From: Eric Biggers
To: dri-devel@lists.freedesktop.org
Cc: syzkaller-bugs , linux-kernel@vger.kernel.org, Rodrigo Siqueira , Haneen Mohammed , Daniel Vetter , Chris Wilson , stable@vger.kernel.org
Subject: [PATCH] drm/vkms: fix use-after-free when drm_gem_handle_create() fails
Date: Tue, 26 Feb 2019 14:08:58 -0800
Message-Id: <20190226220858.214438-1-ebiggers@kernel.org>
X-Mailer: git-send-email 2.21.0.rc2.261.ga7da99ff1b-goog
In-Reply-To: <20190226213053.GC218103@gmail.com>
References: <20190226213053.GC218103@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Biggers

If drm_gem_handle_create() fails in vkms_gem_create(), then the
vkms_gem_object is freed twice: once when the reference is dropped by
drm_gem_object_put_unlocked(), and again by the extra calls to
drm_gem_object_release() and kfree().

Fix it by skipping the second release and free.

This bug was originally found in the vgem driver by syzkaller using
fault injection, but I noticed it's also present in the vkms driver.

Fixes: 559e50fd34d1 ("drm/vkms: Add dumb operations")
Cc: Rodrigo Siqueira
Cc: Haneen Mohammed
Cc: Daniel Vetter
Cc: Chris Wilson
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers
---
 drivers/gpu/drm/vkms/vkms_gem.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c index 138b0bb325cf9..69048e73377dc 100644 --- a/drivers/gpu/drm/vkms/vkms_gem.c +++ b/drivers/gpu/drm/vkms/vkms_gem.c @@ -111,11 +111,8 @@ struct drm_gem_object *vkms_gem_create(struct drm_device *dev, ret = drm_gem_handle_create(file, &obj->gem, handle); drm_gem_object_put_unlocked(&obj->gem); - if (ret) { - drm_gem_object_release(&obj->gem); - kfree(obj); + if (ret) return ERR_PTR(ret); - } return &obj->gem; } -- 2.21.0.rc2.261.ga7da99ff1b-goog
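Review bot: the error path in this hunk is now correct but relies on a subtlety that deserves a one-line comment in the code: drm_gem_object_put_unlocked(&obj->gem) is called unconditionally right after drm_gem_handle_create(), so when handle creation fails it drops the only reference and the object is released and freed through that put, which is exactly why the removed drm_gem_object_release()/kfree() pair was a double free. Suggest a comment above the put along the lines of `/* the handle now holds the only ref; on failure the put below frees obj */` so that the pattern of dropping the reference and then returning &obj->gem on success is not misread as a use-after-free in a later audit. Since the commit message says the same bug was found in vgem, it would also help reviewers and stable maintainers if the vgem fix were referenced here or sent in the same series so both backports land together.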