On Thu, Jun 27, 2019 at 11:24 AM Boris Brezillon <boris.brezillon@collabora.com> wrote:
drm_gem_shmem_create_with_handle() returns a GEM object and attaches a handle to it. When the user closes the DRM FD, the core releases all GEM handles along with their backing GEM objs, which can lead to a double-free issue if panfrost_ioctl_create_bo() failed and went through the err_free path where drm_gem_object_put_unlocked() is called without deleting the associated handle.
Replace this drm_gem_object_put_unlocked() call by a drm_gem_handle_delete() one to fix that.
Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Cc: stable@vger.kernel.org
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reproduced for real when BO mapping fails because we ran out of memory.
drivers/gpu/drm/panfrost/panfrost_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Applied to drm-misc-fixes.
Rob
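
The reference imbalance described in the commit message, as an added user-space model in C (not part of the original thread and not the panfrost driver's code). All model_* names are hypothetical, and the model assumes that the handle holds the only reference once the create helper returns, which is why the extra put on the error path leads to a second release when the FD is closed.

```c
/* User-space model, not kernel code; every model_* name is hypothetical. */
#include <stdio.h>

struct model_obj  { int refcount; int free_calls; };
struct model_file { struct model_obj *handles[4]; };

/* Drop one reference; count each time the release path would run. */
static void model_put(struct model_obj *o)
{
    if (--o->refcount <= 0)
        o->free_calls++;
}

/* Create an object plus handle: the handle ends up owning the only reference. */
static int model_create_with_handle(struct model_file *f, struct model_obj *o)
{
    o->refcount = 1;    /* creation reference */
    f->handles[0] = o;
    o->refcount++;      /* reference held by the handle */
    model_put(o);       /* creation reference dropped before returning */
    return 0;           /* handle index */
}

static void model_handle_delete(struct model_file *f, int h)
{
    struct model_obj *o = f->handles[h];
    f->handles[h] = NULL;
    if (o)
        model_put(o);
}

/* Returns how many times the object is released after a failed create ioctl. */
static int simulate_failed_create(int use_handle_delete)
{
    struct model_obj obj = {0, 0};
    struct model_file file = {{NULL}};
    int h = model_create_with_handle(&file, &obj);
    if (use_handle_delete)
        model_handle_delete(&file, h);  /* fixed err_free path */
    else
        model_put(&obj);                /* old err_free path, handle stays */
    for (int i = 0; i < 4; i++)         /* FD close releases remaining handles */
        model_handle_delete(&file, i);
    return obj.free_calls;
}

int main(void)
{
    printf("old: %d, fixed: %d\n", simulate_failed_create(0), simulate_failed_create(1));
    return 0;
}
```

A release count of 2 on the old path is the double free; the handle-delete path releases the object exactly once.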