drm/xe/pf: Fix use-after-free in migration restore

When an error is returned from xe_sriov_pf_migration_restore_produce(), the data pointer is not set to NULL, which can trigger use-after-free in subsequent .write() calls. Set the pointer to NULL upon error to fix the problem. Fixes: 1ed30397c0b92 ("drm/xe/pf: Add support for encap/decap of bitstream to/from packet") Reported-by: Sebastian Österlund <sebastian.osterlund@intel.com> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7230 Reviewed-by: Shuicheng Lin <shuicheng.lin@intel.com> Link: https://patch.msgid.link/20260217154118.176902-1-michal.winiarski@intel.com Signed-off-by: Michał Winiarski <michal.winiarski@intel.com>
author: Michał Winiarski <michal.winiarski@intel.com> 2026-02-17 18:41:18 +0300
committer: Michał Winiarski <michal.winiarski@intel.com> 2026-03-23 11:44:14 +0300
commit: 4f53d8c6d23527d734fe3531d08e15cb170a0819 (patch)
tree: 76827fb1c22eec49024beedd69a738b78d1e5bab
parent: cb7415d8cbb750221b48e5beebe8f402719a20d9 (diff)
download: linux-4f53d8c6d23527d734fe3531d08e15cb170a0819.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/gpu/drm/xe/xe_sriov_packet.c b/drivers/gpu/drm/xe/xe_sriov_packet.c
index 968f32496282..2ae9eff2a7c0 100644
--- a/drivers/gpu/drm/xe/xe_sriov_packet.c
+++ b/drivers/gpu/drm/xe/xe_sriov_packet.c
@@ -341,6 +341,8 @@ ssize_t xe_sriov_packet_write_single(struct xe_device *xe, unsigned int vfid,
 		ret = xe_sriov_pf_migration_restore_produce(xe, vfid, *data);
 		if (ret) {
 			xe_sriov_packet_free(*data);
+			*data = NULL;
+
 			return ret;
 		}
author	Michał Winiarski <michal.winiarski@intel.com>	2026-02-17 18:41:18 +0300
committer	Michał Winiarski <michal.winiarski@intel.com>	2026-03-23 11:44:14 +0300
commit	4f53d8c6d23527d734fe3531d08e15cb170a0819 (patch)
tree	76827fb1c22eec49024beedd69a738b78d1e5bab
parent	cb7415d8cbb750221b48e5beebe8f402719a20d9 (diff)
download	linux-4f53d8c6d23527d734fe3531d08e15cb170a0819.tar.xz