Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp4420067pxu; Mon, 12 Oct 2020 19:48:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJygxGOXB1vqB/bpXovrvQsTakf/qAkg1xRYbHlTNZQV2dUKpeqC3+t5Rfhy3W07Cv8ZFzxX X-Received: by 2002:a17:906:1f53:: with SMTP id d19mr30712556ejk.255.1602557335457; Mon, 12 Oct 2020 19:48:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602557335; cv=none; d=google.com; s=arc-20160816; b=Ix6/3IfdJ844KLjLrbxqql5iphxxs0CfwrfM/miPtiSaNN8XYVaS1z1BYcW9H5nhyL QMyUH4ZqRhDBBRa2armJJWXrApS2/5/r781lsd8hf644D1IFa6N323BJdqi8EQrM1An3 eCjmjncLlOK5gm0SwuT3NzUCJ5kTms2mX7iEVyNgygya6j1FC+cWLaqPrGeu5VLzvCZm ZeDSG3RHkmspW6jZrae3Hd+eBKWL6Cki172vj1SVJhNw2xLlt7cJCCTNkIL3n4tWJNOu VyBQlsYmAIxBWif+lSI1rPzQuS+xWsTYtQmqcF5bdJvjpR6Gomap0soMHCJYzzhHcXha QLpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=N4NUx4fcTKCCphCCaYlbYXu9sOyxyN9sNuN08xz+vQ8=; b=KT481NwkVL+hd0srbAATa28UR5tF3eS8ujx9ZHlo0iKTkT/dnlsHMRmZ0s7GsqHSag tXKO4muJuySFTbRCZyOm8cY8rQpE4a5JR1LlPtyFNGlFcyQnByp5FQrUGGLnRxWwo5q4 79AQXPiTldN7wTpvZsibpPY929HfoLtnf3C6wVVG1X7ikP4y5Ypsq+x8HWF7gzYewU3E njpch1KLtf9qoNJz7lktfZ4voaDoCSruoOwBfHBd84r95l7GhRkeIlxcIuypOhrCA2qy tGKSOcM6zT1MaYyhki9v1AbuwV2d7Dqmp9m88ifX0zeW7qt7TKpoSKx/8JvRs19k3ezA s8bw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=cbjWU33o; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bv12si608088ejb.662.2020.10.12.19.48.33; Mon, 12 Oct 2020 19:48:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=cbjWU33o; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731344AbgJLODs (ORCPT + 99 others); Mon, 12 Oct 2020 10:03:48 -0400 Received: from mail.kernel.org ([198.145.29.99]:39186 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730424AbgJLNgc (ORCPT ); Mon, 12 Oct 2020 09:36:32 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B46452076E; Mon, 12 Oct 2020 13:36:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1602509790; bh=Uqcssya3qJQURCLZ5TZcMKCc+eeib0YtWVFfrFHR1vk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cbjWU33o/WbW+8zviYWmpZjCXLeO+fOQWwOp69Jrs5I7TcLqoaaTI+F8tH2HnmJCq a7BuKqAPPGUK4h35sjPs6ImDT5h5m/poCYK+VIoLrNOA52pIMVn71Bok6/SEo6xfYJ by8Wcd36UDjUPP0kTJyCvMEjWcC7AyqdBNE8FCWs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Giuliano Procida Subject: [PATCH 4.14 31/70] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak Date: Mon, 12 Oct 2020 15:26:47 +0200 Message-Id: <20201012132631.677832766@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201012132630.201442517@linuxfoundation.org> References: <20201012132630.201442517@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Giuliano Procida Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a refcount imbalance and thus a struct drm_syncobj object leak which can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD. The function drm_syncobj_handle_to_fd first calls drm_syncobj_find which increments the refcount of the object on success. In all of the drm_syncobj_handle_to_fd error paths, the refcount is decremented, but in the success path the refcount should remain at +1 as the struct drm_syncobj now belongs to the newly opened file. Instead, the refcount was incremented again to +2. Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd") Signed-off-by: Giuliano Procida Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/drm_syncobj.c | 1 - 1 file changed, 1 deletion(-) --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(stru return PTR_ERR(file); } - drm_syncobj_get(syncobj); fd_install(fd, file); *p_fd = fd;