[PATCH] drm: fix NULL pointer access by wrong ioctl
From: Zhaowei Yuan
If user uses wrong ioctl command with _IOC_NONE and argument size
greater than 0, it can cause NULL pointer access from memset of line
463. If _IOC_NONE, don't memset to 0 for kdata.
Signed-off-by: Zhaowei Yuan
---
drivers/gpu/drm/drm_drv.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
mode change 100644 => 100755 drivers/gpu/drm/drm_drv.c
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
old mode 100644
new mode 100755
index 2ab782c..1a92bcb
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -459,8 +459,9 @@ long drm_ioctl(struct file *filp,
retcode = -EFAULT;
goto err_i1;
}
- } else
+ } else if (cmd & IOC_OUT) {
memset(kdata, 0, usize);
+ }
if (ioctl->flags & DRM_UNLOCKED)
retcode = func(dev, kdata, file_priv);
--
1.7.9.5
[PATCH V6] drm: edid: add support for E-DDC
From: Shirish S This patch adds support in probing 4 block edid data, for E-DDC. This is the first test case in CTS, for HDMI compliance. Changes from V1: 1. Data type of offset adress updated to unsigned short 2. Updated the buf feild of msg[0] Changes from V2: Add switch for DDC and E-DDC Changes from V3: Remove switch,and avoid sending of segment data for non E-DDC Changes from V4: Fix review comments about space and comment indentation. Changes from V5: Compacted the code. Based on drm-next branch Shirish S (1): drm: edid: add support for E-DDC drivers/gpu/drm/drm_edid.c | 19 --- 1 files changed, 16 insertions(+), 3 deletions(-)
[PATCH V6] drm: edid: add support for E-DDC
From: Shirish S This patch adds support in probing 4 block edid data, for E-DDC. This is the first test case in CTS, for HDMI compliance. Changes from V1: 1. Data type of offset adress updated to unsigned short 2. Updated the buf feild of msg[0] Changes from V2: Add switch for DDC and E-DDC Changes from V3: Remove switch,and avoid sending of segment data for non E-DDC Changes from V4: Fix review comments about space and comment indentation. Changes from V5: Compacted the code. Based on drm-next branch Shirish S (1): drm: edid: add support for E-DDC drivers/gpu/drm/drm_edid.c | 19 --- 1 files changed, 16 insertions(+), 3 deletions(-)
[PATCH v6] drm: edid: add support for E-DDC
From: Shirish S
The current logic for probing ddc is limited to
2 blocks (256 bytes), this patch adds support
for the 4 block (512) data.
To do this, a single 8-bit segment index is
passed to the display via the I2C address 30h.
Data from the selected segment is then immediately
read via the regular DDC2 address using a repeated
I2C 'START' signal.
Signed-off-by: Shirish S
Reviewed-by: Jean Delvare
Reviewed-by: Daniel Vetter
Reviewed-by: Ville Syrjala
---
drivers/gpu/drm/drm_edid.c | 19 ---
1 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index bcc4725..7f62de5 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -254,6 +254,8 @@ drm_do_probe_ddc_edid(struct i2c_adapter *adapter, unsigned
char *buf,
int block, int len)
{
unsigned char start = block * EDID_LENGTH;
+ unsigned char segment = block >> 1;
+ unsigned char xfers = segment ? 3 : 2;
int ret, retries = 5;
/* The core i2c driver will automatically retry the transfer if the
@@ -265,6 +267,11 @@ drm_do_probe_ddc_edid(struct i2c_adapter *adapter,
unsigned char *buf,
do {
struct i2c_msg msgs[] = {
{
+ .addr = DDC_SEGMENT_ADDR,
+ .flags = 0,
+ .len= 1,
+ .buf= &segment,
+ }, {
.addr = DDC_ADDR,
.flags = 0,
.len= 1,
@@ -276,15 +283,21 @@ drm_do_probe_ddc_edid(struct i2c_adapter *adapter,
unsigned char *buf,
.buf= buf,
}
};
- ret = i2c_transfer(adapter, msgs, 2);
+
+ /*
+* Avoid sending the segment addr to not upset non-compliant ddc
+* monitors.
+*/
+ ret = i2c_transfer(adapter, &msgs[3 - xfers], xfers);
+
if (ret == -ENXIO) {
DRM_DEBUG_KMS("drm: skipping non-existent adapter %s\n",
adapter->name);
break;
}
- } while (ret != 2 && --retries);
+ } while (ret != xfers && --retries);
- return ret == 2 ? 0 : -1;
+ return ret == xfers ? 0 : -1;
}
static bool drm_edid_is_zero(u8 *in_edid, int length)
--
1.7.0.4
[PATCH] drm: edid: add support for E-DDC
From: Shirish S
The current logic for probing ddc is limited to
2 blocks (256 bytes), this patch adds support
for the 4 block (512) data.
To do this, a single 8-bit segment index is
passed to the display via the I2C address 30h.
Data from the selected segment is then immediately
read via the regular DDC2 address using a repeated
I2C 'START' signal.
Signed-off-by: Shirish S
Reviewed-by: Jean Delvare
Reviewed-by: Daniel Vetter
Reviewed-by: Ville Syrjala
---
drivers/gpu/drm/drm_edid.c | 19 ---
1 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index bcc4725..7f62de5 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -254,6 +254,8 @@ drm_do_probe_ddc_edid(struct i2c_adapter *adapter, unsigned
char *buf,
int block, int len)
{
unsigned char start = block * EDID_LENGTH;
+ unsigned char segment = block >> 1;
+ unsigned char xfers = segment ? 3 : 2;
int ret, retries = 5;
/* The core i2c driver will automatically retry the transfer if the
@@ -265,6 +267,11 @@ drm_do_probe_ddc_edid(struct i2c_adapter *adapter,
unsigned char *buf,
do {
struct i2c_msg msgs[] = {
{
+ .addr = DDC_SEGMENT_ADDR,
+ .flags = 0,
+ .len= 1,
+ .buf= &segment,
+ }, {
.addr = DDC_ADDR,
.flags = 0,
.len= 1,
@@ -276,15 +283,21 @@ drm_do_probe_ddc_edid(struct i2c_adapter *adapter,
unsigned char *buf,
.buf= buf,
}
};
- ret = i2c_transfer(adapter, msgs, 2);
+
+ /*
+* Avoid sending the segment addr to not upset non-compliant ddc
+* monitors.
+*/
+ ret = i2c_transfer(adapter, &msgs[3 - xfers], xfers);
+
if (ret == -ENXIO) {
DRM_DEBUG_KMS("drm: skipping non-existent adapter %s\n",
adapter->name);
break;
}
- } while (ret != 2 && --retries);
+ } while (ret != xfers && --retries);
- return ret == 2 ? 0 : -1;
+ return ret == xfers ? 0 : -1;
}
static bool drm_edid_is_zero(u8 *in_edid, int length)
--
1.7.0.4
