On Thu, Nov 13, 2014 at 07:05:51PM +0100, Thierry Reding wrote: > From: Thierry Reding <[email protected]> > > The DRM_IOCTL_MODE_CREATE_DUMB (and others) IOCTL isn't very rigorously > specified, which has the effect that some kernel drivers do not consider > the .pitch and .size fields of struct drm_mode_create_dumb outputs only. > Instead they will use these as lower bounds and overwrite them only if > the values that they compute are larger than what userspace provided. > > This works if and only if userspace initializes the fields explicitly to > either 0 or some meaningful value. However, if userspace just leaves the > values uninitialized and the struct drm_mode_create_dumb is allocated on > the stack for example, the driver may try to overallocate buffers. > > Fortunately most userspace does zero out the structure before passing it > to the IOCTL, but there are rare exceptions. Mesa is one of them. In an > attempt to rectify this situation, kernel drivers are being updated to > not use the .pitch and .size fields as inputs. However in order to fix > the issue with older kernels, make sure that Mesa always zeros out the > structure as well. > > Future IOCTLs should be more rigorously defined so that structures can > be validated and IOCTLs rejected if output fields aren't set to zero. > > Signed-off-by: Thierry Reding <[email protected]>
Reviewed-by: Daniel Vetter <[email protected]> > --- > src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c | 2 +- > src/gbm/backends/dri/gbm_dri.c | 1 + > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c > b/src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c > index ee71027c5872..507983ec251a 100644 > --- a/src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c > +++ b/src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c > @@ -131,10 +131,10 @@ kms_sw_displaytarget_create(struct sw_winsys *ws, > kms_sw_dt->width = width; > kms_sw_dt->height = height; > > + memset(&create_req, 0, sizeof(create_req)); > create_req.bpp = 32; > create_req.width = width; > create_req.height = height; > - create_req.handle = 0; > ret = drmIoctl(kms_sw->fd, DRM_IOCTL_MODE_CREATE_DUMB, &create_req); > if (ret) > goto free_bo; > diff --git a/src/gbm/backends/dri/gbm_dri.c b/src/gbm/backends/dri/gbm_dri.c > index 470a54f3dd89..bc263297ec33 100644 > --- a/src/gbm/backends/dri/gbm_dri.c > +++ b/src/gbm/backends/dri/gbm_dri.c > @@ -774,6 +774,7 @@ create_dumb(struct gbm_device *gbm, > if (bo == NULL) > return NULL; > > + memset(&create_arg, 0, sizeof(create_arg)); > create_arg.bpp = 32; > create_arg.width = width; > create_arg.height = height; > -- > 2.1.3 > > _______________________________________________ > mesa-dev mailing list > [email protected] > http://lists.freedesktop.org/mailman/listinfo/mesa-dev -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch _______________________________________________ mesa-dev mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/mesa-dev
