This is for 4.14.
Earlier LTS kernels don't have this functionality at all and later ones have the original commit.
The code is untested as I don't have the right hardware handy.
Giuliano Procida (1): drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
drivers/gpu/drm/drm_syncobj.c | 1 - 1 file changed, 1 deletion(-)
commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 upstream.
The cherry-pick 5fb252cad61f of the above commit introduced a refcount imbalance and so leak of struct drm_syncobj objects that can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
The function drm_syncobj_handle_to_fd first calls drm_syncobj_find which increments the refcount of the object on success. In all of the drm_syncobj_handle_to_fd error paths, the refcount is decremented, but in the success path the refcount should remain at +1 as the struct drm_syncobj now belongs to the newly opened file. Instead, the refcount was incremented again to +2.
Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd") Signed-off-by: Giuliano Procida gprocida@google.com --- drivers/gpu/drm/drm_syncobj.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index 889c95d4feec..3f71bc3d93fe 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private, return PTR_ERR(file); }
- drm_syncobj_get(syncobj); fd_install(fd, file);
*p_fd = fd;
On Tue, Oct 06, 2020 at 02:52:28PM +0100, Giuliano Procida wrote:
commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 upstream.
That's not what this commit is :(
Are you sure this is correct?
The cherry-pick 5fb252cad61f of the above commit introduced a refcount imbalance and so leak of struct drm_syncobj objects that can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
Ok, so the backport of e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 is the problem, so this needs a bit of wording change to make it obvious what is happening here.
Can you fix that up and resend?
thanks,
greg k-h
Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a refcount imbalance and thus a struct drm_syncobj object leak which can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
The function drm_syncobj_handle_to_fd first calls drm_syncobj_find which increments the refcount of the object on success. In all of the drm_syncobj_handle_to_fd error paths, the refcount is decremented, but in the success path the refcount should remain at +1 as the struct drm_syncobj now belongs to the newly opened file. Instead, the refcount was incremented again to +2.
Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd") Signed-off-by: Giuliano Procida gprocida@google.com --- drivers/gpu/drm/drm_syncobj.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index 889c95d4feec..3f71bc3d93fe 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private, return PTR_ERR(file); }
- drm_syncobj_get(syncobj); fd_install(fd, file);
*p_fd = fd;
On Tue, Oct 06, 2020 at 05:20:00PM +0100, Giuliano Procida wrote:
Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a refcount imbalance and thus a struct drm_syncobj object leak which can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
The function drm_syncobj_handle_to_fd first calls drm_syncobj_find which increments the refcount of the object on success. In all of the drm_syncobj_handle_to_fd error paths, the refcount is decremented, but in the success path the refcount should remain at +1 as the struct drm_syncobj now belongs to the newly opened file. Instead, the refcount was incremented again to +2.
Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd") Signed-off-by: Giuliano Procida gprocida@google.com
drivers/gpu/drm/drm_syncobj.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index 889c95d4feec..3f71bc3d93fe 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private, return PTR_ERR(file); }
- drm_syncobj_get(syncobj); fd_install(fd, file);
*p_fd = fd;
2.28.0.806.g8561365e88-goog
Thanks, that worked, now queued up!
greg k-h
linux-stable-mirror@lists.linaro.org
-
Giuliano Procida -
Greg KH