* [PATCH] vmwgfx: Fix assignment in vmw_framebuffer_create_handle
@ 2012-01-27 21:51 Ryan Mallon
0 siblings, 0 replies; only message in thread
From: Ryan Mallon @ 2012-01-27 21:51 UTC (permalink / raw)
To: airlied, airlied, thellstrom, jakob; +Cc: dri-devel, LKML, joe, stable
The assignment of handle in vmw_framebuffer_create_handle doesn't actually do anything useful and is incorrectly assigning an integer value to a pointer argument. It appears that this is a typo and should be dereferencing handle rather than assigning to it directly. This fixes a bug where an undefined handle value is potentially returned to user-space.
Signed-off-by: Ryan Mallon <rmallon@gmail.com>
Reviewed-by: Jakob Bornecrantz<jakob@vmware.com>
Cc: stable@vger.kernel.org
---
Thomas and Jakob have said that a correct fix involves returning the correct user_handle, but also requires changes to userspace. This patch is therefore a temporary fix only. Because it corrects an undefined handle value being returned to userspace, this should also be merged for stable kernels.
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 0af6ebd..b66ef0e 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -378,7 +378,7 @@ int vmw_framebuffer_create_handle(struct drm_framebuffer *fb,
unsigned int *handle)
{
if (handle)
- handle = 0;
+ *handle = 0;
return 0;
}
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2012-01-27 21:50 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-27 21:51 [PATCH] vmwgfx: Fix assignment in vmw_framebuffer_create_handle Ryan Mallon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).