I am announcing the release of the 2.6.32.59+drm33.26 longterm tree. This tree is based on 2.6.32 and generally has all of the stable updates applied. Except those to the DRM subsystem, which was based on 2.6.33 and took updates from that upstream stable as long as that existed. It will continue to add patches to the DRM subsystem as long as they are valid according to the stable update rules (Documentation/stable_kernel_rules.txt). DRM patches for this tree should be sent to kernel-t...@lists.ubuntu.com.
This release updates the DRM subsystem only. The updated 2.6.32.y-drm33.z tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/smb/linux-2.6.32.y-drm33.z.git or git://kernel.ubuntu.com/smb/linux-2.6.32.y-drm33.z.git and can be browsed through git web via: http://git.kernel.org/?p=linux/kernel/git/smb/linux-2.6.32.y-drm33.z.git;a=summary or http://kernel.ubuntu.com/git?p=smb/linux-2.6.32.y-drm33.z.git;a=summary -Stefan ------ * drm: integer overflow in drm_mode_dirtyfb_ioctl() * Linux 2.6.32.59+drm33.26 Makefile | 2 +- drivers/gpu/drm/drm_crtc.c | 4 ++++ include/drm/drm_mode.h | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 7667dad..a9c82a4 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 6 SUBLEVEL = 32 -EXTRAVERSION = .59+drm33.25 +EXTRAVERSION = .59+drm33.26 NAME = Man-Eating Seals of Antiquity # *DOCUMENTATION* diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 81ba0e6..ec9e97e 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -1832,6 +1832,10 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev, } if (num_clips && clips_ptr) { + if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) { + ret = -EINVAL; + goto out_err1; + } clips = kzalloc(num_clips * sizeof(*clips), GFP_KERNEL); if (!clips) { ret = -ENOMEM; diff --git a/include/drm/drm_mode.h b/include/drm/drm_mode.h index c5ba163..9cf639c 100644 --- a/include/drm/drm_mode.h +++ b/include/drm/drm_mode.h @@ -232,6 +232,8 @@ struct drm_mode_fb_cmd { #define DRM_MODE_FB_DIRTY_ANNOTATE_FILL 0x02 #define DRM_MODE_FB_DIRTY_FLAGS 0x03 +#define DRM_MODE_FB_DIRTY_MAX_CLIPS 256 + /* * Mark a region of a framebuffer as dirty. * -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
