[PATCH] drm/nouveau: fix a use-after-free in r535_gsp_rpc_push()

[Zhi Wang]

The RPC container is released after being passed to r535_gsp_rpc_send().

When sending the initial fragment of a large RPC and passing the
caller's RPC container, the container will be freed prematurely. Subsequent
attempts to send remaining fragments will therefore result in a
use-after-free.

Allocate a temporary RPC container for holding the initial fragment of a
large RPC when sending. Free the caller's container when all fragments
are successfully sent.

This problem is caught by KASAN.

Fixes: 176fdcbddfd2 ("drm/nouveau/gsp/r535: add support for booting GSP-RM")
Signed-off-by: Zhi Wang <z...@nvidia.com>
---
 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c 
b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
index 969f6b921fdb..ab865da2541d 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
@@ -978,12 +978,21 @@ r535_gsp_rpc_push(struct nvkm_gsp *gsp, void *payload,
        if (payload_size > max_payload_size) {
                const u32 fn = rpc->function;
                u32 remain_payload_size = payload_size;
+               void *next;
 
                /* Adjust length, and send initial RPC. */
                rpc->length = sizeof(*rpc) + max_payload_size;
                msg->checksum = rpc->length;
 
-               repv = r535_gsp_rpc_send(gsp, payload, 
NVKM_GSP_RPC_REPLY_NOWAIT, 0);
+               next = r535_gsp_rpc_get(gsp, fn, max_payload_size);
+               if (IS_ERR(next)) {
+                       repv = next;
+                       goto done;
+               }
+
+               memcpy(next, payload, max_payload_size);
+
+               repv = r535_gsp_rpc_send(gsp, next, NVKM_GSP_RPC_REPLY_NOWAIT, 
0);
                if (IS_ERR(repv))
                        goto done;
 
@@ -994,7 +1003,6 @@ r535_gsp_rpc_push(struct nvkm_gsp *gsp, void *payload,
                while (remain_payload_size) {
                        u32 size = min(remain_payload_size,
                                       max_payload_size);
-                       void *next;
 
                        next = r535_gsp_rpc_get(gsp, 
NV_VGPU_MSG_FUNCTION_CONTINUATION_RECORD, size);
                        if (IS_ERR(next)) {
@@ -1015,6 +1023,8 @@ r535_gsp_rpc_push(struct nvkm_gsp *gsp, void *payload,
                /* Wait for reply. */
                repv = r535_gsp_rpc_handle_reply(gsp, fn, policy, payload_size +
                                                 sizeof(*rpc));
+               if (!IS_ERR(repv))
+                       kvfree(msg);
        } else {
                repv = r535_gsp_rpc_send(gsp, payload, policy, gsp_rpc_len);
        }
-- 
2.43.5