
[1/1] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak

Message ID 20201006135228.113259-2-gprocida@google.com
State New

Commit Message

Giuliano Procida Oct. 6, 2020, 1:52 p.m. UTC
commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 upstream.

The cherry-pick 5fb252cad61f of the above commit introduced a refcount
imbalance and so leak of struct drm_syncobj objects that can be
triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.

The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
which increments the refcount of the object on success. In all of the
drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
in the success path the refcount should remain at +1 as the struct
drm_syncobj now belongs to the newly opened file. Instead, the
refcount was incremented again to +2.

Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 drivers/gpu/drm/drm_syncobj.c | 1 -
 1 file changed, 1 deletion(-)
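
A userspace model of the reference accounting described in the commit message above, added here as an illustration; it is not code from the patch or from the kernel. The names `obj_find`, `handle_to_fd` and `residual_refs` are hypothetical, and the model assumes that the handle holds one reference and that closing each exported file drops one.

```c
#include <stdio.h>

/* Constructed stand-in for struct drm_syncobj; only the counter is modelled. */
struct obj { int refcount; };

static void obj_get(struct obj *o) { o->refcount++; }
static void obj_put(struct obj *o) { o->refcount--; } /* model: never frees, so the count can be inspected */

/* Model of a lookup by handle: returns the object with one extra reference. */
static struct obj *obj_find(struct obj *o) { obj_get(o); return o; }

/* Model of the success path of the handle-to-fd export.
 * extra_get = 1 reproduces the imbalance, extra_get = 0 is the patched behaviour. */
static void handle_to_fd(struct obj *o, int extra_get)
{
    struct obj *found = obj_find(o);  /* +1, held by this function */
    if (extra_get)
        obj_get(found);               /* second reference that no owner will ever drop */
    /* success: the lookup reference is handed to the new file, so no put here */
}

/* Export the object `exports` times, then let every owner drop its reference.
 * Returns the references left over: 0 means the object would be freed, >0 is a leak. */
int residual_refs(int extra_get, int exports)
{
    struct obj o = { .refcount = 1 }; /* assumption: one reference held by the handle */
    for (int i = 0; i < exports; i++)
        handle_to_fd(&o, extra_get);
    for (int i = 0; i < exports; i++)
        obj_put(&o);                  /* assumption: closing each exported file drops one */
    obj_put(&o);                      /* handle destroyed */
    return o.refcount;
}

int main(void)
{
    printf("patched:    %d reference(s) left\n", residual_refs(0, 3));
    printf("imbalanced: %d reference(s) left\n", residual_refs(1, 3));
    return 0;
}
```

In this model every successful export with the extra get leaves one reference that nothing releases, so the count never returns to zero.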

Comments

Greg KH Oct. 6, 2020, 3:31 p.m. UTC | #1
On Tue, Oct 06, 2020 at 02:52:28PM +0100, Giuliano Procida wrote:
> commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 upstream.

That's not what this commit is :(

Are you sure this is correct?

> The cherry-pick 5fb252cad61f of the above commit introduced a refcount
> imbalance and so leak of struct drm_syncobj objects that can be
> triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.

Ok, so the backport of e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 is the
problem, so this needs a bit of wording change to make it obvious what
is happening here.

Can you fix that up and resend?

thanks,

greg k-h

Patch

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 889c95d4feec..3f71bc3d93fe 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -355,7 +355,6 @@  static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
 		return PTR_ERR(file);
 	}
 
-	drm_syncobj_get(syncobj);
 	fd_install(fd, file);
 
 	*p_fd = fd;
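
Review bot: With the drm_syncobj_get() in front of fd_install(fd, file) gone, nothing in the success path records that the reference taken by drm_syncobj_find() is now owned by the new file, so a later backport or refactor could reintroduce the imbalance. Consider a one-line comment above fd_install(fd, file) stating that the lookup reference is transferred to the file. The error branch ending in return PTR_ERR(file) is only partly visible in this context, so it is worth confirming against the full function that it still drops the lookup reference, as the commit message says the error paths do.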