diff options
author | Dmitry Vyukov <dvyukov@google.com> | 2016-10-14 15:22:22 +0200 |
---|---|---|
committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2016-10-17 08:21:14 +0200 |
commit | 49521b13cbc02aff9ac1fff8d425055cc86cef08 (patch) | |
tree | 3ab90884b6ace4be6fd89eb6ee5d0d13e4f0a177 /drivers/gpu/vga | |
parent | 0853695c3ba46f97dfc0b5885f7b7e640ca212dd (diff) |
drivers/gpu/vga: allocate vga_arb_write() buffer on stack
Size of kmalloc() in vga_arb_write() is controlled by user.
Too large kmalloc() size triggers WARNING message on console.
Allocate the buffer on stack to avoid the WARNING.
The string must be small (e.g "target PCI:domain:bus:dev.fn").
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: dri-devel@lists.freedesktop.org
Cc: syzkaller@googlegroups.com
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1476451342-146510-1-git-send-email-dvyukov@google.com
Diffstat (limited to 'drivers/gpu/vga')
-rw-r--r-- | drivers/gpu/vga/vgaarb.c | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c index 1887f199ccb7..77657a8c0cd4 100644 --- a/drivers/gpu/vga/vgaarb.c +++ b/drivers/gpu/vga/vgaarb.c @@ -1022,21 +1022,16 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf, unsigned int io_state; - char *kbuf, *curr_pos; + char kbuf[64], *curr_pos; size_t remaining = count; int ret_val; int i; - - kbuf = kmalloc(count + 1, GFP_KERNEL); - if (!kbuf) - return -ENOMEM; - - if (copy_from_user(kbuf, buf, count)) { - kfree(kbuf); + if (count >= sizeof(kbuf)) + return -EINVAL; + if (copy_from_user(kbuf, buf, count)) return -EFAULT; - } curr_pos = kbuf; kbuf[count] = '\0'; /* Just to make sure... */ @@ -1259,11 +1254,9 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf, goto done; } /* If we got here, the message written is not part of the protocol! */ - kfree(kbuf); return -EPROTO; done: - kfree(kbuf); return ret_val; } |