Reviewed-by: Deepak Rawat drawat@vmware.com
On Thu, 2019-01-31 at 10:52 +0100, Thomas Hellstrom wrote:
if vmw_execbuf_fence_commands() fails, The handle value will be uninitialized and a bogus fence handle might be copied to user-space.
Fixes: 2724b2d54cda: ("drm/vmwgfx: Use new validation interface for the modesetting code v2") Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Thomas Hellstrom thellstrom@vmware.com Reviewed-by: Brian Paul brianp@vmware.com #v1 Reviewed-by: Sinclair Yeh syeh@vmware.com #v1
v2: Also initialize the ret local variable, to silence compilatior warnings. Call vmw_execbuf_copy_fence_user regardless of the value of ret, to propagate the correct error code to user-space.
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index b351fb5214d3..5e257a600cea 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -2554,8 +2554,8 @@ void vmw_kms_helper_validation_finish(struct vmw_private *dev_priv, user_fence_rep) { struct vmw_fence_obj *fence = NULL;
- uint32_t handle;
- int ret;
uint32_t handle = 0;
int ret = 0;
if (file_priv || user_fence_rep || vmw_validation_has_bos(ctx)
|| out_fence)