On Tue, Oct 06, 2020 at 05:20:00PM +0100, Giuliano Procida wrote: > Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of > upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a > refcount imbalance and thus a struct drm_syncobj object leak which can > be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD. > > The function drm_syncobj_handle_to_fd first calls drm_syncobj_find > which increments the refcount of the object on success. In all of the > drm_syncobj_handle_to_fd error paths, the refcount is decremented, but > in the success path the refcount should remain at +1 as the struct > drm_syncobj now belongs to the newly opened file. Instead, the > refcount was incremented again to +2. > > Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd") > Signed-off-by: Giuliano Procida <gprocida@xxxxxxxxxx> > --- > drivers/gpu/drm/drm_syncobj.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c > index 889c95d4feec..3f71bc3d93fe 100644 > --- a/drivers/gpu/drm/drm_syncobj.c > +++ b/drivers/gpu/drm/drm_syncobj.c > @@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private, > return PTR_ERR(file); > } > > - drm_syncobj_get(syncobj); > fd_install(fd, file); > > *p_fd = fd; > -- > 2.28.0.806.g8561365e88-goog > Thanks, that worked, now queued up! greg k-h
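Review bot: at the removed drm_syncobj_get(syncobj) just before fd_install(fd, file), the code no longer says anywhere that the reference taken by drm_syncobj_find is handed over to the newly opened file on the success path. A one-line comment at that spot stating the ownership transfer would make it harder for a later backport or conflict resolution to reintroduce the extra get. The commit message also names the faulty cherry-pick 5fb252cad61f and its upstream counterpart e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 without saying which stable branch is affected or why the upstream code does not have the same imbalance. Adding one sentence on that would help anyone checking other trees for the same leak.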