git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Jann Horn <jannh@google.com>
	Mon, 1 Oct 2018 15:31:17 +0000 (17:31 +0200)
committer	Juerg Haefliger <juergh@canonical.com>
	Wed, 24 Jul 2019 01:53:08 +0000 (19:53 -0600)
commit	13402e785c1c2beba638ec903c6b218895d5da95
tree	563dd866fd230a1e7295e81d64841319ba1994e4	tree
parent	38805d5018a61cd72fdbb2eb0f797297cc49a37d	commit \| diff

drm: fix use-after-free read in drm_mode_create_lease_ioctl()

BugLink: https://bugs.launchpad.net/bugs/1836426
commit 12d43deb1ee639d01a2a8d2a7a4cc8ad31224475 upstream.

fd_install() moves the reference given to it into the file descriptor table
of the current process. If the current process is multithreaded, then
immediately after fd_install(), another thread can close() the file
descriptor and cause the file's resources to be cleaned up.

Since the reference to "lessee" is held by the file, we must not access
"lessee" after the fd_install() call.

As far as I can tell, to reach this codepath, the caller must have an open
file descriptor to a DRI device in master mode. I'm not sure what the
requirements for that are.

Signed-off-by: Jann Horn <jannh@google.com>
Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181001153117.216923-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>