On 12/12/24 08:54, Vivek Kasireddy wrote:
> Fix the following issues identified by Smatch static checker:
> - The call to dma_buf_put(attach->dmabuf) after dma_buf_detach()
>   leads to a UAF bug as dma_buf_detach() frees the attach object.
>   Fix this by extracting the dmabuf object from attach and using
>   that in the call to dma_buf_put().
>
> - The resv object is extracted from attach before checking to see
>   if attach is valid (that is !NULL) or not. Although, attach would
>   very likely be valid, fix this by making sure that the resv object
>   is used only after ensuring that attach is valid.
>
> Fixes: 2885e575abc7 ("drm/virtio: Add helpers to initialize and free the imported object")
> Fixes: ca77f27a2665 ("drm/virtio: Import prime buffers from other devices as guest blobs")
> Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
> Cc: Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx>
> Cc: Gurchetan Singh <gurchetansingh@xxxxxxxxxxxx>
> Cc: Chia-I Wu <olvaffe@xxxxxxxxx>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Signed-off-by: Vivek Kasireddy <vivek.kasireddy@xxxxxxxxx>
> ---
>  drivers/gpu/drm/virtio/virtgpu_prime.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)

Applied to misc-next with edited commit title, thanks!

P.S.: This patch may also need to be applied to next-fixes, but that
branch is locked at the moment. I'll keep an eye on whether the patch
will be missed in 6.14-rc1 and I'll need to re-add it to the -fixes.

--
Best regards,
Dmitry
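The two orderings described in the quoted commit message, modelled in userspace C as an added example (not code from the patch or from the kernel). The `mock_*` types and functions are hypothetical stand-ins, placing resv inside the buffer is an assumption, and detach poisons the attach object instead of freeing it so the stale read is observable rather than undefined.

```c
#include <stddef.h>

/* Hypothetical userspace stand-ins; not the kernel's structures. */
struct mock_resv   { int uses; };
struct mock_dmabuf { int refcount; struct mock_resv resv; };
struct mock_attach { struct mock_dmabuf *dmabuf; int dead; };

/* Takes a reference on buf, as an import path would. */
void mock_attach_init(struct mock_attach *a, struct mock_dmabuf *buf)
{
    a->dmabuf = buf;
    a->dead = 0;
    buf->refcount++;
}

/* Stands in for dma_buf_detach(): the attach object is gone afterwards.
 * Poisoned here instead of freed, so a stale read shows up as NULL. */
void mock_detach(struct mock_dmabuf *buf, struct mock_attach *a)
{
    (void)buf;
    a->dmabuf = NULL;
    a->dead = 1;
}

/* Stands in for dma_buf_put(); reports a NULL buffer instead of crashing. */
int mock_put(struct mock_dmabuf *buf)
{
    if (!buf)
        return -1;
    buf->refcount--;
    return 0;
}

/* Ordering the commit message describes as buggy. */
int cleanup_buggy(struct mock_attach *attach)
{
    mock_detach(attach->dmabuf, attach);
    return mock_put(attach->dmabuf);   /* stale read of a dead object */
}

/* Fixed ordering: check attach first, save dmabuf before detaching. */
int cleanup_fixed(struct mock_attach *attach)
{
    struct mock_dmabuf *dmabuf;

    if (!attach)
        return -1;
    dmabuf = attach->dmabuf;           /* copied while attach is alive */
    dmabuf->resv.uses++;               /* resv touched only after the check */
    mock_detach(dmabuf, attach);
    return mock_put(dmabuf);           /* saved pointer, not attach->dmabuf */
}
```

In the model the buggy ordering also leaves the buffer's reference count elevated, because the put never reaches the real buffer.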