Commit 90e06567 authored by Alex Deucher

drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()



Since the gang_size check is outside of chunk parsing
loop, we need to reset i before we free the chunk data.

Suggested by Ye Zhang (@VAR10CK) of Baidu Security.

Reviewed-by: Guchun Chen <guchun.chen@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
parent a73ea79a
+1 −1
@@ -295,7 +295,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p,

	if (!p->gang_size) {
		ret = -EINVAL;
		goto free_partial_kdata;
		goto free_all_kdata;
	}

	for (i = 0; i < p->gang_size; ++i) {
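
Review bot: In the `if (!p->gang_size)` branch, the commit message describes the fix as resetting `i` before the chunk data is freed, but the change itself only switches the jump target to `free_all_kdata`, and that label's body is outside the visible context. A one-line comment at the goto, or a sentence in the message, saying that `free_all_kdata` sets `i` itself while `free_partial_kdata` trusts the index left by the chunk parsing loop would let a reader confirm the fix from this site alone. The `for (i = 0; i < p->gang_size; ++i)` loop that follows reuses `i` as well, so it is worth checking that no error path after it jumps to `free_partial_kdata`.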