[PATCH] drm: hold gem reference until object is no longer accessed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



BUG: KASAN: use-after-free in drm_gem_open_ioctl

There is potential for use-after-free here if the GEM object
handle is closed between the idr lookup and retrieving the size
from the object since a local reference is not being held at that
point. Hold the local reference while the object can still be
accessed to resolve this.

Signed-off-by: Steve Cohen <cohens@xxxxxxxxxxxxxx>
---
 drivers/gpu/drm/drm_gem.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index 7bf628e..4b2891c 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -898,14 +898,15 @@ drm_gem_open_ioctl(struct drm_device *dev, void *data,
 
 	/* drm_gem_handle_create_tail unlocks dev->object_name_lock. */
 	ret = drm_gem_handle_create_tail(file_priv, obj, &handle);
-	drm_gem_object_put_unlocked(obj);
 	if (ret)
-		return ret;
+		goto out;
 
 	args->handle = handle;
 	args->size = obj->size;
 
-	return 0;
+out:
+	drm_gem_object_put_unlocked(obj);
+	return ret;
 }
 
 /**
-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux