[PATCH v2] accel/qaic: fix GEM object refcount leak in qaic_attach_slice_bo_ioctl

[PATCH v2] accel/qaic: fix GEM object refcount leak in qaic_attach_slice_bo_ioctl

[WenTao Liang]

drm_gem_object_lookup() acquires a GEM object reference on success. All
error paths correctly release it via put_bo, but the success path returns
without calling drm_gem_object_put(obj). Since list_add_tail does not
transfer ownership, the GEM object reference is permanently leaked on
each successful call.

Suggested-by: Greg KH <gregkh@linuxfoundation.org>
Fixes: 75af0a585af9 ("accel/qaic: Grab ch_lock during QAIC_ATTACH_SLICE_BO")
Cc: stable@vger.kernel.org
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
Changes in v2:
- Fix patch format based on reviewer feedback
---
 drivers/accel/qaic/qaic_data.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
index 1e4c579d2725..b17df7bf565d 100644
--- a/drivers/accel/qaic/qaic_data.c
+++ b/drivers/accel/qaic/qaic_data.c
@@ -1084,6 +1084,7 @@ int qaic_attach_slice_bo_ioctl(struct drm_device *dev, void *data, struct drm_fi
 
 	bo->sliced = true;
 	list_add_tail(&bo->bo_list, &bo->dbc->bo_lists);
+	drm_gem_object_put(obj);
 	srcu_read_unlock(&dbc->ch_lock, rcu_id);
 	mutex_unlock(&bo->lock);
 	kfree(slice_ent);
-- 
2.39.5 (Apple Git-154)

Re: [PATCH v2] accel/qaic: fix GEM object refcount leak in qaic_attach_slice_bo_ioctl

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [Critical] The patch incorrectly adds `drm_gem_object_put(obj)` to the success path of `qaic_attach_slice_bo_ioctl`, dropping a reference that is supposed to be owned by the `dbc->bo_lists` list, introducing immediate Use-After-Free and Double-Free vulnerabilities.

Pre-existing issues:
- [High] Concurrent modifications to the `dbc->bo_lists` list are not protected by mutual exclusion, leading to linked list corruption.
--

commit bc2c1f25fbb00a819fac019aaf005f851bd75d49
Author: WenTao Liang <vulab@iscas.ac.cn>

accel/qaic: fix GEM object refcount leak in qaic_attach_slice_bo_ioctl

This commit attempts to fix a perceived GEM object reference leak by adding
a drm_gem_object_put() call in the success path of
qaic_attach_slice_bo_ioctl().

> diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
> index ef0351b6dc9b5..46842d4a0848e 100644
> --- a/drivers/accel/qaic/qaic_data.c
> +++ b/drivers/accel/qaic/qaic_data.c
[ ... ]
> @@ -1084,6 +1084,7 @@ int qaic_attach_slice_bo_ioctl(struct drm_device *dev, void *data, struct drm_fi
>  
>  	bo->sliced = true;
>  	list_add_tail(&bo->bo_list, &bo->dbc->bo_lists);

[Severity: High]
This is a pre-existing issue, but does this list_add_tail() race with other
concurrent list modifications?

The dbc->ch_lock only provides a shared read lock via srcu_read_lock(), and
bo->lock is a per-BO mutex. If userspace issues concurrent ioctls on the
same DBC with different BOs, wouldn't they simultaneously modify
dbc->bo_lists without mutual exclusion?

> +	drm_gem_object_put(obj);

[Severity: Critical]
Does adding this put call introduce a use-after-free?

The original code appears to transfer the GEM reference to the
dbc->bo_lists linked list on success, with detach_slice_bo() releasing it
later via drm_gem_object_put(&bo->base):

detach_slice_bo() {
    ...
    list_del(&bo->bo_list);
    drm_gem_object_put(&bo->base);
    ...
}

If we drop the reference early here, couldn't the BO be freed while still
linked in dbc->bo_lists, leading to list corruption during later operations?

Additionally, if this put drops the final reference, won't the subsequent
mutex_unlock(&bo->lock) operate on a destroyed mutex?

>  	srcu_read_unlock(&dbc->ch_lock, rcu_id);
>  	mutex_unlock(&bo->lock);
>  	kfree(slice_ent);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260628115119.44215-1-vulab@iscas.ac.cn?part=1