[PATCH 54/55] drivers: hv: dxgkrnl: Fix crash at hmgrtable_free_handle

Eric Curtin posted 55 patches 2 weeks, 3 days ago
Posted by Eric Curtin 2 weeks, 3 days ago
From: Hideyuki Nagase <hideyukn@microsoft.com>

Fix a potential NULL pointer crash in hmgrtable_free_handle() when
free_handle_list_tail is HMGRTABLE_INVALID_INDEX. Guard the entry
dereference with a bounds check before writing the next_free_index.

Signed-off-by: Hideyuki Nagase <hideyukn@microsoft.com>
---
 drivers/hv/dxgkrnl/hmgr.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/hv/dxgkrnl/hmgr.c b/drivers/hv/dxgkrnl/hmgr.c
index 24101d0091ab..059f94307a0e 100644
--- a/drivers/hv/dxgkrnl/hmgr.c
+++ b/drivers/hv/dxgkrnl/hmgr.c
@@ -462,9 +462,14 @@ void hmgrtable_free_handle(struct hmgrtable *table, enum hmgrentry_type t,
 		 */
 		entry->next_free_index = HMGRTABLE_INVALID_INDEX;
 		entry->prev_free_index = table->free_handle_list_tail;
-		entry = &table->entry_table[table->free_handle_list_tail];
-		entry->next_free_index = i;
+		if (table->free_handle_list_tail != HMGRTABLE_INVALID_INDEX) {
+			entry = &table->entry_table[table->free_handle_list_tail];
+			entry->next_free_index = i;
+		}
 		table->free_handle_list_tail = i;
+		if (table->free_handle_list_head == HMGRTABLE_INVALID_INDEX) {
+			table->free_handle_list_head = i;
+		}
 	} else {
 		DXG_ERR("Invalid handle to free: %d %x", i, h.v);
 	}
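Review bot: The new guard on free_handle_list_tail only compares against the HMGRTABLE_INVALID_INDEX sentinel, so it is not the "bounds check" the commit message describes. Any other out-of-range tail value would still index entry_table and write next_free_index through it. Either reword the message to say the empty-list case is now handled, or also validate the tail against the table's size before the dereference. The message also calls this a NULL pointer crash, but the removed lines show an array access at the sentinel index, which is an out-of-bounds write rather than a NULL dereference; stating that would help anyone triaging the bug. The two new conditions are tested independently: if the list is empty, both head and tail should be invalid, so the head update could be the else branch of the tail check, which makes the invariant explicit. As written, a table with an invalid tail but a valid head is silently accepted. Finally, `if (table->free_handle_list_head == HMGRTABLE_INVALID_INDEX) {` wraps a single statement, and kernel coding style omits the braces there.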