diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c index cb1a2c388b5a..b884194f260c 100644 --- a/drivers/gpu/drm/drm_file.c +++ b/drivers/gpu/drm/drm_file.c @@ -46,6 +46,8 @@ /* from BKL pushdown */ DEFINE_MUTEX(drm_global_mutex); +#define MAX_DRM_OPEN_COUNT 128 + /** * DOC: file operations * @@ -322,6 +324,11 @@ int drm_open(struct inode *inode, struct file *filp) if (!dev->open_count++) need_setup = 1; + if (dev->open_count >= MAX_DRM_OPEN_COUNT) { + retcode = -EPERM; + goto err_undo; + } + /* share address_space across all char-devs of a single device */ filp->f_mapping = dev->anon_inode->i_mapping; diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c index 69dfed57c2f8..6532a9d4de90 100644 --- a/drivers/gpu/drm/drm_property.c +++ b/drivers/gpu/drm/drm_property.c @@ -26,6 +26,9 @@ #include "drm_crtc_internal.h" +#define MAX_BLOB_PROP_SIZE (PAGE_SIZE * 30) +#define MAX_BLOB_PROP_COUNT 250 + /** * DOC: overview * @@ -556,7 +559,8 @@ drm_property_create_blob(struct drm_device *dev, size_t length, struct drm_property_blob *blob; int ret; - if (!length || length > INT_MAX - sizeof(struct drm_property_blob)) + if (!length || length > MAX_BLOB_PROP_SIZE - + sizeof(struct drm_property_blob)) return ERR_PTR(-EINVAL); blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); @@ -782,12 +786,21 @@ int drm_mode_createblob_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_mode_create_blob *out_resp = data; - struct drm_property_blob *blob; + struct drm_property_blob *blob, *bt; int ret = 0; + u32 count = 0; if (!drm_core_check_feature(dev, DRIVER_MODESET)) return -EINVAL; + mutex_lock(&dev->mode_config.blob_lock); + list_for_each_entry(bt, &file_priv->blobs, head_file) + count++; + mutex_unlock(&dev->mode_config.blob_lock); + + if (count >= MAX_BLOB_PROP_COUNT) + return -EOPNOTSUPP; + blob = drm_property_create_blob(dev, out_resp->length, NULL); if (IS_ERR(blob)) return PTR_ERR(blob);