Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp799757pxb; Tue, 3 Nov 2020 12:53:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJxEMoe7Ma2d8KYLi6tScKv1GnppKlaEOWSiXrZqTa/zU/bLNB4IDw4YxP9AL64p2x0Enj2X X-Received: by 2002:a05:6402:3056:: with SMTP id bu22mr23294444edb.252.1604436801680; Tue, 03 Nov 2020 12:53:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604436801; cv=none; d=google.com; s=arc-20160816; b=sdEQkCkRuT45U4X5mYoJUP7IR3C4nu/2lg5vaU2JhT54ZepLHbBWycwPvs37ay+gHi YVVhmCpWUVSUwy9d2CRmwilzmQenQa5K3haVlZz8w6WUjrgCUbOSkJeOUD1HLAGTQ0Zv jQJekk/FbnLM+ZnKhptusRHBDp6Z3MWvJpnvnhjCMJDSTpOsm3bSqaafNIC4tX2Xe61a Q+WvWPh+WdWo0HrzX7joK2xCjrYM6lzqqaIzWye92AzGGzR0U/MQp0ArOnFexskAzuwQ DjoV7eL/Z7p/UjX+DU+81Z88EzzbrjjV8vQYtrp/lcJWv7eDDRflnTDzuIazOpY5GXx1 /x5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Ch1gm/0eU/iTIQ6fdga3Y/4KsrYxJfNv1prxNtc7/Ds=; b=D/vG2StgBlquFifO6m9LTgC++Hb7znVGwXiKKa5t3cRa1fjgbFllCwx5UVdPd4lr/4 WXI3BBujDG3r1L5qEiiQXkTu/0d5JEy3OYAphNITotG+ybdtJQKg8UWyLv5zvIgy2+Gz wumKGXDvKBRPyl5uYQSaZ2cvEvHEKkRDfK9ZAFxN+ZMc/V1+0Cj1g/g/upsoJE0P+jeb Chb/XRhs15R8pmdY2japP8T/dPgmx6u9WhvgeDymXe/kTADPfKo4KPCh8YhWKNRgI6n9 kwBCpG85VvkCasG99HOtyY1U5a5ZDifEp2L43zqFxzImgU1Wtp7EBkARucZnKaKKOMwC uvsg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=fZNhfo31; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b1si4433ejb.290.2020.11.03.12.52.58; Tue, 03 Nov 2020 12:53:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=fZNhfo31; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730974AbgKCUtg (ORCPT + 99 others); Tue, 3 Nov 2020 15:49:36 -0500 Received: from mail.kernel.org ([198.145.29.99]:42284 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731535AbgKCUt0 (ORCPT ); Tue, 3 Nov 2020 15:49:26 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 64561223FD; Tue, 3 Nov 2020 20:49:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604436564; bh=H/bahLUtNGlRGYIevvmapEfWHWWFAfHpFt8kL4xiXQA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fZNhfo31Yy6TcO9SQ1wjM64U4BOIlj6Wt1UcsqvtLGLHktjT5qTQnj1D5bHJoSzzL 5urSeXgEO6V+Fn0upevWsZXDInHEwJQUSmzbVXFBSRsRXI0GAFJwPZhSFWRnGbWQCs 5dLw7muACcI7fKTFgepnuXq0aF8vAxYvRb32Aa58= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Boris Brezillon , =?UTF-8?q?Christian=20K=C3=B6nig?= , Sumit Semwal , Lucas Stach , Russell King , Christian Gmeiner , Inki Dae , Joonyoung Shim , Seung-Woo Kim , Kyungmin Park , Thomas Zimmermann , Gerd Hoffmann , Rob Herring , dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, piotr.oniszczuk@gmail.com, Daniel Vetter Subject: [PATCH 5.9 267/391] drm/shme-helpers: Fix dma_buf_mmap forwarding bug Date: Tue, 3 Nov 2020 21:35:18 +0100 Message-Id: <20201103203405.042055538@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201103203348.153465465@linuxfoundation.org> References: <20201103203348.153465465@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Daniel Vetter commit f49a51bfdc8ea717c97ccd4cc98b7e6daaa5553a upstream. When we forward an mmap to the dma_buf exporter, they get to own everything. Unfortunately drm_gem_mmap_obj() overwrote vma->vm_private_data after the driver callback, wreaking the exporter complete. This was noticed because vb2_common_vm_close blew up on mali gpu with panfrost after commit 26d3ac3cb04d ("drm/shmem-helpers: Redirect mmap for imported dma-buf"). Unfortunately drm_gem_mmap_obj also acquires a surplus reference that we need to drop in shmem helpers, which is a bit of a mislayer situation. Maybe the entire dma_buf_mmap forwarding should be pulled into core gem code. Note that the only two other drivers which forward mmap in their own code (etnaviv and exynos) get this somewhat right by overwriting the gem mmap code. But they seem to still have the leak. This might be a good excuse to move these drivers over to shmem helpers completely. Reviewed-by: Boris Brezillon Acked-by: Christian König Cc: Christian König Cc: Sumit Semwal Cc: Lucas Stach Cc: Russell King Cc: Christian Gmeiner Cc: Inki Dae Cc: Joonyoung Shim Cc: Seung-Woo Kim Cc: Kyungmin Park Fixes: 26d3ac3cb04d ("drm/shmem-helpers: Redirect mmap for imported dma-buf") Cc: Boris Brezillon Cc: Thomas Zimmermann Cc: Gerd Hoffmann Cc: Rob Herring Cc: dri-devel@lists.freedesktop.org Cc: linux-media@vger.kernel.org Cc: linaro-mm-sig@lists.linaro.org Cc: # v5.9+ Reported-and-tested-by: piotr.oniszczuk@gmail.com Cc: piotr.oniszczuk@gmail.com Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20201027214922.3566743-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/drm_gem.c | 4 ++-- drivers/gpu/drm/drm_gem_shmem_helper.c | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -1085,6 +1085,8 @@ int drm_gem_mmap_obj(struct drm_gem_obje */ drm_gem_object_get(obj); + vma->vm_private_data = obj; + if (obj->funcs && obj->funcs->mmap) { ret = obj->funcs->mmap(obj, vma); if (ret) { @@ -1107,8 +1109,6 @@ int drm_gem_mmap_obj(struct drm_gem_obje vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot); } - vma->vm_private_data = obj; - return 0; } EXPORT_SYMBOL(drm_gem_mmap_obj); --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -594,8 +594,13 @@ int drm_gem_shmem_mmap(struct drm_gem_ob /* Remove the fake offset */ vma->vm_pgoff -= drm_vma_node_start(&obj->vma_node); - if (obj->import_attach) + if (obj->import_attach) { + /* Drop the reference drm_gem_mmap_obj() acquired.*/ + drm_gem_object_put(obj); + vma->vm_private_data = NULL; + return dma_buf_mmap(obj->dma_buf, vma, 0); + } shmem = to_drm_gem_shmem_obj(obj);