From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, stable@vger.kernel.org, "Daniel Vetter" <daniel.vetter@intel.com>, "Christian König" <christian.koenig@amd.com>, "Lionel Landwerlin" <lionel.g.landwerlin@intel.com>, "Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>, "Maxime Ripard" <mripard@kernel.org>, "Thomas Zimmermann" <tzimmermann@suse.de>, "David Airlie" <airlied@linux.ie>, "Daniel Vetter" <daniel@ffwll.ch>, dri-devel@lists.freedesktop.org
Subject: [PATCH 5.4 16/86] drm/syncobj: Fix use-after-free
Date: Mon, 25 Jan 2021 19:38:58 +0100
Message-ID: <20210125183201.728770789@linuxfoundation.org>
In-Reply-To: <20210125183201.024962206@linuxfoundation.org>

From: Daniel Vetter <daniel.vetter@ffwll.ch>

commit a37eef63bc9e16e06361b539e528058146af80ab upstream.

While reviewing Christian's annotation patch I noticed that we have a
use-after-free for the WAIT_FOR_SUBMIT case: We drop the syncobj
reference before we've completed the waiting.

Of course usually there's nothing bad happening here since userspace
keeps the reference, but we can't rely on userspace to play nice here!

Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Fixes: bc9c80fe01a2 ("drm/syncobj: use the timeline point in drm_syncobj_find_fence v4")
Reviewed-by: Christian König <christian.koenig@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v5.2+
Link: https://patchwork.freedesktop.org/patch/msgid/20210119130318.615145-1-daniel.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/gpu/drm/drm_syncobj.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -326,19 +326,18 @@ int drm_syncobj_find_fence(struct drm_fi return -ENOENT; *fence = drm_syncobj_fence_get(syncobj); - drm_syncobj_put(syncobj); if (*fence) { ret = dma_fence_chain_find_seqno(fence, point); if (!ret) - return 0; + goto out; dma_fence_put(*fence); } else { ret = -EINVAL; } if (!(flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT)) - return ret; + goto out; memset(&wait, 0, sizeof(wait)); wait.task = current; @@ -370,6 +369,9 @@ int drm_syncobj_find_fence(struct drm_fi if (wait.node.next) drm_syncobj_remove_wait(syncobj, &wait); +out: + drm_syncobj_put(syncobj); + return ret; } EXPORT_SYMBOL(drm_syncobj_find_fence);
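Review bot: the `goto out` conversion in the first hunk covers only the two early returns that are visible there (`return 0` after a successful `dma_fence_chain_find_seqno()` and `return ret` when `DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT` is not set), while the region between the hunks (old lines ~340-368, the wait loop between `wait.task = current;` and `drm_syncobj_remove_wait()`) is not shown; the diffstat (5 insertions, 3 deletions) implies nothing changed there, so please confirm that section contains no other `return` that would now bypass `out:` and leak the syncobj reference the patch deliberately holds until after `drm_syncobj_remove_wait(syncobj, &wait)`. A short comment at the new `out:` label stating that the reference must outlive the wait (the `wait` node lives on the syncobj, so dropping the reference early is what made `drm_syncobj_remove_wait()` a use-after-free) would document the ordering constraint for the next person who touches the error paths. Minor and pre-existing: the `dma_fence_put(*fence)` branch leaves `*fence` pointing at the released fence on the `-EINVAL`/error return; callers should not touch `*fence` on error, so setting it to NULL there would be a cheap defensive follow-up.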