The return value of hga_card_detect() is not properly handled causing the probe to succeed even though hga_card_detect() failed. Since probe succeeds, hgafb_open() can be called which will end up operating on an unmapped hga_vram. This results in an out-of-bounds access as reported by kernel test robot [1].
To fix this, correctly detect failure of hga_card_detect() by checking for a non-zero error code.
[1]: https://lore.kernel.org/lkml/20210516150019.GB25903@xsang-OptiPlex-9020/
Reported-by: kernel test robot oliver.sang@intel.com Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference") Cc: stable stable@vger.kernel.org Signed-off-by: Anirudh Rayabharam mail@anirudhrb.com --- drivers/video/fbdev/hgafb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/hgafb.c b/drivers/video/fbdev/hgafb.c index cc8e62ae93f6..bd3d07aa4f0e 100644 --- a/drivers/video/fbdev/hgafb.c +++ b/drivers/video/fbdev/hgafb.c @@ -558,7 +558,7 @@ static int hgafb_probe(struct platform_device *pdev) int ret;
ret = hga_card_detect(); - if (!ret) + if (ret) return ret;
printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n",