On Thu, 11 Sep 2025 11:08:43 +0000 Alice Ryhl <alicer...@google.com> wrote:
> On Thu, Sep 11, 2025 at 12:15:37PM +0200, Boris Brezillon wrote:
> > On Tue, 09 Sep 2025 13:36:23 +0000
> > Alice Ryhl <alicer...@google.com> wrote:
> >
> > >  static void panthor_vma_init(struct panthor_vma *vma, u32 flags)
> > > @@ -2084,12 +2010,12 @@ static int panthor_gpuva_sm_step_map(struct
> > > drm_gpuva_op *op, void *priv)
> > >  	if (ret)
> > >  		return ret;
> > >
> > > -	/* Ref owned by the mapping now, clear the obj field so we don't
> > > release the
> > > -	 * pinning/obj ref behind GPUVA's back.
> > > -	 */
> > >  	drm_gpuva_map(&vm->base, &vma->base, &op->map);
> > >  	panthor_vma_link(vm, vma, op_ctx->map.vm_bo);
> > > +
> > > +	drm_gpuvm_bo_put_deferred(op_ctx->map.vm_bo);
> > >  	op_ctx->map.vm_bo = NULL;
> >
> > Hm, I don't see why we need a drm_gpuvm_bo_put_deferred() here. The
> > original idea was to delegate the vm_bo ownership to the VA being added
> > to the VM tree, so if we put it here, we have a UAF situation, don't we?
>
> The vm_bo refcount goes like this:
>
> incr vm_bo_obtain()
> incr vma_link()
> decr vm_bo_put()
>
> There is no decrement in panthor_vm_cleanup_op_ctx() due to this line:
>
> op_ctx->map.vm_bo = NULL
>
> So when everything is done, it is linked once and the refcount is
> incremented by one, which is correct.

Ah, right, I overlooked the change to panthor_vma_link() where you drop the _put().
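Review bot: the hunk removes the comment that explained why op_ctx->map.vm_bo is cleared, but the reason for clearing it has changed and the new reason is not documented: the field is now cleared so that panthor_vm_cleanup_op_ctx() does not put the vm_bo a second time after the drm_gpuvm_bo_put_deferred() added here. The refcount flow spelled out in the reply (vm_bo_obtain() +1, panthor_vma_link() +1, drm_gpuvm_bo_put_deferred() -1, net one reference owned by the linked VA) is exactly what a reader of this function needs, and its absence is what led to the UAF question in this thread. Suggest restoring a short comment above the new call, e.g. "/* The linked VMA holds its own vm_bo ref now; drop the obtain() ref and clear the field so cleanup_op_ctx() does not put it again. */". It is also worth stating in that comment that the put must stay after panthor_vma_link(), since moving it before the link would drop the only reference.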