On 5/14/26 10:49 PM, Zack Rusin wrote:
> That still doesn't look correct. dumb buffers own the resource and
> should drop it themselves. What you did is made arg.rep.handle stay in
> tdev->idr and now both the tfile and dumb_buffer own the surface.
> Whichever one is destroyed first will make the other UAF on that
> surface.
>

So the tdev->idr still needs to have the handle for the surface ref ioctl to work on a dumb buffer. Instead of having a ref object, we could increment a refcount for the ttm base object directly, and then release it on dumb buffer destroy. This way the tfile does not hold a reference to the dumb surface.

> For all the commits in that series that are fixes please find a proper
> Fixes commit. And if you want to land this through drm-misc-fixes then
> you'll need to remove the last one from the series because I don't
> think we should land general cleanups through fixes.
>
> z

Sounds good.

--
Maaz Mombasawala <[email protected]>
