From: Pavel Skripkin <paskripkin@gmail.com>
To: sumit.semwal@linaro.org, gustavo@padovan.org,
christian.koenig@amd.com, daniel.vetter@ffwll.ch
Cc: linaro-mm-sig@lists.linaro.org,
Pavel Skripkin <paskripkin@gmail.com>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-media@vger.kernel.org
Subject: [PATCH next v2] dma-buf/sync-file: do not allow zero size allocation
Date: Sat, 2 Apr 2022 00:31:14 +0300 [thread overview]
Message-ID: <20220401213114.11956-1-paskripkin@gmail.com> (raw)
In-Reply-To: <2d1f9ba9-ea2a-e41c-eae6-0ba348cdf202@gmail.com>
num_fences is user-controlled value and it can be equal to 0. Code
should not pass 0 to kcalloc(), since it will cause kcalloc() to return
ZERO_PTR. ZERO_PTR will pass `!fences` check and kernel will panic
because of dereferencing ZERO_PTR in add_fence()
Fix it by validating num_fences and bail out early if it is equal to 0
Fixes: 519f490db07e ("dma-buf/sync-file: fix warning about fence containers")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
Changes since v1:
- Dropped already merged part
- Removed syzkaller's tag
---
drivers/dma-buf/sync_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
index b8dea4ec123b..024f22193e0c 100644
--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -212,7 +212,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a,
dma_fence_unwrap_for_each(b_fence, &b_iter, b->fence)
++num_fences;
- if (num_fences > INT_MAX)
+ if (num_fences > INT_MAX || !num_fences)
goto err_free_sync_file;
fences = kcalloc(num_fences, sizeof(*fences), GFP_KERNEL);
--
2.35.1
WARNING: multiple messages have this Message-ID (diff)
From: Pavel Skripkin <paskripkin@gmail.com>
To: sumit.semwal@linaro.org, gustavo@padovan.org,
christian.koenig@amd.com, daniel.vetter@ffwll.ch
Cc: linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org,
Pavel Skripkin <paskripkin@gmail.com>
Subject: [PATCH next v2] dma-buf/sync-file: do not allow zero size allocation
Date: Sat, 2 Apr 2022 00:31:14 +0300 [thread overview]
Message-ID: <20220401213114.11956-1-paskripkin@gmail.com> (raw)
In-Reply-To: <2d1f9ba9-ea2a-e41c-eae6-0ba348cdf202@gmail.com>
num_fences is user-controlled value and it can be equal to 0. Code
should not pass 0 to kcalloc(), since it will cause kcalloc() to return
ZERO_PTR. ZERO_PTR will pass `!fences` check and kernel will panic
because of dereferencing ZERO_PTR in add_fence()
Fix it by validating num_fences and bail out early if it is equal to 0
Fixes: 519f490db07e ("dma-buf/sync-file: fix warning about fence containers")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
Changes since v1:
- Dropped already merged part
- Removed syzkaller's tag
---
drivers/dma-buf/sync_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
index b8dea4ec123b..024f22193e0c 100644
--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -212,7 +212,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a,
dma_fence_unwrap_for_each(b_fence, &b_iter, b->fence)
++num_fences;
- if (num_fences > INT_MAX)
+ if (num_fences > INT_MAX || !num_fences)
goto err_free_sync_file;
fences = kcalloc(num_fences, sizeof(*fences), GFP_KERNEL);
--
2.35.1
next prev parent reply other threads:[~2022-04-01 21:31 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-29 22:14 [PATCH next] dma-buf/sync-file: do not allow zero size allocations Pavel Skripkin
2022-03-29 22:14 ` Pavel Skripkin
2022-03-30 7:09 ` [Linaro-mm-sig] " Christian König
2022-03-30 7:09 ` Christian König
2022-03-30 18:24 ` Pavel Skripkin
2022-03-30 18:24 ` Pavel Skripkin
2022-03-31 6:23 ` Christian König
2022-03-31 6:23 ` Christian König
2022-04-01 21:31 ` Pavel Skripkin [this message]
2022-04-01 21:31 ` [PATCH next v2] dma-buf/sync-file: do not allow zero size allocation Pavel Skripkin
2022-04-03 15:05 ` Christian König
2022-04-03 15:05 ` Christian König
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220401213114.11956-1-paskripkin@gmail.com \
--to=paskripkin@gmail.com \
--cc=christian.koenig@amd.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=gustavo@padovan.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=sumit.semwal@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.