FROMGIT: drm/virtio: Fix use after free in get_capset_info callback.android12-5.4

If a response to virtio_gpu_cmd_get_capset_info takes longer than
five seconds to return, the callback will access freed kernel memory
in vg->capsets.

Bug: 166299146
Signed-off-by: Doug Horn <doughorn@google.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit e219688fc5c3d0d9136f8d29d7e0498388f01440)
Change-Id: I1ab01855152e12dc34c56f9c85d723c8e7f7780c

2 files changed, 9 insertions, 3 deletions

diff --git a/virtio_gpu/virtgpu_kms.c b/virtio_gpu/virtgpu_kms.c
index 01d6f62..88b16df 100644
--- a/virtio_gpu/virtgpu_kms.c
+++ b/virtio_gpu/virtgpu_kms.c
@@ -97,8 +97,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev,
 					 vgdev->capsets[i].id > 0, 5 * HZ);
 		if (ret == 0) {
 			DRM_ERROR("timed out waiting for cap set %d\n", i);
+			spin_lock(&vgdev->display_info_lock);
 			kfree(vgdev->capsets);
 			vgdev->capsets = NULL;
+			spin_unlock(&vgdev->display_info_lock);
 			return;
 		}
 		DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",
diff --git a/virtio_gpu/virtgpu_vq.c b/virtio_gpu/virtgpu_vq.c
index 93b32ef..1b7f4e6 100644
--- a/virtio_gpu/virtgpu_vq.c
+++ b/virtio_gpu/virtgpu_vq.c
@@ -572,9 +572,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev,
 	int i = le32_to_cpu(cmd->capset_index);
 
 	spin_lock(&vgdev->display_info_lock);
-	vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
-	vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
-	vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
+	if (vgdev->capsets) {
+		vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
+		vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
+		vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
+	} else {
+		DRM_ERROR("invalid capset memory.");
+	}
 	spin_unlock(&vgdev->display_info_lock);
 	wake_up(&vgdev->resp_wq);
 }