drm/virtio: Fix UAF in virtgpu_dma_buf_free_obj()

Fix the following issues identified by Smatch static checker: - The call to dma_buf_put(attach->dmabuf) after dma_buf_detach() leads to a UAF bug as dma_buf_detach() frees the attach object. Fix this by extracting the dmabuf object from attach and using that in the call to dma_buf_put(). - The resv object is extracted from attach before checking to see if attach is valid (that is !NULL) or not. Although, attach would very likely be valid, fix this by making sure that the resv object is used only after ensuring that attach is valid. Fixes: 2885e575 ("drm/virtio: Add helpers to initialize and free the imported object") Fixes: ca77f27a ("drm/virtio: Import prime buffers from other devices as guest blobs") Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com> Cc: Gurchetan Singh <gurchetansingh@chromium.org> Cc: Chia-I Wu <olvaffe@gmail.com> Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241212055421.775759-1-vivek.kasireddy@intel.com Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> [dmitry.osipenko@collabora.com: Edited commit title]

drm/virtio: Fix UAF in virtgpu_dma_buf_free_obj()
db8b2c0e · Vivek Kasireddy · Dmitry Osipenko · bea6afc1 · db8b2c0e
Commit db8b2c0e authored 3 months ago by Vivek Kasireddy Committed by Dmitry Osipenko 2 months ago
--- a/drivers/gpu/drm/virtio/virtgpu_prime.c
+++ b/drivers/gpu/drm/virtio/virtgpu_prime.c
@@ -189,10 +189,11 @@ static void virtgpu_dma_buf_free_obj(struct drm_gem_object *obj)
 	struct virtio_gpu_object *bo = gem_to_virtio_gpu_obj(obj);
 	struct virtio_gpu_device *vgdev = obj->dev->dev_private;
 	struct dma_buf_attachment *attach = obj->import_attach;
-	struct dma_resv *resv = attach->dmabuf->resv;

 	if (attach) {
-		dma_resv_lock(resv, NULL);
+		struct dma_buf *dmabuf = attach->dmabuf;
+
+		dma_resv_lock(dmabuf->resv, NULL);

 		virtio_gpu_detach_object_fenced(bo);

@@ -200,10 +201,10 @@ static void virtgpu_dma_buf_free_obj(struct drm_gem_object *obj)
 			dma_buf_unmap_attachment(attach, bo->sgt,
 						 DMA_BIDIRECTIONAL);

-		dma_resv_unlock(resv);
+		dma_resv_unlock(dmabuf->resv);

-		dma_buf_detach(attach->dmabuf, attach);
-		dma_buf_put(attach->dmabuf);
+		dma_buf_detach(dmabuf, attach);
+		dma_buf_put(dmabuf);
 	}

 	if (bo->created) {