Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl

Userspace can race to free the gobj (robj converted from), robj should not
be accessed again after drm_gem_object_put, otherwise it will result in
use-after-free.

Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Min Li <lm0963hack@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

Authored by Min Li and committed by Alex Deucher
e6850f98 5a03159a

+1 -3
drivers/gpu/drm/radeon/radeon_gem.c
··· 459 459 struct radeon_device *rdev = dev->dev_private; 460 460 struct drm_radeon_gem_set_domain *args = data; 461 461 struct drm_gem_object *gobj; 462 - struct radeon_bo *robj; 463 462 int r; 464 463 465 464 /* for now if someone requests domain CPU - ··· 471 472 up_read(&rdev->exclusive_lock); 472 473 return -ENOENT; 473 474 } 474 - robj = gem_to_radeon_bo(gobj); 475 475 476 476 r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain); 477 477 478 478 drm_gem_object_put(gobj); 479 479 up_read(&rdev->exclusive_lock); 480 - r = radeon_gem_handle_lockup(robj->rdev, r); 480 + r = radeon_gem_handle_lockup(rdev, r); 481 481 return r; 482 482 } 483 483
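
Review bot: In the second hunk, the new call `radeon_gem_handle_lockup(rdev, r)` is only a behaviour-preserving replacement if `rdev` (taken from `dev->dev_private` at the top of the function) is always the same device that `robj->rdev` pointed to. The commit message should state that equivalence explicitly, since it is the reason the post-put dereference can be dropped rather than reordered before `drm_gem_object_put(gobj)`. The message also carries only Reviewed-by and Signed-off-by tags; for a use-after-free reachable through `radeon_gem_set_domain_ioctl`, consider adding a `Fixes:` tag for the commit that introduced the `robj->rdev` access and a `Cc: stable` tag so the fix is picked up for backports.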