OpenCloudOS-Kernel/drivers/gpu/drm
Jann Horn 12d43deb1e drm: fix use-after-free read in drm_mode_create_lease_ioctl()
fd_install() moves the reference given to it into the file descriptor table
of the current process. If the current process is multithreaded, then
immediately after fd_install(), another thread can close() the file
descriptor and cause the file's resources to be cleaned up.

Since the reference to "lessee" is held by the file, we must not access
"lessee" after the fd_install() call.

As far as I can tell, to reach this codepath, the caller must have an open
file descriptor to a DRI device in master mode. I'm not sure what the
requirements for that are.

Signed-off-by: Jann Horn <jannh@google.com>
Fixes: 62884cd386 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181001153117.216923-1-jannh@google.com
2018-10-02 10:22:10 +02:00
..
amd drm/amd/display: Fix Edid emulation for linux 2018-09-27 10:05:21 -05:00
arc drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
arm drm/malidp: Fix writeback in NV12 2018-09-21 10:55:00 +01:00
armada drm/armada: remove obsolete fb unreferencing kfifo and workqueue 2018-07-30 11:53:06 +01:00
ast drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
atmel-hlcdc Merge v4.18-rc3 into drm-next 2018-07-04 10:27:12 +10:00
bochs drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
bridge drm pull for 4.19-rc1 2018-08-15 17:39:07 -07:00
cirrus drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
etnaviv drm/etnaviv: add DMA configuration for etnaviv platform device 2018-09-14 18:46:10 +02:00
exynos drm/exynos/mixer: Remove unused local variable priv 2018-07-24 16:28:53 +09:00
fsl-dcu drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
gma500 drivers/gpu/drm/gma500/: change return type to vm_fault_t 2018-08-23 18:48:43 -07:00
hisilicon drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
i2c VLA leftovers pull summary: 2018-08-17 10:40:09 -07:00
i810 drm/i810: off by one in i810_dma_vertex() 2018-07-03 15:00:42 +02:00
i915 Merge tag 'gvt-fixes-2018-09-18' of https://github.com/intel/gvt-linux into drm-intel-fixes 2018-09-18 08:09:44 -07:00
imx drm/imx: use suspend/resume helpers, add ipu-v3 V4L2 XRGB32/XBGR32 support 2018-08-10 11:13:36 +10:00
lib
mediatek drm/mediatek: fix connection from RDMA2 to DSI1 2018-08-27 11:24:37 +08:00
meson drm/meson: Make DMT timings parameters and pixel clock generic 2018-07-16 11:14:59 +02:00
mga
mgag200 drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
msm drm/msm: a6xx: fix spelling mistake: "initalization" -> "initialization" 2018-08-10 18:49:18 -04:00
mxsfb
nouveau drm/nouveau/devinit: fix warning when PMU/PRE_OS is missing 2018-09-13 10:56:58 +10:00
omapdrm drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
panel drm/panel: simple: tv123wam: Add unprepare delay 2018-08-14 13:42:37 -04:00
pl111 drm/pl111: Make sure of_device_id tables are NULL terminated 2018-09-10 16:01:22 -04:00
qxl drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
r128
radeon mm, oom: distinguish blockable mode for mmu notifiers 2018-08-22 10:52:44 -07:00
rcar-du drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
rockchip drm/rockchip: Substitute is_yuv_support() with format->is_yuv 2018-07-18 16:59:27 +01:00
savage drm/savage: off by one in savage_bci_cmdbuf() 2018-07-04 14:27:01 +02:00
