From 3b6f0d41d75c5c30eceb92450db801e24e2268b5 Mon Sep 17 00:00:00 2001 From: Rob Clark Date: Wed, 14 May 2025 09:33:32 -0700 Subject: [PATCH] drm/msm: Fix a fence leak in submit error path stable inclusion from stable-v6.6.97 commit fe2695b2f63bd77e0e03bc0fc779164115bb4699 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICOXCX CVE: CVE-2025-38410 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=fe2695b2f63bd77e0e03bc0fc779164115bb4699 -------------------------------- [ Upstream commit 5d319f75ccf7f0927425a7545aa1a22b3eedc189 ] In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case. Signed-off-by: Rob Clark Patchwork: https://patchwork.freedesktop.org/patch/653584/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin Signed-off-by: Yu Wu
---
 drivers/gpu/drm/msm/msm_gem_submit.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 018b39546fc1..27366304f5d5 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -85,6 +85,15 @@ void __msm_gem_submit_destroy(struct kref *kref)
 container_of(kref, struct msm_gem_submit, ref);
 unsigned i;
 
+ /*
+ * In error paths, we could unref the submit without calling
+ * drm_sched_entity_push_job(), so msm_job_free() will never
+ * get called. Since drm_sched_job_cleanup() will NULL out
+ * s_fence, we can use that to detect this case.
+ */
+ if (submit->base.s_fence)
+ drm_sched_job_cleanup(&submit->base);
+
 if (submit->fence_id) {
 spin_lock(&submit->queue->idr_lock);
 idr_remove(&submit->queue->fence_idr, submit->fence_id);
-- 
Gitee
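Review bot: The new `if (submit->base.s_fence)` test in __msm_gem_submit_destroy() treats a non-NULL s_fence as proof that the job was never pushed, but the added comment does not state the invariant that makes this safe. For a job that was pushed, the final kref put must not be able to happen before msm_job_free() has run; otherwise this branch would call drm_sched_job_cleanup() on a job the scheduler still owns. That ordering is presumably guaranteed by the scheduler path holding its own submit reference, which is not visible in this hunk, so it is worth spelling out, e.g. `/* A pushed job keeps its own submit ref until msm_job_free(), so s_fence is already NULL here on that path. */`. The check also depends on drm_sched_job_cleanup() continuing to clear s_fence as a side effect, so a scheduler-side change to that behaviour would silently bring back the leak or introduce a double cleanup. The function body starts and ends outside the hunk.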