From: Greg KH <gregkh@linuxfoundation.org>
To: Giuliano Procida <gprocida@google.com>
Cc: stable@vger.kernel.org
Subject: Re: [PATCH v2 1/1] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
Date: Tue, 6 Oct 2020 18:39:14 +0200 [thread overview]
Message-ID: <20201006163914.GA36638@kroah.com> (raw)
In-Reply-To: <20201006162000.1146391-1-gprocida@google.com>
On Tue, Oct 06, 2020 at 05:20:00PM +0100, Giuliano Procida wrote:
> Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
> upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
> refcount imbalance and thus a struct drm_syncobj object leak which can
> be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
>
> The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
> which increments the refcount of the object on success. In all of the
> drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
> in the success path the refcount should remain at +1 as the struct
> drm_syncobj now belongs to the newly opened file. Instead, the
> refcount was incremented again to +2.
>
> Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
> Signed-off-by: Giuliano Procida <gprocida@google.com>
> ---
> drivers/gpu/drm/drm_syncobj.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
> index 889c95d4feec..3f71bc3d93fe 100644
> --- a/drivers/gpu/drm/drm_syncobj.c
> +++ b/drivers/gpu/drm/drm_syncobj.c
> @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
> return PTR_ERR(file);
> }
>
> - drm_syncobj_get(syncobj);
> fd_install(fd, file);
>
> *p_fd = fd;
> --
> 2.28.0.806.g8561365e88-goog
>
Thanks, that worked, now queued up!
greg k-h
prev parent reply other threads:[~2020-10-06 16:38 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-06 13:52 [PATCH 0/1] Fix drm_syncobj_handle_to_fd refcount leak Giuliano Procida
2020-10-06 13:52 ` [PATCH 1/1] drm/syncobj: " Giuliano Procida
2020-10-06 15:31 ` Greg KH
2020-10-06 16:20 ` [PATCH v2 " Giuliano Procida
2020-10-06 16:39 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201006163914.GA36638@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=gprocida@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.