From: Michel Hermier Date: Sat, 25 Dec 2010 15:58:56 +0000 (+0100) Subject: drm/nouveau: Validate channel indices passed from userspace. X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=8e91182bbdb8591be4835907d825a5b9a80495a9;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git drm/nouveau: Validate channel indices passed from userspace. When hacking the libdrm for improvements, I triggered a kernel crash related to the fact that the NOUVEAU_NOTIFIEROBJ_ALLOC ioctl calls nouveau_channel_get with an unchecked channel index. The patch ensures that the channel index is an unsigned and validates its value in nouveau_channel_get. Signed-off-by: Michel Hermier Signed-off-by: Francisco Jerez Signed-off-by: Ben Skeggs --- diff --git a/drivers/gpu/drm/nouveau/nouveau_channel.c b/drivers/gpu/drm/nouveau/nouveau_channel.c index e37977d02463..4d2f19420922 100644 --- a/drivers/gpu/drm/nouveau/nouveau_channel.c +++ b/drivers/gpu/drm/nouveau/nouveau_channel.c @@ -253,6 +253,9 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id) struct nouveau_channel *chan; unsigned long flags; + if (unlikely(id < 0 || id >= NOUVEAU_MAX_CHANNEL_NR)) + return ERR_PTR(-EINVAL); + spin_lock_irqsave(&dev_priv->channels.lock, flags); chan = nouveau_channel_get_unlocked(dev_priv->channels.ptr[id]); spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
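Review bot: in the nouveau_channel_get hunk the parameter is still declared `int id`, which is why the new check needs the `id < 0` arm, while the commit message says the index is made unsigned. If the ioctl-side fields are unsigned, consider declaring the parameter `unsigned int id` so the test reduces to `id >= NOUVEAU_MAX_CHANNEL_NR` and no implicit unsigned-to-signed conversion happens at the call sites. If the signed parameter is kept, say so in the message. The early return hands back `ERR_PTR(-EINVAL)`, so it is worth confirming that every caller tests the result with IS_ERR() rather than comparing against NULL; the callers are not visible in this hunk. Placing the check before `spin_lock_irqsave()` is right, since it rejects the bad index before `dev_priv->channels.ptr[id]` is read and without taking the lock.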