The crashstate_get_bos() function allocates memory for `state->bos`
using kcalloc(), but the vmbind path does not check for allocation
failure before dereferencing it in the following drm_gpuvm_for_each_va()
loop. This could lead to a NULL pointer dereference if memory allocation
fails.

Fix this by wrapping the drm_gpuvm_for_each_va() loop with a NULL check
on state->bos, similar to the safety check in the non-vmbind path.

Fixes: af9aa6f316b3d ("drm/msm: Crashdump support for sparse")
Signed-off-by: Huiwen He <[email protected]>
---
 drivers/gpu/drm/msm/msm_gpu.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c
index 17759abc46d7..a9b5f5106ebc 100644
--- a/drivers/gpu/drm/msm/msm_gpu.c
+++ b/drivers/gpu/drm/msm/msm_gpu.c
@@ -287,16 +287,17 @@ static void crashstate_get_bos(struct msm_gpu_state 
*state, struct msm_gem_submi
 
                state->bos = kcalloc(cnt, sizeof(struct msm_gpu_state_bo), 
GFP_KERNEL);
 
-               drm_gpuvm_for_each_va (vma, submit->vm) {
-                       bool dump = rd_full || (vma->flags & MSM_VMA_DUMP);
+               if (state->bos)
+                       drm_gpuvm_for_each_va(vma, submit->vm) {
+                               bool dump = rd_full || (vma->flags & 
MSM_VMA_DUMP);
 
-                       /* Skip MAP_NULL/PRR VMAs: */
-                       if (!vma->gem.obj)
-                               continue;
+                               /* Skip MAP_NULL/PRR VMAs: */
+                               if (!vma->gem.obj)
+                                       continue;
 
-                       msm_gpu_crashstate_get_bo(state, vma->gem.obj, 
vma->va.addr,
-                                                 dump, vma->gem.offset, 
vma->va.range);
-               }
+                               msm_gpu_crashstate_get_bo(state, vma->gem.obj, 
vma->va.addr,
+                                                         dump, 
vma->gem.offset, vma->va.range);
+                       }
 
                drm_exec_fini(&exec);
        } else {
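Review bot: The new `if (state->bos)` guard wraps a multi-line drm_gpuvm_for_each_va() body without braces, which kernel coding style asks for when the controlled statement spans several lines and which also makes it harder to misplace the loop's closing brace on a later edit; write it as `if (state->bos) {` with a matching `}` after the loop's own closing brace. On the allocation-failure path the crash state is now captured with no BO entries and no diagnostic, so a `DRM_DEV_WARN`-style message (or at least a comment saying the BO list is intentionally dropped on OOM) would help whoever reads a truncated dump later. It is also worth confirming that `state->nr_bos` is still 0 when `state->bos` is NULL, since any consumer that iterates `nr_bos` entries would otherwise walk a NULL array. The enclosing crashstate_get_bos() starts before this hunk and its `else` branch continues past it.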
-- 
2.25.1
