On 9/14/23 16:27, Boris Brezillon wrote: ... > If you added this pages_use_count > 0 check to deal with the > 'free-partially-imported-GEM' case, I keep thinking this is not > the right fix. You should just assume that obj->import_attach == NULL > means not-a-prime-buffer, and then make sure > partially-initialized-prime-GEMs have import_attach assigned (see the > oneliner I suggested in my review of > `[PATCH v15 01/23] drm/shmem-helper: Fix UAF in error path when > freeing SGT of imported GEM`). Yes, I added it to deal with the partially imported GEM. The obj->import_attach can't be set until dma-buf is fully imported as it also will cause trouble for the error code path, now dma-buf will be freed two times. >> dma_unmap_sgtable(obj->dev->dev, shmem->sgt, >> DMA_BIDIRECTIONAL, 0); >> sg_free_table(shmem->sgt); >> kfree(shmem->sgt); >> >> __drm_gem_shmem_put_pages(shmem); > You need to decrement pages_use_count: > > /* shmem->pages_use_count should be 1 when ->sgt != NULL and > * zero otherwise. If some users still hold a pages reference > * that's a bug, and we intentionally leak the pages so they > * can't be re-allocated to someone else while the GPU/CPU > * still have access to it. > */ > if (refcount_dec_and_test(&shmem->pages_use_count)) > __drm_gem_shmem_put_pages(shmem); > The put_pages() itself decrements the refcnt. I'm going back to deferring all this questionable changes for the later times. It is not essential problem for this patchset. -- Best regards, Dmitry
