From: Hideyuki Nagase <[email protected]>

Fix a potential NULL pointer crash in hmgrtable_free_handle() when free_handle_list_tail is HMGRTABLE_INVALID_INDEX. Guard the entry dereference with a bounds check before writing the next_free_index.
Signed-off-by: Hideyuki Nagase <[email protected]> --- drivers/hv/dxgkrnl/hmgr.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/hv/dxgkrnl/hmgr.c b/drivers/hv/dxgkrnl/hmgr.c index 24101d0091ab..059f94307a0e 100644 --- a/drivers/hv/dxgkrnl/hmgr.c +++ b/drivers/hv/dxgkrnl/hmgr.c @@ -462,9 +462,14 @@ void hmgrtable_free_handle(struct hmgrtable *table, enum hmgrentry_type t, */ entry->next_free_index = HMGRTABLE_INVALID_INDEX; entry->prev_free_index = table->free_handle_list_tail; - entry = &table->entry_table[table->free_handle_list_tail]; - entry->next_free_index = i; + if (table->free_handle_list_tail != HMGRTABLE_INVALID_INDEX) { + entry = &table->entry_table[table->free_handle_list_tail]; + entry->next_free_index = i; + } table->free_handle_list_tail = i; + if (table->free_handle_list_head == HMGRTABLE_INVALID_INDEX) { + table->free_handle_list_head = i; + } } else { DXG_ERR("Invalid handle to free: %d %x", i, h.v); }
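Review bot: The second added block in hmgrtable_free_handle(), the test of free_handle_list_head against HMGRTABLE_INVALID_INDEX that assigns i to the head, is not described in the changelog, which only mentions guarding the tail dereference. Please document it, since initialising the head when the free list is empty is a separate behavioural change from skipping the write through the tail. The changelog also calls this a NULL pointer crash and a bounds check, but the first added condition compares free_handle_list_tail with the HMGRTABLE_INVALID_INDEX sentinel, so what it avoids is an out-of-range index into entry_table. Either reword the message to say so or, if a real bounds check is intended, also compare the tail with the table size. Style: the head assignment is a single statement, so kernel coding style would drop the braces around it.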

