Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error. xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed. Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning. v2: Add comments to explain the free logic. (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)
Product status
eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 (git) before f9ad21b90162baf1d78f8036ff3813c3ec1ac88e
eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 (git) before 8fa8c2a22585fcb31dc605b91a67bbcca223fdd7
eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 (git) before 93a528f67ce5095bcab46a69839eca97f43dd352
6.18
Any version before 6.18
6.18.32 (semver)
7.0.9 (semver)
7.1-rc2 (original_commit_for_fix)
References
git.kernel.org/...c/f9ad21b90162baf1d78f8036ff3813c3ec1ac88e
git.kernel.org/...c/8fa8c2a22585fcb31dc605b91a67bbcca223fdd7
git.kernel.org/...c/93a528f67ce5095bcab46a69839eca97f43dd352