drivers/gpu/vga: allocate vga_arb_write() buffer on stack
The size passed to kmalloc() in vga_arb_write() is controlled by the user. Too large a kmalloc() size triggers a WARNING message on the console. Allocate the buffer on the stack to avoid the WARNING. The string must be small (e.g. "target PCI:domain:bus:dev.fn"). Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Cc: Dave Airlie <airlied@gmail.com> Cc: Ville Syrjälä <ville.syrjala@linux.intel.com> Cc: dri-devel@lists.freedesktop.org Cc: syzkaller@googlegroups.com Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/1476451342-146510-1-git-send-email-dvyukov@google.com
parent
0853695c3b
commit
49521b13cb
|
@ -1022,21 +1022,16 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf,
|
|||
|
||||
unsigned int io_state;
|
||||
|
||||
char *kbuf, *curr_pos;
|
||||
char kbuf[64], *curr_pos;
|
||||
size_t remaining = count;
|
||||
|
||||
int ret_val;
|
||||
int i;
|
||||
|
||||
|
||||
kbuf = kmalloc(count + 1, GFP_KERNEL);
|
||||
if (!kbuf)
|
||||
return -ENOMEM;
|
||||
|
||||
if (copy_from_user(kbuf, buf, count)) {
|
||||
kfree(kbuf);
|
||||
if (count >= sizeof(kbuf))
|
||||
return -EINVAL;
|
||||
if (copy_from_user(kbuf, buf, count))
|
||||
return -EFAULT;
|
||||
}
|
||||
curr_pos = kbuf;
|
||||
kbuf[count] = '\0'; /* Just to make sure... */
|
||||
|
||||
|
@ -1259,11 +1254,9 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf,
|
|||
goto done;
|
||||
}
|
||||
/* If we got here, the message written is not part of the protocol! */
|
||||
kfree(kbuf);
|
||||
return -EPROTO;
|
||||
|
||||
done:
|
||||
kfree(kbuf);
|
||||
return ret_val;
|
||||
}
|
||||
|
||||
|
|
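Review bot: The new `char kbuf[64]` declaration and the `count >= sizeof(kbuf)` check in the first hunk make the buffer size a protocol limit without saying so in the code. A write of 64 bytes or more now fails with -EINVAL, where the removed kmalloc() path accepted it. The bound itself is sound, since `count` is at most 63 when `kbuf[count] = '\0'` runs, but a comment above the declaration such as `/* Commands are short, e.g. "target PCI:domain:bus:dev.fn"; reject anything that does not fit */` would record why 64 was chosen and why oversize input is an error. Whether any existing client pads its writes past that size cannot be told from these hunks, so it is worth confirming before relying on the new rejection. The body of vga_arb_write() between the two hunks is not shown, so the parsing that consumes `kbuf` was not reviewed.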