Userspace is free to pass in any command bits it feels like through the ioctl cmd, and for example trinity likes to fuzz those bits to create conflicting commands. So instead of relying upon userspace to pass along the correct IN/OUT flags for the ioctl, use the flags as expected by the kernel. This does have a side-effect that NULL pointers can not be substituted by userspace in place of a struct. This feature was not being used by any driver, but instead exposed all of the command handlers to a user triggerable OOPS. Reported-by: Tommi Rantala <tt.rantala@xxxxxxxxx> Link: http://lkml.kernel.org/r/CA+ydwtpuBvbwxbt-tdgPUvj1EU7itmCHo_2B3w13HkD5+jWKow@xxxxxxxxxxxxxx Signed-off-by: Tommi Rantala <tt.rantala@xxxxxxxxx> Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> --- drivers/gpu/drm/drm_drv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index 25f91cd..0ac1991 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -408,6 +408,7 @@ long drm_ioctl(struct file *filp, usize = asize = _IOC_SIZE(cmd); if (drv_size > asize) asize = drv_size; + cmd = ioctl->cmd_drv; } else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) { ioctl = &drm_ioctls[nr]; -- 1.7.10.4 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
