drm: fix DRM_IOCTL_MODE_GETFB handle-leak
[pandora-kernel.git] / drivers / gpu / drm / drm_crtc.c
index 3f1799b..09851ce 100644 (file)
@@ -1815,7 +1815,17 @@ int drm_mode_getfb(struct drm_device *dev,
        r->depth = fb->depth;
        r->bpp = fb->bits_per_pixel;
        r->pitch = fb->pitch;
-       fb->funcs->create_handle(fb, file_priv, &r->handle);
+       if (file_priv->is_master || capable(CAP_SYS_ADMIN)) {
+               ret = fb->funcs->create_handle(fb, file_priv, &r->handle);
+       } else {
+               /* GET_FB() is an unprivileged ioctl so we must not
+                * return a buffer-handle to non-master processes! For
+                * backwards-compatibility reasons, we cannot make
+                * GET_FB() privileged, so just return an invalid handle
+                * for non-masters. */
+               r->handle = 0;
+               ret = 0;
+       }
 
 out:
        mutex_unlock(&dev->mode_config.mutex);
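Review bot: The privileged branch calls `fb->funcs->create_handle` without checking that the driver has set the hook, and its result now becomes the ioctl's return value. Whether every driver in this tree fills in that hook is not visible from the hunk, so a guard ahead of the `is_master`/`capable()` test would be safer: `if (!fb->funcs->create_handle) { ret = -ENODEV; goto out; }`. When create_handle fails, `r->handle` may be left as the caller supplied it; writing `r->handle = 0;` before the branch would give the error path and the non-master path the same invalid handle. drm_mode_getfb starts above the hunk and continues past `out:`, so the framebuffer lookup and the return path were not reviewed.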