Message-ID: <CACSVV02vOhbW9U-9ZAT3QAh8ZKqr1vyO0sQY7CDRAGrwM997NA@mail.gmail.com>
Date: Wed, 12 Nov 2025 06:00:37 -0800
From: Rob Clark <rob.clark@....qualcomm.com>
To: Huiwen He <hehuiwen@...inos.cn>
Cc: Dmitry Baryshkov <lumag@...nel.org>, David Airlie <airlied@...il.com>,
linux-arm-msm@...r.kernel.org, dri-devel@...ts.freedesktop.org,
freedreno@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drm/msm: Fix NULL pointer dereference in crashstate_get_vm_logs()
On Mon, Oct 20, 2025 at 4:37 AM Huiwen He <hehuiwen@...inos.cn> wrote:
>
> crashstate_get_vm_logs() did not check the result of kmalloc_array()
> before using state->vm_logs. In low memory situations, kmalloc_array()
> may fail and return NULL, leading to a kernel crash when the array
> is accessed in the subsequent loop.
>
> Fix this by checking the return value of kmalloc_array(). If allocation
> fails, set state->nr_vm_logs to 0, and exit the function safely.
>
> Fixes: 9edc52967cc7 ("drm/msm: Add VM logging for VM_BIND updates")
> Signed-off-by: Huiwen He <hehuiwen@...inos.cn>
> ---
> drivers/gpu/drm/msm/msm_gpu.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c
> index 17759abc46d7..51df6ff945d2 100644
> --- a/drivers/gpu/drm/msm/msm_gpu.c
> +++ b/drivers/gpu/drm/msm/msm_gpu.c
> @@ -348,6 +348,12 @@ static void crashstate_get_vm_logs(struct msm_gpu_state *state, struct msm_gem_v
>
> state->vm_logs = kmalloc_array(
> state->nr_vm_logs, sizeof(vm->log[0]), GFP_KERNEL);
> + if (!state->vm_logs) {
> + state->nr_vm_logs = 0;
> + mutex_unlock(&vm->mmu_lock);
> + return;
You could simplify this by just setting state->nr_vm_logs to zero and
dropping the other two lines
BR,
-R
> + }
> +
> for (int i = 0; i < state->nr_vm_logs; i++) {
> int idx = (i + first) & vm_log_mask;
>
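Review bot: The `mutex_unlock(&vm->mmu_lock); return;` pair added after the `kmalloc_array()` check opens a second exit path that this hunk does not need: the loop that follows, `for (int i = 0; i < state->nr_vm_logs; i++)`, is bounded by `state->nr_vm_logs`, so once that is set to 0 the loop body is never entered and the function can fall through to its existing unlock, keeping lock release in one place; the hunk does not show that existing exit, so confirm it releases `mmu_lock` before accepting the simplification. Zeroing `nr_vm_logs` on failure is the part that matters and should stay: with `state->vm_logs` left NULL, any later consumer that walks `vm_logs` for `nr_vm_logs` entries sees zero entries and never dereferences the NULL pointer.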
> --
> 2.43.0
>
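Added example, not code from the msm driver, the patch author or Rob Clark: a userspace C model of the pattern the thread converges on. A ring log is snapshotted into a crash state with the same `(i + first) & mask` indexing as the hunk; the allocator is a hypothetical `model_alloc_array()` with a fault-injection flag standing in for `kmalloc_array()` failing under memory pressure. Names, the entry layout and `LOG_SIZE` are assumptions. It short-circuits an empty log before allocating, because `calloc(0, ...)` may legally return NULL; in the kernel, `kmalloc_array(0, ...)` returns `ZERO_SIZE_PTR` instead, so the NULL check there fires only on a genuine failure.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define LOG_SIZE 8                 /* assumed power of two, so "& LOG_MASK" is a cheap modulo */
#define LOG_MASK (LOG_SIZE - 1)

struct log_entry {                 /* hypothetical entry layout, not the driver's */
    uint64_t iova;
    uint32_t op;
};

struct vm_model {                  /* stands in for the VM's ring log */
    struct log_entry log[LOG_SIZE];
    unsigned int log_idx;          /* entries ever written; next slot is log_idx & LOG_MASK */
};

struct crash_state {
    struct log_entry *vm_logs;
    unsigned int nr_vm_logs;
};

/* Fault-injection hook standing in for kmalloc_array() failing under memory pressure. */
static bool fail_next_alloc;

static void *model_alloc_array(size_t n, size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = false;
        return NULL;
    }
    return calloc(n, size);
}

static void vm_log_push(struct vm_model *vm, uint64_t iova, uint32_t op)
{
    struct log_entry *e = &vm->log[vm->log_idx & LOG_MASK];

    e->iova = iova;
    e->op = op;
    vm->log_idx++;
}

/*
 * Snapshot the most recent ring entries, oldest first, into the crash state.
 * Returns the number captured. On allocation failure nr_vm_logs is zeroed and
 * vm_logs stays NULL, so the copy loop below and any consumer that walks
 * nr_vm_logs entries never dereference the NULL array.
 */
static unsigned int crashstate_get_vm_logs(struct crash_state *state, const struct vm_model *vm)
{
    unsigned int nr, first;

    if (vm->log_idx < LOG_SIZE) {
        nr = vm->log_idx;
        first = 0;
    } else {
        nr = LOG_SIZE;
        first = vm->log_idx & LOG_MASK;   /* slot holding the oldest surviving entry */
    }

    state->vm_logs = NULL;
    state->nr_vm_logs = nr;
    if (!nr)
        return 0;                         /* empty log: no allocation, no entries */

    state->vm_logs = model_alloc_array(nr, sizeof(vm->log[0]));
    if (!state->vm_logs) {
        state->nr_vm_logs = 0;            /* the one line that matters on failure */
        return 0;
    }

    for (unsigned int i = 0; i < state->nr_vm_logs; i++) {
        unsigned int idx = (i + first) & LOG_MASK;

        state->vm_logs[i] = vm->log[idx];
    }
    return state->nr_vm_logs;
}

/* A consumer of the snapshot: safe on the failure path because nr_vm_logs is 0. */
static unsigned int crashstate_count_op(const struct crash_state *state, uint32_t op)
{
    unsigned int n = 0;

    for (unsigned int i = 0; i < state->nr_vm_logs; i++)
        if (state->vm_logs[i].op == op)
            n++;
    return n;
}

static void crashstate_free(struct crash_state *state)
{
    free(state->vm_logs);                 /* free(NULL) is a no-op, like kfree(NULL) */
    state->vm_logs = NULL;
    state->nr_vm_logs = 0;
}

int main(void)
{
    struct vm_model vm = {0};
    struct crash_state st;

    for (uint64_t i = 1; i <= 11; i++)    /* 11 pushes into 8 slots: the ring wraps */
        vm_log_push(&vm, i << 12, i & 1);

    fail_next_alloc = true;
    printf("captured under alloc failure: %u, op-1 entries: %u\n",
           crashstate_get_vm_logs(&st, &vm), crashstate_count_op(&st, 1));
    crashstate_free(&st);

    printf("captured normally: %u, op-1 entries: %u\n",
           crashstate_get_vm_logs(&st, &vm), crashstate_count_op(&st, 1));
    crashstate_free(&st);
    return 0;
}
```

Running it shows the failure path capturing zero entries and the consumer returning 0 without touching the NULL array, then the normal path capturing the eight newest entries in write order.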