scheduler drm/scheduler: fix param documentation 2018-08-09 11:57:39 -05:00
selftests drm-misc-next for 4.19: 2018-06-22 12:58:08 +10:00
shmobile drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
sis
sti drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
stm drm/stm: Replace drm_dev_unref with drm_dev_put 2018-07-13 10:11:02 +02:00
sun4i drm: sun4i: drop second PLL from A64 HDMI PHY 2018-09-19 09:58:40 +02:00
tdfx
tegra drm pull for 4.19-rc1 2018-08-15 17:39:07 -07:00
tilcdc drm-misc-next for 4.19: 2018-07-20 10:46:49 +10:00
tinydrm drm/tinydrm: add backlight dependency for ili9341 2018-07-12 12:10:07 -05:00
ttm drm/ttm: clean up non-x86 definitions on ttm_tt 2018-08-01 17:23:56 -05:00
tve200
udl drm: udl: Destroy framebuffer only if it was initialized 2018-09-10 16:02:51 -04:00
v3d drm/scheduler: modify API to avoid redundancy 2018-07-25 15:06:19 -05:00
vc4 drm/vc4: Fix the "no scaling" case on multi-planar YUV formats 2018-09-10 16:01:22 -04:00
vgem drm/vgem: off by one in vgem_gem_fault() 2018-07-03 15:06:15 +02:00
via treewide: Use array_size() in vzalloc() 2018-06-12 16:19:22 -07:00
virtio drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
vkms drm/vkms: Fix connector leak at the module removal 2018-07-28 16:09:39 -03:00
vmwgfx drm/vmwgfx: Fix buffer object eviction 2018-09-20 08:05:14 +02:00
xen drm-misc-next for 4.19: 2018-06-22 12:58:08 +10:00
zte drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
Kconfig drm: add support for DisplayPort CEC-Tunneling-over-AUX 2018-07-13 17:58:19 +03:00
Makefile drm: add support for DisplayPort CEC-Tunneling-over-AUX 2018-07-13 17:58:19 +03:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic.c drm/atomic: Use drm_drv_uses_atomic_modeset() for debugfs creation 2018-09-17 19:24:37 -04:00
drm_atomic_helper.c drm pull for 4.19-rc1 2018-08-15 17:39:07 -07:00
drm_auth.c
drm_blend.c
drm_bridge.c
drm_bufs.c
drm_cache.c
drm_client.c drm/client: Fix double free in error path 2018-07-13 12:07:46 +02:00
drm_color_mgmt.c
drm_connector.c drm/connector: Fix typo in drm_connector_list_iter_next() 2018-07-16 13:18:09 -04:00
drm_context.c drm: re-enable error handling 2018-07-16 10:01:19 -04:00
drm_crtc.c drm: Skip __drm_mode_set_config_internal() on atomic drivers 2018-07-13 17:58:19 +03:00
drm_crtc_helper.c
drm_crtc_helper_internal.h
drm_crtc_internal.h drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_debugfs.c drm/atomic: Use drm_drv_uses_atomic_modeset() for debugfs creation 2018-09-17 19:24:37 -04:00
drm_debugfs_crc.c drm/crc: Only report a single overflow when a CRC fd is opened 2018-07-06 14:57:03 +02:00
drm_dma.c
drm_dp_aux_dev.c
drm_dp_cec.c drm_dp_cec.c: fix formatting typo: %pdH -> %phD 2018-07-28 15:50:40 -03:00
drm_dp_dual_mode_helper.c
drm_dp_helper.c drm/dp_helper: Add DP aux channel tracing 2018-07-16 11:47:53 -04:00
drm_dp_mst_topology.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_drv.c drm/dp_helper: Add DP aux channel tracing 2018-07-16 11:47:53 -04:00
drm_dumb_buffers.c drm-misc-next for 4.19: 2018-06-28 13:29:07 +10:00
drm_edid.c drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80 2018-08-23 10:25:39 +02:00
drm_edid_load.c
drm_encoder.c
drm_encoder_slave.c
drm_fb_cma_helper.c drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs() 2018-07-10 14:54:50 +02:00
drm_fb_helper.c drm/fb-helper: Remove set but not used variable 'connector_funcs' 2018-09-12 09:27:28 -04:00
