diff mbox

drm: avoid passing null pointer to memset

Message ID 1349805046-4587-1-git-send-email-rodrigo.vivi@gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Rodrigo Vivi Oct. 9, 2012, 5:50 p.m. UTC 
When cmd isn't IOC_IN | IOC_OUT a null "kdata" goes to "memset", which dereferences it.

Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com>
---
 drivers/gpu/drm/drm_drv.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Comments

Chris Wilson Oct. 9, 2012, 6:03 p.m. UTC | #1 
On Tue,  9 Oct 2012 14:50:46 -0300, Rodrigo Vivi <rodrigo.vivi@gmail.com> wrote:
> When cmd isn't IOC_IN | IOC_OUT a null "kdata" goes to "memset", which dereferences it.
> 
usize should be 0 in that case, since the ioctl is neither copying data
in or out, for example I915_GEM_THROTTLE. To be on the safe side:
if (IOC_IN | IOC_OUT) { /* blah */ } else usize = 0;
-Chris
diff mbox

Patch

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index 1490e76..5945920 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -452,8 +452,16 @@  long drm_ioctl(struct file *filp,
 				retcode = -EFAULT;
 				goto err_i1;
 			}
-		} else
+		} else {
+			if (!kdata) {
+				kdata = kmalloc(usize, GFP_KERNEL);
+		    		if (!kdata) {
+					retcode = -ENOMEM;
+					goto err_i1;
+				}
+			}
 			memset(kdata, 0, usize);
+		}
 
 		if (ioctl->flags & DRM_UNLOCKED)
 			retcode = func(dev, kdata, file_priv);