fix virtio_gpu use-after-free while creating dumb

euleros inclusion catagery: bugfix bugzilla: 46917 ------------------------- virtio_gpu drop reference from allocate in virtio_gpu_gem_create when creating dumb, but after that, this process will continue to use virtio_gpu_object in virtio_gpu_object_attach, which cause uaf. See defail in bugzilla. Signed-off-by: N chenmaodong <chenmaodong@huawei.com> Reviewed-by: N Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Cheng Jian <cj.chengjian@huawei.com>

fix virtio_gpu use-after-free while creating dumb
euleros inclusion catagery: bugfix bugzilla: 46917 ------------------------- virtio_gpu drop reference from allocate in virtio_gpu_gem_create when creating dumb, but after that, this process will continue to use virtio_gpu_object in virtio_gpu_object_attach, which cause uaf. See defail in bugzilla. Signed-off-by: N chenmaodong <chenmaodong@huawei.com> Reviewed-by: N Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Cheng Jian <cj.chengjian@huawei.com>
21450e79 · chenmaodong · Yang Yingliang · e131b1c1 · 21450e79
显示空白变更内容
内联并排

Showing with 1 addition and 3 deletion

drivers/gpu/drm/virtio/virtgpu_gem.c drivers/gpu/drm/virtio/virtgpu_gem.c +1 -3

未找到文件。
--- a/drivers/gpu/drm/virtio/virtgpu_gem.c
+++ b/drivers/gpu/drm/virtio/virtgpu_gem.c
@@ -71,9 +71,6 @@ int virtio_gpu_gem_create(struct drm_file *file,
 	*obj_p = &obj->gem_base;
-	/* drop reference from allocate - handle holds it now */
-	drm_gem_object_put_unlocked(&obj->gem_base);
 	*handle_p = handle;
 	return 0;
 }
@@ -107,6 +104,7 @@ int virtio_gpu_mode_dumb_create(struct drm_file *file_priv,
 	/* attach the object to the resource */
 	obj = gem_to_virtio_gpu_obj(gobj);
 	ret = virtio_gpu_object_attach(vgdev, obj, resid, NULL);
+	drm_gem_object_put_unlocked(&obj->gem_base);
 	if (ret)
 		goto fail;