This patch fixes an unsafe dereference in the DRM_IOCTL_NEW_CTX. If the ioctl is called before the lock is created or after it has been destroyed, the code will dereference a NULL pointer. This ioctl is a root ioctl so exploitation is limited.

Issue: GMINL-7409
Change-Id: Icabf814abe8225d616fdf4f981cd36d2b27f7ad5
Signed-off-by: Peter Antoine <peter.antoine@xxxxxxxxx>
--- drivers/gpu/drm/drm_context.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_context.c b/drivers/gpu/drm/drm_context.c index a4b017b..4754e79 100644 --- a/drivers/gpu/drm/drm_context.c +++ b/drivers/gpu/drm/drm_context.c @@ -252,7 +252,13 @@ static int drm_context_switch_complete(struct drm_device *dev, { dev->last_context = new; /* PRE/POST: This is the _only_ writer. */ - if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) { + if (file_priv->master->lock.hw_lock == NULL) { + DRM_ERROR( + "Device has been unregistered. Hard exit. Process %d\n", + task_pid_nr(current)); + send_sig(SIGTERM, current, 0); + return -EINTR; + } else if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) { DRM_ERROR("Lock isn't held after context switch\n"); } -- 1.9.1
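Review bot: in the new `hw_lock == NULL` branch of drm_context_switch_complete(), `send_sig(SIGTERM, current, 0)` followed by `return -EINTR` is a heavy response to a state the commit message says is reachable simply by calling the ioctl before the lock is created; returning a plain error code and letting the caller handle it would fix the NULL dereference without killing the process, and -EINTR in particular reads to userspace as "interrupted, retry". Three smaller points on the same hunk. The check sits after `dev->last_context = new;`, so the device state is already updated when the function bails out; moving the NULL test above that assignment keeps the error path free of side effects. The message "Device has been unregistered" only describes the "after it has been destroyed" case, not the "before the lock is created" case from the commit message, so the wording should cover both. Finally, `hw_lock` is tested for NULL and then read again in the `else if`, with no locking visible in these lines; if the lock can be destroyed concurrently, reading the pointer once into a local and using that for both the test and `_DRM_LOCK_IS_HELD()` would at least avoid the double fetch, and a comment stating what serializes this against teardown would help.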