Commit b7a4c5d8 authored Mar 07, 2025 by Xin Xiong Committed by Chen Zhongjin Mar 07, 2025

drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj

stable inclusion
from stable-v4.19.238
commit 72d77ddb2224ebc00648f4f78f8a9a259dccbdf7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP45K
CVE: CVE-2022-49137
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=72d77ddb2224ebc00648f4f78f8a9a259dccbdf7



--------------------------------

[ Upstream commit dfced44f ]

This issue takes place in an error path in
amdgpu_cs_fence_to_handle_ioctl(). When `info->in.what` falls into
default case, the function simply returns -EINVAL, forgetting to
decrement the reference count of a dma_fence obj, which is bumped
earlier by amdgpu_cs_get_fence(). This may result in reference count
leaks.

Fix it by decreasing the refcount of specific object before returning
the error code.

Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>

parent 98d5b044

drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1469,6 +1469,7 @@ int amdgpu_cs_fence_to_handle_ioctl(struct drm_device dev, void data,
		return 0;

		default:
		dma_fence_put(fence);
		return -EINVAL;
		}
		}