[Devel] [PATCH RHEL7 COMMIT] ms/drivers/gpu/vga: allocate vga_arb_write() buffer on stack

Konstantin Khorenko khorenko at virtuozzo.com
Wed Dec 19 14:30:27 MSK 2018


The commit is pushed to "branch-rh7-3.10.0-957.1.3.vz7.83.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-957.1.3.vz7.83.4
------>
commit 2f61541f0741834d08dbccbbbf48bc0697b4b5d0
Author: Dmitry Vyukov <dvyukov at google.com>
Date:   Fri Oct 14 15:22:22 2016 +0200

    ms/drivers/gpu/vga: allocate vga_arb_write() buffer on stack
    
    Size of kmalloc() in vga_arb_write() is controlled by user.
    Too large kmalloc() size triggers WARNING message on console.
    Allocate the buffer on stack to avoid the WARNING.
    The string must be small (e.g "target PCI:domain:bus:dev.fn").
    
    Signed-off-by: Dmitry Vyukov <dvyukov at google.com>
    Reviewed-by: Ville Syrjälä <ville.syrjala at linux.intel.com>
    Cc: Dave Airlie <airlied at gmail.com>
    Cc: Ville Syrjälä <ville.syrjala at linux.intel.com>
    Cc: dri-devel at lists.freedesktop.org
    Cc: syzkaller at googlegroups.com
    Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
    Link: http://patchwork.freedesktop.org/patch/msgid/1476451342-146510-1-git-send-email-dvyukov@google.com
    
    https://jira.sw.ru/browse/PSBM-90315
    
    (cherry picked from commit 49521b13cbc02aff9ac1fff8d425055cc86cef08)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 drivers/gpu/vga/vgaarb.c | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c
index e893f6e1937d..ee68884e6030 100644
--- a/drivers/gpu/vga/vgaarb.c
+++ b/drivers/gpu/vga/vgaarb.c
@@ -916,21 +916,16 @@ static ssize_t vga_arb_write(struct file *file, const char __user * buf,
 
 	unsigned int io_state;
 
-	char *kbuf, *curr_pos;
+	char kbuf[64], *curr_pos;
 	size_t remaining = count;
 
 	int ret_val;
 	int i;
 
-
-	kbuf = kmalloc(count + 1, GFP_KERNEL);
-	if (!kbuf)
-		return -ENOMEM;
-
-	if (copy_from_user(kbuf, buf, count)) {
-		kfree(kbuf);
+	if (count >= sizeof(kbuf))
+		return -EINVAL;
+	if (copy_from_user(kbuf, buf, count))
 		return -EFAULT;
-	}
 	curr_pos = kbuf;
 	kbuf[count] = '\0';	/* Just to make sure... */
 
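Review bot: `char kbuf[64]` in the declaration introduces an unexplained size, and the `count >= sizeof(kbuf)` check turns it into a userspace-visible limit: writes of 64 bytes or more now fail with -EINVAL, where the old code allocated `count + 1` bytes and went on to parse them. The commit message only says the string must be small, so a short comment above the array stating the longest command the protocol accepts (or a named constant) would let a reader confirm that 64 is enough. The `>=` comparison itself is right, since it keeps `kbuf[count] = '\0'` inside the array.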
@@ -1150,11 +1145,9 @@ static ssize_t vga_arb_write(struct file *file, const char __user * buf,
 		goto done;
 	}
 	/* If we got here, the message written is not part of the protocol! */
-	kfree(kbuf);
 	return -EPROTO;
 
 done:
-	kfree(kbuf);
 	return ret_val;
 }
 
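Review bot: both `kfree(kbuf)` removals here, before `return -EPROTO` and under `done:`, are required now that kbuf is a stack array, but the roughly 200 lines of vga_arb_write() between the two hunks are not shown, and a leftover `kfree(kbuf)` there would still compile and would free a stack address. Worth confirming with a grep of the function that none remains. With the free gone, `done:` only returns ret_val; leaving the label in place keeps the cherry-pick in line with the upstream commit, which seems the right trade-off.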