summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorManoj Rao <manojraj@codeaurora.org>2013-04-16 17:42:38 -0700
committerDavid Keitel <dkeitel@codeaurora.org>2016-03-23 20:17:38 -0700
commit0d2321769751b63d79c318a98e76e63edca18a31 (patch)
tree76ee76665f8001897bc6a7af05bbc9a934774197
parentb0caf0756bd96d6655c02b1b3e5b9bd521d5636b (diff)
mdss: mdss_fb: remove mmio access through mmap
Disable access to mm io and add appropriate range checks to ensure valid accesses through framebuffer mmap. This prevents illegal access into memory. Change-Id: Ic6e47ec726d330d48ce9a7a708418492a553543b CRs-Fixed: 474706 Signed-off-by: Manoj Rao <manojraj@codeaurora.org>
-rw-r--r--drivers/video/fbdev/msm/mdss_fb.c16
1 files changed, 5 insertions, 11 deletions
diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c
index 6562f1f65a56..c5d8cf476d40 100644
--- a/drivers/video/fbdev/msm/mdss_fb.c
+++ b/drivers/video/fbdev/msm/mdss_fb.c
@@ -669,22 +669,16 @@ static int mdss_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
}
mdss_fb_pan_idle(mfd);
- if (off >= len) {
- /* memory mapped io */
- off -= len;
- if (info->var.accel_flags) {
- mutex_unlock(&info->lock);
- return -EINVAL;
- }
- start = info->fix.mmio_start;
- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len);
- }
/* Set VM flags. */
start &= PAGE_MASK;
- if ((vma->vm_end - vma->vm_start + off) > len)
+ if ((vma->vm_end <= vma->vm_start) ||
+ (off >= len) ||
+ ((vma->vm_end - vma->vm_start) > (len - off)))
return -EINVAL;
off += start;
+ if (off < start)
+ return -EINVAL;
vma->vm_pgoff = off >> PAGE_SHIFT;
/* This is an IO map - tell maydump to skip this VMA */
vma->vm_flags |= VM_IO;