forked from ~ljy/RK356X_SDK_RELEASE
blame | history | patch | commit | commitdiff
hc
2024-01-05 071106ecf68c401173c58808b1cf5f68cc50d390 
 kernel/drivers/gpu/drm/virtio/virtgpu_ioctl.c
....@@ -279,10 +279,18 @@
279279 		drm_gem_object_release(obj);
280280 		return ret;
281281 	}
282
-	drm_gem_object_put(obj);
283282 
284283 	rc->res_handle = qobj->hw_res_handle; /* similiar to a VM address */
285284 	rc->bo_handle = handle;
285
+
286
+	/*
287
+	 * The handle owns the reference now.  But we must drop our
288
+	 * remaining reference *after* we no longer need to dereference
289
+	 * the obj.  Otherwise userspace could guess the handle and
290
+	 * race closing it from another thread.
291
+	 */
292
+	drm_gem_object_put(obj);
293
+
286294 	return 0;
287295 }
288296