git.baikalelectronics.ru Git - kernel.git/commit

author	Mathias Krause <minipli@grsecurity.net>
	Thu, 27 Jan 2022 08:34:19 +0000 (18:34 +1000)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Thu, 27 Jan 2022 15:55:20 +0000 (17:55 +0200)
commit	5fdb31a4ade21c442195021ab5d401fe8a0eb27b
tree	4a6833bd11235602d4c8986c77bfa35936b98fd3	tree \| snapshot
parent	5be9f9e13007195686672d8ddebcb00f0b8b9a51	commit \| diff

drm/vmwgfx: Fix stale file descriptors on failed usercopy

A failing usercopy of the fence_rep object will lead to a stale entry in
the file descriptor table as put_unused_fd() won't release it. This
enables userland to refer to a dangling 'file' object through that still
valid file descriptor, leading to all kinds of use-after-free
exploitation scenarios.

Fix this by deferring the call to fd_install() until after the usercopy
has succeeded.

Fixes: f5ef95eccf82 ("drm/vmwgfx: Add export fence to file descriptor support")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

drivers/gpu/drm/vmwgfx/vmwgfx_drv.h		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_fence.c		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c		diff \| blob \| history