* [PATCH v2] drm/vmwgfx: Do not drop the reference to the handle too soon
@ 2023-02-09 12:37 Zack Rusin
2023-02-09 13:19 ` Martin Krastev (VMware)
0 siblings, 1 reply; 2+ messages in thread
From: Zack Rusin @ 2023-02-09 12:37 UTC (permalink / raw)
To: dri-devel; +Cc: krastevm, stable, banackm, mombasawalam
From: Zack Rusin <zackr@vmware.com>
v2: Update the commit message to include note describing why the second
usag of vmw_gem_object_create_with_handle in vmwgfx_surface.c wasn't
changed
It is possible for userspace to predict the next buffer handle and
to destroy the buffer while it's still used by the kernel. Delay
dropping the internal reference on the buffers until kernel is done
with them.
Also fixes the second usage of vmw_gem_object_create_with_handle in
vmwgfx_surface.c which wasn't grabbing an explicit reference
to the gem object which could have been destroyed by the userspace
on the owning surface at any point.
Signed-off-by: Zack Rusin <zackr@vmware.com>
Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM")
Cc: <stable@vger.kernel.org> # v5.17+
---
drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 3 ++-
drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 4 ++--
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 1 -
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
index 43ffa5c7acbd..65bd88c8fef9 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
@@ -708,7 +708,8 @@ int vmw_dumb_create(struct drm_file *file_priv,
ret = vmw_gem_object_create_with_handle(dev_priv, file_priv,
args->size, &args->handle,
&vbo);
-
+ /* drop reference from allocate - handle holds it now */
+ drm_gem_object_put(&vbo->tbo.base);
return ret;
}
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c b/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c
index 51bd1f8c5cc4..d6baf73a6458 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c
@@ -133,8 +133,6 @@ int vmw_gem_object_create_with_handle(struct vmw_private *dev_priv,
(*p_vbo)->tbo.base.funcs = &vmw_gem_object_funcs;
ret = drm_gem_handle_create(filp, &(*p_vbo)->tbo.base, handle);
- /* drop reference from allocate - handle holds it now */
- drm_gem_object_put(&(*p_vbo)->tbo.base);
out_no_bo:
return ret;
}
@@ -161,6 +159,8 @@ int vmw_gem_object_create_ioctl(struct drm_device *dev, void *data,
rep->map_handle = drm_vma_node_offset_addr(&vbo->tbo.base.vma_node);
rep->cur_gmr_id = handle;
rep->cur_gmr_offset = 0;
+ /* drop reference from allocate - handle holds it now */
+ drm_gem_object_put(&vbo->tbo.base);
out_no_bo:
return ret;
}
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index 9d4ae9623a00..d18fec953fa7 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -867,7 +867,6 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
goto out_unlock;
}
vmw_bo_reference(res->guest_memory_bo);
- drm_gem_object_get(&res->guest_memory_bo->tbo.base);
}
tmp = vmw_resource_reference(&srf->res);
--
2.38.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] drm/vmwgfx: Do not drop the reference to the handle too soon
2023-02-09 12:37 [PATCH v2] drm/vmwgfx: Do not drop the reference to the handle too soon Zack Rusin
@ 2023-02-09 13:19 ` Martin Krastev (VMware)
0 siblings, 0 replies; 2+ messages in thread
From: Martin Krastev (VMware) @ 2023-02-09 13:19 UTC (permalink / raw)
To: Zack Rusin, dri-devel; +Cc: krastevm, mombasawalam, banackm, stable
From: Martin Krastev <krastevm@vmware.com>
LGTM
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Regards,
Martin
On 9.02.23 г. 14:37 ч., Zack Rusin wrote:
> From: Zack Rusin <zackr@vmware.com>
>
> v2: Update the commit message to include note describing why the second
> usag of vmw_gem_object_create_with_handle in vmwgfx_surface.c wasn't
> changed
>
> It is possible for userspace to predict the next buffer handle and
> to destroy the buffer while it's still used by the kernel. Delay
> dropping the internal reference on the buffers until kernel is done
> with them.
>
> Also fixes the second usage of vmw_gem_object_create_with_handle in
> vmwgfx_surface.c which wasn't grabbing an explicit reference
> to the gem object which could have been destroyed by the userspace
> on the owning surface at any point.
>
> Signed-off-by: Zack Rusin <zackr@vmware.com>
> Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM")
> Cc: <stable@vger.kernel.org> # v5.17+
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 3 ++-
> drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 4 ++--
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 1 -
> 3 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
> index 43ffa5c7acbd..65bd88c8fef9 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
> @@ -708,7 +708,8 @@ int vmw_dumb_create(struct drm_file *file_priv,
> ret = vmw_gem_object_create_with_handle(dev_priv, file_priv,
> args->size, &args->handle,
> &vbo);
> -
> + /* drop reference from allocate - handle holds it now */
> + drm_gem_object_put(&vbo->tbo.base);
> return ret;
> }
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c b/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c
> index 51bd1f8c5cc4..d6baf73a6458 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c
> @@ -133,8 +133,6 @@ int vmw_gem_object_create_with_handle(struct vmw_private *dev_priv,
> (*p_vbo)->tbo.base.funcs = &vmw_gem_object_funcs;
>
> ret = drm_gem_handle_create(filp, &(*p_vbo)->tbo.base, handle);
> - /* drop reference from allocate - handle holds it now */
> - drm_gem_object_put(&(*p_vbo)->tbo.base);
> out_no_bo:
> return ret;
> }
> @@ -161,6 +159,8 @@ int vmw_gem_object_create_ioctl(struct drm_device *dev, void *data,
> rep->map_handle = drm_vma_node_offset_addr(&vbo->tbo.base.vma_node);
> rep->cur_gmr_id = handle;
> rep->cur_gmr_offset = 0;
> + /* drop reference from allocate - handle holds it now */
> + drm_gem_object_put(&vbo->tbo.base);
> out_no_bo:
> return ret;
> }
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> index 9d4ae9623a00..d18fec953fa7 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> @@ -867,7 +867,6 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
> goto out_unlock;
> }
> vmw_bo_reference(res->guest_memory_bo);
> - drm_gem_object_get(&res->guest_memory_bo->tbo.base);
> }
>
> tmp = vmw_resource_reference(&srf->res);
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-02-09 13:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-09 12:37 [PATCH v2] drm/vmwgfx: Do not drop the reference to the handle too soon Zack Rusin
2023-02-09 13:19 ` Martin Krastev (VMware)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).