On Thu, Jan 27, 2022 at 11:54:37PM -0500, Zack Rusin wrote:
> From: Mathias Krause <minipli@xxxxxxxxxxxxxx>
>
> commit a0f90c8815706981c483a652a6aefca51a5e191c upstream.
>
> A failing usercopy of the fence_rep object will lead to a stale entry in
> the file descriptor table as put_unused_fd() won't release it. This
> enables userland to refer to a dangling 'file' object through that still
> valid file descriptor, leading to all kinds of use-after-free
> exploitation scenarios.
>
> Fix this by deferring the call to fd_install() until after the usercopy
> has succeeded.
>
> Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
> [mks: backport to v5.16 and older]
> Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
> Signed-off-by: Zack Rusin <zackr@xxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # v5.4+
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_drv.h     |  5 ++--
>  drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 33 +++++++++++++------------
>  drivers/gpu/drm/vmwgfx/vmwgfx_fence.c   |  2 +-
>  drivers/gpu/drm/vmwgfx/vmwgfx_kms.c     |  2 +-
>  4 files changed, 21 insertions(+), 21 deletions(-)

All now queued up, thanks.

greg k-h
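The ordering bug the commit message describes, as an added example that is not part of the thread and not the vmwgfx or kernel code: a user-space model of the fd-table calls it names (get_unused_fd_flags, fd_install, put_unused_fd, fput). Every type and function below is a simplified stand-in with the same name as its kernel counterpart; the "before" function installs the fd and then copies fence_rep out, the "after" function copies first and installs only on success, and has_dangling_fd() reports whether any descriptor still resolves to a file whose last reference was dropped.

```c
/* Added example, not vmwgfx or kernel code: a user-space model of the fd-table
 * API named in the commit message, showing why fd_install() before the usercopy
 * leaves a dangling entry on failure. All names are simplified stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FD_TABLE_SIZE 8

struct file { int refcount; };               /* stand-in for struct file */

/* Stand-in for files_struct: the open_fds reservation bitmap managed by
 * get_unused_fd_flags()/put_unused_fd(), and the fd array that an
 * fdget()-style lookup actually resolves descriptors through. */
struct fd_table {
    bool         open_fds[FD_TABLE_SIZE];
    struct file *fd[FD_TABLE_SIZE];
};
struct fence_rep { int error; int fd; };     /* stand-in for drm_vmw_fence_rep */

/* Reserve a descriptor number; nothing is installed yet. */
static int get_unused_fd_flags(struct fd_table *t)
{
    for (int i = 0; i < FD_TABLE_SIZE; i++)
        if (!t->open_fds[i]) { t->open_fds[i] = true; return i; }
    return -EMFILE;
}
/* Make the file reachable through the descriptor. */
static void fd_install(struct fd_table *t, int fd, struct file *f) { t->fd[fd] = f; }
/* Give the number back. As in the kernel, this only clears the reservation
 * and never touches fd[], so a file already installed stays reachable. */
static void put_unused_fd(struct fd_table *t, int fd) { t->open_fds[fd] = false; }
static void get_file(struct file *f) { f->refcount++; }
static void fput(struct file *f)     { f->refcount--; }   /* 0 == freed */

/* What a later syscall on this fd from userspace would resolve to. */
static struct file *lookup_fd(const struct fd_table *t, int fd)
{ return (fd < 0 || fd >= FD_TABLE_SIZE) ? NULL : t->fd[fd]; }

/* copy_to_user() returns the number of bytes not copied; 'fault' models an
 * unmapped user pointer supplied by the caller. */
static size_t copy_to_user_model(bool fault, size_t len) { return fault ? len : 0; }

/* Ordering before the fix: install first, then copy. On a failed copy the
 * error path drops the file's last reference, but fd[] still points at it. */
static int export_fence_before_fix(struct fd_table *t, struct file *sync_file,
                                   bool usercopy_faults)
{
    struct fence_rep rep = { .error = 0, .fd = -1 };
    int fd = get_unused_fd_flags(t);
    if (fd < 0) return fd;
    get_file(sync_file);
    fd_install(t, fd, sync_file);           /* too early */
    rep.fd = fd;
    if (copy_to_user_model(usercopy_faults, sizeof(rep))) {
        fput(sync_file);                    /* last reference gone ...       */
        put_unused_fd(t, fd);               /* ... but fd[fd] is untouched   */
        return -EFAULT;
    }
    return fd;
}

/* Ordering after the fix: install only once userspace has learned the fd. */
static int export_fence_after_fix(struct fd_table *t, struct file *sync_file,
                                  bool usercopy_faults)
{
    struct fence_rep rep = { .error = 0, .fd = -1 };
    int fd = get_unused_fd_flags(t);
    if (fd < 0) return fd;
    get_file(sync_file);
    rep.fd = fd;
    if (copy_to_user_model(usercopy_faults, sizeof(rep))) {
        fput(sync_file);
        put_unused_fd(t, fd);               /* nothing installed: slot is clean */
        return -EFAULT;
    }
    fd_install(t, fd, sync_file);
    return fd;
}

/* True if some descriptor still resolves to a file whose refcount reached
 * zero: the dangling 'file' the commit message describes. */
static bool has_dangling_fd(const struct fd_table *t)
{
    for (int i = 0; i < FD_TABLE_SIZE; i++)
        if (t->fd[i] && t->fd[i]->refcount <= 0)
            return true;
    return false;
}

int main(void)
{
    struct fd_table before = { 0 }, after = { 0 };
    struct file f1 = { 0 }, f2 = { 0 };
    int r1 = export_fence_before_fix(&before, &f1, true);
    int r2 = export_fence_after_fix(&after, &f2, true);
    printf("before fix: ret=%d fd0=%p dangling=%d\n", r1, (void *)lookup_fd(&before, 0), has_dangling_fd(&before));
    printf("after fix:  ret=%d fd0=%p dangling=%d\n", r2, (void *)lookup_fd(&after, 0), has_dangling_fd(&after));
    return 0;
}
```

Run with the usercopy forced to fault: the pre-fix path returns -EFAULT yet fd 0 still resolves to a file with refcount 0, and put_unused_fd() has even handed the number back for reuse; the post-fix path returns the same error with fd 0 empty. The point the model makes explicit is that put_unused_fd() undoes get_unused_fd_flags(), not fd_install(): once a file is installed, the only correct way to take it back is through the descriptor itself, so the install has to be the last step that can't fail.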