| Message ID | 20171231135843.10760-5-noralf@tronnes.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Quoting Noralf Trønnes (2017-12-31 13:58:40) > Clear the pointer so the buffer can be re-exported. Otherwise use > after free happens in the next call to drm_gem_prime_handle_to_fd(). > > Signed-off-by: Noralf Trønnes <noralf@tronnes.org> > --- > drivers/gpu/drm/drm_prime.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c > index 9a17725b0f7a..3214c0eb7466 100644 > --- a/drivers/gpu/drm/drm_prime.c > +++ b/drivers/gpu/drm/drm_prime.c > @@ -343,6 +343,7 @@ void drm_gem_dmabuf_release(struct dma_buf *dma_buf) > > /* drop the reference on the export fd holds */ > drm_gem_object_put_unlocked(obj); > + obj->dma_buf = NULL; obj->dma_buf holds a reference to the dma_buf, so to get to the dma_buf release we must have already called dma_buf_put(obj->dma_buf). See drm_gem_object_exported_dma_buf_free(). (Note you would do the obj->dma_buf = NULL before dropping the potentially last ref to obj.) A BUG_ON(obj->dma_buf) may help clarify the cache was already released. -Chris
Den 31.12.2017 16.41, skrev Chris Wilson: > Quoting Noralf Trønnes (2017-12-31 13:58:40) >> Clear the pointer so the buffer can be re-exported. Otherwise use >> after free happens in the next call to drm_gem_prime_handle_to_fd(). >> >> Signed-off-by: Noralf Trønnes <noralf@tronnes.org> >> --- >> drivers/gpu/drm/drm_prime.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c >> index 9a17725b0f7a..3214c0eb7466 100644 >> --- a/drivers/gpu/drm/drm_prime.c >> +++ b/drivers/gpu/drm/drm_prime.c >> @@ -343,6 +343,7 @@ void drm_gem_dmabuf_release(struct dma_buf *dma_buf) >> >> /* drop the reference on the export fd holds */ >> drm_gem_object_put_unlocked(obj); >> + obj->dma_buf = NULL; > obj->dma_buf holds a reference to the dma_buf, so to get to the dma_buf > release we must have already called dma_buf_put(obj->dma_buf). See > drm_gem_object_exported_dma_buf_free(). (Note you would do the > obj->dma_buf = NULL before dropping the potentially last ref to obj.) > A BUG_ON(obj->dma_buf) may help clarify the cache was already released. Hmm, okay it was a shot in the dark. Maybe I can defer dumb_buffer and drm_framebuffer creation until fb_open and then free it all in fb_close. That would align fbdev emulation more with how DRM userspace operates. Let's see what assumptions the code has about drm_fb_helper->fb being set on probe... Noralf.
diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c index 9a17725b0f7a..3214c0eb7466 100644 --- a/drivers/gpu/drm/drm_prime.c +++ b/drivers/gpu/drm/drm_prime.c @@ -343,6 +343,7 @@ void drm_gem_dmabuf_release(struct dma_buf *dma_buf) /* drop the reference on the export fd holds */ drm_gem_object_put_unlocked(obj); + obj->dma_buf = NULL; drm_dev_put(dev); }
Clear the pointer so the buffer can be re-exported. Otherwise use after free happens in the next call to drm_gem_prime_handle_to_fd(). Signed-off-by: Noralf Trønnes <noralf@tronnes.org> --- drivers/gpu/drm/drm_prime.c | 1 + 1 file changed, 1 insertion(+)