Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp5342660rwl; Sun, 8 Jan 2023 13:17:12 -0800 (PST) X-Google-Smtp-Source: AMrXdXuO4qG/wQLCnBFBjtJkV4gSsP75AFgGlFXCGpiAotUoSTdZ0ig9ACSAcDRfXM5ZqWUpTZsv X-Received: by 2002:aa7:cb94:0:b0:496:6a20:6b61 with SMTP id r20-20020aa7cb94000000b004966a206b61mr7627234edt.22.1673212632191; Sun, 08 Jan 2023 13:17:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673212632; cv=none; d=google.com; s=arc-20160816; b=F2V3II76uiEA8LCjNFSL36B3SzipMxyUJupdlM6R8Zavhn+ONqHtyr1E5mAJi1Pf1g COLrKN+4DjJVigPAA1CokChc3lPuBvQMjH2Tl+nZHIrSyErS3lTm0SngrM+Elv0VBvHX qMELc+4Vp8yN6WdnQu7ed2e0jjlmSdtfb/8SviHJ2l7OfgjUiirN+/DJHq/LyqGnS1wi NNCfTLr8xcSq845ttk4iJYIl7cmtuObB/1VZYfqNED/tNA9ivxbaYoFGayUwQjjbkrUu Ztf04DrXvK0W2j8xBa10iLzLIlsON8Y20oXgvLsx8dCO9tLCFtioIIJLd+Lsrst8fJJI QexQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=qjCskzlG3ILyrKq6Mv4hyQZ+8SEsKEKVzEu0wTBFjtU=; b=FSX5p18EnrQBW6fUjRu3N/GdVf5VGPyEBgvaqCeugHrV9B3D0TNSZf8LD8zaF73H2B 93oAPY+usxflKlRWrSaLUvdeB8Zxi3Q9z8xdkCK+PI3LrxNv58ZswdFHXOzrBoxqsXa1 CHGGFdMuTz7HmWsYDGFv0nIfEqR2XbAuDHdoPSJfolPlZhYWMx5eZTGzu3XEu7dJ/diG /pBC7HvzoTxzaSJUPqnsn6fwCRY3taK3dBVSWek3ukvD/9ln6Uon5shyqtNZJInuakHi dgV33AXxnMlAlhyRtQR2Nmcz7szxiPX141sm99GyJG2i8wNWStCG/5B4kLYySQ0lbM9O iHrw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=MypaMY67; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=collabora.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h5-20020a056402280500b0048a267dede9si8429422ede.133.2023.01.08.13.17.00; Sun, 08 Jan 2023 13:17:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=MypaMY67; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234878AbjAHVOM (ORCPT + 51 others); Sun, 8 Jan 2023 16:14:12 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60800 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236294AbjAHVNg (ORCPT ); Sun, 8 Jan 2023 16:13:36 -0500 Received: from madras.collabora.co.uk (madras.collabora.co.uk [46.235.227.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51890DED7 for ; Sun, 8 Jan 2023 13:13:36 -0800 (PST) Received: from workpc.. (109-252-117-89.nat.spd-mgts.ru [109.252.117.89]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: dmitry.osipenko) by madras.collabora.co.uk (Postfix) with ESMTPSA id 0D1FC6600357; Sun, 8 Jan 2023 21:13:33 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1673212415; bh=Ez5dB/rkALjWV2HFndt9nadNf0wBhw1F0LNBdhTogSc=; h=From:To:Cc:Subject:Date:From; b=MypaMY67pkHhLAyD3gOjb89yRq+9zbVWCAR0beiNk55c/8ecTylRY9YZG9fEWdxwc i52uMAbxGge7m9tr/EieApG4rcid9+gUV4JKuro6Fm1rfUmINbVc6duW4ssAgpebIK JH/Q1LBr1SXVcweOhb/PbyweU4YmZO5T6AC/l/031w1y48WEHsOb/RMuU9V6Ah4LN5 UPAxRdw8hionuUrriOhlytDzcNW54aa5v1a+DLuW42eGMVxrHjhkOdCqVRyFu2Y2Nz sJz4EfTM2D3pNSQ6bzr+lRu+hHOxMUXh6UpF0sPM2I8WqyouZ7Pg87NVSf0S7B7ztO +fyuyldy0wu3g== From: Dmitry Osipenko To: Rob Clark , Thomas Zimmermann , Daniel Vetter , Javier Martinez Canillas Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: [PATCH v1] drm/shmem-helper: Remove another errant put in error path Date: Mon, 9 Jan 2023 00:13:11 +0300 Message-Id: <20230108211311.3950107-1-dmitry.osipenko@collabora.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org drm_gem_shmem_mmap() doesn't own reference in error code path, resulting in the dma-buf shmem GEM object getting prematurely freed leading to a later use-after-free. Fixes: f49a51bfdc8e ("drm/shme-helpers: Fix dma_buf_mmap forwarding bug") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Osipenko --- drivers/gpu/drm/drm_gem_shmem_helper.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index f21f47737817..8b20b41497e8 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -624,11 +624,14 @@ int drm_gem_shmem_mmap(struct drm_gem_shmem_object *shmem, struct vm_area_struct int ret; if (obj->import_attach) { - /* Drop the reference drm_gem_mmap_obj() acquired.*/ - drm_gem_object_put(obj); vma->vm_private_data = NULL; + ret = dma_buf_mmap(obj->dma_buf, vma, 0); + + /* Drop the reference drm_gem_mmap_obj() acquired.*/ + if (!ret) + drm_gem_object_put(obj); - return dma_buf_mmap(obj->dma_buf, vma, 0); + return ret; } ret = drm_gem_shmem_get_pages(shmem); -- 2.38.1