixes for > patches in there. I have no idea how the Fixes tags work in that case, > though... I queued it immediately ahead of uaccess-disallow-int_max-copy-sizes.patch so all should be good, thanks. _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2019-11-06 18:13 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-11-06 16:47 [PATCH] drm: Limit to INT_MAX in create_blob ioctl Daniel Vetter 2019-11-06 16:47 ` Daniel Vetter 2019-11-06 17:03 ` Ville Syrjälä 2019-11-06 17:03 ` Ville Syrjälä 2019-11-06 17:24 ` Kees Cook 2019-11-06 17:24 ` Kees Cook 2019-11-06 17:56 ` Daniel Vetter 2019-11-06 17:56 ` Daniel Vetter 2019-11-06 18:13 ` Andrew Morton 2019-11-06 18:13 ` Andrew Morton
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.