[PATCH 1/1] drm/amdgpu: Take a reference to an exported BO
Christian König
ckoenig.leichtzumerken at gmail.com
Fri May 1 14:29:56 UTC 2020
On 01.05.20 at 16:21, Felix Kuehling wrote:
> From: Felix Kuehling <felix.kuehling at gmail.com>
>
> That reference gets dropped when the dma-buf is freed. Not incrementing
> the refcount can lead to use-after-free errors.
>
> Signed-off-by: Felix Kuehling <felix.kuehling at gmail.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> index ffeb20f11c07..a0f9b3ef4aad 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> @@ -398,8 +398,15 @@ struct dma_buf *amdgpu_gem_prime_export(struct drm_gem_object *gobj,
> return ERR_PTR(-EPERM);
>
> buf = drm_gem_prime_export(gobj, flags);
> - if (!IS_ERR(buf))
> + if (!IS_ERR(buf)) {
> buf->ops = &amdgpu_dmabuf_ops;
> + /* GEM needs a reference to the underlying object
> + * that gets dropped when the dma-buf is released,
> + * through the amdgpu_gem_object_free callback
> + * from drm_gem_object_put_unlocked.
> + */
> + amdgpu_bo_ref(bo);
> + }
Offhand, that doesn't sound correct to me. Why should the exported bo be
closed through amdgpu_gem_object_free()?
Regards,
Christian.
>
> return buf;
> }
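Review bot: The amdgpu_bo_ref(bo) added in the !IS_ERR(buf) branch has no matching unref anywhere in this patch, and the new comment's claim that the reference is dropped "through the amdgpu_gem_object_free callback from drm_gem_object_put_unlocked" is not shown by the hunk. A free callback normally runs only once the last reference is gone, so it is unclear how it could be the place where this particular reference is released. Please name the exact function that drops this reference on dma-buf release, and confirm that drm_gem_prime_export(gobj, flags) does not already take its own reference on gobj for the lifetime of the exported buffer. If it does, the extra reference is never balanced and the BO is leaked. The commit message would also benefit from describing the sequence that leads to the use-after-free, so the refcount imbalance can be checked against it.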