Re: [PATCH] fix: drm/vc4: vc4_cl_lookup_bos: fix NULL pointer dereference on drm_gem_objects_lookup failure

From: WenTao Liang

Date: Sun Jun 28 2026 - 00:07:19 EST




> On Jun 26, 2026, at 22:56, WenTao Liang <vulab@xxxxxxxxxxx> wrote:
>
> When drm_gem_objects_lookup fails, it sets *objs_out to NULL, leaving
> exec->bo as NULL. The fail_put_bo error handler unconditionally iterates
> over exec->bo[i] without checking for NULL, causing a NULL pointer
> dereference.
>
> Add a NULL check for exec->bo before accessing its entries in the
> fail_put_bo error path.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: ba3f6db4afee ("drm/vc4: replace obj lookup steps with drm_gem_objects_lookup")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/gpu/drm/vc4/vc4_gem.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
> index ab3c6d5d4eb4..f79c0171e43e 100644
> --- a/drivers/gpu/drm/vc4/vc4_gem.c
> +++ b/drivers/gpu/drm/vc4/vc4_gem.c
> @@ -724,10 +724,12 @@ vc4_cl_lookup_bos(struct drm_device *dev,
>
> fail_put_bo:
> /* Release any reference to acquired objects. */
> - for (i = 0; i < exec->bo_count && exec->bo[i]; i++)
> - drm_gem_object_put(exec->bo[i]);
> + if (exec->bo) {
> + for (i = 0; i < exec->bo_count && exec->bo[i]; i++)
> + drm_gem_object_put(exec->bo[i]);
>
> - kvfree(exec->bo);
> + kvfree(exec->bo);
> + }
> exec->bo = NULL;
> return ret;
> }
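
Review bot: the kvfree(exec->bo) call moved inside the new if (exec->bo) block does not need the guard, because kvfree() accepts a NULL pointer; only the loop that reads exec->bo[i] can fault. Leaving kvfree(exec->bo) where it was and guarding just the loop, for example by adding exec->bo to the existing loop condition, fixes the same dereference with a smaller diff for stable and no extra nesting. The hunk also does not show the goto that reaches fail_put_bo with exec->bo still NULL, so the commit message should name that call site, and it is worth checking whether that path can simply return ret, since no object references have been taken at that point.
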
> --
> 2.39.5 (Apple Git-154)

Please ignore this patch. I will resend a proper version after
learning the kernel submission process.

Apologies for the noise.

Best regards,
WenTao Liang