author | Alex Deucher <alexander.deucher@amd.com> | 2023-07-28 18:14:05 +0300 |
---|---|---|
committer | Alex Deucher <alexander.deucher@amd.com> | 2023-08-09 17:55:14 +0300 |
commit | 90e065677e0362a777b9db97ea21d43a39211399 (patch) | |
tree | c2d1a5e3e7497b188f4722e29625d5f0ff0b936f /drivers/gpu/drm/amd | |
parent | a73ea79a0c94bacfab4df23a1043644d14f56591 (diff) | |
download | linux-90e065677e0362a777b9db97ea21d43a39211399.tar.xz |
drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()

Since the gang_size check is outside of chunk parsing
loop, we need to reset i before we free the chunk data.

Suggested by Ye Zhang (@VAR10CK) of Baidu Security.

Reviewed-by: Guchun Chen <guchun.chen@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Diffstat (limited to 'drivers/gpu/drm/amd')
-rw-r--r-- | drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index 040f4cb6ab2d..fb78a8f47587 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -295,7 +295,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p, if (!p->gang_size) { ret = -EINVAL; - goto free_partial_kdata; + goto free_all_kdata; } for (i = 0; i < p->gang_size; ++i) { |
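Review bot: At `goto free_all_kdata;` in the `if (!p->gang_size)` branch, the reason for picking this label over `free_partial_kdata` is not recorded in the code, and the two are easy to swap back in a later edit. A one-line comment there, saying that `i` is stale once the chunk parsing loop has finished, would guard against that. The `for (i = 0; i < p->gang_size; ++i)` loop directly below reuses `i`, so any error exit from inside it needs the same care. The label bodies are outside this hunk, so it is worth confirming that `free_all_kdata` resets `i` to cover every chunk before the shared free path runs. The message carries `Cc: stable@vger.kernel.org` but no `Fixes:` tag; adding one would tell stable maintainers which trees contain the out-of-loop gang_size check.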