On Wed, Aug 24, 2022 at 11:35:22PM -0700, Vivek Kasireddy wrote:
> When userspace tries to map the dmabuf and if for some reason
> (e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be
> set to NULL. Otherwise, when the userspace subsequently closes the
> dmabuf fd, we'd try to erroneously free the invalid sg table from
> release_udmabuf resulting in the following crash reported by syzbot:
>
> general protection fault, probably for non-canonical address
> 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> [ ... ]
>
> Reported-by: syzbot+c80e9ef5d8bb45894db0@xxxxxxxxxxxxxxxxxxxxxxxxx
> Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
> Signed-off-by: Vivek Kasireddy <vivek.kasireddy@xxxxxxxxx>

Pushed to drm-misc-next.

thanks,
  Gerd
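The failure mode the quoted commit message describes (a map that fails under OOM leaves an error-encoded pointer in `ubuf->sg`, and the later release path passes that pointer to the free routine) can be modelled outside the kernel. The following is an added example, not code from the udmabuf driver or from this thread: it reproduces the kernel's `ERR_PTR`/`IS_ERR`/`PTR_ERR` convention in userspace, uses constructed stand-ins for `struct sg_table`, `struct udmabuf`, `get_sg_table`, `put_sg_table`, `map_udmabuf_*` and `release_udmabuf` (hypothetical names, simplified shapes), and shows the 'before' map path beside the fixed one that clears the field on failure.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's ERR_PTR/IS_ERR/PTR_ERR convention:
 * a failed allocation is reported as a pointer value that encodes -errno,
 * so it is non-NULL but must never be dereferenced or freed. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline bool IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }

/* Hypothetical, simplified stand-ins for the driver's structures (constructed). */
struct sg_table { size_t nents; };
struct udmabuf  { struct sg_table *sg; };

/* Fault-injection switch standing in for an OOM condition (constructed). */
static bool inject_oom = false;

static struct sg_table *get_sg_table(void)
{
    if (inject_oom)
        return ERR_PTR(-ENOMEM);
    struct sg_table *sg = calloc(1, sizeof(*sg));
    return sg ? sg : ERR_PTR(-ENOMEM);
}

/* Frees a valid table. Returns true if handed an error-encoded pointer,
 * which in the real kernel would be the dereference that faulted. */
static bool put_sg_table(struct sg_table *sg)
{
    if (IS_ERR(sg))
        return true;
    free(sg);
    return false;
}

/* 'Before': the error pointer is left in ubuf->sg after the failed map. */
static int map_udmabuf_before(struct udmabuf *ubuf)
{
    ubuf->sg = get_sg_table();
    if (IS_ERR(ubuf->sg))
        return (int)PTR_ERR(ubuf->sg);
    return 0;
}

/* 'After': clear the field on failure so release sees no table to free. */
static int map_udmabuf_after(struct udmabuf *ubuf)
{
    ubuf->sg = get_sg_table();
    if (IS_ERR(ubuf->sg)) {
        int ret = (int)PTR_ERR(ubuf->sg);
        ubuf->sg = NULL;
        return ret;
    }
    return 0;
}

/* Release path: a non-NULL pointer is handed to put_sg_table.
 * Returns true if that pointer was invalid (the reported bug). */
static bool release_udmabuf(struct udmabuf *ubuf)
{
    bool freed_invalid = false;
    if (ubuf->sg)
        freed_invalid = put_sg_table(ubuf->sg);
    ubuf->sg = NULL;
    return freed_invalid;
}

/* Map under OOM, then close. Returns true if release touched an invalid table. */
static bool close_after_failed_map(bool use_fix)
{
    struct udmabuf ubuf = { .sg = NULL };
    inject_oom = true;
    int ret = use_fix ? map_udmabuf_after(&ubuf) : map_udmabuf_before(&ubuf);
    inject_oom = false;
    if (ret != -ENOMEM)
        return true;  /* the map must fail here; anything else is a defect */
    return release_udmabuf(&ubuf);
}

/* Happy path: a successful map followed by release must free cleanly. */
static bool close_after_successful_map(void)
{
    struct udmabuf ubuf = { .sg = NULL };
    if (map_udmabuf_after(&ubuf) != 0)
        return false;
    return !release_udmabuf(&ubuf);
}

int main(void)
{
    printf("before fix, release frees invalid table: %s\n",
           close_after_failed_map(false) ? "yes" : "no");
    printf("after fix,  release frees invalid table: %s\n",
           close_after_failed_map(true) ? "yes" : "no");
    return 0;
}
```

The point the model makes explicit is that an `ERR_PTR` value passes an `if (ubuf->sg)` check, so a release routine that only tests for NULL relies on every failed setup path having reset the field; clearing it at the failure site, as the patch does, is what keeps the close path safe.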