A potential NULL pointer dereference may occur when accessing
tmp_mqd->cp_hqd_pq_control without verifying that tmp_mqd is non-NULL.
This may happen if mqd_backup[mqd_idx] is unexpectedly NULL.
Although a NULL check for mqd_backup[mqd_idx] existed previously, it was
moved to a position after the

The "num_syncobj_handles" is a u32 value that comes from the user via the
ioctl. On 32bit systems the "sizeof(uint32_t) * num_syncobj_handles"
multiplication can have an integer overflow. Use size_mul() to fix that.
Fixes: 38c67ec9aa4b ("drm/amdgpu: Add input fence to sync bo map/unmap")
Cc: sta

'struct timing_generator_funcs' are not modified in these drivers.
Constifying these structures moves some data to a read-only section, so
increases overall security, especially when the structure holds some
function pointers.
Signed-off-by: Christophe JAILLET
---
This is NOT compile tested, bec

This patch only affects 32bit systems. There are several integer
overflow bugs here but only the "sizeof(u32) * num_syncobj"
multiplication is a problem at runtime. (The last lines of this patch).
These variables are u32 variables that come from the user. The issue
is the multiplications can o

On Fri, May 23, 2025 at 04:11:39PM +0200, Danilo Krummrich wrote:
> On Fri, May 23, 2025 at 02:56:40PM +0200, Christian König wrote:
> > + if (xas_nomem(&xas, GFP_KERNEL)) {
> > + xa_lock(&job->dependencies);
> > + goto retry;
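Review bot: the `goto retry` in the xas_nomem() branch turns the allocation retry into a backward jump with the lock retaken by hand through xa_lock(&job->dependencies), and the retry label and the matching unlock are outside these lines, so the locking state at the jump target has to be inferred. Consider making xas_nomem(&xas, GFP_KERNEL) the condition of a do/while loop whose body takes and drops the lock, and using xas_lock(&xas) / xas_unlock(&xas) so the lock calls name the same object as the xas operations.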
>
> Please don't use a goto here, if we would hav