Hi!

> >>--- a/drivers/staging/tidspbridge/rmgr/drv_interface.c > >>+++ b/drivers/staging/tidspbridge/rmgr/drv_interface.c > >>@@ -258,7 +258,17 @@ err: > >> /* This function maps kernel space memory to user space memory. */ > >> static int bridge_mmap(struct file *filp, struct vm_area_struct *vma) > >> { > >>- u32 status; > >>+ int status; > >>+ struct omap_dsp_platform_data *pdata = > >>+ omap_dspbridge_dev->dev.platform_data; > >>+ unsigned long start = vma->vm_pgoff << PAGE_SHIFT; > >>+ > >>+ if (start < pdata->phys_mempool_base) > >>+ return -EINVAL; > >>+ > >>+ if (vma->vm_end - vma->vm_start + (start - pdata->phys_mempool_base) > >>+ > pdata->phys_mempool_size)
> >This test is vulnerable to integer overflows if you pick a very high
> >value for start. Consider using the vm_iomap_memory() helper function
> >instead of calling remap_pfn_range() directly. Commit 7314e613d5ff
> >('Fix a few incorrectly checked [io_]remap_pfn_range() calls') has an
> >example of how the conversion works.
> >
> >regards,
> >dan carpenter
> >
> Dan,
>
> If that one looks fine, I'll send a correctly formatted patch.

Looks good to me. Feel free to add

Signed-off-by: Pavel Machek <pavel@xxxxxx>
Reported-by: Nico Golde <nico@xxxxxxxxx>
Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
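
Review bot: `unsigned long start = vma->vm_pgoff << PAGE_SHIFT;` drops the high bits of a large `vm_pgoff`, so two different page offsets can produce the same `start` and the range checks that follow are then made on a value that no longer identifies the requested offset. Do the comparison in page units instead, against `pdata->phys_mempool_base >> PAGE_SHIFT` and `pdata->phys_mempool_size >> PAGE_SHIFT`, or reject any `vm_pgoff` whose shift would not round-trip. The second `if` also adds `vma->vm_end - vma->vm_start` to `start - pdata->phys_mempool_base` before comparing; check the offset against `phys_mempool_size` first and then the length against what remains, so no addition is needed.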
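
The overflow raised in the quoted review, as an added user-space example (not code from this thread or from the driver): the additive form of the range test next to a form that only subtracts. It assumes a 32-bit `unsigned long`, modelled with `uint32_t`; the pool base, pool size, function names and request values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit unsigned long, modelled with uint32_t. */
typedef uint32_t ulong32;

/* Constructed pool geometry, not taken from the thread. */
#define POOL_BASE 0x80000000u
#define POOL_SIZE 0x00100000u

/* Same shape as the quoted test: length + offset compared to the size. */
static bool check_with_add(ulong32 start, ulong32 len)
{
    if (start < POOL_BASE)
        return false;
    if (len + (start - POOL_BASE) > POOL_SIZE) /* sum can wrap to a small value */
        return false;
    return true;
}

/* Overflow-safe form: only subtractions that cannot go below zero. */
static bool check_no_add(ulong32 start, ulong32 len)
{
    ulong32 off;

    if (start < POOL_BASE)
        return false;
    off = start - POOL_BASE;      /* safe: start >= POOL_BASE */
    if (off > POOL_SIZE)
        return false;
    return len <= POOL_SIZE - off; /* safe: off <= POOL_SIZE */
}

int main(void)
{
    /* Constructed request: offset far past the pool, length chosen so the sum wraps. */
    ulong32 start = 0xFFFFF000u, len = 0x80002000u;

    printf("with add: %d, no add: %d\n",
           check_with_add(start, len), check_no_add(start, len));
    return 0;
}
```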