Commit 9802f0a
drm/nouveau: fix a use-after-free in r535_gsp_rpc_push()

The RPC container is released after being passed to r535_gsp_rpc_send().

When sending the initial fragment of a large RPC and passing the
caller's RPC container, the container will be freed prematurely. Subsequent
attempts to send remaining fragments will therefore result in a
use-after-free.

Allocate a temporary RPC container for holding the initial fragment of a
large RPC when sending. Free the caller's container when all fragments
are successfully sent.

Fixes: 176fdcb ("drm/nouveau/gsp/r535: add support for booting GSP-RM")
Signed-off-by: Zhi Wang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
[ Rebase onto Blackwell changes. - Danilo ]
Signed-off-by: Danilo Krummrich <[email protected]>

1 parent 80626ae commit 9802f0a
1 file changed
Lines changed: 12 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
637 | 637 | | |
638 | 638 | | |
639 | 639 | | |
| 640 | + | |
640 | 641 | | |
641 | | - | |
642 | | - | |
643 | | - | |
| 642 | + | |
| 643 | + | |
| 644 | + | |
| 645 | + | |
| 646 | + | |
| 647 | + | |
644 | 648 | | |
645 | | - | |
| 649 | + | |
| 650 | + | |
| 651 | + | |
646 | 652 | | |
647 | 653 | | |
648 | 654 | | |
| |||
653 | 659 | | |
654 | 660 | | |
655 | 661 | | |
656 | | - | |
657 | 662 | | |
658 | 663 | | |
659 | 664 | | |
| |||
674 | 679 | | |
675 | 680 | | |
676 | 681 | | |
| 682 | + | |
| 683 | + | |
677 | 684 | | |
678 | 685 | | |
679 | 686 | | |
| |||