git.baikalelectronics.ru Git - kernel.git/commit

author	Jann Horn <jannh@google.com>
	Mon, 1 Oct 2018 15:31:17 +0000 (17:31 +0200)
committer	Daniel Vetter <daniel.vetter@ffwll.ch>
	Tue, 2 Oct 2018 08:22:10 +0000 (10:22 +0200)
commit	dd049500e330d76b834e8ba4a57248e7e3556650
tree	c0f54d0c9c1c10852232a0bbb5753dad6fd13f38	tree \| snapshot
parent	5dfa044c3a3b9125da254b1d9969551d27523c1c	commit \| diff

drm: fix use-after-free read in drm_mode_create_lease_ioctl()

fd_install() moves the reference given to it into the file descriptor table
of the current process. If the current process is multithreaded, then
immediately after fd_install(), another thread can close() the file
descriptor and cause the file's resources to be cleaned up.

Since the reference to "lessee" is held by the file, we must not access
"lessee" after the fd_install() call.

As far as I can tell, to reach this codepath, the caller must have an open
file descriptor to a DRI device in master mode. I'm not sure what the
requirements for that are.

Signed-off-by: Jann Horn <jannh@google.com>
Fixes: bba0f602c30a ("drm: Add four ioctls for managing drm mode object leases [v7]")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181001153117.216923-1-jannh@google.com