New subject: [PATCH 2/2] drm/vmwgfx: Also check for crtc status while checking for DU active

29 Jan 2019

if vmw_execbuf_fence_commands() fails, The handle value will be
uninitialized and a bogus fence handle might be copied to user-space.
Cc: stable@vger.kernel.org
Fixes: 2724b2d54cda: ("drm/vmwgfx: Use new validation interface for the modesetting code v2")
Reported-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: Thomas Hellstrom thellstrom@vmware.com
Reviewed-by: Brian Paul brianp@vmware.com
Reviewed-by: Sinclair Yeh syeh@vmware.com
---
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index b351fb5214d3..3330bc89f1b9 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -2554,7 +2554,7 @@ void vmw_kms_helper_validation_finish(struct vmw_private *dev_priv,
    			      user_fence_rep)
 {
    struct vmw_fence_obj *fence = NULL;
-	uint32_t handle;
+	uint32_t handle = 0;
    int ret;
if (file_priv || user_fence_rep || vmw_validation_has_bos(ctx) ||
@@ -2562,7 +2562,7 @@ void vmw_kms_helper_validation_finish(struct vmw_private *dev_priv,
    	ret = vmw_execbuf_fence_commands(file_priv, dev_priv, &fence,
    					 file_priv ? &handle : NULL);
    vmw_validation_done(ctx, fence);
-	if (file_priv)
+	if (file_priv && !ret)
    	vmw_execbuf_copy_fence_user(dev_priv, vmw_fpriv(file_priv),
    				    ret, user_fence_rep, fence,
    				    handle, -1, NULL);
-- 
2.19.0.rc1


    

[PATCH 1/2] drm/vmwgfx: Fix an uninitialized fence handle value