diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index e35126a35093..1fad76289e66 100644 --- a/drivers/gpu/drm/drm_ioctl.c +++ b/drivers/gpu/drm/drm_ioctl.c @@ -92,7 +92,8 @@ int drm_setunique(struct drm_device *dev, void *data, return -EINVAL; master->unique_len = u->unique_len; - master->unique = drm_alloc(u->unique_len + 1, DRM_MEM_DRIVER); + master->unique_size = u->unique_len + 1; + master->unique = drm_alloc(master->unique_size, DRM_MEM_DRIVER); if (!master->unique) return -ENOMEM; if (copy_from_user(master->unique, u->unique, master->unique_len)) @@ -136,7 +137,8 @@ static int drm_set_busid(struct drm_device *dev, struct drm_file *file_priv) return -EBUSY; master->unique_len = 40; - master->unique = drm_alloc(master->unique_len + 1, DRM_MEM_DRIVER); + master->unique_size = master->unique_len; + master->unique = drm_alloc(master->unique_size, DRM_MEM_DRIVER); if (master->unique == NULL) return -ENOMEM; @@ -145,8 +147,10 @@ static int drm_set_busid(struct drm_device *dev, struct drm_file *file_priv) dev->pdev->bus->number, PCI_SLOT(dev->pdev->devfn), PCI_FUNC(dev->pdev->devfn)); - if (len > master->unique_len) + if (len >= master->unique_len) DRM_ERROR("buffer overflow"); + else + master->unique_len = len; dev->devname = drm_alloc(strlen(dev->driver->pci_driver.name) + master->unique_len + diff --git a/drivers/gpu/drm/drm_stub.c b/drivers/gpu/drm/drm_stub.c index 0f24c2dcd517..f7985c303cb0 100644 --- a/drivers/gpu/drm/drm_stub.c +++ b/drivers/gpu/drm/drm_stub.c @@ -117,7 +117,7 @@ static void drm_master_destroy(struct kref *kref) dev->driver->master_destroy(dev, master); if (master->unique) { - drm_free(master->unique, strlen(master->unique) + 1, DRM_MEM_DRIVER); + drm_free(master->unique, master->unique_size, DRM_MEM_DRIVER); master->unique = NULL; master->unique_len = 0; } diff --git a/include/drm/drmP.h b/include/drm/drmP.h index 4c6e8298b424..c9cc618dbcfc 100644 --- a/include/drm/drmP.h +++ b/include/drm/drmP.h @@ -627,6 +627,7 @@ struct drm_master { char *unique; /**< Unique identifier: e.g., busid */ int unique_len; /**< Length of unique field */ + int unique_size; /**< amount allocated */ int blocked; /**< Blocked due to VC switch? */