Fix use after free in get_capset_info callback.

[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ]

If a response to virtio_gpu_cmd_get_capset_info takes longer than
five seconds to return, the callback will access freed kernel memory
in vg->capsets.

Signed-off-by: Doug Horn <doughorn@google.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
index 6400506a06b07036d77be04cdb6cb9fe567a7419..bed450fbb21681a9481c1700daff4262c4a887e3 100644 (file)
--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
+++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
@@ -113,8 +113,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev,
                                         vgdev->capsets[i].id > 0, 5 * HZ);
                if (ret == 0) {
                        DRM_ERROR("timed out waiting for cap set %d\n", i);
+                       spin_lock(&vgdev->display_info_lock);
                        kfree(vgdev->capsets);
                        vgdev->capsets = NULL;
+                       spin_unlock(&vgdev->display_info_lock);
                        return;
                }
                DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",

diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
index a3be65e689fd255b00981eae99013898a316864e..a956c73ea85e51335caad51bae56923af90eb701 100644 (file)
--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
+++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
@@ -563,9 +563,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev,
        int i = le32_to_cpu(cmd->capset_index);
 
        spin_lock(&vgdev->display_info_lock);
-       vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
-       vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
-       vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
+       if (vgdev->capsets) {
+               vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
+               vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
+               vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
+       } else {
+               DRM_ERROR("invalid capset memory.");
+       }
        spin_unlock(&vgdev->display_info_lock);
        wake_up(&vgdev->resp_wq);
 }