drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() [Linux 4.14.128]

The Linux kernel change "drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()" is included in the Linux 4.14.128 release. It was authored by Murray McAllister <murray.mcallister [at] gmail.com> on Sat May 11 18:01:37 2019 +1200. The commit for this change in the Linux stable tree is 095b1de, which is from upstream commit bcd6aa7. The same upstream change may have been applied to other maintained Linux releases.

drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()

commit bcd6aa7b6cbfd6f985f606c6f76046d782905820 upstream.

If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface
ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after
vmw_cmd_res_check(), leading to a null pointer dereference in

Cc: <[email protected]>
Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
Signed-off-by: Murray McAllister <[email protected]>
Reviewed-by: Thomas Hellstrom <[email protected]>
Signed-off-by: Thomas Hellstrom <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

This change adds or deletes 4 lines of Linux source code. The code changes to the Linux kernel are as follows.

 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index d4865ec..dc677ba 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2735,6 +2735,10 @@ static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv,
    if (view_type == vmw_view_max)
        return -EINVAL;
    cmd = container_of(header, typeof(*cmd), header);
+   if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) {
+       DRM_ERROR("Invalid surface id.\n");
+       return -EINVAL;
+   }
    ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
                &cmd->sid, &srf_node);
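
Review bot: The new `cmd->sid == SVGA3D_INVALID_ID` test rejects the one id named in the commit message, but the visible context ends at the `vmw_cmd_res_check()` call and shows no check that `srf_node` is non-NULL afterwards, so the function still depends on that helper filling the node in on every other successful path. Consider testing the returned node for NULL after the call as well, or at least adding a short comment above the new check stating that `vmw_cmd_res_check()` can return success without setting the node for `SVGA3D_INVALID_ID`, so the reason for the early return is documented next to it. Separately, the surface id is taken from the submitted command, so the unconditional `DRM_ERROR("Invalid surface id.\n")` can be triggered repeatedly by resubmitting the same command and fill the kernel log; a rate-limited or debug-level message would avoid that.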
