From: Russell King Date: Mon, 16 Dec 2013 12:39:31 +0000 (+0000) Subject: imx-drm: imx-drm-core: improve safety of imx_drm_add_crtc() X-Git-Tag: submit/tizen/20160422.055611~1^2~99^2~18^2~2505^2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fd6040ed57d8f200ab0cc2abf706c54995a48370;p=sdk%2Femulator%2Femulator-kernel.git imx-drm: imx-drm-core: improve safety of imx_drm_add_crtc() We must not add more CRTCs than we have declared to the vblank helpers, otherwise we overflow their arrays. Force failure if we exceed the number of CRTCs. Signed-off-by: Russell King Acked-by: Sascha Hauer Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/imx-drm/imx-drm-core.c b/drivers/staging/imx-drm/imx-drm-core.c index 19e431dee493..96e4eee344ef 100644 --- a/drivers/staging/imx-drm/imx-drm-core.c +++ b/drivers/staging/imx-drm/imx-drm-core.c @@ -501,6 +501,15 @@ int imx_drm_add_crtc(struct drm_crtc *crtc, mutex_lock(&imxdrm->mutex); + /* + * The vblank arrays are dimensioned by MAX_CRTC - we can't + * pass IDs greater than this to those functions. + */ + if (imxdrm->pipes >= MAX_CRTC) { + ret = -EINVAL; + goto err_busy; + } + if (imxdrm->drm->open_count) { ret = -EBUSY; goto err_busy;
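Review bot: In the block added after mutex_lock(), the comment says IDs "greater than this" cannot be passed to the vblank functions, but the test is `imxdrm->pipes >= MAX_CRTC`, which also rejects a value equal to MAX_CRTC. For arrays dimensioned by MAX_CRTC and indexed from zero the `>=` test is the correct bound (assuming pipes is the next ID to be handed out), so the comment should say that IDs must be below MAX_CRTC. The new -EINVAL path also jumps to err_busy, a label named for the -EBUSY case that follows it; a neutral label name would read better now that two different errors share the exit. A short log message on this path would also tell the caller why the CRTC was refused.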