VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46211

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.

Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.

Add the missing NULL check for kmemdup() and return ret instead of 0.

Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.

Patchwork: https://patchwork.freedesktop.org/patch/714478/

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's DRM MSM driver, msm_ioctl_gem_info_get_metadata() ignores errors and lacks a NULL check for kmemdup(), leading to information disclosure or denial of service.

Vulnerability

The function msm_ioctl_gem_info_get_metadata() in the Linux kernel's DRM MSM driver always returns 0 regardless of errors, ignoring the error code stored in ret when copy_to_user() fails or the user buffer is too small. Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked, leading to a NULL pointer dereference in the subsequent copy_to_user() call. This vulnerability affects kernels containing this code until the fix is applied.

Exploitation

An attacker with local access and the ability to call the DRM_IOCTL_MSM_GEM_INFO ioctl with the GET_METADATA flag can exploit this issue. The attacker can cause copy_to_user() to fail by providing an invalid user buffer or a buffer that is too small, which would normally return an error. The error is suppressed, so userspace believes the ioctl succeeded. Alternatively, by exhausting memory, the attacker can cause kmemdup() to return NULL, triggering a NULL pointer dereference and a system crash.

Impact

Successful exploitation leads to information disclosure (userspace may read uninitialized kernel memory due to the suppressed error) or denial of service (kernel crash from NULL pointer dereference). No privilege escalation is directly achieved, but memory corruption may be possible in certain scenarios.

Mitigation

The fix is in Linux kernel stable commit b079e85c91f44 [1]. Users should update to a patched kernel version that includes this commit. There is no known workaround; applying the patch or updating the kernel is required.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

8
b079e85c91f4

drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yasuaki Torimaru · Mar 25, 2026 · Fixed in 7.0.9 · via kernel-cna
1 file changed · +6 −2
  • drivers/gpu/drm/msm/msm_drv.c · +6 −2 · modified
    diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
    index e5ab1e28851dfe..195f40e331e5a8 100644
    --- a/drivers/gpu/drm/msm/msm_drv.c
    +++ b/drivers/gpu/drm/msm/msm_drv.c
    @@ -536,6 +536,11 @@ static int msm_ioctl_gem_info_get_metadata(struct drm_gem_object *obj,
     	len = msm_obj->metadata_size;
     	buf = kmemdup(msm_obj->metadata, len, GFP_KERNEL);
     
    +	if (!buf) {
    +		msm_gem_unlock(obj);
    +		return -ENOMEM;
    +	}
    +
     	msm_gem_unlock(obj);
     
     	if (*metadata_size < len) {
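Review bot: The early return in the new `if (!buf)` block releases the GEM lock before bailing out, which is the right ordering, but it leaves two adjacent `msm_gem_unlock(obj)` calls with nothing between them that needs the lock. Placing the check after the existing unlock, as `msm_gem_unlock(obj); if (!buf) return -ENOMEM;`, removes the duplicated unlock and the extra exit path while keeping the same behaviour.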
    @@ -548,7 +553,7 @@ static int msm_ioctl_gem_info_get_metadata(struct drm_gem_object *obj,
     
     	kfree(buf);
     
    -	return 0;
    +	return ret;
     }
     
     static int msm_ioctl_gem_info(struct drm_device *dev, void *data,
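Review bot: Changing `return 0` to `return ret` is only safe if `ret` holds 0 on the success path; this hunk shows neither the declaration of `ret` nor where it is assigned, so confirm it is initialised before the `*metadata_size < len` / `copy_to_user()` block (for example by the lock call earlier in the function) rather than only set in the error branches, otherwise a successful call would return an indeterminate value. With that confirmed, this is the line that finally surfaces the too-small-buffer and `-EFAULT` cases to userspace, which the commit message identifies as the primary bug.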
    -- 
    cgit 1.3-korg
    
    
    
697e1a9559f6

drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yasuaki Torimaru · Mar 25, 2026 · Fixed in 6.12.90 · via kernel-cna
1 file changed · +6 −2
  • drivers/gpu/drm/msm/msm_drv.c · +6 −2 · modified
    diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
    index 197d8d9a421d32..d924c0f286058f 100644
    --- a/drivers/gpu/drm/msm/msm_drv.c
    +++ b/drivers/gpu/drm/msm/msm_drv.c
    @@ -616,6 +616,11 @@ static int msm_ioctl_gem_info_get_metadata(struct drm_gem_object *obj,
     	len = msm_obj->metadata_size;
     	buf = kmemdup(msm_obj->metadata, len, GFP_KERNEL);
     
    +	if (!buf) {
    +		msm_gem_unlock(obj);
    +		return -ENOMEM;
    +	}
    +
     	msm_gem_unlock(obj);
     
     	if (*metadata_size < len) {
    @@ -628,7 +633,7 @@ static int msm_ioctl_gem_info_get_metadata(struct drm_gem_object *obj,
     
     	kfree(buf);
     
    -	return 0;
    +	return ret;
     }
     
     static int msm_ioctl_gem_info(struct drm_device *dev, void *data,
    -- 
    cgit 1.3-korg
    
    
    
c57c861956b8

drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yasuaki Torimaru · Mar 25, 2026 · Fixed in 6.18.32 · via kernel-cna
1 file changed · +6 −2
  • drivers/gpu/drm/msm/msm_drv.c · +6 −2 · modified
    diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
    index 7e977fec410079..94b32973cd6a1b 100644
    --- a/drivers/gpu/drm/msm/msm_drv.c
    +++ b/drivers/gpu/drm/msm/msm_drv.c
    @@ -536,6 +536,11 @@ static int msm_ioctl_gem_info_get_metadata(struct drm_gem_object *obj,
     	len = msm_obj->metadata_size;
     	buf = kmemdup(msm_obj->metadata, len, GFP_KERNEL);
     
    +	if (!buf) {
    +		msm_gem_unlock(obj);
    +		return -ENOMEM;
    +	}
    +
     	msm_gem_unlock(obj);
     
     	if (*metadata_size < len) {
    @@ -548,7 +553,7 @@ static int msm_ioctl_gem_info_get_metadata(struct drm_gem_object *obj,
     
     	kfree(buf);
     
    -	return 0;
    +	return ret;
     }
     
     static int msm_ioctl_gem_info(struct drm_device *dev, void *data,
    -- 
    cgit 1.3-korg
    
    
    
47cbfe260831

drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yasuaki Torimaru · Mar 25, 2026 · Fixed in 7.1-rc1 · via kernel-cna
1 file changed · +6 −2
  • drivers/gpu/drm/msm/msm_drv.c · +6 −2 · modified
    diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
    index ed2a61c66ac90b..c7f6d07a5043f9 100644
    --- a/drivers/gpu/drm/msm/msm_drv.c
    +++ b/drivers/gpu/drm/msm/msm_drv.c
    @@ -536,6 +536,11 @@ static int msm_ioctl_gem_info_get_metadata(struct drm_gem_object *obj,
     	len = msm_obj->metadata_size;
     	buf = kmemdup(msm_obj->metadata, len, GFP_KERNEL);
     
    +	if (!buf) {
    +		msm_gem_unlock(obj);
    +		return -ENOMEM;
    +	}
    +
     	msm_gem_unlock(obj);
     
     	if (*metadata_size < len) {
    @@ -548,7 +553,7 @@ static int msm_ioctl_gem_info_get_metadata(struct drm_gem_object *obj,
     
     	kfree(buf);
     
    -	return 0;
    +	return ret;
     }
     
     static int msm_ioctl_gem_info(struct drm_device *dev, void *data,
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

Root cause

"Missing error propagation and missing NULL-pointer check in msm_ioctl_gem_info_get_metadata()."

Attack vector

An attacker with access to the DRM device can invoke the `DRM_MSM_GEM_INFO` ioctl with the metadata flag. If the user-provided buffer is too small (causing `copy_to_user()` to fail) or if a kernel memory allocation via `kmemdup()` fails, the function previously returned 0, making userspace believe the operation succeeded. Additionally, a NULL pointer dereference could occur when `kmemdup()` returns NULL and the result is passed directly to `copy_to_user()` [patch_id=2897727].

Affected code

The vulnerable function is `msm_ioctl_gem_info_get_metadata()` in `drivers/gpu/drm/msm/msm_drv.c` [patch_id=2897727]. The function unconditionally returned 0 at the end, ignoring the error code stored in `ret`, and lacked a NULL check on the return value of `kmemdup()`.

What the fix does

The patch makes two changes in `msm_ioctl_gem_info_get_metadata()` [patch_id=2897727]. First, it adds a NULL check after `kmemdup()` — if allocation fails, the function unlocks the GEM object and returns `-ENOMEM`. Second, it changes the final `return 0` to `return ret`, so that errors from `copy_to_user()` or the buffer-size check are properly propagated to the caller instead of being silently ignored.
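The two defects and the fix, as an added userspace simulation in C that is not part of this page or the msm driver: a single function body runs either the pre-patch flow (no NULL check, unconditional `return 0`) or the patched flow (NULL check plus `return ret`) against fault-injecting stand-ins for `kmemdup()` and `copy_to_user()`. Everything here is constructed: `struct fake_gem`, `fake_kmemdup()`, `fake_copy_to_user()`, the `fail_alloc`/`fail_copy` switches and the sample metadata blob. The hunk on this page does not show which error code the real function stores when the caller's buffer is too small; the example assumes `-ETOOSMALL` (a kernel-internal errno that libc does not define, hence the guarded `#define`).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ETOOSMALL lives in the kernel's include/linux/errno.h, not in libc. */
#ifndef ETOOSMALL
#define ETOOSMALL 525
#endif

/* Constructed stand-in for the GEM object: a metadata blob and its size. */
struct fake_gem {
    const unsigned char *metadata;
    size_t metadata_size;
};

/* Constructed sample metadata (8 bytes). */
static const unsigned char sample_blob[8] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };
static const struct fake_gem sample = { sample_blob, sizeof(sample_blob) };

/* Fault-injection switches standing in for kmemdup() and copy_to_user() failing. */
static bool fail_alloc;
static bool fail_copy;
static int null_src_derefs;   /* how often copy_to_user() was handed a NULL source */

/* Stand-in for kmemdup(): NULL when the allocation "fails". */
static void *fake_kmemdup(const void *src, size_t len)
{
    void *p;
    if (fail_alloc)
        return NULL;
    p = malloc(len ? len : 1);
    if (p)
        memcpy(p, src, len);
    return p;
}

/* Returns the number of bytes NOT copied, like copy_to_user(). A NULL source is
 * counted instead of dereferenced; in the kernel it would be an oops. */
static unsigned long fake_copy_to_user(void *dst, const void *src, size_t len)
{
    if (src == NULL) {
        null_src_derefs++;
        return len;
    }
    if (fail_copy)
        return len;
    memcpy(dst, src, len);
    return 0;
}

/* One body for both variants: fixed == false reproduces the pre-patch flow,
 * fixed == true applies the two changes from the patch. */
static int get_metadata(const struct fake_gem *obj, void *ubuf,
                        size_t *metadata_size, bool fixed)
{
    size_t len = obj->metadata_size;
    int ret = 0;   /* in the driver this is the 0 returned by the lock call */
    void *buf = fake_kmemdup(obj->metadata, len);

    if (fixed && !buf)
        return -ENOMEM;            /* the added NULL check (kernel also unlocks here) */

    if (*metadata_size < len)
        ret = -ETOOSMALL;          /* assumption: error code used by the real function */
    else if (fake_copy_to_user(ubuf, buf, len))
        ret = -EFAULT;
    else
        *metadata_size = len;

    free(buf);
    return fixed ? ret : 0;        /* pre-patch: whatever is in ret is discarded */
}

/* Runs one call with the given caller buffer size and fault switches. */
static int run(bool fixed, size_t ubuf_len, bool alloc_fails, bool copy_fails, size_t *out_len)
{
    unsigned char ubuf[16];
    size_t sz = ubuf_len;
    int ret;

    fail_alloc = alloc_fails;
    fail_copy = copy_fails;
    null_src_derefs = 0;
    ret = get_metadata(&sample, ubuf, &sz, fixed);
    if (out_len)
        *out_len = sz;
    return ret;
}

/* Scenarios: success returns the reported length, the others the return code. */
int scenario_success(bool fixed)       { size_t n; int r = run(fixed, 16, false, false, &n); return r ? r : (int)n; }
int scenario_small_buffer(bool fixed)  { return run(fixed, 4, false, false, NULL); }
int scenario_copy_fault(bool fixed)    { return run(fixed, 16, false, true, NULL); }
int scenario_alloc_failure(bool fixed) { return run(fixed, 16, true, false, NULL); }
int null_derefs_seen(void)             { return null_src_derefs; }

int main(void)
{
    const char *names[] = { "pre-patch", "patched" };
    for (int fixed = 0; fixed < 2; fixed++) {
        int nomem = scenario_alloc_failure(fixed);
        printf("%-9s success=%d small=%d fault=%d nomem=%d (NULL handed to copy_to_user: %d)\n",
               names[fixed], scenario_success(fixed), scenario_small_buffer(fixed),
               scenario_copy_fault(fixed), nomem, null_derefs_seen());
    }
    return 0;
}
```

The pre-patch variant reports 0 for the too-small buffer and the copy fault, so a caller cannot tell that its buffer holds nothing useful, and on allocation failure it hands a NULL source to the copy routine, which the simulation records where the kernel would crash. The patched variant returns the stored error code and stops at `-ENOMEM` before the copy.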

Preconditions

  • auth: Attacker must have access to the DRM device (e.g., /dev/dri/card*) to issue DRM_MSM_GEM_INFO ioctls.
  • config: The kernel must be built with CONFIG_DRM_MSM enabled.
  • auth: No special privileges beyond file-level access to the DRM device are required.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
