[PATCH] drm/prime: fix a potential double put (release) bug

From: Wentao_Liang
Date: Wed Aug 18 2021 - 09:20:15 EST

Next message: Jeff Layton: "Re: [PATCH] CIFS: Fix a potencially linear read overflow"
Previous message: Colin King: "[PATCH][next] futex: fix assigned ret variable that is never read"
Next in thread: Christian König: "Re: [PATCH] drm/prime: fix a potential double put (release) bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In line 317 (#1), drm_gem_prime_import() is called, it will call
drm_gem_prime_import_dev(). At the end of the function
drm_gem_prime_import_dev() (line 956, #2), "dma_buf_put(dma_buf);" puts
dma_buf->file and may cause it to be released. However, after
drm_gem_prime_import() returning, the dma_buf may be put again by the
same put function in lines 342, 351 and 358 (#3, #4, #5). Putting the
dma_buf improperly more than once can lead to an incorrect dma_buf-
>file put.

We believe that the put of the dma_buf in the function
drm_gem_prime_import() is unnecessary (#2). We can fix the above bug by
removing the redundant "dma_buf_put(dma_buf);" in line 956.

314 if (dev->driver->gem_prime_import)
315 obj = dev->driver->gem_prime_import(dev, dma_buf);
316 else
317 obj = drm_gem_prime_import(dev, dma_buf);
//#1 call to drm_gem_prime_import
// ->drm_gem_prime_import_dev
// ->dma_buf_put
...

336 ret = drm_prime_add_buf_handle(&file_priv->prime,
337 dma_buf, *handle);

...

342 dma_buf_put(dma_buf); //#3 put again
343
344 return 0;
345
346 fail:

351 dma_buf_put(dma_buf); //#4 put again
352 return ret;

356 out_put:
357 mutex_unlock(&file_priv->prime.lock);
358 dma_buf_put(dma_buf); //#5 put again
359 return ret;
360 }

905 struct drm_gem_object *drm_gem_prime_import_dev
(struct drm_device *dev,
906 struct dma_buf *dma_buf,
907 struct device *attach_dev)
908 {

...

952 fail_unmap:
953 dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
954 fail_detach:
955 dma_buf_detach(dma_buf, attach);
956 dma_buf_put(dma_buf); //#2 the first put of dma_buf
// (unnecessary)
957
958 return ERR_PTR(ret);
959 }

Signed-off-by: Wentao_Liang <Wentao_Liang_g@xxxxxxx>
---
drivers/gpu/drm/drm_prime.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
index 2a54f86856af..cef03ad0d5cd 100644
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -953,7 +953,6 @@ struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
fail_detach:
dma_buf_detach(dma_buf, attach);
- dma_buf_put(dma_buf);

return ERR_PTR(ret);
}
--
2.25.1

Next message: Jeff Layton: "Re: [PATCH] CIFS: Fix a potencially linear read overflow"
Previous message: Colin King: "[PATCH][next] futex: fix assigned ret variable that is never read"
Next in thread: Christian König: "Re: [PATCH] drm/prime: fix a potential double put (release) bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]