From: Tuo Li
To: scott.branden@broadcom.com, bcm-kernel-feedback-list@broadcom.com, arnd@arndb.de, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, Tuo Li
Subject: [PATCH] misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
Date: Thu, 11 Dec 2025 14:36:37 +0800
Message-ID: <20251211063637.3987937-1-islituo@gmail.com>

In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences:

    struct vk_msg_blk tmp_msg = entry->to_h_msg[0];
    set_msg_id(&tmp_msg, entry->usr_msg_id);
    tmp_msg.size = entry->to_h_blks - 1;

To prevent these possible null-pointer dereferences, copy to_h_msg, usr_msg_id, and to_h_blks from iter into temporary variables, and return these temporary variables to the application instead of accessing them through a potentially NULL entry.

Signed-off-by: Tuo Li
---
 drivers/misc/bcm-vk/bcm_vk_msg.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/misc/bcm-vk/bcm_vk_msg.c b/drivers/misc/bcm-vk/bcm_vk_msg.c index 1f42d1d5a630..665a3888708a 100644 --- a/drivers/misc/bcm-vk/bcm_vk_msg.c +++ b/drivers/misc/bcm-vk/bcm_vk_msg.c @@ -1010,6 +1010,9 @@ ssize_t bcm_vk_read(struct file *p_file, struct device *dev = &vk->pdev->dev; struct bcm_vk_msg_chan *chan = &vk->to_h_msg_chan; struct bcm_vk_wkent *entry = NULL, *iter; + struct vk_msg_blk tmp_msg; + u32 tmp_usr_msg_id; + u32 tmp_blks; u32 q_num; u32 rsp_length; 
@@ -1034,6 +1037,9 @@ ssize_t bcm_vk_read(struct file *p_file, entry = iter; } else { /* buffer not big enough */ + tmp_msg = iter->to_h_msg[0]; + tmp_usr_msg_id = iter->usr_msg_id; + tmp_blks = iter->to_h_blks; rc = -EMSGSIZE; } goto read_loop_exit; @@ -1052,14 +1058,12 @@ ssize_t bcm_vk_read(struct file *p_file, bcm_vk_free_wkent(dev, entry); } else if (rc == -EMSGSIZE) { - struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; - /* * in this case, return just the first block, so * that app knows what size it is looking for. */ - set_msg_id(&tmp_msg, entry->usr_msg_id); - tmp_msg.size = entry->to_h_blks - 1; + set_msg_id(&tmp_msg, tmp_usr_msg_id); + tmp_msg.size = tmp_blks - 1; if (copy_to_user(buf, &tmp_msg, VK_MSGQ_BLK_SIZE) != 0) { dev_err(dev, "Error return 1st block in -EMSGSIZE\n"); rc = -EFAULT; -- 2.43.0
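Review bot: in the first hunk (the declarations at the top of bcm_vk_read()), the new locals `tmp_msg`, `tmp_usr_msg_id` and `tmp_blks` are declared uninitialised and are only assigned on the `-EMSGSIZE` path of the list walk, so their validity in the later `else if (rc == -EMSGSIZE)` branch rests on the coupling between `rc` and the `goto read_loop_exit`, which the compiler cannot see and which may draw a maybe-uninitialized warning from some toolchains. Consider initialising them at the declaration (`struct vk_msg_blk tmp_msg = {};`, `u32 tmp_usr_msg_id = 0;`, `u32 tmp_blks = 0;`) or adding a one-line comment that they are only meaningful when `rc == -EMSGSIZE`. Please also confirm that `u32` matches the declared types of `usr_msg_id` and `to_h_blks` in `struct bcm_vk_wkent`, so the copies are not silently narrowing.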
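Review bot: in the second hunk (the `/* buffer not big enough */` branch), taking the snapshot of `iter->to_h_msg[0]`, `iter->usr_msg_id` and `iter->to_h_blks` inside the list walk is the right place for it: unlike the branch just above that assigns `entry = iter`, this branch leaves `iter` where it is and only sets `rc`, so after `read_loop_exit` nothing in this function owns that work entry and a saved pointer to it would not be safe to use. Copying the three fields here is what makes the later use correct, and that reason is worth recording so the next reader does not simplify it back to a pointer, e.g. extend the comment to `/* buffer not big enough: snapshot what the app needs, iter stays queued */`.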
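Review bot: in the third hunk (the `else if (rc == -EMSGSIZE)` branch), replacing the `entry->to_h_msg[0]`, `entry->usr_msg_id` and `entry->to_h_blks` reads with `tmp_msg`, `tmp_usr_msg_id` and `tmp_blks` removes the dereference of a NULL `entry` that the description reports, and `tmp_msg.size = tmp_blks - 1` keeps the original arithmetic, so the code change looks right; the gap is in the commit message rather than the hunk. A fix for a NULL dereference that a userspace caller reaches by issuing a read() with a buffer smaller than the pending message should carry a `Fixes:` tag naming the commit that introduced these `entry->` accesses, and a `Cc: stable@vger.kernel.org` if it is intended for backporting, so the stable maintainers can pick it up.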