--- /dev/null
+From stable-owner@vger.kernel.org Tue Oct 6 18:20:14 2020
+From: Giuliano Procida <gprocida@google.com>
+Subject: drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-Id: <20201006162000.1146391-1-gprocida@google.com>
+
+From: Giuliano Procida <gprocida@google.com>
+
+Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
+upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
+refcount imbalance and thus a struct drm_syncobj object leak which can
+be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
+
+The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
+which increments the refcount of the object on success. In all of the
+drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
+in the success path the refcount should remain at +1 as the struct
+drm_syncobj now belongs to the newly opened file. Instead, the
+refcount was incremented again to +2.
+
+Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
+Signed-off-by: Giuliano Procida <gprocida@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_syncobj.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_syncobj.c
++++ b/drivers/gpu/drm/drm_syncobj.c
+@@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(stru
+ return PTR_ERR(file);
+ }
+
+- drm_syncobj_get(syncobj);
+ fd_install(fd, file);
+
+ *p_fd = fd;
projects / thirdparty / kernel / stable-queue.git / commitdiff
