From ec0bb482de0ad5e4aba2a4537ea53eaeb77d11a6 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 20 Mar 2020 16:23:34 +0300 Subject: drm/gem: Fix a leak in drm_gem_objects_lookup() If the "handles" allocation or the copy_from_user() fails then we leak "objs". It's supposed to be freed in panfrost_job_cleanup(). Fixes: c117aa4d8701 ("drm: Add a drm_gem_objects_lookup helper") Signed-off-by: Dan Carpenter Signed-off-by: Emil Velikov Link: https://patchwork.freedesktop.org/patch/msgid/20200320132334.GC95012@mwanda --- drivers/gpu/drm/drm_gem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 7bf628e13023..d6ef48bc7a7b 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -709,6 +709,8 @@ int drm_gem_objects_lookup(struct drm_file *filp, void __user *bo_handles, if (!objs) return -ENOMEM; + *objs_out = objs; + handles = kvmalloc_array(count, sizeof(u32), GFP_KERNEL); if (!handles) { ret = -ENOMEM; @@ -722,8 +724,6 @@ int drm_gem_objects_lookup(struct drm_file *filp, void __user *bo_handles, } ret = objects_lookup(filp, handles, count, objs); - *objs_out = objs; - out: kvfree(handles); return ret; -- cgit v1.2.3 From 2ea8ad42ec8d04c014d04648170ee9c3ad119585 Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Fri, 15 May 2020 10:50:42 +0100 Subject: drm/gem: use _unlocked reference in drm_gem_objects_lookup docs Use the drm_gem_object_put_unlocked in the documentation for drm_gem_objects_lookup. The locked version of the helper should be used solely by people who know exactly what they are doing. Should prevent issues like ones adddressed with the next patch. 
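Review bot: The early `if (!objs) return -ENOMEM;` path still returns before the moved `*objs_out = objs;`, so `*objs_out` is now written on every failure path except that one. A caller that frees the array on any error therefore has to start from a NULL pointer, otherwise it frees an uninitialised value when the first allocation fails. I would either set `*objs_out = NULL;` before the first allocation (the start of the function is outside this hunk) or state in the kerneldoc that `@objs_out` is written only once the array exists and that the caller owns it on failure. What objects_lookup() leaves in the array on -ENOENT is not visible here, so the partially filled case should be covered by that documentation as well.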
Signed-off-by: Emil Velikov Acked-by: Sam Ravnborg Acked-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-3-emil.l.velikov@gmail.com --- drivers/gpu/drm/drm_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index d6ef48bc7a7b..bd01ffd39376 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -690,7 +690,7 @@ static int objects_lookup(struct drm_file *filp, u32 *handle, int count, * Returns: * * @objs filled in with GEM object pointers. Returned GEM objects need to be - * released with drm_gem_object_put(). -ENOENT is returned on a lookup + * released with drm_gem_object_put_unlocked(). -ENOENT is returned on a lookup * failure. 0 is returned on success. * */ -- cgit v1.2.3 From 2891586f323a88f486f734aaf7c6ceb33cec7b27 Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Fri, 15 May 2020 10:50:46 +0100 Subject: drm/doc: drop struct_mutex reference for drm_gem_object_free The comment that struct_mutex must be held is misleading. It is only required when .gem_free_object() is used. Since that one is going with the next patches, drop the reference. Signed-off-by: Emil Velikov Acked-by: Sam Ravnborg Reviewed-by: Daniel Vetter Acked-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-7-emil.l.velikov@gmail.com --- drivers/gpu/drm/drm_gem.c | 1 - 1 file changed, 1 deletion(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index bd01ffd39376..eb0017985d91 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -965,7 +965,6 @@ EXPORT_SYMBOL(drm_gem_object_release); * @kref: kref of the object to free * * Called after the last reference to the object has been lost. - * Must be called holding &drm_device.struct_mutex. * * Frees the object */ -- cgit v1.2.3 
From 1a9458aeb8eb48bfa5f9b3e7682bddc28fd0b85e Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Fri, 15 May 2020 10:50:49 +0100 Subject: drm: remove drm_driver::gem_free_object No drivers set the callback, so remove it all together. Signed-off-by: Emil Velikov Acked-by: Sam Ravnborg Reviewed-by: Thomas Zimmermann Reviewed-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-10-emil.l.velikov@gmail.com --- drivers/gpu/drm/drm_gem.c | 22 +++------------------- include/drm/drm_drv.h | 8 -------- include/drm/drm_gem.h | 5 +++-- 3 files changed, 6 insertions(+), 29 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index eb0017985d91..21c69e71d685 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -975,15 +975,10 @@ drm_gem_object_free(struct kref *kref) container_of(kref, struct drm_gem_object, refcount); struct drm_device *dev = obj->dev; - if (obj->funcs) { + if (obj->funcs) obj->funcs->free(obj); - } else if (dev->driver->gem_free_object_unlocked) { + else if (dev->driver->gem_free_object_unlocked) dev->driver->gem_free_object_unlocked(obj); - } else if (dev->driver->gem_free_object) { - WARN_ON(!mutex_is_locked(&dev->struct_mutex)); - - dev->driver->gem_free_object(obj); - } } EXPORT_SYMBOL(drm_gem_object_free); @@ -999,21 +994,10 @@ EXPORT_SYMBOL(drm_gem_object_free); void drm_gem_object_put_unlocked(struct drm_gem_object *obj) { - struct drm_device *dev; - if (!obj) return; - dev = obj->dev; - - if (dev->driver->gem_free_object) { - might_lock(&dev->struct_mutex); - if (kref_put_mutex(&obj->refcount, drm_gem_object_free, - &dev->struct_mutex)) - mutex_unlock(&dev->struct_mutex); - } else { - kref_put(&obj->refcount, drm_gem_object_free); - } + kref_put(&obj->refcount, drm_gem_object_free); } EXPORT_SYMBOL(drm_gem_object_put_unlocked); diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h index 6d457652f199..e6eff508f687 100644 
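Review bot: In drm_gem_object_free() the `obj->funcs` branch calls `obj->funcs->free(obj)` without checking that the callback is set, and when neither `obj->funcs` nor `gem_free_object_unlocked` is present the function now returns without releasing anything. With the struct_mutex branch removed these are the only two release paths, so a misconfigured driver would either call through a NULL function pointer on the last reference drop or leak the object silently. An `if (WARN_ON(!obj->funcs->free)) return;` guard in the first branch and a trailing `else WARN_ON_ONCE(1);` would make both cases visible. Whether any in-tree driver can reach either case is not shown on this page.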
--- a/include/drm/drm_drv.h +++ b/include/drm/drm_drv.h @@ -327,14 +327,6 @@ struct drm_driver { */ void (*debugfs_init)(struct drm_minor *minor); - /** - * @gem_free_object: deconstructor for drm_gem_objects - * - * This is deprecated and should not be used by new drivers. Use - * &drm_gem_object_funcs.free instead. - */ - void (*gem_free_object) (struct drm_gem_object *obj); - /** * @gem_free_object_unlocked: deconstructor for drm_gem_objects * diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h index 0b375069cd48..ec2d24a60a76 100644 --- a/include/drm/drm_gem.h +++ b/include/drm/drm_gem.h @@ -272,8 +272,9 @@ struct drm_gem_object { * attachment point for the device. This is invariant over the lifetime * of a gem object. * - * The &drm_driver.gem_free_object callback is responsible for cleaning - * up the dma_buf attachment and references acquired at import time. + * The &drm_driver.gem_free_object_unlocked callback is responsible for + * cleaning up the dma_buf attachment and references acquired at import + * time. * * Note that the drm gem/prime core does not depend upon drivers setting * this field any more. So for drivers where this doesn't make sense -- cgit v1.2.3 From b5d250744cccfb40024de663ea1f4da04e6d959c Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Fri, 15 May 2020 10:50:50 +0100 Subject: drm/gem: fold drm_gem_object_put_unlocked and __drm_gem_object_put() With earlier patch we removed the overhead so now we can lift the helper into the header effectively folding it with __drm_object_put. v2: drop struct_mutex references (Daniel) 
Signed-off-by: Emil Velikov Acked-by: Sam Ravnborg (v1) Reviewed-by: Daniel Vetter Acked-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-11-emil.l.velikov@gmail.com --- drivers/gpu/drm/drm_gem.c | 19 ------------------- drivers/gpu/drm/i915/gem/i915_gem_object.h | 2 +- include/drm/drm_drv.h | 2 -- include/drm/drm_gem.h | 16 +++------------- 4 files changed, 4 insertions(+), 35 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 21c69e71d685..9ba4b1520d48 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -982,25 +982,6 @@ drm_gem_object_free(struct kref *kref) } EXPORT_SYMBOL(drm_gem_object_free); -/** - * drm_gem_object_put_unlocked - drop a GEM buffer object reference - * @obj: GEM buffer object - * - * This releases a reference to @obj. Callers must not hold the - * &drm_device.struct_mutex lock when calling this function. - * - * See also __drm_gem_object_put(). - */ -void -drm_gem_object_put_unlocked(struct drm_gem_object *obj) -{ - if (!obj) - return; - - kref_put(&obj->refcount, drm_gem_object_free); -} -EXPORT_SYMBOL(drm_gem_object_put_unlocked); - /** * drm_gem_object_put - release a GEM buffer object reference * @obj: GEM buffer object diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h index 2faa481cc18f..41351cbf31b5 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_object.h +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h @@ -105,7 +105,7 @@ __attribute__((nonnull)) static inline void i915_gem_object_put(struct drm_i915_gem_object *obj) { - __drm_gem_object_put(&obj->base); + drm_gem_object_put_unlocked(&obj->base); } #define assert_object_held(obj) dma_resv_assert_held((obj)->base.resv) diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h index e6eff508f687..bb924cddc09c 100644 --- a/include/drm/drm_drv.h +++ b/include/drm/drm_drv.h 
@@ -332,8 +332,6 @@ struct drm_driver { * * This is deprecated and should not be used by new drivers. Use * &drm_gem_object_funcs.free instead. - * Compared to @gem_free_object this is not encumbered with - * &drm_device.struct_mutex legacy locking schemes. */ void (*gem_free_object_unlocked) (struct drm_gem_object *obj); diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h index ec2d24a60a76..c3bdade093ae 100644 --- a/include/drm/drm_gem.h +++ b/include/drm/drm_gem.h @@ -364,27 +364,17 @@ static inline void drm_gem_object_get(struct drm_gem_object *obj) } /** - * __drm_gem_object_put - raw function to release a GEM buffer object reference + * drm_gem_object_put_unlocked - drop a GEM buffer object reference * @obj: GEM buffer object * - * This function is meant to be used by drivers which are not encumbered with - * &drm_device.struct_mutex legacy locking and which are using the - * gem_free_object_unlocked callback. It avoids all the locking checks and - * locking overhead of drm_gem_object_put() and drm_gem_object_put_unlocked(). - * - * Drivers should never call this directly in their code. Instead they should - * wrap it up into a ``driver_gem_object_put(struct driver_gem_object *obj)`` - * wrapper function, and use that. Shared code should never call this, to - * avoid breaking drivers by accident which still depend upon - * &drm_device.struct_mutex locking. + * This releases a reference to @obj. */ static inline void -__drm_gem_object_put(struct drm_gem_object *obj) +drm_gem_object_put_unlocked(struct drm_gem_object *obj) { kref_put(&obj->refcount, drm_gem_object_free); } -void drm_gem_object_put_unlocked(struct drm_gem_object *obj); void drm_gem_object_put(struct drm_gem_object *obj); int drm_gem_handle_create(struct drm_file *file_priv, -- cgit v1.2.3 From eecd7fd8bf58d5d59f948d2655e41760d7cf17d9 Mon Sep 17 00:00:00 2001 
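Review bot: The inline `drm_gem_object_put_unlocked()` in drm_gem.h drops the `if (!obj) return;` guard that the out-of-line version deleted from drm_gem.c in this same commit had, so a NULL argument now reaches `kref_put(&obj->refcount, ...)` and is dereferenced. The commit message describes a fold only, and callers that relied on NULL being accepted are not audited here; the drm_gem_fb_destroy() loop over `fb->obj[i]` shown later on this page looks like one that may pass empty slots. Keeping the guard preserves the old contract: `if (obj) kref_put(&obj->refcount, drm_gem_object_free);`. If NULL is meant to be invalid from now on, the kerneldoc should say so rather than only "This releases a reference to @obj."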
From: Emil Velikov Date: Fri, 15 May 2020 10:50:51 +0100 Subject: drm/gem: add _locked suffix to drm_gem_object_put Vast majority of DRM (core and drivers) are struct_mutex free. As such we have only a handful of cases where the locked helper should be used. Make that stand out a little bit better. Done via the following script: __from=drm_gem_object_put __to=drm_gem_object_put_locked for __file in $(git grep --name-only --word-regexp $__from); do sed -i "s/\<$__from\>/$__to/g" $__file; done Cc: Rob Clark Cc: Sean Paul Cc: linux-arm-msm@vger.kernel.org Signed-off-by: Emil Velikov Acked-by: Sam Ravnborg Reviewed-by: Steven Price Acked-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-12-emil.l.velikov@gmail.com --- drivers/gpu/drm/drm_gem.c | 6 +++--- drivers/gpu/drm/msm/adreno/a5xx_debugfs.c | 4 ++-- drivers/gpu/drm/msm/msm_drv.c | 2 +- drivers/gpu/drm/msm/msm_gem.c | 6 +++--- drivers/gpu/drm/msm/msm_gem_submit.c | 2 +- drivers/gpu/drm/msm/msm_gpu.c | 2 +- include/drm/drm_gem.h | 4 ++-- 7 files changed, 13 insertions(+), 13 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 9ba4b1520d48..d1a7f1844128 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -983,7 +983,7 @@ drm_gem_object_free(struct kref *kref) EXPORT_SYMBOL(drm_gem_object_free); /** - * drm_gem_object_put - release a GEM buffer object reference + * drm_gem_object_put_locked - release a GEM buffer object reference * @obj: GEM buffer object * * This releases a reference to @obj. Callers must hold the @@ -994,7 +994,7 @@ EXPORT_SYMBOL(drm_gem_object_free); * drm_gem_object_put_unlocked() instead. */ void -drm_gem_object_put(struct drm_gem_object *obj) +drm_gem_object_put_locked(struct drm_gem_object *obj) { if (obj) { WARN_ON(!mutex_is_locked(&obj->dev->struct_mutex)); 
@@ -1002,7 +1002,7 @@ drm_gem_object_put(struct drm_gem_object *obj) kref_put(&obj->refcount, drm_gem_object_free); } } -EXPORT_SYMBOL(drm_gem_object_put); +EXPORT_SYMBOL(drm_gem_object_put_locked); /** * drm_gem_vm_open - vma->ops->open implementation for GEM diff --git a/drivers/gpu/drm/msm/adreno/a5xx_debugfs.c b/drivers/gpu/drm/msm/adreno/a5xx_debugfs.c index 8cae2ca4af6b..68eddac7771c 100644 --- a/drivers/gpu/drm/msm/adreno/a5xx_debugfs.c +++ b/drivers/gpu/drm/msm/adreno/a5xx_debugfs.c @@ -124,13 +124,13 @@ reset_set(void *data, u64 val) if (a5xx_gpu->pm4_bo) { msm_gem_unpin_iova(a5xx_gpu->pm4_bo, gpu->aspace); - drm_gem_object_put(a5xx_gpu->pm4_bo); + drm_gem_object_put_locked(a5xx_gpu->pm4_bo); a5xx_gpu->pm4_bo = NULL; } if (a5xx_gpu->pfp_bo) { msm_gem_unpin_iova(a5xx_gpu->pfp_bo, gpu->aspace); - drm_gem_object_put(a5xx_gpu->pfp_bo); + drm_gem_object_put_locked(a5xx_gpu->pfp_bo); a5xx_gpu->pfp_bo = NULL; } diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index 29295dee2a2e..6baed5b43ea3 100644 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c @@ -932,7 +932,7 @@ static int msm_ioctl_gem_madvise(struct drm_device *dev, void *data, ret = 0; } - drm_gem_object_put(obj); + drm_gem_object_put_locked(obj); unlock: mutex_unlock(&dev->struct_mutex); diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c index 5a6a79fbc9d6..8696c405f709 100644 --- a/drivers/gpu/drm/msm/msm_gem.c +++ b/drivers/gpu/drm/msm/msm_gem.c @@ -879,7 +879,7 @@ void msm_gem_describe_objects(struct list_head *list, struct seq_file *m) } #endif -/* don't call directly! Use drm_gem_object_put() and friends */ +/* don't call directly! Use drm_gem_object_put_locked() and friends */ void msm_gem_free_object(struct drm_gem_object *obj) { struct msm_gem_object *msm_obj = to_msm_bo(obj); 
@@ -1183,7 +1183,7 @@ static void *_msm_gem_kernel_new(struct drm_device *dev, uint32_t size, return vaddr; err: if (locked) - drm_gem_object_put(obj); + drm_gem_object_put_locked(obj); else drm_gem_object_put_unlocked(obj); @@ -1215,7 +1215,7 @@ void msm_gem_kernel_put(struct drm_gem_object *bo, msm_gem_unpin_iova(bo, aspace); if (locked) - drm_gem_object_put(bo); + drm_gem_object_put_locked(bo); else drm_gem_object_put_unlocked(bo); } diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 385d4965a8d0..8f450a245cfb 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -387,7 +387,7 @@ static void submit_cleanup(struct msm_gem_submit *submit) struct msm_gem_object *msm_obj = submit->bos[i].obj; submit_unlock_unpin_bo(submit, i, false); list_del_init(&msm_obj->submit_entry); - drm_gem_object_put(&msm_obj->base); + drm_gem_object_put_locked(&msm_obj->base); } } diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c index 615c5cda5389..86a68f96c48d 100644 --- a/drivers/gpu/drm/msm/msm_gpu.c +++ b/drivers/gpu/drm/msm/msm_gpu.c @@ -694,7 +694,7 @@ static void retire_submit(struct msm_gpu *gpu, struct msm_ringbuffer *ring, /* move to inactive: */ msm_gem_move_to_inactive(&msm_obj->base); msm_gem_unpin_iova(&msm_obj->base, submit->aspace); - drm_gem_object_put(&msm_obj->base); + drm_gem_object_put_locked(&msm_obj->base); } pm_runtime_mark_last_busy(&gpu->pdev->dev); diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h index c3bdade093ae..a231a2b3f5ac 100644 --- a/include/drm/drm_gem.h +++ b/include/drm/drm_gem.h @@ -187,7 +187,7 @@ struct drm_gem_object { * * Reference count of this object * - * Please use drm_gem_object_get() to acquire and drm_gem_object_put() + * Please use drm_gem_object_get() to acquire and drm_gem_object_put_locked() * or drm_gem_object_put_unlocked() to release a reference to a GEM * buffer object. */ 
@@ -375,7 +375,7 @@ drm_gem_object_put_unlocked(struct drm_gem_object *obj) kref_put(&obj->refcount, drm_gem_object_free); } -void drm_gem_object_put(struct drm_gem_object *obj); +void drm_gem_object_put_locked(struct drm_gem_object *obj); int drm_gem_handle_create(struct drm_file *file_priv, struct drm_gem_object *obj, -- cgit v1.2.3 From be6ee102341bc4d07e050dda119ecb91229bc654 Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Fri, 15 May 2020 10:50:53 +0100 Subject: drm: remove _unlocked suffix in drm_gem_object_put_unlocked Spelling out _unlocked for each and every driver is a annoying. Especially if we consider how many drivers, do not know (or need to) about the horror stories involving struct_mutex. Just drop the suffix. It makes the API cleaner. Done via the following script: __from=drm_gem_object_put_unlocked __to=drm_gem_object_put for __file in $(git grep --name-only $__from); do sed -i "s/$__from/$__to/g" $__file; done Pay special attention to the compat #define v2: keep sed and #define removal separate Cc: David Airlie Cc: Daniel Vetter Signed-off-by: Emil Velikov Acked-by: Sam Ravnborg (v1) Reviewed-by: Steven Price Acked-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-14-emil.l.velikov@gmail.com --- Documentation/gpu/drm-mm.rst | 2 +- drivers/gpu/drm/drm_client.c | 2 +- drivers/gpu/drm/drm_gem.c | 26 +++++++++++++------------- drivers/gpu/drm/drm_gem_cma_helper.c | 8 ++++---- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 6 +++--- drivers/gpu/drm/drm_gem_shmem_helper.c | 4 ++-- drivers/gpu/drm/drm_gem_ttm_helper.c | 2 +- drivers/gpu/drm/drm_gem_vram_helper.c | 10 +++++----- drivers/gpu/drm/drm_prime.c | 6 +++--- include/drm/drm_gem.h | 2 +- 10 files changed, 34 insertions(+), 34 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/Documentation/gpu/drm-mm.rst b/Documentation/gpu/drm-mm.rst index 5ba2ead8f317..8c8540ee859c 100644 --- a/Documentation/gpu/drm-mm.rst 
+++ b/Documentation/gpu/drm-mm.rst @@ -178,7 +178,7 @@ GEM Objects Lifetime -------------------- All GEM objects are reference-counted by the GEM core. References can be -acquired and release by calling drm_gem_object_get() and drm_gem_object_put_unlocked() +acquired and release by calling drm_gem_object_get() and drm_gem_object_put() respectively. When the last reference to a GEM object is released the GEM core calls diff --git a/drivers/gpu/drm/drm_client.c b/drivers/gpu/drm/drm_client.c index 8cb93f5209a4..536a22747b51 100644 --- a/drivers/gpu/drm/drm_client.c +++ b/drivers/gpu/drm/drm_client.c @@ -237,7 +237,7 @@ static void drm_client_buffer_delete(struct drm_client_buffer *buffer) drm_gem_vunmap(buffer->gem, buffer->vaddr); if (buffer->gem) - drm_gem_object_put_unlocked(buffer->gem); + drm_gem_object_put(buffer->gem); if (buffer->handle) drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file); diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index d1a7f1844128..efc0367841e2 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -235,7 +235,7 @@ drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) mutex_unlock(&dev->object_name_lock); if (final) - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); } /* @@ -331,7 +331,7 @@ int drm_gem_dumb_map_offset(struct drm_file *file, struct drm_device *dev, *offset = drm_vma_node_offset_addr(&obj->vma_node); out: - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return ret; } @@ -690,7 +690,7 @@ static int objects_lookup(struct drm_file *filp, u32 *handle, int count, * Returns: * * @objs filled in with GEM object pointers. Returned GEM objects need to be - * released with drm_gem_object_put_unlocked(). -ENOENT is returned on a lookup + * released with drm_gem_object_put(). -ENOENT is returned on a lookup * failure. 0 is returned on success. * */ 
@@ -785,7 +785,7 @@ long drm_gem_dma_resv_wait(struct drm_file *filep, u32 handle, else if (ret > 0) ret = 0; - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return ret; } @@ -860,7 +860,7 @@ drm_gem_flink_ioctl(struct drm_device *dev, void *data, err: mutex_unlock(&dev->object_name_lock); - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return ret; } @@ -898,7 +898,7 @@ drm_gem_open_ioctl(struct drm_device *dev, void *data, /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */ ret = drm_gem_handle_create_tail(file_priv, obj, &handle); - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); if (ret) return ret; @@ -991,7 +991,7 @@ EXPORT_SYMBOL(drm_gem_object_free); * driver doesn't use &drm_device.struct_mutex for anything. * * For drivers not encumbered with legacy locking use - * drm_gem_object_put_unlocked() instead. + * drm_gem_object_put() instead. */ void drm_gem_object_put_locked(struct drm_gem_object *obj) @@ -1030,7 +1030,7 @@ void drm_gem_vm_close(struct vm_area_struct *vma) { struct drm_gem_object *obj = vma->vm_private_data; - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); } EXPORT_SYMBOL(drm_gem_vm_close); @@ -1079,7 +1079,7 @@ int drm_gem_mmap_obj(struct drm_gem_object *obj, unsigned long obj_size, if (obj->funcs && obj->funcs->mmap) { ret = obj->funcs->mmap(obj, vma); if (ret) { - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return ret; } WARN_ON(!(vma->vm_flags & VM_DONTEXPAND)); @@ -1089,7 +1089,7 @@ int drm_gem_mmap_obj(struct drm_gem_object *obj, unsigned long obj_size, else if (dev->driver->gem_vm_ops) vma->vm_ops = dev->driver->gem_vm_ops; else { - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return -EINVAL; } 
@@ -1155,13 +1155,13 @@ int drm_gem_mmap(struct file *filp, struct vm_area_struct *vma) return -EINVAL; if (!drm_vma_node_is_allowed(node, priv)) { - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return -EACCES; } if (node->readonly) { if (vma->vm_flags & VM_WRITE) { - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return -EINVAL; } @@ -1171,7 +1171,7 @@ int drm_gem_mmap(struct file *filp, struct vm_area_struct *vma) ret = drm_gem_mmap_obj(obj, drm_vma_node_size(node) << PAGE_SHIFT, vma); - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return ret; } diff --git a/drivers/gpu/drm/drm_gem_cma_helper.c b/drivers/gpu/drm/drm_gem_cma_helper.c index 12e98fb28229..b3db3ca7bd7a 100644 --- a/drivers/gpu/drm/drm_gem_cma_helper.c +++ b/drivers/gpu/drm/drm_gem_cma_helper.c @@ -114,7 +114,7 @@ struct drm_gem_cma_object *drm_gem_cma_create(struct drm_device *drm, return cma_obj; error: - drm_gem_object_put_unlocked(&cma_obj->base); + drm_gem_object_put(&cma_obj->base); return ERR_PTR(ret); } EXPORT_SYMBOL_GPL(drm_gem_cma_create); @@ -156,7 +156,7 @@ drm_gem_cma_create_with_handle(struct drm_file *file_priv, */ ret = drm_gem_handle_create(file_priv, gem_obj, handle); /* drop reference from allocate - handle holds it now. */ - drm_gem_object_put_unlocked(gem_obj); + drm_gem_object_put(gem_obj); if (ret) return ERR_PTR(ret); @@ -380,13 +380,13 @@ unsigned long drm_gem_cma_get_unmapped_area(struct file *filp, return -EINVAL; if (!drm_vma_node_is_allowed(node, priv)) { - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return -EACCES; } cma_obj = to_drm_gem_cma_obj(obj); - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); return cma_obj->vaddr ? (unsigned long)cma_obj->vaddr : -EINVAL; } diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index ccc2c71fa491..109d11fb4cd4 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c 
+++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -95,7 +95,7 @@ void drm_gem_fb_destroy(struct drm_framebuffer *fb) int i; for (i = 0; i < 4; i++) - drm_gem_object_put_unlocked(fb->obj[i]); + drm_gem_object_put(fb->obj[i]); drm_framebuffer_cleanup(fb); kfree(fb); @@ -175,7 +175,7 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, + mode_cmd->offsets[i]; if (objs[i]->size < min_size) { - drm_gem_object_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); ret = -EINVAL; goto err_gem_object_put; } @@ -189,7 +189,7 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, err_gem_object_put: for (i--; i >= 0; i--) - drm_gem_object_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); return ret; } diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index df31e5782eed..339eee79ea52 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -360,7 +360,7 @@ drm_gem_shmem_create_with_handle(struct drm_file *file_priv, */ ret = drm_gem_handle_create(file_priv, &shmem->base, handle); /* drop reference from allocate - handle holds it now. */ - drm_gem_object_put_unlocked(&shmem->base); + drm_gem_object_put(&shmem->base); if (ret) return ERR_PTR(ret); @@ -684,7 +684,7 @@ drm_gem_shmem_prime_import_sg_table(struct drm_device *dev, err_free_array: kvfree(shmem->pages); err_free_gem: - drm_gem_object_put_unlocked(&shmem->base); + drm_gem_object_put(&shmem->base); return ERR_PTR(ret); } diff --git a/drivers/gpu/drm/drm_gem_ttm_helper.c b/drivers/gpu/drm/drm_gem_ttm_helper.c index 605a8a3da7f9..892b2288a104 100644 --- a/drivers/gpu/drm/drm_gem_ttm_helper.c +++ b/drivers/gpu/drm/drm_gem_ttm_helper.c @@ -74,7 +74,7 @@ int drm_gem_ttm_mmap(struct drm_gem_object *gem, * ttm has its own object refcounting, so drop gem reference * to avoid double accounting counting. */ - drm_gem_object_put_unlocked(gem); + drm_gem_object_put(gem); return 0; } 
diff --git a/drivers/gpu/drm/drm_gem_vram_helper.c b/drivers/gpu/drm/drm_gem_vram_helper.c index 8b2d5c945c95..0023ce1d2cf7 100644 --- a/drivers/gpu/drm/drm_gem_vram_helper.c +++ b/drivers/gpu/drm/drm_gem_vram_helper.c @@ -618,9 +618,9 @@ int drm_gem_vram_fill_create_dumb(struct drm_file *file, ret = drm_gem_handle_create(file, &gbo->bo.base, &handle); if (ret) - goto err_drm_gem_object_put_unlocked; + goto err_drm_gem_object_put; - drm_gem_object_put_unlocked(&gbo->bo.base); + drm_gem_object_put(&gbo->bo.base); args->pitch = pitch; args->size = size; @@ -628,8 +628,8 @@ int drm_gem_vram_fill_create_dumb(struct drm_file *file, return 0; -err_drm_gem_object_put_unlocked: - drm_gem_object_put_unlocked(&gbo->bo.base); +err_drm_gem_object_put: + drm_gem_object_put(&gbo->bo.base); return ret; } EXPORT_SYMBOL(drm_gem_vram_fill_create_dumb); @@ -737,7 +737,7 @@ int drm_gem_vram_driver_dumb_mmap_offset(struct drm_file *file, gbo = drm_gem_vram_of_gem(gem); *offset = drm_gem_vram_mmap_offset(gbo); - drm_gem_object_put_unlocked(gem); + drm_gem_object_put(gem); return 0; } diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c index 282774e469ac..bbfc713bfdc3 100644 --- a/drivers/gpu/drm/drm_prime.c +++ b/drivers/gpu/drm/drm_prime.c @@ -270,7 +270,7 @@ void drm_gem_dmabuf_release(struct dma_buf *dma_buf) struct drm_device *dev = obj->dev; /* drop the reference on the export fd holds */ - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); drm_dev_put(dev); } @@ -329,7 +329,7 @@ int drm_gem_prime_fd_to_handle(struct drm_device *dev, /* _handle_create_tail unconditionally unlocks dev->object_name_lock. */ ret = drm_gem_handle_create_tail(file_priv, obj, handle); - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); if (ret) goto out_put; @@ -500,7 +500,7 @@ out_have_handle: fail_put_dmabuf: dma_buf_put(dmabuf); out: - drm_gem_object_put_unlocked(obj); + drm_gem_object_put(obj); out_unlock: mutex_unlock(&file_priv->prime.lock); 
diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h index 2f7b86c0649c..10c5d561eb18 100644 --- a/include/drm/drm_gem.h +++ b/include/drm/drm_gem.h @@ -188,7 +188,7 @@ struct drm_gem_object { * Reference count of this object * * Please use drm_gem_object_get() to acquire and drm_gem_object_put_locked() - * or drm_gem_object_put_unlocked() to release a reference to a GEM + * or drm_gem_object_put() to release a reference to a GEM * buffer object. */ struct kref refcount; -- cgit v1.2.3 From e0b3d2140ec6f04335eb20f4651ca2b705084268 Mon Sep 17 00:00:00 2001 From: Daniel Vetter Date: Mon, 11 May 2020 11:35:47 +0200 Subject: drm/gem: WARN if drm_gem_get_pages is called on a private obj No real functional change, since this just converts an annoying Oops into a more harmless WARNING backtrace. It's still a driver bug. Acked-by: Thomas Zimmermann Tested-by: Boris Brezillon Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20200511093554.211493-3-daniel.vetter@ffwll.ch --- drivers/gpu/drm/drm_gem.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index efc0367841e2..94dd94230fd1 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -548,6 +548,10 @@ static void drm_gem_check_release_pagevec(struct pagevec *pvec) * set during initialization. If you have special zone constraints, set them * after drm_gem_object_init() via mapping_set_gfp_mask(). shmem-core takes care * to keep pages in the required zone during swap-in. + * + * This function is only valid on objects initialized with + * drm_gem_object_init(), but not for those initialized with + * drm_gem_private_object_init() only. */ struct page **drm_gem_get_pages(struct drm_gem_object *obj) { 
@@ -556,6 +560,10 @@ struct page **drm_gem_get_pages(struct drm_gem_object *obj) struct pagevec pvec; int i, npages; + + if (WARN_ON(!obj->filp)) + return ERR_PTR(-EINVAL); + /* This is the shared memory object that backs the GEM resource */ mapping = obj->filp->f_mapping; -- cgit v1.2.3 From ad0f449bebc79b01583c711684fefcdc9620320a Mon Sep 17 00:00:00 2001 From: Thomas Zimmermann Date: Fri, 5 Jun 2020 09:32:47 +0200 Subject: drm: Remove struct drm_driver.gem_print_info The .gem_print_info callback in struct drm_driver is obsolete and has no users left. Remove it. Signed-off-by: Thomas Zimmermann Suggested-by: Emil Velikov Reviewed-by: Emil Velikov Reviewed-by: Laurent Pinchart Link: https://patchwork.freedesktop.org/patch/msgid/20200605073247.4057-44-tzimmermann@suse.de --- drivers/gpu/drm/drm_gem.c | 2 -- include/drm/drm_drv.h | 17 ----------------- 2 files changed, 19 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 94dd94230fd1..a57f5379fc08 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -1199,8 +1199,6 @@ void drm_gem_print_info(struct drm_printer *p, unsigned int indent, if (obj->funcs && obj->funcs->print_info) obj->funcs->print_info(p, indent, obj); - else if (obj->dev->driver->gem_print_info) - obj->dev->driver->gem_print_info(p, indent, obj); } int drm_gem_pin(struct drm_gem_object *obj) diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h index bb924cddc09c..8f110a28b6a2 100644 --- a/include/drm/drm_drv.h +++ b/include/drm/drm_drv.h 
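Review bot: The new `WARN_ON(!obj->filp)` fires on every call, so if a driver exposes this path to userspace the backtrace can be repeated at will and floods the log, and on systems configured to panic on warnings it is no softer than the Oops it replaces. `if (WARN_ON_ONCE(!obj->filp))` keeps the diagnostic while bounding the noise. The hunk also adds a second blank line before the check. Callers have to test the result with IS_ERR() rather than against NULL; the rest of drm_gem_get_pages() is outside the hunk, so whether it already returns ERR_PTR values elsewhere cannot be confirmed from here.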
@@ -353,23 +353,6 @@ struct drm_driver { */ void (*gem_close_object) (struct drm_gem_object *, struct drm_file *); - /** - * @gem_print_info: - * - * This callback is deprecated in favour of - * &drm_gem_object_funcs.print_info. - * - * If driver subclasses struct &drm_gem_object, it can implement this - * optional hook for printing additional driver specific info. - * - * drm_printf_indent() should be used in the callback passing it the - * indent argument. - * - * This callback is called from drm_gem_print_info(). - */ - void (*gem_print_info)(struct drm_printer *p, unsigned int indent, - const struct drm_gem_object *obj); - /** * @gem_create_object: constructor for gem objects * -- cgit v1.2.3 From 8490d6a7e0a0a6fab5c2d82d57a3937306660864 Mon Sep 17 00:00:00 2001 From: Steve Cohen Date: Mon, 20 Jul 2020 18:30:50 -0400 Subject: drm: hold gem reference until object is no longer accessed A use-after-free in drm_gem_open_ioctl can happen if the GEM object handle is closed between the idr lookup and retrieving the size from said object since a local reference is not being held at that point. Hold the local reference while the object can still be accessed to fix this and plug the potential security hole. Signed-off-by: Steve Cohen Cc: stable@vger.kernel.org Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/1595284250-31580-1-git-send-email-cohens@codeaurora.org --- drivers/gpu/drm/drm_gem.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 7bf628e13023..ee2058ad482c 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c 
@@ -871,9 +871,6 @@ err: * @file_priv: drm file-private structure * * Open an object using the global name, returning a handle and the size. - * - * This handle (of course) holds a reference to the object, so the object - * will not go away until the handle is deleted. */ int drm_gem_open_ioctl(struct drm_device *dev, void *data, @@ -898,14 +895,15 @@ drm_gem_open_ioctl(struct drm_device *dev, void *data, /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */ ret = drm_gem_handle_create_tail(file_priv, obj, &handle); - drm_gem_object_put_unlocked(obj); if (ret) - return ret; + goto err; args->handle = handle; args->size = obj->size; - return 0; +err: + drm_gem_object_put_unlocked(obj); + return ret; } /** -- cgit v1.2.3 From a9e10b169e65f0f7061233ebe843a4b4f488dbae Mon Sep 17 00:00:00 2001 From: Steve Cohen Date: Wed, 29 Jul 2020 01:35:52 -0400 Subject: drm: re-add deleted doc for drm_gem_open_ioctl Add back the removed documentation for drm_gem_open_ioctl. This patch is submitted in response to [1]. [1] https://lore.kernel.org/linux-arm-msm/20200728085244.GY6419@phenom.ffwll.local/ Signed-off-by: Steve Cohen Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/1596000952-27621-1-git-send-email-cohens@codeaurora.org --- drivers/gpu/drm/drm_gem.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers/gpu/drm/drm_gem.c') diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index ee2058ad482c..fe9412219b1e 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -871,6 +871,9 @@ err: * @file_priv: drm file-private structure * * Open an object using the global name, returning a handle and the size. + * + * This handle (of course) holds a reference to the object, so the object + * will not go away until the handle is deleted. */ int drm_gem_open_ioctl(struct drm_device *dev, void *data, -- cgit v1.2.3
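Review bot: The `err:` label in drm_gem_open_ioctl() is now reached on the success path as well, so the name no longer matches its use; `out:` with `goto out;` after the failed drm_gem_handle_create_tail() would read correctly. Since the ordering is what closes the use-after-free, I would pin it with a comment above the final put, for example `/* Drop the lookup reference only after obj->size has been read; the new handle can be closed concurrently. */`. The same commit also deletes the kerneldoc paragraph about the handle holding a reference, which is unrelated to the fix and is restored by the following patch on this page. The start of the function, including the idr lookup, is outside the hunk.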