From patchwork Sun Jan 8 21:13:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Osipenko X-Patchwork-Id: 13092740 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1CA6FC54EBD for ; Sun, 8 Jan 2023 21:13:40 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 3C12C10E24A; Sun, 8 Jan 2023 21:13:39 +0000 (UTC) Received: from madras.collabora.co.uk (madras.collabora.co.uk [46.235.227.172]) by gabe.freedesktop.org (Postfix) with ESMTPS id 55B3110E248 for ; Sun, 8 Jan 2023 21:13:36 +0000 (UTC) Received: from workpc.. (109-252-117-89.nat.spd-mgts.ru [109.252.117.89]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: dmitry.osipenko) by madras.collabora.co.uk (Postfix) with ESMTPSA id 0D1FC6600357; Sun, 8 Jan 2023 21:13:33 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1673212415; bh=Ez5dB/rkALjWV2HFndt9nadNf0wBhw1F0LNBdhTogSc=; h=From:To:Cc:Subject:Date:From; b=MypaMY67pkHhLAyD3gOjb89yRq+9zbVWCAR0beiNk55c/8ecTylRY9YZG9fEWdxwc i52uMAbxGge7m9tr/EieApG4rcid9+gUV4JKuro6Fm1rfUmINbVc6duW4ssAgpebIK JH/Q1LBr1SXVcweOhb/PbyweU4YmZO5T6AC/l/031w1y48WEHsOb/RMuU9V6Ah4LN5 UPAxRdw8hionuUrriOhlytDzcNW54aa5v1a+DLuW42eGMVxrHjhkOdCqVRyFu2Y2Nz sJz4EfTM2D3pNSQ6bzr+lRu+hHOxMUXh6UpF0sPM2I8WqyouZ7Pg87NVSf0S7B7ztO +fyuyldy0wu3g== From: Dmitry Osipenko To: Rob Clark , Thomas Zimmermann , Daniel Vetter , Javier Martinez Canillas Subject: [PATCH v1] drm/shmem-helper: Remove another errant put in error path Date: Mon, 9 Jan 2023 00:13:11 +0300 Message-Id: <20230108211311.3950107-1-dmitry.osipenko@collabora.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" drm_gem_shmem_mmap() doesn't own reference in error code path, resulting in the dma-buf shmem GEM object getting prematurely freed leading to a later use-after-free. Fixes: f49a51bfdc8e ("drm/shme-helpers: Fix dma_buf_mmap forwarding bug") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Osipenko Reviewed-by: Rob Clark --- drivers/gpu/drm/drm_gem_shmem_helper.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index f21f47737817..8b20b41497e8 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -624,11 +624,14 @@ int drm_gem_shmem_mmap(struct drm_gem_shmem_object *shmem, struct vm_area_struct int ret; if (obj->import_attach) { - /* Drop the reference drm_gem_mmap_obj() acquired.*/ - drm_gem_object_put(obj); vma->vm_private_data = NULL; + ret = dma_buf_mmap(obj->dma_buf, vma, 0); + + /* Drop the reference drm_gem_mmap_obj() acquired.*/ + if (!ret) + drm_gem_object_put(obj); - return dma_buf_mmap(obj->dma_buf, vma, 0); + return ret; } ret = drm_gem_shmem_get_pages(shmem);