[PATCH] drm: hold gem reference until object is no longer accessed

10 Jul 2020

BUG: KASAN: use-after-free in drm_gem_open_ioctl
There is potential for use-after-free here if the GEM object
handle is closed between the idr lookup and retrieving the size
from the object since a local reference is not being held at that
point. Hold the local reference while the object can still be
accessed to resolve this.
Signed-off-by: Steve Cohen cohens@codeaurora.org
---
 drivers/gpu/drm/drm_gem.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index 7bf628e..4b2891c 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -898,14 +898,15 @@ drm_gem_open_ioctl(struct drm_device *dev, void *data,
/* drm_gem_handle_create_tail unlocks dev->object_name_lock. */
    ret = drm_gem_handle_create_tail(file_priv, obj, &handle);
-	drm_gem_object_put_unlocked(obj);
    if (ret)
-		return ret;
+		goto out;
args->handle = handle;
    args->size = obj->size;
-	return 0;
+out:
+	drm_gem_object_put_unlocked(obj);
+	return ret;
 }
/**
-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project


    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[PATCH] drm: hold gem reference until object is no longer accessed