UPSTREAM: drm/virtio: Ensure cached capset entries are valid before copying.

virtio_gpu_get_caps_ioctl could return success with invalid data if a second caller to the function occurred after the entry was created in virtio_gpu_cmd_get_capset but prior to the virtio_gpu_cmd_capset_cb callback being called. This could leak contents of memory as well since the caps_cache allocation is done without zeroing. Signed-off-by: David Riley <davidriley@chromium.org> Link: http://patchwork.freedesktop.org/patch/msgid/20190605234423.11348-1-davidriley@chromium.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 7fdf478a43869bee27e1b50955830f6ebc730b67) Signed-off-by: Greg Hartman <ghartman@google.com> BUG: 139386237 Change-Id: I4b984184f3ad77cc48e2d449abc031d1dc8530bd
2019-06-05 16:44:20 -07:00 · 2019-06-05 16:44:20 -07:00 · bc371c3453
commit bc371c3453
parent 72ace7ce28
1 changed files with 1 additions and 2 deletions
--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
@ -524,7 +524,6 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,
 	list_for_each_entry(cache_ent, &vgdev->cap_cache, head) {
 		if (cache_ent->id == args->cap_set_id &&
 		    cache_ent->version == args->cap_set_ver) {
-			ptr = cache_ent->caps_cache;
 			spin_unlock(&vgdev->display_info_lock);
 			goto copy_exit;
 		}
@ -535,6 +534,7 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,
 	virtio_gpu_cmd_get_capset(vgdev, found_valid, args->cap_set_ver,
 				  &cache_ent);

+copy_exit:
 	ret = wait_event_timeout(vgdev->resp_wq,
 				 atomic_read(&cache_ent->is_valid), 5 * HZ);
 	if (!ret)
@ -545,7 +545,6 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,

 	ptr = cache_ent->caps_cache;

-copy_exit:
 	if (copy_to_user(u64_to_user_ptr(args->addr), ptr, size))
 		return -EFAULT;