summaryrefslogtreecommitdiffstats
path: root/drivers/gpu/drm/qxl/qxl_ioctl.c
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/gpu/drm/qxl/qxl_ioctl.c')
-rw-r--r--drivers/gpu/drm/qxl/qxl_ioctl.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
index 6db7370373ea..a30f29425c21 100644
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -151,7 +151,7 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data,
struct qxl_bo *cmd_bo;
int release_type;
struct drm_qxl_command *commands =
- (struct drm_qxl_command *)execbuffer->commands;
+ (struct drm_qxl_command *)(uintptr_t)execbuffer->commands;
if (DRM_COPY_FROM_USER(&user_cmd, &commands[cmd_num],
sizeof(user_cmd)))
@@ -171,6 +171,11 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data,
if (user_cmd.command_size > PAGE_SIZE - sizeof(union qxl_release_info))
return -EINVAL;
+ if (!access_ok(VERIFY_READ,
+ (void *)(unsigned long)user_cmd.command,
+ user_cmd.command_size))
+ return -EFAULT;
+
ret = qxl_alloc_release_reserved(qdev,
sizeof(union qxl_release_info) +
user_cmd.command_size,
@@ -193,7 +198,7 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data,
for (i = 0 ; i < user_cmd.relocs_num; ++i) {
if (DRM_COPY_FROM_USER(&reloc,
- &((struct drm_qxl_reloc *)user_cmd.relocs)[i],
+ &((struct drm_qxl_reloc *)(uintptr_t)user_cmd.relocs)[i],
sizeof(reloc))) {
qxl_bo_list_unreserve(&reloc_list, true);
qxl_release_unreserve(qdev, release);
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-31 16:54:22 +0000