2016-02-02 Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>:
> Op 02-02-16 om 14:23 schreef Gustavo Padovan:
> > From: Gustavo Padovan <gustavo.padovan@xxxxxxxxxxxxxxx>
> >
> > The len member of struct sync_file_info was returning the size of the whole
> > buffer (struct sync_file_info + fence_infos at the of it). This commit
> > change it to return only the size of the array of fence_infos.
> >
> > It also moves len to be right before the fences_infos struct.
> >
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@xxxxxxxxxxxxxxx>
> > ---
> > drivers/staging/android/sync.c | 16 +++++++++++-----
> > drivers/staging/android/uapi/sync.h | 7 +++----
> > 2 files changed, 14 insertions(+), 9 deletions(-)
> >
> > diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
> > index ba7d461..e5fbf5a 100644
> > --- a/drivers/staging/android/sync.c
> > +++ b/drivers/staging/android/sync.c
> > @@ -502,14 +502,19 @@ static int sync_fill_fence_info(struct fence *fence, void *data, int size)
> > static long sync_file_ioctl_fence_info(struct sync_file *sync_file,
> > unsigned long arg)
> > {
> > - struct sync_file_info *info;
> > + struct sync_file_info in, *info;
> > __u32 size;
> > - __u32 len = 0;
> > + __u32 b_len, len = 0;
> > int ret, i;
> >
> > - if (copy_from_user(&size, (void __user *)arg, sizeof(size)))
> > + if (copy_from_user(&in, (void __user *)arg, sizeof(*info)))
> > return -EFAULT;
> >
> > + if (in.name || in.status || in.num_fences || in.fence_info)
> > + return -EFAULT;
> >
> Did you test this? I think in.name is always true..
Ugh, no! These checks were last change I made so I think I forgot to
test them properly.
Gustavo
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
