mirror-linux/drivers/gpu/drm
Francis, David 5e28b7b944 drm: Set old handle to NULL before prime swap in change_handle
There was a potential race condition in change_handle. The ioctl
briefly had a single object with two idr entries; a concurrent
gem_close could delete the object and remove one of the handles
while leaving the other one dangling, which could subsequently
be dereferenced for a use-after-free.

To fix this, do the same dance that gem_close itself does.
(f6cd7daecf drm: Release driver references to handle before making it available again)
First idr_replace the old handle to NULL. Later, if the prime
operations are successful, actually close it.

create_tail required a similar dance to avoid a similar problem.
(bd46cece51 drm/gem: Fix race in drm_gem_handle_create_tail())
It idr_allocs the new handle with NULL, then swaps in the correct
object later to avoid races. We don't need to do that here, since
the only operations that could race are drm_prime, and
change_handle holds the prime lock for the entire duration.

v2: cleanups of error paths

Signed-off-by: David Francis <David.Francis@amd.com>
Co-authored-by: Dave Airlie <airlied@gmail.com>
Reported-by: Puttimet Thammasaeng <pwn8official@gmail.com>
Tested-by: Vitaly Prosyak <Vitaly.Prosyak@amd.com>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: stable@vger.kernel.org
Cc: Christian Koenig <Christian.Koenig@amd.com>
Fixes: 53096728b8 ("drm: Add DRM prime interface to reassign GEM handle")
Signed-off-by: Dave Airlie <airlied@redhat.com>
2026-05-08 17:53:59 +10:00
adp
amd drm/amdgpu: nuke amdgpu_userq_fence_slab v2 2026-05-05 10:23:06 -04:00
arm drm/komeda: Add support for Arm China Linlon-D6 2026-03-24 16:08:54 +00:00
armada
aspeed
ast drm/ast: dp501: Fix initialization of SCU2C 2026-03-30 10:38:11 +02:00
atmel-hlcdc drm: atmel-hlcdc: add LCD controller layer definition for sama7d65 2026-02-25 09:20:45 +05:30
bridge drm/bridge: tda998x: Return NULL instead of 0 in tda998x_edid_read() 2026-05-04 16:52:40 +02:00
ci Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
clients
display drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
etnaviv drm/etnaviv: Fix armed job not being pushed to the DRM scheduler 2026-05-05 11:40:16 +02:00
exynos drm/exynos: remove bridge when component_add fails 2026-05-05 16:50:42 +02:00
fsl-dcu
gma500 drm/gma500: Create framebuffers with drm_gem_fb_create() 2026-03-03 09:28:56 +01:00
gud Merge drm/drm-fixes into drm-misc-next-fixes 2026-03-30 10:05:36 +02:00
hisilicon
hyperv
i915 drm/i915/display: enable ccs modifiers on dg2 2026-05-05 08:12:37 +01:00
imagination drm/imagination: Fix segfault when updating ftrace mask 2026-04-27 14:22:52 +01:00
imx drm/imx: ipuv3-plane: support underlay plane 2026-03-13 16:27:06 +01:00
ingenic drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
kmb
lima
logicvc
loongson drm/loongson: use drm_gem_ttm_dumb_map_offset() 2026-03-11 09:40:07 +01:00
mcde
mediatek Linux 7.0-rc6 2026-03-31 07:51:02 +10:00
meson Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
mgag200
msm Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
mxsfb drm: lcdif: Use dev_err_probe() 2026-03-10 09:42:09 +08:00
nouveau Revert "drm/nouveau/gsp: add support for GA100" 2026-05-01 01:08:00 +02:00
nova rust: gem: Introduce DriverObject::Args 2026-03-26 02:08:04 +01:00
omapdrm drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
