From: Akhil P Oommen <akhilpo@codeaurora.org>

mainline inclusion
from mainline-v5.16-rc4
commit 26d776fd0f79f093a5d0ce1a4c7c7a992bc3264c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SJ0
CVE: CVE-2021-47610
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Fix the below null pointer dereference in msm_ioctl_gem_submit():
 26545.260705:   Call trace:
 26545.263223:    kref_put+0x1c/0x60
 26545.266452:    msm_ioctl_gem_submit+0x254/0x744
 26545.270937:    drm_ioctl_kernel+0xa8/0x124
 26545.274976:    drm_ioctl+0x21c/0x33c
 26545.278478:    drm_compat_ioctl+0xdc/0xf0
 26545.282428:    __arm64_compat_sys_ioctl+0xc8/0x100
 26545.287169:    el0_svc_common+0xf8/0x250
 26545.291025:    do_el0_svc_compat+0x28/0x54
 26545.295066:    el0_svc_compat+0x10/0x1c
 26545.298838:    el0_sync_compat_handler+0xa8/0xcc
 26545.303403:    el0_sync_compat+0x188/0x1c0
 26545.307445:   Code: d503201f d503201f 52800028 4b0803e8 (b8680008)
 26545.318799:   Kernel panic - not syncing: Oops: Fatal exception

Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org>
Link: https://lore.kernel.org/r/20211118154903.2.I3ae019673a0cc45d83a193a7858748dd...
Signed-off-by: Rob Clark <robdclark@chromium.org>

Conflicts:
	drivers/gpu/drm/msm/msm_gem_submit.c
[This is a conflict caused by commit 79341eb74c1f("drm/msm: Return ERR_PTR() from submit_create()") which is not merged and some context conflicts.]
Signed-off-by: Cheng Yu <serein.chengyu@huawei.com>
---
 drivers/gpu/drm/msm/msm_gem_submit.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index aa5c60a7132d..9005646dfb15 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -681,6 +681,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, args->nr_cmds); if (!submit) { ret = -ENOMEM; + submit = NULL; goto out_unlock; }
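Review bot: The added `submit = NULL;` sits inside the `if (!submit)` branch, where submit is already NULL, so as written the assignment has no effect on what the out_unlock path sees. The conflict note says commit 79341eb74c1f ("drm/msm: Return ERR_PTR() from submit_create()") is not merged here, which is why the check is still `if (!submit)` rather than an error-pointer test; in that form there is no non-NULL error value left in submit for this line to clear. Please state in the conflict note whether this tree can actually reach the kref_put() crash shown in the call trace. If it can, the fix needs to cover the path that really leaves a bad pointer in submit; if it cannot, say that the line is carried only to keep the backport aligned with mainline, so that the CVE is not recorded as fixed by a no-op.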