Xiubo Li (3): drm/bufs: Fix possible ZERO_SIZE_PTR pointer dereferencing error. drm/crtc: Fix possible ZERO_SIZE_PTR pointer dereferencing error. drm/global: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
drivers/gpu/drm/drm_bufs.c | 12 +++++++++--- drivers/gpu/drm/drm_crtc.c | 14 +++++++++++--- drivers/gpu/drm/drm_global.c | 5 +++++ 3 files changed, 25 insertions(+), 6 deletions(-)
Since we cannot make sure 'count' and 'dev->driver->dev_priv_size' will always be non-zero here, if either equals zero, kzalloc() will return ZERO_SIZE_PTR, which is ((void *)16).
So this patch fixes this by doing the zero check before calling kzalloc().
Signed-off-by: Xiubo Li Li.Xiubo@freescale.com --- drivers/gpu/drm/drm_bufs.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
index 68175b5..09c1e8c 100644
--- a/drivers/gpu/drm/drm_bufs.c
+++ b/drivers/gpu/drm/drm_bufs.c
@@ -617,6 +617,9 @@ int drm_addbufs_agp(struct drm_device * dev, struct drm_buf_desc * request)
 	int i, valid;
 	struct drm_buf **temp_buflist;
+	if (!dev->driver->dev_priv_size)
+		return -EINVAL;
+
 	if (!dma)
 		return -EINVAL;
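Review bot: The new `if (!dev->driver->dev_priv_size) return -EINVAL;` turns a driver that registers no per-buffer private data into a hard failure of drm_addbufs_agp(), which is a behaviour change beyond the ZERO_SIZE_PTR concern: kzalloc(0) returning ZERO_SIZE_PTR is only a problem if the result is written through, and kfree() accepts it, so a zero dev_priv_size was previously a valid, if unusual, configuration. If such drivers are meant to keep working, the guard belongs around the per-buffer kzalloc that consumes dev_priv_size (outside this hunk), skipping the allocation and leaving the private pointer NULL, rather than at function entry. The identical check added to drm_addbufs_pci() in the hunk at -781 has the same issue. Both functions continue outside the hunk, so the allocation site itself is not visible here.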
@@ -672,7 +675,7 @@ int drm_addbufs_agp(struct drm_device * dev, struct drm_buf_desc * request)
 		return -ENOMEM;	/* May only call once for each order */
 	}
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;
@@ -781,6 +784,9 @@ int drm_addbufs_pci(struct drm_device * dev, struct drm_buf_desc * request)
 	unsigned long *temp_pagelist;
 	struct drm_buf **temp_buflist;
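Review bot: Tightening the range check to `count <= 0` is the right bound for a zero-buffer request, but the series updates the identical `if (count < 0 || count > 4096)` test only in drm_addbufs_agp(), drm_addbufs_pci() (hunk at -821) and drm_addbufs_sg() (hunk at -1031); if drm_bufs.c still carries a drm_addbufs_fb() with the same test, it should receive the same change or the paths diverge. `count` presumably comes from the caller-supplied request, so rejecting 0 where it was previously accepted is a user-visible change worth a sentence in the commit message. The enclosing function starts before and ends after the hunk.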
+	if (!dev->driver->dev_priv_size)
+		return -EINVAL;
+
 	if (!drm_core_check_feature(dev, DRIVER_PCI_DMA))
 		return -EINVAL;
@@ -821,7 +827,7 @@ int drm_addbufs_pci(struct drm_device * dev, struct drm_buf_desc * request)
 		return -ENOMEM;	/* May only call once for each order */
 	}
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;
@@ -1031,7 +1037,7 @@ static int drm_addbufs_sg(struct drm_device * dev, struct drm_buf_desc * request
 		return -ENOMEM;	/* May only call once for each order */
 	}
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;
Since we cannot make sure 'total_objects' and 'gamma_size' will always be non-zero here, if either equals zero, kzalloc() will return ZERO_SIZE_PTR, which is ((void *)16).
This patch fixes this by doing the zero check before calling kzalloc().
Signed-off-by: Xiubo Li Li.Xiubo@freescale.com --- drivers/gpu/drm/drm_crtc.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 901b812..2379c7a 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -1507,9 +1507,14 @@ static int drm_mode_group_init(struct drm_device *dev, struct drm_mode_group *gr
 	total_objects += dev->mode_config.num_encoder;
 	total_objects += dev->mode_config.num_bridge;
-	group->id_list = kzalloc(total_objects * sizeof(uint32_t), GFP_KERNEL);
-	if (!group->id_list)
-		return -ENOMEM;
+	if (total_objects) {
+		group->id_list = kzalloc(total_objects * sizeof(uint32_t),
+					 GFP_KERNEL);
+		if (!group->id_list)
+			return -ENOMEM;
+	} else {
+		group->id_list = NULL;
+	}
 	group->num_crtcs = 0;
 	group->num_connectors = 0;
@@ -4337,6 +4342,9 @@ EXPORT_SYMBOL(drm_mode_connector_attach_encoder);
 int drm_mode_crtc_set_gamma_size(struct drm_crtc *crtc, int gamma_size)
 {
+	if (!gamma_size)
+		return -EINVAL;
+
 	crtc->gamma_size = gamma_size;
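Review bot: While the allocation line in drm_mode_group_init() is being rewritten, `kzalloc(total_objects * sizeof(uint32_t), GFP_KERNEL)` should become `kcalloc(total_objects, sizeof(uint32_t), GFP_KERNEL)`, the kernel idiom for array allocation, which carries the multiplication overflow check and fits on one line, removing the new continuation. kcalloc(0, ...) still returns ZERO_SIZE_PTR, so the `if (total_objects)` guard remains necessary for the stated purpose. The explicit `group->id_list = NULL` else branch is only needed if the caller does not already zero the group; the hunk does not show how `group` is allocated, so that is worth confirming.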
crtc->gamma_store = kzalloc(gamma_size * sizeof(uint16_t) * 3, GFP_KERNEL);
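Review bot: The new guard in drm_mode_crtc_set_gamma_size() rejects only `gamma_size == 0`; the parameter is a plain `int`, so a negative value still reaches `kzalloc(gamma_size * sizeof(uint16_t) * 3, GFP_KERNEL)`, where it converts to a huge size_t. For consistency with the `count <= 0` checks in the drm_bufs.c patch, `if (gamma_size <= 0) return -EINVAL;` covers both cases. Separately, `crtc->gamma_size = gamma_size;` is assigned before the allocation, so if kzalloc() fails the crtc advertises a gamma size without a store unless the failure path, which lies outside the hunk, resets it; assigning the size after a successful allocation avoids that inconsistency.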
Since we cannot make sure 'ref->size' will always be non-zero here, if it equals zero, kzalloc() will return ZERO_SIZE_PTR, which is ((void *)16).
This patch fixes this by doing the zero check before calling kzalloc().
Signed-off-by: Xiubo Li Li.Xiubo@freescale.com --- drivers/gpu/drm/drm_global.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/drm_global.c b/drivers/gpu/drm/drm_global.c
index 3d2e91c..a669d01 100644
--- a/drivers/gpu/drm/drm_global.c
+++ b/drivers/gpu/drm/drm_global.c
@@ -70,6 +70,11 @@ int drm_global_item_ref(struct drm_global_reference *ref)
 	mutex_lock(&item->mutex);
 	if (item->refcount == 0) {
+		if (!ref->size) {
+			ret = -EINVAL;
+			goto out_err;
+		}
+
 		item->object = kzalloc(ref->size, GFP_KERNEL);
 		if (unlikely(item->object == NULL)) {
 			ret = -ENOMEM;
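Review bot: The `ref->size` check does not depend on any state protected by `item->mutex`, so it can sit before `mutex_lock(&item->mutex)` as a plain `if (!ref->size) return -EINVAL;`, which keeps parameter validation out of the `out_err` cleanup path. drm_global_item_ref() is presumably an in-kernel API whose callers supply `ref->size` from their own code, so a zero here is a programming error rather than a runtime condition; a `WARN_ON_ONCE` alongside the -EINVAL would make the misuse visible. The function's start and the `out_err` label are outside the hunk; if the check stays where it is, confirm that `out_err` is safe to take before `item->object` has been assigned.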
Ping :)
Thanks,
BRs Xiubo
-----Original Message----- From: Xiubo Li [mailto:Li.Xiubo@freescale.com] Sent: Tuesday, August 12, 2014 11:30 AM To: airlied@linux.ie; dri-devel@lists.freedesktop.org Cc: Xiubo Li-B47053 Subject: [PATCH 0/3] drm: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
Xiubo Li (3): drm/bufs: Fix possible ZERO_SIZE_PTR pointer dereferencing error. drm/crtc: Fix possible ZERO_SIZE_PTR pointer dereferencing error. drm/global: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
drivers/gpu/drm/drm_bufs.c | 12 +++++++++--- drivers/gpu/drm/drm_crtc.c | 14 +++++++++++--- drivers/gpu/drm/drm_global.c | 5 +++++ 3 files changed, 25 insertions(+), 6 deletions(-)
-- 1.8.5