diff options
author | Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> | 2021-07-12 07:35:08 +0300 |
---|---|---|
committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2021-07-20 21:22:19 +0300 |
commit | 56f0729a510f92151682ff6c89f69724d5595d6e (patch) | |
tree | 79227994f4b4c0df44486cdaa3e6edfec9cc02f8 /include/drm/drm_auth.h | |
parent | 0b0860a3cf5eccf183760b1177a1dcdb821b0b66 (diff) | |
download | linux-56f0729a510f92151682ff6c89f69724d5595d6e.tar.xz |
drm: protect drm_master pointers in drm_lease.c
drm_file->master pointers should be protected by
drm_device.master_mutex or drm_file.master_lookup_lock when being
dereferenced.
However, in drm_lease.c, there are multiple instances where
drm_file->master is accessed and dereferenced while neither lock is
held. This makes drm_lease.c vulnerable to use-after-free bugs.
We address this issue in 2 ways:
1. Add a new drm_file_get_master() function that calls drm_master_get
on drm_file->master while holding on to
drm_file.master_lookup_lock. Since drm_master_get increments the
reference count of master, this prevents master from being freed until
we unreference it with drm_master_put.
2. In each case where drm_file->master is directly accessed and
eventually dereferenced in drm_lease.c, we wrap the access in a call
to the new drm_file_get_master function, then unreference the master
pointer once we are done using it.
Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com
Diffstat (limited to 'include/drm/drm_auth.h')
-rw-r--r-- | include/drm/drm_auth.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/drm/drm_auth.h b/include/drm/drm_auth.h index 6bf8b2b78991..f99d3417f304 100644 --- a/include/drm/drm_auth.h +++ b/include/drm/drm_auth.h @@ -107,6 +107,7 @@ struct drm_master { }; struct drm_master *drm_master_get(struct drm_master *master); +struct drm_master *drm_file_get_master(struct drm_file *file_priv); void drm_master_put(struct drm_master **master); bool drm_is_current_master(struct drm_file *fpriv); |