From patchwork Tue Aug 12 03:30:31 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Xiubo Li <Li.Xiubo@freescale.com>
X-Patchwork-Id: 4715721
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 1DB079F37E
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Wed, 13 Aug 2014 01:01:03 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 42520201B4
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Wed, 13 Aug 2014 01:01:02 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id 366EE20173
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Wed, 13 Aug 2014 01:01:01 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 0BE026E338;
	Tue, 12 Aug 2014 18:00:59 -0700 (PDT)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from na01-bn1-obe.outbound.protection.outlook.com
	(mail-bn1lp0144.outbound.protection.outlook.com [207.46.163.144])
	by gabe.freedesktop.org (Postfix) with ESMTP id 455196E02E
	for <dri-devel@lists.freedesktop.org>;
	Mon, 11 Aug 2014 20:49:35 -0700 (PDT)
Received: from BN3PR0301CA0004.namprd03.prod.outlook.com (25.160.180.142) by
	DM2PR0301MB0624.namprd03.prod.outlook.com (25.160.95.28) with
	Microsoft SMTP
	Server (TLS) id 15.0.1005.10; Tue, 12 Aug 2014 03:34:46 +0000
Received: from BN1AFFO11FD051.protection.gbl (2a01:111:f400:7c10::156) by
	BN3PR0301CA0004.outlook.office365.com (2a01:111:e400:4000::14) with
	Microsoft SMTP Server (TLS) id 15.0.1005.10 via Frontend Transport;
	Tue, 12 Aug 2014 03:34:46 +0000
Received: from tx30smr01.am.freescale.net (192.88.168.50) by
	BN1AFFO11FD051.mail.protection.outlook.com (10.58.53.66) with
	Microsoft SMTP
	Server (TLS) id 15.0.1010.11 via Frontend Transport; Tue, 12 Aug 2014
	03:34:46 +0000
Received: from titan.ap.freescale.net ([10.192.208.233])
	by tx30smr01.am.freescale.net (8.14.3/8.14.0) with ESMTP id
	s7C3Yads027875; Mon, 11 Aug 2014 20:34:44 -0700
From: Xiubo Li <Li.Xiubo@freescale.com>
To: <airlied@linux.ie>, <dri-devel@lists.freedesktop.org>
Subject: [PATCH 1/3] drm/bufs: Fix possible ZERO_SIZE_PTR pointer
	dereferencing error.
Date: Tue, 12 Aug 2014 11:30:31 +0800
Message-ID: <1407814233-43689-2-git-send-email-Li.Xiubo@freescale.com>
X-Mailer: git-send-email 1.8.5
In-Reply-To: <1407814233-43689-1-git-send-email-Li.Xiubo@freescale.com>
References: <1407814233-43689-1-git-send-email-Li.Xiubo@freescale.com>
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:192.88.168.50; CTRY:US; IPV:CAL; IPV:NLI;
	EFV:NLI; SFV:NSPM;
	SFS:(979002)(6009001)(199003)(189002)(36756003)(31966008)(74662001)(19580405001)(85306004)(19580395003)(104166001)(84676001)(93916002)(85852003)(87286001)(50226001)(74502001)(77156001)(4396001)(26826002)(92566001)(95666004)(21056001)(105606002)(107046002)(229853001)(44976005)(106466001)(81542001)(83322001)(81342001)(104016003)(80022001)(92726001)(62966002)(47776003)(50986999)(20776003)(6806004)(50466002)(64706001)(76176999)(99396002)(68736004)(89996001)(87936001)(48376002)(88136002)(83072002)(86362001)(102836001)(97736001)(76482001)(77982001)(46102001)(79102001)(969003)(989001)(999001)(1009001)(1019001);
	DIR:OUT; SFP:; SCL:1; SRVR:DM2PR0301MB0624;
	H:tx30smr01.am.freescale.net; FPR:;
	MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
MIME-Version: 1.0
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;UriScan:;
X-Forefront-PRVS: 0301360BF5
Received-SPF: Fail (protection.outlook.com: domain of freescale.com does not
	designate 192.88.168.50 as permitted sender)
	receiver=protection.outlook.com;
	client-ip=192.88.168.50; helo=tx30smr01.am.freescale.net;
Authentication-Results: spf=fail (sender IP is 192.88.168.50)
	smtp.mailfrom=Li.Xiubo@freescale.com;
X-OriginatorOrg: freescale.com
X-Mailman-Approved-At: Tue, 12 Aug 2014 18:00:55 -0700
Cc: Xiubo Li <Li.Xiubo@freescale.com>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Since we cannot make sure the 'count' and 'dev->driver->dev_priv_size' will
always be none zero here, and then if either equal to zero, the kzalloc()
will return ZERO_SIZE_PTR, which equals to ((void *)16).

So this patch fix this with just doing the zero check before calling kzalloc().

Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
---
 drivers/gpu/drm/drm_bufs.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
index 68175b5..09c1e8c 100644
--- a/drivers/gpu/drm/drm_bufs.c
+++ b/drivers/gpu/drm/drm_bufs.c
@@ -617,6 +617,9 @@ int drm_addbufs_agp(struct drm_device * dev, struct drm_buf_desc * request)
 	int i, valid;
 	struct drm_buf **temp_buflist;
 
+	if (!dev->driver->dev_priv_size)
+		return -EINVAL;
+
 	if (!dma)
 		return -EINVAL;
 
@@ -672,7 +675,7 @@ int drm_addbufs_agp(struct drm_device * dev, struct drm_buf_desc * request)
 		return -ENOMEM;	/* May only call once for each order */
 	}
 
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;
@@ -781,6 +784,9 @@ int drm_addbufs_pci(struct drm_device * dev, struct drm_buf_desc * request)
 	unsigned long *temp_pagelist;
 	struct drm_buf **temp_buflist;
 
+	if (!dev->driver->dev_priv_size)
+			return -EINVAL;
+
 	if (!drm_core_check_feature(dev, DRIVER_PCI_DMA))
 		return -EINVAL;
 
@@ -821,7 +827,7 @@ int drm_addbufs_pci(struct drm_device * dev, struct drm_buf_desc * request)
 		return -ENOMEM;	/* May only call once for each order */
 	}
 
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;
@@ -1031,7 +1037,7 @@ static int drm_addbufs_sg(struct drm_device * dev, struct drm_buf_desc * request
 		return -ENOMEM;	/* May only call once for each order */
 	}
 
-	if (count < 0 || count > 4096) {
+	if (count <= 0 || count > 4096) {
 		mutex_unlock(&dev->struct_mutex);
 		atomic_dec(&dev->buf_alloc);
 		return -EINVAL;