Reviewed-by: Deepak Rawat <drawat@xxxxxxxxxx>

On Thu, 2019-01-31 at 10:52 +0100, Thomas Hellstrom wrote:
> If vmw_execbuf_fence_commands() fails, the handle value will be
> uninitialized and a bogus fence handle might be copied to user-space.
>
> Fixes: 2724b2d54cda: ("drm/vmwgfx: Use new validation interface for the modesetting code v2")
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Signed-off-by: Thomas Hellstrom <thellstrom@xxxxxxxxxx>
> Reviewed-by: Brian Paul <brianp@xxxxxxxxxx> #v1
> Reviewed-by: Sinclair Yeh <syeh@xxxxxxxxxx> #v1
> ---
> v2: Also initialize the ret local variable, to silence compilation
> warnings.
> Call vmw_execbuf_copy_fence_user regardless of the value of ret, to
> propagate the correct error code to user-space.
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > index b351fb5214d3..5e257a600cea 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > @@ -2554,8 +2554,8 @@ void vmw_kms_helper_validation_finish(struct > vmw_private *dev_priv, > user_fence_rep) > { > struct vmw_fence_obj *fence = NULL; > - uint32_t handle; > - int ret; > + uint32_t handle = 0; > + int ret = 0; > > if (file_priv || user_fence_rep || vmw_validation_has_bos(ctx) > || > out_fence)
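
Review bot: The `handle = 0` initializer at the top of vmw_kms_helper_validation_finish() stops stack garbage from reaching user-space, but nothing in the visible lines documents that 0 is the value user-space should read as "no fence" when vmw_execbuf_fence_commands() fails. A short comment on the declaration, or a named invalid-handle constant, would make that contract explicit. Separately, the v2 note says vmw_execbuf_copy_fence_user is now called regardless of ret, yet the diffstat is 2 insertions and 2 deletions and the hunk only changes the two initializers. The changelog should either state that the call site was already unconditional or the hunk that makes it so is missing. Also consider whether `ret = 0` added only to silence a warning could hide a path where ret is never assigned and a failure is then reported to user-space as success.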