From 756efb7c9b93277738d7d371841f2aea25e0465d Mon Sep 17 00:00:00 2001 From: kettenis Date: Fri, 29 Dec 2023 10:00:18 +0000 Subject: [PATCH] Support for "control" nodes was removed from the drm subsystem some time ago, but some code in drmopen() remained which means that opening a drm device node with a minor that matches the range for the "control" nodes will hit a kernel assertion. A similar issue exists for "render" nodes corresponding to a driver that only supports KMS (such as rkdrm(4)). Add checks to see if the minor is valid and return ENXIO if that isn't the case to prevent a kernel crash. ok jsg@, miod@ --- sys/dev/pci/drm/drm_drv.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/sys/dev/pci/drm/drm_drv.c b/sys/dev/pci/drm/drm_drv.c index cce43104508..de7239c21e2 100644 --- a/sys/dev/pci/drm/drm_drv.c +++ b/sys/dev/pci/drm/drm_drv.c @@ -1556,9 +1556,6 @@ struct drm_device * drm_get_device_from_kdev(dev_t kdev) { int unit = minor(kdev) & ((1 << CLONE_SHIFT) - 1); - /* control */ - if (unit >= 64 && unit < 128) - unit -= 64; /* render */ if (unit >= 128) unit -= 128; @@ -1701,12 +1698,18 @@ drmopen(dev_t kdev, int flags, int fmt, struct proc *p) realminor = dminor & ((1 << CLONE_SHIFT) - 1); if (realminor < 64) minor_type = DRM_MINOR_PRIMARY; - else if (realminor >= 64 && realminor < 128) - minor_type = DRM_MINOR_CONTROL; - else + else if (realminor >= 128 && realminor < 192) minor_type = DRM_MINOR_RENDER; + else { + ret = ENXIO; + goto err; + } dm = *drm_minor_get_slot(dev, minor_type); + if (dm == NULL) { + ret = ENXIO; + goto err; + } dm->index = minor(kdev); file_priv = drm_file_alloc(dm); -- 2.20.1