From d0a133f7f5bc3583e460ba6bb54474a50ada5201 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Sat, 19 Aug 2017 13:05:58 +0100 Subject: drm: Release driver tracking before making the object available again This is the same bug as we fixed in commit f6cd7daecff5 ("drm: Release driver references to handle before making it available again"), but now the exposure is via the PRIME lookup tables. If we remove the object/handle from the PRIME lut, then a new request for the same object/fd will generate a new handle, thus for a short window that object is known to userspace by two different handles. Fix this by releasing the driver tracking before PRIME. Fixes: 0ff926c7d4f0 ("drm/prime: add exported buffers to current fprivs imported buffer list (v2)") Signed-off-by: Chris Wilson Cc: David Airlie Cc: Daniel Vetter Cc: Rob Clark Cc: Ville Syrjälä Cc: Thierry Reding Cc: stable@vger.kernel.org Reviewed-by: Daniel Vetter Signed-off-by: Joonas Lahtinen Link: https://patchwork.freedesktop.org/patch/msgid/20170819120558.6465-1-chris@chris-wilson.co.uk --- drivers/gpu/drm/drm_gem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index ad4e9cfe48a2..88c6d78ee2d5 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -255,13 +255,13 @@ drm_gem_object_release_handle(int id, void *ptr, void *data) struct drm_gem_object *obj = ptr; struct drm_device *dev = obj->dev; + if (dev->driver->gem_close_object) + dev->driver->gem_close_object(obj, file_priv); + if (drm_core_check_feature(dev, DRIVER_PRIME)) drm_gem_remove_prime_handles(obj, file_priv); drm_vma_node_revoke(&obj->vma_node, file_priv); - if (dev->driver->gem_close_object) - dev->driver->gem_close_object(obj, file_priv); - drm_gem_object_handle_put_unlocked(obj); return 0; -- cgit v1.2.3-55-g7522 From 90378e58919285637aa0f063c04ba0c6449d98b1 Mon Sep 17 00:00:00 2001 From: Noralf Trønnes Date: Thu, 17 Aug 2017 18:21:30 +0200 Subject: drm/gem: drm_gem_dumb_map_offset(): reject dma-buf Reject mapping an imported dma-buf since is's an invalid use-case. Cc: Philipp Zabel Cc: Laurent Pinchart Cc: Sean Paul Cc: Daniel Vetter Signed-off-by: Noralf Trønnes Acked-by: Daniel Vetter Acked-by: Eric Anholt Acked-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/1502986891-36764-2-git-send-email-noralf@tronnes.org --- drivers/gpu/drm/drm_gem.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 88c6d78ee2d5..8bea0326e7a7 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -333,6 +333,12 @@ int drm_gem_dumb_map_offset(struct drm_file *file, struct drm_device *dev, if (!obj) return -ENOENT; + /* Don't allow imported objects to be mapped */ + if (obj->import_attach) { + ret = -EINVAL; + goto out; + } + ret = drm_gem_create_mmap_offset(obj); if (ret) goto out; -- cgit v1.2.3-55-g7522 From 3fbe2e184d2fbc353425efa7b788aba64374119b Mon Sep 17 00:00:00 2001 From: Haneen Mohammed Date: Thu, 21 Sep 2017 15:04:24 -0600 Subject: drm: Remove obsolete "This is gross" comment Remove obsolete comment which was initially added in 2008 to annotate that idr_find() was used before idr_remove() since idr_remove() didn't use to return feedback. The comment now is irrelevant with commit f6cd7daecff5 ("drm: Release driver references to handle before making it available again"). Signed-off-by: Haneen Mohammed Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20170921210424.GA21951@Haneen --- drivers/gpu/drm/drm_gem.c | 9 --------- 1 file changed, 9 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 8bea0326e7a7..4e710ec40599 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -281,15 +281,6 @@ drm_gem_handle_delete(struct drm_file *filp, u32 handle) { struct drm_gem_object *obj; - /* This is gross. The idr system doesn't let us try a delete and - * return an error code. It just spews if you fail at deleting. - * So, we have to grab a lock around finding the object and then - * doing the delete on it and dropping the refcount, or the user - * could race us to double-decrement the refcount and cause a - * use-after-free later. Given the frequency of our handle lookups, - * we may want to use ida for number allocation and a hash table - * for the pointers, anyway. - */ spin_lock(&filp->table_lock); /* Check if we currently have a reference on the object */ -- cgit v1.2.3-55-g7522 From 5b9fbfff7644f2d3f42a6c105587b86e29ca9c48 Mon Sep 17 00:00:00 2001 From: Jordan Crouse Date: Tue, 3 Oct 2017 09:38:10 -0600 Subject: drm: fix typo in drm_gem_get_pages() comment I spent an embarrassingly long time looking for drm_gem_init_object() before I realized I was actually looking for drm_gem_object_init(). Fix the typo to keep other poor developers from suffering the same fate. Signed-off-by: Jordan Crouse Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/1507045091-6550-1-git-send-email-jcrouse@codeaurora.org --- drivers/gpu/drm/drm_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 811f6d26d108..55d6182555c7 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -534,7 +534,7 @@ EXPORT_SYMBOL(drm_gem_create_mmap_offset); * Note that you are not allowed to change gfp-zones during runtime. That is, * shmem_read_mapping_page_gfp() must be called with the same gfp_zone(gfp) as * set during initialization. If you have special zone constraints, set them - * after drm_gem_init_object() via mapping_set_gfp_mask(). shmem-core takes care + * after drm_gem_object_init() via mapping_set_gfp_mask(). shmem-core takes care * to keep pages in the required zone during swap-in. */ struct page **drm_gem_get_pages(struct drm_gem_object *obj) -- cgit v1.2.3-55-g7522