drivers/gpu/vga: allocate vga_arb_write() buffer on stack
authorDmitry Vyukov <dvyukov@google.com>
Fri, 14 Oct 2016 13:22:22 +0000 (15:22 +0200)
committerDaniel Vetter <daniel.vetter@ffwll.ch>
Mon, 17 Oct 2016 06:21:14 +0000 (08:21 +0200)
The size of the kmalloc() in vga_arb_write() is controlled by the user.
A kmalloc() size that is too large triggers a WARNING message on the console.
Allocate the buffer on the stack to avoid the WARNING.
The string must be small (e.g. "target PCI:domain:bus:dev.fn").

Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: dri-devel@lists.freedesktop.org
Cc: syzkaller@googlegroups.com
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1476451342-146510-1-git-send-email-dvyukov@google.com
drivers/gpu/vga/vgaarb.c

index 1887f19..77657a8 100644 (file)
@@ -1022,21 +1022,16 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf,
 
        unsigned int io_state;
 
-       char *kbuf, *curr_pos;
+       char kbuf[64], *curr_pos;
        size_t remaining = count;
 
        int ret_val;
        int i;
 
-
-       kbuf = kmalloc(count + 1, GFP_KERNEL);
-       if (!kbuf)
-               return -ENOMEM;
-
-       if (copy_from_user(kbuf, buf, count)) {
-               kfree(kbuf);
+       if (count >= sizeof(kbuf))
+               return -EINVAL;
+       if (copy_from_user(kbuf, buf, count))
                return -EFAULT;
-       }
        curr_pos = kbuf;
        kbuf[count] = '\0';     /* Just to make sure... */
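Review bot: The bare `64` in `char kbuf[64]` and the `>=` in `if (count >= sizeof(kbuf))` carry a bounds invariant that is not written down: the later `kbuf[count] = '\0';` stays inside the stack buffer only because `count` is capped at `sizeof(kbuf) - 1`. I would put a comment above the check, such as `/* count must stay < sizeof(kbuf): kbuf[count] receives the NUL terminator below */`, and replace the vague `/* Just to make sure... */` with one saying the terminator is required by the string parsing that follows. That way a later edit relaxing the test to `>` is recognisable as a one-byte stack overwrite. A short comment on where 64 comes from (the longest protocol command, per the commit message) would also help, since writes of 64 bytes or more that the kmalloc() version accepted now fail with -EINVAL. The body of vga_arb_write() starts before this hunk and continues past it, so how `curr_pos` and `remaining` are used afterwards is not visible here.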
 
@@ -1259,11 +1254,9 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf,
                goto done;
        }
        /* If we got here, the message written is not part of the protocol! */
-       kfree(kbuf);
        return -EPROTO;
 
 done:
-       kfree(kbuf);
        return ret_val;
 }