From patchwork Tue May 21 08:25:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Hellstrom X-Patchwork-Id: 10953157 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0BA33924 for ; Tue, 21 May 2019 08:25:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F027B2880B for ; Tue, 21 May 2019 08:25:06 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E447A28879; Tue, 21 May 2019 08:25:06 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 99F822880B for ; Tue, 21 May 2019 08:25:06 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 1B2968925F; Tue, 21 May 2019 08:25:05 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-eopbgr730063.outbound.protection.outlook.com [40.107.73.63]) by gabe.freedesktop.org (Postfix) with ESMTPS id 7FC168925F for ; Tue, 21 May 2019 08:25:03 +0000 (UTC) Received: from MN2PR05MB6141.namprd05.prod.outlook.com (20.178.241.217) by MN2PR05MB6384.namprd05.prod.outlook.com (20.178.246.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.12; Tue, 21 May 2019 08:25:01 +0000 Received: from MN2PR05MB6141.namprd05.prod.outlook.com ([fe80::c19e:e8f8:b151:9ad]) by MN2PR05MB6141.namprd05.prod.outlook.com ([fe80::c19e:e8f8:b151:9ad%6]) with mapi id 15.20.1922.013; Tue, 21 May 2019 08:25:01 +0000 From: Thomas Hellstrom To: "dri-devel@lists.freedesktop.org" Subject: [PATCH 5/6] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() Thread-Topic: [PATCH 5/6] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() Thread-Index: AQHVD66vMx659dgbLkCRMkI5Y/UGAg== Date: Tue, 21 May 2019 08:25:01 +0000 Message-ID: <20190521082345.27286-5-thellstrom@vmware.com> References: <20190521082345.27286-1-thellstrom@vmware.com> In-Reply-To: <20190521082345.27286-1-thellstrom@vmware.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: VI1PR08CA0156.eurprd08.prod.outlook.com (2603:10a6:800:d5::34) To MN2PR05MB6141.namprd05.prod.outlook.com (2603:10b6:208:c7::25) x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 2.20.1 x-originating-ip: [155.4.205.35] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 8e580b37-bb83-4a6b-bd4b-08d6ddc5d13b x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:MN2PR05MB6384; x-ms-traffictypediagnostic: MN2PR05MB6384: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:765; x-forefront-prvs: 0044C17179 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(366004)(136003)(396003)(376002)(346002)(39860400002)(199004)(189003)(25786009)(6116002)(8676002)(305945005)(14454004)(5660300002)(3846002)(476003)(54906003)(11346002)(81156014)(26005)(486006)(81166006)(256004)(68736007)(76176011)(71200400001)(8936002)(7736002)(6916009)(1076003)(478600001)(2616005)(446003)(71190400001)(66476007)(66556008)(64756008)(66446008)(73956011)(36756003)(6512007)(86362001)(66946007)(2906002)(66066001)(186003)(53936002)(52116002)(50226002)(316002)(4326008)(2501003)(102836004)(386003)(6506007)(99286004)(5640700003)(6436002)(2351001)(107886003)(6486002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR05MB6384; H:MN2PR05MB6141.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: vmware.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: LY+BeyGKqj8Ay1+6S1TERchrjOpD0uNDKl7EA2GWXqT4vjSRtg0dQ09rAyV+jpbIR55CBTiSOFcvN9JzcVNImxyO9+TJSmMKjLF3ToXYGV0SS4M6Flt4qUPfVfBuwJo0A0lXf7AAvtnozvEnIC87jwA8oSBVhqgVfn7MOA34jIjeu5//g7ZV6uFnZ4fuRwFIb0jRJLvPpvIs3TpkLSkzV4fjnwdTgFKX369KOVE1dadQY7yAtdb9yi7ZEVKcdPJEJ7sEYakOz3lb8PVY2i7XXGguGiLSySVGRCRmn2PnnBQc5Xm4oTIkSyo/IvSBOPNzkd7mlea5RKP068Oy/M45kmnP+kEIheFsy3PiyGzw8/up9jW3Aa+iM8+R/6nndCja7vow249L7BJy3udIgaEciJqm72xaUyAgQnKGTQ5sMts= MIME-Version: 1.0 X-OriginatorOrg: vmware.com X-MS-Exchange-CrossTenant-Network-Message-Id: 8e580b37-bb83-4a6b-bd4b-08d6ddc5d13b X-MS-Exchange-CrossTenant-originalarrivaltime: 21 May 2019 08:25:01.3250 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: thellstrom@vmware.com X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR05MB6384 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vmware.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GABHx8R42T9goBZkKnieCdLu7mt10L9I2fFPKfU7Y7Y=; b=gZBr978a03Has6HpYQXV5cKhPq4C1fA/WhSqo5EGzkWoQwcI2SveONACofqpyvG4CZqgyfe7TE9B1RbgLSHu0fosozCQF1U0+MXc5wsOkDManegd0ed4bPUNSot9E01OPVFBOvcNDr8pxmDw8JzOOKNx+9mmKc5SYSAmnhtHxR4= X-Mailman-Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=thellstrom@vmware.com; X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Murray McAllister , Thomas Hellstrom , "stable@vger.kernel.org" Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Murray McAllister If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after vmw_cmd_res_check(), leading to a null pointer dereference in vmw_view_add(). Cc: Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Signed-off-by: Murray McAllister Reviewed-by: Thomas Hellstrom Signed-off-by: Thomas Hellstrom --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index 315f9efce765..b4c7553d2814 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -2427,6 +2427,10 @@ static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv, return -EINVAL; cmd = container_of(header, typeof(*cmd), header); + if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) { + VMW_DEBUG_USER("Invalid surface id.\n"); + return -EINVAL; + } ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, VMW_RES_DIRTY_NONE, user_surface_converter, &cmd->sid, &srf);