From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Yasuaki Torimaru, Rob Clark
Subject: [PATCH 6.12 065/144] drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()
Date: Fri, 15 May 2026 17:48:11 +0200
Message-ID: <20260515154655.053764690@linuxfoundation.org>
In-Reply-To: <20260515154653.469907118@linuxfoundation.org>
References: <20260515154653.469907118@linuxfoundation.org>

6.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: Yasuaki Torimaru

commit 47cbfe2608314b833ad61a65827d8fb363bc2d2d upstream.

msm_ioctl_gem_info_get_metadata() always returns 0 regardless of
errors. When copy_to_user() fails or the user buffer is too small,
the error code stored in ret is ignored because the function
unconditionally returns 0. This causes userspace to believe the ioctl
succeeded when it did not.

Additionally, kmemdup() can return NULL on allocation failure, but
the return value is not checked. This leads to a NULL pointer
dereference in the subsequent copy_to_user() call.

Add the missing NULL check for kmemdup() and return ret instead of 0.

Note that the SET counterpart (msm_ioctl_gem_info_set_metadata)
correctly returns ret.

Fixes: 9902cb999e4e ("drm/msm/gem: Add metadata")
Cc: stable@vger.kernel.org
Signed-off-by: Yasuaki Torimaru
Patchwork: https://patchwork.freedesktop.org/patch/714478/
Message-ID: <20260325114635.383241-1-yasuakitorimaru@gmail.com>
Signed-off-by: Rob Clark
Signed-off-by: Greg Kroah-Hartman
---
 drivers/gpu/drm/msm/msm_drv.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -616,6 +616,11 @@ static int msm_ioctl_gem_info_get_metada len = msm_obj->metadata_size; buf = kmemdup(msm_obj->metadata, len, GFP_KERNEL); + if (!buf) { + msm_gem_unlock(obj); + return -ENOMEM; + } + msm_gem_unlock(obj); if (*metadata_size < len) { @@ -628,7 +633,7 @@ static int msm_ioctl_gem_info_get_metada kfree(buf); - return 0; + return ret; } static int msm_ioctl_gem_info(struct drm_device *dev, void *data,
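
Review bot: the new error branch in the first hunk (@@ -616,6 +616,11 @@) duplicates msm_gem_unlock(obj) directly above the existing unlock call. Nothing between kmemdup() and that existing msm_gem_unlock(obj) uses buf, so the check could be placed after the unlock as a plain "if (!buf) return -ENOMEM;". That keeps a single unlock site and leaves less room for a later edit to unbalance the lock.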
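
Review bot: with "return ret;" in the second hunk (@@ -628,7 +633,7 @@), the success path returns whatever ret holds when neither error branch was taken, and the visible context does not show where ret was last assigned. Please confirm that ret is 0 at that point so a successful copy cannot return a stale non-zero value; a short remark in the commit message would make this easy to verify in stable review. Note also that this is a userspace-visible change: per the commit message, a too-small buffer or a failed copy_to_user() used to return 0 and will now return an error, so callers that ignored the old result will start seeing failures.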