drm_file.c drm: Begin an API for in-kernel clients 2018-07-10 14:51:37 +02:00
drm_flip_work.c
drm_fourcc.c drm/fourcc: Add is_yuv field to drm_format_info to denote if the format is yuv 2018-07-18 16:56:45 +01:00
drm_framebuffer.c drm: Add drm_plane_mask() 2018-07-02 18:45:55 +03:00
drm_gem.c drm/i915: Prevent writing into a read-only object via a GGTT mmap 2018-07-13 16:14:04 +01:00
drm_gem_cma_helper.c
drm_gem_framebuffer_helper.c drm/gem-fb-helper: Always do implicit sync 2018-06-20 14:43:13 +02:00
drm_global.c drm: add SPDX identifier and clarify license 2018-06-29 15:28:47 -05:00
drm_hashtab.c treewide: Use array_size() in vzalloc() 2018-06-12 16:19:22 -07:00
drm_info.c
drm_internal.h drm: provide management functions for drm_file 2018-06-25 16:17:03 +02:00
drm_ioc32.c drm: Drop DRM_CONTROL_ALLOW from ioctls 2018-05-03 11:28:02 +02:00
drm_ioctl.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_irq.c
drm_kms_helper_common.c
drm_lease.c drm: fix use-after-free read in drm_mode_create_lease_ioctl() 2018-10-02 10:22:10 +02:00
drm_legacy.h
drm_lock.c
drm_memory.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
drm_mipi_dsi.c drm: Add support for pps and compression mode command packet 2018-07-25 07:51:05 -04:00
drm_mm.c drm/mm: Add a search-by-address variant to only inspect a single hole 2018-05-24 15:04:30 +01:00
drm_mode_config.c drm: writeback: Add client capability for exposing writeback connectors 2018-06-20 15:30:20 +01:00
drm_mode_object.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_modes.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_modeset_helper.c
drm_modeset_lock.c drm: Change deadlock-avoidance algorithm for the modeset locks. 2018-07-03 09:46:05 +02:00
drm_of.c drm/doc: Include drm_of.c helpers 2018-07-13 18:40:28 +02:00
drm_panel.c Revert "drm/panel: Add device_link from panel device to DRM device" 2018-09-27 11:00:42 -04:00
drm_panel_orientation_quirks.c drm: panel-orientation-quirks: Convert to use match_string() helper 2018-05-10 11:36:25 -04:00
drm_pci.c drm: drop drm_pcie_get_speed_cap_mask and drm_pcie_get_max_link_width 2018-07-05 16:40:00 -05:00
drm_plane.c drm: Introduce __setplane_atomic() 2018-07-13 17:58:19 +03:00
drm_plane_helper.c drm: add missing ctx argument to plane transitional helpers 2018-07-03 09:30:19 +02:00
drm_prime.c dma-buf: remove kmap_atomic interface 2018-06-20 15:59:34 +02:00
drm_print.c drm: Add puts callback for the coredump printer 2018-07-30 08:49:41 -04:00
drm_probe_helper.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_property.c drm: Use kvzalloc for allocating blob property memory 2018-07-02 11:05:21 -05:00
drm_rect.c drm/rect: Handle rounding errors in drm_rect_clip_scaled, v3. 2018-05-04 11:09:54 +02:00
drm_scatter.c
drm_scdc_helper.c
drm_simple_kms_helper.c drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
drm_syncobj.c drm/syncobj: Don't leak fences when WAIT_FOR_SUBMIT is set 2018-09-26 10:39:14 -04:00
drm_sysfs.c drm: remove all control node code 2018-05-03 21:26:32 +02:00
drm_trace.h
drm_trace_points.c
drm_vblank.c
drm_vm.c gpu: drm: drm_vm: Adding new typedef vm_fault_t 2018-05-29 08:58:46 +02:00
drm_vma_manager.c drm: add SPDX idenitifier and clarify license 2018-06-29 15:28:47 -05:00
drm_writeback.c drm: writeback: Fix doc that says connector should be disconnected 2018-07-16 16:35:27 +01:00