From mboxrd@z Thu Jan  1 00:00:00 1970
From: Laura Abbott <labbott@redhat.com>
Subject: Re: [PATCH v2] drm/vgem: fix use-after-free when
 drm_gem_handle_create() fails
Date: Wed, 27 Feb 2019 15:52:43 -0800
Message-ID: <2ba38b28-89a3-3ae7-6f13-af298165cfd8@redhat.com>
References: <20190226213053.GC218103@gmail.com>
 <20190226214451.195123-1-ebiggers@kernel.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-kernel-owner@vger.kernel.org>
In-Reply-To: <20190226214451.195123-1-ebiggers@kernel.org>
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
To: Eric Biggers <ebiggers@kernel.org>, dri-devel@lists.freedesktop.org
Cc: Chris Wilson <chris@chris-wilson.co.uk>, syzkaller-bugs <syzkaller-bugs@googlegroups.com>, linux-kernel@vger.kernel.org, syzbot+e73f2fb5ed5a5df36d33@syzkaller.appspotmail.com, Daniel Vetter <daniel.vetter@ffwll.ch>, stable@vger.kernel.org
List-Id: dri-devel@lists.freedesktop.org

On 2/26/19 1:44 PM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> If drm_gem_handle_create() fails in vgem_gem_create(), then the
> drm_vgem_gem_object is freed twice: once when the reference is dropped
> by drm_gem_object_put_unlocked(), and again by __vgem_gem_destroy().
> 
> This was hit by syzkaller using fault injection.
> 
> Fix it by skipping the second free.
> 
> Reported-by: syzbot+e73f2fb5ed5a5df36d33@syzkaller.appspotmail.com
> Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Laura Abbott <labbott@redhat.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>   drivers/gpu/drm/vgem/vgem_drv.c | 6 +-----
>   1 file changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
> index 5930facd6d2d8..11a8f99ba18c5 100644
> --- a/drivers/gpu/drm/vgem/vgem_drv.c
> +++ b/drivers/gpu/drm/vgem/vgem_drv.c
> @@ -191,13 +191,9 @@ static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
>   	ret = drm_gem_handle_create(file, &obj->base, handle);
>   	drm_gem_object_put_unlocked(&obj->base);
>   	if (ret)
> -		goto err;
> +		return ERR_PTR(ret);
>   
>   	return &obj->base;
> -
> -err:
> -	__vgem_gem_destroy(obj);
> -	return ERR_PTR(ret);
>   }
>   
>   static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
> 


Acked-by: Laura Abbott <labbott@redhat.com>