summaryrefslogtreecommitdiff
path: root/drivers/gpu
diff options
context:
space:
mode:
authorJann Horn <jannh@google.com>2018-10-01 17:31:17 +0200
committerDaniel Vetter <daniel.vetter@ffwll.ch>2018-10-02 10:22:10 +0200
commit12d43deb1ee639d01a2a8d2a7a4cc8ad31224475 (patch)
treec0f54d0c9c1c10852232a0bbb5753dad6fd13f38 /drivers/gpu
parent17b57b1883c1285f3d0dc2266e8f79286a7bef38 (diff)
downloadlwn-12d43deb1ee639d01a2a8d2a7a4cc8ad31224475.tar.gz
lwn-12d43deb1ee639d01a2a8d2a7a4cc8ad31224475.zip
drm: fix use-after-free read in drm_mode_create_lease_ioctl()
fd_install() moves the reference given to it into the file descriptor table of the current process. If the current process is multithreaded, then immediately after fd_install(), another thread can close() the file descriptor and cause the file's resources to be cleaned up. Since the reference to "lessee" is held by the file, we must not access "lessee" after the fd_install() call. As far as I can tell, to reach this codepath, the caller must have an open file descriptor to a DRI device in master mode. I'm not sure what the requirements for that are. Signed-off-by: Jann Horn <jannh@google.com> Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]") Cc: stable@vger.kernel.org Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20181001153117.216923-1-jannh@google.com
Diffstat (limited to 'drivers/gpu')
-rw-r--r--drivers/gpu/drm/drm_lease.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index b54fb78a283c..b82da96ded5c 100644
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -566,14 +566,14 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
lessee_priv->is_master = 1;
lessee_priv->authenticated = 1;
- /* Hook up the fd */
- fd_install(fd, lessee_file);
-
/* Pass fd back to userspace */
DRM_DEBUG_LEASE("Returning fd %d id %d\n", fd, lessee->lessee_id);
cl->fd = fd;
cl->lessee_id = lessee->lessee_id;
+ /* Hook up the fd */
+ fd_install(fd, lessee_file);
+
DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl succeeded\n");
return 0;