forked from luck/tmp_suning_uos_patched
34609faad0
[ Upstream commit 56f0729a510f92151682ff6c89f69724d5595d6e ] drm_file->master pointers should be protected by drm_device.master_mutex or drm_file.master_lookup_lock when being dereferenced. However, in drm_lease.c, there are multiple instances where drm_file->master is accessed and dereferenced while neither lock is held. This makes drm_lease.c vulnerable to use-after-free bugs. We address this issue in 2 ways: 1. Add a new drm_file_get_master() function that calls drm_master_get on drm_file->master while holding on to drm_file.master_lookup_lock. Since drm_master_get increments the reference count of master, this prevents master from being freed until we unreference it with drm_master_put. 2. In each case where drm_file->master is directly accessed and eventually dereferenced in drm_lease.c, we wrap the access in a call to the new drm_file_get_master function, then unreference the master pointer once we are done using it. Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|---|---|---|
| .. | ||
| bridge | ||
| i2c | ||
| ttm | ||
| amd_asic_type.h | ||
| drm_agpsupport.h | ||
| drm_atomic_helper.h | ||
| drm_atomic_state_helper.h | ||
| drm_atomic_uapi.h | ||
| drm_atomic.h | ||
| drm_audio_component.h | ||
| drm_auth.h | ||
| drm_blend.h | ||
| drm_bridge_connector.h | ||
| drm_bridge.h | ||
| drm_cache.h | ||
| drm_client.h | ||
| drm_color_mgmt.h | ||
| drm_connector.h | ||
| drm_crtc_helper.h | ||
| drm_crtc.h | ||
| drm_damage_helper.h | ||
| drm_debugfs_crc.h | ||
| drm_debugfs.h | ||
| drm_device.h | ||
| drm_displayid.h | ||
| drm_dp_dual_mode_helper.h | ||
| drm_dp_helper.h | ||
| drm_dp_mst_helper.h | ||
| drm_drv.h | ||
| drm_dsc.h | ||
| drm_edid.h | ||
| drm_encoder_slave.h | ||
| drm_encoder.h | ||
| drm_fb_cma_helper.h | ||
| drm_fb_helper.h | ||
| drm_file.h | ||
| drm_fixed.h | ||
| drm_flip_work.h | ||
| drm_format_helper.h | ||
| drm_fourcc.h | ||
| drm_framebuffer.h | ||
| drm_gem_cma_helper.h | ||
| drm_gem_framebuffer_helper.h | ||
| drm_gem_shmem_helper.h | ||
| drm_gem_ttm_helper.h | ||
| drm_gem_vram_helper.h | ||
| drm_gem.h | ||
| drm_hashtab.h | ||
| drm_hdcp.h | ||
| drm_ioctl.h | ||
| drm_irq.h | ||
| drm_lease.h | ||
| drm_legacy.h | ||
| drm_managed.h | ||
| drm_mipi_dbi.h | ||
| drm_mipi_dsi.h | ||
| drm_mm.h | ||
| drm_mode_config.h | ||
| drm_mode_object.h | ||
| drm_modes.h | ||
| drm_modeset_helper_vtables.h | ||
| drm_modeset_helper.h | ||
| drm_modeset_lock.h | ||
| drm_of.h | ||
| drm_panel.h | ||
| drm_pciids.h | ||
| drm_plane_helper.h | ||
| drm_plane.h | ||
| drm_prime.h | ||
| drm_print.h | ||
| drm_probe_helper.h | ||
| drm_property.h | ||
| drm_rect.h | ||
| drm_scdc_helper.h | ||
| drm_self_refresh_helper.h | ||
| drm_simple_kms_helper.h | ||
| drm_syncobj.h | ||
| drm_sysfs.h | ||
| drm_util.h | ||
| drm_utils.h | ||
| drm_vblank_work.h | ||
| drm_vblank.h | ||
| drm_vma_manager.h | ||
| drm_writeback.h | ||
| gma_drm.h | ||
| gpu_scheduler.h | ||
| i915_component.h | ||
| i915_drm.h | ||
| i915_mei_hdcp_interface.h | ||
| i915_pciids.h | ||
| intel_lpe_audio.h | ||
| intel-gtt.h | ||
| spsc_queue.h | ||
| task_barrier.h | ||