On Fri, 31 Oct 2025 08:08:20 +0100
Marcin Ślusarz <[email protected]> wrote:
> On Thu, Oct 30, 2025 at 03:05:22PM +0100, Boris Brezillon wrote:
> > +static int panfrost_ioctl_sync_bo(struct drm_device *ddev, void *data,
> > + struct drm_file *file)
> > +{
> > + struct drm_panfrost_sync_bo *args = data;
> > + struct drm_panfrost_bo_sync_op *ops;
> > + struct drm_gem_object *obj;
> > + int ret;
> > + u32 i;
> > +
> > + if (args->pad)
> > + return -EINVAL;
> > +
> > + ops = kvmalloc_array(args->op_count, sizeof(*ops), GFP_KERNEL);
> > + if (!ops) {
> > + DRM_DEBUG("Failed to allocate incoming BO sync ops array\n");
> > + return -ENOMEM;
> > + }
> > +
> > + if (copy_from_user(ops, (void __user *)(uintptr_t)args->ops,
> > + args->op_count * sizeof(*ops))) {
> > + DRM_DEBUG("Failed to copy in BO sync ops\n");
> > + ret = -EFAULT;
> > + goto err_ops;
> > + }
> > +
> > + for (i = 0; i < args->op_count; i++) {
> > + obj = drm_gem_object_lookup(file, ops[i].handle);
> > + if (!obj) {
> > + ret = -ENOENT;
> > + goto err_ops;
> > + }
> > +
> > + ret = panfrost_gem_sync(obj, ops[i].type,
> > + ops[i].offset, ops[i].size);
> > +
> > + drm_gem_object_put(obj);
> > +
> > + if (ret)
> > + goto err_ops;
> > + }
> > +
> > +err_ops:
> > + kvfree(ops);
> > +
> > + return ret;
>
> This function will still return garbage if args->op_count is 0.
Sorry, this fell through the cracks. Will be fixed in v6.
