From fd6040ed57d8f200ab0cc2abf706c54995a48370 Mon Sep 17 00:00:00 2001
From: Russell King <rmk+kernel@arm.linux.org.uk>
Date: Mon, 16 Dec 2013 12:39:31 +0000
Subject: [PATCH] imx-drm: imx-drm-core: improve safety of imx_drm_add_crtc()

We must not add more CRTCs than we have declared to the vblank
helpers, otherwise we overflow their arrays.  Force failure if we
exceed the number of CRTCs.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/imx-drm/imx-drm-core.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/staging/imx-drm/imx-drm-core.c b/drivers/staging/imx-drm/imx-drm-core.c
index 19e431dee49..96e4eee344e 100644
--- a/drivers/staging/imx-drm/imx-drm-core.c
+++ b/drivers/staging/imx-drm/imx-drm-core.c
@@ -501,6 +501,15 @@ int imx_drm_add_crtc(struct drm_crtc *crtc,
 
 	mutex_lock(&imxdrm->mutex);
 
+	/*
+	 * The vblank arrays are dimensioned by MAX_CRTC - we can't
+	 * pass IDs greater than this to those functions.
+	 */
+	if (imxdrm->pipes >= MAX_CRTC) {
+		ret = -EINVAL;
+		goto err_busy;
+	}
+
 	if (imxdrm->drm->open_count) {
 		ret = -EBUSY;
 		goto err_busy;
-- 
2.43.2