From: Greg Kroah-Hartman Date: Tue, 3 May 2022 14:21:36 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.4.192~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5338def7ca95005e7c3e8cae9ec6cebcb51b5ee1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: drm-vgem-close-use-after-free-race-in-vgem_gem_create.patch --- diff --git a/queue-4.19/drm-vgem-close-use-after-free-race-in-vgem_gem_create.patch b/queue-4.19/drm-vgem-close-use-after-free-race-in-vgem_gem_create.patch new file mode 100644 index 00000000000..206de7c1323 --- /dev/null +++ b/queue-4.19/drm-vgem-close-use-after-free-race-in-vgem_gem_create.patch 
@@ -0,0 +1,74 @@ +From 4b848f20eda5974020f043ca14bacf7a7e634fc8 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sun, 2 Feb 2020 14:21:33 +0100 +Subject: drm/vgem: Close use-after-free race in vgem_gem_create + +From: Daniel Vetter + +commit 4b848f20eda5974020f043ca14bacf7a7e634fc8 upstream. + +There's two references floating around here (for the object reference, +not the handle_count reference, that's a different thing): + +- The temporary reference held by vgem_gem_create, acquired by + creating the object and released by calling + drm_gem_object_put_unlocked. + +- The reference held by the object handle, created by + drm_gem_handle_create. This one generally outlives the function, + except if a 2nd thread races with a GEM_CLOSE ioctl call. + +So usually everything is correct, except in that race case, where the +access to gem_object->size could be looking at freed data already. +Which again isn't a real problem (userspace shot its feet off already +with the race, we could return garbage), but maybe someone can exploit +this as an information leak. 
+ +Cc: Dan Carpenter +Cc: Hillf Danton +Reported-by: syzbot+0dc4444774d419e916c8@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Cc: Emil Velikov +Cc: Daniel Vetter +Cc: Sean Paul +Cc: Chris Wilson +Cc: Eric Anholt +Cc: Sam Ravnborg +Cc: Rob Clark +Reviewed-by: Chris Wilson +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200202132133.1891846-1-daniel.vetter@ffwll.ch +[OP: backport to 4.19: adjusted DRM_DEBUG() -> DRM_DEBUG_DRIVER()] +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vgem/vgem_drv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/vgem/vgem_drv.c ++++ b/drivers/gpu/drm/vgem/vgem_drv.c +@@ -189,9 +189,10 @@ static struct drm_gem_object *vgem_gem_c + return ERR_CAST(obj); + + ret = drm_gem_handle_create(file, &obj->base, handle); +- drm_gem_object_put_unlocked(&obj->base); +- if (ret) ++ if (ret) { ++ drm_gem_object_put_unlocked(&obj->base); + return ERR_PTR(ret); ++ } + + return &obj->base; + } +@@ -214,7 +215,9 @@ static int vgem_gem_dumb_create(struct d + args->size = gem_object->size; + args->pitch = pitch; + +- DRM_DEBUG_DRIVER("Created object of size %lld\n", size); ++ drm_gem_object_put_unlocked(gem_object); ++ ++ DRM_DEBUG_DRIVER("Created object of size %llu\n", args->size); + + return 0; + } diff --git a/queue-4.19/series b/queue-4.19/series index 2a4dcddce9f..5163414d609 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -55,3 +55,4 @@ tty-n_gsm-fix-missing-explicit-ldisc-flush.patch tty-n_gsm-fix-wrong-command-retry-handling.patch tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch tty-n_gsm-fix-incorrect-ua-handling.patch +drm-vgem-close-use-after-free-race-in-vgem_gem_create.patch
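Review bot: the ownership contract of vgem_gem_create changes in the `@@ -189,9 +189,10 @@` hunk and nothing in the code records it. Before the change the function dropped its temporary reference unconditionally (`drm_gem_object_put_unlocked(&obj->base);` ahead of `if (ret)`), so a caller got back a pointer kept alive only by the newly created handle; with the put moved into the `if (ret) {` branch, a successful return now hands the caller a reference it is responsible for dropping. Suggest a comment above vgem_gem_create stating that the caller owns one reference on the returned object and must release it with drm_gem_object_put_unlocked(), and a check that vgem_gem_dumb_create (updated in the next hunk) is the only caller, since any other caller of this function would now leak a reference on every object it creates.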
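Review bot: in the `@@ -214,7 +215,9 @@` hunk of vgem_gem_dumb_create the object must not be dereferenced after the new `drm_gem_object_put_unlocked(gem_object);`, because that put may drop the last reference if another thread has already closed the handle, which is exactly the window the commit message describes. The replacement debug line handles this correctly by printing `args->size` (copied from `gem_object->size` above the put) rather than reading the object again, and `%llu` matches the unsigned args->size where the removed line printed the local `size` with `%lld`. A one-line comment at the put ("gem_object may be freed from here on; use args->size, not gem_object->size") would keep a later edit from reintroducing the read after release that this patch closes.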