https://github.com/torvalds/linux
Revision e94bd1736f1f60e916a85a80c0b0ebeaae36cce5 authored by Michel Dänzer on 30 November 2016, 08:30:01 UTC, committed by Daniel Vetter on 30 November 2016, 09:13:00 UTC
Fixes oops if userspace calls DRM_IOCTL_GET_CAP for
DRM_CAP_PAGE_FLIP_TARGET on a non-KMS device node. (Normal userspace
doesn't do that, discovered by syzkaller)
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: f837297ad824 ("drm: Add DRM_MODE_PAGE_FLIP_TARGET_ABSOLUTE/RELATIVE flags v2")
Cc: stable@vger.kernel.org
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20161130083002.1520-1-michel@daenzer.net
1 parent e5517c2
Tip revision: e94bd1736f1f60e916a85a80c0b0ebeaae36cce5 authored by Michel Dänzer on 30 November 2016, 08:30:01 UTC
drm: Don't call drm_for_each_crtc with a non-KMS driver
drm: Don't call drm_for_each_crtc with a non-KMS driver
Tip revision: e94bd17
iommu-helper.c
/*
* IOMMU helper functions for the free area management
*/
#include <linux/export.h>
#include <linux/bitmap.h>
#include <linux/bug.h>
int iommu_is_span_boundary(unsigned int index, unsigned int nr,
unsigned long shift,
unsigned long boundary_size)
{
BUG_ON(!is_power_of_2(boundary_size));
shift = (shift + index) & (boundary_size - 1);
return shift + nr > boundary_size;
}
unsigned long iommu_area_alloc(unsigned long *map, unsigned long size,
unsigned long start, unsigned int nr,
unsigned long shift, unsigned long boundary_size,
unsigned long align_mask)
{
unsigned long index;
/* We don't want the last of the limit */
size -= 1;
again:
index = bitmap_find_next_zero_area(map, size, start, nr, align_mask);
if (index < size) {
if (iommu_is_span_boundary(index, nr, shift, boundary_size)) {
start = ALIGN(shift + index, boundary_size) - shift;
goto again;
}
bitmap_set(map, index, nr);
return index;
}
return -1;
}
EXPORT_SYMBOL(iommu_area_alloc);
Computing file changes ...
