[syzbot] general protection fault in dma_fence_array_first

Pavel Skripkin paskripkin at gmail.com
Tue Mar 29 22:02:36 UTC 2022


On 3/30/22 00:23, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    8515d05bf6bc Add linux-next specific files for 20220328
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1694e21b700000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=530c68bef4e2b8a8
> dashboard link: https://syzkaller.appspot.com/bug?extid=5c943fe38e86d615cac2
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1467313b700000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=121b7cb9700000
> 
> The issue was bisected to:
> 
> commit 519f490db07e1a539490612f376487f61e48e39c
> Author: Christian König <christian.koenig at amd.com>
> Date:   Fri Mar 11 09:32:26 2022 +0000
> 
>      dma-buf/sync-file: fix warning about fence containers
> 

There is ZERO_PTR dereference caused by passing 0 to krealloc_array(). 
Code should not try to reduce allocated memory area if index is equal to 0

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master




With regards,
Pavel Skripkin
-------------- next part --------------
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
index b8dea4ec123b..60cb4266e77f 100644
--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -264,7 +264,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a,
 	if (index == 0)
 		add_fence(fences, &index, dma_fence_get_stub());
 
-	if (num_fences > index) {
+	if (index && num_fences > index) {
 		struct dma_fence **tmp;
 
 		/* Keep going even when reducing the size failed */


More information about the dri-devel mailing list