From 7e9785f78415d32e0b17b1d296a172b66e0d2ab7 Mon Sep 17 00:00:00 2001
From: Manoj Rao
Date: Fri, 12 Apr 2013 18:37:14 -0700
Subject: msm: msm_fb: remove mmio access through mmap

Disable access to mm io and add appropriate range checks to ensure valid accesses through framebuffer mmap. This prevents illegal access into memory.

CRs-Fixed: 474706
Change-Id: If25166f2732433ef967e99c716440030b567aae9
Signed-off-by: Manoj Rao
(cherry picked from commit b571bef36cf51f9bb4cd1ad3ba23e3cee6d1d3cb)
Conflicts: drivers/video/msm/msm_fb.c
Signed-off-by: Raviteja
---
 drivers/video/msm/msm_fb.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/drivers/video/msm/msm_fb.c b/drivers/video/msm/msm_fb.c
index 7d11fa9..2b626a0 100644
--- a/drivers/video/msm/msm_fb.c
+++ b/drivers/video/msm/msm_fb.c
@@ -1004,22 +1004,20 @@ static int msm_fb_mmap(struct fb_info *info, struct vm_area_struct * vma)
 u32 len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len);
 unsigned long off = vma->vm_pgoff << PAGE_SHIFT;
 struct msm_fb_data_type *mfd = (struct msm_fb_data_type *)info->par;
- if (off >= len) {
- /* memory mapped io */
- off -= len;
- if (info->var.accel_flags) {
- mutex_unlock(&info->lock);
- return -EINVAL;
- }
- start = info->fix.mmio_start;
- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len);
- }
+ if (!start)
+ return -EINVAL;
+
+ if ((vma->vm_end <= vma->vm_start) ||
+ (off >= len) ||
+ ((vma->vm_end - vma->vm_start) > (len - off)))
+ return -EINVAL;
 /* Set VM flags. */
 start &= PAGE_MASK;
- if ((vma->vm_end - vma->vm_start + off) > len)
- return -EINVAL;
 off += start;
+ if (off < start)
+ return -EINVAL;
+
 vma->vm_pgoff = off >> PAGE_SHIFT;
 /* This is an IO map - tell maydump to skip this VMA */
 vma->vm_flags |= VM_IO | VM_RESERVED;
-- 
cgit v1.1
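Review bot: The new range check trusts `off`, but `off` is still computed in the context line as `vma->vm_pgoff << PAGE_SHIFT` with no overflow guard, so a page offset whose high bits are lost in the shift can pass `off >= len` as a small in-range value. Because `vm_pgoff` is rewritten from `off` further down, the mapping appears to stay inside the framebuffer, but the caller silently gets a different offset than it asked for instead of `-EINVAL`. Rejecting it up front closes that gap: `if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) return -EINVAL;` placed before the range test. A short comment on the added checks would also help, saying that they confine the mapping to the smem range and that `off < start` catches wrap of the physical address, since `/* Set VM flags. */` now sits above address arithmetic rather than flag setting. The body of msm_fb_mmap starts before and continues past this hunk, so the declaration of `start` and the call that finally establishes the mapping are not visible here.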