On 7/7/23 05:53, Dmitry Osipenko wrote:
> On 7/7/23 05:49, Dmitry Osipenko wrote:
>> On 6/28/23 18:58, Gurchetan Singh wrote:
>>> @@ -168,9 +168,13 @@ static int virtio_gpu_init_submit(struct virtio_gpu_submit *submit,
>>>
>>> memset(submit, 0, sizeof(*submit));
>>>
>>> - out_fence = virtio_gpu_fence_alloc(vgdev, fence_ctx, ring_idx);
>>> - if (!out_fence)
>>> - return -ENOMEM;
>>> + if ((exbuf->flags & VIRTGPU_EXECBUF_FENCE_FD_OUT) ||
>>> + ((exbuf->flags & VIRTGPU_EXECBUF_RING_IDX) &&
>>> + (vfpriv->ring_idx_mask & BIT_ULL(ring_idx))) ||
>>
>> Looks like there is a problem here. The virtio_gpu_fence_event_create()
>> doesn't check whether the VIRTGPU_EXECBUF_RING_IDX flag is set, so it's
>> possible to trigger a NULL-deref in that function if userspace sets
>> ring_idx_mask=1. Perhaps virtio_gpu_fence_event_create() needs to be
>> changed to check the flag's presence.
>
> Or check whether fence is NULL

Actually, maybe this code shouldn't check the VIRTGPU_EXECBUF_RING_IDX flag at all.
This flag tells which ring to use for submission, but not which ring to poll.
Please check and correct it in v3.

--
Best regards,
Dmitry
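Review bot: the predicate that now gates the fence allocation in the virtio_gpu_init_submit() hunk (`(exbuf->flags & VIRTGPU_EXECBUF_RING_IDX) && (vfpriv->ring_idx_mask & BIT_ULL(ring_idx))`) is not the same test the thread says virtio_gpu_fence_event_create() applies (ring_idx_mask alone), and since the hunk removes the unconditional `out_fence = virtio_gpu_fence_alloc(...)` / `if (!out_fence) return -ENOMEM;`, every later consumer that assumed a non-NULL out_fence now depends on the two sites agreeing. Whichever way v3 settles the question of whether VIRTGPU_EXECBUF_RING_IDX belongs in the condition, put the decision in one helper (or one stored boolean in the submit struct) that both the allocation and the event creation use, and have the event path tolerate a NULL fence as a belt-and-braces check. The hunk is cut off after the trailing `||`, so v3 should also confirm that the remaining branch of the condition and the -ENOMEM error path for a failed allocation survive the move.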