1 From a2285dfad4c68beb9a8376fa2a2df905319b11fa Mon Sep 17 00:00:00 2001
2 From: Sinclair Yeh <syeh@vmware.com>
3 Date: Thu, 22 Jun 2017 17:28:14 +0200
4 Subject: [PATCH 3/5] drm/vmwgfx: Make sure backup_handle is always valid
6 When vmw_gb_surface_define_ioctl() is called with an existing buffer,
7 we end up returning an uninitialized variable in the backup_handle.
9 The fix is to first initialize backup_handle to 0 just to be sure, and
10 second, when a user-provided buffer is found, we will use the
11 req->buffer_handle as the backup_handle.
13 Cc: <stable@vger.kernel.org>
14 Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
15 Signed-off-by: Sinclair Yeh <syeh@vmware.com>
16 Reviewed-by: Deepak Rawat <drawat@vmware.com>
20 (cherry picked from commit 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c)
21 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
22 Acked-by: Colin Ian King <colin.king@canonical.com>
23 Acked-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
24 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
25 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
27 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 +++++++++++-------
28 1 file changed, 11 insertions(+), 7 deletions(-)
30 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
31 index 05fa092c942b..8da50fce3b77 100644
32 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
33 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
34 @@ -1275,7 +1275,7 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
35 struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
38 - uint32_t backup_handle;
39 + uint32_t backup_handle = 0;
41 if (req->multisample_count != 0)
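Review bot: The new `= 0` initializer on `backup_handle` has no comment explaining why it must stay or what 0 means to the caller. The commit message says this variable is returned to the caller, so a later cleanup that drops the initializer as redundant would bring back the disclosure of uninitialized stack contents. If 0 is indeed the "no backup buffer" value, I would add `/* Returned to user space; 0 = no backup buffer. Must never be left uninitialized. */` above the declaration. The function body starts before this hunk and continues past it, so whether 0 can be told apart from a valid handle cannot be confirmed from here.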
43 @@ -1315,12 +1315,16 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
44 ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle,
46 &user_srf->backup_base);
47 - if (ret == 0 && res->backup->base.num_pages * PAGE_SIZE <
49 - DRM_ERROR("Surface backup buffer is too small.\n");
50 - vmw_dmabuf_unreference(&res->backup);
54 + if (res->backup->base.num_pages * PAGE_SIZE <
56 + DRM_ERROR("Surface backup buffer is too small.\n");
57 + vmw_dmabuf_unreference(&res->backup);
61 + backup_handle = req->buffer_handle;
64 } else if (req->drm_surface_flags & drm_vmw_surface_flag_create_buffer)
65 ret = vmw_user_dmabuf_alloc(dev_priv, tfile,
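Review bot: `DRM_ERROR("Surface backup buffer is too small.\n")` stays at error level on a path the commit message describes as driven by a user-provided buffer. A caller that repeatedly passes an undersized `req->buffer_handle` can presumably flood the kernel log, so consider `DRM_ERROR_RATELIMITED("Surface backup buffer is too small.\n");` or a debug-level message. Separately, a comment on `backup_handle = req->buffer_handle;` such as `/* No new handle is created on this path; report the caller's own handle back. */` would record why echoing the request value is correct. Several lines of this hunk are missing from the listing and the function continues past it, so check the branch structure against the full file.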