diff options
author | Michel Dänzer <michel.daenzer@amd.com> | 2016-11-30 17:30:01 +0900 |
---|---|---|
committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2016-11-30 10:13:00 +0100 |
commit | e94bd1736f1f60e916a85a80c0b0ebeaae36cce5 (patch) | |
tree | 6be5bed68a1db424105a5f5f4513129b4c376f07 /drivers | |
parent | e5517c2a5a49ed5e99047008629f1cd60246ea0e (diff) | |
download | lwn-e94bd1736f1f60e916a85a80c0b0ebeaae36cce5.tar.gz lwn-e94bd1736f1f60e916a85a80c0b0ebeaae36cce5.zip |
drm: Don't call drm_for_each_crtc with a non-KMS driver
Fixes oops if userspace calls DRM_IOCTL_GET_CAP for
DRM_CAP_PAGE_FLIP_TARGET on a non-KMS device node. (Normal userspace
doesn't do that, discovered by syzkaller)
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: f837297ad824 ("drm: Add DRM_MODE_PAGE_FLIP_TARGET_ABSOLUTE/RELATIVE flags v2")
Cc: stable@vger.kernel.org
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20161130083002.1520-1-michel@daenzer.net
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/gpu/drm/drm_ioctl.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index 0ad2c47f808f..71c3473476c7 100644 --- a/drivers/gpu/drm/drm_ioctl.c +++ b/drivers/gpu/drm/drm_ioctl.c @@ -254,10 +254,12 @@ static int drm_getcap(struct drm_device *dev, void *data, struct drm_file *file_ req->value = dev->mode_config.async_page_flip; break; case DRM_CAP_PAGE_FLIP_TARGET: - req->value = 1; - drm_for_each_crtc(crtc, dev) { - if (!crtc->funcs->page_flip_target) - req->value = 0; + if (drm_core_check_feature(dev, DRIVER_MODESET)) { + req->value = 1; + drm_for_each_crtc(crtc, dev) { + if (!crtc->funcs->page_flip_target) + req->value = 0; + } } break; case DRM_CAP_CURSOR_WIDTH: |