Patch "drm/client: Prevent NULL dereference in drm_client_buffer_delete()" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 15 Feb 2023 11:34:40 -0500

This is a note to let you know that I've just added the patch titled

    drm/client: Prevent NULL dereference in drm_client_buffer_delete()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-client-prevent-null-dereference-in-drm_client_bu.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 90648d86814df13b130b722c653bc4913b8b4d7f
Author: Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx>
Date:   Sun Oct 30 18:44:12 2022 +0300

    drm/client: Prevent NULL dereference in drm_client_buffer_delete()
    
    [ Upstream commit 444bbba708e804c13ad757068d1cb31ed6460754 ]
    
    The drm_gem_vunmap() will crash with a NULL dereference if the passed
    object pointer is NULL. It wasn't a problem before we added the locking
    support to drm_gem_vunmap function because the mapping argument was always
    NULL together with the object. Make drm_client_buffer_delete() to check
    whether GEM is NULL before trying to unmap the GEM, it will happen on
    framebuffer creation error.
    
    Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Christian König <christian.koenig@xxxxxxx>
    Link: https://lore.kernel.org/dri-devel/Y1kFEGxT8MVlf32V@kili/
    Fixes: 79e2cf2e7a19 ("drm/gem: Take reservation lock for vmap/vunmap operations")
    Signed-off-by: Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx>
    Link: https://patchwork.freedesktop.org/patch/msgid/20221030154412.8320-3-dmitry.osipenko@xxxxxxxxxxxxx
    Stable-dep-of: 85e26dd5100a ("drm/client: fix circular reference counting issue")
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/drm_client.c b/drivers/gpu/drm/drm_client.c
index 38e1be991caa5..fd67efe37c636 100644
--- a/drivers/gpu/drm/drm_client.c
+++ b/drivers/gpu/drm/drm_client.c
@@ -235,10 +235,10 @@ static void drm_client_buffer_delete(struct drm_client_buffer *buffer)
 {
 	struct drm_device *dev = buffer->client->dev;
 
-	drm_gem_vunmap_unlocked(buffer->gem, &buffer->map);
-
-	if (buffer->gem)
+	if (buffer->gem) {
+		drm_gem_vunmap_unlocked(buffer->gem, &buffer->map);
 		drm_gem_object_put(buffer->gem);
+	}
 
 	if (buffer->handle)
 		drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file);






