On 16/01/18 14:08, Chris Wilson wrote:
Quoting Lionel Landwerlin (2018-01-16 13:40:09)+int i915_query_ioctl(struct drm_device *dev, void *data, struct drm_file *file) +{ + struct drm_i915_query *args = data; + struct drm_i915_query_item __user *user_item_ptr = + u64_to_user_ptr(args->items_ptr); + u32 i;You need to reject non-zero pad values. I would just rename them as flags because that's almost always the first field added later on when extending the ioctl.
Ah yeah, forgot about that...
+ + for (i = 0; i < args->num_items; i++, user_item_ptr++) { + struct drm_i915_query_item item; + + if (copy_from_user(&item, user_item_ptr, sizeof(item))) + return -EFAULT; + + switch (item.query_id) { + default: + return -EINVAL; + } + + if (copy_to_user(user_item_ptr, &item, sizeof(item))) + return -EFAULT;I would suggest not doing a blind copy of the entire item. The majority of it should be unchanged, but copying everything sounds like an easy accident to leak information (looking at that item_ptr.ptr!). The only out-param in the item is the length, so just copy that back? -Chris
Done. _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx
