On Wed, Nov 30, 2016 at 05:30:01PM +0900, Michel Dänzer wrote:
> From: Michel Dänzer <michel.daenzer@xxxxxxx>
>
> Fixes oops if userspace calls DRM_IOCTL_GET_CAP for
> DRM_CAP_PAGE_FLIP_TARGET on a non-KMS device node. (Normal userspace
> doesn't do that, discovered by syzkaller)
>
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Fixes: f837297ad824 ("drm: Add DRM_MODE_PAGE_FLIP_TARGET_ABSOLUTE/RELATIVE flags v2")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Michel Dänzer <michel.daenzer@xxxxxxx>
Applied to drm-misc-fixes, thanks.
-Daniel
> ---
> drivers/gpu/drm/drm_ioctl.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
> index 0ad2c47..71c3473 100644
> --- a/drivers/gpu/drm/drm_ioctl.c
> +++ b/drivers/gpu/drm/drm_ioctl.c
> @@ -254,10 +254,12 @@ static int drm_getcap(struct drm_device *dev, void *data, struct drm_file *file_
> req->value = dev->mode_config.async_page_flip;
> break;
> case DRM_CAP_PAGE_FLIP_TARGET:
> - req->value = 1;
> - drm_for_each_crtc(crtc, dev) {
> - if (!crtc->funcs->page_flip_target)
> - req->value = 0;
> + if (drm_core_check_feature(dev, DRIVER_MODESET)) {
> + req->value = 1;
> + drm_for_each_crtc(crtc, dev) {
> + if (!crtc->funcs->page_flip_target)
> + req->value = 0;
> + }
> }
> break;
> case DRM_CAP_CURSOR_WIDTH:
> --
> 2.10.2
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
