drm/panfrost: Fix GEM handle creation ref-counting (4217c6ac) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit 4217c6ac authored Dec 19, 2022 by

Steven Price

drm/panfrost: Fix GEM handle creation ref-counting



panfrost_gem_create_with_handle() previously returned a BO but with the
only reference being from the handle, which user space could in theory
guess and release, causing a use-after-free. Additionally if the call to
panfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then
a(nother) reference on the BO was dropped.

The _create_with_handle() is a problematic pattern, so ditch it and
instead create the handle in panfrost_ioctl_create_bo(). If the call to
panfrost_gem_mapping_get() fails then this means that user space has
indeed gone behind our back and freed the handle. In which case just
return an error code.

Reported-by: Rob Clark <robdclark@chromium.org>
Fixes: f3ba9122

 ("drm/panfrost: Add initial panfrost driver")
Signed-off-by: Steven Price <steven.price@arm.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221219140130.410578-1-steven.price@arm.com

parent 4e699e34

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 4f1105ee
· Jan 13, 2023

mentioned in commit 4f1105ee

mentioned in commit 4f1105ee72d8c7c35d90e3491b31b2d9d6b7e33a

Toggle commit list
mirror @mirror
mentioned in commit 0b70f6ea
· Jan 15, 2023

mentioned in commit 0b70f6ea

mentioned in commit 0b70f6ea4d4f2b4d4b291d86ab76b4d07394932c

Toggle commit list

Please register or to comment