On 3/30/22 00:23, syzbot wrote:
Hello,
syzbot found the following issue on:
HEAD commit: 8515d05bf6bc Add linux-next specific files for 20220328
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1694e21b700000
kernel config: https://syzkaller.appspot.com/x/.config?x=530c68bef4e2b8a8
dashboard link: https://syzkaller.appspot.com/bug?extid=5c943fe38e86d615cac2
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1467313b700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=121b7cb9700000
The issue was bisected to:
commit 519f490db07e1a539490612f376487f61e48e39c
Author: Christian König <christian.koenig@xxxxxxx>
Date: Fri Mar 11 09:32:26 2022 +0000
dma-buf/sync-file: fix warning about fence containers
There is ZERO_PTR dereference caused by passing 0 to krealloc_array().
Code should not try to reduce allocated memory area if index is equal to 0
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
With regards,
Pavel Skripkin
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
index b8dea4ec123b..60cb4266e77f 100644
--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -264,7 +264,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a,
if (index == 0)
add_fence(fences, &index, dma_fence_get_stub());
- if (num_fences > index) {
+ if (index && num_fences > index) {
struct dma_fence **tmp;
/* Keep going even when reducing the size failed */