[PATCH 1/1] drm/amdgpu: Take a reference to an exported BO

Felix Kuehling Felix.Kuehling at amd.com
Fri May 1 14:21:27 UTC 2020


From: Felix Kuehling <felix.kuehling at gmail.com>

That reference gets dropped when the dma-buf is freed. Not incrementing
the refcount can lead to use-after-free errors.

Signed-off-by: Felix Kuehling <felix.kuehling at gmail.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
index ffeb20f11c07..a0f9b3ef4aad 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
@@ -398,8 +398,15 @@ struct dma_buf *amdgpu_gem_prime_export(struct drm_gem_object *gobj,
 		return ERR_PTR(-EPERM);
 
 	buf = drm_gem_prime_export(gobj, flags);
-	if (!IS_ERR(buf))
+	if (!IS_ERR(buf)) {
 		buf->ops = &amdgpu_dmabuf_ops;
+		/* GEM needs a reference to the underlying object
+		 * that gets dropped when the dma-buf is released,
+		 * through the amdgpu_gem_object_free callback
+		 * from drm_gem_object_put_unlocked.
+		 */
+		amdgpu_bo_ref(bo);
+	}
 
 	return buf;
 }
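Review bot: the amdgpu_bo_ref(bo) added in the !IS_ERR(buf) branch has no matching unref visible in this patch, and the comment places the drop in amdgpu_gem_object_free, called from drm_gem_object_put_unlocked. A free callback normally runs only after the object's refcount has already reached zero, so please spell out in the comment or the commit message which counter amdgpu_bo_ref raises and which put on the dma-buf release path balances it. If drm_gem_prime_export already holds a reference on behalf of the dma-buf, the extra one taken here would leak the BO rather than close the use-after-free. A short description of the sequence that triggers the use-after-free would also help reviewers confirm the pairing.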
-- 
2.17.1


