From 31f41ea18622ec2b87a950ef8263f5ddf389a4cc Mon Sep 17 00:00:00 2001
From: Yash Bhatt
Date: Tue, 11 Jun 2024 06:36:50 +0000
Subject: [PATCH] video: tegra: nvmap: Fix null error pointer dereference.
In function nvmap_ioctl_get_fd_from_list, the return pointer from nvmap_handle_get_from_id is being dereferenced without checking if it is valid. This is causing a kernel panic crash in syzkaller. Fix this by checking whether the pointer is valid or not before dereferencing it.
Bug 4479038
Change-Id: Ia65341e9eb12873e660baae44d28966e71317377
Signed-off-by: Yash Bhatt
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3154940
Reviewed-by: mobile promotions
Tested-by: mobile promotions
---
 drivers/video/tegra/nvmap/nvmap_ioctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/video/tegra/nvmap/nvmap_ioctl.c b/drivers/video/tegra/nvmap/nvmap_ioctl.c
index 7a6db822..908157ea 100644
--- a/drivers/video/tegra/nvmap/nvmap_ioctl.c
+++ b/drivers/video/tegra/nvmap/nvmap_ioctl.c
@@ -1539,15 +1539,15 @@ int nvmap_ioctl_get_fd_from_list(struct file *filp, void __user *arg)
 for (i = 0; i < op.num_handles; i++) {
 hs[i] = nvmap_handle_get_from_id(client, hndls[i]);
- tot_hs_size += hs[i]->size;
 if (IS_ERR_OR_NULL(hs[i])) {
 pr_err("invalid handle_ptr[%d] = %u\n", i, hndls[i]);
- while (i--)
+ while (--i >= 0)
 nvmap_handle_put(hs[i]);
 err = -EINVAL;
 goto free_mem;
 }
+ tot_hs_size += hs[i]->size;
 }
 /* Add check for sizes of all the handles should be > offs and size */
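Review bot: The rewritten unwind loop `while (--i >= 0)` terminates only if `i` is a signed type; its declaration is outside the hunk (the `%d` in the `pr_err` suggests `int`), and with an unsigned counter the condition is always true, so the loop would index `hs[]` out of bounds. The removed `while (i--)` already released `hs[i-1]` down to `hs[0]` for either signedness, so keeping it is the more robust form. Separately, `tot_hs_size += hs[i]->size` sums sizes over a caller-supplied `op.num_handles` with no overflow guard visible here, and the comment below it indicates the total feeds a check against offs and size. If the accumulator can wrap, consider `if (check_add_overflow(tot_hs_size, hs[i]->size, &tot_hs_size))` and fail with `-EINVAL` after releasing the handles taken so far, including `hs[i]`. The function body starts and ends outside the hunk, so the types of `i` and `tot_hs_size` need confirming there.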