I'll change the commit message and drop the Fixes, but the change itself is still good. We want this code to match the actual ownership rules, especially if the allocation itself changes and ->prev is not null anymore.
z On Fri, May 22, 2026 at 11:20 AM Ian Forbes <[email protected]> wrote: > > This is a false positive, deleting an empty/NULL node doesn't do anything. > > On Tue, May 5, 2026 at 5:28 PM Zack Rusin <[email protected]> wrote: > > > > vmw_validation_add_resource() conditionally calls hash_add_rcu() only > > when ctx->sw_context is non-NULL, but the doomed-resource error path > > calls hash_del_rcu() unconditionally. > > > > The KMS validation contexts created with DECLARE_VAL_CONTEXT(_, NULL, > > 0) in vmwgfx_kms.c, vmwgfx_scrn.c, and vmwgfx_stdu.c never add the > > node to a hash chain, so the resulting hlist_del_rcu() writes through > > node->hash.head.pprev which is freshly allocated and uninitialized, > > corrupting whatever happens to lie at that address. > > > > Mirror the conditional from the add side in the cleanup path so the > > node is only unlinked from the hash table when it was actually added. > > > > Fixes: dfe1323ab3c8 ("drm/vmwgfx: Fix Use-after-free in validation") > > Cc: [email protected] > > Assisted-by: Claude:claude-opus-4.7 > > Signed-off-by: Zack Rusin <[email protected]> > > --- > > drivers/gpu/drm/vmwgfx/vmwgfx_validation.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c > > b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c > > index 35dc94c3db39..45fde7ec514f 100644 > > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c > > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c > > @@ -309,7 +309,8 @@ int vmw_validation_add_resource(struct > > vmw_validation_context *ctx, > > } > > node->res = vmw_resource_reference_unless_doomed(res); > > if (!node->res) { > > - hash_del_rcu(&node->hash.head); > > + if (ctx->sw_context) > > + hash_del_rcu(&node->hash.head); > > return -ESRCH; > > } > > > > -- > > 2.51.0 > >
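Review bot: the commit description above the hunk claims hlist_del_rcu() writes through an uninitialized node->hash.head.pprev, but as the thread establishes, hash_del_rcu() on a node that was never added is a no-op, so the guard does not fix memory corruption; reword the description to say the error path is being made symmetric with the conditional hash_add_rcu() on the add side, and drop the Fixes: tag (and the stable Cc that goes with it) so the patch is not backported as a corruption fix. The guard itself is right: `if (ctx->sw_context)` is exactly the condition under which the node was hashed, so the doomed-resource path only unlinks what it linked, and it stays correct if the node allocation later stops zero-initializing pprev. A one-line comment at the new `if` noting that the node is on a hash chain only when ctx->sw_context is set would make that asymmetry visible at the del site, where it is otherwise easy to miss.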