Attachment 25950 Details for Bug 42024 – Fix user/kernel copying in DRI GAMMA driver.

[patch] Fix user/kernel copying in DRI GAMMA driver.

drm-gamma-redhat.patch (text/plain), 5.32 KB, created by antiher0 on 2004-02-19 14:17:02 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: antiher0

Created: 2004-02-19 14:17:02 UTC

Size: 5.32 KB

patch

obsolete

>--- linux/drivers/char/drm/gamma_dma.c	2004-02-19 13:31:16.000000000 -0600
>+++ linux/drivers/char/drm/gamma_dma.c	2004-02-19 14:04:46.000000000 -0600
>@@ -352,6 +352,8 @@
> 	drm_buf_t	  *buf;
> 	drm_buf_t	  *last_buf = NULL;
> 	drm_device_dma_t  *dma	    = dev->dma;
>+	int               *drm_send_indices = NULL;
>+	int               *drm_send_sizes = NULL;
> 	DECLARE_WAITQUEUE(entry, current);
> 
> 				/* Turn off interrupt handling */
>@@ -371,11 +373,27 @@
> 		++must_free;
> 	}
> 
>+	drm_send_indices = kmalloc (d->send_count * sizeof(*drm_send_indices), GFP_KERNEL);
>+	drm_send_sizes = kmalloc (d->send_count * sizeof(*drm_send_sizes), GFP_KERNEL);
>+	if (! drm_send_indices || ! drm_send_sizes)
>+	{
>+		retcode = -ENOMEM;
>+		goto cleanup;
>+	}
>+	if (copy_from_user(drm_send_indices, d->send_indices,
>+			   d->send_count * sizeof(*drm_send_indices)) ||
>+	    copy_from_user(drm_send_sizes, d->send_sizes,
>+			   d->send_count * sizeof(*drm_send_sizes)))
>+	{
>+		retcode = -EFAULT;
>+		goto cleanup;
>+	}
>+
> 	for (i = 0; i < d->send_count; i++) {
>-		idx = d->send_indices[i];
>+		idx = drm_send_indices[i];
> 		if (idx < 0 || idx >= dma->buf_count) {
> 			DRM_ERROR("Index %d (of %d max)\n",
>-				  d->send_indices[i], dma->buf_count - 1);
>+				  drm_send_indices[i], dma->buf_count - 1);
> 			continue;
> 		}
> 		buf = dma->buflist[ idx ];
>@@ -397,7 +415,7 @@
> 				   process closes the /dev/drm? handle, so
> 				   it can't also be doing DMA. */
> 		buf->list	  = DRM_LIST_PRIO;
>-		buf->used	  = d->send_sizes[i];
>+		buf->used         = drm_send_sizes[i];
> 		buf->context	  = d->context;
> 		buf->while_locked = d->flags & _DRM_DMA_WHILE_LOCKED;
> 		address		  = (unsigned long)buf->address;
>@@ -408,14 +426,14 @@
> 		if (buf->pending) {
> 			DRM_ERROR("Sending pending buffer:"
> 				  " buffer %d, offset %d\n",
>-				  d->send_indices[i], i);
>+				  drm_send_indices[i], i);
> 			retcode = -EINVAL;
> 			goto cleanup;
> 		}
> 		if (buf->waiting) {
> 			DRM_ERROR("Sending waiting buffer:"
> 				  " buffer %d, offset %d\n",
>-				  d->send_indices[i], i);
>+				  drm_send_indices[i], i);
> 			retcode = -EINVAL;
> 			goto cleanup;
> 		}
>@@ -464,6 +482,10 @@
> 
> 
> cleanup:
>+	if (drm_send_indices)
>+		kfree(drm_send_indices);
>+	if (drm_send_sizes)
>+		kfree(drm_send_sizes);
> 	if (last_buf) {
> 		gamma_dma_ready(dev);
> 		gamma_free_buffer(dev, last_buf);
>@@ -487,7 +509,11 @@
> 	drm_device_dma_t  *dma	    = dev->dma;
> 
> 	if (d->flags & _DRM_DMA_BLOCK) {
>-		last_buf = dma->buflist[d->send_indices[d->send_count-1]];
>+		int lastindex;
>+		if (copy_from_user(&lastindex, &d->send_indices[d->send_count-1],
>+				   sizeof(lastindex)))
