Received: by 10.192.165.156 with SMTP id m28csp1096066imm;
        Wed, 11 Apr 2018 12:19:50 -0700 (PDT)
X-Google-Smtp-Source: AIpwx499gYbatcOrsnNM06YgY51447loK7tlnYx86FjElYcloPhZVLrT4hvaR1Z0IlRIoclHzHMF
X-Received: by 10.98.236.4 with SMTP id k4mr5058214pfh.240.1523474390862;
        Wed, 11 Apr 2018 12:19:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523474390; cv=none;
        d=google.com; s=arc-20160816;
        b=iRvavYf53QOd1pvlcztAMeWFxAuFMUmyVzbw+mTpgRYqzdtUOw6PLe1uqyzAr9m3BK
         NCvI1vfjWkdQ3i14474DpruJ4D9h+KN3nTqF6f1K49O7rj/FIfHzk/S8vxvwhXkG4P35
         /6k9yiXbPTdH44F64/nZiKN6p7U/9nFn28SjfPHkck1GgAyU2v4tLbJGvOaGu2K7eIQT
         5+FF65vfwDEABCgPC/wSO/HrRLFMMucM466JgODlcSH7aHnFz28Zpz4C9oty+SG0hRxz
         FmcsWPbgMpMcRous3yzWAnA5ehFl+qBelVxhAOllF23i9vOFEkQRGYd851mVVSHSZ3n8
         YZ4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=bgenm0Tgfb+QXSXAbG7Mm6D4yKg1sabTYE40VoB0sFE=;
        b=M12+ZopjHcTvXYAIWDHHebTIV2tt+b74Oh8RIg2tKSAUFTQzLimnLpZKLj4WwEM797
         SzB8/4HKSfO4MbIK9jCr2zvPIdUDr4J9dLL0RMA1SywK448t7eXsaEG9twQ9UPbC9hQK
         C305IDq4IoAQIPlPoAyFk9C+LoMx9VN6pxwInC55ec41t4cTWKcgWG9I+1/WCfBG2odt
         6Bds9IMAtgslh2y1qXxhmnEmEL/TtRTy3zo5aeDToIvbVE0QsWxH9G1+9DBX3ts9cQRP
         f30I5Vm3ridx+PL/atkA3qH88Aebkb9X5d9AKj+0waoIhA4RkmdGwwcYzLf83oS/s1JT
         b2fw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i5-v6si1622598plk.139.2018.04.11.12.19.14;
        Wed, 11 Apr 2018 12:19:50 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S935123AbeDKTFz (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Wed, 11 Apr 2018 15:05:55 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:40600 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S934041AbeDKTFw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Apr 2018 15:05:52 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 721D2D3C;
        Wed, 11 Apr 2018 19:05:51 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
        Eric Anholt <eric@anholt.net>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.9 256/310] drm/vc4: Fix resource leak in vc4_get_hang_state_ioctl() in error handling path
Date:   Wed, 11 Apr 2018 20:36:35 +0200
Message-Id: <20180411183633.443352303@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180411183622.305902791@linuxfoundation.org>
References: <20180411183622.305902791@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>


[ Upstream commit d0b1d259a4b58b21a21ea82d7174bf7ea825e9cc ]

If one 'drm_gem_handle_create()' fails, we leak somes handles and some
memory.

In order to fix it:
  - move the 'free(bo_state)' at the end of the function so that it is also
    called in the eror handling path. This has the side effect to also try
    to free it if the first 'kcalloc' fails. This is harmless.
  - add a new label, err_delete_handle, in order to delete already
    allocated handles in error handling path
  - remove the now useless 'err' label

The way the code is now written will also delete the handles if the
'copy_to_user()' call fails.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Eric Anholt <eric@anholt.net>
Link: http://patchwork.freedesktop.org/patch/msgid/20170512123803.1886-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/vc4/vc4_gem.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -110,8 +110,8 @@ vc4_get_hang_state_ioctl(struct drm_devi
 					    &handle);
 
 		if (ret) {
-			state->bo_count = i - 1;
-			goto err;
+			state->bo_count = i;
+			goto err_delete_handle;
 		}
 		bo_state[i].handle = handle;
 		bo_state[i].paddr = vc4_bo->base.paddr;
@@ -123,13 +123,16 @@ vc4_get_hang_state_ioctl(struct drm_devi
 			 state->bo_count * sizeof(*bo_state)))
 		ret = -EFAULT;
 
-	kfree(bo_state);
+err_delete_handle:
+	if (ret) {
+		for (i = 0; i < state->bo_count; i++)
+			drm_gem_handle_delete(file_priv, bo_state[i].handle);
+	}
 
 err_free:
-
 	vc4_free_hang_state(dev, kernel_state);
+	kfree(bo_state);
 
-err:
 	return ret;
 }