kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   97f949b8b55cc23176301e4f8d57c4e6c4f40a83
  2.   patches.suse
  3.   0029-switch-compat_drm_mapbufs-to-drm_ioctl_kernel
Blob Blame History Raw 
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu, 25 May 2017 16:24:20 -0400
Subject: switch compat_drm_mapbufs() to drm_ioctl_kernel()
Git-commit: 87d3ce1169d329bc4cab41996fccb68c06b5725b
Patch-mainline: v4.13-rc1
References: FATE#326289 FATE#326079 FATE#326049 FATE#322398 FATE#326166

Another horror like addbufs; this one is even uglier.  With that
done, drm_ioc32.c should be sane.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Petr Tesarik <ptesarik@suse.com>
---
 drivers/gpu/drm/drm_bufs.c   |   68 +++++++++++++++++++++++------------------
 drivers/gpu/drm/drm_ioc32.c  |   70 ++++++++++++++++++++-----------------------
 drivers/gpu/drm/drm_legacy.h |    4 ++
 3 files changed, 77 insertions(+), 65 deletions(-)

--- a/drivers/gpu/drm/drm_bufs.c
+++ b/drivers/gpu/drm/drm_bufs.c
@@ -1443,15 +1443,15 @@ int drm_legacy_freebufs(struct drm_devic
  * offset equal to 0, which drm_mmap() interpretes as PCI buffers and calls
  * drm_mmap_dma().
  */
-int drm_legacy_mapbufs(struct drm_device *dev, void *data,
-		       struct drm_file *file_priv)
+int __drm_legacy_mapbufs(struct drm_device *dev, void *data, int *p,
+			 void __user **v,
+			 int (*f)(void *, int, unsigned long,
+				  struct drm_buf *),
+		         struct drm_file *file_priv)
 {
 	struct drm_device_dma *dma = dev->dma;
 	int retcode = 0;
-	const int zero = 0;
 	unsigned long virtual;
-	unsigned long address;
-	struct drm_buf_map *request = data;
 	int i;
 
 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
@@ -1471,7 +1471,7 @@ int drm_legacy_mapbufs(struct drm_device
 	dev->buf_use++;		/* Can't allocate more after this call */
 	spin_unlock(&dev->buf_lock);
 
-	if (request->count >= dma->buf_count) {
+	if (*p >= dma->buf_count) {
 		if ((dev->agp && (dma->flags & _DRM_DMA_USE_AGP))
 		    || (drm_core_check_feature(dev, DRIVER_SG)
 			&& (dma->flags & _DRM_DMA_USE_SG))) {
@@ -1496,41 +1496,51 @@ int drm_legacy_mapbufs(struct drm_device
 			retcode = (signed long)virtual;
 			goto done;
 		}
-		request->virtual = (void __user *)virtual;
+		*v = (void __user *)virtual;
 
 		for (i = 0; i < dma->buf_count; i++) {
-			if (copy_to_user(&request->list[i].idx,
-					 &dma->buflist[i]->idx,
-					 sizeof(request->list[0].idx))) {
-				retcode = -EFAULT;
-				goto done;
-			}
-			if (copy_to_user(&request->list[i].total,
-					 &dma->buflist[i]->total,
-					 sizeof(request->list[0].total))) {
-				retcode = -EFAULT;
-				goto done;
-			}
-			if (copy_to_user(&request->list[i].used,
-					 &zero, sizeof(zero))) {
-				retcode = -EFAULT;
-				goto done;
-			}
-			address = virtual + dma->buflist[i]->offset;	/* *** */
-			if (copy_to_user(&request->list[i].address,
-					 &address, sizeof(address))) {
+			if (f(data, i, virtual, dma->buflist[i]) < 0) {
 				retcode = -EFAULT;
 				goto done;
 			}
 		}
 	}
       done:
-	request->count = dma->buf_count;
-	DRM_DEBUG("%d buffers, retcode = %d\n", request->count, retcode);
+	*p = dma->buf_count;
+	DRM_DEBUG("%d buffers, retcode = %d\n", *p, retcode);
 
 	return retcode;
 }
 
+static int map_one_buf(void *data, int idx, unsigned long virtual,
+			struct drm_buf *buf)
+{
+	struct drm_buf_map *request = data;
+	unsigned long address = virtual + buf->offset;	/* *** */
+
+	if (copy_to_user(&request->list[idx].idx, &buf->idx,
+			 sizeof(request->list[0].idx)))
+		return -EFAULT;
+	if (copy_to_user(&request->list[idx].total, &buf->total,
+			 sizeof(request->list[0].total)))
+		return -EFAULT;
+	if (clear_user(&request->list[idx].used, sizeof(int)))
+		return -EFAULT;
+	if (copy_to_user(&request->list[idx].address, &address,
+			 sizeof(address)))
+		return -EFAULT;
+	return 0;
+}
+
+int drm_legacy_mapbufs(struct drm_device *dev, void *data,
+		       struct drm_file *file_priv)
+{
+	struct drm_buf_map *request = data;
+	return __drm_legacy_mapbufs(dev, data, &request->count,
+				    &request->virtual, map_one_buf,
+				    file_priv);
+}
+
 int drm_legacy_dma_ioctl(struct drm_device *dev, void *data,
 		  struct drm_file *file_priv)
 {
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -415,54 +415,52 @@ typedef struct drm_buf_map32 {
 	u32 list;		/**< Buffer information */
 } drm_buf_map32_t;
 
+static int map_one_buf32(void *data, int idx, unsigned long virtual,
+			struct drm_buf *buf)
+{
+	drm_buf_map32_t *request = data;
+	drm_buf_pub32_t __user *to = compat_ptr(request->list) + idx;
+	drm_buf_pub32_t v;
+
+	v.idx = buf->idx;
+	v.total = buf->total;
+	v.used = 0;
+	v.address = virtual + buf->offset;
+	if (copy_to_user(to, &v, sizeof(v)))
+		return -EFAULT;
+	return 0;
+}
+
+static int drm_legacy_mapbufs32(struct drm_device *dev, void *data,
+		       struct drm_file *file_priv)
+{
+	drm_buf_map32_t *request = data;
+	void __user *v;
+	int err = __drm_legacy_mapbufs(dev, data, &request->count,
+				    &v, map_one_buf32,
+				    file_priv);
+	request->virtual = ptr_to_compat(v);
+	return err;
+}
+
 static int compat_drm_mapbufs(struct file *file, unsigned int cmd,
 			      unsigned long arg)
 {
 	drm_buf_map32_t __user *argp = (void __user *)arg;
 	drm_buf_map32_t req32;
-	drm_buf_pub32_t __user *list32;
-	struct drm_buf_map __user *request;
-	struct drm_buf_pub __user *list;
-	int i, err;
-	int count, actual;
-	size_t nbytes;
-	void __user *addr;
+	int err;
 
 	if (copy_from_user(&req32, argp, sizeof(req32)))
 		return -EFAULT;
-	count = req32.count;
-	list32 = (void __user *)(unsigned long)req32.list;
-
-	if (count < 0)
+	if (req32.count < 0)
 		return -EINVAL;
-	nbytes = sizeof(*request) + count * sizeof(struct drm_buf_pub);
-	request = compat_alloc_user_space(nbytes);
-	if (!request)
-		return -EFAULT;
-	list = (struct drm_buf_pub *) (request + 1);
 
-	if (__put_user(count, &request->count)
-	    || __put_user(list, &request->list))
-		return -EFAULT;
-
-	err = drm_ioctl(file, DRM_IOCTL_MAP_BUFS, (unsigned long)request);
+	err = drm_ioctl_kernel(file, drm_legacy_mapbufs32, &req32, DRM_AUTH);
 	if (err)
 		return err;
 
-	if (__get_user(actual, &request->count))
-		return -EFAULT;
-	if (count >= actual)
-		for (i = 0; i < actual; ++i)
-			if (__copy_in_user(&list32[i], &list[i],
-					   offsetof(struct drm_buf_pub, address))
-			    || __get_user(addr, &list[i].address)
-			    || __put_user((unsigned long)addr,
-					  &list32[i].address))
-				return -EFAULT;
-
-	if (__put_user(actual, &argp->count)
-	    || __get_user(addr, &request->virtual)
-	    || __put_user((unsigned long)addr, &argp->virtual))
+	if (put_user(req32.count, &argp->count)
+	    || put_user(req32.virtual, &argp->virtual))
 		return -EFAULT;
 
 	return 0;
@@ -910,7 +908,7 @@ static struct {
 	DRM_IOCTL32_DEF(DRM_IOCTL_ADD_BUFS, compat_drm_addbufs),
 	DRM_IOCTL32_DEF(DRM_IOCTL_MARK_BUFS, compat_drm_markbufs),
 	DRM_IOCTL32_DEF(DRM_IOCTL_INFO_BUFS, compat_drm_infobufs),
-	[DRM_IOCTL_NR(DRM_IOCTL_MAP_BUFS32)].fn = compat_drm_mapbufs,
+	DRM_IOCTL32_DEF(DRM_IOCTL_MAP_BUFS, compat_drm_mapbufs),
 	DRM_IOCTL32_DEF(DRM_IOCTL_FREE_BUFS, compat_drm_freebufs),
 	DRM_IOCTL32_DEF(DRM_IOCTL_RM_MAP, compat_drm_rmmap),
 	DRM_IOCTL32_DEF(DRM_IOCTL_SET_SAREA_CTX, compat_drm_setsareactx),
--- a/drivers/gpu/drm/drm_legacy.h
+++ b/drivers/gpu/drm/drm_legacy.h
@@ -76,6 +76,10 @@ int drm_legacy_dma_ioctl(struct drm_devi
 
 int __drm_legacy_infobufs(struct drm_device *, void *, int *,
 			  int (*)(void *, int, struct drm_buf_entry *));
+int __drm_legacy_mapbufs(struct drm_device *, void *, int *,
+			  void __user **,
+			  int (*)(void *, int, unsigned long, struct drm_buf *),
+			  struct drm_file *);
 
 #ifdef CONFIG_DRM_VM
 void drm_legacy_vma_flush(struct drm_device *d);
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.