From: Greg Kroah-Hartman Date: Tue, 6 Oct 2020 16:38:12 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.19.150~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=40bbb86bdd1c743fae2c19ae0479e150bee87dc8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: drm-syncobj-fix-drm_syncobj_handle_to_fd-refcount-leak.patch --- diff --git a/queue-4.14/drm-syncobj-fix-drm_syncobj_handle_to_fd-refcount-leak.patch b/queue-4.14/drm-syncobj-fix-drm_syncobj_handle_to_fd-refcount-leak.patch new file mode 100644 index 00000000000..81df2f26dbc --- /dev/null +++ b/queue-4.14/drm-syncobj-fix-drm_syncobj_handle_to_fd-refcount-leak.patch 
@@ -0,0 +1,38 @@ +From stable-owner@vger.kernel.org Tue Oct 6 18:20:14 2020 +From: Giuliano Procida +Subject: drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-Id: <20201006162000.1146391-1-gprocida@google.com> + +From: Giuliano Procida + +Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of +upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a +refcount imbalance and thus a struct drm_syncobj object leak which can +be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD. + +The function drm_syncobj_handle_to_fd first calls drm_syncobj_find +which increments the refcount of the object on success. In all of the +drm_syncobj_handle_to_fd error paths, the refcount is decremented, but +in the success path the refcount should remain at +1 as the struct +drm_syncobj now belongs to the newly opened file. Instead, the +refcount was incremented again to +2. + +Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd") +Signed-off-by: Giuliano Procida +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_syncobj.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/gpu/drm/drm_syncobj.c ++++ b/drivers/gpu/drm/drm_syncobj.c +@@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(stru + return PTR_ERR(file); + } + +- drm_syncobj_get(syncobj); + fd_install(fd, file); + + *p_fd = fd; diff --git a/queue-4.14/series b/queue-4.14/series index 1aee800717d..94567c69c84 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -28,3 +28,4 @@ epoll-replace-visited-visited_list-with-generation-count.patch epoll-epoll_ctl_add-close-the-race-in-decision-to-take-fast-path.patch ep_create_wakeup_source-dentry-name-can-change-under-you.patch netfilter-ctnetlink-add-a-range-check-for-l3-l4-protonum.patch +drm-syncobj-fix-drm_syncobj_handle_to_fd-refcount-leak.patch
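Review bot: in the drivers/gpu/drm/drm_syncobj.c hunk, once drm_syncobj_get(syncobj) is removed, nothing at the fd_install(fd, file) call records that the reference taken by drm_syncobj_find is the one now owned by the new file. The ownership rule lives only in the patch description. A one-line comment above fd_install(fd, file), for example "the reference from drm_syncobj_find() is handed to file here", would keep a later backport or refactor from re-adding the get and reintroducing the +2 count described in the message.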
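Review bot: the queue-4.14/series hunk queues the fix for 4.14 only, but the patch description does not say why upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 is balanced while its cherry-pick 5fb252cad61f is not. A sentence stating what differs in the 4.14 version of drm_syncobj_handle_to_fd, and whether any other stable queue carries the same cherry-pick, would let a reviewer confirm that the one-line deletion is complete and that no other series file needs the same entry.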