commit 5375d668eb898993d0acbba27de47e2eb605b0a0
author Doug Horn <doughorn@google.com> Fri Oct 02 11:50:44 2020 -0700
committer Doug Horn <doughorn@google.com> Fri Oct 02 18:58:41 2020 +0000
tree bc9f00b3dc121f9d960868ee88694122f3a9cb62
parent d7b3ec24a03da313f5b49669a70344c4daf5ec56

FROMGIT: drm/virtio: Fix use after free in get_capset_info callback.

If a response to virtio_gpu_cmd_get_capset_info takes longer than
five seconds to return, the callback will access freed kernel memory
in vg->capsets.

Bug: 166299146
Signed-off-by: Doug Horn <doughorn@google.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit e219688fc5c3d0d9136f8d29d7e0498388f01440)
Change-Id: I1ab01855152e12dc34c56f9c85d723c8e7f7780c

virtio_gpu/virtgpu_kms.c

diff --git a/virtio_gpu/virtgpu_kms.c b/virtio_gpu/virtgpu_kms.c
index 01d6f62..88b16df 100644
--- a/virtio_gpu/virtgpu_kms.c
+++ b/virtio_gpu/virtgpu_kms.c
@@ -97,8 +97,10 @@
 					 vgdev->capsets[i].id > 0, 5 * HZ);
 		if (ret == 0) {
 			DRM_ERROR("timed out waiting for cap set %d\n", i);
+			spin_lock(&vgdev->display_info_lock);
 			kfree(vgdev->capsets);
 			vgdev->capsets = NULL;
+			spin_unlock(&vgdev->display_info_lock);
 			return;
 		}
 		DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",

virtio_gpu/virtgpu_vq.c

diff --git a/virtio_gpu/virtgpu_vq.c b/virtio_gpu/virtgpu_vq.c
index 93b32ef..1b7f4e6 100644
--- a/virtio_gpu/virtgpu_vq.c
+++ b/virtio_gpu/virtgpu_vq.c
@@ -572,9 +572,13 @@
 	int i = le32_to_cpu(cmd->capset_index);
 
 	spin_lock(&vgdev->display_info_lock);
-	vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
-	vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
-	vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
+	if (vgdev->capsets) {
+		vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
+		vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
+		vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
+	} else {
+		DRM_ERROR("invalid capset memory.");
+	}
 	spin_unlock(&vgdev->display_info_lock);
 	wake_up(&vgdev->resp_wq);
 }