From: Giuliano Procida <gprocida@google.com>
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: Giuliano Procida <gprocida@google.com>
Subject: [PATCH v2 1/1] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
Date: Tue, 6 Oct 2020 17:20:00 +0100 [thread overview]
Message-ID: <20201006162000.1146391-1-gprocida@google.com> (raw)
In-Reply-To: <20201006135228.113259-2-gprocida@google.com>
Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
refcount imbalance and thus a struct drm_syncobj object leak which can
be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
which increments the refcount of the object on success. In all of the
drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
in the success path the refcount should remain at +1 as the struct
drm_syncobj now belongs to the newly opened file. Instead, the
refcount was incremented again to +2.
Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
drivers/gpu/drm/drm_syncobj.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 889c95d4feec..3f71bc3d93fe 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
return PTR_ERR(file);
}
- drm_syncobj_get(syncobj);
fd_install(fd, file);
*p_fd = fd;
--
2.28.0.806.g8561365e88-goog
next prev parent reply other threads:[~2020-10-06 16:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-06 13:52 [PATCH 0/1] Fix drm_syncobj_handle_to_fd refcount leak Giuliano Procida
2020-10-06 13:52 ` [PATCH 1/1] drm/syncobj: " Giuliano Procida
2020-10-06 15:31 ` Greg KH
2020-10-06 16:20 ` Giuliano Procida [this message]
2020-10-06 16:39 ` [PATCH v2 " Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201006162000.1146391-1-gprocida@google.com \
--to=gprocida@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.