diff options
| author | Alex Deucher <alexander.deucher@amd.com> | 2023-07-28 11:14:05 -0400 |
|---|---|---|
| committer | Alex Deucher <alexander.deucher@amd.com> | 2023-08-09 10:55:14 -0400 |
| commit | 90e065677e0362a777b9db97ea21d43a39211399 (patch) | |
| tree | c2d1a5e3e7497b188f4722e29625d5f0ff0b936f | |
| parent | a73ea79a0c94bacfab4df23a1043644d14f56591 (diff) | |
| download | linux-90e065677e0362a777b9db97ea21d43a39211399.tar.gz | |
drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()
Since the gang_size check is outside of chunk parsing
loop, we need to reset i before we free the chunk data.
Suggested by Ye Zhang (@VAR10CK) of Baidu Security.
Reviewed-by: Guchun Chen <guchun.chen@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
| -rw-r--r-- | drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index 040f4cb6ab2d0f..fb78a8f4758792 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -295,7 +295,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p, if (!p->gang_size) { ret = -EINVAL; - goto free_partial_kdata; + goto free_all_kdata; } for (i = 0; i < p->gang_size; ++i) { |