In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a user-controlled value which is not checked for zero. It is used in a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR is dereferenced which leads to a GPF and possibly to a kernel panic. Add the check for zero to avoid this. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719 Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx> --- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index b445ce9..42840cc 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) num_sizes += req->mip_levels[i]; - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * - DRM_VMW_MAX_MIP_LEVELS) + if (num_sizes <= 0 || + num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS) return -EINVAL; size = vmw_user_surface_size + 128 + -- 2.9.3 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/dri-devel