From: Giuliano Procida <gprocida@google.com>
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: Giuliano Procida <gprocida@google.com>
Subject: [PATCH 1/1] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
Date: Tue, 6 Oct 2020 14:52:28 +0100 [thread overview]
Message-ID: <20201006135228.113259-2-gprocida@google.com> (raw)
In-Reply-To: <20201006135228.113259-1-gprocida@google.com>
commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 upstream.
The cherry-pick 5fb252cad61f of the above commit introduced a refcount
imbalance and so leak of struct drm_syncobj objects that can be
triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
which increments the refcount of the object on success. In all of the
drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
in the success path the refcount should remain at +1 as the struct
drm_syncobj now belongs to the newly opened file. Instead, the
refcount was incremented again to +2.
Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
drivers/gpu/drm/drm_syncobj.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 889c95d4feec..3f71bc3d93fe 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
return PTR_ERR(file);
}
- drm_syncobj_get(syncobj);
fd_install(fd, file);
*p_fd = fd;
--
2.28.0.806.g8561365e88-goog
next prev parent reply other threads:[~2020-10-06 13:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-06 13:52 [PATCH 0/1] Fix drm_syncobj_handle_to_fd refcount leak Giuliano Procida
2020-10-06 13:52 ` Giuliano Procida [this message]
2020-10-06 15:31 ` [PATCH 1/1] drm/syncobj: " Greg KH
2020-10-06 16:20 ` [PATCH v2 " Giuliano Procida
2020-10-06 16:39 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201006135228.113259-2-gprocida@google.com \
--to=gprocida@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.