projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| fe504f71 SL |
1 | From 33d0109a07cef52373ec35ff88ce20173182ea6c Mon Sep 17 00:00:00 2001 |
| 2 | From: Sasha Levin <sashal@kernel.org> | |
| 3 | Date: Wed, 20 Mar 2024 04:15:23 +0500 | |
| 4 | Subject: dma-buf: Fix NULL pointer dereference in sanitycheck() | |
| 5 | MIME-Version: 1.0 | |
| 6 | Content-Type: text/plain; charset=UTF-8 | |
| 7 | Content-Transfer-Encoding: 8bit | |
| 8 | ||
| 9 | From: Pavel Sakharov <p.sakharov@ispras.ru> | |
| 10 | ||
| 11 | [ Upstream commit 2295bd846765c766701e666ed2e4b35396be25e6 ] | |
| 12 | ||
| 13 | If due to a memory allocation failure mock_chain() returns NULL, it is | |
| 14 | passed to dma_fence_enable_sw_signaling() resulting in NULL pointer | |
| 15 | dereference there. | |
| 16 | ||
| 17 | Call dma_fence_enable_sw_signaling() only if mock_chain() succeeds. | |
| 18 | ||
| 19 | Found by Linux Verification Center (linuxtesting.org) with SVACE. | |
| 20 | ||
| 21 | Fixes: d62c43a953ce ("dma-buf: Enable signaling on fence for selftests") | |
| 22 | Signed-off-by: Pavel Sakharov <p.sakharov@ispras.ru> | |
| 23 | Reviewed-by: Christian König <christian.koenig@amd.com> | |
| 24 | Signed-off-by: Christian König <christian.koenig@amd.com> | |
| 25 | Link: https://patchwork.freedesktop.org/patch/msgid/20240319231527.1821372-1-p.sakharov@ispras.ru | |
| 26 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
| 27 | --- | |
| 28 | drivers/dma-buf/st-dma-fence-chain.c | 6 +++--- | |
| 29 | 1 file changed, 3 insertions(+), 3 deletions(-) | |
| 30 | ||
| 31 | diff --git a/drivers/dma-buf/st-dma-fence-chain.c b/drivers/dma-buf/st-dma-fence-chain.c | |
| 32 | index 0a9b099d05187..d90479d830fc3 100644 | |
| 33 | --- a/drivers/dma-buf/st-dma-fence-chain.c | |
| 34 | +++ b/drivers/dma-buf/st-dma-fence-chain.c | |
| 35 | @@ -84,11 +84,11 @@ static int sanitycheck(void *arg) | |
| 36 | return -ENOMEM; | |
| 37 | ||
| 38 | chain = mock_chain(NULL, f, 1); | |
| 39 | - if (!chain) | |
| 40 | + if (chain) | |
| 41 | + dma_fence_enable_sw_signaling(chain); | |
| 42 | + else | |
| 43 | err = -ENOMEM; | |
| 44 | ||
| 45 | - dma_fence_enable_sw_signaling(chain); | |
| 46 | - | |
| 47 | dma_fence_signal(f); | |
| 48 | dma_fence_put(f); | |
| 49 | ||
| 50 | -- | |
| 51 | 2.43.0 | |
| 52 |