Received: by 10.192.165.156 with SMTP id m28csp1096066imm; Wed, 11 Apr 2018 12:19:50 -0700 (PDT) X-Google-Smtp-Source: AIpwx499gYbatcOrsnNM06YgY51447loK7tlnYx86FjElYcloPhZVLrT4hvaR1Z0IlRIoclHzHMF X-Received: by 10.98.236.4 with SMTP id k4mr5058214pfh.240.1523474390862; Wed, 11 Apr 2018 12:19:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523474390; cv=none; d=google.com; s=arc-20160816; b=iRvavYf53QOd1pvlcztAMeWFxAuFMUmyVzbw+mTpgRYqzdtUOw6PLe1uqyzAr9m3BK NCvI1vfjWkdQ3i14474DpruJ4D9h+KN3nTqF6f1K49O7rj/FIfHzk/S8vxvwhXkG4P35 /6k9yiXbPTdH44F64/nZiKN6p7U/9nFn28SjfPHkck1GgAyU2v4tLbJGvOaGu2K7eIQT 5+FF65vfwDEABCgPC/wSO/HrRLFMMucM466JgODlcSH7aHnFz28Zpz4C9oty+SG0hRxz FmcsWPbgMpMcRous3yzWAnA5ehFl+qBelVxhAOllF23i9vOFEkQRGYd851mVVSHSZ3n8 YZ4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=bgenm0Tgfb+QXSXAbG7Mm6D4yKg1sabTYE40VoB0sFE=; b=M12+ZopjHcTvXYAIWDHHebTIV2tt+b74Oh8RIg2tKSAUFTQzLimnLpZKLj4WwEM797 SzB8/4HKSfO4MbIK9jCr2zvPIdUDr4J9dLL0RMA1SywK448t7eXsaEG9twQ9UPbC9hQK C305IDq4IoAQIPlPoAyFk9C+LoMx9VN6pxwInC55ec41t4cTWKcgWG9I+1/WCfBG2odt 6Bds9IMAtgslh2y1qXxhmnEmEL/TtRTy3zo5aeDToIvbVE0QsWxH9G1+9DBX3ts9cQRP f30I5Vm3ridx+PL/atkA3qH88Aebkb9X5d9AKj+0waoIhA4RkmdGwwcYzLf83oS/s1JT b2fw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i5-v6si1622598plk.139.2018.04.11.12.19.14; Wed, 11 Apr 2018 12:19:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935123AbeDKTFz (ORCPT + 99 others); Wed, 11 Apr 2018 15:05:55 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:40600 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934041AbeDKTFw (ORCPT ); Wed, 11 Apr 2018 15:05:52 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 721D2D3C; Wed, 11 Apr 2018 19:05:51 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Christophe JAILLET , Eric Anholt , Sasha Levin Subject: [PATCH 4.9 256/310] drm/vc4: Fix resource leak in vc4_get_hang_state_ioctl() in error handling path Date: Wed, 11 Apr 2018 20:36:35 +0200 Message-Id: <20180411183633.443352303@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180411183622.305902791@linuxfoundation.org> References: <20180411183622.305902791@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Christophe JAILLET [ Upstream commit d0b1d259a4b58b21a21ea82d7174bf7ea825e9cc ] If one 'drm_gem_handle_create()' fails, we leak somes handles and some memory. In order to fix it: - move the 'free(bo_state)' at the end of the function so that it is also called in the eror handling path. This has the side effect to also try to free it if the first 'kcalloc' fails. This is harmless. - add a new label, err_delete_handle, in order to delete already allocated handles in error handling path - remove the now useless 'err' label The way the code is now written will also delete the handles if the 'copy_to_user()' call fails. Signed-off-by: Christophe JAILLET Reviewed-by: Eric Anholt Link: http://patchwork.freedesktop.org/patch/msgid/20170512123803.1886-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/vc4/vc4_gem.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) --- a/drivers/gpu/drm/vc4/vc4_gem.c +++ b/drivers/gpu/drm/vc4/vc4_gem.c @@ -110,8 +110,8 @@ vc4_get_hang_state_ioctl(struct drm_devi &handle); if (ret) { - state->bo_count = i - 1; - goto err; + state->bo_count = i; + goto err_delete_handle; } bo_state[i].handle = handle; bo_state[i].paddr = vc4_bo->base.paddr; @@ -123,13 +123,16 @@ vc4_get_hang_state_ioctl(struct drm_devi state->bo_count * sizeof(*bo_state))) ret = -EFAULT; - kfree(bo_state); +err_delete_handle: + if (ret) { + for (i = 0; i < state->bo_count; i++) + drm_gem_handle_delete(file_priv, bo_state[i].handle); + } err_free: - vc4_free_hang_state(dev, kernel_state); + kfree(bo_state); -err: return ret; }