From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ryan Mallon <rmallon@gmail.com>
Subject: [PATCH] vmwgfx: Fix assignment in vmw_framebuffer_create_handle
Date: Sat, 28 Jan 2012 08:51:40 +1100
Message-ID: <4F231C6C.80803@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <linux-kernel-owner@vger.kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
To: airlied@linux.ie, airlied@redhat.com, thellstrom@vmware.com, jakob@vmware.com
Cc: dri-devel@lists.freedesktop.org, LKML <linux-kernel@vger.kernel.org>, joe@perches.com, stable@vger.kernel.org
List-Id: dri-devel@lists.freedesktop.org

The assignment of handle in vmw_framebuffer_create_handle doesn't actually do anything useful and is incorrectly assigning an integer value to a pointer argument. It appears that this is a typo and should be dereferencing handle rather than assigning to it directly. This fixes a bug where an undefined handle value is potentially returned to user-space.

Signed-off-by: Ryan Mallon <rmallon@gmail.com>
Reviewed-by: Jakob Bornecrantz<jakob@vmware.com>
Cc: stable@vger.kernel.org
---
Thomas and Jakob have said that a correct fix involves returning the correct user_handle, but also requires changes to userspace. This patch is therefore a temporary fix only. Because it corrects an undefined handle value being returned to userspace, this should also be merged for stable kernels.

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 0af6ebd..b66ef0e 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -378,7 +378,7 @@ int vmw_framebuffer_create_handle(struct drm_framebuffer *fb,
 				  unsigned int *handle)
 {
 	if (handle)
-		handle = 0;
+		*handle = 0;
 
 	return 0;
 }