panel drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds 2026-05-05 14:43:36 +02:00
panfrost drm/panfrost: Test for imported buffers with drm_gem_is_imported() 2026-03-02 11:51:41 +00:00
panthor drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
pl111
qxl drm/qxl: Fix missing KMS poll cleanup 2026-05-04 14:54:44 +02:00
radeon drm/radeon: add missing revision check for CI 2026-05-05 10:15:49 -04:00
renesas drm: rcar-du: Fix crash when no CMM is available 2026-04-23 15:53:46 +03:00
rockchip drm/rockchip: analogix: Convert to drm_output_color_format 2026-03-24 13:54:34 +01:00
scheduler Linux 7.0-rc3 2026-03-11 11:18:31 +01:00
sitronix Merge drm/drm-fixes into drm-misc-next-fixes 2026-03-30 10:05:36 +02:00
solomon drm/solomon: Fix page start when updating rectangle in page addressing mode 2026-02-26 13:42:09 +01:00
sprd
sti drm/sti: remove bridge when sti_hda component_add fails 2026-05-04 22:52:39 +02:00
stm drm/bridge: stm_lvds: Do not fail atomic_check on disabled connector 2026-04-13 12:52:33 +02:00
sun4i drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
sysfb drm/sysfb: ofdrm: fix PCI device reference leaks 2026-04-27 11:30:49 +02:00
tegra drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
tests drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
tidss
tilcdc drm/tilcdc: Fix type mismatch 2026-03-17 17:50:49 +01:00
tiny drm/bochs: Drop manual put on probe error path 2026-05-07 10:51:18 +02:00
ttm drm/ttm: Fix GPU MM stats during pool shrinking 2026-05-03 21:05:59 -07:00
tve200
tyr drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
udl drm/udl: Increase GET_URB_TIMEOUT 2026-04-28 10:50:41 +02:00
v3d drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
vboxvideo
vc4 drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
verisilicon drm: verisilicon: make vs_dc_platform_driver static 2026-03-25 15:21:23 +01:00
vgem
virtio
vkms drm/vkms: Support setting custom background color 2026-03-18 09:59:57 +00:00
vmwgfx Linux 7.0-rc6 2026-03-31 07:51:02 +10:00
xe drm/xe/guc: Exclude indirect ring state page from ADS engine state size 2026-05-05 16:15:04 -07:00
xen
xlnx
Kconfig DRM Rust changes for v7.1-rc1 2026-04-01 07:32:05 +10:00
Kconfig.debug drm: fix dead default for DRM_TTM_KUNIT_TEST 2026-03-24 16:19:04 +01:00
Makefile Merge drm/drm-next into drm-xe-next 2026-03-12 07:23:23 -07:00
drm_atomic.c drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
drm_atomic_helper.c drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
drm_atomic_state_helper.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_atomic_uapi.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_auth.c
drm_blend.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_bridge.c Linux 7.0-rc7 2026-04-07 12:36:31 +02:00
drm_bridge_helper.c
drm_buddy.c
drm_cache.c
drm_client.c drm/client: Export drm_client_buffer_create() 2026-03-03 09:28:31 +01:00
drm_client_event.c
drm_client_modeset.c drm/client: Do not destroy NULL modes 2026-02-25 09:31:54 +02:00
drm_client_sysrq.c
drm_color_mgmt.c drm/color-mgmt: Typo s/R332/RGB332/ 2026-04-27 11:36:05 +02:00
drm_colorop.c drm/colorop: Preserve bypass value in duplicate_state() 2026-03-16 08:33:05 +05:30
drm_connector.c drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
drm_crtc.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_crtc_helper.c
