Merge checker fixes from Alan Cox made to the drm in the ac kernel tree.
These aren't really security problems, but Alan has made some arguments
that have convinced me that the code should be fixed anyway.
main
Jeff Hartmann
parent
ae5b4effc0
commit
5e8ba79eb6
|
|
@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp,
|
|||
return -ENOMEM; /* May only call once for each order */
|
||||
}
|
||||
|
||||
if (count < 0 || count > 4096) {
|
||||
up( &dev->struct_sem );
|
||||
atomic_dec( &dev->buf_alloc );
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
|
||||
DRM_MEM_BUFS );
|
||||
if ( !entry->buflist ) {
|
||||
|
|
@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
|
|||
return -ENOMEM; /* May only call once for each order */
|
||||
}
|
||||
|
||||
if (count < 0 || count > 4096) {
|
||||
up( &dev->struct_sem );
|
||||
atomic_dec( &dev->buf_alloc );
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
|
||||
DRM_MEM_BUFS );
|
||||
if ( !entry->buflist ) {
|
||||
|
|
@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
|
|||
|
||||
atomic_dec( &dev->buf_alloc );
|
||||
return 0;
|
||||
|
||||
}
|
||||
#endif /* __HAVE_PCI_DMA */
|
||||
|
||||
|
|
@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp,
|
|||
return -ENOMEM; /* May only call once for each order */
|
||||
}
|
||||
|
||||
if (count < 0 || count > 4096) {
|
||||
up( &dev->struct_sem );
|
||||
atomic_dec( &dev->buf_alloc );
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
|
||||
DRM_MEM_BUFS );
|
||||
if ( !entry->buflist ) {
|
||||
|
|
|
|||
|
|
@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp,
|
|||
if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u)))
|
||||
return -EFAULT;
|
||||
|
||||
if (!u.unique_len)
|
||||
if (!u.unique_len || u.unique_len > 1024)
|
||||
return -EINVAL;
|
||||
|
||||
dev->unique_len = u.unique_len;
|
||||
|
|
|
|||
|
|
@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp,
|
|||
return -ENOMEM; /* May only call once for each order */
|
||||
}
|
||||
|
||||
if (count < 0 || count > 4096) {
|
||||
up( &dev->struct_sem );
|
||||
atomic_dec( &dev->buf_alloc );
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
|
||||
DRM_MEM_BUFS );
|
||||
if ( !entry->buflist ) {
|
||||
|
|
@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
|
|||
return -ENOMEM; /* May only call once for each order */
|
||||
}
|
||||
|
||||
if (count < 0 || count > 4096) {
|
||||
up( &dev->struct_sem );
|
||||
atomic_dec( &dev->buf_alloc );
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
|
||||
DRM_MEM_BUFS );
|
||||
if ( !entry->buflist ) {
|
||||
|
|
@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
|
|||
|
||||
atomic_dec( &dev->buf_alloc );
|
||||
return 0;
|
||||
|
||||
}
|
||||
#endif /* __HAVE_PCI_DMA */
|
||||
|
||||
|
|
@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp,
|
|||
return -ENOMEM; /* May only call once for each order */
|
||||
}
|
||||
|
||||
if (count < 0 || count > 4096) {
|
||||
up( &dev->struct_sem );
|
||||
atomic_dec( &dev->buf_alloc );
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
|
||||
DRM_MEM_BUFS );
|
||||
if ( !entry->buflist ) {
|
||||
|
|
|
|||
|
|
@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp,
|
|||
if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u)))
|
||||
return -EFAULT;
|
||||
|
||||
if (!u.unique_len)
|
||||
if (!u.unique_len || u.unique_len > 1024)
|
||||
return -EINVAL;
|
||||
|
||||
dev->unique_len = u.unique_len;
|
||||
|
|
|
|||
Loading…
Reference in New Issue