From: chenmaodong chenmaodong@huawei.com
euleros inclusion
category: bugfix
bugzilla: 46917
-------------------------
virtio_gpu drops reference from allocate in virtio_gpu_gem_create when creating dumb, but after that, this process will continue to use virtio_gpu_object in virtio_gpu_object_attach, which causes UAF. See detail in bugzilla.
Signed-off-by: chenmaodong chenmaodong@huawei.com
Reviewed-by: Xie XiuQi xiexiuqi@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
Signed-off-by: Cheng Jian cj.chengjian@huawei.com
---
drivers/gpu/drm/virtio/virtgpu_gem.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/virtio/virtgpu_gem.c b/drivers/gpu/drm/virtio/virtgpu_gem.c index 0f2768eacaee..692776abdcf1 100644 --- a/drivers/gpu/drm/virtio/virtgpu_gem.c +++ b/drivers/gpu/drm/virtio/virtgpu_gem.c @@ -71,9 +71,6 @@ int virtio_gpu_gem_create(struct drm_file *file,
*obj_p = &obj->gem_base;
- /* drop reference from allocate - handle holds it now */ - drm_gem_object_put_unlocked(&obj->gem_base); - *handle_p = handle; return 0; } @@ -107,6 +104,7 @@ int virtio_gpu_mode_dumb_create(struct drm_file *file_priv, /* attach the object to the resource */ obj = gem_to_virtio_gpu_obj(gobj); ret = virtio_gpu_object_attach(vgdev, obj, resid, NULL); + drm_gem_object_put_unlocked(&obj->gem_base); if (ret) goto fail;
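Review bot: in the first hunk, virtio_gpu_gem_create now returns with *obj_p still holding the allocation reference, but nothing at the return site documents that. The removed comment was the only statement of the ownership rule, so add a comment near `*handle_p = handle;` or in the function header saying the caller owns a reference and must drop it with drm_gem_object_put_unlocked. This diff updates only virtio_gpu_mode_dumb_create; please confirm there is no other caller of virtio_gpu_gem_create, since any caller left unchanged would now leak the object.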
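Review bot: in the second hunk, the new drm_gem_object_put_unlocked sits between the virtio_gpu_object_attach call and `if (ret) goto fail;`, so the reference is dropped on both the success and the failure path of attach. That is only balanced if the `fail` label does not drop a reference itself, and if no earlier `goto fail` taken after virtio_gpu_gem_create has succeeded bypasses this line. Neither is visible in the context shown, so please check both. From this line on only the handle keeps the object alive, so `obj` and `gobj` must not be dereferenced afterwards; a one-line comment to that effect would replace the one removed from virtio_gpu_gem_create.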