drm/vmwgfx: Fix stale file descriptors on failed usercopy - bcachefs.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Mathias Krause <minipli@grsecurity.net>	2022-01-27 18:34:19 +1000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-01-29 10:26:11 +0100
commit	ae2b20f27732fe92055d9e7b350abc5cdf3e2414 (patch)
tree	65e25c6e38e00f425dc7e4f9014c7a0ca81b00d1 /Makefile
parent	11ba2c6dfb902de05b73000a98534e376173b6ca (diff)

drm/vmwgfx: Fix stale file descriptors on failed usercopy

commit a0f90c8815706981c483a652a6aefca51a5e191c upstream. A failing usercopy of the fence_rep object will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios. Fix this by deferring the call to fd_install() until after the usercopy has succeeded. Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support") Signed-off-by: Mathias Krause <minipli@grsecurity.net> Signed-off-by: Zack Rusin <zackr@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'Makefile')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: