diff mbox

drm: avoid passing null pointer to memset

Message ID 1349812618-11518-1-git-send-email-rodrigo.vivi@gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Rodrigo Vivi Oct. 9, 2012, 7:56 p.m. UTC 
When cmd isn't IOC_IN | IOC_OUT a null "kdata" goes to "memset", which dereferences it.

v2: simpler version just using usize = 0 instead of allocating useless memory

Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com>
---
 drivers/gpu/drm/drm_drv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Chris Wilson Oct. 10, 2012, 12:52 p.m. UTC | #1 
On Tue,  9 Oct 2012 16:56:58 -0300, Rodrigo Vivi <rodrigo.vivi@gmail.com> wrote:
> When cmd isn't IOC_IN | IOC_OUT a null "kdata" goes to "memset", which dereferences it.
> 
> v2: simpler version just using usize = 0 instead of allocating useless memory
> 
> Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com>

Presuming that coverity is smart enough not to complain about
memcpy(NULL, src, 0),

Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris
diff mbox

Patch

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index 1490e76..f72dce5 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -444,7 +444,8 @@  long drm_ioctl(struct file *filp,
 			}
 			if (asize > usize)
 				memset(kdata + usize, 0, asize - usize);
-		}
+		} else
+			usize = 0;
 
 		if (cmd & IOC_IN) {
 			if (copy_from_user(kdata, (void __user *)arg,