diff options
| author | Ernesto Ramos <ernesto@ti.com> | 2010-07-28 12:50:36 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-08-02 20:11:00 -0400 |
| commit | 35f338e4f2fcd2614f6fdff33f38920cf9434f86 (patch) | |
| tree | 4f2a513c4861a32e510f47f56905a91f3b5de933 | |
| parent | 019415ce5e00bcc0287f2ea88042b9fb685cdbcf (diff) | |
staging: ti dspbridge: avoid possible NULL dereference panic
When dsp_notifications array is received from user,
dspbridge verifies the array has valid pointers
and dsp_notification structures. However, these
structures contain pointers that need to be
checked for valid handles.
Signed-off-by: Ernesto Ramos <ernesto@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| -rw-r--r-- | drivers/staging/tidspbridge/pmgr/dspapi.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/drivers/staging/tidspbridge/pmgr/dspapi.c b/drivers/staging/tidspbridge/pmgr/dspapi.c index 1b0ab4ab1921..da08dfc64593 100644 --- a/drivers/staging/tidspbridge/pmgr/dspapi.c +++ b/drivers/staging/tidspbridge/pmgr/dspapi.c | |||
| @@ -539,7 +539,7 @@ func_end: | |||
| 539 | */ | 539 | */ |
| 540 | u32 mgrwrap_wait_for_bridge_events(union trapped_args *args, void *pr_ctxt) | 540 | u32 mgrwrap_wait_for_bridge_events(union trapped_args *args, void *pr_ctxt) |
| 541 | { | 541 | { |
| 542 | int status = 0, real_status = 0; | 542 | int status = 0; |
| 543 | struct dsp_notification *anotifications[MAX_EVENTS]; | 543 | struct dsp_notification *anotifications[MAX_EVENTS]; |
| 544 | struct dsp_notification notifications[MAX_EVENTS]; | 544 | struct dsp_notification notifications[MAX_EVENTS]; |
| 545 | u32 index, i; | 545 | u32 index, i; |
| @@ -554,19 +554,21 @@ u32 mgrwrap_wait_for_bridge_events(union trapped_args *args, void *pr_ctxt) | |||
| 554 | /* get the events */ | 554 | /* get the events */ |
| 555 | for (i = 0; i < count; i++) { | 555 | for (i = 0; i < count; i++) { |
| 556 | CP_FM_USR(¬ifications[i], anotifications[i], status, 1); | 556 | CP_FM_USR(¬ifications[i], anotifications[i], status, 1); |
| 557 | if (!status) { | 557 | if (status || !notifications[i].handle) { |
| 558 | /* set the array of pointers to kernel structures */ | 558 | status = -EINVAL; |
| 559 | anotifications[i] = ¬ifications[i]; | 559 | break; |
| 560 | } | 560 | } |
| 561 | /* set the array of pointers to kernel structures */ | ||
| 562 | anotifications[i] = ¬ifications[i]; | ||
| 561 | } | 563 | } |
| 562 | if (!status) { | 564 | if (!status) { |
| 563 | real_status = mgr_wait_for_bridge_events(anotifications, count, | 565 | status = mgr_wait_for_bridge_events(anotifications, count, |
| 564 | &index, | 566 | &index, |
| 565 | args->args_mgr_wait. | 567 | args->args_mgr_wait. |
| 566 | utimeout); | 568 | utimeout); |
| 567 | } | 569 | } |
| 568 | CP_TO_USR(args->args_mgr_wait.pu_index, &index, status, 1); | 570 | CP_TO_USR(args->args_mgr_wait.pu_index, &index, status, 1); |
| 569 | return real_status; | 571 | return status; |
| 570 | } | 572 | } |
| 571 | 573 | ||
| 572 | /* | 574 | /* |