On 6/28/23 18:58, Gurchetan Singh wrote:
> @@ -168,9 +168,13 @@ static int virtio_gpu_init_submit(struct 
> virtio_gpu_submit *submit,
>  
>       memset(submit, 0, sizeof(*submit));
>  
> -     out_fence = virtio_gpu_fence_alloc(vgdev, fence_ctx, ring_idx);
> -     if (!out_fence)
> -             return -ENOMEM;
> +     if ((exbuf->flags & VIRTGPU_EXECBUF_FENCE_FD_OUT) ||
> +         ((exbuf->flags & VIRTGPU_EXECBUF_RING_IDX) &&
> +         (vfpriv->ring_idx_mask & BIT_ULL(ring_idx))) ||
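Review bot: with the unconditional virtio_gpu_fence_alloc() gone, out_fence is NULL for every submit that fails this new condition, so each later consumer of the fence must either check for NULL or gate on exactly the same condition. The second clause requires both VIRTGPU_EXECBUF_RING_IDX and `vfpriv->ring_idx_mask & BIT_ULL(ring_idx)`, so a consumer that tests ring_idx_mask alone (the reply below says virtio_gpu_fence_event_create() does) would see the ring enabled but find no fence; the flag check should be mirrored there, or the gate hoisted into one helper used by both. Note also that the condition is cut off after the trailing `||`, so the remaining clause cannot be reviewed from this quote, and `BIT_ULL(ring_idx)` is only well-defined if ring_idx has already been validated against the width of ring_idx_mask before this point.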

Looks like there is a problem here. The virtio_gpu_fence_event_create()
doesn't check whether the VIRTGPU_EXECBUF_RING_IDX flag is set, so it's
possible to trigger a NULL-deref in that function if userspace sets
ring_idx_mask=1. Perhaps virtio_gpu_fence_event_create() needs to be
changed to check the flag presence.

-- 
Best regards,
Dmitry

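The mismatch Dmitry describes, as an added user-space model that is not part of the patch or of the virtio-gpu driver: one function reproduces the gate from the quoted hunk (minus the clause the quote cuts off), and two stand-in "event create" functions are run against it, one gating on ring_idx_mask alone and one that also checks VIRTGPU_EXECBUF_RING_IDX. The struct layouts, helper names and the return codes are hypothetical; the flag values are taken from my recollection of the uapi header and only need to be distinct for this model. BIT_ULL() is re-implemented locally, and ring_idx is assumed to have been validated against the 64-bit mask width before the gate runs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits modelled on include/uapi/drm/virtgpu_drm.h (values from memory;
 * only their distinctness matters for this model). */
#define VIRTGPU_EXECBUF_FENCE_FD_OUT 0x02u
#define VIRTGPU_EXECBUF_RING_IDX     0x04u
#define BIT_ULL(n) (1ULL << (n))

/* Hypothetical, stripped-down stand-ins for the kernel structures. */
struct exbuf  { uint32_t flags; uint32_t ring_idx; };
struct vfpriv { uint64_t ring_idx_mask; };
struct fence  { uint64_t seqno; };

/* Assumption: ring_idx was range-checked earlier; refuse anything >= 64 so
 * the shift stays defined in this model. */
static bool ring_enabled(const struct vfpriv *vf, uint32_t ring_idx)
{
    return ring_idx < 64 && (vf->ring_idx_mask & BIT_ULL(ring_idx));
}

/* Gate from the quoted hunk (without the clause the e-mail cut off): a fence
 * is allocated only for an out-fence FD, or for RING_IDX on an enabled ring. */
static bool submit_wants_fence(const struct exbuf *eb, const struct vfpriv *vf)
{
    if (eb->flags & VIRTGPU_EXECBUF_FENCE_FD_OUT)
        return true;
    return (eb->flags & VIRTGPU_EXECBUF_RING_IDX) && ring_enabled(vf, eb->ring_idx);
}

/* Event producer that gates on ring_idx_mask only, the pattern the reply
 * describes.  Returns -1 where the kernel code would dereference NULL. */
static int event_create_mask_only(const struct exbuf *eb, const struct vfpriv *vf,
                                  const struct fence *f)
{
    if (!ring_enabled(vf, eb->ring_idx))
        return 0;       /* no event wanted */
    if (!f)
        return -1;      /* NULL fence: would be a deref in the driver */
    return 1;           /* event created for fence f */
}

/* Same producer with the flag check the reply suggests adding. */
static int event_create_flag_checked(const struct exbuf *eb, const struct vfpriv *vf,
                                     const struct fence *f)
{
    if (!(eb->flags & VIRTGPU_EXECBUF_RING_IDX))
        return 0;
    return event_create_mask_only(eb, vf, f);
}

/* Push one submit through the model: allocate a fence only when the hunk's
 * gate says so, then hand whatever we got to the chosen event producer. */
static int simulate(uint32_t flags, uint32_t ring_idx, uint64_t mask, bool flag_checked)
{
    struct exbuf eb = { .flags = flags, .ring_idx = ring_idx };
    struct vfpriv vf = { .ring_idx_mask = mask };
    struct fence storage = { .seqno = 1 };
    const struct fence *f = submit_wants_fence(&eb, &vf) ? &storage : NULL;

    return flag_checked ? event_create_flag_checked(&eb, &vf, f)
                        : event_create_mask_only(&eb, &vf, f);
}

int main(void)
{
    /* Scenario from the reply: ring_idx_mask = 1, ring_idx = 0, no flags. */
    printf("mask-only gate:    %d\n", simulate(0, 0, 1, false));
    printf("flag-checked gate: %d\n", simulate(0, 0, 1, true));
    printf("RING_IDX set:      %d\n", simulate(VIRTGPU_EXECBUF_RING_IDX, 0, 1, true));
    return 0;
}
```

With no flags and ring_idx_mask=1 the hunk's gate allocates nothing, yet the mask-only producer still believes an event is due and reaches the NULL fence (-1); the flag-checked variant returns 0 for the same input and 1 once RING_IDX is actually set, i.e. it agrees with the allocation gate in every case.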