From: Zack Rusin <zackr@vmware.com>
To: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>,
linux-graphics-maintainer@vmware.com, airlied@linux.ie,
daniel@ffwll.ch, maarten.lankhorst@linux.intel.com,
mripard@kernel.org, tzimmermann@suse.de
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
intel-gfx@lists.freedesktop.org, skhan@linuxfoundation.org,
gregkh@linuxfoundation.org,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c
Date: Thu, 22 Jul 2021 15:17:14 -0400 [thread overview]
Message-ID: <b27a2e80-c912-15eb-e78b-c8b6f3993930@vmware.com> (raw)
In-Reply-To: <20210722092929.244629-4-desmondcheongzx@gmail.com>
On 7/22/21 5:29 AM, Desmond Cheong Zhi Xi wrote:
> drm_file.master should be protected by either drm_device.master_mutex
> or drm_file.master_lookup_lock when being dereferenced. However,
> drm_master_get is called on unprotected file_priv->master pointers in
> vmw_surface_define_ioctl and vmw_gb_surface_define_internal.
>
> This is fixed by replacing drm_master_get with drm_file_get_master.
>
> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Thanks for taking the time to fix this. Apart from the clear logic error, do you happen to know under what circumstances would this be hit? We have someone looking at writing some vmwgfx specific igt tests and I was wondering if I could add this to the list.
z
next prev parent reply other threads:[~2021-07-22 19:17 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-22 9:29 [PATCH 0/3] drm, drm/vmwgfx: fixes and updates related to drm_master Desmond Cheong Zhi Xi
2021-07-22 9:29 ` [PATCH 1/3] drm: use the lookup lock in drm_is_current_master Desmond Cheong Zhi Xi
2021-07-22 10:38 ` Daniel Vetter
2021-07-22 15:04 ` Boqun Feng
2021-07-22 19:02 ` Daniel Vetter
2021-07-23 7:16 ` Boqun Feng
2021-07-27 14:37 ` Peter Zijlstra
2021-07-29 7:00 ` Daniel Vetter
2021-07-29 14:32 ` Desmond Cheong Zhi Xi
2021-07-29 14:45 ` Peter Zijlstra
2021-07-22 9:29 ` [PATCH 2/3] drm: clarify lifetime/locking for drm_master's lease fields Desmond Cheong Zhi Xi
2021-07-22 10:35 ` Daniel Vetter
2021-07-22 13:02 ` Desmond Cheong Zhi Xi
2021-07-22 14:17 ` Daniel Vetter
2021-07-22 9:29 ` [PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c Desmond Cheong Zhi Xi
2021-07-22 10:39 ` Daniel Vetter
2021-07-22 19:17 ` Zack Rusin [this message]
2021-07-23 6:44 ` Desmond Cheong Zhi Xi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b27a2e80-c912-15eb-e78b-c8b6f3993930@vmware.com \
--to=zackr@vmware.com \
--cc=airlied@linux.ie \
--cc=daniel@ffwll.ch \
--cc=desmondcheongzx@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gregkh@linuxfoundation.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=linux-graphics-maintainer@vmware.com \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).