[PATCH 3/3] drm/global: Fix possible ZERO_SIZE_PTR pointer dereferencing error.

Since we cannot make sure that 'ref->size' will always be non-zero here,
if it equals zero, kzalloc() will return ZERO_SIZE_PTR,
which equals ((void *)16).

This patch fixes this by just doing the zero check before calling kzalloc().

Signed-off-by: Xiubo Li <Li.Xiubo@xxxxxxxxxxxxx>
---
 drivers/gpu/drm/drm_global.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/drm_global.c b/drivers/gpu/drm/drm_global.c
index 3d2e91c..a669d01 100644
--- a/drivers/gpu/drm/drm_global.c
+++ b/drivers/gpu/drm/drm_global.c
@@ -70,6 +70,11 @@ int drm_global_item_ref(struct drm_global_reference *ref)
 
 	mutex_lock(&item->mutex);
 	if (item->refcount == 0) {
+		if (!ref->size) {
+			ret = -EINVAL;
+			goto out_err;
+		}
+
 		item->object = kzalloc(ref->size, GFP_KERNEL);
 		if (unlikely(item->object == NULL)) {
 			ret = -ENOMEM;
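Review bot: the new `if (!ref->size)` check runs after mutex_lock(&item->mutex), so the `goto out_err` path must release that mutex, and the out_err label is outside the visible context; please confirm it unlocks before returning. Because ref->size is supplied by the caller and does not depend on the item's state, the check could instead sit at the top of drm_global_item_ref(), before the lock is taken, which would reject a zero size on every call rather than only when item->refcount == 0. It would also help to document the new -EINVAL return for callers, since the existing `item->object == NULL` test only covers the -ENOMEM case and does not catch ZERO_SIZE_PTR.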
-- 
1.8.5

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel



