From: Alex Deucher <alexander.deucher@amd.com>
Date: Fri, 28 Jul 2023 15:14:05 +0000 (-0400)
Subject: drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()
X-Git-Tag: microblaze-v6.8~477^2~9^2~111
X-Git-Url: http://git.monstr.eu/?a=commitdiff_plain;h=73b0648179c51659bb5a7b063f2a3ccb6ea936ce;p=linux-2.6-microblaze.git

drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()

Since the gang_size check is outside of chunk parsing
loop, we need to reset i before we free the chunk data.

Suggested by Ye Zhang (@VAR10CK) of Baidu Security.

Reviewed-by: Guchun Chen <guchun.chen@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
index 977e1804718d..49dd9aa8da70 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -293,7 +293,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p,
 
 	if (!p->gang_size) {
 		ret = -EINVAL;
-		goto free_partial_kdata;
+		goto free_all_kdata;
 	}
 
 	for (i = 0; i < p->gang_size; ++i) {