Message ID | 1365759599-9657-1-git-send-email-chris@chris-wilson.co.uk (mailing list archive) |
---|---|
State | New, archived |
> ioctl cmd, and for example trinity likes to fuzz those bits to create
> conflicting commands. So instead of relying upon userspace to pass along
> the correct IN/OUT flags for the ioctl, use the flags as expected by the
> kernel.
>
> This does have a side-effect that NULL pointers can not be substituted
> by userspace in place of a struct. This feature was not being used by
> any driver, but instead exposed all of the command handlers to a user
> triggerable OOPS.
>
> Reported-by: Tommi Rantala <tt.rantala@gmail.com>
> Link: http://lkml.kernel.org/r/CA+ydwtpuBvbwxbt-tdgPUvj1EU7itmCHo_2B3w13HkD5+jWKow@mail.gmail.com
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

Applied thanks.

Dave.
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index 25f91cd..0ac1991 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -408,6 +408,7 @@ long drm_ioctl(struct file *filp, usize = asize = _IOC_SIZE(cmd); if (drv_size > asize) asize = drv_size; + cmd = ioctl->cmd_drv; } else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) { ioctl = &drm_ioctls[nr];
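
Review bot: The added `cmd = ioctl->cmd_drv;` in the driver-ioctl branch has no comment, yet it changes what every later use of `cmd` in drm_ioctl() means: from that point on the IN/OUT direction bits come from the driver's table and not from the caller. A one-line comment saying so, and noting that a NULL argument is therefore no longer accepted in place of a struct (as the commit message states), would stop someone from removing it as a redundant assignment. The ordering also matters: `usize = asize = _IOC_SIZE(cmd);` still reads the size from the userspace value, so it has to stay above the new assignment, which is worth stating in the same comment. Only the first line of the following `else if` branch for the core `drm_ioctls[nr]` table is visible in the context, so please confirm that path also takes its direction flags from the kernel's table and not from the caller's cmd.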