From: Muhammad Bilal
To: tomeu@tomeuvizoso.net
Cc: ogabbay@kernel.org, jeff.hugo@oss.qualcomm.com, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muhammad Bilal
Subject: [PATCH] accel/rocket: fix NULL dereference and integer overflow in rocket_job_push()
Date: Sun, 24 May 2026 15:57:16 +0000
Message-ID: <20260524155716.90955-1-meatuni001@gmail.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

rocket_job_push() allocates a temporary array to hold all input and output
GEM object pointers:

    bos = kvmalloc_array(job->in_bo_count + job->out_bo_count,
                         sizeof(void *), GFP_KERNEL);
    memcpy(bos, job->in_bos, job->in_bo_count * sizeof(void *));
    memcpy(&bos[job->in_bo_count], job->out_bos, ...);

Two bugs exist:

1. Missing NULL check: if kvmalloc_array() fails, bos is NULL and the
   subsequent memcpy() dereferences it, causing a kernel NULL pointer
   dereference.

2. Integer overflow: in_bo_count and out_bo_count are both u32, set
   directly from userspace-supplied in_bo_handle_count and
   out_bo_handle_count with no prior validation. Their sum is computed
   in u32 arithmetic and can wrap to a smaller value, causing the
   allocation count passed to kvmalloc_array() to be smaller than
   intended. Subsequent uses still operate on the original counts when
   copying and locking objects, which may lead to out-of-bounds
   accesses on the temporary array.

Fix by using check_add_overflow() to detect count overflow before the
allocation, and adding a NULL check on the allocation result.

Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal
---
 drivers/accel/rocket/rocket_job.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/accel/rocket/rocket_job.c b/drivers/accel/rocket/rocke= t_job.c index ac51bff39833..71f64bf2bb7f 100644 --- a/drivers/accel/rocket/rocket_job.c +++ b/drivers/accel/rocket/rocket_job.c @@ -8,6 +8,7 @@ #include #include #include +#include #include #include #include @@ -188,14 +189,19 @@ static int rocket_job_push(struct rocket_job *job) struct rocket_device *rdev =3D job->rdev; struct drm_gem_object **bos; struct ww_acquire_ctx acquire_ctx; + u32 bo_count; int ret =3D 0; =20 - bos =3D kvmalloc_array(job->in_bo_count + job->out_bo_count, sizeof(void = *), - GFP_KERNEL); + if (check_add_overflow(job->in_bo_count, job->out_bo_count, &bo_count)) + return -EINVAL; + + bos =3D kvmalloc_array(bo_count, sizeof(*bos), GFP_KERNEL); + if (!bos) + return -ENOMEM; memcpy(bos, job->in_bos, job->in_bo_count * sizeof(void *)); memcpy(&bos[job->in_bo_count], job->out_bos, job->out_bo_count * sizeof(v= oid *)); =20 - ret =3D drm_gem_lock_reservations(bos, job->in_bo_count + job->out_bo_cou= nt, &acquire_ctx); + ret =3D drm_gem_lock_reservations(bos, bo_count, &acquire_ctx); if (ret) goto err; =20 @@ -220,7 +226,7 @@ static int rocket_job_push(struct rocket_job *job) rocket_attach_object_fences(job->out_bos, job->out_bo_count, job->inferen= ce_done_fence); =20 err_unlock: - drm_gem_unlock_reservations(bos, job->in_bo_count + job->out_bo_count, &a= cquire_ctx); + drm_gem_unlock_reservations(bos, bo_count, &acquire_ctx); err: kvfree(bos); =20 --=20 2.53.0
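Review bot: the header name on the added `+#include` line has been lost in this rendering of the first hunk, so the include cannot be confirmed from the patch as shown; check_add_overflow() is provided by linux/overflow.h, so that is the header the new code in rocket_job_push() needs, and the added line should be placed consistently with the surrounding includes rather than appended at an arbitrary point in the block.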
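Review bot: in the rocket_job_push() hunk, bo_count is a u32 but drm_gem_lock_reservations() takes its count as an int, so check_add_overflow() only guards the u32 sum; a sum above INT_MAX still converts to a negative count at that call. Since both counts originate from userspace, consider bounding bo_count alongside the overflow check (an explicit upper limit, or rejecting anything that does not fit in an int) instead of relying on kvmalloc_array() failing for such sizes. Smaller point: the allocation now uses `sizeof(*bos)` while the two memcpy() calls still use `sizeof(void *)`; both are pointer-sized, but using `sizeof(*bos)` in all three keeps the size tied to the array's element type. The two early returns are fine as written: they run before bos exists, so bypassing the err label leaks nothing.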
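To make the two failure modes in the commit message concrete outside the kernel, here is an added user-space example; it is not code from the patch or the rocket driver. It assumes a hypothetical `struct fake_job` standing in for `struct rocket_job`, uses `__builtin_add_overflow()` (the compiler builtin the kernel's `check_add_overflow()` expands to) in place of the kernel macro, and takes an allocator function pointer so `calloc()` can play `kvmalloc_array()` in normal runs while a `failing_alloc()` stand-in exercises the NULL path deterministically.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct rocket_job (assumption, not the driver's type). */
struct fake_job {
	uint32_t in_bo_count;
	uint32_t out_bo_count;
	void **in_bos;
	void **out_bos;
};

/* Pre-fix arithmetic: the u32 sum silently wraps for large counts. */
uint32_t unchecked_bo_count(const struct fake_job *job)
{
	return job->in_bo_count + job->out_bo_count;
}

/* Post-fix arithmetic: report the wrap instead of hiding it.
 * Returns 0 and stores the sum, or -EINVAL if it does not fit in a u32. */
int checked_bo_count(const struct fake_job *job, uint32_t *bo_count)
{
	if (__builtin_add_overflow(job->in_bo_count, job->out_bo_count, bo_count))
		return -EINVAL;
	return 0;
}

/* Allocator hook: calloc() in normal use, failing_alloc() to force the NULL path. */
typedef void *(*bo_alloc_fn)(size_t n, size_t size);

void *failing_alloc(size_t n, size_t size)
{
	(void)n; (void)size;
	return NULL;
}

/* Mirrors the fixed rocket_job_push(): overflow check before sizing the array,
 * NULL check after allocating it, one count for every later access.
 * On success *bos_out owns in_bo_count + out_bo_count pointers. */
int fake_job_push(const struct fake_job *job, bo_alloc_fn alloc, void ***bos_out)
{
	uint32_t bo_count;
	void **bos;

	if (checked_bo_count(job, &bo_count))
		return -EINVAL;
	bos = alloc(bo_count, sizeof(*bos));
	if (!bos)
		return -ENOMEM;
	memcpy(bos, job->in_bos, job->in_bo_count * sizeof(*bos));
	memcpy(&bos[job->in_bo_count], job->out_bos, job->out_bo_count * sizeof(*bos));
	*bos_out = bos;
	return 0;
}

/* Counts chosen so 0xFFFFFFF0 + 0x20 wraps: the old code would size the array at 16. */
uint32_t demo_wrapped_count(void)
{
	struct fake_job job = { .in_bo_count = 0xFFFFFFF0u, .out_bo_count = 0x20u };
	return unchecked_bo_count(&job);
}

/* Same counts through the fixed path: rejected before any allocation happens. */
int demo_push_rejects_overflow(void)
{
	struct fake_job job = { .in_bo_count = 0xFFFFFFF0u, .out_bo_count = 0x20u };
	void **bos = NULL;
	return fake_job_push(&job, calloc, &bos) == -EINVAL && bos == NULL;
}

/* Allocation failure is now an -ENOMEM return rather than a memcpy() into NULL. */
int demo_push_handles_alloc_failure(void)
{
	int tag[3];
	void *in[2] = { &tag[0], &tag[1] };
	void *out[1] = { &tag[2] };
	struct fake_job job = { 2, 1, in, out };
	void **bos = NULL;
	return fake_job_push(&job, failing_alloc, &bos) == -ENOMEM && bos == NULL;
}

/* Happy path: returns how many of the 5 pointers landed in the expected slot. */
int demo_push_copies_in_order(void)
{
	int tag[5], ok = 0;
	void *in[2] = { &tag[0], &tag[1] };
	void *out[3] = { &tag[2], &tag[3], &tag[4] };
	struct fake_job job = { 2, 3, in, out };
	void **bos = NULL;

	if (fake_job_push(&job, calloc, &bos) != 0)
		return -1;
	for (int i = 0; i < 5; i++)
		ok += (bos[i] == (void *)&tag[i]);
	free(bos);
	return ok;
}

int main(void)
{
	printf("wrapped u32 count: %u\n", demo_wrapped_count());
	printf("overflow rejected: %d\n", demo_push_rejects_overflow());
	printf("alloc failure handled: %d\n", demo_push_handles_alloc_failure());
	printf("pointers in order: %d\n", demo_push_copies_in_order());
	return 0;
}
```

The allocator hook is the only deviation from the kernel shape of the function; it exists so the NULL branch can be hit without depending on the host's memory limits, which is also why the overflow scenario is verified by return code rather than by letting a wrapped count reach the allocator.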