diff options
| author | Michel Hermier <hermier@frugalware.org> | 2010-12-25 16:58:56 +0100 |
|---|---|---|
| committer | Ben Skeggs <bskeggs@redhat.com> | 2010-12-27 10:41:01 +1000 |
| commit | 8e91182bbdb8591be4835907d825a5b9a80495a9 (patch) | |
| tree | a1154af0d994252622da3d48fcdcb1b8de775d03 /drivers/gpu/drm/nouveau/nouveau_channel.c | |
| parent | c42988012ad9c1807b7c7a5ff855cd630094989b (diff) | |
| download | kernel_samsung_smdk4412-8e91182bbdb8591be4835907d825a5b9a80495a9.zip kernel_samsung_smdk4412-8e91182bbdb8591be4835907d825a5b9a80495a9.tar.gz kernel_samsung_smdk4412-8e91182bbdb8591be4835907d825a5b9a80495a9.tar.bz2 | |
drm/nouveau: Validate channel indices passed from userspace.
When hacking the libdrm for improvements, I triggered a kernel crash
related to the fact that the NOUVEAU_NOTIFIEROBJ_ALLOC ioctl calls
nouveau_channel_get with an unchecked channel index.
The patch ensures that the channel index is an unsigned and validates
its value in nouveau_channel_get.
Signed-off-by: Michel Hermier <hermier@frugalware.org>
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Diffstat (limited to 'drivers/gpu/drm/nouveau/nouveau_channel.c')
| -rw-r--r-- | drivers/gpu/drm/nouveau/nouveau_channel.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/gpu/drm/nouveau/nouveau_channel.c b/drivers/gpu/drm/nouveau/nouveau_channel.c index e37977d..4d2f194 100644 --- a/drivers/gpu/drm/nouveau/nouveau_channel.c +++ b/drivers/gpu/drm/nouveau/nouveau_channel.c @@ -253,6 +253,9 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id) struct nouveau_channel *chan; unsigned long flags; + if (unlikely(id < 0 || id >= NOUVEAU_MAX_CHANNEL_NR)) + return ERR_PTR(-EINVAL); + spin_lock_irqsave(&dev_priv->channels.lock, flags); chan = nouveau_channel_get_unlocked(dev_priv->channels.ptr[id]); spin_unlock_irqrestore(&dev_priv->channels.lock, flags); |