[PATCH 1/2] drm/vmwgfx: Fix an uninitialized fence handle value

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



if vmw_execbuf_fence_commands() fails, The handle value will be
uninitialized and a bogus fence handle might be copied to user-space.

Cc: <stable@xxxxxxxxxxxxxxx>
Fixes: 2724b2d54cda: ("drm/vmwgfx: Use new validation interface for the modesetting code v2")
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Thomas Hellstrom <thellstrom@xxxxxxxxxx>
Reviewed-by: Brian Paul <brianp@xxxxxxxxxx>
Reviewed-by: Sinclair Yeh <syeh@xxxxxxxxxx>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index b351fb5214d3..3330bc89f1b9 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -2554,7 +2554,7 @@ void vmw_kms_helper_validation_finish(struct vmw_private *dev_priv,
 				      user_fence_rep)
 {
 	struct vmw_fence_obj *fence = NULL;
-	uint32_t handle;
+	uint32_t handle = 0;
 	int ret;
 
 	if (file_priv || user_fence_rep || vmw_validation_has_bos(ctx) ||
@@ -2562,7 +2562,7 @@ void vmw_kms_helper_validation_finish(struct vmw_private *dev_priv,
 		ret = vmw_execbuf_fence_commands(file_priv, dev_priv, &fence,
 						 file_priv ? &handle : NULL);
 	vmw_validation_done(ctx, fence);
-	if (file_priv)
+	if (file_priv && !ret)
 		vmw_execbuf_copy_fence_user(dev_priv, vmw_fpriv(file_priv),
 					    ret, user_fence_rep, fence,
 					    handle, -1, NULL);
-- 
2.19.0.rc1




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux