Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release

The kref_put() call uses (void *)kvfree as the release callback, which
is incorrect. kref_put() expects a function with signature
void (*release)(struct kref *), but kvfree has signature
void (*)(const void *). Calling through an incompatible function pointer
is undefined behavior.

The code only worked by accident because ref_count is the first member
of vmw_bo_dirty, making the kref pointer equal to the struct pointer.

Fix this by adding a proper release callback that uses container_of()
to retrieve the containing structure before freeing.

Fixes: c1962742ffff ("drm/vmwgfx: Use kref in vmw_bo_dirty")
Signed-off-by: Brad Spengler <brad.spengler@opensrcsec.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Cc: Ian Forbes <ian.forbes@broadcom.com>
Link: https://patch.msgid.link/20260107171236.3573118-1-zack.rusin@broadcom.com

authored by Brad Spengler and committed by Zack Rusin
211ecfaa 40b24d9c

+8 -1
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
··· 260 260 return ret; 261 261 } 262 262 263 + static void vmw_bo_dirty_free(struct kref *kref) 264 + { 265 + struct vmw_bo_dirty *dirty = container_of(kref, struct vmw_bo_dirty, ref_count); 266 + 267 + kvfree(dirty); 268 + } 269 + 263 270 /** 264 271 * vmw_bo_dirty_release - Release a dirty-tracking user from a buffer object 265 272 * @vbo: The buffer object ··· 281 274 { 282 275 struct vmw_bo_dirty *dirty = vbo->dirty; 283 276 284 - if (dirty && kref_put(&dirty->ref_count, (void *)kvfree)) 277 + if (dirty && kref_put(&dirty->ref_count, vmw_bo_dirty_free)) 285 278 vbo->dirty = NULL; 286 279 } 287 280
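Review bot: In the first hunk, the new vmw_bo_dirty_free() has no comment, while vmw_bo_dirty_release() directly below it carries a kernel-doc block. A short comment saying that it is the kref release callback for the ref_count member of struct vmw_bo_dirty, and that it is meant to be reached only through kref_put(), would keep a later cleanup from calling it directly or collapsing it back to kvfree. The container_of() declaration is also a long line; declaring dirty first and assigning on the next line would keep it within the usual width.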
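Review bot: In the second hunk, the (void *) cast on the removed line is what allowed the mismatched callback to compile without a diagnostic, so the same pattern could be hiding elsewhere. Now that vmw_bo_dirty_free is passed without a cast, the compiler checks it against the void (*release)(struct kref *) signature that kref_put() expects. It would be worth searching the rest of the driver for other callbacks passed through a (void *) cast and noting in the commit message whether any were found.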