releases/4.14.110/drm-vgem-fix-use-after-free-when-drm_gem_handle_create-fails.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 21d2b122732318b48c10b7262e15595ce54511d3 Mon Sep 17 00:00:00 2001
 From: Eric Biggers <ebiggers@google.com>
 Date: Tue, 26 Feb 2019 13:44:51 -0800
 Subject: drm/vgem: fix use-after-free when drm_gem_handle_create() fails

 From: Eric Biggers <ebiggers@google.com>

 commit 21d2b122732318b48c10b7262e15595ce54511d3 upstream.

 If drm_gem_handle_create() fails in vgem_gem_create(), then the
 drm_vgem_gem_object is freed twice: once when the reference is dropped
 by drm_gem_object_put_unlocked(), and again by __vgem_gem_destroy().

 This was hit by syzkaller using fault injection.

 Fix it by skipping the second free.

 Reported-by: syzbot+e73f2fb5ed5a5df36d33@syzkaller.appspotmail.com
 Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
 Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
 Cc: Laura Abbott <labbott@redhat.com>
 Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
 Cc: stable@vger.kernel.org
 Signed-off-by: Eric Biggers <ebiggers@google.com>
 Acked-by: Laura Abbott <labbott@redhat.com>
 Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
 Link: https://patchwork.freedesktop.org/patch/msgid/20190226214451.195123-1-ebiggers@kernel.org
 Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/gpu/drm/vgem/vgem_drv.c |    6 +-----
  1 file changed, 1 insertion(+), 5 deletions(-)

 --- a/drivers/gpu/drm/vgem/vgem_drv.c
 +++ b/drivers/gpu/drm/vgem/vgem_drv.c
 @@ -192,13 +192,9 @@ static struct drm_gem_object *vgem_gem_c
  	ret = drm_gem_handle_create(file, &obj->base, handle);
  	drm_gem_object_put_unlocked(&obj->base);
  	if (ret)
 -		goto err;
 +		return ERR_PTR(ret);

  	return &obj->base;
 -
 -err:
 -	__vgem_gem_destroy(obj);
 -	return ERR_PTR(ret);
  }

  static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
	From 21d2b122732318b48c10b7262e15595ce54511d3 Mon Sep 17 00:00:00 2001
	From: Eric Biggers <ebiggers@google.com>
	Date: Tue, 26 Feb 2019 13:44:51 -0800
	Subject: drm/vgem: fix use-after-free when drm_gem_handle_create() fails

	From: Eric Biggers <ebiggers@google.com>

	commit 21d2b122732318b48c10b7262e15595ce54511d3 upstream.

	If drm_gem_handle_create() fails in vgem_gem_create(), then the
	drm_vgem_gem_object is freed twice: once when the reference is dropped
	by drm_gem_object_put_unlocked(), and again by __vgem_gem_destroy().

	This was hit by syzkaller using fault injection.

	Fix it by skipping the second free.

	Reported-by: syzbot+e73f2fb5ed5a5df36d33@syzkaller.appspotmail.com
	Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
	Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
	Cc: Laura Abbott <labbott@redhat.com>
	Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
	Cc: stable@vger.kernel.org
	Signed-off-by: Eric Biggers <ebiggers@google.com>
	Acked-by: Laura Abbott <labbott@redhat.com>
	Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
	Link: https://patchwork.freedesktop.org/patch/msgid/20190226214451.195123-1-ebiggers@kernel.org
	Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/gpu/drm/vgem/vgem_drv.c \| 6 +-----
	1 file changed, 1 insertion(+), 5 deletions(-)

	--- a/drivers/gpu/drm/vgem/vgem_drv.c
	+++ b/drivers/gpu/drm/vgem/vgem_drv.c
	@@ -192,13 +192,9 @@ static struct drm_gem_object *vgem_gem_c
	ret = drm_gem_handle_create(file, &obj->base, handle);
	drm_gem_object_put_unlocked(&obj->base);
	if (ret)
	- goto err;
	+ return ERR_PTR(ret);

	return &obj->base;
	-
	-err:
	- __vgem_gem_destroy(obj);
	- return ERR_PTR(ret);
	}

	static int vgem_gem_dumb_create(struct drm_file file, struct drm_device dev,