| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Jan 2022 10:34:22 +0000
From: Roberto Sassu <roberto.sassu@...wei.com>
To: "maarten.lankhorst@...ux.intel.com"
<maarten.lankhorst@...ux.intel.com>,
"mripard@...nel.org" <mripard@...nel.org>,
"tzimmermann@...e.de" <tzimmermann@...e.de>,
"airlied@...ux.ie" <airlied@...ux.ie>,
"daniel@...ll.ch" <daniel@...ll.ch>
CC: "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"syzbot+c8ae65286134dd1b800d@...kaller.appspotmail.com"
<syzbot+c8ae65286134dd1b800d@...kaller.appspotmail.com>
Subject: RE: [PATCH] drm: Fix gem obj imbalance due to calling
drm_gem_object_put() twice
> From: Roberto Sassu
> Sent: Tuesday, December 21, 2021 12:39 PM
> After commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"),
> drm_gem_mmap_obj() takes a reference of the passed drm_gem_object at the
> beginning of the function to safely dereference the mmap offset pointer,
> and releases it at the end, if an error occurred. However, the cma and
> shmem helpers are also releasing that reference in case of an error,
> which causes the imbalance of the reference counter and the panic
> reported by syzbot.
>
> Don't release the reference in drm_gem_mmap_obj() if the mmap method was
> called and it returned an error, and uniformly apply the same behavior of
> the cma and shmem helpers to the ttm helper (release the reference in the
> helper, not in the caller, when an error occurs).
Hello
I'm wondering if this patch and:
https://lore.kernel.org/dri-devel/20211213183122.838119-1-roberto.sassu@huawei.com/
could be useful.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
> Cc: stable@...r.kernel.org
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> Reported-by: syzbot+c8ae65286134dd1b800d@...kaller.appspotmail.com
> Fixes: 9786b65bc61ac ("drm/ttm: fix mmap refcounting")
> ---
> drivers/gpu/drm/drm_gem.c | 3 ++-
> drivers/gpu/drm/drm_gem_ttm_helper.c | 4 +---
> 2 files changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 4dcdec6487bb..7264a1a7a8d2 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -1049,8 +1049,9 @@ int drm_gem_mmap_obj(struct drm_gem_object
> *obj, unsigned long obj_size,
>
> if (obj->funcs->mmap) {
> ret = obj->funcs->mmap(obj, vma);
> + /* All helpers call drm_gem_object_put() */
> if (ret)
> - goto err_drm_gem_object_put;
> + return ret;
> WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));
> } else {
> if (!vma->vm_ops) {
> diff --git a/drivers/gpu/drm/drm_gem_ttm_helper.c
> b/drivers/gpu/drm/drm_gem_ttm_helper.c
> index ecf3d2a54a98..c44bfdbb722d 100644
> --- a/drivers/gpu/drm/drm_gem_ttm_helper.c
> +++ b/drivers/gpu/drm/drm_gem_ttm_helper.c
> @@ -101,8 +101,6 @@ int drm_gem_ttm_mmap(struct drm_gem_object *gem,
> int ret;
>
> ret = ttm_bo_mmap_obj(vma, bo);
> - if (ret < 0)
> - return ret;
>
> /*
> * ttm has its own object refcounting, so drop gem reference
> @@ -110,7 +108,7 @@ int drm_gem_ttm_mmap(struct drm_gem_object *gem,
> */
> drm_gem_object_put(gem);
>
> - return 0;
> + return ret;
> }
> EXPORT_SYMBOL(drm_gem_ttm_mmap);
>
> --
> 2.32.0
Powered by blists - more mailing lists