[PATCH 04/11] drm/panthor: Fix potential invalid pointer deref in group_process_tiler_oom()

Next message: Sayali Patil: "[PATCH 1/2] selftests/mm: handle EINVAL when configuring gigantic hugepages"
Previous message: Peter Zijlstra: "Re: [PATCH 1/2] sched/core: Allow newidle for core-sched"
In reply to: Boris Brezillon: "Re: [PATCH 03/11] drm/panthor: Fix UAF on works queued to panthor_cleanup_wq"
Next in thread: Liviu Dudau: "Re: [PATCH 04/11] drm/panthor: Fix potential invalid pointer deref in group_process_tiler_oom()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Boris Brezillon

Date: Thu Jun 25 2026 - 08:42:13 EST

If heaps is an ERR_PTR(), panthor_heap_pool_put() will deref an invalid
pointer. Make sure we set it to NULL in that case.

Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block")
Reported-by: sashiko-bot@xxxxxxxxxx
Closes: https://sashiko.dev/#/patchset/20260625-panthor-signal-from-irq-v5-0-8836a74e0ef9@xxxxxxxxxxxxx?part=2
Signed-off-by: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx>
---
drivers/gpu/drm/panthor/panthor_sched.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c
index e97f29469d28..8fd4d97b062e 100644
--- a/drivers/gpu/drm/panthor/panthor_sched.c
+++ b/drivers/gpu/drm/panthor/panthor_sched.c
@@ -1600,7 +1600,10 @@ static int group_process_tiler_oom(struct panthor_group *group, u32 cs_id)
if (unlikely(csg_id < 0))
return 0;

- if (IS_ERR(heaps) || frag_end > vt_end || vt_end >= vt_start) {
+ if (IS_ERR(heaps)) {
+ ret = -EINVAL;
+ heaps = NULL;
+ } else if (frag_end > vt_end || vt_end >= vt_start) {
ret = -EINVAL;
} else {
/* We do the allocation without holding the scheduler lock to avoid

--
2.54.0