[PATCH v2] drm/nouveau: fix a use-after-free in r535_gsp_rpc_push()

Danilo Krummrich dakr at kernel.org
Fri Jun 13 15:46:17 UTC 2025



On 5/27/25 6:37 PM, Zhi Wang wrote:
> The RPC container is released after being passed to r535_gsp_rpc_send().
> 
> When sending the initial fragment of a large RPC and passing the
> caller's RPC container, the container will be freed prematurely. Subsequent
> attempts to send remaining fragments will therefore result in a
> use-after-free.
> 
> Allocate a temporary RPC container for holding the initial fragment of a
> large RPC when sending. Free the caller's container when all fragments
> are successfully sent.
> 
> Fixes: 176fdcbddfd2 ("drm/nouveau/gsp/r535: add support for booting GSP-RM")
> Signed-off-by: Zhi Wang <zhiw at nvidia.com>

Applied to drm-misc-fixes, thanks!
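The ownership hand-off that the quoted commit message describes, as an added example that is neither nouveau's code nor part of this thread: a hypothetical C model in which `rpc_send()` consumes the container it is given, so a push routine that hands the caller's container over for the initial fragment reads released memory when it copies out the remaining fragments. The corrected routine stages each fragment in a temporary container and releases the caller's container only after every fragment went out. All names (`struct rpc`, `rpc_send`, `send_fragment`, `push_buggy`, `push_fixed`, `FRAG_MAX`) are assumptions; the `released` flag stands in for the real free() so the misuse is detectable (the way KASAN would report it) without executing undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an RPC container; not nouveau's real structure. */
struct rpc {
	size_t len;            /* payload length in bytes */
	bool released;         /* true once the container was consumed by rpc_send() */
	unsigned char data[];  /* payload */
};

#define FRAG_MAX 64  /* constructed: largest payload one rpc_send() accepts */

static struct rpc *rpc_alloc(size_t len)
{
	struct rpc *rpc = calloc(1, sizeof(*rpc) + len);

	if (rpc)
		rpc->len = len;
	return rpc;
}

/*
 * Models r535_gsp_rpc_send(): the first @len bytes go out and the container
 * is released on return, so the caller must not touch it afterwards.  The
 * model flips a flag instead of calling free() so that a later access can be
 * detected rather than becoming a real use-after-free.
 */
static int rpc_send(struct rpc *rpc, size_t len)
{
	if (rpc->released || len > rpc->len)
		return -EFAULT;  /* stand-in for the KASAN report */
	rpc->released = true;
	return 0;
}

/* Copy bytes [off, off + n) of @src into a fresh container and send that. */
static int send_fragment(struct rpc *src, size_t off, size_t n)
{
	struct rpc *tmp;
	int ret;

	if (src->released)
		return -EFAULT;  /* reading a container that was already consumed */
	tmp = rpc_alloc(n);
	if (!tmp)
		return -ENOMEM;
	memcpy(tmp->data, src->data + off, n);
	ret = rpc_send(tmp, n);
	free(tmp);
	return ret;
}

/* Buggy pattern: the caller's container itself carries the initial fragment. */
static int push_buggy(struct rpc *rpc)
{
	size_t total = rpc->len;
	size_t off = total < FRAG_MAX ? total : FRAG_MAX;
	int ret;

	ret = rpc_send(rpc, off);  /* rpc is released when this returns */
	if (ret)
		return ret;
	while (off < total) {      /* only large RPCs reach this loop */
		size_t n = total - off < FRAG_MAX ? total - off : FRAG_MAX;

		ret = send_fragment(rpc, off, n);  /* copies from a released container */
		if (ret)
			return ret;
		off += n;
	}
	return 0;
}

/* Fixed pattern: every fragment is staged in a temporary container. */
static int push_fixed(struct rpc *rpc)
{
	size_t total = rpc->len, off = 0;
	int ret;

	while (off < total) {
		size_t n = total - off < FRAG_MAX ? total - off : FRAG_MAX;

		ret = send_fragment(rpc, off, n);
		if (ret)
			return ret;
		off += n;
	}
	rpc->released = true;  /* caller's container freed only after all fragments were sent */
	return 0;
}
```

A 200-byte payload in this model takes four fragments: `push_buggy()` fails with `-EFAULT` on the second one because the caller's container was consumed by the first send, while `push_fixed()` sends all four and releases the caller's container last; a payload that fits in one fragment never trips the bug, which is why the commit message limits the problem to large RPCs.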


More information about the dri-devel mailing list