>+			return -EFAULT;
>+		last_buf = dma->buflist[lastindex];
> 		add_wait_queue(&last_buf->dma_wait, &entry);
> 	}
> 
>--- linux/drivers/char/drm-4.0/gamma_dma.c	2004-02-19 14:07:41.000000000 -0600
>+++ linux/drivers/char/drm-4.0/gamma_dma.c	2004-02-19 14:50:41.000000000 -0600
>@@ -392,6 +392,8 @@
> 	drm_buf_t	  *buf;
> 	drm_buf_t	  *last_buf = NULL;
> 	drm_device_dma_t  *dma	    = dev->dma;
>+	int               *drm_send_indices = NULL;
>+	int               *drm_send_sizes = NULL;
> 	DECLARE_WAITQUEUE(entry, current);
> 
> 				/* Turn off interrupt handling */
>@@ -412,11 +414,27 @@
> 	}
> 	atomic_inc(&dma->total_prio);
> 
>+	drm_send_indices = kmalloc (d->send_count * sizeof(*drm_send_indices), GFP_KERNEL);
>+	drm_send_sizes = kmalloc (d->send_count * sizeof(*drm_send_sizes), GFP_KERNEL);
>+	if (! drm_send_indices || ! drm_send_sizes)
>+	{
>+		retcode = -ENOMEM;
>+		goto cleanup;
>+	}
>+	if (copy_from_user(drm_send_indices, d->send_indices,
>+			   d->send_count * sizeof(*drm_send_indices)) ||
>+	    copy_from_user(drm_send_sizes, d->send_sizes,
>+			   d->send_count * sizeof(*drm_send_sizes)))
>+	{
>+		retcode = -EFAULT;
>+		goto cleanup;
>+	}
>+
> 	for (i = 0; i < d->send_count; i++) {
>-		idx = d->send_indices[i];
>+		idx = drm_send_indices[i];
> 		if (idx < 0 || idx >= dma->buf_count) {
> 			DRM_ERROR("Index %d (of %d max)\n",
>-				  d->send_indices[i], dma->buf_count - 1);
>+				  drm_send_indices[i], dma->buf_count - 1);
> 			continue;
> 		}
> 		buf = dma->buflist[ idx ];
>@@ -438,7 +456,7 @@
> 				   process closes the /dev/drm? handle, so
> 				   it can't also be doing DMA. */
> 		buf->list	  = DRM_LIST_PRIO;
>-		buf->used	  = d->send_sizes[i];
>+		buf->used         = drm_send_sizes[i];
> 		buf->context	  = d->context;
> 		buf->while_locked = d->flags & _DRM_DMA_WHILE_LOCKED;
> 		address		  = (unsigned long)buf->address;
>@@ -449,14 +467,14 @@
> 		if (buf->pending) {
> 			DRM_ERROR("Sending pending buffer:"
> 				  " buffer %d, offset %d\n",
>-				  d->send_indices[i], i);
>+				  drm_send_indices[i], i);
> 			retcode = -EINVAL;
> 			goto cleanup;
> 		}
> 		if (buf->waiting) {
> 			DRM_ERROR("Sending waiting buffer:"
> 				  " buffer %d, offset %d\n",
>-				  d->send_indices[i], i);
>+				  drm_send_indices[i], i);
> 			retcode = -EINVAL;
> 			goto cleanup;
> 		}
>@@ -505,6 +523,10 @@
> 
> 
> cleanup:
>+	if (drm_send_indices)
>+		kfree(drm_send_indices);
>+	if (drm_send_sizes)
>+		kfree(drm_send_sizes);
> 	if (last_buf) {
> 		gamma_dma_ready(dev);
> 		drm_free_buffer(dev, last_buf);
>@@ -528,7 +550,11 @@
> 	drm_device_dma_t  *dma	    = dev->dma;
> 
> 	if (d->flags & _DRM_DMA_BLOCK) {
>-		last_buf = dma->buflist[d->send_indices[d->send_count-1]];
>+		int lastindex;
>+		if (copy_from_user(&lastindex, &d->send_indices[d->send_count-1],
>+				   sizeof(lastindex)))
>+			return -EFAULT;
>+		last_buf = dma->buflist[lastindex];
> 		add_wait_queue(&last_buf->dma_wait, &entry);
> 	}
>

Actions: View | Diff

Attachments on bug 42024: 25878 | 25879 | 25949 | 25950 | 26198