From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Sasha Levin" <sashal@kernel.org>,
"Min Li" <lm0963hack@gmail.com>,
Xinhui.Pan@amd.com, amd-gfx@lists.freedesktop.org,
dri-devel@lists.freedesktop.org, daniel@ffwll.ch,
"Alex Deucher" <alexander.deucher@amd.com>,
airlied@gmail.com, "Christian König" <christian.koenig@amd.com>
Subject: [PATCH AUTOSEL 5.10 11/14] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
Date: Fri, 16 Jun 2023 06:27:48 -0400 [thread overview]
Message-ID: <20230616102753.673975-11-sashal@kernel.org> (raw)
In-Reply-To: <20230616102753.673975-1-sashal@kernel.org>
From: Min Li <lm0963hack@gmail.com>
[ Upstream commit 982b173a6c6d9472730c3116051977e05d17c8c5 ]
Userspace can race to free the gobj(robj converted from), robj should not
be accessed again after drm_gem_object_put, otherwith it will result in
use-after-free.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Min Li <lm0963hack@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/radeon/radeon_gem.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
index e5c4271e64ede..75053917d2137 100644
--- a/drivers/gpu/drm/radeon/radeon_gem.c
+++ b/drivers/gpu/drm/radeon/radeon_gem.c
@@ -385,7 +385,6 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
struct radeon_device *rdev = dev->dev_private;
struct drm_radeon_gem_set_domain *args = data;
struct drm_gem_object *gobj;
- struct radeon_bo *robj;
int r;
/* for now if someone requests domain CPU -
@@ -398,13 +397,12 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
up_read(&rdev->exclusive_lock);
return -ENOENT;
}
- robj = gem_to_radeon_bo(gobj);
r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain);
drm_gem_object_put(gobj);
up_read(&rdev->exclusive_lock);
- r = radeon_gem_handle_lockup(robj->rdev, r);
+ r = radeon_gem_handle_lockup(rdev, r);
return r;
}
--
2.39.2
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Min Li" <lm0963hack@gmail.com>,
"Christian König" <christian.koenig@amd.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Sasha Levin" <sashal@kernel.org>,
Xinhui.Pan@amd.com, airlied@gmail.com, daniel@ffwll.ch,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.10 11/14] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
Date: Fri, 16 Jun 2023 06:27:48 -0400 [thread overview]
Message-ID: <20230616102753.673975-11-sashal@kernel.org> (raw)
In-Reply-To: <20230616102753.673975-1-sashal@kernel.org>
From: Min Li <lm0963hack@gmail.com>
[ Upstream commit 982b173a6c6d9472730c3116051977e05d17c8c5 ]
Userspace can race to free the gobj(robj converted from), robj should not
be accessed again after drm_gem_object_put, otherwith it will result in
use-after-free.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Min Li <lm0963hack@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/radeon/radeon_gem.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
index e5c4271e64ede..75053917d2137 100644
--- a/drivers/gpu/drm/radeon/radeon_gem.c
+++ b/drivers/gpu/drm/radeon/radeon_gem.c
@@ -385,7 +385,6 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
struct radeon_device *rdev = dev->dev_private;
struct drm_radeon_gem_set_domain *args = data;
struct drm_gem_object *gobj;
- struct radeon_bo *robj;
int r;
/* for now if someone requests domain CPU -
@@ -398,13 +397,12 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
up_read(&rdev->exclusive_lock);
return -ENOENT;
}
- robj = gem_to_radeon_bo(gobj);
r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain);
drm_gem_object_put(gobj);
up_read(&rdev->exclusive_lock);
- r = radeon_gem_handle_lockup(robj->rdev, r);
+ r = radeon_gem_handle_lockup(rdev, r);
return r;
}
--
2.39.2
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Sasha Levin" <sashal@kernel.org>,
"Min Li" <lm0963hack@gmail.com>,
Xinhui.Pan@amd.com, amd-gfx@lists.freedesktop.org,
dri-devel@lists.freedesktop.org,
"Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>
Subject: [PATCH AUTOSEL 5.10 11/14] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
Date: Fri, 16 Jun 2023 06:27:48 -0400 [thread overview]
Message-ID: <20230616102753.673975-11-sashal@kernel.org> (raw)
In-Reply-To: <20230616102753.673975-1-sashal@kernel.org>
From: Min Li <lm0963hack@gmail.com>
[ Upstream commit 982b173a6c6d9472730c3116051977e05d17c8c5 ]
Userspace can race to free the gobj(robj converted from), robj should not
be accessed again after drm_gem_object_put, otherwith it will result in
use-after-free.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Min Li <lm0963hack@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/radeon/radeon_gem.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
index e5c4271e64ede..75053917d2137 100644
--- a/drivers/gpu/drm/radeon/radeon_gem.c
+++ b/drivers/gpu/drm/radeon/radeon_gem.c
@@ -385,7 +385,6 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
struct radeon_device *rdev = dev->dev_private;
struct drm_radeon_gem_set_domain *args = data;
struct drm_gem_object *gobj;
- struct radeon_bo *robj;
int r;
/* for now if someone requests domain CPU -
@@ -398,13 +397,12 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
up_read(&rdev->exclusive_lock);
return -ENOENT;
}
- robj = gem_to_radeon_bo(gobj);
r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain);
drm_gem_object_put(gobj);
up_read(&rdev->exclusive_lock);
- r = radeon_gem_handle_lockup(robj->rdev, r);
+ r = radeon_gem_handle_lockup(rdev, r);
return r;
}
--
2.39.2
next prev parent reply other threads:[~2023-06-16 10:28 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-16 10:27 [PATCH AUTOSEL 5.10 01/14] Input: soc_button_array - add invalid acpi_index DMI quirk handling Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 02/14] s390/cio: unregister device when the only path is gone Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 03/14] spi: lpspi: disable lpspi module irq in DMA mode Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 04/14] ASoC: simple-card: Add missing of_node_put() in case of error Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 05/14] soundwire: qcom: add proper error paths in qcom_swrm_startup() Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 06/14] ASoC: nau8824: Add quirk to active-high jack-detect Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 07/14] s390/purgatory: disable branch profiling Sasha Levin
2023-06-16 10:27 ` Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 08/14] ARM: dts: Fix erroneous ADS touchscreen polarities Sasha Levin
2023-06-16 10:27 ` Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 09/14] drm/exynos: vidi: fix a wrong error return Sasha Levin
2023-06-16 10:27 ` Sasha Levin
2023-06-16 10:27 ` Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 10/14] drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl Sasha Levin
2023-06-16 10:27 ` Sasha Levin
2023-06-16 10:27 ` Sasha Levin
2023-06-16 10:27 ` Sasha Levin [this message]
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 11/14] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl Sasha Levin
2023-06-16 10:27 ` Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 12/14] Revert "ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled" Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 13/14] ext4: only check dquot_initialize_needed() when debugging Sasha Levin
2023-06-16 10:27 ` [PATCH AUTOSEL 5.10 14/14] vhost_vdpa: tell vqs about the negotiated Sasha Levin
2023-06-16 10:27 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230616102753.673975-11-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@gmail.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lm0963hack@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.