Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

drm/vmwgfx: fix potential UAF in vmwgfx_surface.c

drm_file.master should be protected by either drm_device.master_mutex
or drm_file.master_lookup_lock when being dereferenced. However,
drm_master_get is called on unprotected file_priv->master pointers in
vmw_surface_define_ioctl and vmw_gb_surface_define_internal.

This is fixed by replacing drm_master_get with drm_file_get_master.

Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Zack Rusin <zackr@vmware.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210724111824.59266-4-desmondcheongzx@gmail.com

Authored by Desmond Cheong Zhi Xi, committed by Zack Rusin
2bc5da52 1cb48cf3

+2 -2
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
··· 865 865 user_srf->prime.base.shareable = false; 866 866 user_srf->prime.base.tfile = NULL; 867 867 if (drm_is_primary_client(file_priv)) 868 - user_srf->master = drm_master_get(file_priv->master); 868 + user_srf->master = drm_file_get_master(file_priv); 869 869 870 870 /** 871 871 * From this point, the generic resource management functions ··· 1534 1534 1535 1535 user_srf = container_of(srf, struct vmw_user_surface, srf); 1536 1536 if (drm_is_primary_client(file_priv)) 1537 - user_srf->master = drm_master_get(file_priv->master); 1537 + user_srf->master = drm_file_get_master(file_priv); 1538 1538 1539 1539 res = &user_srf->srf.res; 1540 1540
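Review bot: the trailer block carries no Fixes: tag and no Cc: stable line, which a use-after-free fix such as the change at line 868 of vmw_surface_define_ioctl (`drm_master_get(file_priv->master)` replaced by `drm_file_get_master(file_priv)`) normally needs so that it is picked up for stable backports; suggest adding a Fixes: line naming the commit that introduced the unlocked file_priv->master dereference (not identifiable from this page) before merging.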
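Review bot: at line 1537 in vmw_gb_surface_define_internal the value returned by `drm_file_get_master(file_priv)` is stored into user_srf->master without a NULL check; unlike the old `drm_master_get(file_priv->master)`, which would have dereferenced a NULL master outright, the helper returns NULL when file_priv->master is unset, so the code that later releases user_srf->master (outside this diff) should be confirmed to tolerate a NULL pointer, or the `if (drm_is_primary_client(file_priv))` guard extended to cover that case.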