linux

mirror of https://github.com/torvalds/linux.git synced 2024-12-13 14:43:03 +00:00

History

Eric Biggers 36b6c9ed45 drm/vkms: fix use-after-free when drm_gem_handle_create() fails If drm_gem_handle_create() fails in vkms_gem_create(), then the vkms_gem_object is freed twice: once when the reference is dropped by drm_gem_object_put_unlocked(), and again by the extra calls to drm_gem_object_release() and kfree(). Fix it by skipping the second release and free. This bug was originally found in the vgem driver by syzkaller using fault injection, but I noticed it's also present in the vkms driver. Fixes: `559e50fd34` ("drm/vkms: Add dumb operations") Cc: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com> Cc: Haneen Mohammed <hamohammed.sa@gmail.com> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Chris Wilson <chris@chris-wilson.co.uk> Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Reviewed-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com> Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com> Link: https://patchwork.freedesktop.org/patch/msgid/20190226220858.214438-1-ebiggers@kernel.org Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>		2019-03-18 08:45:57 +01:00
..
drm	drm/vkms: fix use-after-free when drm_gem_handle_create() fails	2019-03-18 08:45:57 +01:00
host1x	gpu: host1x: Continue CDMA execution starting with a next job	2019-02-07 18:34:25 +01:00
ipu-v3	media updates for v5.1-rc1	2019-03-09 14:45:54 -08:00
vga	- qxl: Remove the conflicting framebuffers earlier	2019-03-14 11:37:46 +10:00
Makefile