Fix use after free in get_capset_info callback.

If a response to virtio_gpu_cmd_get_capset_info takes longer than five seconds to return, the callback will access freed kernel memory in vg->capsets. Signed-off-by: Doug Horn <doughorn@google.com> Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
author: Doug Horn <doughorn@google.com> 2020-09-02 23:08:25 +0200
committer: Gerd Hoffmann <kraxel@redhat.com> 2020-09-09 08:54:14 +0200
commit: e219688fc5c3d0d9136f8d29d7e0498388f01440 (patch)
tree: 5dec56331a6d437fcba1220979a6a82c6dfb3116 /drivers/gpu/drm/virtio/virtgpu_kms.c
parent: drm: allow limiting the scatter list size. (diff)
download: linux-e219688fc5c3d0d9136f8d29d7e0498388f01440.tar.xz
linux-e219688fc5c3d0d9136f8d29d7e0498388f01440.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
index 75d0dc2f6d28..5ba389e0a02f 100644
--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
+++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
@@ -80,8 +80,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev,
 					 vgdev->capsets[i].id > 0, 5 * HZ);
 		if (ret == 0) {
 			DRM_ERROR("timed out waiting for cap set %d\n", i);
+			spin_lock(&vgdev->display_info_lock);
 			kfree(vgdev->capsets);
 			vgdev->capsets = NULL;
+			spin_unlock(&vgdev->display_info_lock);
 			return;
 		}
 		DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",
author	Doug Horn <doughorn@google.com>	2020-09-02 23:08:25 +0200
committer	Gerd Hoffmann <kraxel@redhat.com>	2020-09-09 08:54:14 +0200
commit	e219688fc5c3d0d9136f8d29d7e0498388f01440 (patch)
tree	5dec56331a6d437fcba1220979a6a82c6dfb3116 /drivers/gpu/drm/virtio/virtgpu_kms.c
parent	drm: allow limiting the scatter list size. (diff)
download	linux-e219688fc5c3d0d9136f8d29d7e0498388f01440.tar.xz linux-e219688fc5c3d0d9136f8d29d7e0498388f01440.zip