drm_crtc_helper_internal.h
drm_crtc_internal.h
drm_damage_helper.c
drm_debugfs.c
drm_debugfs_crc.c
drm_displayid.c
drm_displayid_internal.h
drm_draw.c
drm_draw_internal.h
drm_drv.c drm-misc-next for v7.1: 2026-03-27 12:45:54 +10:00
drm_dumb_buffers.c
drm_edid.c drm/edid: Parse AMD Vendor-Specific Data Block 2026-04-03 13:45:49 -04:00
drm_edid_load.c
drm_eld.c
drm_encoder.c
drm_exec.c
drm_fb_dma_helper.c
drm_fb_helper.c drm/fb-helper: Fix clipping when damage area spans a single scanline 2026-05-04 14:55:40 +02:00
drm_fbdev_dma.c
drm_fbdev_shmem.c
drm_fbdev_ttm.c
drm_file.c Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug" 2026-03-26 14:09:26 +01:00
drm_flip_work.c
drm_format_helper.c
drm_format_internal.h
drm_fourcc.c
drm_framebuffer.c
drm_gem.c drm: Set old handle to NULL before prime swap in change_handle 2026-05-08 17:53:59 +10:00
drm_gem_atomic_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_gem_dma_helper.c drm/gem-dma: set VM_DONTDUMP for mmap 2026-03-26 14:35:18 +08:00
drm_gem_framebuffer_helper.c drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() 2026-04-27 11:27:22 +02:00
drm_gem_shmem_helper.c drm/shmem_helper: Make sure PMD entries get the writeable upgrade 2026-04-03 10:11:04 +02:00
drm_gem_ttm_helper.c
drm_gem_vram_helper.c drm/vram: remove DRM_VRAM_MM_FILE_OPERATIONS from docs 2026-04-09 09:34:28 +02:00
drm_gpusvm.c drm/pagemap: Add helper to access zone_device_data 2026-03-13 18:12:07 -07:00
drm_gpuvm.c
drm_internal.h
drm_ioc32.c drm/ioc32: stop speculation on the drm_compat_ioctl path 2026-04-02 08:24:55 +02:00
drm_ioctl.c
drm_kms_helper_common.c
drm_lease.c
drm_managed.c
drm_mipi_dbi.c drm/mipi-dbi: Remove simple-display helpers from mipi-dbi 2026-03-25 15:05:17 +01:00
drm_mipi_dsi.c
drm_mm.c
drm_mode_config.c Linux 7.0-rc7 2026-04-07 12:36:31 +02:00
drm_mode_object.c
drm_modes.c
drm_modeset_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_modeset_lock.c
drm_of.c
drm_pagemap.c drm/pagemap: Enable THP support for GPU memory migration 2026-03-13 18:12:59 -07:00
drm_pagemap_util.c drm/pagemap_util: Ensure proper cache lock management on free 2026-03-17 15:39:07 +01:00
drm_panel.c
drm_panel_backlight_quirks.c
drm_panel_orientation_quirks.c
drm_panic.c
drm_panic_qr.rs
drm_pci.c
drm_plane.c
drm_plane_helper.c
drm_prime.c drm/prime: Limit scatter list size with dedicated DMA device 2026-03-23 13:23:29 +08:00
drm_print.c
drm_privacy_screen.c
drm_privacy_screen_x86.c
drm_probe_helper.c
drm_property.c
drm_ras.c drm/ras: Introduce the DRM RAS infrastructure over generic netlink 2026-03-05 19:38:55 -05:00
drm_ras_genl_family.c drm/ras: Introduce the DRM RAS infrastructure over generic netlink 2026-03-05 19:38:55 -05:00
drm_ras_nl.c drm/ras: Introduce the DRM RAS infrastructure over generic netlink 2026-03-05 19:38:55 -05:00
drm_ras_nl.h drm/ras: Introduce the DRM RAS infrastructure over generic netlink 2026-03-05 19:38:55 -05:00
drm_rect.c
drm_self_refresh_helper.c
drm_simple_kms_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_suballoc.c Merge tag 'drm-xe-next-2026-03-02' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-next 2026-03-03 10:37:29 +10:00
drm_syncobj.c drm/syncobj: Fix xa_alloc allocation flags 2026-03-25 08:05:35 +00:00
drm_sysfs.c
drm_trace.h
drm_trace_points.c
drm_vblank.c
drm_vblank_helper.c
drm_vblank_work.c
drm_vma_manager.c
drm_writeback.c