github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-16 18:46:14 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
032be5f19a
linux/drivers/gpu/drm/vgem
History
Eric Biggers 21d2b12273
drm/vgem: fix use-after-free when drm_gem_handle_create() fails 
If drm_gem_handle_create() fails in vgem_gem_create(), then the
drm_vgem_gem_object is freed twice: once when the reference is dropped
by drm_gem_object_put_unlocked(), and again by __vgem_gem_destroy().

This was hit by syzkaller using fault injection.

Fix it by skipping the second free.

Reported-by: syzbot+e73f2fb5ed5a5df36d33@syzkaller.appspotmail.com
Fixes: af33a9190d ("drm/vgem: Enable dmabuf import interfaces")
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190226214451.195123-1-ebiggers@kernel.org
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
2019-03-18 08:45:57 +01:00
..
Makefile drm/vgem: remove unneeded -Iinclude/drm compiler flag 2017-05-18 07:13:59 +02:00
vgem_drv.c drm/vgem: fix use-after-free when drm_gem_handle_create() fails 2019-03-18 08:45:57 +01:00
vgem_drv.h drm/vgem: Pin our pages for dmabuf exports 2017-06-23 13:04:22 +02:00
vgem_fence.c dma-buf: make fence sequence numbers 64 bit v2 2018-12-07 12:44:16 +01:00