From 21450e79077901350d6d60f8b6861d259c88b6a9 Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Mon, 22 Feb 2021 10:59:12 +0800
Subject: [PATCH] fix virtio_gpu use-after-free while creating dumb

euleros inclusion
catagery: bugfix
bugzilla: 46917

-------------------------

virtio_gpu drop reference from allocate in virtio_gpu_gem_create when creating
dumb, but after that, this process will continue to use virtio_gpu_object
in virtio_gpu_object_attach, which cause uaf. See defail in bugzilla.

Signed-off-by: chenmaodong <chenmaodong@huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
---
 drivers/gpu/drm/virtio/virtgpu_gem.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/virtio/virtgpu_gem.c b/drivers/gpu/drm/virtio/virtgpu_gem.c
index 0f2768eacaee..692776abdcf1 100644
--- a/drivers/gpu/drm/virtio/virtgpu_gem.c
+++ b/drivers/gpu/drm/virtio/virtgpu_gem.c
@@ -71,9 +71,6 @@ int virtio_gpu_gem_create(struct drm_file *file,
 
 	*obj_p = &obj->gem_base;
 
-	/* drop reference from allocate - handle holds it now */
-	drm_gem_object_put_unlocked(&obj->gem_base);
-
 	*handle_p = handle;
 	return 0;
 }
@@ -107,6 +104,7 @@ int virtio_gpu_mode_dumb_create(struct drm_file *file_priv,
 	/* attach the object to the resource */
 	obj = gem_to_virtio_gpu_obj(gobj);
 	ret = virtio_gpu_object_attach(vgdev, obj, resid, NULL);
+	drm_gem_object_put_unlocked(&obj->gem_base);
 	if (ret)
 		goto fail;
 
-- 
GitLab