release/5.2.47/drm-vkms-Hold-gem-object-while-still-in-use.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 95c24319b91b67a22d7d91678eb5396d69bf62b0 Mon Sep 17 00:00:00 2001
 From: Ezequiel Garcia <ezequiel@collabora.com>
 Date: Mon, 27 Apr 2020 18:44:05 -0300
 Subject: [PATCH] drm/vkms: Hold gem object while still in-use

 commit 0ea2ea42b31abc1141f2fd3911f952a97d401fcb upstream.

 We need to keep the reference to the drm_gem_object
 until the last access by vkms_dumb_create.

 Therefore, the put the object after it is used.

 This fixes a use-after-free issue reported by syzbot.

 While here, change vkms_gem_create() symbol to static.

 Reported-and-tested-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
 Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
 Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
 Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
 Link: https://patchwork.freedesktop.org/patch/msgid/20200427214405.13069-1-ezequiel@collabora.com
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/gpu/drm/vkms/vkms_drv.h b/drivers/gpu/drm/vkms/vkms_drv.h
 index a0adcc86079f..939ebe84a4a9 100644
 --- a/drivers/gpu/drm/vkms/vkms_drv.h
 +++ b/drivers/gpu/drm/vkms/vkms_drv.h
 @@ -121,11 +121,6 @@ struct drm_plane *vkms_plane_init(struct vkms_device *vkmsdev,
  				  enum drm_plane_type type, int index);

  /* Gem stuff */
 -struct drm_gem_object *vkms_gem_create(struct drm_device *dev,
 -				       struct drm_file *file,
 -				       u32 *handle,
 -				       u64 size);
 -
  vm_fault_t vkms_gem_fault(struct vm_fault *vmf);

  int vkms_dumb_create(struct drm_file *file, struct drm_device *dev,
 diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c
 index 69048e73377d..431c401f44c0 100644
 --- a/drivers/gpu/drm/vkms/vkms_gem.c
 +++ b/drivers/gpu/drm/vkms/vkms_gem.c
 @@ -94,10 +94,10 @@ vm_fault_t vkms_gem_fault(struct vm_fault *vmf)
  	return ret;
  }

 -struct drm_gem_object *vkms_gem_create(struct drm_device *dev,
 -				       struct drm_file *file,
 -				       u32 *handle,
 -				       u64 size)
 +static struct drm_gem_object *vkms_gem_create(struct drm_device *dev,
 +					      struct drm_file *file,
 +					      u32 *handle,
 +					      u64 size)
  {
  	struct vkms_gem_object *obj;
  	int ret;
 @@ -110,7 +110,6 @@ struct drm_gem_object *vkms_gem_create(struct drm_device *dev,
  		return ERR_CAST(obj);

  	ret = drm_gem_handle_create(file, &obj->gem, handle);
 -	drm_gem_object_put_unlocked(&obj->gem);
  	if (ret)
  		return ERR_PTR(ret);

 @@ -139,6 +138,8 @@ int vkms_dumb_create(struct drm_file *file, struct drm_device *dev,
  	args->size = gem_obj->size;
  	args->pitch = pitch;

 +	drm_gem_object_put_unlocked(gem_obj);
 +
  	DRM_DEBUG_DRIVER("Created object of size %lld\n", size);

  	return 0;
 --
 2.27.0
	From 95c24319b91b67a22d7d91678eb5396d69bf62b0 Mon Sep 17 00:00:00 2001
	From: Ezequiel Garcia <ezequiel@collabora.com>
	Date: Mon, 27 Apr 2020 18:44:05 -0300
	Subject: [PATCH] drm/vkms: Hold gem object while still in-use

	commit 0ea2ea42b31abc1141f2fd3911f952a97d401fcb upstream.

	We need to keep the reference to the drm_gem_object
	until the last access by vkms_dumb_create.

	Therefore, the put the object after it is used.

	This fixes a use-after-free issue reported by syzbot.

	While here, change vkms_gem_create() symbol to static.

	Reported-and-tested-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
	Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
	Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
	Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
	Link: https://patchwork.freedesktop.org/patch/msgid/20200427214405.13069-1-ezequiel@collabora.com
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/gpu/drm/vkms/vkms_drv.h b/drivers/gpu/drm/vkms/vkms_drv.h
	index a0adcc86079f..939ebe84a4a9 100644
	--- a/drivers/gpu/drm/vkms/vkms_drv.h
	+++ b/drivers/gpu/drm/vkms/vkms_drv.h
	@@ -121,11 +121,6 @@ struct drm_plane vkms_plane_init(struct vkms_device vkmsdev,
	enum drm_plane_type type, int index);

	/* Gem stuff */
	-struct drm_gem_object vkms_gem_create(struct drm_device dev,
	- struct drm_file *file,
	- u32 *handle,
	- u64 size);
	-
	vm_fault_t vkms_gem_fault(struct vm_fault *vmf);

	int vkms_dumb_create(struct drm_file file, struct drm_device dev,
	diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c
	index 69048e73377d..431c401f44c0 100644
	--- a/drivers/gpu/drm/vkms/vkms_gem.c
	+++ b/drivers/gpu/drm/vkms/vkms_gem.c
	@@ -94,10 +94,10 @@ vm_fault_t vkms_gem_fault(struct vm_fault *vmf)
	return ret;
	}

	-struct drm_gem_object vkms_gem_create(struct drm_device dev,
	- struct drm_file *file,
	- u32 *handle,
	- u64 size)
	+static struct drm_gem_object vkms_gem_create(struct drm_device dev,
	+ struct drm_file *file,
	+ u32 *handle,
	+ u64 size)
	{
	struct vkms_gem_object *obj;
	int ret;
	@@ -110,7 +110,6 @@ struct drm_gem_object vkms_gem_create(struct drm_device dev,
	return ERR_CAST(obj);

	ret = drm_gem_handle_create(file, &obj->gem, handle);
	- drm_gem_object_put_unlocked(&obj->gem);
	if (ret)
	return ERR_PTR(ret);

	@@ -139,6 +138,8 @@ int vkms_dumb_create(struct drm_file file, struct drm_device dev,
	args->size = gem_obj->size;
	args->pitch = pitch;

	+ drm_gem_object_put_unlocked(gem_obj);
	+
	DRM_DEBUG_DRIVER("Created object of size %lld\n", size);

	return 0;
	--
	2.27.0