This is a false positive; deleting an empty/NULL node doesn't do anything.

On Tue, May 5, 2026 at 5:28 PM Zack Rusin <[email protected]> wrote:
>
> vmw_validation_add_resource() conditionally calls hash_add_rcu() only
> when ctx->sw_context is non-NULL, but the doomed-resource error path
> calls hash_del_rcu() unconditionally.
>
> The KMS validation contexts created with DECLARE_VAL_CONTEXT(_, NULL,
> 0) in vmwgfx_kms.c, vmwgfx_scrn.c, and vmwgfx_stdu.c never add the
> node to a hash chain, so the resulting hlist_del_rcu() writes through
> node->hash.head.pprev which is freshly allocated and uninitialized,
> corrupting whatever happens to lie at that address.
>
> Mirror the conditional from the add side in the cleanup path so the
> node is only unlinked from the hash table when it was actually added.
>
> Fixes: dfe1323ab3c8 ("drm/vmwgfx: Fix Use-after-free in validation")
> Cc: [email protected]
> Assisted-by: Claude:claude-opus-4.7
> Signed-off-by: Zack Rusin <[email protected]>
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_validation.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
> b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
> index 35dc94c3db39..45fde7ec514f 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
> @@ -309,7 +309,8 @@ int vmw_validation_add_resource(struct
> vmw_validation_context *ctx,
>  	}
>  	node->res = vmw_resource_reference_unless_doomed(res);
>  	if (!node->res) {
> -		hash_del_rcu(&node->hash.head);
> +		if (ctx->sw_context)
> +			hash_del_rcu(&node->hash.head);
>  		return -ESRCH;
>  	}
>
> --
> 2.51.0
>
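Review bot: the guard in the hunk matches the add side, but the commit message's justification rests on node->hash.head.pprev being "freshly allocated and uninitialized", which the reply above disputes, and that is the point that decides whether this is a memory-corruption fix or a consistency cleanup. hash_del_rcu() resolves to hlist_del_init_rcu(), which returns without writing when the node is unhashed (pprev == NULL), so if the validation node comes from zeroed memory the unconditional call on the old line is a no-op rather than a stray write. The commit message should say how the node is allocated and whether that allocation zeroes it; if it is zeroed, drop the corruption claim together with the "Cc: [email protected]" stable tag and describe the change as aligning the cleanup path with hash_add_rcu(), and if it is not, say so explicitly so the Fixes: tag and the stable backport are justified on the record.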
