FROMGIT: drm/virtio: Fix GEM handle creation UAF
Userspace can guess the handle value and try to race GEM object creation with handle close, resulting in a use-after-free if we dereference the object after dropping the handle's reference. For that reason, dropping the handle's reference must be done *after* we are done dereferencing the object. Signed-off-by:Rob Clark <robdclark@chromium.org> Reviewed-by:
Chia-I Wu <olvaffe@gmail.com> Fixes: 62fb7a5e ("virtio-gpu: add 3d/virgl support") Cc: stable@vger.kernel.org Signed-off-by:
Dmitry Osipenko <dmitry.osipenko@collabora.com> Link: https://patchwork.freedesktop.org/patch/msgid/20221216233355.542197-2-robdclark@gmail.com (cherry picked from commit 52531258 git://anongit.freedesktop.org/drm/drm-misc drm-misc-fixes) BUG=chromium:1400037 TEST=None Change-Id: I9ad3c7412c0fe0d3cdab6a98b31de36aa1bc8bc9 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/4150632 Reviewed-by:
Sean Paul <sean@poorly.run> Auto-Submit: Rob Clark <robdclark@chromium.org> Commit-Queue: Chia-I Wu <olv@google.com> Reviewed-by:
Chia-I Wu <olv@google.com> Tested-by:
Richard Fung <richardfung@google.com>
Loading
Please sign in to comment