From 7d1de851632d013023cd7c89eb8664f62e5beb2c Mon Sep 17 00:00:00 2001 From: Thierry Reding Date: Wed, 12 Aug 2015 17:00:30 +0200 Subject: drm/irq: Check for valid VBLANK before dereference When accessing the array of per-CRTC VBLANK structures we must always check that the index into the array is valid before dereferencing to avoid crashing. Signed-off-by: Thierry Reding [danvet: Squash in my own whitespace ocd fixup in drm_vblank_count.] Signed-off-by: Daniel Vetter diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c index 120a16f..f7c8b75 100644 --- a/drivers/gpu/drm/drm_irq.c +++ b/drivers/gpu/drm/drm_irq.c @@ -877,6 +877,7 @@ u32 drm_vblank_count(struct drm_device *dev, int crtc) if (WARN_ON(crtc >= dev->num_crtcs)) return 0; + return vblank->count; } EXPORT_SYMBOL(drm_vblank_count); @@ -1110,10 +1111,10 @@ void drm_vblank_put(struct drm_device *dev, int crtc) { struct drm_vblank_crtc *vblank = &dev->vblank[crtc]; - if (WARN_ON(atomic_read(&vblank->refcount) == 0)) + if (WARN_ON(crtc >= dev->num_crtcs)) return; - if (WARN_ON(crtc >= dev->num_crtcs)) + if (WARN_ON(atomic_read(&vblank->refcount) == 0)) return; /* Last user schedules interrupt disable */ @@ -1158,6 +1159,9 @@ void drm_wait_one_vblank(struct drm_device *dev, int crtc) int ret; u32 last; + if (WARN_ON(crtc >= dev->num_crtcs)) + return; + ret = drm_vblank_get(dev, crtc); if (WARN(ret, "vblank not available on crtc %i, ret=%i\n", crtc, ret)) return; @@ -1428,6 +1432,9 @@ void drm_vblank_post_modeset(struct drm_device *dev, int crtc) if (!dev->num_crtcs) return; + if (WARN_ON(crtc >= dev->num_crtcs)) + return; + if (vblank->inmodeset) { spin_lock_irqsave(&dev->vbl_lock, irqflags); dev->vblank_disable_allowed = true; -- cgit v0.10.2