www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Vivek Kasireddy <vivek.kasireddy@intel.com>
	Thu, 12 Dec 2024 05:54:21 +0000 (21:54 -0800)
committer	Dmitry Osipenko <dmitry.osipenko@collabora.com>
	Thu, 9 Jan 2025 13:49:19 +0000 (16:49 +0300)
commit	f7dfd3db3e0459765176124b4b7e4b4b93533676
tree	5c820b5d1e48a8c0be250ec2696b6288159ab453	tree
parent	74509d54ebf1ecfbdf5f7edec32c490fefa01b8b	commit \| diff

drm/virtio: Fix UAF in virtgpu_dma_buf_free_obj()

Fix the following issues identified by Smatch static checker:
- The call to dma_buf_put(attach->dmabuf) after dma_buf_detach()
  leads to a UAF bug as dma_buf_detach() frees the attach object.
  Fix this by extracting the dmabuf object from attach and using
  that in the call to dma_buf_put().

- The resv object is extracted from attach before checking to see
  if attach is valid (that is !NULL) or not. Although, attach would
  very likely be valid, fix this by making sure that the resv object
  is used only after ensuring that attach is valid.

Fixes: 2885e575abc7 ("drm/virtio: Add helpers to initialize and free the imported object")
Fixes: ca77f27a2665 ("drm/virtio: Import prime buffers from other devices as guest blobs")
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Cc: Gurchetan Singh <gurchetansingh@chromium.org>
Cc: Chia-I Wu <olvaffe@gmail.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241212055421.775759-1-vivek.kasireddy@intel.com
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
[dmitry.osipenko@collabora.com: Edited commit title]