From: Chengfeng Ye cyeaa@connect.ust.hk
stable inclusion from stable-v4.19.218 commit ab4c1ebc40f699f48346f634d7b72b9c5193f315 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNFE CVE: CVE-2021-47207
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit a0d21bb3279476c777434c40d969ea88ca64f9aa ]
The pointer block return from snd_gf1_dma_next_block could be null, so there is a potential null pointer dereference issue. Fix this by adding a null check before dereference.
Signed-off-by: Chengfeng Ye cyeaa@connect.ust.hk Link: https://lore.kernel.org/r/20211024104611.9919-1-cyeaa@connect.ust.hk Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Kaixiong Yu yukaixiong@huawei.com --- sound/isa/gus/gus_dma.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/sound/isa/gus/gus_dma.c b/sound/isa/gus/gus_dma.c index 7f95f452f106..48e76b8fede4 100644 --- a/sound/isa/gus/gus_dma.c +++ b/sound/isa/gus/gus_dma.c @@ -141,6 +141,8 @@ static void snd_gf1_dma_interrupt(struct snd_gus_card * gus) } block = snd_gf1_dma_next_block(gus); spin_unlock(&gus->dma_lock); + if (!block) + return; snd_gf1_dma_program(gus, block->addr, block->buf_addr, block->count, (unsigned short) block->cmd); kfree(block); #if 0