Hi all,

Thanks to a report by Jacek Lawrynowicz I've crawled around in core and
driver code around drm_gem_handle_create() and found a bunch of issues.

Attached series is either fixes where I could do them, or RFC-style
patches that just add a comment about what looks wrong.

The conversion from idr_for_each_entry to idr_for_each only fixes
temporary premature idr iteration termination, and so fairly benign
impact.

Testing and review very much welcome.

Cheers, Sima

Simona Vetter (8):
  drm/gem: Fix race in drm_gem_handle_create_tail()
  drm/fdinfo: Switch to idr_for_each() in drm_show_memory_stats()
  drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code
  accel/qaic: delete qaic_bo.handle
  drm/amd/kfd: Add comment about possible drm_gem_handle_create() race
  drm/amdgpu: Add comments about drm_file.object_idr issues
  drm/vmwgfx: Add comments about drm_file.object_idr issues
  drm/xe: Add comments about drm_file.object_idr issues

 drivers/accel/qaic/qaic.h                    |  2 -
 drivers/accel/qaic/qaic_data.c               |  1 -
 .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c |  2 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c      |  2 +
 drivers/gpu/drm/drm_file.c                   | 95 +++++++++++--------
 drivers/gpu/drm/drm_gem.c                    | 10 +-
 drivers/gpu/drm/panthor/panthor_gem.c        | 31 +++---
 drivers/gpu/drm/panthor/panthor_gem.h        |  3 -
 drivers/gpu/drm/vmwgfx/vmwgfx_gem.c          |  1 +
 drivers/gpu/drm/xe/xe_drm_client.c           |  3 +
 include/drm/drm_file.h                       |  3 +
 11 files changed, 90 insertions(+), 63 deletions(-)

-- 
2.49.0