author | Sinclair Yeh <syeh@vmware.com> | 2017-06-02 01:50:57 -0400 |
---|---|---|
committer | Thomas Hellstrom <thellstrom@vmware.com> | 2017-06-07 06:07:35 -0400 |
commit | 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c (patch) | |
tree | 672fc9dfc28889f99da13104524ec09b7a7fb6ff | |
parent | f0c62e9878024300319ba2438adc7b06c6b9c448 (diff) |
drm/vmwgfx: Make sure backup_handle is always valid
When vmw_gb_surface_define_ioctl() is called with an existing buffer,
we end up returning an uninitialized variable in the backup_handle.
The fix is to first initialize backup_handle to 0 just to be sure, and
second, when a user-provided buffer is found, we will use the
req->buffer_handle as the backup_handle.
Cc: <stable@vger.kernel.org>
Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
Signed-off-by: Sinclair Yeh <syeh@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
-rw-r--r-- | drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 |
1 files changed, 11 insertions, 7 deletions
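--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -1274,7 +1274,7 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
 struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
 int ret;
 uint32_t size;
-uint32_t backup_handle;
+uint32_t backup_handle = 0;
 
 if (req->multisample_count != 0)
 return -EINVAL;
@@ -1317,12 +1317,16 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
 ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle,
 &res->backup,
 &user_srf->backup_base);
-if (ret == 0 && res->backup->base.num_pages * PAGE_SIZE <
-res->backup_size) {
-DRM_ERROR("Surface backup buffer is too small.\n");
-vmw_dmabuf_unreference(&res->backup);
-ret = -EINVAL;
-goto out_unlock;
+if (ret == 0) {
+if (res->backup->base.num_pages * PAGE_SIZE <
+res->backup_size) {
+DRM_ERROR("Surface backup buffer is too small.\n");
+vmw_dmabuf_unreference(&res->backup);
+ret = -EINVAL;
+goto out_unlock;
+} else {
+backup_handle = req->buffer_handle;
+}
 }
 } else if (req->drm_surface_flags & drm_vmw_surface_flag_create_buffer)
 ret = vmw_user_dmabuf_alloc(dev_priv, tfile,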
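Review bot: The `} else {` branch that sets `backup_handle` follows a branch that always exits through `goto out_unlock`, so the `else` is redundant; placing `backup_handle = req->buffer_handle;` directly after the size check's closing brace gives the same behaviour with one less nesting level. The `= 0` initializer in the first hunk is what protects any path that assigns nothing, and since the commit message says the value is returned to the caller, a comment at the declaration such as `/* returned to user space; must never hold stack garbage */` would keep a later cleanup from dropping it. The copy-out of `backup_handle` and the rest of vmw_gb_surface_define_ioctl() lie outside the visible hunks, so whether callers treat 0 as "no buffer" is not confirmed here.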