There have been reports [1][2] that vmw_cmd_dx_define_query() can be called with ctx_node->ctx set to NULL, which results in undefined behavior in vmw_context_cotable(). Avoid this by returning an errno code.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index 6b9aa2b4ef54..1e90362add96 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private *dev_priv, struct vmw_resource *cotable_res; int ret;
- if (!ctx_node) + if (!ctx_node || !ctx_node->ctx) return -EINVAL;
cmd = container_of(header, typeof(*cmd), header);
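Review bot: returning -EINVAL silently when ctx_node->ctx is NULL hides exactly the state the commit message describes as undefined behaviour in vmw_context_cotable(), so the reported condition becomes harder, not easier, to diagnose; consider pairing the new `|| !ctx_node->ctx` test with a WARN_ON_ONCE() (or the driver's user-debug logging) so that a hit is recorded along with the failed submission. Since the dereference itself happens inside vmw_context_cotable(), it is also worth asking whether the guard belongs there, covering every caller that passes ctx_node->ctx, rather than only in vmw_cmd_dx_define_query(). Minor: the commit message reads "Avoid this be returning"; that should be "by".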
On Wed, 2023-03-01 at 17:07 +0100, Thomas Zimmermann wrote:
There have been reports [1][2] that vmw_cmd_dx_define_query() can be called with ctx_node->ctx set to NULL, which results in undefined behavior in vmw_context_cotable(). Avoid this by returning an errno code.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://www.cve.org/CVERecord?id=CVE-2022-38096 # 1
Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 # 2
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index 6b9aa2b4ef54..1e90362add96 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -1256,7 +1256,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private *dev_priv, struct vmw_resource *cotable_res; int ret; - if (!ctx_node) + if (!ctx_node || !ctx_node->ctx) return -EINVAL;
I've seen this report, but never a PoC that could reproduce it. This should never happen; the ctx in ctx_node should have been initialized. To be honest, I'd prefer to just figure out how it's uninitialised instead of just checking for something that should be impossible, but without a reproducible test that's difficult.
z
linux-stable-mirror@lists.linaro.org