author | Archana Sriram <apsrir@codeaurora.org> | 2020-12-14 16:55:35 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2020-12-30 22:37:36 -0800 |
commit | c83d52bce5565b77f8e67adb5fdec578c2f7973d (patch) | |
tree | 40bb3e0bb1b9d7382b6efb6a89c31f6f2d0b6339 | |
parent | b30ff4c21dca02b1aaef35ae7dc1f380c7ae5793 (diff) |
msm: kgsl: Correct the refcount on current process PID
In the kgsl_process_private_new() function there is an inconsistency
in the refcount of the current process PID. Fix this to avoid
overflowing the reference counter, which can lead to a use-after-free
of this struct.
Change-Id: I6291b9a05e139337e7f8471d0f9409fc839969a3
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
-rw-r--r-- | drivers/gpu/msm/kgsl.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index 9d9836052158..268e7231162a 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -916,17 +916,24 @@ static struct kgsl_process_private *kgsl_process_private_new(
 list_for_each_entry(private, &kgsl_driver.process_list, list) {
 if (private->pid == cur_pid) {
 if (!kgsl_process_private_get(private)) {
- put_pid(cur_pid);
 private = ERR_PTR(-EINVAL);
 }
+ /*
+ * We need to hold only one reference to the PID for
+ * each process struct to avoid overflowing the
+ * reference counter which can lead to use-after-free.
+ */
+ put_pid(cur_pid);
 return private;
 }
 }
 /* Create a new object */
 private = kzalloc(sizeof(struct kgsl_process_private), GFP_KERNEL);
- if (private == NULL)
+ if (private == NULL) {
+ put_pid(cur_pid);
 return ERR_PTR(-ENOMEM);
+ }
 kref_init(&private->refcount); |
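Review bot: The reference on `cur_pid` is now dropped by hand on each early exit, and the hunk covers only the two exits visible here (the lookup hit and the `kzalloc()` failure); `kgsl_process_private_new()` continues past `kref_init()` outside the hunk, so any later failure path needs the same `put_pid()` unless the reference has by then been handed to the new object and is released by its teardown. A short comment at the point of hand-over, for example `/* private now owns the reference taken on cur_pid */`, would make that ownership rule checkable by the next reader; where the hand-over happens is not visible here, so this is to be confirmed against the full function. As a style point, the braces around `private = ERR_PTR(-EINVAL);` now enclose a single statement and can be dropped per kernel coding style.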