| Message ID | 20190709065800.2354-1-janusz.krzysztofik@linux.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | drm/i915: Fix reporting of size of created GEM object |
Quoting Janusz Krzysztofik (2019-07-09 07:58:00)
> Commit e163484afa8d ("drm/i915: Update size upon return from
> GEM_CREATE") (re)introduced reporting of the actual size of created GEM
> objects, possibly rounded up on object alignment. Unfortunately, its
> implementation resulted in a possible use-after-free bug. The bug has
> been fixed by commit 929eec99f5fd ("drm/i915: Avoid use-after-free in
> reporting create.size") at the cost of a possibly incorrect value being
> reported as the actual object size.
>
> Safely restore correct reporting by capturing the actual size of the created
> GEM object before a reference to the object is put.
>
> Fixes: 929eec99f5fd ("drm/i915: Avoid use-after-free in reporting create.size")

This doesn't do anything.
-Chris
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 7ade42b8ec99..16bae5870d6f 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -171,6 +171,7 @@ i915_gem_create(struct drm_file *file, obj = i915_gem_object_create_shmem(dev_priv, size); if (IS_ERR(obj)) return PTR_ERR(obj); + size = obj->base.size; ret = drm_gem_handle_create(file, &obj->base, &handle); /* drop reference from allocate - handle holds it now */
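Review bot: the added `size = obj->base.size;` stores the object size into the local `size`, but nothing in this hunk writes that value back to the caller, and `size` is the very value that was just passed to `i915_gem_object_create_shmem(dev_priv, size)`, so the assignment changes nothing unless the allocator can hand back an object whose `base.size` differs from the requested size; that matches the maintainer's reply "This doesn't do anything." Either include the line that copies `size` into the ioctl result after `drm_gem_handle_create()` (the commit message says the goal is to capture the size before the reference is dropped), or state in the commit message where `obj->base.size` is rounded so that it can actually differ from `size` at this point.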
Commit e163484afa8d ("drm/i915: Update size upon return from GEM_CREATE") (re)introduced reporting of the actual size of created GEM objects, possibly rounded up on object alignment. Unfortunately, its implementation resulted in a possible use-after-free bug. The bug has been fixed by commit 929eec99f5fd ("drm/i915: Avoid use-after-free in reporting create.size") at the cost of a possibly incorrect value being reported as the actual object size.

Safely restore correct reporting by capturing the actual size of the created GEM object before a reference to the object is put.

Fixes: 929eec99f5fd ("drm/i915: Avoid use-after-free in reporting create.size")
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
---
 drivers/gpu/drm/i915/i915_gem.c | 1 +
 1 file changed, 1 insertion(+)