summaryrefslogtreecommitdiff
path: root/drivers/gpu/vga
diff options
context:
space:
mode:
authorDmitry Vyukov <dvyukov@google.com>2016-10-14 15:22:22 +0200
committerDaniel Vetter <daniel.vetter@ffwll.ch>2016-10-17 08:21:14 +0200
commit49521b13cbc02aff9ac1fff8d425055cc86cef08 (patch)
tree3ab90884b6ace4be6fd89eb6ee5d0d13e4f0a177 /drivers/gpu/vga
parent0853695c3ba46f97dfc0b5885f7b7e640ca212dd (diff)
drivers/gpu/vga: allocate vga_arb_write() buffer on stack
Size of kmalloc() in vga_arb_write() is controlled by user. Too large kmalloc() size triggers WARNING message on console. Allocate the buffer on stack to avoid the WARNING. The string must be small (e.g "target PCI:domain:bus:dev.fn"). Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Cc: Dave Airlie <airlied@gmail.com> Cc: Ville Syrjälä <ville.syrjala@linux.intel.com> Cc: dri-devel@lists.freedesktop.org Cc: syzkaller@googlegroups.com Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/1476451342-146510-1-git-send-email-dvyukov@google.com
Diffstat (limited to 'drivers/gpu/vga')
-rw-r--r--drivers/gpu/vga/vgaarb.c15
1 files changed, 4 insertions, 11 deletions
diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c
index 1887f199ccb7..77657a8c0cd4 100644
--- a/drivers/gpu/vga/vgaarb.c
+++ b/drivers/gpu/vga/vgaarb.c
@@ -1022,21 +1022,16 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf,
unsigned int io_state;
- char *kbuf, *curr_pos;
+ char kbuf[64], *curr_pos;
size_t remaining = count;
int ret_val;
int i;
-
- kbuf = kmalloc(count + 1, GFP_KERNEL);
- if (!kbuf)
- return -ENOMEM;
-
- if (copy_from_user(kbuf, buf, count)) {
- kfree(kbuf);
+ if (count >= sizeof(kbuf))
+ return -EINVAL;
+ if (copy_from_user(kbuf, buf, count))
return -EFAULT;
- }
curr_pos = kbuf;
kbuf[count] = '\0'; /* Just to make sure... */
@@ -1259,11 +1254,9 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf,
goto done;
}
/* If we got here, the message written is not part of the protocol! */
- kfree(kbuf);
return -EPROTO;
done:
- kfree(kbuf);
return ret_val;
}