authorManoj Rao <manojraj@codeaurora.org>2013-04-13 01:37:14 (GMT)
committerRaviteja <adimur@codeaurora.org>2013-06-27 19:26:46 (GMT)
commit7e9785f78415d32e0b17b1d296a172b66e0d2ab7 (patch)
treed8ed37f16a8df0943af1ac5348fe1134ae34199a
parent9ca164f01e3faf97d980f6b48dac4129f1c71e8a (diff)
msm: msm_fb: remove mmio access through mmap
Disable access to mm io and add appropriate range checks to ensure valid accesses through framebuffer mmap. This prevents illegal access into memory. CRs-Fixed: 474706 Change-Id: If25166f2732433ef967e99c716440030b567aae9 Signed-off-by: Manoj Rao <manojraj@codeaurora.org> (cherry picked from commit b571bef36cf51f9bb4cd1ad3ba23e3cee6d1d3cb) Conflicts: drivers/video/msm/msm_fb.c Signed-off-by: Raviteja <adimur@codeaurora.org>
-rw-r--r--drivers/video/msm/msm_fb.c22
1 files changed, 10 insertions, 12 deletions
diff --git a/drivers/video/msm/msm_fb.c b/drivers/video/msm/msm_fb.c
index 7d11fa9..2b626a0 100644
--- a/drivers/video/msm/msm_fb.c
+++ b/drivers/video/msm/msm_fb.c
@@ -1004,22 +1004,20 @@ static int msm_fb_mmap(struct fb_info *info, struct vm_area_struct * vma)
u32 len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len);
unsigned long off = vma->vm_pgoff << PAGE_SHIFT;
struct msm_fb_data_type *mfd = (struct msm_fb_data_type *)info->par;
- if (off >= len) {
- /* memory mapped io */
- off -= len;
- if (info->var.accel_flags) {
- mutex_unlock(&info->lock);
- return -EINVAL;
- }
- start = info->fix.mmio_start;
- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len);
- }
+ if (!start)
+ return -EINVAL;
+
+ if ((vma->vm_end <= vma->vm_start) ||
+ (off >= len) ||
+ ((vma->vm_end - vma->vm_start) > (len - off)))
+ return -EINVAL;
/* Set VM flags. */
start &= PAGE_MASK;
- if ((vma->vm_end - vma->vm_start + off) > len)
- return -EINVAL;
off += start;
+ if (off < start)
+ return -EINVAL;
+
vma->vm_pgoff = off >> PAGE_SHIFT;
/* This is an IO map - tell maydump to skip this VMA */
vma->vm_flags |= VM_IO | VM_RESERVED;
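Review bot: The new range checks test `off` only after `vma->vm_pgoff << PAGE_SHIFT` has been computed in the declaration above them, so where `unsigned long` is 32 bits the high bits of a caller-supplied page offset are shifted out before `off >= len` is evaluated. Because `vm_pgoff` is rebuilt from `off` further down, the mapping still appears to land inside the framebuffer, but an out-of-range offset is silently accepted rather than rejected. Comparing in pages before relying on the shifted value closes that gap, for example `if (vma->vm_pgoff >= (len >> PAGE_SHIFT)) return -EINVAL;` ahead of the size check. A comment above the checks such as `/* Only the smem range may be mapped: reject empty, out-of-range or oversized requests. */` would also help, since `/* Set VM flags. */` now sits below them. msm_fb_mmap starts before and continues past this hunk.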