* [PATCH 0/1] Fix drm_syncobj_handle_to_fd refcount leak
@ 2020-10-06 13:52 Giuliano Procida
  2020-10-06 13:52 ` [PATCH 1/1] drm/syncobj: " Giuliano Procida
  0 siblings, 1 reply; 5+ messages in thread
From: Giuliano Procida @ 2020-10-06 13:52 UTC (permalink / raw)
  To: gregkh, stable; +Cc: Giuliano Procida

This is for 4.14.

Earlier LTS kernels don't have this functionality at all and later
ones have the original commit.

The code is untested as I don't have the right hardware handy.

Giuliano Procida (1):
  drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak

 drivers/gpu/drm/drm_syncobj.c | 1 -
 1 file changed, 1 deletion(-)

-- 
2.28.0.806.g8561365e88-goog



* [PATCH 1/1] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
  2020-10-06 13:52 [PATCH 0/1] Fix drm_syncobj_handle_to_fd refcount leak Giuliano Procida
@ 2020-10-06 13:52 ` Giuliano Procida
  2020-10-06 15:31   ` Greg KH
  2020-10-06 16:20   ` [PATCH v2 " Giuliano Procida
  0 siblings, 2 replies; 5+ messages in thread
From: Giuliano Procida @ 2020-10-06 13:52 UTC (permalink / raw)
  To: gregkh, stable; +Cc: Giuliano Procida

commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 upstream.

The cherry-pick 5fb252cad61f of the above commit introduced a refcount
imbalance and so leak of struct drm_syncobj objects that can be
triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.

The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
which increments the refcount of the object on success. In all of the
drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
in the success path the refcount should remain at +1 as the struct
drm_syncobj now belongs to the newly opened file. Instead, the
refcount was incremented again to +2.

Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 drivers/gpu/drm/drm_syncobj.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 889c95d4feec..3f71bc3d93fe 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
 		return PTR_ERR(file);
 	}
 
-	drm_syncobj_get(syncobj);
 	fd_install(fd, file);
 
 	*p_fd = fd;
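Review bot: The ownership hand-off at `fd_install(fd, file);` is left undocumented once the `drm_syncobj_get(syncobj);` line above it is removed, and per the commit message that hand-off is what the backport got wrong. Consider a one-line comment before `fd_install` stating that the reference taken by drm_syncobj_find now belongs to the file, so a later backport or refactor neither re-adds the get nor adds a put on the success path.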
-- 
2.28.0.806.g8561365e88-goog



* Re: [PATCH 1/1] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
  2020-10-06 13:52 ` [PATCH 1/1] drm/syncobj: " Giuliano Procida
@ 2020-10-06 15:31   ` Greg KH
  2020-10-06 16:20   ` [PATCH v2 " Giuliano Procida
  1 sibling, 0 replies; 5+ messages in thread
From: Greg KH @ 2020-10-06 15:31 UTC (permalink / raw)
  To: Giuliano Procida; +Cc: stable

On Tue, Oct 06, 2020 at 02:52:28PM +0100, Giuliano Procida wrote:
> commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 upstream.

That's not what this commit is :(

Are you sure this is correct?

> The cherry-pick 5fb252cad61f of the above commit introduced a refcount
> imbalance and so leak of struct drm_syncobj objects that can be
> triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.

Ok, so the backport of e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 is the
problem, so this needs a bit of wording change to make it obvious what
is happening here.

Can you fix that up and resend?

thanks,

greg k-h


* [PATCH v2 1/1] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
  2020-10-06 13:52 ` [PATCH 1/1] drm/syncobj: " Giuliano Procida
  2020-10-06 15:31   ` Greg KH
@ 2020-10-06 16:20   ` Giuliano Procida
  2020-10-06 16:39     ` Greg KH
  1 sibling, 1 reply; 5+ messages in thread
From: Giuliano Procida @ 2020-10-06 16:20 UTC (permalink / raw)
  To: gregkh, stable; +Cc: Giuliano Procida

Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
refcount imbalance and thus a struct drm_syncobj object leak which can
be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.

The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
which increments the refcount of the object on success. In all of the
drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
in the success path the refcount should remain at +1 as the struct
drm_syncobj now belongs to the newly opened file. Instead, the
refcount was incremented again to +2.

Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
Signed-off-by: Giuliano Procida <gprocida@google.com>
---
 drivers/gpu/drm/drm_syncobj.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 889c95d4feec..3f71bc3d93fe 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
 		return PTR_ERR(file);
 	}
 
-	drm_syncobj_get(syncobj);
 	fd_install(fd, file);
 
 	*p_fd = fd;
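Review bot: The balance this deletion relies on is only partly visible here: the error branch ending in `return PTR_ERR(file);` has to drop the reference from drm_syncobj_find before returning, and any such put sits outside the three context lines shown. Since the cover letter says the code is untested, it is worth confirming against the 4.14 tree that every early return in drm_syncobj_handle_to_fd does a put and that the file's release path does the single matching put for the success case.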
-- 
2.28.0.806.g8561365e88-goog
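
A userspace model of the reference flow described in the commit message above, added here as an illustration and not taken from the patch or the kernel. `handle_to_fd`, `leaked_refs` and the `extra_get` / `file_fails` parameters are hypothetical names, and the lookup, the file and the handle are reduced to plain counter operations.

```c
#include <stdio.h>

/* Userspace model of the reference flow described in the thread. Names echo
 * the kernel functions; the bodies are simplified assumptions. */
struct syncobj { int refcount; };	/* 0 means the object would be freed */

static void syncobj_get(struct syncobj *s) { s->refcount++; }
static void syncobj_put(struct syncobj *s) { s->refcount--; }

/* Like drm_syncobj_find: a successful lookup returns with +1. */
static struct syncobj *syncobj_find(struct syncobj *s) { syncobj_get(s); return s; }

/* Model of drm_syncobj_handle_to_fd: 0 on success (the new file then owns
 * one reference), -1 when creating the file fails. */
static int handle_to_fd(struct syncobj *obj, int extra_get, int file_fails)
{
	struct syncobj *s = syncobj_find(obj);
	if (file_fails) {
		syncobj_put(s);		/* error path drops the lookup reference */
		return -1;
	}
	if (extra_get)
		syncobj_get(s);		/* the line the patch deletes */
	return 0;			/* lookup reference now belongs to the file */
}

/* Handle holds 1 ref; export n fds, close them all, destroy the handle.
 * Returns the references left over (0 means the object is freed). */
static int leaked_refs(int extra_get, int n_exports)
{
	struct syncobj obj = { .refcount = 1 };
	int opened = 0;

	handle_to_fd(&obj, extra_get, 1);	/* failed export must be neutral */
	for (int i = 0; i < n_exports; i++)
		if (handle_to_fd(&obj, extra_get, 0) == 0)
			opened++;
	while (opened--)
		syncobj_put(&obj);		/* file release on close(fd) */
	syncobj_put(&obj);			/* handle destroyed */
	return obj.refcount;
}

int main(void)
{
	printf("with extra get: %d leaked\n", leaked_refs(1, 3));
	printf("with the patch: %d leaked\n", leaked_refs(0, 3));
	return 0;
}
```

In this model each successful export with the extra get leaves one reference that no close or handle destroy ever drops, so the count of leaked references equals the number of exports.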



* Re: [PATCH v2 1/1] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
  2020-10-06 16:20   ` [PATCH v2 " Giuliano Procida
@ 2020-10-06 16:39     ` Greg KH
  0 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2020-10-06 16:39 UTC (permalink / raw)
  To: Giuliano Procida; +Cc: stable

On Tue, Oct 06, 2020 at 05:20:00PM +0100, Giuliano Procida wrote:
> Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
> upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
> refcount imbalance and thus a struct drm_syncobj object leak which can
> be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
> 
> The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
> which increments the refcount of the object on success. In all of the
> drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
> in the success path the refcount should remain at +1 as the struct
> drm_syncobj now belongs to the newly opened file. Instead, the
> refcount was incremented again to +2.
> 
> Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
> Signed-off-by: Giuliano Procida <gprocida@google.com>
> ---
>  drivers/gpu/drm/drm_syncobj.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
> index 889c95d4feec..3f71bc3d93fe 100644
> --- a/drivers/gpu/drm/drm_syncobj.c
> +++ b/drivers/gpu/drm/drm_syncobj.c
> @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
>  		return PTR_ERR(file);
>  	}
>  
> -	drm_syncobj_get(syncobj);
>  	fd_install(fd, file);
>  
>  	*p_fd = fd;
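Review bot: With the extra get removed, nothing after `fd_install(fd, file);` may dereference syncobj, because the function no longer holds a reference of its own and the fd is visible to userspace from that point on. The only following line in this context, `*p_fd = fd;`, does not touch it, so the hunk is fine as shown; the same constraint applies to whatever follows outside the context.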
> -- 
> 2.28.0.806.g8561365e88-goog
> 

Thanks, that worked, now queued up!

greg k-h

