diff options
| author | Axel Haslam <axelhaslam@ti.com> | 2010-12-17 00:37:39 -0500 |
|---|---|---|
| committer | Paolo Pisati <paolo.pisati@canonical.com> | 2012-08-17 04:19:15 -0400 |
| commit | 58239aeb418a3cd1fe1570709a295d0cfedda216 (patch) | |
| tree | 89fdb80412449876bd9f7c6ef721a3030d51e8d0 /arch | |
| parent | 721d2eee2257f89be881ecc5a76a291c8a6cef95 (diff) | |
KW: iodmm: Verify pointers prior to dereferencing and init locals
In the function user_to_device_map
-Initialized the local w to 0
-Check the vma pointer and return if NULL
-In error condition verify that gen_pool is valid before
freeing the memory
Change-Id: I7c3fa08dcb561564cc3e45bdc2b20d404bdbb514
Signed-off-by: Axel Haslam <axelhaslam@ti.com>
Diffstat (limited to 'arch')
| -rw-r--r-- | arch/arm/plat-omap/iodmm.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/arch/arm/plat-omap/iodmm.c b/arch/arm/plat-omap/iodmm.c index c4cd4564679..465fb9017ae 100644 --- a/arch/arm/plat-omap/iodmm.c +++ b/arch/arm/plat-omap/iodmm.c | |||
| @@ -673,7 +673,7 @@ static int user_to_device_map(struct iommu *mmu, u32 uva, u32 da, u32 size, | |||
| 673 | 673 | ||
| 674 | { | 674 | { |
| 675 | int res = 0; | 675 | int res = 0; |
| 676 | int w; | 676 | int w = 0; |
| 677 | struct vm_area_struct *vma; | 677 | struct vm_area_struct *vma; |
| 678 | struct mm_struct *mm = current->mm; | 678 | struct mm_struct *mm = current->mm; |
| 679 | u32 pg_num; | 679 | u32 pg_num; |
| @@ -690,6 +690,10 @@ static int user_to_device_map(struct iommu *mmu, u32 uva, u32 da, u32 size, | |||
| 690 | pages = size / PAGE_SIZE; | 690 | pages = size / PAGE_SIZE; |
| 691 | 691 | ||
| 692 | vma = find_vma(mm, uva); | 692 | vma = find_vma(mm, uva); |
| 693 | if (!vma) { | ||
| 694 | WARN_ON(1); | ||
| 695 | return -EFAULT; | ||
| 696 | } | ||
| 693 | 697 | ||
| 694 | if (vma->vm_flags & (VM_WRITE | VM_MAYWRITE)) | 698 | if (vma->vm_flags & (VM_WRITE | VM_MAYWRITE)) |
| 695 | w = 1; | 699 | w = 1; |
| @@ -811,7 +815,8 @@ static int phys_to_device_map(struct iodmm_struct *obj, | |||
| 811 | return 0; | 815 | return 0; |
| 812 | 816 | ||
| 813 | err_add_map: | 817 | err_add_map: |
| 814 | gen_pool_free(gen_pool, da, bytes); | 818 | if (gen_pool) |
| 819 | gen_pool_free(gen_pool, da, bytes); | ||
| 815 | exit: | 820 | exit: |
| 816 | return err; | 821 | return err; |
| 817 | } | 822 | } |
| @@ -1026,7 +1031,11 @@ int omap_create_dmm_pool(struct iodmm_struct *obj, const void __user *args) | |||
| 1026 | pool->da_end = pool_info.da_begin + pool_info.size; | 1031 | pool->da_end = pool_info.da_begin + pool_info.size; |
| 1027 | 1032 | ||
| 1028 | pool->genpool = gen_pool_create(12, -1); | 1033 | pool->genpool = gen_pool_create(12, -1); |
| 1029 | gen_pool_add(pool->genpool, pool->da_begin, pool_info.size, -1); | 1034 | if (pool->genpool) |
| 1035 | gen_pool_add(pool->genpool, pool->da_begin, | ||
| 1036 | pool_info.size, -1); | ||
| 1037 | else | ||
| 1038 | pr_err("%s:gen_pool_create retuned null\n", __func__); | ||
| 1030 | 1039 | ||
| 1031 | INIT_LIST_HEAD(&pool->list); | 1040 | INIT_LIST_HEAD(&pool->list); |
| 1032 | list_add_tail(&pool->list, &iovmm->mmap_pool); | 1041 | list_add_tail(&pool->list, &iovmm->mmap_pool); |