Re: [PATCH v2] drm/nouveau: fix a use-after-free in r535_gsp_rpc_push()

From: Danilo Krummrich
Date: Fri Jun 13 2025 - 11:46:27 EST

Next message: Danilo Krummrich: "Re: [PATCH v2] drm/nouveau/bl: increase buffer size to avoid truncate warning"
Previous message: Danilo Krummrich: "Re: [PATCH][next] drm/nouveau/gsp: Fix potential integer overflow on integer shifts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/27/25 6:37 PM, Zhi Wang wrote:

The RPC container is released after being passed to r535_gsp_rpc_send().

When sending the initial fragment of a large RPC and passing the
caller's RPC container, the container will be freed prematurely. Subsequent
attempts to send remaining fragments will therefore result in a
use-after-free.

Allocate a temporary RPC container for holding the initial fragment of a
large RPC when sending. Free the caller's container when all fragments
are successfully sent.

Fixes: 176fdcbddfd2 ("drm/nouveau/gsp/r535: add support for booting GSP-RM")
Signed-off-by: Zhi Wang <zhiw@xxxxxxxxxx>

Applied to drm-misc-fixes, thanks!

Next message: Danilo Krummrich: "Re: [PATCH v2] drm/nouveau/bl: increase buffer size to avoid truncate warning"
Previous message: Danilo Krummrich: "Re: [PATCH][next] drm/nouveau/gsp: Fix potential integer overflow on integer shifts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]