From: Chris Wilson
To: Daniel Vetter, David Airlie, Eric Biggers, dri-devel@lists.freedesktop.org
Cc: syzkaller-bugs, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drm/vgem: fix use-after-free when drm_gem_handle_create() fails
Date: Tue, 26 Feb 2019 21:01:29 +0000
Message-ID: <155121487959.17933.15702334870310780013@skylake-alporthouse-com>
In-Reply-To: <20190226204726.92256-1-ebiggers@kernel.org>
References: <20190226204726.92256-1-ebiggers@kernel.org>
User-Agent: alot/0.6
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Eric Biggers (2019-02-26 20:47:26)
> From: Eric Biggers > > If drm_gem_handle_create() fails in vgem_gem_create(), then the > drm_vgem_gem_object is freed twice: once when the reference is dropped > by drm_gem_object_put_unlocked(), and again by __vgem_gem_destroy(). > > This was hit by syzkaller using fault injection. > > Fix it by skipping the second free. > > Reported-by: syzbot+e73f2fb5ed5a5df36d33@syzkaller.appspotmail.com > Fixes: 5ba6c9ff961a ("drm/vgem: Fix mmaping") That's the wrong fixes line, it's Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces") Cc: Chris Wilson Cc: Laura Abbott Cc: Daniel Vetter Sadly I reviewed it so I'm still culpable, but the fix is correct as the put purposely frees it on error. > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers > --- > drivers/gpu/drm/vgem/vgem_drv.c | 8 +++----- > 1 file changed, 3 insertions(+), 5 deletions(-) > > diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c > index 5930facd6d2d8..70646d9da1596 100644 > --- a/drivers/gpu/drm/vgem/vgem_drv.c > +++ b/drivers/gpu/drm/vgem/vgem_drv.c > @@ -189,15 +189,13 @@ static struct drm_gem_object *vgem_gem_create(struct drm_device *dev, > return ERR_CAST(obj); > > ret = drm_gem_handle_create(file, &obj->base, handle); > + > drm_gem_object_put_unlocked(&obj->base); > + The pattern in the other GEM drivers is not to have these extra newlines. Reviewed-by: Chris Wilson > if (ret) > - goto err; > + return ERR_PTR(ret); > > return &obj->base; > - > -err: > - __vgem_gem_destroy(obj); > - return ERR_PTR(ret); > } > > static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev, > -- > 2.21.0.rc2.261.ga7da99ff1b-goog >
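Review bot: the reference-ownership rule that makes this hunk correct is not stated in the code, so a one-line comment at `drm_gem_object_put_unlocked(&obj->base);` would help: on success the handle from `drm_gem_handle_create()` holds its own reference and the put only drops the creator's reference, while on failure the put drops the last reference and frees the object, which is exactly why the removed `goto err;` / `__vgem_gem_destroy(obj);` path freed it twice. Something like `/* On failure this put frees obj; do not touch it afterwards. */` above the `if (ret)` check would keep a future cleanup from being reintroduced, and with the `err:` label gone it is worth confirming that `__vgem_gem_destroy()` still has a caller (the GEM free callback) so it does not become an unused static. Separately, the `Fixes:` tag in the commit message should be corrected to `af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")` as pointed out above, and the two whitespace-only `+` lines around the put are not needed.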