This patch fixes an unsafe deference in the DRM_IOCTL_NEW_CTX. If the ioctl is called before the lock is created or after it has been destroyed. The code will deference a NULL pointer. This ioctl is a root ioctl so exploitation is limited. Issue: VIZ-5485 Signed-off-by: Peter Antoine <peter.antoine@xxxxxxxxx> --- drivers/gpu/drm/drm_context.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_context.c b/drivers/gpu/drm/drm_context.c index 9b23525..96350d1 100644 --- a/drivers/gpu/drm/drm_context.c +++ b/drivers/gpu/drm/drm_context.c @@ -277,7 +277,13 @@ static int drm_context_switch_complete(struct drm_device *dev, { dev->last_context = new; /* PRE/POST: This is the _only_ writer. */ - if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) { + if (file_priv->master->lock.hw_lock == NULL) { + DRM_ERROR( + "Device has been unregistered. Hard exit. Process %d\n", + task_pid_nr(current)); + send_sig(SIGTERM, current, 0); + return -EPERM; + } else if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) { DRM_ERROR("Lock isn't held after context switch\n"); } -- 1.9.1 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
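Review bot: The NULL test on `file_priv->master->lock.hw_lock` in the new `if` is not serialized against whoever sets it to NULL, so the `else if` branch still dereferences `hw_lock->lock` after a check that can be invalidated in between; if the lock can be destroyed while a DRM_IOCTL_NEW_CTX call is in flight (which is exactly the case the commit message describes), the fix needs to read `hw_lock` under whatever lock protects its lifetime, or snapshot the pointer once and use that local, rather than re-reading the field in the `else if`. Two smaller points on the same lines: returning `-EPERM` for "device has been unregistered" is a misleading errno (`-ENODEV` matches the message), and `send_sig(SIGTERM, current, 0)` plus a DRM_ERROR per call is a heavy reaction for an ioctl that is already root-only per the commit message; an error return alone lets the caller decide, and avoids a log line that a privileged user can generate at will. Style: kernel convention prefers `if (!file_priv->master->lock.hw_lock)` over `== NULL`, and the DRM_ERROR arguments can sit on one line after the format string.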