3.2.71-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx> commit 1d97e9154821d52a5ebc226176d4839c7b86b116 upstream. The crtc x/y panning coordinates are stored as signed integers internally. The user provides them as unsigned, so we should check that the user provided values actually fit in the internal datatypes. Signed-off-by: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx> Reviewed-by: Alex Deucher <alexander.deucher@xxxxxxx> Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> --- drivers/gpu/drm/drm_crtc.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -1505,6 +1505,10 @@ int drm_mode_setcrtc(struct drm_device * if (!drm_core_check_feature(dev, DRIVER_MODESET)) return -EINVAL; + /* For some reason crtc x/y offsets are signed internally. */ + if (crtc_req->x > INT_MAX || crtc_req->y > INT_MAX) + return -ERANGE; + mutex_lock(&dev->mode_config.mutex); obj = drm_mode_object_find(dev, crtc_req->crtc_id, DRM_MODE_OBJECT_CRTC); -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html