Message ID | 20190627172414.27231-1-boris.brezillon@collabora.com (mailing list archive) |
---|---|
State | New, archived |
Series | drm/panfrost: Fix a double-free error |
On Thu, Jun 27, 2019 at 11:24 AM Boris Brezillon <boris.brezillon@collabora.com> wrote:
>
> drm_gem_shmem_create_with_handle() returns a GEM object and attaches a
> handle to it. When the user closes the DRM FD, the core releases all
> GEM handles along with their backing GEM objs, which can lead to a
> double-free issue if panfrost_ioctl_create_bo() failed and went
> through the err_free path where drm_gem_object_put_unlocked() is
> called without deleting the associated handle.
>
> Replace this drm_gem_object_put_unlocked() call by a
> drm_gem_handle_delete() one to fix that.
>
> Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
> ---
> Reproduced for real when BO mapping fails because we ran out of
> memory.
> ---
> drivers/gpu/drm/panfrost/panfrost_drv.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Applied to drm-misc-fixes.

Rob
diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c index 07b01eb3d136..cb43ff4ebf4a 100644 --- a/drivers/gpu/drm/panfrost/panfrost_drv.c +++ b/drivers/gpu/drm/panfrost/panfrost_drv.c @@ -67,7 +67,7 @@ static int panfrost_ioctl_create_bo(struct drm_device *dev, void *data, return 0; err_free: - drm_gem_object_put_unlocked(&shmem->base); + drm_gem_handle_delete(file, args->handle); return ret; }
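Review bot: at err_free, the new drm_gem_handle_delete(file, args->handle); is only correct if args->handle is already valid on every path that jumps to this label and if the handle holds the sole reference on shmem->base; neither is visible in this hunk. Please add a short comment above the call stating that the handle owns the object reference, so deleting the handle is what frees the BO; that also keeps a later cleanup from reintroducing the put. The return value of drm_gem_handle_delete() is dropped, which is reasonable on an error path that has to preserve ret, but the comment should say so.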
drm_gem_shmem_create_with_handle() returns a GEM object and attaches a
handle to it. When the user closes the DRM FD, the core releases all
GEM handles along with their backing GEM objs, which can lead to a
double-free issue if panfrost_ioctl_create_bo() failed and went
through the err_free path where drm_gem_object_put_unlocked() is
called without deleting the associated handle.

Replace this drm_gem_object_put_unlocked() call by a
drm_gem_handle_delete() one to fix that.

Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
---
Reproduced for real when BO mapping fails because we ran out of
memory.
---
 drivers/gpu/drm/panfrost/panfrost_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
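The ownership rule behind this fix, as an added example that is not part of the patch or the panfrost driver: a userspace C model of a handle table and a refcounted object, comparing the error path before and after the change once the file is closed. All names (`obj`, `file`, `create_with_handle`, `stale_puts_after_close`) are hypothetical, and the model assumes the handle holds the only reference on the object.

```c
/* Userspace model (constructed) of GEM handle ownership; not kernel code. */
#include <stdio.h>
#define MAX_HANDLES 4
struct obj  { int refcount; int freed; int stale_puts; };
struct file { struct obj *handles[MAX_HANDLES]; };

/* Drop one reference; a put on an already-freed object is the double free. */
static void obj_put(struct obj *o)
{
    if (o->freed) { o->stale_puts++; return; }
    if (--o->refcount == 0) o->freed = 1;
}

/* Assumption: the new handle holds the only reference on the object. */
static int create_with_handle(struct file *f, struct obj *o)
{
    o->refcount = 1;
    f->handles[0] = o;
    return 0;
}
static void handle_delete(struct file *f, int h)
{
    struct obj *o = f->handles[h];
    f->handles[h] = NULL;
    if (o) obj_put(o);
}

/* Closing the file releases every handle still in the table. */
static void file_close(struct file *f)
{
    for (int h = 0; h < MAX_HANDLES; h++)
        handle_delete(f, h);
}

/* The ioctl fails after handle creation, then the FD is closed. */
int stale_puts_after_close(int patched)
{
    struct obj o = {0};
    struct file f = {{0}};
    int h = create_with_handle(&f, &o);
    if (patched) handle_delete(&f, h);  /* err_free after the patch */
    else         obj_put(&o);           /* err_free before the patch */
    file_close(&f);
    return o.stale_puts;
}

int main(void)
{
    printf("stale puts before patch: %d, after: %d\n", stale_puts_after_close(0), stale_puts_after_close(1));
    return 0;
}
```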