1 From 36b6c9ed45afe89045973e8dee1b004dd5372d40 Mon Sep 17 00:00:00 2001
2 From: Eric Biggers <ebiggers@google.com>
3 Date: Tue, 26 Feb 2019 14:08:58 -0800
4 Subject: drm/vkms: fix use-after-free when drm_gem_handle_create() fails
6 From: Eric Biggers <ebiggers@google.com>
8 commit 36b6c9ed45afe89045973e8dee1b004dd5372d40 upstream.
10 If drm_gem_handle_create() fails in vkms_gem_create(), then the
11 vkms_gem_object is freed twice: once when the reference is dropped by
12 drm_gem_object_put_unlocked(), and again by the extra calls to
13 drm_gem_object_release() and kfree().
15 Fix it by skipping the second release and free.
17 This bug was originally found in the vgem driver by syzkaller using
18 fault injection, but I noticed it's also present in the vkms driver.
20 Fixes: 559e50fd34d1 ("drm/vkms: Add dumb operations")
21 Cc: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
22 Cc: Haneen Mohammed <hamohammed.sa@gmail.com>
23 Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
24 Cc: Chris Wilson <chris@chris-wilson.co.uk>
25 Cc: stable@vger.kernel.org
26 Signed-off-by: Eric Biggers <ebiggers@google.com>
27 Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
28 Reviewed-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
29 Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
30 Link: https://patchwork.freedesktop.org/patch/msgid/20190226220858.214438-1-ebiggers@kernel.org
31 Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
32 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
35 drivers/gpu/drm/vkms/vkms_gem.c | 5 +----
36 1 file changed, 1 insertion(+), 4 deletions(-)
38 --- a/drivers/gpu/drm/vkms/vkms_gem.c
39 +++ b/drivers/gpu/drm/vkms/vkms_gem.c
40 @@ -111,11 +111,8 @@ struct drm_gem_object *vkms_gem_create(s
42 ret = drm_gem_handle_create(file, &obj->gem, handle);
43 drm_gem_object_put_unlocked(&obj->gem);
45 - drm_gem_object_release(&obj->gem);
projects / thirdparty / kernel / stable-queue.git / blob