From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ilija Hadzic <ihadzic@research.bell-labs.com>
Subject: [PATCH 13/16] drm: more elaborate check for num_crtc/encoder/connector
Date: Thu, 29 Mar 2012 12:41:35 -0400
Message-ID: <1333039298-2520-14-git-send-email-ihadzic@research.bell-labs.com>
References: <1333039298-2520-1-git-send-email-ihadzic@research.bell-labs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org>
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35])
	by gabe.freedesktop.org (Postfix) with ESMTP id 18CC19F588
	for <dri-devel@lists.freedesktop.org>;
	Thu, 29 Mar 2012 09:42:18 -0700 (PDT)
Received: from usnavsmail4.ndc.alcatel-lucent.com
	(usnavsmail4.ndc.alcatel-lucent.com [135.3.39.12])
	by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id q2TGg6hT000711
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <dri-devel@lists.freedesktop.org>;
	Thu, 29 Mar 2012 11:42:09 -0500 (CDT)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63])
	by usnavsmail4.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id
	q2TGg5tf006342
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <dri-devel@lists.freedesktop.org>; Thu, 29 Mar 2012 11:42:06 -0500
In-Reply-To: <1333039298-2520-1-git-send-email-ihadzic@research.bell-labs.com>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

User space can send us all kinds of nonsense for num_crtc, num_encoder
and num_connector. So far, we have been checking only for presence
of at least one CRTC/encoder/connector (barring the trivial case
of a render node with no display resources, i.e., GPGPU node).

This patch makes the ioctl fail if user space requests more resources
than the physical GPU has. This is primarily to protect the kmalloc
in drm_mode_group_init from hogging a big chunk of memory if some
bozo sends us a request for some huge number of CRTCs, encoders,
or connectors.

Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
---
 drivers/gpu/drm/drm_stub.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_stub.c b/drivers/gpu/drm/drm_stub.c
index b59203b..196892c 100644
--- a/drivers/gpu/drm/drm_stub.c
+++ b/drivers/gpu/drm/drm_stub.c
@@ -575,9 +575,11 @@ int drm_render_node_create_ioctl(struct drm_device *dev, void *data,
 		return ret;
 	}
 
-	/* if we have display resources, then we need at least
-	 * one CRTC, one encoder and one connector */
-	if (args->num_crtc == 0 ||
+	/* sanity check for requested num_crtc/num_encoder/num_connector */
+	if (args->num_crtc > dev->mode_config.num_crtc ||
+	    args->num_encoder > dev->mode_config.num_encoder ||
+	    args->num_encoder > dev->mode_config.num_connector ||
+	    args->num_crtc == 0 ||
 	    args->num_encoder == 0 ||
 	    args->num_connector == 0)
 		return -EINVAL;
-- 
1.7.8.5