diff options
| author | Vivek Kasireddy <[email protected]> | 2024-12-12 05:54:21 +0000 |
|---|---|---|
| committer | Dmitry Osipenko <[email protected]> | 2025-01-19 12:12:28 +0000 |
| commit | db8b2c0e2abc90d1025fd7f6d4461b21b1d3248e (patch) | |
| tree | c2c1f0a4795865479105b482919ac62eb8bfc807 /lib/timerqueue.c | |
| parent | cgroup/rdma: Drop bogus PAGE_COUNTER select (diff) | |
| download | kernel-db8b2c0e2abc90d1025fd7f6d4461b21b1d3248e.tar.gz kernel-db8b2c0e2abc90d1025fd7f6d4461b21b1d3248e.zip | |
drm/virtio: Fix UAF in virtgpu_dma_buf_free_obj()
Fix the following issues identified by Smatch static checker:
- The call to dma_buf_put(attach->dmabuf) after dma_buf_detach()
leads to a UAF bug as dma_buf_detach() frees the attach object.
Fix this by extracting the dmabuf object from attach and using
that in the call to dma_buf_put().
- The resv object is extracted from attach before checking to see
if attach is valid (that is !NULL) or not. Although, attach would
very likely be valid, fix this by making sure that the resv object
is used only after ensuring that attach is valid.
Fixes: 2885e575abc7 ("drm/virtio: Add helpers to initialize and free the imported object")
Fixes: ca77f27a2665 ("drm/virtio: Import prime buffers from other devices as guest blobs")
Cc: Gerd Hoffmann <[email protected]>
Cc: Dmitry Osipenko <[email protected]>
Cc: Gurchetan Singh <[email protected]>
Cc: Chia-I Wu <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Vivek Kasireddy <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Reviewed-by: Dmitry Osipenko <[email protected]>
Tested-by: Dmitry Osipenko <[email protected]>
Signed-off-by: Dmitry Osipenko <[email protected]>
[[email protected]: Edited commit title]
Diffstat (limited to 'lib/timerqueue.c')
0 files changed, 0 insertions, 0 deletions