| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251020113708.7403-1-hehuiwen@kylinos.cn>
Date: Mon, 20 Oct 2025 19:37:08 +0800
From: Huiwen He <hehuiwen@...inos.cn>
To: Rob Clark <robin.clark@....qualcomm.com>
Cc: Dmitry Baryshkov <lumag@...nel.org>,
David Airlie <airlied@...il.com>,
linux-arm-msm@...r.kernel.org,
dri-devel@...ts.freedesktop.org,
freedreno@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
Huiwen He <hehuiwen@...inos.cn>
Subject: [PATCH] drm/msm: Fix NULL pointer dereference in crashstate_get_vm_logs()
crashstate_get_vm_logs() did not check the result of kmalloc_array()
before using state->vm_logs. In low memory situations, kmalloc_array()
may fail and return NULL, leading to a kernel crash when the array
is accessed in the subsequent loop.
Fix this by checking the return value of kmalloc_array(). If allocation
fails, set state->nr_vm_logs to 0, and exit the function safely.
Fixes: 9edc52967cc7 ("drm/msm: Add VM logging for VM_BIND updates")
Signed-off-by: Huiwen He <hehuiwen@...inos.cn>
---
drivers/gpu/drm/msm/msm_gpu.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c
index 17759abc46d7..51df6ff945d2 100644
--- a/drivers/gpu/drm/msm/msm_gpu.c
+++ b/drivers/gpu/drm/msm/msm_gpu.c
@@ -348,6 +348,12 @@ static void crashstate_get_vm_logs(struct msm_gpu_state *state, struct msm_gem_v
state->vm_logs = kmalloc_array(
state->nr_vm_logs, sizeof(vm->log[0]), GFP_KERNEL);
+ if (!state->vm_logs) {
+ state->nr_vm_logs = 0;
+ mutex_unlock(&vm->mmu_lock);
+ return;
+ }
+
for (int i = 0; i < state->nr_vm_logs; i++) {
int idx = (i + first) & vm_log_mask;
--
2.43.0
Powered by blists - more mailing lists