imx-drm: imx-drm-core: improve safety of imx_drm_add_crtc() We must not add more CRTCs than we have declared to the vblank helpers, otherwise we overflow their arrays. Force failure if we exceed the number of CRTCs. Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Acked-by: Sascha Hauer <s.hauer@pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: fd6040ed57d8f200ab0cc2abf706c54995a48370 [log] [tgz]
author: Russell King <rmk+kernel@arm.linux.org.uk> Mon Dec 16 12:39:31 2013 +0000
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Tue Dec 17 17:12:55 2013 -0800
tree: cf23030e471ce6afa0c312e46b6dc81635bda205
parent: 9fe73d46edd358fc154f7332c8ff312e067255a0 [diff]
diff --git a/drivers/staging/imx-drm/imx-drm-core.c b/drivers/staging/imx-drm/imx-drm-core.c
index 19e431d..96e4eee 100644
--- a/drivers/staging/imx-drm/imx-drm-core.c
+++ b/drivers/staging/imx-drm/imx-drm-core.c

@@ -501,6 +501,15 @@
 
 	mutex_lock(&imxdrm->mutex);
 
+	/*
+	 * The vblank arrays are dimensioned by MAX_CRTC - we can't
+	 * pass IDs greater than this to those functions.
+	 */
+	if (imxdrm->pipes >= MAX_CRTC) {
+		ret = -EINVAL;
+		goto err_busy;
+	}
+
 	if (imxdrm->drm->open_count) {
 		ret = -EBUSY;
 		goto err_busy;
commit	fd6040ed57d8f200ab0cc2abf706c54995a48370	[log] [tgz]
author	Russell King <rmk+kernel@arm.linux.org.uk>	Mon Dec 16 12:39:31 2013 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Tue Dec 17 17:12:55 2013 -0800
tree	cf23030e471ce6afa0c312e46b6dc81635bda205
parent	9fe73d46edd358fc154f7332c8ff312e067255a0 [diff]