On 01.05.20 at 16:21, Felix Kuehling wrote:
From: Felix Kuehling <[email protected]>

That reference gets dropped when the dma-buf is freed. Not incrementing
the refcount can lead to use-after-free errors.

Signed-off-by: Felix Kuehling <[email protected]>
---
  drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 9 ++++++++-
  1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
index ffeb20f11c07..a0f9b3ef4aad 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
@@ -398,8 +398,15 @@ struct dma_buf *amdgpu_gem_prime_export(struct 
drm_gem_object *gobj,
                return ERR_PTR(-EPERM);
buf = drm_gem_prime_export(gobj, flags);
-       if (!IS_ERR(buf))
+       if (!IS_ERR(buf)) {
                buf->ops = &amdgpu_dmabuf_ops;
+               /* GEM needs a reference to the underlying object
+                * that gets dropped when the dma-buf is released,
+                * through the amdgpu_gem_object_free callback
+                * from drm_gem_object_put_unlocked.
+                */
+               amdgpu_bo_ref(bo);
+       }

Offhand, that doesn't sound correct to me. Why should the exported bo be closed through amdgpu_gem_object_free()?

Regards,
Christian.

return buf;
  }
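
Review bot: The added amdgpu_bo_ref(bo) inside the if (!IS_ERR(buf)) block has no matching put anywhere in this patch, and the comment's claim that the reference is dropped "through the amdgpu_gem_object_free callback from drm_gem_object_put_unlocked" is not backed by anything visible here. A free callback reached from a put normally runs only once the last reference is gone, so the comment should say which put actually balances this ref, and the commit message should say whether drm_gem_prime_export(gobj, flags) already holds its own reference on gobj for the lifetime of the dma-buf. If it does, this extra ref trades the use-after-free for a leaked BO. Please name the paired release path in the comment, or include the refcount trace that shows the imbalance.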

_______________________________________________
amd-gfx mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
