Commit dfe1323a authored by Ian Forbes's avatar Ian Forbes Committed by Zack Rusin
Browse files

drm/vmwgfx: Fix Use-after-free in validation 



Nodes stored in the validation duplicates hashtable come from an arena
allocator that is cleared at the end of vmw_execbuf_process. All nodes
are expected to be cleared in vmw_validation_drop_ht but this node escaped
because its resource was destroyed prematurely.

Fixes: 64ad2abf ("drm/vmwgfx: Adapt validation code for reference-free lookups")
Reported-by: default avatarKuzey Arda Bulut <kuzeyardabulut@gmail.com>
Signed-off-by: default avatarIan Forbes <ian.forbes@broadcom.com>
Reviewed-by: default avatarZack Rusin <zack.rusin@broadcom.com>
Signed-off-by: default avatarZack Rusin <zack.rusin@broadcom.com>
Link: https://lore.kernel.org/r/20250926195427.1405237-1-ian.forbes@broadcom.com
parent 5ac2c027
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment