diff options
| author | Akash Goel <akash.goel@arm.com> | 2025-11-27 16:49:12 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-12-18 14:03:34 +0100 |
| commit | c646ebff3fa571e7ea974235286fb9ed3edc260c (patch) | |
| tree | 2504c30cc36799cd13b98473d2356eac2bd56189 /tools/perf/scripts/python/stackcollapse.py | |
| parent | 38694f9aae00459ab443a7dc8b3949a6b33b560a (diff) | |
| download | kernel-c646ebff3fa571e7ea974235286fb9ed3edc260c.tar.gz | |
drm/panthor: Prevent potential UAF in group creation
[ Upstream commit eec7e23d848d2194dd8791fcd0f4a54d4378eecd ]
This commit prevents the possibility of a use after free issue in the
GROUP_CREATE ioctl function, which arose as pointer to the group is
accessed in that ioctl function after storing it in the Xarray.
A malicious userspace can second guess the handle of a group and try
to call GROUP_DESTROY ioctl from another thread around the same time
as GROUP_CREATE ioctl.
To prevent the use after free exploit, this commit uses a mark on an
entry of group pool Xarray which is added just before returning from
the GROUP_CREATE ioctl function. The mark is checked for all ioctls
that specify the group handle and so userspace won't be abe to delete
a group that isn't marked yet.
v2: Add R-bs and fixes tags
Fixes: de85488138247 ("drm/panthor: Add the scheduler logical block")
Co-developed-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Akash Goel <akash.goel@arm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
Link: https://patch.msgid.link/20251127164912.3788155-1-akash.goel@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'tools/perf/scripts/python/stackcollapse.py')
0 files changed, 0 insertions, 0 deletions