Commit 8e91182b authored Dec 25, 2010 by Michel Hermier Committed by Ben Skeggs Dec 27, 2010

drm/nouveau: Validate channel indices passed from userspace.



When hacking the libdrm for improvements, I triggered a kernel crash
related to the fact that the NOUVEAU_NOTIFIEROBJ_ALLOC ioctl calls
nouveau_channel_get with an unchecked channel index.
The patch ensures that the channel index is an unsigned and validates
its value in nouveau_channel_get.

Signed-off-by: Michel Hermier <hermier@frugalware.org>
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

parent c4298801

drivers/gpu/drm/nouveau/nouveau_channel.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -253,6 +253,9 @@ nouveau_channel_get(struct drm_device dev, struct drm_file file_priv, int id)
		struct nouveau_channel *chan;
		unsigned long flags;

		if (unlikely(id < 0 \|\| id >= NOUVEAU_MAX_CHANNEL_NR))
		return ERR_PTR(-EINVAL);

		spin_lock_irqsave(&dev_priv->channels.lock, flags);
		chan = nouveau_channel_get_unlocked(dev_priv->channels.ptr[id]);
		spin_unlock_irqrestore(&dev_priv->channels.lock, flags);