Re: [RFC 4/7] drm/prime: Clear drm_gem_object->dma_buf on release

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting Noralf Trønnes (2017-12-31 13:58:40)
> Clear the pointer so the buffer can be re-exported. Otherwise use
> after free happens in the next call to drm_gem_prime_handle_to_fd().
> 
> Signed-off-by: Noralf Trønnes <noralf@xxxxxxxxxxx>
> ---
>  drivers/gpu/drm/drm_prime.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
> index 9a17725b0f7a..3214c0eb7466 100644
> --- a/drivers/gpu/drm/drm_prime.c
> +++ b/drivers/gpu/drm/drm_prime.c
> @@ -343,6 +343,7 @@ void drm_gem_dmabuf_release(struct dma_buf *dma_buf)
>  
>         /* drop the reference on the export fd holds */
>         drm_gem_object_put_unlocked(obj);
> +       obj->dma_buf = NULL;

obj->dma_buf holds a reference to the dma_buf, so to get to the dma_buf
release we must have already called dma_buf_put(obj->dma_buf). See
drm_gem_object_exported_dma_buf_free(). (Note you would do the
obj->dma_buf = NULL before dropping the potentially last ref to obj.)
A BUG_ON(obj->dma_buf) may help clarify the cache was already released.
-Chris
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx




[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]
  Powered by Linux