Hello Murray, thanks for looking into this!

> > > On Thu, 2023-09-28 at 00:13 -0400, Zack Rusin wrote:
> > > > From: Zack Rusin <zackr@xxxxxxxxxx>
> > > >
> > > > Surfaces can be backed (i.e. stored in) memory objects (mob's) which
> > > > are created and managed by the userspace as GEM buffers. Surfaces
> > > > grab only a ttm reference which means that the gem object can
> > > > be deleted underneath us, especially in cases where prime buffer
> > > > export is used.
> > > >
> > > > Make sure that all userspace surfaces which are backed by gem objects
> > > > hold a gem reference to make sure they're not deleted before vmw
> > > > surfaces are done with them, which fixes:
> > > > ------------[ cut here ]------------
> > > > refcount_t: underflow; use-after-free.
> > > > WARNING: CPU: 2 PID: 2632 at lib/refcount.c:28 refcount_warn_saturate+0xfb/0x150 []
> > > > ---[ end trace 0000000000000000 ]---
> > > >
> > > > A lot of the analysis on the bug was done by Murray McAllister and
> > > > Ian Forbes.
> > > >
> > > > Reported-by: Murray McAllister <murray.mcallister@xxxxxxxxx>
> > > > Cc: Ian Forbes <iforbes@xxxxxxxxxx>
> > > > Signed-off-by: Zack Rusin <zackr@xxxxxxxxxx>
> > > > Fixes: a950b989ea29 ("drm/vmwgfx: Do not drop the reference to the handle too soon")
> > > > Cc: <stable@xxxxxxxxxxxxxxx> # v6.2+
> > > Do you remember the particular reason this was marked 6.2+?
> > That's because that's the kernel release where the commit this one is
> > fixing first landed.
> > > We see this on Debian 6.1.67 (which at least has the mentioned
> > > "drm/vmwgfx: Do not drop the reference to the handle too soon"):
> > The original had to be backported there. I'll ask someone on my team
> > to check the branches the original was backported to see if this
> > change even applies on those and then we'll see what we can do. In the
> > meantime if you know anyone on the Debian kernel team suggesting this
> > as a cherry-pick might also be a good idea.
> >
> > z
>
> Hi Alexander,
>
> I think the backport might already be on Debian's radar for your version:
>
> https://security-tracker.debian.org/tracker/CVE-2023-5633

Sorry, my reference to Debian was irrelevant, the patch-to-be-fixed is
actually in the upstream kernel:

$ git log --grep "drm/vmwgfx: Do not drop the reference to the handle too soon" v6.1.67
commit 0a127ac972404600c99eb141c8d5b5348e53ee4f
Author: Zack Rusin <zackr@xxxxxxxxxx>
Date:   Sat Feb 11 00:05:14 2023 -0500

    drm/vmwgfx: Do not drop the reference to the handle too soon

    commit a950b989ea29ab3b38ea7f6e3d2540700a3c54e8 upstream.

So it was merely a hint for Stable Team to pick the Subject patch into v6.1.x.

--
Alexander Sverdlin
Siemens AG
www.siemens.com
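The commit message quoted in this thread describes an ownership bug: a surface keeps using a GEM-backed buffer without holding its own GEM reference, so the buffer can be freed underneath it once userspace closes its handle (for instance after a prime export), and the surface's teardown then puts a reference it never took, which is what the "refcount_t: underflow; use-after-free" warning reports. The following is an added example written for this page, not vmwgfx or kernel code, that models that pattern with a small refcount_t-like counter and runs the same scenario twice, once with the surface holding only a borrowed pointer and once with it taking its own reference. The names gem_buf, surface, run_scenario and the OUT_* flags are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not vmwgfx code: a userspace handle owns one reference to
 * a buffer; a surface keeps a pointer to it and releases it on teardown.
 * The only difference between the two runs is whether the surface also
 * takes its own reference when it is bound (the fix the commit describes). */

/* refcount_t-like counter: a put at zero is recorded as an underflow rather
 * than wrapping, the condition refcount_warn_saturate reports as
 * "refcount_t: underflow; use-after-free". */
struct refcount {
	unsigned int val;
	bool underflow;
};

static void ref_get(struct refcount *r) { r->val++; }

/* Returns true when this put dropped the last reference. */
static bool ref_put(struct refcount *r)
{
	if (r->val == 0) {
		r->underflow = true;
		return false;
	}
	return --r->val == 0;
}

struct gem_buf {
	struct refcount ref;
	bool freed;	/* set instead of calling free(), so it can be inspected */
	int payload;
};

struct surface {
	struct gem_buf *backing;
};

/* Creating the handle gives userspace its one reference. */
static void gem_buf_init(struct gem_buf *b)
{
	b->ref.val = 1;
	b->ref.underflow = false;
	b->freed = false;
	b->payload = 42;
}

static void gem_put(struct gem_buf *b)
{
	if (ref_put(&b->ref)) {
		b->freed = true;	/* object is gone from here on */
		b->payload = -1;
	}
}

/* With take_ref the surface holds its own reference, so the buffer
 * outlives the userspace handle; without it the surface only borrows. */
static void surface_bind(struct surface *s, struct gem_buf *b, bool take_ref)
{
	s->backing = b;
	if (take_ref)
		ref_get(&b->ref);
}

/* False means the buffer was already freed underneath the surface. */
static bool surface_use(const struct surface *s, int *out)
{
	if (s->backing->freed)
		return false;
	*out = s->backing->payload;
	return true;
}

/* Surface teardown always releases the backing buffer. */
static void surface_destroy(struct surface *s)
{
	gem_put(s->backing);
	s->backing = NULL;
}

enum {
	OUT_UAF = 1,		/* surface touched a freed buffer */
	OUT_UNDERFLOW = 2,	/* a put ran on a zero refcount */
	OUT_FREED = 4,		/* buffer freed by the end (expected in both runs) */
};

/* create handle -> bind surface -> close handle -> use surface -> destroy
 * surface.  Returns a bitmask of OUT_* flags. */
static unsigned int run_scenario(bool surface_takes_ref)
{
	struct gem_buf buf;
	struct surface surf;
	unsigned int out = 0;
	int v;

	gem_buf_init(&buf);
	surface_bind(&surf, &buf, surface_takes_ref);
	gem_put(&buf);			/* userspace closes its handle */
	if (!surface_use(&surf, &v))
		out |= OUT_UAF;
	surface_destroy(&surf);
	if (buf.ref.underflow)
		out |= OUT_UNDERFLOW;
	if (buf.freed)
		out |= OUT_FREED;
	return out;
}

int main(void)
{
	printf("borrowed only: flags=%u\n", run_scenario(false));	/* 7: UAF, underflow, freed */
	printf("own reference: flags=%u\n", run_scenario(true));	/* 4: freed at surface teardown only */
	return 0;
}
```

The borrowed-pointer run reproduces both symptoms from the trace: the surface reads a buffer that the handle close already freed, and its teardown drives the count below zero. With the surface holding its own reference the handle close only drops the count to one, and the buffer is freed exactly once, when the last user (the surface) is done with it.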