summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThierry Reding <[email protected]>2014-11-13 19:05:51 +0100
committerEmil Velikov <[email protected]>2014-11-16 01:03:40 +0000
commit631090e1557437faa89f4dfd452a194241707363 (patch)
treeded89985d1e5b12a708b7452c1b14e6b3c42c2a2
parent2efabd9f5a711a7f6cd1846630244b7814bf25b3 (diff)
dri/kms: Always zero out struct drm_mode_create_dumb
The DRM_IOCTL_MODE_CREATE_DUMB (and others) IOCTL isn't very rigorously specified, which has the effect that some kernel drivers do not consider the .pitch and .size fields of struct drm_mode_create_dumb outputs only. Instead they will use these as lower bounds and overwrite them only if the values that they compute are larger than what userspace provided. This works if and only if userspace initializes the fields explicitly to either 0 or some meaningful value. However, if userspace just leaves the values uninitialized and the struct drm_mode_create_dumb is allocated on the stack for example, the driver may try to overallocate buffers. Fortunately most userspace does zero out the structure before passing it to the IOCTL, but there are rare exceptions. Mesa is one of them. In an attempt to rectify this situation, kernel drivers are being updated to not use the .pitch and .size fields as inputs. However in order to fix the issue with older kernels, make sure that Mesa always zeros out the structure as well. Future IOCTLs should be more rigorously defined so that structures can be validated and IOCTLs rejected if output fields aren't set to zero. Signed-off-by: Thierry Reding <[email protected]> Reviewed-by: Daniel Vetter <[email protected]> Reviewed-by: Emil Velikov <[email protected]>
-rw-r--r--src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c2
-rw-r--r--src/gbm/backends/dri/gbm_dri.c1
2 files changed, 2 insertions, 1 deletions
diff --git a/src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c b/src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c
index 49b2e6596ac..ed34dfa6cbc 100644
--- a/src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c
+++ b/src/gallium/winsys/sw/kms-dri/kms_dri_sw_winsys.c
@@ -131,10 +131,10 @@ kms_sw_displaytarget_create(struct sw_winsys *ws,
kms_sw_dt->width = width;
kms_sw_dt->height = height;
+ memset(&create_req, 0, sizeof(create_req));
create_req.bpp = 32;
create_req.width = width;
create_req.height = height;
- create_req.handle = 0;
ret = drmIoctl(kms_sw->fd, DRM_IOCTL_MODE_CREATE_DUMB, &create_req);
if (ret)
goto free_bo;
diff --git a/src/gbm/backends/dri/gbm_dri.c b/src/gbm/backends/dri/gbm_dri.c
index 066426617ba..39e6b30d473 100644
--- a/src/gbm/backends/dri/gbm_dri.c
+++ b/src/gbm/backends/dri/gbm_dri.c
@@ -774,6 +774,7 @@ create_dumb(struct gbm_device *gbm,
if (bo == NULL)
return NULL;
+ memset(&create_arg, 0, sizeof(create_arg));
create_arg.bpp = 32;
create_arg.width = width;
create_arg.height = height;