diff options
| author | Giuliano Procida <gprocida@google.com> | 2020-10-14 09:51:09 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-10-14 09:51:09 +0200 |
| commit | 328ec6286a78a71500b74255448e8f3c83d2b2c4 (patch) | |
| tree | ef7263aa355e62935bccad30d34d89a6c4281ccd | |
| parent | 60634d81cb43b19817b79a8a1d38e25e907e5ea1 (diff) | |
| download | linux-328ec6286a78a71500b74255448e8f3c83d2b2c4.tar.gz linux-328ec6286a78a71500b74255448e8f3c83d2b2c4.tar.bz2 linux-328ec6286a78a71500b74255448e8f3c83d2b2c4.zip | |
drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
refcount imbalance and thus a struct drm_syncobj object leak which can
be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
which increments the refcount of the object on success. In all of the
drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
in the success path the refcount should remain at +1 as the struct
drm_syncobj now belongs to the newly opened file. Instead, the
refcount was incremented again to +2.
Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
Signed-off-by: Giuliano Procida <gprocida@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/gpu/drm/drm_syncobj.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index 889c95d4feec..3f71bc3d93fe 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private, return PTR_ERR(file); } - drm_syncobj_get(syncobj); fd_install(fd, file); *p_fd = fd; |