RE: [PATCH] drm: Fix gem obj imbalance due to calling drm_gem_object_put() twice

From: Roberto Sassu
Date: Fri Jan 07 2022 - 05:34:33 EST

Next message: Greg KH: "Re: linux-next: build warning after merge of the usb tree"
Previous message: Chevron Li: "[PATCH V3 1/1] mmc:sdhci-bayhub:fix Qualcomm sd host 7180 SD card compatibility issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> From: Roberto Sassu
> Sent: Tuesday, December 21, 2021 12:39 PM
> After commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"),
> drm_gem_mmap_obj() takes a reference of the passed drm_gem_object at the
> beginning of the function to safely dereference the mmap offset pointer,
> and releases it at the end, if an error occurred. However, the cma and
> shmem helpers are also releasing that reference in case of an error,
> which causes the imbalance of the reference counter and the panic
> reported by syzbot.
>
> Don't release the reference in drm_gem_mmap_obj() if the mmap method was
> called and it returned an error, and uniformly apply the same behavior of
> the cma and shmem helpers to the ttm helper (release the reference in the
> helper, not in the caller, when an error occurs).

Hello

I'm wondering if this patch and:

https://lore.kernel.org/dri-devel/20211213183122.838119-1-roberto.sassu@xxxxxxxxxx/

could be useful.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> Reported-by: syzbot+c8ae65286134dd1b800d@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 9786b65bc61ac ("drm/ttm: fix mmap refcounting")
> ---
> drivers/gpu/drm/drm_gem.c | 3 ++-
> drivers/gpu/drm/drm_gem_ttm_helper.c | 4 +---
> 2 files changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 4dcdec6487bb..7264a1a7a8d2 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -1049,8 +1049,9 @@ int drm_gem_mmap_obj(struct drm_gem_object
> *obj, unsigned long obj_size,
>
> if (obj->funcs->mmap) {
> ret = obj->funcs->mmap(obj, vma);
> + /* All helpers call drm_gem_object_put() */
> if (ret)
> - goto err_drm_gem_object_put;
> + return ret;
> WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));
> } else {
> if (!vma->vm_ops) {
> diff --git a/drivers/gpu/drm/drm_gem_ttm_helper.c
> b/drivers/gpu/drm/drm_gem_ttm_helper.c
> index ecf3d2a54a98..c44bfdbb722d 100644
> --- a/drivers/gpu/drm/drm_gem_ttm_helper.c
> +++ b/drivers/gpu/drm/drm_gem_ttm_helper.c
> @@ -101,8 +101,6 @@ int drm_gem_ttm_mmap(struct drm_gem_object *gem,
> int ret;
>
> ret = ttm_bo_mmap_obj(vma, bo);
> - if (ret < 0)
> - return ret;
>
> /*
> * ttm has its own object refcounting, so drop gem reference
> @@ -110,7 +108,7 @@ int drm_gem_ttm_mmap(struct drm_gem_object *gem,
> */
> drm_gem_object_put(gem);
>
> - return 0;
> + return ret;
> }
> EXPORT_SYMBOL(drm_gem_ttm_mmap);
>
> --
> 2.32.0

Next message: Greg KH: "Re: linux-next: build warning after merge of the usb tree"
Previous message: Chevron Li: "[PATCH V3 1/1] mmc:sdhci-bayhub:fix Qualcomm sd host 7180 SD card compatibility issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]