Commit 73453d29 authored by T.J. Mercier's avatar T.J. Mercier Committed by Wen Zhiwei

drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl

stable inclusion
from stable-v6.6.52
commit 8e1ffb257982974352e9153eddcbaf01f949f700
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYXOD

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e1ffb257982974352e9153eddcbaf01f949f700



--------------------------------

commit 8c7c44be57672e1474bf15a451011c291e85fda4 upstream.

A syncobj reference is taken in drm_syncobj_find, but not released if
eventfd_ctx_fdget or kzalloc fails. Put the reference in these error
paths.

Reported-by: Xingyu Jin <xingyuj@google.com>
Fixes: c7a47229 ("drm/syncobj: add IOCTL to register an eventfd")
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Reviewed-by. Christian König <christian.koenig@amd.com>
CC: stable@vger.kernel.org # 6.6+
Link: https://patchwork.freedesktop.org/patch/msgid/20240909205400.3498337-1-tjmercier@google.com


Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Wen Zhiwei <wenzhiwei@kylinos.cn>
parent fb956ef4
+13 −4
@@ -1421,6 +1421,7 @@ drm_syncobj_eventfd_ioctl(struct drm_device *dev, void *data,
	struct drm_syncobj *syncobj;
	struct eventfd_ctx *ev_fd_ctx;
	struct syncobj_eventfd_entry *entry;
	int ret;

	if (!drm_core_check_feature(dev, DRIVER_SYNCOBJ_TIMELINE))
		return -EOPNOTSUPP;
@@ -1436,13 +1437,15 @@ drm_syncobj_eventfd_ioctl(struct drm_device *dev, void *data,
		return -ENOENT;

	ev_fd_ctx = eventfd_ctx_fdget(args->fd);
	if (IS_ERR(ev_fd_ctx))
		return PTR_ERR(ev_fd_ctx);
	if (IS_ERR(ev_fd_ctx)) {
		ret = PTR_ERR(ev_fd_ctx);
		goto err_fdget;
	}

	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
	if (!entry) {
		eventfd_ctx_put(ev_fd_ctx);
		return -ENOMEM;
		ret = -ENOMEM;
		goto err_kzalloc;
	}
	entry->syncobj = syncobj;
	entry->ev_fd_ctx = ev_fd_ctx;
@@ -1453,6 +1456,12 @@ drm_syncobj_eventfd_ioctl(struct drm_device *dev, void *data,
	drm_syncobj_put(syncobj);

	return 0;

err_kzalloc:
	eventfd_ctx_put(ev_fd_ctx);
err_fdget:
	drm_syncobj_put(syncobj);
	return ret;
}

int
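Review bot: The unwind labels `err_kzalloc:` and `err_fdget:` at the end of drm_syncobj_eventfd_ioctl depend on fall-through order, and nothing in the new code says which reference each one releases. Since `args->fd` comes from the ioctl caller, the failed-`eventfd_ctx_fdget` path is presumably easy to hit repeatedly, so the ownership rule should be hard to break in later edits. I would add a comment above the labels, e.g. `/* Unwind in reverse order of acquisition: err_kzalloc drops the eventfd context, then falls through to err_fdget, which drops the drm_syncobj_find() reference. */`. Kernel coding style also prefers labels named for what they do, so `err_put_eventfd` / `err_put_syncobj` would read better than naming the call that failed, though for a stable backport keeping upstream's names is reasonable. The function body starts before the first hunk and is elided between hunks, so the `drm_syncobj_find` call itself is not visible here.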