Op 02-02-16 om 14:23 schreef Gustavo Padovan:
> From: Gustavo Padovan <gustavo.padovan@xxxxxxxxxxxxxxx>
>
> The len member of struct sync_file_info was returning the size of the whole
> buffer (struct sync_file_info + fence_infos at the of it). This commit
> change it to return only the size of the array of fence_infos.
>
> It also moves len to be right before the fences_infos struct.
>
> Signed-off-by: Gustavo Padovan <gustavo.padovan@xxxxxxxxxxxxxxx>
> ---
> drivers/staging/android/sync.c | 16 +++++++++++-----
> drivers/staging/android/uapi/sync.h | 7 +++----
> 2 files changed, 14 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
> index ba7d461..e5fbf5a 100644
> --- a/drivers/staging/android/sync.c
> +++ b/drivers/staging/android/sync.c
> @@ -502,14 +502,19 @@ static int sync_fill_fence_info(struct fence *fence, void *data, int size)
> static long sync_file_ioctl_fence_info(struct sync_file *sync_file,
> unsigned long arg)
> {
> - struct sync_file_info *info;
> + struct sync_file_info in, *info;
> __u32 size;
> - __u32 len = 0;
> + __u32 b_len, len = 0;
> int ret, i;
>
> - if (copy_from_user(&size, (void __user *)arg, sizeof(size)))
> + if (copy_from_user(&in, (void __user *)arg, sizeof(*info)))
> return -EFAULT;
>
> + if (in.name || in.status || in.num_fences || in.fence_info)
> + return -EFAULT;
>
Did you test this? I think in.name is always true..
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
