diff options
| author | Vivek Kasireddy <vivek.kasireddy@intel.com> | 2024-12-11 21:54:21 -0800 |
|---|---|---|
| committer | Dmitry Osipenko <dmitry.osipenko@collabora.com> | 2025-01-19 15:12:28 +0300 |
| commit | db8b2c0e2abc90d1025fd7f6d4461b21b1d3248e (patch) | |
| tree | c2c1f0a4795865479105b482919ac62eb8bfc807 | |
| parent | bea6afc1bfad1d44f87ee73cfb631533b82aa3e2 (diff) | |
drm/virtio: Fix UAF in virtgpu_dma_buf_free_obj()
Fix the following issues identified by Smatch static checker:
- The call to dma_buf_put(attach->dmabuf) after dma_buf_detach()
leads to a UAF bug as dma_buf_detach() frees the attach object.
Fix this by extracting the dmabuf object from attach and using
that in the call to dma_buf_put().
- The resv object is extracted from attach before checking to see
if attach is valid (that is !NULL) or not. Although, attach would
very likely be valid, fix this by making sure that the resv object
is used only after ensuring that attach is valid.
Fixes: 2885e575abc7 ("drm/virtio: Add helpers to initialize and free the imported object")
Fixes: ca77f27a2665 ("drm/virtio: Import prime buffers from other devices as guest blobs")
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Cc: Gurchetan Singh <gurchetansingh@chromium.org>
Cc: Chia-I Wu <olvaffe@gmail.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241212055421.775759-1-vivek.kasireddy@intel.com
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
[dmitry.osipenko@collabora.com: Edited commit title]
| -rw-r--r-- | drivers/gpu/drm/virtio/virtgpu_prime.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/gpu/drm/virtio/virtgpu_prime.c b/drivers/gpu/drm/virtio/virtgpu_prime.c index b3664c12843d..f92133a01195 100644 --- a/drivers/gpu/drm/virtio/virtgpu_prime.c +++ b/drivers/gpu/drm/virtio/virtgpu_prime.c @@ -189,10 +189,11 @@ static void virtgpu_dma_buf_free_obj(struct drm_gem_object *obj) struct virtio_gpu_object *bo = gem_to_virtio_gpu_obj(obj); struct virtio_gpu_device *vgdev = obj->dev->dev_private; struct dma_buf_attachment *attach = obj->import_attach; - struct dma_resv *resv = attach->dmabuf->resv; if (attach) { - dma_resv_lock(resv, NULL); + struct dma_buf *dmabuf = attach->dmabuf; + + dma_resv_lock(dmabuf->resv, NULL); virtio_gpu_detach_object_fenced(bo); @@ -200,10 +201,10 @@ static void virtgpu_dma_buf_free_obj(struct drm_gem_object *obj) dma_buf_unmap_attachment(attach, bo->sgt, DMA_BIDIRECTIONAL); - dma_resv_unlock(resv); + dma_resv_unlock(dmabuf->resv); - dma_buf_detach(attach->dmabuf, attach); - dma_buf_put(attach->dmabuf); + dma_buf_detach(dmabuf, attach); + dma_buf_put(dmabuf); } if (bo->created) { |