From: Pauli Nieminen Date: Wed, 23 Nov 2011 19:06:25 +0000 (+0200) Subject: gfx: pvr: Move ioctl number check before first use X-Git-Tag: 2.1b_release~487 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=79389f0814fc1a24483ce3b194362f8f12fd882d;p=kernel%2Fkernel-mfld-blackbay.git gfx: pvr: Move ioctl number check before first use Driver is using user provided ioctl number before checking if it is in valid range. That makes it possible to force kernel to read memory past the end of ioctl information array. Signed-off-by: Pauli Nieminen Acked-by: Imre Deak Signed-off-by: Kirill A. Shutemov --- diff --git a/drivers/staging/mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c b/drivers/staging/mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c index c161d43..6f1e2dd 100644 --- a/drivers/staging/mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c +++ b/drivers/staging/mrst/pvr/services4/srvkm/bridged/bridged_pvr_bridge.c @@ -3850,6 +3850,13 @@ IMG_INT BridgedDispatchKM(PVRSRV_PER_PROCESS_DATA * psPerProc, IMG_INT err = -EFAULT; PVRSRV_ERROR pvr_err = PVRSRV_OK; + if(ui32BridgeID >= (BRIDGE_DISPATCH_TABLE_ENTRY_COUNT)) + { + PVR_DPF((PVR_DBG_ERROR, "%s: ui32BridgeID = %d is out if range!", + __FUNCTION__, ui32BridgeID)); + goto return_fault; + } + dte = &g_BridgeDispatchTable[ui32BridgeID]; #if defined(DEBUG_TRACE_BRIDGE_KM) @@ -3953,12 +3960,6 @@ IMG_INT BridgedDispatchKM(PVRSRV_PER_PROCESS_DATA * psPerProc, psBridgeOut = psBridgePackageKM->pvParamOut; #endif - if(ui32BridgeID >= (BRIDGE_DISPATCH_TABLE_ENTRY_COUNT)) - { - PVR_DPF((PVR_DBG_ERROR, "%s: ui32BridgeID = %d is out if range!", - __FUNCTION__, ui32BridgeID)); - goto return_fault; - } pfBridgeHandler = (BridgeWrapperFunction)dte->pfFunction; err = pfBridgeHandler(ui32BridgeID, psBridgeIn,
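Review bot: In the first hunk, the new `goto return_fault` at the top of BridgedDispatchKM is taken roughly a hundred lines earlier than the old one (hunk offsets 3850 versus 3953), before the DEBUG_TRACE_BRIDGE_KM block and before psBridgeIn/psBridgeOut are assigned. Please confirm that the return_fault path does not touch anything that is only set up in between. Since the log line is being moved anyway, two small fixes fit here: ui32BridgeID is by its name an unsigned 32-bit value, so `%u` is the matching format specifier (with `%d` a large user-supplied number prints as negative), and "out if range" should read "out of range". The exit also leaves err at its initial -EFAULT; a comment saying that this is the intended return code for an unknown ioctl number would help.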
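Review bot: In the second hunk, once the late check is removed, the only validation between the table lookup and `pfBridgeHandler = (BridgeWrapperFunction)dte->pfFunction;` is the range test on ui32BridgeID, and the visible context calls pfBridgeHandler with no NULL test. If any slot below BRIDGE_DISPATCH_TABLE_ENTRY_COUNT can be left unpopulated, an in-range number would still reach a NULL call, so either state in the commit message that every entry is filled in or add a `dte->pfFunction` check before the call.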