vmw_validation_add_resource() conditionally calls hash_add_rcu() only
when ctx->sw_context is non-NULL, but the doomed-resource error path
calls hash_del_rcu() unconditionally.
The KMS validation contexts created with DECLARE_VAL_CONTEXT(_, NULL,
0) in vmwgfx_kms.c, vmwgfx_scrn.c, and vmwgfx_stdu.c never add the
node to a hash chain, so the resulting hlist_del_rcu() writes through
node->hash.head.pprev which is freshly allocated and uninitialized,
corrupting whatever happens to lie at that address.
Mirror the conditional from the add side in the cleanup path so the
node is only unlinked from the hash table when it was actually added.
Fixes: dfe1323ab3c8 ("drm/vmwgfx: Fix Use-after-free in validation")
Cc: [email protected]
Assisted-by: Claude:claude-opus-4.7
Signed-off-by: Zack Rusin <[email protected]>
---
drivers/gpu/drm/vmwgfx/vmwgfx_validation.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
index 35dc94c3db39..45fde7ec514f 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
@@ -309,7 +309,8 @@ int vmw_validation_add_resource(struct
vmw_validation_context *ctx,
}
node->res = vmw_resource_reference_unless_doomed(res);
if (!node->res) {
- hash_del_rcu(&node->hash.head);
+ if (ctx->sw_context)
+ hash_del_rcu(&node->hash.head);
return -ESRCH;
}
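Review bot: the guard in the error path now mirrors the add-side condition, but the fact that the node is only hashed when ctx->sw_context is set is encoded in two separate places with nothing tying them together; a one-line comment at the `if (ctx->sw_context)` in this hunk (or above the add-side call) pointing at the other site would keep a future change from reintroducing the unconditional unlink. The commit message notes that node->hash.head.pprev is left uninitialized on allocation, so the cleanup relies entirely on this branch rather than on hash_del_rcu() seeing an unhashed node; if the allocation path is ever reworked, initializing the hlist_node would be the more defensive option, but as written the conditional is the minimal and correct fix for the stable backport.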
--
2.51.0