2023 Apr 03
[PATCH v4 2/2] drm/virtio: Support sync objects
...> >> + if (ret)
> >> + goto cleanup;
> >> +
> >
> > I think we should zero num_(in|out)_syncobjs when the respective parse
> > fails. Otherwise we get one "cleanup" within the parse function itself
> > and a second during the cleanup_submit. Haven't looked at it too closely
> > but I suspect that will trigger an UAF or two.
>
> There are checks for NULL pointers in the code that will prevent the
> UAF. I'll add zeroing of the nums for more consistency.
>
Riiiight the drm_syncobj is attached to the encapsula...