www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Steven Price <steven.price@arm.com>
	Mon, 19 Dec 2022 14:01:30 +0000 (14:01 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 12 Jan 2023 11:01:57 +0000 (12:01 +0100)
commit	ba3d2c2380e7129b525a787489c0b7e819a3b898
tree	2502df689ec0e441f8c4c0dc2fa156d74fe8d864	tree
parent	321635c70352d635832a2cb067520cbc0852bc7b	commit \| diff

drm/panfrost: Fix GEM handle creation ref-counting

[ Upstream commit 4217c6ac817451d5116687f3cc6286220dc43d49 ]

panfrost_gem_create_with_handle() previously returned a BO but with the
only reference being from the handle, which user space could in theory
guess and release, causing a use-after-free. Additionally if the call to
panfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then
a(nother) reference on the BO was dropped.

The _create_with_handle() is a problematic pattern, so ditch it and
instead create the handle in panfrost_ioctl_create_bo(). If the call to
panfrost_gem_mapping_get() fails then this means that user space has
indeed gone behind our back and freed the handle. In which case just
return an error code.

Reported-by: Rob Clark <robdclark@chromium.org>
Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Signed-off-by: Steven Price <steven.price@arm.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221219140130.410578-1-steven.price@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/gpu/drm/panfrost/panfrost_drv.c		diff \| blob \| history
drivers/gpu/drm/panfrost/panfrost_gem.c		diff \| blob \| history
drivers/gpu/drm/panfrost/panfrost_gem.h		diff \| blob \| history