[PATCH 3/3] drm/global: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
Xiubo Li
Li.Xiubo at freescale.com
Mon Aug 11 20:30:33 PDT 2014
Since we cannot make sure the 'ref->size' will always be non-zero here,
and then if it equals zero, the kzalloc() will return ZERO_SIZE_PTR,
which equals ((void *)16).
This patch fixes this by just doing the zero check before calling kzalloc().
Signed-off-by: Xiubo Li <Li.Xiubo at freescale.com>
---
drivers/gpu/drm/drm_global.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/drm_global.c b/drivers/gpu/drm/drm_global.c
index 3d2e91c..a669d01 100644
--- a/drivers/gpu/drm/drm_global.c
+++ b/drivers/gpu/drm/drm_global.c
@@ -70,6 +70,11 @@ int drm_global_item_ref(struct drm_global_reference *ref)
mutex_lock(&item->mutex);
if (item->refcount == 0) {
+ if (!ref->size) {
+ ret = -EINVAL;
+ goto out_err;
+ }
+
item->object = kzalloc(ref->size, GFP_KERNEL);
if (unlikely(item->object == NULL)) {
ret = -ENOMEM;
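Review bot: the new `if (!ref->size)` test sits inside the `item->refcount == 0` branch, after `mutex_lock(&item->mutex)`, so a zero-size reference is rejected only for the caller that triggers the first allocation, and the error exit relies on `out_err` releasing `item->mutex`, which the visible lines do not show. Since `ref->size` is caller-supplied and does not depend on `item`, consider validating it before taking the lock so every caller gets `-EINVAL` and no unlock path is involved. Otherwise, please confirm that `out_err` unlocks the mutex. The existing `item->object == NULL` test after `kzalloc()` does not catch ZERO_SIZE_PTR, so a short comment above the new check saying why zero is rejected would help the next reader. The commit message would also be stronger if it named where the ZERO_SIZE_PTR would actually be dereferenced.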
--
1.8.5