From: Arnd Bergmann
To: Lyude Paul, Danilo Krummrich, David Airlie, Simona Vetter, Arnd Bergmann
Cc: Satadru Pramanik, Chris Bainbridge, Ben Skeggs, Timur Tabi, Dave Airlie, Thomas Zimmermann, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Revert "drm/nouveau: check ioctl command codes better"
Date: Tue, 22 Jul 2025 13:58:18 +0200
Message-Id: <20250722115830.2587297-1-arnd@kernel.org>

My previous patch ended up causing a regression for the DRM_IOCTL_NOUVEAU_NVIF ioctl.

The intention of my patch was to only pass ioctl commands that have the correct dir/type/nr bits into the nouveau_abi16_ioctl() function. This turned out to be too strict, as userspace does use at least write-only and write-read direction settings.

Checking for both of these still did not fix the issue, so the best we can do for the 6.16 release is to revert back to what we've had since linux-3.16. This version is still fragile, but at least it is known to work with existing userspace.

Fixing this properly requires a better understanding of what commands are being passed from userspace in practice, and how that relies on the undocumented (mis)behavior in nouveau_drm_ioctl().

Fixes: e5478166dffb ("drm/nouveau: check ioctl command codes better")
Link: https://lore.kernel.org/dri-devel/CAFrh3J85tsZRpOHQtKgNHUVnn=EG=QKBnZTRtWS8eWSc1K1xkA@mail.gmail.com/
Reported-by: Satadru Pramanik
Reported-by: Chris Bainbridge
Signed-off-by: Arnd Bergmann
---
 drivers/gpu/drm/nouveau/nouveau_drm.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouvea= u/nouveau_drm.c index 7bb64fcdd497..1527b801f013 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -1284,9 +1284,6 @@ nouveau_ioctls[] =3D { DRM_IOCTL_DEF_DRV(NOUVEAU_EXEC, nouveau_exec_ioctl_exec, DRM_RENDER_ALLOW= ), }; =20 -#define DRM_IOCTL_NOUVEAU_NVIF _IOC(_IOC_READ | _IOC_WRITE, DRM_IOCTL_BASE= , \ - DRM_COMMAND_BASE + DRM_NOUVEAU_NVIF, 0) - long nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { @@ -1300,10 +1297,14 @@ nouveau_drm_ioctl(struct file *file, unsigned int c= md, unsigned long arg) return ret; } =20 - if ((cmd & ~IOCSIZE_MASK) =3D=3D DRM_IOCTL_NOUVEAU_NVIF) + switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) { + case DRM_NOUVEAU_NVIF: ret =3D nouveau_abi16_ioctl(filp, (void __user *)arg, _IOC_SIZE(cmd)); - else + break; + default: ret =3D drm_ioctl(file, cmd, arg); + break; + } =20 pm_runtime_mark_last_busy(dev->dev); pm_runtime_put_autosuspend(dev->dev); --=20 2.39.5
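Review bot: the restored switch in the second hunk dispatches on _IOC_NR(cmd) - DRM_COMMAND_BASE alone, so the direction and type bits of cmd are never looked at before nouveau_abi16_ioctl() is called with the caller-supplied _IOC_SIZE(cmd) as its size argument. The commit message accepts this as fragile but required by existing userspace; please add a short comment above the switch stating that the dir/type bits are deliberately ignored for DRM_NOUVEAU_NVIF, so that a later cleanup does not tighten the check again before it is known which command encodings userspace actually sends.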
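The direction mismatch described in the commit message, as an added example that is not part of the original mail or of the nouveau driver. It covers only that one cause, which the message says was not the whole regression. The EX_ macros are hypothetical stand-ins that assume the asm-generic ioctl bit layout and the DRM uapi values 'd', 0x40 and 0x07; none of these values appear on the page.

```c
#include <stdio.h>

/* Assumed: asm-generic ioctl layout (nr bits 0-7, type 8-15, size 16-29, dir 30-31). */
#define EX_TYPESHIFT 8
#define EX_SIZESHIFT 16
#define EX_DIRSHIFT  30
#define EX_WRITE     1u
#define EX_READ      2u
#define EX_IOC(dir, type, nr, size) \
	(((unsigned)(dir) << EX_DIRSHIFT) | ((unsigned)(type) << EX_TYPESHIFT) | \
	 ((unsigned)(size) << EX_SIZESHIFT) | (unsigned)(nr))
#define EX_NR(cmd)   ((cmd) & 0xffu)
#define EX_SIZEMASK  (0x3fffu << EX_SIZESHIFT)

/* Assumed values taken from the DRM uapi headers, not from the page. */
#define EX_DRM_IOCTL_BASE   'd'
#define EX_DRM_COMMAND_BASE 0x40u
#define EX_DRM_NOUVEAU_NVIF 0x07u
#define EX_NVIF_CMD EX_IOC(EX_READ | EX_WRITE, EX_DRM_IOCTL_BASE, \
			   EX_DRM_COMMAND_BASE + EX_DRM_NOUVEAU_NVIF, 0)

/* Shape of the check the revert removes: dir, type and nr must all match. */
static int strict_match(unsigned cmd)
{
	return (cmd & ~EX_SIZEMASK) == EX_NVIF_CMD;
}

/* Shape of the check the revert restores: only the nr field is compared. */
static int nr_only_match(unsigned cmd)
{
	switch (EX_NR(cmd) - EX_DRM_COMMAND_BASE) {
	case EX_DRM_NOUVEAU_NVIF:
		return 1;
	default:
		return 0;
	}
}

int main(void)
{
	/* Constructed sample commands: same nr and type, different direction. */
	unsigned rw = EX_IOC(EX_READ | EX_WRITE, 'd', 0x47, 64);
	unsigned wo = EX_IOC(EX_WRITE, 'd', 0x47, 64);
	printf("%#x strict=%d nr_only=%d\n", rw, strict_match(rw), nr_only_match(rw));
	printf("%#x strict=%d nr_only=%d\n", wo, strict_match(wo), nr_only_match(wo));
	return 0;
}
```

The write-only command fails the strict comparison and would have been handed to drm_ioctl() instead of the NVIF path, while the nr-only switch accepts it along with any other dir/type combination carrying the same nr.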