2016-02-02 Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>:
> On 02-02-16 at 14:23, Gustavo Padovan wrote:
> > From: Gustavo Padovan <gustavo.padovan@xxxxxxxxxxxxxxx>
> >
> > The len member of struct sync_file_info was returning the size of the whole
> > buffer (struct sync_file_info + fence_infos at the end of it). This commit
> > changes it to return only the size of the array of fence_infos.
> >
> > It also moves len to be right before the fences_infos struct.
> >
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@xxxxxxxxxxxxxxx>
> > --- > > drivers/staging/android/sync.c | 16 +++++++++++----- > > drivers/staging/android/uapi/sync.h | 7 +++---- > > 2 files changed, 14 insertions(+), 9 deletions(-) > > > > diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c > > index ba7d461..e5fbf5a 100644 > > --- a/drivers/staging/android/sync.c > > +++ b/drivers/staging/android/sync.c > > @@ -502,14 +502,19 @@ static int sync_fill_fence_info(struct fence *fence, void *data, int size) > > static long sync_file_ioctl_fence_info(struct sync_file *sync_file, > > unsigned long arg) > > { > > - struct sync_file_info *info; > > + struct sync_file_info in, *info; > > __u32 size; > > - __u32 len = 0; > > + __u32 b_len, len = 0; > > int ret, i; > > > > - if (copy_from_user(&size, (void __user *)arg, sizeof(size))) > > + if (copy_from_user(&in, (void __user *)arg, sizeof(*info))) > > return -EFAULT; > > > > + if (in.name || in.status || in.num_fences || in.fence_info) > > + return -EFAULT; > >
> Did you test this? I think in.name is always true..

Ugh, no! These checks were the last change I made, so I think I forgot to test them properly.

Gustavo
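Review bot: the new input check in sync_file_ioctl_fence_info(), "if (in.name || in.status || in.num_fences || in.fence_info)", tests in.name and in.fence_info as bare expressions. If either is an array member of struct sync_file_info (the uapi/sync.h part of the patch is not visible here, but the commit message describes the fence_infos as sitting at the end of the struct), the expression evaluates to the member's address, which is never zero, so the ioctl would fail on every call, which matches Maarten's question. Compare the contents instead, for example the first byte of name or a memchr_inv() over the field, and drop the term for any trailing array that has no storage inside "in". Rejecting non-zero input fields should also return -EINVAL rather than -EFAULT, so that user space can tell a malformed argument from a bad pointer. A smaller point on the copy_from_user() line: sizeof(in) would say more directly what is being copied than sizeof(*info), since info is still an unassigned pointer at that point.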