From mboxrd@z Thu Jan 1 00:00:00 1970
From: bugzilla-daemon@freedesktop.org
Subject: [Bug 29340] New: missing copy_from_user? radeon_info_ioctl
Date: Sun, 1 Aug 2010 06:42:17 -0700 (PDT)
Message-ID:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
Received: from annarchy.freedesktop.org (annarchy.freedesktop.org
[131.252.210.176])
by gabe.freedesktop.org (Postfix) with ESMTP id 043EA9E7A0
for ;
Sun, 1 Aug 2010 06:42:18 -0700 (PDT)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org
https://bugs.freedesktop.org/show_bug.cgi?id=29340
Summary: missing copy_from_user? radeon_info_ioctl
Product: DRI
Version: unspecified
Platform: Other
OS/Version: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: DRM/Radeon
AssignedTo: dri-devel@lists.freedesktop.org
ReportedBy: freedesktop@treblig.org
2.6.35 kernel as of git/ubuntu 2.6.35-13.18
In radeon_kms.c there is :
int radeon_info_ioctl(struct drm_device *dev, void *data, struct drm_file
*filp)
{
struct radeon_device *rdev = dev->dev_private;
struct drm_radeon_info *info;
struct radeon_mode_info *minfo = &rdev->mode_info;
uint32_t *value_ptr;
uint32_t value;
struct drm_crtc *crtc;
int i, found;
info = data;
value_ptr = (uint32_t *)((unsigned long)info->value);
value = *value_ptr;
I think that *value_ptr should be done with a DRM_COPY_FROM_USER since I'm
managing to trigger an oops from it.
(see ubuntu bug 606081)
Dave
--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.