Re: [PATCH v2] drm/virtio: conditionally allocate virtio_gpu_fence

On 7/7/23 05:49, Dmitry Osipenko wrote:
> On 6/28/23 18:58, Gurchetan Singh wrote:
>> @@ -168,9 +168,13 @@ static int virtio_gpu_init_submit(struct virtio_gpu_submit *submit,
>>  
>>  	memset(submit, 0, sizeof(*submit));
>>  
>> -	out_fence = virtio_gpu_fence_alloc(vgdev, fence_ctx, ring_idx);
>> -	if (!out_fence)
>> -		return -ENOMEM;
>> +	if ((exbuf->flags & VIRTGPU_EXECBUF_FENCE_FD_OUT) ||
>> +	    ((exbuf->flags & VIRTGPU_EXECBUF_RING_IDX) &&
>> +	    (vfpriv->ring_idx_mask & BIT_ULL(ring_idx))) ||
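
Review bot: with the allocation moved under the
"if ((exbuf->flags & VIRTGPU_EXECBUF_FENCE_FD_OUT) || ..." test, out_fence
is no longer guaranteed to be non-NULL past this point, so every later
user of the fence has to check the pointer or re-test the same flag and
mask condition. The removed lines also carried the
"if (!out_fence) return -ENOMEM;" check: keep it inside the new branch so
an allocation failure stays distinguishable from "no fence requested",
and make sure out_fence is explicitly NULL on the path that skips the
allocation. Style: the "(vfpriv->ring_idx_mask & BIT_ULL(ring_idx))) ||"
continuation should be indented one more column so it lines up inside
the "((exbuf->flags & VIRTGPU_EXECBUF_RING_IDX) &&" parenthesis it
belongs to.
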
> 
> Looks like there is a problem here. The virtio_gpu_fence_event_create()
> doesn't check whether VIRTGPU_EXECBUF_RING_IDX flag is set, so it's
> possible to trigger NULL-deref in that function if userspace sets
> ring_idx_mask=1. Perhaps virtio_gpu_fence_event_create() needs to be
> changed to check the flag presence.

Or check whether fence is NULL

-- 
Best regards,
Dmitry



