From patchwork Sun Jan 8 21:13:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Osipenko X-Patchwork-Id: 40579 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4e01:0:0:0:0:0 with SMTP id p1csp1854136wrt; Sun, 8 Jan 2023 13:16:11 -0800 (PST) X-Google-Smtp-Source: AMrXdXtrOjDsw6qrLzI/TikabBmHEe4u1ia09Hbm3cF5VPJM+Yqq/b/1yDuaOVxhn8MZ3ZyESJ5U X-Received: by 2002:a05:6402:548e:b0:479:8303:dc1c with SMTP id fg14-20020a056402548e00b004798303dc1cmr49056859edb.7.1673212571600; Sun, 08 Jan 2023 13:16:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673212571; cv=none; d=google.com; s=arc-20160816; b=jtbtpuddzpg696dXOjbynhj8Ve25rZCK+QqCtGPwXPk8e0LQjba5Bdv6lq1Wkd3Ytt lNi83ZcHwPaOja4lj8NdcSxWM8ois3t4Y7Ks+xjuHZMuo0AYCNCO3xkdrF2gKyPutA6L bqdwqYG2z5YlxuSVUeEGmNMlOEd5w7MreKn2F2VDKYZjRO7vau4RqPmH17HM29Qu2zK+ zclw/O2vv69px4uLpZVHBhjVW0Zn35myAhblZtYQhhydM450mbKCmNcjSIs7IKbazuXc LyxDq/XSx1MoBOcAWq9yH5cXbugweUYJVRkfAhGShuRajpNYGHa3hLb1EpwN13LZB6SV yCbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=qjCskzlG3ILyrKq6Mv4hyQZ+8SEsKEKVzEu0wTBFjtU=; b=FSX5p18EnrQBW6fUjRu3N/GdVf5VGPyEBgvaqCeugHrV9B3D0TNSZf8LD8zaF73H2B 93oAPY+usxflKlRWrSaLUvdeB8Zxi3Q9z8xdkCK+PI3LrxNv58ZswdFHXOzrBoxqsXa1 CHGGFdMuTz7HmWsYDGFv0nIfEqR2XbAuDHdoPSJfolPlZhYWMx5eZTGzu3XEu7dJ/diG /pBC7HvzoTxzaSJUPqnsn6fwCRY3taK3dBVSWek3ukvD/9ln6Uon5shyqtNZJInuakHi dgV33AXxnMlAlhyRtQR2Nmcz7szxiPX141sm99GyJG2i8wNWStCG/5B4kLYySQ0lbM9O iHrw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=MypaMY67; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h5-20020a056402280500b0048a267dede9si8429422ede.133.2023.01.08.13.15.48; Sun, 08 Jan 2023 13:16:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=MypaMY67; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234878AbjAHVOM (ORCPT + 99 others); Sun, 8 Jan 2023 16:14:12 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60800 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236294AbjAHVNg (ORCPT ); Sun, 8 Jan 2023 16:13:36 -0500 Received: from madras.collabora.co.uk (madras.collabora.co.uk [46.235.227.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51890DED7 for ; Sun, 8 Jan 2023 13:13:36 -0800 (PST) Received: from workpc.. (109-252-117-89.nat.spd-mgts.ru [109.252.117.89]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: dmitry.osipenko) by madras.collabora.co.uk (Postfix) with ESMTPSA id 0D1FC6600357; Sun, 8 Jan 2023 21:13:33 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1673212415; bh=Ez5dB/rkALjWV2HFndt9nadNf0wBhw1F0LNBdhTogSc=; h=From:To:Cc:Subject:Date:From; b=MypaMY67pkHhLAyD3gOjb89yRq+9zbVWCAR0beiNk55c/8ecTylRY9YZG9fEWdxwc i52uMAbxGge7m9tr/EieApG4rcid9+gUV4JKuro6Fm1rfUmINbVc6duW4ssAgpebIK JH/Q1LBr1SXVcweOhb/PbyweU4YmZO5T6AC/l/031w1y48WEHsOb/RMuU9V6Ah4LN5 UPAxRdw8hionuUrriOhlytDzcNW54aa5v1a+DLuW42eGMVxrHjhkOdCqVRyFu2Y2Nz sJz4EfTM2D3pNSQ6bzr+lRu+hHOxMUXh6UpF0sPM2I8WqyouZ7Pg87NVSf0S7B7ztO +fyuyldy0wu3g== From: Dmitry Osipenko To: Rob Clark , Thomas Zimmermann , Daniel Vetter , Javier Martinez Canillas Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: [PATCH v1] drm/shmem-helper: Remove another errant put in error path Date: Mon, 9 Jan 2023 00:13:11 +0300 Message-Id: <20230108211311.3950107-1-dmitry.osipenko@collabora.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1754490545079284973?= X-GMAIL-MSGID: =?utf-8?q?1754490545079284973?= drm_gem_shmem_mmap() doesn't own reference in error code path, resulting in the dma-buf shmem GEM object getting prematurely freed leading to a later use-after-free. Fixes: f49a51bfdc8e ("drm/shme-helpers: Fix dma_buf_mmap forwarding bug") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Osipenko Reviewed-by: Rob Clark --- drivers/gpu/drm/drm_gem_shmem_helper.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index f21f47737817..8b20b41497e8 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -624,11 +624,14 @@ int drm_gem_shmem_mmap(struct drm_gem_shmem_object *shmem, struct vm_area_struct int ret; if (obj->import_attach) { - /* Drop the reference drm_gem_mmap_obj() acquired.*/ - drm_gem_object_put(obj); vma->vm_private_data = NULL; + ret = dma_buf_mmap(obj->dma_buf, vma, 0); + + /* Drop the reference drm_gem_mmap_obj() acquired.*/ + if (!ret) + drm_gem_object_put(obj); - return dma_buf_mmap(obj->dma_buf, vma, 0); + return ret; } ret = drm_gem_shmem_get_pages(shmem);