drm/irq: Check for valid VBLANK before dereference
When accessing the array of per-CRTC VBLANK structures we must always
check that the index into the array is valid before dereferencing to
avoid crashing.
Signed-off-by: Thierry Reding <treding@nvidia.com>
[danvet: Squash in my own whitespace ocd fixup in drm_vblank_count.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index 120a16f..f7c8b75 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -877,6 +877,7 @@
if (WARN_ON(crtc >= dev->num_crtcs))
return 0;
+
return vblank->count;
}
EXPORT_SYMBOL(drm_vblank_count);
@@ -1110,10 +1111,10 @@
{
struct drm_vblank_crtc *vblank = &dev->vblank[crtc];
- if (WARN_ON(atomic_read(&vblank->refcount) == 0))
+ if (WARN_ON(crtc >= dev->num_crtcs))
return;
- if (WARN_ON(crtc >= dev->num_crtcs))
+ if (WARN_ON(atomic_read(&vblank->refcount) == 0))
return;
/* Last user schedules interrupt disable */
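Review bot: `vblank` is still initialised as `&dev->vblank[crtc]` in the declaration, before the reordered `crtc >= dev->num_crtcs` check runs, so the out-of-range address is still formed even though it is no longer dereferenced. Forming a pointer further than one past the end of an array is undefined behaviour in C, and it leaves an invalid pointer in scope for any later edit that uses it ahead of the guard. I would declare `struct drm_vblank_crtc *vblank;` and assign `vblank = &dev->vblank[crtc];` only after the bounds check. The same pattern may be present in the hunk at -1428, whose declarations are outside the visible lines, and the function body here continues past the end of this hunk.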
@@ -1158,6 +1159,9 @@
int ret;
u32 last;
+ if (WARN_ON(crtc >= dev->num_crtcs))
+ return;
+
ret = drm_vblank_get(dev, crtc);
if (WARN(ret, "vblank not available on crtc %i, ret=%i\n", crtc, ret))
return;
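Review bot: The new guard `crtc >= dev->num_crtcs` has no explicit lower bound, and the `%i` in the WARN two lines below it suggests `crtc` is a signed int. If `num_crtcs` is unsigned, the usual arithmetic conversions turn a negative index into a large value and it is rejected, but that depends on a declaration not visible here; if both are signed, a negative `crtc` passes the check and indexes before the start of the array. A one-line comment such as `/* negative crtc is rejected by the unsigned comparison with num_crtcs */`, or an explicit `crtc < 0 ||` in the condition, would make the intent checkable, and the same applies to the guards in the hunks at -1110 and -1428. The function starts and ends outside this hunk.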
@@ -1428,6 +1432,9 @@
if (!dev->num_crtcs)
return;
+ if (WARN_ON(crtc >= dev->num_crtcs))
+ return;
+
if (vblank->inmodeset) {
spin_lock_irqsave(&dev->vbl_lock, irqflags);
dev->vblank_disable_allowed = true;