| Message ID | 20220401213114.11956-1-paskripkin@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [next,v2] dma-buf/sync-file: do not allow zero size allocation | expand |
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c index b8dea4ec123b..024f22193e0c 100644 --- a/drivers/dma-buf/sync_file.c +++ b/drivers/dma-buf/sync_file.c @@ -212,7 +212,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a, dma_fence_unwrap_for_each(b_fence, &b_iter, b->fence) ++num_fences; - if (num_fences > INT_MAX) + if (num_fences > INT_MAX || !num_fences) goto err_free_sync_file; fences = kcalloc(num_fences, sizeof(*fences), GFP_KERNEL);
num_fences is user-controlled value and it can be equal to 0. Code should not pass 0 to kcalloc(), since it will cause kcalloc() to return ZERO_PTR. ZERO_PTR will pass `!fences` check and kernel will panic because of dereferencing ZERO_PTR in add_fence() Fix it by validating num_fences and bail out early if it is equal to 0 Fixes: 519f490db07e ("dma-buf/sync-file: fix warning about fence containers") Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> --- Changes since v1: - Dropped already merged part - Removed syzkaller's tag --- drivers/dma-buf/sync_file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)