From: Murray McAllister
Cc: murray.mcallister@gmail.com, VMware Graphics, Thomas Hellstrom, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
Date: Sat, 11 May 2019 18:01:37 +1200
Message-Id: <20190511060138.20592-1-murray.mcallister@gmail.com>

If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after vmw_cmd_res_check(), leading to a null pointer dereference in vmw_view_add().

Signed-off-by: Murray McAllister

--- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index 2ff7ba04d8c8..447afd086206 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2414,6 +2414,10 @@ static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv, return -EINVAL; cmd = container_of(header, typeof(*cmd), header); + if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) { + DRM_ERROR("Invalid surface id.\n"); + return -EINVAL; + } ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, VMW_RES_DIRTY_NONE, user_surface_converter, &cmd->sid, &srf); -- 2.20.1
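Review bot: the added test `if (unlikely(cmd->sid == SVGA3D_INVALID_ID))` in vmw_cmd_dx_view_define() guards one input value ahead of vmw_cmd_res_check(), while the failure the commit message describes is srf still being NULL after that call. Checking the result instead, for example `if (unlikely(!srf))` after the existing handling of ret, would tie the guard to the pointer that vmw_view_add() goes on to use and would not depend on SVGA3D_INVALID_ID being the only value that leaves srf unset; if the ID check is kept, a short comment stating why vmw_cmd_res_check() returns success with srf untouched for this ID would help the next reader. Separately, `DRM_ERROR("Invalid surface id.\n")` fires on a value taken straight from the submitted command, so whoever submits commands can repeat it at will and fill the kernel log; a rate-limited or debug-level message would be safer here. The subject line names the bug rather than the change, and the message carries no Fixes: tag identifying the commit that introduced the dereference, which makes backport decisions harder.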