commit 81699bd3335ca6d1d19b1f6213fc04be97bfb986
author Archana Sriram <apsrir@codeaurora.org> Mon Dec 14 16:55:35 2020 +0530
committer Luca Weiss <luca.weiss@fairphone.com> Wed Aug 25 08:14:08 2021 +0200
tree 2e77888f45ed99b7970aa67a16ef59db313ba794
parent d66ae7b23eec44fe51ea53f02422973f366317f3

msm: kgsl: Correct the refcount on current process PID

In kgsl_process_private_new() function there is inconsistency
in the refcount of current process PID. Fix this to avoid
overflowing of reference counter leading to use after free
of this struct.

Change-Id: I6291b9a05e139337e7f8471d0f9409fc839969a3
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>

drivers/gpu/msm/kgsl.c

diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index 562e09d..dec3e3c 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -914,17 +914,24 @@
 	list_for_each_entry(private, &kgsl_driver.process_list, list) {
 		if (private->pid == cur_pid) {
 			if (!kgsl_process_private_get(private)) {
-				put_pid(cur_pid);
 				private = ERR_PTR(-EINVAL);
 			}
+			/*
+			 * We need to hold only one reference to the PID for
+			 * each process struct to avoid overflowing the
+			 * reference counter which can lead to use-after-free.
+			 */
+			put_pid(cur_pid);
 			return private;
 		}
 	}
 
 	/* Create a new object */
 	private = kzalloc(sizeof(struct kgsl_process_private), GFP_KERNEL);
-	if (private == NULL)
+	if (private == NULL) {
+		put_pid(cur_pid);
 		return ERR_PTR(-ENOMEM);
+	}
 
 	kref_init(&private->refcount);