Message-ID: <3ae74f28-580b-3b53-3d7b-e8bde97dabe3@collabora.com>
Date: Tue, 10 Jan 2023 02:28:45 +0300
Subject: Re: [PATCH] drm/virtio: Fix GEM handle creation UAF
To: Rob Clark, dri-devel@lists.freedesktop.org
Cc: Rob Clark, open list, Gurchetan Singh, Gerd Hoffmann, David Airlie, "open list:VIRTIO GPU DRIVER"
References: <20221216233355.542197-1-robdclark@gmail.com> <20221216233355.542197-2-robdclark@gmail.com>
From: Dmitry Osipenko
In-Reply-To: <20221216233355.542197-2-robdclark@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 12/17/22 02:33, Rob Clark wrote:
> From: Rob Clark
>
> Userspace can guess the handle value and try to race GEM object creation
> with handle close, resulting in a use-after-free if we dereference the
> object after dropping the handle's reference. For that reason, dropping
> the handle's reference must be done *after* we are done dereferencing
> the object.
>
> Signed-off-by: Rob Clark
> ---
> drivers/gpu/drm/virtio/virtgpu_ioctl.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)

Added fixes/stable tags and applied this virtio-gpu patch to misc-fixes.
The Panfrost patch is untouched.

-- 
Best regards,
Dmitry
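
A single-threaded C model of the ordering the quoted commit message describes, added here as an illustration; it is not the virtio-gpu driver code, and every name in it (struct obj, racing_close, create_buggy, create_fixed) is hypothetical. It assumes the creating path holds one reference and the handle table holds another, and it marks the object freed instead of calling free() so the stale read can be observed safely.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical refcounted object; 'freed' stands in for a real free(). */
struct obj { int refs; int freed; unsigned res_id; };

static struct obj *handle_table[4];   /* handle -> object, owns one ref */

static void obj_put(struct obj *o) { if (--o->refs == 0) o->freed = 1; }

/* Models another thread closing a guessed handle value. */
static void racing_close(unsigned h)
{
    struct obj *o = handle_table[h];
    if (o) { handle_table[h] = NULL; obj_put(o); }
}

static unsigned handle_create(struct obj *o)
{
    o->refs++;                /* the handle takes its own reference */
    handle_table[1] = o;      /* constructed: always handle 1 */
    return 1;
}

/* Returns 1 if the object was read after its last reference was gone. */
static int create_buggy(struct obj *o, unsigned *res_out)
{
    unsigned h = handle_create(o);
    obj_put(o);               /* creator's ref dropped too early */
    racing_close(h);          /* race window: last ref goes away here */
    *res_out = o->res_id;     /* dereference after the drop */
    return o->freed;
}

static int create_fixed(struct obj *o, unsigned *res_out)
{
    unsigned h = handle_create(o);
    racing_close(h);          /* same race, creator's ref still held */
    *res_out = o->res_id;     /* object is still alive here */
    int stale = o->freed;
    obj_put(o);               /* drop only after the last dereference */
    return stale;
}

int main(void)
{
    struct obj a = {1, 0, 42}, b = {1, 0, 42};
    unsigned r;
    printf("buggy stale read: %d\n", create_buggy(&a, &r));
    printf("fixed stale read: %d\n", create_fixed(&b, &r));
    return 0;
}
```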