[thirdparty/kernel/stable-queue.git] / pending-5.1 / drm-vmwgfx-null-pointer-dereference-from-vmw_cmd_dx_view_define.patch

From bcd6aa7b6cbfd6f985f606c6f76046d782905820 Mon Sep 17 00:00:00 2001
From: Murray McAllister <murray.mcallister@gmail.com>
Date: Sat, 11 May 2019 18:01:37 +1200
Subject: drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()

From: Murray McAllister <murray.mcallister@gmail.com>

commit bcd6aa7b6cbfd6f985f606c6f76046d782905820 upstream.

If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface
ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after
vmw_cmd_res_check(), leading to a null pointer dereference in
vmw_view_add().

Cc: <stable@vger.kernel.org>
Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2588,6 +2588,10 @@ static int vmw_cmd_dx_view_define(struct
 	if (view_type == vmw_view_max)
 		return -EINVAL;
 	cmd = container_of(header, typeof(*cmd), header);
+	if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) {
+		DRM_ERROR("Invalid surface id.\n");
+		return -EINVAL;
+	}
 	ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
 				user_surface_converter,
 				&cmd->sid, &srf);
Commit	Line	Data
736b3957 GKH	1	From bcd6aa7b6cbfd6f985f606c6f76046d782905820 Mon Sep 17 00:00:00 2001
	2	From: Murray McAllister <murray.mcallister@gmail.com>
	3	Date: Sat, 11 May 2019 18:01:37 +1200
	4	Subject: drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
	5
	6	From: Murray McAllister <murray.mcallister@gmail.com>
	7
	8	commit bcd6aa7b6cbfd6f985f606c6f76046d782905820 upstream.
	9
	10	If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface
	11	ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after
	12	vmw_cmd_res_check(), leading to a null pointer dereference in
	13	vmw_view_add().
	14
	15	Cc: <stable@vger.kernel.org>
	16	Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
	17	Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
	18	Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
	19	Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22
	23	---
	24	drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c \| 4 ++++
	25	1 file changed, 4 insertions(+)
	26
	27	--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
	28	+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
	29	@@ -2588,6 +2588,10 @@ static int vmw_cmd_dx_view_define(struct
	30	if (view_type == vmw_view_max)
	31	return -EINVAL;
	32	cmd = container_of(header, typeof(*cmd), header);
	33	+ if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) {
	34	+ DRM_ERROR("Invalid surface id.\n");
	35	+ return -EINVAL;
	36	+ }
	37	ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
	38	user_surface_converter,
	39	&cmd->sid, &srf);