Re: [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2)

From: Hillf Danton
Date: Fri Dec 29 2023 - 20:05:00 EST

Next message: Konrad Dybcio: "Re: [PATCH 1/4] PCI: qcom: Reshuffle reset logic in 2_7_0 .init"
Previous message: Gergo Koteles: "[PATCH] ALSA: hda/tas2781: configure the amp after firmware load"
In reply to: syzbot: "Re: [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2)"
Next in thread: syzbot: "Re: [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 27 Dec 2023 12:51:18 -0800
> HEAD commit: 5254c0cbc92d Merge tag 'block-6.7-2023-12-22' of git://git..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=155d5fd6e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- a/drivers/gpu/drm/drm_file.c
+++ b/drivers/gpu/drm/drm_file.c
@@ -287,6 +287,7 @@ void drm_file_free(struct drm_file *file
if (dev->driver->postclose)
dev->driver->postclose(dev, file);

+ drm_prime_del_handles(&file->prime);
drm_prime_destroy_file_private(&file->prime);

WARN_ON(!list_empty(&file->event_list));
--- a/drivers/gpu/drm/drm_internal.h
+++ b/drivers/gpu/drm/drm_internal.h
@@ -76,6 +76,7 @@ void drm_prime_init_file_private(struct
void drm_prime_destroy_file_private(struct drm_prime_file_private *prime_fpriv);
void drm_prime_remove_buf_handle(struct drm_prime_file_private *prime_fpriv,
uint32_t handle);
+void drm_prime_del_handles(struct drm_prime_file_private *prime_fpriv);

/* drm_drv.c */
struct drm_minor *drm_minor_acquire(unsigned int minor_id);
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -106,6 +106,8 @@ static int drm_prime_add_buf_handle(stru
get_dma_buf(dma_buf);
member->dma_buf = dma_buf;
member->handle = handle;
+ RB_CLEAR_NODE(&member->dmabuf_rb);
+ RB_CLEAR_NODE(&member->handle_rb);

rb = NULL;
p = &prime_fpriv->dmabufs.rb_node;
@@ -185,6 +187,27 @@ static int drm_prime_lookup_buf_handle(s
return -ENOENT;
}

+void drm_prime_del_handles(struct drm_prime_file_private *prime_fpriv)
+{
+ struct drm_prime_member *member;
+ struct rb_node *rb;
+
+ mutex_lock(&prime_fpriv->lock);
+ for (;;) {
+ rb = rb_first(&prime_fpriv->dmabufs);
+ if (!rb)
+ break;
+ member = rb_entry(rb, struct drm_prime_member, handle_rb);
+
+ rb_erase(&member->handle_rb, &prime_fpriv->handles);
+ rb_erase(&member->dmabuf_rb, &prime_fpriv->dmabufs);
+
+ dma_buf_put(member->dma_buf);
+ kfree(member);
+ }
+ mutex_unlock(&prime_fpriv->lock);
+}
+
void drm_prime_remove_buf_handle(struct drm_prime_file_private *prime_fpriv,
uint32_t handle)
{
--

Next message: Konrad Dybcio: "Re: [PATCH 1/4] PCI: qcom: Reshuffle reset logic in 2_7_0 .init"
Previous message: Gergo Koteles: "[PATCH] ALSA: hda/tas2781: configure the amp after firmware load"
In reply to: syzbot: "Re: [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2)"
Next in thread: syzbot: "Re: [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]