diff options
author | Boris Brezillon <boris.brezillon@collabora.com> | 2019-06-27 20:24:14 +0300 |
---|---|---|
committer | Rob Herring <robh@kernel.org> | 2019-06-29 01:45:51 +0300 |
commit | 2f040d27080ddfffecff2be1a77107c494d0e4f4 (patch) | |
tree | 1fada45149073102e0cd827677da41f13f27a167 | |
parent | 41de4be6f6efa4132b29af51158cd672d93f2543 (diff) | |
download | linux-2f040d27080ddfffecff2be1a77107c494d0e4f4.tar.xz |
drm/panfrost: Fix a double-free error
drm_gem_shmem_create_with_handle() returns a GEM object and attach a
handle to it. When the user closes the DRM FD, the core releases all
GEM handles along with their backing GEM objs, which can lead to a
double-free issue if panfrost_ioctl_create_bo() failed and went
through the err_free path where drm_gem_object_put_unlocked() is
called without deleting the associate handle.
Replace this drm_gem_object_put_unlocked() call by a
drm_gem_handle_delete() one to fix that.
Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190627172414.27231-1-boris.brezillon@collabora.com
-rw-r--r-- | drivers/gpu/drm/panfrost/panfrost_drv.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c index d11e2281dde6..7e43b25785f7 100644 --- a/drivers/gpu/drm/panfrost/panfrost_drv.c +++ b/drivers/gpu/drm/panfrost/panfrost_drv.c @@ -63,7 +63,7 @@ static int panfrost_ioctl_create_bo(struct drm_device *dev, void *data, return 0; err_free: - drm_gem_object_put_unlocked(&shmem->base); + drm_gem_handle_delete(file, args->handle); return ret; } |