From db148961f46a2d5a1dae109e572f7d9e1fccf30d Mon Sep 17 00:00:00 2001
From: Ian Forbes
Date: Tue, 25 Nov 2025 09:36:43 +0800
Subject: [PATCH] drm/vmwgfx: Fix Use-after-free in validation

stable inclusion
from stable-v6.6.113
commit 867bda5d95d36f10da398fd4409e21c7002b2332
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID6794
CVE: CVE-2025-40111

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=867bda5d95d36f10da398fd4409e21c7002b2332

--------------------------------

[ Upstream commit dfe1323ab3c8a4dd5625ebfdba44dc47df84512a ]

Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.

Fixes: 64ad2abfe9a6 ("drm/vmwgfx: Adapt validation code for reference-free lookups")
Reported-by: Kuzey Arda Bulut
Signed-off-by: Ian Forbes
Reviewed-by: Zack Rusin
Signed-off-by: Zack Rusin
Link: https://lore.kernel.org/r/20250926195427.1405237-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin
Signed-off-by: Lin Ruifeng
---
 drivers/gpu/drm/vmwgfx/vmwgfx_validation.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
index aaacbdcbd742..a4a11e725d18 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
@@ -326,8 +326,10 @@ int vmw_validation_add_resource(struct vmw_validation_context *ctx,
 hash_add_rcu(ctx->sw_context->res_ht, &node->hash.head, node->hash.key);
 }
 node->res = vmw_resource_reference_unless_doomed(res);
- if (!node->res)
+ if (!node->res) {
+ hash_del_rcu(&node->hash.head);
 return -ESRCH;
+ }

 node->first_usage = 1;
 if (!res->dev_priv->has_mob) {
--
Gitee
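Review bot: The new `hash_del_rcu(&node->hash.head);` runs unconditionally, while the `hash_add_rcu()` above it sits inside a block that closes with `}` just before `node->res = ...`, so the delete can be reached for a node that was never hashed. The opening condition of that block is outside the hunk; it presumably tests `ctx->sw_context`. The unguarded delete is only safe if the arena hands out zeroed nodes, which is also not visible here. Either mirror the guard, e.g. `if (ctx->sw_context) hash_del_rcu(&node->hash.head);`, or add a comment such as `/* node is arena-backed and zero-initialised; unhash so res_ht holds no pointer to it after the arena is cleared */`. Adding the node to `res_ht` only after the reference is taken would also avoid briefly publishing a node whose `res` is NULL, if the lookup path allows that reordering.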