From: Giuliano Procida Date: Wed, 14 Oct 2020 07:51:09 +0000 (+0200) Subject: drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak X-Git-Tag: v4.14.201~40 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=328ec6286a78a71500b74255448e8f3c83d2b2c4;p=users%2Fdwmw2%2Flinux.git drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a refcount imbalance and thus a struct drm_syncobj object leak which can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD. The function drm_syncobj_handle_to_fd first calls drm_syncobj_find which increments the refcount of the object on success. In all of the drm_syncobj_handle_to_fd error paths, the refcount is decremented, but in the success path the refcount should remain at +1 as the struct drm_syncobj now belongs to the newly opened file. Instead, the refcount was incremented again to +2. Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd") Signed-off-by: Giuliano Procida Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index 889c95d4feecc..3f71bc3d93fef 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private, return PTR_ERR(file); } - drm_syncobj_get(syncobj); fd_install(fd, file); *p_fd = fd;
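Review bot: With `drm_syncobj_get(syncobj);` removed ahead of `fd_install(fd, file);`, nothing on the success path records that the reference taken by drm_syncobj_find is now handed over to the new file, so a short comment at that spot would help, for example `/* the reference from drm_syncobj_find() is now owned by file */`. That would keep a later backport or cleanup from re-adding the get or appending a put after `*p_fd = fd;`. The hunk does not show how the file is created or released, so it is worth confirming in the rest of the function that the file's release path drops exactly one reference and that the error return above (`return PTR_ERR(file);`) is still preceded by a put. The commit message could also state whether upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 has the same imbalance or whether only the cherry-pick diverged, so other stable branches carrying it can be checked.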