From: shanzhulig shanzhulig@gmail.com
mainline inclusion from mainline-v6.5-rc1 commit 2e54154b9f27262efd0cb4f903cc7d5ad1fe9628 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YD58 CVE: CVE-2023-51042
Reference: https://github.com/torvalds/linux/commit/2e54154b9f27262efd0cb4f903cc7d5ad1f... Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-51042
--------------------------------
fence Decrements the reference count before exiting. Avoid Race Vulnerabilities for fence use-after-free.
v2 (chk): actually fix the use after free and not just move it.
Signed-off-by: shanzhulig shanzhulig@gmail.com Signed-off-by: Christian König christian.koenig@amd.com Reviewed-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: GUO Zihua guozihua@huawei.com --- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index 9e5eae1207e4..ec41eba09b67 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -1517,15 +1517,15 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev, continue;
r = dma_fence_wait_timeout(fence, true, timeout); + if (r > 0 && fence->error) + r = fence->error; + dma_fence_put(fence); if (r < 0) return r;
if (r == 0) break; - - if (fence->error) - return fence->error; }
memset(wait, 0, sizeof(*wait));