From patchwork Fri Mar 6 05:45:13 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Praveen Paneri X-Patchwork-Id: 5950101 Return-Path: X-Original-To: patchwork-intel-gfx@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 64BD89F373 for ; Fri, 6 Mar 2015 05:42:53 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 60DB3202B4 for ; Fri, 6 Mar 2015 05:42:52 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 3E1CD202E5 for ; Fri, 6 Mar 2015 05:42:51 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 9C55C6E848; Thu, 5 Mar 2015 21:42:50 -0800 (PST) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by gabe.freedesktop.org (Postfix) with ESMTP id 895986E847 for ; Thu, 5 Mar 2015 21:42:49 -0800 (PST) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga103.fm.intel.com with ESMTP; 05 Mar 2015 21:37:42 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.11,351,1422950400"; d="scan'208";a="661282287" Received: from intel-desktop.iind.intel.com ([10.223.82.37]) by orsmga001.jf.intel.com with ESMTP; 05 Mar 2015 21:42:47 -0800 From: Praveen Paneri To: intel-gfx@lists.freedesktop.org Date: Fri, 6 Mar 2015 11:15:13 +0530 Message-Id: <1425620714-21703-9-git-send-email-praveen.paneri@intel.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1425620714-21703-1-git-send-email-praveen.paneri@intel.com> References: <1425620714-21703-1-git-send-email-praveen.paneri@intel.com> Cc: deepak.s@intel.com, praveen.paneri@intel.com Subject: [Intel-gfx] [PATCH 8/9] external/drm: Validate all memory allocations X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch adds check for various malloc/calloc function if they were able to allocate memory as requested or not. Return appropriate error if the allocation fails. Signed-off-by: Praveen Paneri --- intel/intel_bufmgr_fake.c | 4 ++++ intel/intel_bufmgr_gem.c | 3 +++ intel/intel_decode.c | 2 ++ xf86drm.c | 54 +++++++++++++++++++++++++++++++++++++---------- xf86drmHash.c | 9 ++++++++ xf86drmSL.c | 2 ++ 6 files changed, 63 insertions(+), 11 deletions(-) diff --git a/intel/intel_bufmgr_fake.c b/intel/intel_bufmgr_fake.c index ed31c23..c00aa80 100644 --- a/intel/intel_bufmgr_fake.c +++ b/intel/intel_bufmgr_fake.c @@ -1277,6 +1277,8 @@ drm_intel_fake_emit_reloc(drm_intel_bo *bo, uint32_t offset, if (bo_fake->relocs == NULL) { bo_fake->relocs = malloc(sizeof(struct fake_buffer_reloc) * MAX_RELOCS); + if (!bo_fake->relocs) + return -ENOMEM; } r = &bo_fake->relocs[bo_fake->nr_relocs++]; @@ -1596,6 +1598,8 @@ drm_intel_bufmgr *drm_intel_bufmgr_fake_init(int fd, drm_intel_bufmgr_fake *bufmgr_fake; bufmgr_fake = calloc(1, sizeof(*bufmgr_fake)); + if (!bufmgr_fake) + return NULL; if (pthread_mutex_init(&bufmgr_fake->lock, NULL) != 0) { free(bufmgr_fake); diff --git a/intel/intel_bufmgr_gem.c b/intel/intel_bufmgr_gem.c index 8251efd..5bf33c4 100644 --- a/intel/intel_bufmgr_gem.c +++ b/intel/intel_bufmgr_gem.c @@ -2261,6 +2261,9 @@ aub_write_bo_data(drm_intel_bo *bo, uint32_t offset, uint32_t size) unsigned int i; data = malloc(bo->size); + if (!data) + return; + drm_intel_bo_get_subdata(bo, offset, size, data); /* Easy mode: write out bo with no relocations */ diff --git a/intel/intel_decode.c b/intel/intel_decode.c index 5a4fc4a..015ef20 100644 --- a/intel/intel_decode.c +++ b/intel/intel_decode.c @@ -3907,6 +3907,8 @@ drm_intel_decode(struct drm_intel_decode *ctx) * checking in statically sized packets. */ temp = malloc(size + 4096); + if (!temp) + return; memcpy(temp, ctx->base_data, size); memset((char *)temp + size, 0xd0, 4096); ctx->data = temp; diff --git a/xf86drm.c b/xf86drm.c index df56f9e..8b206e3 100644 --- a/xf86drm.c +++ b/xf86drm.c @@ -194,6 +194,8 @@ drmHashEntry *drmGetEntry(int fd) if (drmHashTable && drmHashLookup(drmHashTable, key, &value)) { entry = drmMalloc(sizeof(*entry)); + if (!entry) + return NULL; entry->fd = fd; entry->f = NULL; entry->tagTable = drmHashCreate(); @@ -735,6 +737,8 @@ drmVersionPtr drmGetVersion(int fd) { drmVersionPtr retval; drm_version_t *version = drmMalloc(sizeof(*version)); + if (!version) + return NULL; version->name_len = 0; version->name = NULL; @@ -767,7 +771,9 @@ drmVersionPtr drmGetVersion(int fd) if (version->desc_len) version->desc[version->desc_len] = '\0'; retval = drmMalloc(sizeof(*retval)); - drmCopyVersion(retval, version); + if (retval) + drmCopyVersion(retval, version); + drmFreeKernelVersion(version); return retval; } @@ -789,6 +795,8 @@ drmVersionPtr drmGetVersion(int fd) drmVersionPtr drmGetLibVersion(int fd) { drm_version_t *version = drmMalloc(sizeof(*version)); + if (!version) + return NULL; /* Version history: * NOTE THIS MUST NOT GO ABOVE VERSION 1.X due to drivers needing it @@ -1190,14 +1198,25 @@ drmBufInfoPtr drmGetBufInfo(int fd) } retval = drmMalloc(sizeof(*retval)); + if (!retval) { + drmFree(info.list); + return NULL; + } + retval->count = info.count; retval->list = drmMalloc(info.count * sizeof(*retval->list)); - for (i = 0; i < info.count; i++) { - retval->list[i].count = info.list[i].count; - retval->list[i].size = info.list[i].size; - retval->list[i].low_mark = info.list[i].low_mark; - retval->list[i].high_mark = info.list[i].high_mark; + if (retval->list) { + for (i = 0; i < info.count; i++) { + retval->list[i].count = info.list[i].count; + retval->list[i].size = info.list[i].size; + retval->list[i].low_mark = info.list[i].low_mark; + retval->list[i].high_mark = info.list[i].high_mark; + } + } else { + drmFree(retval); + retval = NULL; } + drmFree(info.list); return retval; } @@ -1243,13 +1262,23 @@ drmBufMapPtr drmMapBufs(int fd) } retval = drmMalloc(sizeof(*retval)); + if (!retval) { + drmFree(bufs.list); + return NULL; + } + retval->count = bufs.count; retval->list = drmMalloc(bufs.count * sizeof(*retval->list)); - for (i = 0; i < bufs.count; i++) { - retval->list[i].idx = bufs.list[i].idx; - retval->list[i].total = bufs.list[i].total; - retval->list[i].used = 0; - retval->list[i].address = bufs.list[i].address; + if (retval->list) { + for (i = 0; i < bufs.count; i++) { + retval->list[i].idx = bufs.list[i].idx; + retval->list[i].total = bufs.list[i].total; + retval->list[i].used = 0; + retval->list[i].address = bufs.list[i].address; + } + } else { + drmFree(retval); + retval = NULL; } drmFree(bufs.list); @@ -2612,6 +2641,9 @@ int drmCSCIoctl(int fd, struct CSCCoeff_Matrix *CSC_Matrix) } pCSCCoeff = (struct csc_coeff *)malloc(sizeof(struct csc_coeff)); + if (!pCSCCoeff) + return -ENOMEM; + Calc_CSC_Param(CSC_Matrix, pCSCCoeff, devid); pCSCCoeff->crtc_id = CSC_Matrix->crtc_id; diff --git a/xf86drmHash.c b/xf86drmHash.c index 82cbc2a..56e9af3 100644 --- a/xf86drmHash.c +++ b/xf86drmHash.c @@ -70,6 +70,7 @@ #include #include +#include #define HASH_MAIN 0 @@ -79,6 +80,7 @@ #define HASH_MAGIC 0xdeadbeef #define HASH_DEBUG 0 +#define HASH_INVALID 0xffffffff /* A value that is out of bound */ #define HASH_SIZE 512 /* Good for about 100 entries */ /* If you change this value, you probably have to change the HashHash hashing @@ -137,6 +139,8 @@ static unsigned long HashHash(unsigned long key) if (!init) { HASH_RANDOM_DECL; HASH_RANDOM_INIT(37); + if (!state) + return HASH_INVALID; for (i = 0; i < 256; i++) scatter[i] = HASH_RANDOM; HASH_RANDOM_DESTROY; ++init; @@ -203,6 +207,9 @@ static HashBucketPtr HashFind(HashTablePtr table, if (h) *h = hash; + if (hash == HASH_INVALID) + return NULL; + for (bucket = table->buckets[hash]; bucket; bucket = bucket->next) { if (bucket->key == key) { if (prev) { @@ -244,6 +251,7 @@ int drmHashInsert(void *t, unsigned long key, void *value) if (table->magic != HASH_MAGIC) return -1; /* Bad magic */ if (HashFind(table, key, &hash)) return 1; /* Already in table */ + if (hash == HASH_INVALID) return -1; bucket = HASH_ALLOC(sizeof(*bucket)); if (!bucket) return -1; /* Error */ @@ -267,6 +275,7 @@ int drmHashDelete(void *t, unsigned long key) bucket = HashFind(table, key, &hash); + if (hash == HASH_INVALID) return -1; if (!bucket) return 1; /* Not found */ table->buckets[hash] = bucket->next; diff --git a/xf86drmSL.c b/xf86drmSL.c index 45f3906..00ae9f9 100644 --- a/xf86drmSL.c +++ b/xf86drmSL.c @@ -40,6 +40,7 @@ #include #include +#include #define SL_MAIN 0 @@ -124,6 +125,7 @@ static int SLRandomLevel(void) SL_RANDOM_DECL; SL_RANDOM_INIT(SL_RANDOM_SEED); + if (!state) return -ENOMEM; while ((SL_RANDOM & 0x01) && level < SL_MAX_LEVEL) ++level; return level;