releases/5.1.12/drm-vmwgfx-null-pointer-dereference-from-vmw_cmd_dx_view_define.patch

   1 From bcd6aa7b6cbfd6f985f606c6f76046d782905820 Mon Sep 17 00:00:00 2001
   2 From: Murray McAllister <murray.mcallister@gmail.com>
   3 Date: Sat, 11 May 2019 18:01:37 +1200
   4 Subject: drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
   5
   6 From: Murray McAllister <murray.mcallister@gmail.com>
   7
   8 commit bcd6aa7b6cbfd6f985f606c6f76046d782905820 upstream.
   9
  10 If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface
  11 ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after
  12 vmw_cmd_res_check(), leading to a null pointer dereference in
  13 vmw_view_add().
  14
  15 Cc: <stable@vger.kernel.org>
  16 Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
  17 Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
  18 Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
  19 Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
  20 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21
  22
  23 ---
  24  drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    4 ++++
  25  1 file changed, 4 insertions(+)
  26
  27 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
  28 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
  29 @@ -2588,6 +2588,10 @@ static int vmw_cmd_dx_view_define(struct
  30         if (view_type == vmw_view_max)
  31                 return -EINVAL;
  32         cmd = container_of(header, typeof(*cmd), header);
  33 +       if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) {
  34 +               DRM_ERROR("Invalid surface id.\n");
  35 +               return -EINVAL;
  36 +       }
  37         ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
  38                                 user_surface_converter,
  39                                 &cmd->sid, &srf);