Description
In the Linux kernel, the following vulnerability has been resolved:

drm/panfrost: Fix GEM handle creation ref-counting

panfrost_gem_create_with_handle() previously returned a BO but with the only reference being from the handle, which user space could in theory guess and release, causing a use-after-free. Additionally if the call to panfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then a(nother) reference on the BO was dropped.

The _create_with_handle() is a problematic pattern, so ditch it and instead create the handle in panfrost_ioctl_create_bo(). If the call to panfrost_gem_mapping_get() fails then this means that user space has indeed gone behind our back and freed the handle. In which case just return an error code.
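
The ref-counting pattern described above, as an added user-space toy model (not the kernel's code and not part of the original record): it contrasts returning an object whose only reference belongs to the handle with keeping the creator's reference until the caller is done. All names (`obj`, `handle_create`, `handle_close`, `create_with_handle`) are hypothetical stand-ins, and a static pool with a `freed` flag replaces real allocation so the state can be inspected safely.

```c
/* Toy user-space model of the ref-counting pattern; all names are hypothetical. */
#include <stddef.h>

struct obj { int refs; int freed; };      /* stand-in for a GEM BO */
static struct obj pool[8];                /* static pool: nothing is really freed */
static struct obj *handles[8];            /* handle table; index = handle */
static int next_obj;

static struct obj *obj_new(void) {
    struct obj *o = &pool[next_obj++ % 8];
    o->refs = 1; o->freed = 0;            /* creator's reference */
    return o;
}
static void obj_put(struct obj *o) { if (--o->refs == 0) o->freed = 1; }

/* The handle table takes its own reference on the object. */
static int handle_create(struct obj *o) {
    for (int h = 0; h < 8; h++)
        if (!handles[h]) { handles[h] = o; o->refs++; return h; }
    return -1;
}
/* Models user space closing a handle, possibly one it guessed. */
static void handle_close(int h) {
    if (h >= 0 && h < 8 && handles[h]) { obj_put(handles[h]); handles[h] = NULL; }
}

/* Old pattern: returns a pointer whose only reference is the handle's. */
static struct obj *create_with_handle(int *h) {
    struct obj *o = obj_new();
    *h = handle_create(o);
    obj_put(o);                           /* creator's reference dropped here */
    return o;                             /* borrowed pointer */
}

/* Returns 1 if the caller's pointer is dangling after a concurrent close. */
int old_pattern_dangles(void) {
    int h;
    struct obj *o = create_with_handle(&h);
    handle_close(h);                      /* handle released behind our back */
    return o->freed;                      /* real code would touch freed memory */
}

/* Fixed pattern: the caller keeps its own reference until it is done. */
int fixed_pattern_dangles(void) {
    struct obj *o = obj_new();
    int h = handle_create(o);
    handle_close(h);                      /* same early close */
    int dangling = o->freed;              /* still 0: our reference pins it */
    obj_put(o);                           /* drop our reference last */
    return dangling;
}
```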
Product status
f3ba91228e8e917e5bd6c4b72bfe846933d17370 (git) before 0b70f6ea4d4f2b4d4b291d86ab76b4d07394932c
f3ba91228e8e917e5bd6c4b72bfe846933d17370 (git) before 4f1105ee72d8c7c35d90e3491b31b2d9d6b7e33a
f3ba91228e8e917e5bd6c4b72bfe846933d17370 (git) before 3f9feffa8a5ab08b4e298a27b1aa7204a7d42ca2
f3ba91228e8e917e5bd6c4b72bfe846933d17370 (git) before ba3d2c2380e7129b525a787489c0b7e819a3b898
f3ba91228e8e917e5bd6c4b72bfe846933d17370 (git) before 4217c6ac817451d5116687f3cc6286220dc43d49
5.2
Any version before 5.2
5.10.163 (semver)
5.15.87 (semver)
6.0.19 (semver)
6.1.5 (semver)
6.2 (original_commit_for_fix)
References
git.kernel.org/...c/0b70f6ea4d4f2b4d4b291d86ab76b4d07394932c
git.kernel.org/...c/4f1105ee72d8c7c35d90e3491b31b2d9d6b7e33a
git.kernel.org/...c/3f9feffa8a5ab08b4e298a27b1aa7204a7d42ca2
git.kernel.org/...c/ba3d2c2380e7129b525a787489c0b7e819a3b898
git.kernel.org/...c/4217c6ac817451d5116687f3cc6286220dc43d49