[syzbot] general protection fault in dma_fence_array_first
Pavel Skripkin
paskripkin at gmail.com
Tue Mar 29 22:02:36 UTC 2022
On 3/30/22 00:23, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 8515d05bf6bc Add linux-next specific files for 20220328
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1694e21b700000
> kernel config: https://syzkaller.appspot.com/x/.config?x=530c68bef4e2b8a8
> dashboard link: https://syzkaller.appspot.com/bug?extid=5c943fe38e86d615cac2
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1467313b700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=121b7cb9700000
>
> The issue was bisected to:
>
> commit 519f490db07e1a539490612f376487f61e48e39c
> Author: Christian König <christian.koenig at amd.com>
> Date: Fri Mar 11 09:32:26 2022 +0000
>
> dma-buf/sync-file: fix warning about fence containers
>
There is ZERO_PTR dereference caused by passing 0 to krealloc_array().
Code should not try to reduce allocated memory area if index is equal to 0
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
With regards,
Pavel Skripkin
-------------- next part --------------
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
index b8dea4ec123b..60cb4266e77f 100644
--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -264,7 +264,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a,
if (index == 0)
add_fence(fences, &index, dma_fence_get_stub());
- if (num_fences > index) {
+ if (index && num_fences > index) {
struct dma_fence **tmp;
/* Keep going even when reducing the size failed */
More information about the dri-devel
mailing list