[PATCH 3/3] drm/vmwgfx: fix potential UAF in vmwgfx_surface.c

Zack Rusin zackr at vmware.com
Thu Jul 22 19:17:14 UTC 2021

On 7/22/21 5:29 AM, Desmond Cheong Zhi Xi wrote:
> drm_file.master should be protected by either drm_device.master_mutex
> or drm_file.master_lookup_lock when being dereferenced. However,
> drm_master_get is called on unprotected file_priv->master pointers in
> vmw_surface_define_ioctl and vmw_gb_surface_define_internal.
> This is fixed by replacing drm_master_get with drm_file_get_master.
> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx at gmail.com>

Reviewed-by: Zack Rusin <zackr at vmware.com>

Thanks for taking the time to fix this. Apart from the clear logic error, do you happen to know under what circumstances would this be hit? We have someone looking at writing some vmwgfx specific igt tests and I was wondering if I could add this to the list.


More information about the Linux-kernel-mentees mailing list