[PATCH 1/3] drm/bufs: Fix possible ZERO_SIZE_PTR pointer dereferencing error.

Xiubo Li Li.Xiubo at freescale.com
Mon Aug 11 20:30:31 PDT 2014


Since we cannot be sure that 'count' and 'dev->driver->dev_priv_size' will
always be non-zero here, if either equals zero the kzalloc() will return
ZERO_SIZE_PTR, which equals ((void *)16).

So this patch fixes this by doing the zero check before calling kzalloc().

Signed-off-by: Xiubo Li <Li.Xiubo at freescale.com>
---
 drivers/gpu/drm/drm_bufs.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
index 68175b5..09c1e8c 100644
--- a/drivers/gpu/drm/drm_bufs.c
+++ b/drivers/gpu/drm/drm_bufs.c
@@ -617,6 +617,9 @@ int drm_addbufs_agp(struct drm_device * dev, struct drm_buf_desc * request)
 	int i, valid;
 	struct drm_buf **temp_buflist;
 
+	if (!dev->driver->dev_priv_size)
+		return -EINVAL;
+
 	if (!dma)
 		return -EINVAL;
 
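Review bot: The new dev_priv_size guard at the top of drm_addbufs_agp turns a kzalloc(0) that was previously harmless into an -EINVAL failure for any driver that legitimately sets dev_priv_size to 0; the same applies to the guard added to drm_addbufs_pci in the third hunk. ZERO_SIZE_PTR is a deliberate non-NULL sentinel that kfree() accepts, so a zero size is only a defect at a site that actually dereferences dev_private, and neither this hunk nor the commit message names such a site. If the intent is to reject drivers that declare no per-buffer private data, the message should say so and confirm that no in-tree driver relies on dev_priv_size == 0; otherwise the guard should be dropped in favour of a comment at the allocation, e.g. `/* dev_priv_size may be 0: kzalloc() then returns ZERO_SIZE_PTR, which must never be dereferenced */`. The body of drm_addbufs_agp continues outside the hunk.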
@@ -672,7 +675,7 @@ int drm_addbufs_agp(struct drm_device * dev, struct drm_buf_desc * request)
 		return -ENOMEM;	/* May only call once for each order */
 	}
 
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;
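Review bot: The tightened `count <= 0` check still runs only after dev->struct_mutex is held and dev->buf_alloc has been incremented, as the mutex_unlock()/atomic_dec() on its error path shows, whereas the dev_priv_size check added in the first hunk sits at function entry; the same applies to the fourth and fifth hunks. If count is derived purely from the request (the hunk does not show where it is set), validating it up front next to the other entry checks would let the zero case fail before any locking and leave one fewer error path to keep in sync. The 4096 upper bound is now repeated verbatim in all three functions; a single named constant in the file would make the three checks agree by construction. The enclosing function continues on both sides of the hunk.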
@@ -781,6 +784,9 @@ int drm_addbufs_pci(struct drm_device * dev, struct drm_buf_desc * request)
 	unsigned long *temp_pagelist;
 	struct drm_buf **temp_buflist;
 
+	if (!dev->driver->dev_priv_size)
+			return -EINVAL;
+
 	if (!drm_core_check_feature(dev, DRIVER_PCI_DMA))
 		return -EINVAL;
 
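Review bot: The new `return -EINVAL;` under the dev_priv_size test in drm_addbufs_pci is indented by two tabs where one is expected, and the identical check added to drm_addbufs_agp in the first hunk uses one; checkpatch will flag the mismatch. The added statement should be indented by a single tab so the two guards read the same. drm_addbufs_pci's body continues outside the hunk.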
@@ -821,7 +827,7 @@ int drm_addbufs_pci(struct drm_device * dev, struct drm_buf_desc * request)
 		return -ENOMEM;	/* May only call once for each order */
 	}
 
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;
@@ -1031,7 +1037,7 @@ static int drm_addbufs_sg(struct drm_device * dev, struct drm_buf_desc * request
 		return -ENOMEM;	/* May only call once for each order */
 	}
 
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;
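Review bot: drm_addbufs_sg receives only the `count <= 0` change, whereas drm_addbufs_agp and drm_addbufs_pci also gained a dev_priv_size guard at entry; if drm_addbufs_sg allocates per-buffer dev_private from dev->driver->dev_priv_size in the same way (its allocation is outside this hunk, so this is inferred), the commit message's rationale applies to it too and the three functions should be treated alike. Whichever way that is resolved, the commit message should state why the functions differ. drm_addbufs_sg's body continues on both sides of the hunk.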
-- 
1.8.5


