Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp313916ybx; Wed, 6 Nov 2019 00:45:13 -0800 (PST) X-Google-Smtp-Source: APXvYqz1RLp39vUzRsVsOnFilbi8S5qU7jRNnRy8zvt5ZQCTdsNLfvhnWp1vVddu/pQm+I6eHZvD X-Received: by 2002:a17:906:d793:: with SMTP id pj19mr17105066ejb.303.1573029913413; Wed, 06 Nov 2019 00:45:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573029913; cv=none; d=google.com; s=arc-20160816; b=Qv+H5UjV7W+SNneDr9MZ1mXsS1wc14g0lA/JQvdHoc9+rX7Co6739yy+lRf/P8XAVz j2sglWf/rKFvrzliI0kuWcIijt+c1ltEKMsNI8te0iuszl7TH46Mzl2lDqjYed8/mzJV Eqk+GfJecIWsDULo0JXaOIKiZiwLXUj3gBsi6WtWRRaS6/bp1g1DowpqhtEdvHzw9W7I tI52oBBhMxG7O8QuBG2qZufSqGeXCTMlWAlA48zBLvst75KFZgU8MAlvxNbB++ffsrM1 UV1CHf1DvENILI0ONVJpNvO17V8Ikru3a3G+oWKghWz4sQqqvespH958VP9yGLIIsu71 O7Wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:reply-to:message-id :subject:cc:to:from:date; bh=CxW12dpCnOzhrBlctSvGA91FyhhuIHCLmJ4zhpTPuyE=; b=jJri6AdLfJliWAUDsrfIByA2TeqHCVUMyveeROI5AODz2NyFUBKAWGfG3jjC+ALVhM VCitkenicaZdIPYP0e+HoZ9a61DpOc4WTkhUUofgX8cQhIhn/H6ElT6gnzi5GuWn5eFq A89+sq2lsC+V94vfdTiG+iMUBN6QjMSwEB4cIDwz6IuddjrRkq1IfqizgqH9Xg9Zewxr 7W8Y+fUcxOcMV75Vzk0HWSasmVkIOhg7gr2BU85wMljlUkLi3j9YNdBiAwo+ZzZoitHZ t4iOuXjy+nHKGd+KlViztkzsGrMwoUdryiQxi8r+xMcPwQAFnGfD+m8cmB4YvxriUSYe I+HQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k21si2276938ejc.148.2019.11.06.00.44.49; Wed, 06 Nov 2019 00:45:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730338AbfKFIoJ (ORCPT + 99 others); Wed, 6 Nov 2019 03:44:09 -0500 Received: from mga17.intel.com ([192.55.52.151]:21551 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729881AbfKFIoJ (ORCPT ); Wed, 6 Nov 2019 03:44:09 -0500 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Nov 2019 00:44:08 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,274,1569308400"; d="asc'?scan'208";a="205770424" Received: from zhen-hp.sh.intel.com (HELO zhen-hp) ([10.239.13.116]) by orsmga006.jf.intel.com with ESMTP; 06 Nov 2019 00:44:06 -0800 Date: Wed, 6 Nov 2019 16:43:49 +0800 From: Zhenyu Wang To: Pan Bian Cc: Zhi Wang , Jani Nikula , Joonas Lahtinen , Rodrigo Vivi , David Airlie , Daniel Vetter , intel-gvt-dev@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] drm/i915/gvt: fix dropping obj reference twice Message-ID: <20191106084349.GB4196@zhen-hp.sh.intel.com> Reply-To: Zhenyu Wang References: <1573025467-18278-1-git-send-email-bianpan2016@163.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="kXdP64Ggrk/fb43R" Content-Disposition: inline In-Reply-To: <1573025467-18278-1-git-send-email-bianpan2016@163.com> User-Agent: Mutt/1.10.0 (2018-05-17) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --kXdP64Ggrk/fb43R Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2019.11.06 15:31:07 +0800, Pan Bian wrote: > The reference count of obj will be decremented twice if error occurs > in dma_buf_fd(). Additionally, attempting to read the reference count of > obj after dropping reference may lead to a use after free bug. Here, we > drop obj's reference until it is not used. >=20 > Signed-off-by: Pan Bian > --- > drivers/gpu/drm/i915/gvt/dmabuf.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) >=20 > diff --git a/drivers/gpu/drm/i915/gvt/dmabuf.c b/drivers/gpu/drm/i915/gvt= /dmabuf.c > index 13044c027f27..4bfaefdf548d 100644 > --- a/drivers/gpu/drm/i915/gvt/dmabuf.c > +++ b/drivers/gpu/drm/i915/gvt/dmabuf.c > @@ -498,8 +498,6 @@ int intel_vgpu_get_dmabuf(struct intel_vgpu *vgpu, un= signed int dmabuf_id) > goto out_free_gem; > } > =20 > - i915_gem_object_put(obj); > - > ret =3D dma_buf_fd(dmabuf, DRM_CLOEXEC | DRM_RDWR); > if (ret < 0) { > gvt_vgpu_err("create dma-buf fd failed ret:%d\n", ret); > @@ -524,6 +522,8 @@ int intel_vgpu_get_dmabuf(struct intel_vgpu *vgpu, un= signed int dmabuf_id) > file_count(dmabuf->file), > kref_read(&obj->base.refcount)); > =20 > + i915_gem_object_put(obj); > + > return dmabuf_fd; > =20 > out_free_dmabuf: Looks fine to me. Thanks! Reviewed-by: Zhenyu Wang --=20 Open Source Technology Center, Intel ltd. $gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827 --kXdP64Ggrk/fb43R Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EARECAB0WIQTXuabgHDW6LPt9CICxBBozTXgYJwUCXcKHxQAKCRCxBBozTXgY J4mOAJ9LQBbGYBz26qSqTKOjlyHG7O92MQCgh6qkF9/0GTRd05GChiCic5//yLQ= =6K7k -----END PGP SIGNATURE----- --kXdP64Ggrk/fb43R--