git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jann Horn <jannh@google.com>
	Wed, 4 Dec 2024 16:26:21 +0000 (17:26 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 27 Dec 2024 13:02:10 +0000 (14:02 +0100)
commit	c9fc8428d4255c2128da9c4d5cd92e554d0150cf
tree	09d91365211cc6c7840d985723e120cab565f496	tree
parent	8e86e9909ad204c4fa2e05fb0bb6583c839a9602	commit \| diff

udmabuf: fix memory leak on last export_udmabuf() error path

[ Upstream commit f49856f525acd5bef52ae28b7da2e001bbe7439e ]

In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a
dma_buf owning the udmabuf has already been created; but the error handling
in udmabuf_create() will tear down the udmabuf without doing anything about
the containing dma_buf.

This leaves a dma_buf in memory that contains a dangling pointer; though
that doesn't seem to lead to anything bad except a memory leak.

Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we
can give it different error handling.

Note that the shape of this code changed a lot in commit 5e72b2b41a21
("udmabuf: convert udmabuf driver to use folios"); but the memory leak
seems to have existed since the introduction of udmabuf.

Fixes: fbb0de795078 ("Add udmabuf misc device")
Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-3-23887289de1c@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>