On Tue, Jan 13, 2026 at 12:54 PM Ian Forbes <[email protected]> wrote:
>
> Before the referenced fixes these functions used a lookup function that
> returned a pointer. This was changed to another lookup function that
> returned an error code with the pointer becoming an out parameter.
>
> The error path when the lookup failed was not changed to reflect this
> change and the code continued to return the PTR_ERR of the now
> uninitialized pointer. This could cause the vmw_translate_ptr functions
> to return success when they actually failed causing further uninitialized
> and OOB accesses.
>
> Reported-by: Kuzey Arda Bulut <[email protected]>
> Fixes: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
> Signed-off-by: Ian Forbes <[email protected]>
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 
> b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index 3057f8baa7d2..e1f18020170a 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -1143,7 +1143,7 @@ static int vmw_translate_mob_ptr(struct vmw_private 
> *dev_priv,
>         ret = vmw_user_bo_lookup(sw_context->filp, handle, &vmw_bo);
>         if (ret != 0) {
>                 drm_dbg(&dev_priv->drm, "Could not find or use MOB 
> buffer.\n");
> -               return PTR_ERR(vmw_bo);
> +               return ret;
>         }
>         vmw_bo_placement_set(vmw_bo, VMW_BO_DOMAIN_MOB, VMW_BO_DOMAIN_MOB);
>         ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo);
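Review bot: In the `ret != 0` branch of vmw_translate_mob_ptr, returning `ret` is correct, but per the commit message `vmw_bo` is still left unset on that path. Consider initialising it to NULL at its declaration, or having vmw_user_bo_lookup() clear the out parameter on failure, so that any later use of the pointer on an error path fails deterministically instead of depending on stack contents.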
> @@ -1199,7 +1199,7 @@ static int vmw_translate_guest_ptr(struct vmw_private 
> *dev_priv,
>         ret = vmw_user_bo_lookup(sw_context->filp, handle, &vmw_bo);
>         if (ret != 0) {
>                 drm_dbg(&dev_priv->drm, "Could not find or use GMR 
> region.\n");
> -               return PTR_ERR(vmw_bo);
> +               return ret;
>         }
>         vmw_bo_placement_set(vmw_bo, VMW_BO_DOMAIN_GMR | VMW_BO_DOMAIN_VRAM,
>                              VMW_BO_DOMAIN_GMR | VMW_BO_DOMAIN_VRAM);
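Review bot: The drm_dbg() in the failure branch of vmw_translate_guest_ptr logs only "Could not find or use GMR region." and omits both `handle` and `ret`. Adding them to the message would let a failed lookup be tied to the offending command and error code when triaging from logs. The MOB message in the first hunk has the same gap.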
> --
> 2.52.0
>

Looks good.

Reviewed-by: Zack Rusin <[email protected]>

z
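The failure mode described in the commit message, as an added userspace sketch that is not part of the patch or the vmwgfx driver. `bo_lookup`, `translate_buggy`, `translate_fixed` and `ptr_err` are hypothetical stand-ins, and the `stale` parameter is an assumption that models whatever the stack slot held before the call, so the program stays well defined.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

struct bo { int id; };

/* Userspace stand-in for the kernel's PTR_ERR(): pointer value as a long. */
static long ptr_err(const void *p) { return (long)(intptr_t)p; }

/* Hypothetical lookup in the "error code + out parameter" style:
 * on failure it returns a negative errno and does not write *out. */
static int bo_lookup(uint32_t handle, struct bo **out)
{
    static struct bo table[2] = { {0}, {1} };
    if (handle >= 2)
        return -ESRCH;
    *out = &table[handle];
    return 0;
}

/* Old error path: the return value is derived from the pointer,
 * which the failed lookup never wrote. */
static int translate_buggy(uint32_t handle, struct bo *stale)
{
    struct bo *b = stale;            /* models the unset stack slot */
    int ret = bo_lookup(handle, &b);
    if (ret != 0)
        return (int)ptr_err(b);      /* unrelated to the real failure */
    return 0;
}

/* Fixed error path: propagate the lookup's own error code. */
static int translate_fixed(uint32_t handle, struct bo *stale)
{
    struct bo *b = stale;
    int ret = bo_lookup(handle, &b);
    if (ret != 0)
        return ret;
    return 0;
}

int main(void)
{
    /* Zeroed slot: the buggy path reports 0 (success) for a bad handle. */
    return (translate_buggy(99, NULL) == 0 &&
            translate_fixed(99, NULL) == -ESRCH) ? 0 : 1;
}
```

With a zeroed slot the buggy path reports success for an invalid handle, which is the case that lets the caller continue with a pointer that was never set.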
