[PATCH 2/3] drm/crtc: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
Xiubo Li
Li.Xiubo at freescale.com
Mon Aug 11 20:30:32 PDT 2014
Since we cannot be sure that 'total_objects' and 'gamma_size' will always
be non-zero here, if either of them equals zero, kzalloc() will
return ZERO_SIZE_PTR, which equals ((void *)16).
This patch fixes this by doing the zero check before calling kzalloc().
Signed-off-by: Xiubo Li <Li.Xiubo at freescale.com>
---
drivers/gpu/drm/drm_crtc.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 901b812..2379c7a 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -1507,9 +1507,14 @@ static int drm_mode_group_init(struct drm_device *dev, struct drm_mode_group *gr
total_objects += dev->mode_config.num_encoder;
total_objects += dev->mode_config.num_bridge;
- group->id_list = kzalloc(total_objects * sizeof(uint32_t), GFP_KERNEL);
- if (!group->id_list)
- return -ENOMEM;
+ if (total_objects) {
+ group->id_list = kzalloc(total_objects * sizeof(uint32_t),
+ GFP_KERNEL);
+ if (!group->id_list)
+ return -ENOMEM;
+ } else {
+ group->id_list = NULL;
+ }
group->num_crtcs = 0;
group->num_connectors = 0;
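Review bot: The size passed to kzalloc() in the new `if (total_objects)` branch is still an open-coded product, so nothing checks it for overflow; `group->id_list = kcalloc(total_objects, sizeof(uint32_t), GFP_KERNEL);` does that check. The same applies to `gamma_size * sizeof(uint16_t) * 3` in the drm_mode_crtc_set_gamma_size() hunk. The else branch leaves `id_list` NULL for an empty group, so a one-line comment such as `/* empty group: no ids to store, id_list stays NULL */` would tell readers that NULL is a valid state here and must not be indexed. The function begins and continues outside this hunk, so whether later code touches `id_list` when all counts are zero cannot be confirmed from here.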
@@ -4337,6 +4342,9 @@ EXPORT_SYMBOL(drm_mode_connector_attach_encoder);
int drm_mode_crtc_set_gamma_size(struct drm_crtc *crtc,
int gamma_size)
{
+ if (!gamma_size)
+ return -EINVAL;
+
crtc->gamma_size = gamma_size;
crtc->gamma_store = kzalloc(gamma_size * sizeof(uint16_t) * 3, GFP_KERNEL);
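Review bot: The added guard `if (!gamma_size)` rejects only zero, but `gamma_size` is a signed `int`, so a negative value still reaches the allocation. There it is stored in `crtc->gamma_size` and converted to a very large unsigned size in `gamma_size * sizeof(uint16_t) * 3`. Changing the check to `if (gamma_size <= 0) return -EINVAL;` closes that case as well. Moving the `crtc->gamma_size = gamma_size;` assignment after a successful allocation would also keep the stored size from describing a buffer that was never allocated; the rest of the function, including any check of `gamma_store`, lies outside this hunk.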
--
1.8.5