From 87d3ce1169d329bc4cab41996fccb68c06b5725b Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 25 May 2017 16:24:20 -0400 Subject: [PATCH] switch compat_drm_mapbufs() to drm_ioctl_kernel() Another horror like addbufs; this one is even uglier. With that done, drm_ioc32.c should be sane. Signed-off-by: Al Viro --- drivers/gpu/drm/drm_bufs.c | 68 ++++++++++++++++++++--------------- drivers/gpu/drm/drm_ioc32.c | 70 ++++++++++++++++++------------------ drivers/gpu/drm/drm_legacy.h | 4 +++ 3 files changed, 77 insertions(+), 65 deletions(-) diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c index 93e38d51cdc3..1ee84dd802d4 100644 --- a/drivers/gpu/drm/drm_bufs.c +++ b/drivers/gpu/drm/drm_bufs.c @@ -1443,15 +1443,15 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data, * offset equal to 0, which drm_mmap() interpretes as PCI buffers and calls * drm_mmap_dma(). */ -int drm_legacy_mapbufs(struct drm_device *dev, void *data, - struct drm_file *file_priv) +int __drm_legacy_mapbufs(struct drm_device *dev, void *data, int *p, + void __user **v, + int (*f)(void *, int, unsigned long, + struct drm_buf *), + struct drm_file *file_priv) { struct drm_device_dma *dma = dev->dma; int retcode = 0; - const int zero = 0; unsigned long virtual; - unsigned long address; - struct drm_buf_map *request = data; int i; if (!drm_core_check_feature(dev, DRIVER_LEGACY)) @@ -1471,7 +1471,7 @@ int drm_legacy_mapbufs(struct drm_device *dev, void *data, dev->buf_use++; /* Can't allocate more after this call */ spin_unlock(&dev->buf_lock); - if (request->count >= dma->buf_count) { + if (*p >= dma->buf_count) { if ((dev->agp && (dma->flags & _DRM_DMA_USE_AGP)) || (drm_core_check_feature(dev, DRIVER_SG) && (dma->flags & _DRM_DMA_USE_SG))) { @@ -1496,41 +1496,51 @@ int drm_legacy_mapbufs(struct drm_device *dev, void *data, retcode = (signed long)virtual; goto done; } - request->virtual = (void __user *)virtual; + *v = (void __user *)virtual; for (i = 0; i < dma->buf_count; i++) { - if (copy_to_user(&request->list[i].idx, - &dma->buflist[i]->idx, - sizeof(request->list[0].idx))) { - retcode = -EFAULT; - goto done; - } - if (copy_to_user(&request->list[i].total, - &dma->buflist[i]->total, - sizeof(request->list[0].total))) { - retcode = -EFAULT; - goto done; - } - if (copy_to_user(&request->list[i].used, - &zero, sizeof(zero))) { - retcode = -EFAULT; - goto done; - } - address = virtual + dma->buflist[i]->offset; /* *** */ - if (copy_to_user(&request->list[i].address, - &address, sizeof(address))) { + if (f(data, i, virtual, dma->buflist[i]) < 0) { retcode = -EFAULT; goto done; } } } done: - request->count = dma->buf_count; - DRM_DEBUG("%d buffers, retcode = %d\n", request->count, retcode); + *p = dma->buf_count; + DRM_DEBUG("%d buffers, retcode = %d\n", *p, retcode); return retcode; } +static int map_one_buf(void *data, int idx, unsigned long virtual, + struct drm_buf *buf) +{ + struct drm_buf_map *request = data; + unsigned long address = virtual + buf->offset; /* *** */ + + if (copy_to_user(&request->list[idx].idx, &buf->idx, + sizeof(request->list[0].idx))) + return -EFAULT; + if (copy_to_user(&request->list[idx].total, &buf->total, + sizeof(request->list[0].total))) + return -EFAULT; + if (clear_user(&request->list[idx].used, sizeof(int))) + return -EFAULT; + if (copy_to_user(&request->list[idx].address, &address, + sizeof(address))) + return -EFAULT; + return 0; +} + +int drm_legacy_mapbufs(struct drm_device *dev, void *data, + struct drm_file *file_priv) +{ + struct drm_buf_map *request = data; + return __drm_legacy_mapbufs(dev, data, &request->count, + &request->virtual, map_one_buf, + file_priv); +} + int drm_legacy_dma_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c index 57b0ae39169b..0e6ae9ceceb6 100644 --- a/drivers/gpu/drm/drm_ioc32.c +++ b/drivers/gpu/drm/drm_ioc32.c @@ -415,54 +415,52 @@ typedef struct drm_buf_map32 { u32 list; /**< Buffer information */ } drm_buf_map32_t; +static int map_one_buf32(void *data, int idx, unsigned long virtual, + struct drm_buf *buf) +{ + drm_buf_map32_t *request = data; + drm_buf_pub32_t __user *to = compat_ptr(request->list) + idx; + drm_buf_pub32_t v; + + v.idx = buf->idx; + v.total = buf->total; + v.used = 0; + v.address = virtual + buf->offset; + if (copy_to_user(to, &v, sizeof(v))) + return -EFAULT; + return 0; +} + +static int drm_legacy_mapbufs32(struct drm_device *dev, void *data, + struct drm_file *file_priv) +{ + drm_buf_map32_t *request = data; + void __user *v; + int err = __drm_legacy_mapbufs(dev, data, &request->count, + &v, map_one_buf32, + file_priv); + request->virtual = ptr_to_compat(v); + return err; +} + static int compat_drm_mapbufs(struct file *file, unsigned int cmd, unsigned long arg) { drm_buf_map32_t __user *argp = (void __user *)arg; drm_buf_map32_t req32; - drm_buf_pub32_t __user *list32; - struct drm_buf_map __user *request; - struct drm_buf_pub __user *list; - int i, err; - int count, actual; - size_t nbytes; - void __user *addr; + int err; if (copy_from_user(&req32, argp, sizeof(req32))) return -EFAULT; - count = req32.count; - list32 = (void __user *)(unsigned long)req32.list; - - if (count < 0) + if (req32.count < 0) return -EINVAL; - nbytes = sizeof(*request) + count * sizeof(struct drm_buf_pub); - request = compat_alloc_user_space(nbytes); - if (!request) - return -EFAULT; - list = (struct drm_buf_pub *) (request + 1); - if (__put_user(count, &request->count) - || __put_user(list, &request->list)) - return -EFAULT; - - err = drm_ioctl(file, DRM_IOCTL_MAP_BUFS, (unsigned long)request); + err = drm_ioctl_kernel(file, drm_legacy_mapbufs32, &req32, DRM_AUTH); if (err) return err; - if (__get_user(actual, &request->count)) - return -EFAULT; - if (count >= actual) - for (i = 0; i < actual; ++i) - if (__copy_in_user(&list32[i], &list[i], - offsetof(struct drm_buf_pub, address)) - || __get_user(addr, &list[i].address) - || __put_user((unsigned long)addr, - &list32[i].address)) - return -EFAULT; - - if (__put_user(actual, &argp->count) - || __get_user(addr, &request->virtual) - || __put_user((unsigned long)addr, &argp->virtual)) + if (put_user(req32.count, &argp->count) + || put_user(req32.virtual, &argp->virtual)) return -EFAULT; return 0; @@ -910,7 +908,7 @@ static struct { DRM_IOCTL32_DEF(DRM_IOCTL_ADD_BUFS, compat_drm_addbufs), DRM_IOCTL32_DEF(DRM_IOCTL_MARK_BUFS, compat_drm_markbufs), DRM_IOCTL32_DEF(DRM_IOCTL_INFO_BUFS, compat_drm_infobufs), - [DRM_IOCTL_NR(DRM_IOCTL_MAP_BUFS32)].fn = compat_drm_mapbufs, + DRM_IOCTL32_DEF(DRM_IOCTL_MAP_BUFS, compat_drm_mapbufs), DRM_IOCTL32_DEF(DRM_IOCTL_FREE_BUFS, compat_drm_freebufs), DRM_IOCTL32_DEF(DRM_IOCTL_RM_MAP, compat_drm_rmmap), DRM_IOCTL32_DEF(DRM_IOCTL_SET_SAREA_CTX, compat_drm_setsareactx), diff --git a/drivers/gpu/drm/drm_legacy.h b/drivers/gpu/drm/drm_legacy.h index 702ae0c9379c..280fbeb846ff 100644 --- a/drivers/gpu/drm/drm_legacy.h +++ b/drivers/gpu/drm/drm_legacy.h @@ -76,6 +76,10 @@ int drm_legacy_dma_ioctl(struct drm_device *d, void *v, struct drm_file *f); int __drm_legacy_infobufs(struct drm_device *, void *, int *, int (*)(void *, int, struct drm_buf_entry *)); +int __drm_legacy_mapbufs(struct drm_device *, void *, int *, + void __user **, + int (*)(void *, int, unsigned long, struct drm_buf *), + struct drm_file *); #ifdef CONFIG_DRM_VM void drm_legacy_vma_flush(struct drm_device *d); -- 2.20.1