[PATCH 54/55] drivers: hv: dxgkrnl: Fix crash at hmgrtable_free_handle

Next message: Eric Curtin: "[PATCH 19/55] drivers: hv: dxgkrnl: Flush heap transitions"
Previous message: Eric Curtin: "[PATCH 30/55] drivers: hv: dxgkrnl: Remove dxgk_init_ioctls"
In reply to: Eric Curtin: "[PATCH 30/55] drivers: hv: dxgkrnl: Remove dxgk_init_ioctls"
Next in thread: Eric Curtin: "[PATCH 19/55] drivers: hv: dxgkrnl: Flush heap transitions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Curtin

Date: Thu Mar 19 2026 - 16:31:06 EST

From: Hideyuki Nagase <hideyukn@xxxxxxxxxxxxx>

Fix a potential NULL pointer crash in hmgrtable_free_handle() when
free_handle_list_tail is HMGRTABLE_INVALID_INDEX. Guard the entry
dereference with a bounds check before writing the next_free_index.

Signed-off-by: Hideyuki Nagase <hideyukn@xxxxxxxxxxxxx>
---
drivers/hv/dxgkrnl/hmgr.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/hv/dxgkrnl/hmgr.c b/drivers/hv/dxgkrnl/hmgr.c
index 24101d0091ab..059f94307a0e 100644
--- a/drivers/hv/dxgkrnl/hmgr.c
+++ b/drivers/hv/dxgkrnl/hmgr.c
@@ -462,9 +462,14 @@ void hmgrtable_free_handle(struct hmgrtable *table, enum hmgrentry_type t,
*/
entry->next_free_index = HMGRTABLE_INVALID_INDEX;
entry->prev_free_index = table->free_handle_list_tail;
- entry = &table->entry_table[table->free_handle_list_tail];
- entry->next_free_index = i;
+ if (table->free_handle_list_tail != HMGRTABLE_INVALID_INDEX) {
+ entry = &table->entry_table[table->free_handle_list_tail];
+ entry->next_free_index = i;
+ }
table->free_handle_list_tail = i;
+ if (table->free_handle_list_head == HMGRTABLE_INVALID_INDEX) {
+ table->free_handle_list_head = i;
+ }
} else {
DXG_ERR("Invalid handle to free: %d %x", i, h.v);
}