drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 1 + 1 file changed, 1 insertion(+)
If the copy of the description string from userspace fails, then the page
for the instance descriptor doesn't get freed before returning -EFAULT,
which leads to a memleak.
Fixes: 7a7a933edd6c ("drm/vmwgfx: Introduce VMware mks-guest-stats")
Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
index 2aceac7856e2..089046fa21be 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
@@ -1076,6 +1076,7 @@ int vmw_mksstat_add_ioctl(struct drm_device *dev, void *data,
if (desc_len < 0) {
atomic_set(&dev_priv->mksstat_user_pids[slot], 0);
+ __free_page(page);
return -EFAULT;
}
--
2.34.1Thank you for the catch!
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Regards,
Martin
On 16.09.22 г. 23:47 ч., Rafael Mendonca wrote:
> If the copy of the description string from userspace fails, then the page
> for the instance descriptor doesn't get freed before returning -EFAULT,
> which leads to a memleak.
>
> Fixes: 7a7a933edd6c ("drm/vmwgfx: Introduce VMware mks-guest-stats")
> Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
> index 2aceac7856e2..089046fa21be 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
> @@ -1076,6 +1076,7 @@ int vmw_mksstat_add_ioctl(struct drm_device *dev, void *data,
>
> if (desc_len < 0) {
> atomic_set(&dev_priv->mksstat_user_pids[slot], 0);
> + __free_page(page);
> return -EFAULT;
> }
>
© 2016 - 2026 Red Hat, Inc.