Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
drm/panthor: Keep a ref to the VM at the panthor_kernel_bo level

Avoids use-after-free situations when panthor_fw_unplug() is called
and the kernel BO was mapped to the FW VM.

Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240502183813.1612017-3-boris.brezillon@collabora.com

+22 -17
+2 -2
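--- a/drivers/gpu/drm/panthor/panthor_fw.c
+++ b/drivers/gpu/drm/panthor/panthor_fw.c
@@ -453,7 +453,7 @@
 
 ret = panthor_kernel_bo_vmap(mem);
 if (ret) {
-panthor_kernel_bo_destroy(panthor_fw_vm(ptdev), mem);
+panthor_kernel_bo_destroy(mem);
 return ERR_PTR(ret);
 }
 
@@ -1134,7 +1134,7 @@
 panthor_fw_stop(ptdev);
 
 list_for_each_entry(section, &ptdev->fw->sections, node)
-panthor_kernel_bo_destroy(panthor_fw_vm(ptdev), section->mem);
+panthor_kernel_bo_destroy(section->mem);
 
 /* We intentionally don't call panthor_vm_idle() and let
 * panthor_mmu_unplug() release the AS we acquired with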
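Review bot: In the second hunk (the unplug loop, new line 1137) `section->mem` keeps its old value after panthor_kernel_bo_destroy() returns, and the panthor_gem.c change on this page shows that call ending in `kfree(bo)`, so every section is left holding a pointer to freed memory. Since the commit exists to close a use-after-free on the unplug path, it would be cheap to clear the pointer as well: brace the loop body and add `section->mem = NULL;` after the destroy call. The rest of the function is outside the hunk, so whether the section list is walked again after this point cannot be confirmed from this page.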
+5 -3
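--- a/drivers/gpu/drm/panthor/panthor_gem.c
+++ b/drivers/gpu/drm/panthor/panthor_gem.c
@@ -26,18 +26,18 @@
 
 /**
 * panthor_kernel_bo_destroy() - Destroy a kernel buffer object
-* @vm: The VM this BO was mapped to.
 * @bo: Kernel buffer object to destroy. If NULL or an ERR_PTR(), the destruction
 * is skipped.
 */
-void panthor_kernel_bo_destroy(struct panthor_vm *vm,
-struct panthor_kernel_bo *bo)
+void panthor_kernel_bo_destroy(struct panthor_kernel_bo *bo)
 {
+struct panthor_vm *vm;
 int ret;
 
 if (IS_ERR_OR_NULL(bo))
 return;
 
+vm = bo->vm;
 panthor_kernel_bo_vunmap(bo);
 
 if (drm_WARN_ON(bo->obj->dev,
@@ -53,6 +53,7 @@
 drm_gem_object_put(bo->obj);
 
 out_free_bo:
+panthor_vm_put(vm);
 kfree(bo);
 }
 
@@ -106,6 +107,7 @@
 if (ret)
 goto err_free_va;
 
+kbo->vm = panthor_vm_get(vm);
 bo->exclusive_vm_root_gem = panthor_vm_root_gem(vm);
 drm_gem_object_get(bo->exclusive_vm_root_gem);
 bo->base.base.resv = bo->exclusive_vm_root_gem->resv;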
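Review bot: The `panthor_vm_put(vm)` added under `out_free_bo:` in the second hunk has to remain the last use of the VM in panthor_kernel_bo_destroy(), and nothing in the function says so. The teardown steps between the first and second hunk are not shown, but they presumably still dereference `vm`, so a later reorder that lifts the put above them would reintroduce the use-after-free the commit description mentions. I would add `/* Drop the VM ref last: the teardown above may still dereference vm. */` directly above the put, and extend the kernel-doc with `* Also drops the VM reference taken when the BO was created.` The third hunk takes the reference only after the mapping succeeded, so the error labels outside that hunk must keep using the local `vm` and must not call the destroy function.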
+6 -2
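--- a/drivers/gpu/drm/panthor/panthor_gem.h
+++ b/drivers/gpu/drm/panthor/panthor_gem.h
@@ -62,6 +62,11 @@
 struct drm_gem_object *obj;
 
 /**
+* @vm: VM this private buffer is attached to.
+*/
+struct panthor_vm *vm;
+
+/**
 * @va_node: VA space allocated to this GEM.
 */
 struct drm_mm_node va_node;
@@ -136,7 +141,6 @@
 size_t size, u32 bo_flags, u32 vm_map_flags,
 u64 gpu_va);
 
-void panthor_kernel_bo_destroy(struct panthor_vm *vm,
-struct panthor_kernel_bo *bo);
+void panthor_kernel_bo_destroy(struct panthor_kernel_bo *bo);
 
 #endif /* __PANTHOR_GEM_H__ */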
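Review bot: The kernel-doc for the new `vm` field in the first hunk does not say that the pointer is a counted reference, which is the reason the field exists. The panthor_gem.c change on this page sets it with panthor_vm_get() and releases it with panthor_vm_put() in panthor_kernel_bo_destroy(), so I would write `@vm: VM this private buffer is attached to. Holds a reference, dropped by panthor_kernel_bo_destroy().` That tells a reader of the header that the field must never be assigned without taking a reference. The struct definition starts and ends outside the hunk.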
+4 -4
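--- a/drivers/gpu/drm/panthor/panthor_heap.c
+++ b/drivers/gpu/drm/panthor/panthor_heap.c
@@ -127,7 +127,7 @@
 heap->chunk_count--;
 mutex_unlock(&heap->lock);
 
-panthor_kernel_bo_destroy(vm, chunk->bo);
+panthor_kernel_bo_destroy(chunk->bo);
 kfree(chunk);
 }
 
@@ -183,7 +183,7 @@
 return 0;
 
 err_destroy_bo:
-panthor_kernel_bo_destroy(vm, chunk->bo);
+panthor_kernel_bo_destroy(chunk->bo);
 
 err_free_chunk:
 kfree(chunk);
@@ -395,7 +395,7 @@
 mutex_unlock(&heap->lock);
 
 if (removed) {
-panthor_kernel_bo_destroy(pool->vm, chunk->bo);
+panthor_kernel_bo_destroy(chunk->bo);
 kfree(chunk);
 ret = 0;
 } else {
@@ -595,7 +595,7 @@
 drm_WARN_ON(&pool->ptdev->base, panthor_heap_destroy_locked(pool, i));
 
 if (!IS_ERR_OR_NULL(pool->gpu_contexts))
-panthor_kernel_bo_destroy(pool->vm, pool->gpu_contexts);
+panthor_kernel_bo_destroy(pool->gpu_contexts);
 
 /* Reflects the fact the pool has been destroyed. */
 pool->vm = NULL;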
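Review bot: After the first hunk (new line 130) the destroy call no longer takes `vm`, so if `vm` is a parameter of the enclosing chunk-free function, whose signature is outside the hunk, it may now be unused. If it has no other use there, removing the parameter would mean callers no longer need a valid VM pointer just to free a chunk, which matches the intent of moving the reference into the BO. In the second hunk's error path `vm` is presumably still needed by the allocation earlier in that function, so that one should stay as it is.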
+5 -6
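--- a/drivers/gpu/drm/panthor/panthor_sched.c
+++ b/drivers/gpu/drm/panthor/panthor_sched.c
@@ -826,8 +826,8 @@
 
 panthor_queue_put_syncwait_obj(queue);
 
-panthor_kernel_bo_destroy(group->vm, queue->ringbuf);
-panthor_kernel_bo_destroy(panthor_fw_vm(group->ptdev), queue->iface.mem);
+panthor_kernel_bo_destroy(queue->ringbuf);
+panthor_kernel_bo_destroy(queue->iface.mem);
 
 kfree(queue);
 }
@@ -837,15 +837,14 @@
 struct panthor_group *group = container_of(work,
 struct panthor_group,
 release_work);
-struct panthor_device *ptdev = group->ptdev;
 u32 i;
 
 for (i = 0; i < group->queue_count; i++)
 group_free_queue(group, group->queues[i]);
 
-panthor_kernel_bo_destroy(panthor_fw_vm(ptdev), group->suspend_buf);
-panthor_kernel_bo_destroy(panthor_fw_vm(ptdev), group->protm_suspend_buf);
-panthor_kernel_bo_destroy(group->vm, group->syncobjs);
+panthor_kernel_bo_destroy(group->suspend_buf);
+panthor_kernel_bo_destroy(group->protm_suspend_buf);
+panthor_kernel_bo_destroy(group->syncobjs);
 
 panthor_vm_put(group->vm);
 kfree(group);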