diff options
| author | Zack Rusin <zackr@vmware.com> | 2023-08-18 07:13:01 +0300 |
|---|---|---|
| committer | Zack Rusin <zackr@vmware.com> | 2023-08-23 20:20:04 +0300 |
| commit | f9e96bf1905479f18e83a3a4c314a8dfa56ede2c (patch) | |
| tree | e66f797c55073d1c284fb802f5a9f78e5c9db7ae /drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | |
| parent | 14abdfae508228a7307f7491b5c4215ae70c6542 (diff) | |
| download | linux-f9e96bf1905479f18e83a3a4c314a8dfa56ede2c.tar.xz | |
drm/vmwgfx: Fix possible invalid drm gem put calls
vmw_bo_unreference sets the input buffer to null on exit, resulting in
null ptr deref's on the subsequent drm gem put calls.
This went unnoticed because only very old userspace would be exercising
those paths but it wouldn't be hard to hit on old distros with brand
new kernels.
Introduce a new function that abstracts unrefing of user bo's to make
the code cleaner and more explicit.
Signed-off-by: Zack Rusin <zackr@vmware.com>
Reported-by: Ian Forbes <iforbes@vmware.com>
Fixes: 9ef8d83e8e25 ("drm/vmwgfx: Do not drop the reference to the handle too soon")
Cc: <stable@vger.kernel.org> # v6.4+
Reviewed-by: Maaz Mombasawala<mombasawalam@vmware.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230818041301.407636-1-zack@kde.org
Diffstat (limited to 'drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c')
| -rw-r--r-- | drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c index 7e112319a23c..fb85f244c3d0 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c @@ -451,8 +451,7 @@ int vmw_overlay_ioctl(struct drm_device *dev, void *data, ret = vmw_overlay_update_stream(dev_priv, buf, arg, true); - vmw_bo_unreference(&buf); - drm_gem_object_put(&buf->tbo.base); + vmw_user_bo_unref(buf); out_unlock: mutex_unlock(&overlay->mutex); |