drm/nouveau: Validate channel indices passed from userspace.

When hacking the libdrm for improvements, I triggered a kernel crash related to the fact that the NOUVEAU_NOTIFIEROBJ_ALLOC ioctl calls nouveau_channel_get with an unchecked channel index. The patch ensures that the channel index is an unsigned and validates its value in nouveau_channel_get. Signed-off-by: Michel Hermier <hermier@frugalware.org> Signed-off-by: Francisco Jerez <currojerez@riseup.net> Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
git-mirror · Dec 27, 2010 · 8e91182 · 8e91182
1 parent c429880
commit 8e91182
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/drivers/gpu/drm/nouveau/nouveau_channel.c b/drivers/gpu/drm/nouveau/nouveau_channel.c
@@ -253,6 +253,9 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id)
 	struct nouveau_channel *chan;
 	unsigned long flags;
 
+	if (unlikely(id < 0 || id >= NOUVEAU_MAX_CHANNEL_NR))
+		return ERR_PTR(-EINVAL);
+
 	spin_lock_irqsave(&dev_priv->channels.lock, flags);
 	chan = nouveau_channel_get_unlocked(dev_priv->channels.ptr[id]);
 	spin_unlock_irqrestore(&dev_priv->channels.lock, flags);