In the Linux kernel, the following vulnerability has been resolved:
drm/gem: Try to fix change_handle ioctl, attempt 4
[airlied: just added some comments on how to reenable] On-list because the cat is out of the bag and we're clearly not good enough to figure this out in private. The story thus far:
5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle") tried to fix a race condition between the gem_close and gem_change_handle ioctls, but got a few things wrong:
- There's a confusion with the local variable handle, which is actually
- dc366607c41c ("drm: Replace old pointer to new idr") tried to apply
- this would be the right fix (kinda, somewhat, it's a mess) if we'd
We also didn't have an igt merged for the original ioctl, which is a big no-go. This was attempted to address off-list in the original bugfix, and amd QA people claimed the bug was fixed now. Very clearly that's not the case. Here's my attempt to sort this out:
- Rename the local variable to new_handle, the old aliasing with
- Merge the gem obj lookup with the two-stage idr_replace so that we
- This means we don't have a surplus temporary reference anymore, only
- Adjust error paths. I've tried to make the error and success paths
- While at it, also replace the 7 space indent with 1 tab.
And finally, because I flat out don't trust my abilities here at all anymore:
- Disable the ioctl until we have the igt situation and everything else
v2:
Sashiko noticed that I didn't handle the error path for idr_replace correctly, it must be checked with IS_ERR_OR_NULL like in gem_handle_delete. So yeah, definitely should just the existing paths 1:1 because this is endless amounts of tricky.
Also add the Fixes: line for the original ioctl, I forgot that too.