From: Zheng Wang
To: nouveau@lists.freedesktop.org
Cc: bskeggs@redhat.com, kherbst@redhat.com, lyude@redhat.com, airlied@gmail.com, hackerzheng666@gmail.com, alex000young@gmail.com, security@kernel.org, daniel@ffwll.ch, Julia.Lawall@inria.fr, linux-kernel@vger.kernel.org, Zheng Wang
Subject: [PATCH] drm/nouveau/mmu: fix use-after-free bug in nvkm_vmm_pfn_map
Date: Sat, 29 Oct 2022 15:46:54 +0800
Message-Id: <20221029074654.203153-1-zyytlz.wz@163.com>
X-Mailing-List: linux-kernel@vger.kernel.org

If it fails in kzalloc, vma will be freed in nvkm_vmm_node_merge. The later use of vma will cause a use-after-free.

Reported-by: Zheng Wang
Reported-by: Zhuorao Yang

Fix it by returning to the upper caller as soon as an error occurs.

Signed-off-by: Zheng Wang
Reviewed-by: Lyude Paul
---
 drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
index ae793f400ba1..04befd28f80b 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
@@ -1272,8 +1272,7 @@ nvkm_vmm_pfn_map(struct nvkm_vmm *vmm, u8 shift, u64 addr, u64 size, u64 *pfn)
 					page - vmm->func->page, map);
 		if (WARN_ON(!tmp)) {
-			ret = -ENOMEM;
-			goto next;
+			return -ENOMEM;
 		}
 
 		if ((tmp->mapped = map))
-- 
2.25.1
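Review bot: the early "return -ENOMEM" at the WARN_ON(!tmp) site skips the "next:" label that the removed "goto next" reached, so the per-iteration bookkeeping after that label and any remaining iterations no longer run, and the caller now gets -ENOMEM with the requested range only partially mapped; the commit message should state that callers of nvkm_vmm_pfn_map tolerate a partial map on this error and that nothing taken inside the loop (a lock, a reference) is left behind by returning from its middle. With "ret = -ENOMEM" removed, also check that "ret" still has another assignment in this function, otherwise the now-dead local should go in the same patch. The message says only that "it failed in kzalloc": naming the path from nvkm_vmm_pfn_map through the kzalloc to the free in nvkm_vmm_node_merge would let a reviewer confirm the use-after-free on vma without the tree open.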
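As an added illustration of the bug class the patch fixes (example code written for this page, not nouveau code and not from the patch author): a constructed C model in which a split routine rolls back by merging the node into its predecessor and releasing it when its tail allocation fails, and a map loop whose error path either jumps to the per-iteration bookkeeping (the removed "goto next") or returns at once (the patch). struct vma, vma_alloc, vma_split, pfn_map, scenario and fail_alloc are hypothetical names; the merge-on-failure behaviour follows the commit message's description, not the nouveau source; the allocation failure is simulated, and the release only marks the node so that the old path's read of the released node is observable rather than undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical VMA node, a stand-in for nouveau's struct nvkm_vma (not a copy). */
struct vma {
	unsigned long addr, size;
	bool mapped, freed;      /* freed is set instead of calling free(), so a later use is detectable */
	struct vma *prev, *next;
};

static bool fail_alloc;          /* true: vma_alloc() fails, like a failed kzalloc */

static struct vma *vma_alloc(unsigned long addr, unsigned long size)
{
	struct vma *v = fail_alloc ? NULL : calloc(1, sizeof(struct vma));
	if (v) {
		v->addr = addr;
		v->size = size;
	}
	return v;
}

/* Carve [addr, addr + size) out of vma, which starts at addr; the rest becomes a
 * new node after it. If that node cannot be allocated, vma is merged back into its
 * predecessor (the model assumes it has one) and released, as the commit message
 * describes for nvkm_vmm_node_merge, and NULL is returned: vma must not be touched. */
static struct vma *vma_split(struct vma *vma, unsigned long addr, unsigned long size)
{
	struct vma *tail;
	if (vma->size == size)
		return vma;
	tail = vma_alloc(addr + size, vma->size - size);
	if (!tail) {
		struct vma *prev = vma->prev;
		prev->size += vma->size;
		prev->next = vma->next;
		if (vma->next)
			vma->next->prev = prev;
		vma->freed = true;       /* the real code kfree()s here */
		return NULL;
	}
	vma->size = size;
	tail->prev = vma;
	tail->next = vma->next;
	if (vma->next)
		vma->next->prev = tail;
	vma->next = tail;
	return vma;
}

/* Map [addr, addr + size) node by node. fixed == false takes the removed "goto next"
 * error path, which reads vma after vma_split() released it; fixed == true takes the
 * patch's early return. Returns 0, -ENOMEM, or -1 when a released node was touched. */
static int pfn_map(struct vma *vma, unsigned long addr, unsigned long size, bool fixed)
{
	int ret = 0;
	while (size && vma) {
		unsigned long n = vma->addr + vma->size - addr;  /* part of the range inside vma */
		struct vma *tmp;
		if (n > size)
			n = size;
		tmp = vma_split(vma, addr, n);
		if (!tmp) {
			if (fixed)
				return -ENOMEM;  /* after: leave before vma is used again */
			ret = -ENOMEM;           /* before: carry on to the bookkeeping */
			goto next;
		}
		tmp->mapped = true;
next:
		addr += n;
		size -= n;
		if (vma->freed)                  /* real code: a read of kfree()d memory */
			return -1;
		vma = vma->next;
	}
	return ret;
}

/* Constructed list A [0,4) -> B [4,12); map [4,8). If allocation fails, B's tail
 * cannot be made and B is rolled back into A: old path -1, fixed path -ENOMEM.
 * If allocation works, 0 and B [4,8) mapped with an unmapped tail [8,12) (-EINVAL
 * if the layout is off). */
static int scenario(bool fixed, bool alloc_fails)
{
	struct vma *a = vma_alloc(0, 4), *b = vma_alloc(4, 8), *t;
	int ret;
	a->next = b;
	b->prev = a;
	fail_alloc = alloc_fails;
	ret = pfn_map(b, 4, 4, fixed);
	fail_alloc = false;
	t = b->freed ? NULL : b->next;
	if (ret == 0 && !(b->mapped && b->size == 4 && t && t->addr == 8 && !t->mapped))
		ret = -EINVAL;
	free(t);
	free(b);                 /* unlinked by the rollback; really released only here */
	free(a);
	return ret;
}
```

scenario(false, true) reaches the freed node through the label and returns -1; scenario(true, true) returns -ENOMEM without touching it, which is the whole effect of the one-line change, and both variants still map correctly when the allocation succeeds.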