drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()

Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang (@VAR10CK) of Baidu Security. Reviewed-by: Guchun Chen <[email protected]> Reviewed-by: Christian König <[email protected]> Signed-off-by: Alex Deucher <[email protected]>
author: Alex Deucher <[email protected]> 2023-07-28 15:14:05 +0000
committer: Alex Deucher <[email protected]> 2023-08-09 13:39:40 +0000
commit: 73b0648179c51659bb5a7b063f2a3ccb6ea936ce (patch)
tree: 10e5233bdf4cbf171541cbca29c4f2e2587145fa /drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
parent: drm/amdgpu: Report vbios version instead of PN (diff)
download: kernel-73b0648179c51659bb5a7b063f2a3ccb6ea936ce.tar.gz
kernel-73b0648179c51659bb5a7b063f2a3ccb6ea936ce.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
index 977e1804718d..49dd9aa8da70 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -293,7 +293,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p,
 
 	if (!p->gang_size) {
 		ret = -EINVAL;
-		goto free_partial_kdata;
+		goto free_all_kdata;
 	}
 
 	for (i = 0; i < p->gang_size; ++i) {
author	Alex Deucher <[email protected]>	2023-07-28 15:14:05 +0000
committer	Alex Deucher <[email protected]>	2023-08-09 13:39:40 +0000
commit	73b0648179c51659bb5a7b063f2a3ccb6ea936ce (patch)
tree	10e5233bdf4cbf171541cbca29c4f2e2587145fa /drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
parent	drm/amdgpu: Report vbios version instead of PN (diff)
download	kernel-73b0648179c51659bb5a7b063f2a3ccb6ea936ce.tar.gz kernel-73b0648179c51659bb5a7b063f2a3ccb6ea936ce.zip