From 80d9b24a658c83602aea66e45e2347c5bb3cbd47 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 18 Oct 2011 09:10:12 +0300
Subject: vmwgfx: information leak in vmw_execbuf_copy_fence_user()
Git-commit: 80d9b24a658c83602aea66e45e2347c5bb3cbd47
Patch-mainline: v3.2-rc1

If ret is non-zero then we don't initialize the struct which leaks
stack information to user space.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Acked-by: Michal Srb <msrb@suse.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index d4a1d8b..28e1c35 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1070,6 +1070,8 @@ vmw_execbuf_copy_fence_user(struct vmw_private *dev_priv,
 	if (user_fence_rep == NULL)
 		return;
 
+	memset(&fence_rep, 0, sizeof(fence_rep));
+
 	fence_rep.error = ret;
 	if (ret == 0) {
 		BUG_ON(fence == NULL);

