Fix use after free in get_capset_info callback.

[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ]

If a response to virtio_gpu_cmd_get_capset_info takes longer than
five seconds to return, the callback will access freed kernel memory
in vg->capsets.

Signed-off-by: Doug Horn <doughorn@google.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
index 0a5c8cf409fb854f65b09a2d04e44b39c0fe79a4..dc8cb8dfce58eb24fbe5a51ae25510f7b0c9c93d 100644 (file)
--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
+++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
@@ -80,8 +80,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev,
                                         vgdev->capsets[i].id > 0, 5 * HZ);
                if (ret == 0) {
                        DRM_ERROR("timed out waiting for cap set %d\n", i);
+                       spin_lock(&vgdev->display_info_lock);
                        kfree(vgdev->capsets);
                        vgdev->capsets = NULL;
+                       spin_unlock(&vgdev->display_info_lock);
                        return;
                }
                DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",

diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
index 9e663a5d9952684f154730b83ed1680b24f2d50b..2517450bf46bacb06029755953b4bb97260cfc00 100644 (file)
--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
+++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
@@ -684,9 +684,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev,
        int i = le32_to_cpu(cmd->capset_index);
 
        spin_lock(&vgdev->display_info_lock);
-       vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
-       vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
-       vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
+       if (vgdev->capsets) {
+               vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
+               vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
+               vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
+       } else {
+               DRM_ERROR("invalid capset memory.");
+       }
        spin_unlock(&vgdev->display_info_lock);
        wake_up(&vgdev->resp_wq);
 }