Am 18.08.21 um 15:02 schrieb Wentao_Liang:
In line 317 (#1), drm_gem_prime_import() is called, it will call
drm_gem_prime_import_dev(). At the end of the function
drm_gem_prime_import_dev() (line 956, #2), "dma_buf_put(dma_buf);" puts
dma_buf->file and may cause it to be released. However, after
drm_gem_prime_import() returning, the dma_buf may be put again by the
same put function in lines 342, 351 and 358 (#3, #4, #5). Putting the
dma_buf improperly more than once can lead to an incorrect dma_buf-
file put.
We believe that the put of the dma_buf in the function
drm_gem_prime_import() is unnecessary (#2). We can fix the above bug by
removing the redundant "dma_buf_put(dma_buf);" in line 956.
Guys I'm getting tired of NAKing those incorrect reference count analysis.
The dma_buf_put() in the error handling of drm_gem_prime_import_dev()
function is balanced with the get_dma_buf() in the same function
directly above.
This is for the creating a GEM object for a DMA-buf imported from other
device use case and certainly correct.
The various dma_buf_put() in drm_gem_prime_fd_to_handle() is balanced
with the dma_buf_get(prime_fd) at the beginning of the function.
This is for extracting the DMA-buf from the file descriptor and keeping
a reference to it while we are busy importing it (e.g. to prevent a race
when somebody changes the fd at the same time).
As far as I can see this is correct as well.
Regards,
Christian.
314 if (dev->driver->gem_prime_import)
315 obj = dev->driver->gem_prime_import(dev, dma_buf);
316 else
317 obj = drm_gem_prime_import(dev, dma_buf);
//#1 call to drm_gem_prime_import
// ->drm_gem_prime_import_dev
// ->dma_buf_put
...
336 ret = drm_prime_add_buf_handle(&file_priv->prime,
337 dma_buf, *handle);
...
342 dma_buf_put(dma_buf); //#3 put again
343
344 return 0;
345
346 fail:
351 dma_buf_put(dma_buf); //#4 put again
352 return ret;
356 out_put:
357 mutex_unlock(&file_priv->prime.lock);
358 dma_buf_put(dma_buf); //#5 put again
359 return ret;
360 }
905 struct drm_gem_object *drm_gem_prime_import_dev
(struct drm_device *dev,
906 struct dma_buf *dma_buf,
907 struct device *attach_dev)
908 {
...
952 fail_unmap:
953 dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
954 fail_detach:
955 dma_buf_detach(dma_buf, attach);
956 dma_buf_put(dma_buf); //#2 the first put of dma_buf
// (unnecessary)
957
958 return ERR_PTR(ret);
959 }
Signed-off-by: Wentao_Liang <Wentao_Liang_g@xxxxxxx>
---
drivers/gpu/drm/drm_prime.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
index 2a54f86856af..cef03ad0d5cd 100644
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -953,7 +953,6 @@ struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
fail_detach:
dma_buf_detach(dma_buf, attach);
- dma_buf_put(dma_buf);
return ERR_PTR(ret);
}
