From: Boris Brezillon <boris.brezillon@collabora.com>
To: Alice Ryhl <aliceryhl@google.com>
Cc: "Danilo Krummrich" <dakr@kernel.org>,
"Matthew Brost" <matthew.brost@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Maxime Ripard" <mripard@kernel.org>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Steven Price" <steven.price@arm.com>,
"Daniel Almeida" <daniel.almeida@collabora.com>,
"Liviu Dudau" <liviu.dudau@arm.com>,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v2 2/2] panthor: use drm_gpuva_unlink_defer()
Date: Thu, 11 Sep 2025 13:18:17 +0200 [thread overview]
Message-ID: <20250911131817.3e0ab0d0@fedora> (raw)
In-Reply-To: <aMKtuwdk2HsejS-Q@google.com>
On Thu, 11 Sep 2025 11:08:43 +0000
Alice Ryhl <aliceryhl@google.com> wrote:
> On Thu, Sep 11, 2025 at 12:15:37PM +0200, Boris Brezillon wrote:
> > On Tue, 09 Sep 2025 13:36:23 +0000
> > Alice Ryhl <aliceryhl@google.com> wrote:
> >
> > > static void panthor_vma_init(struct panthor_vma *vma, u32 flags)
> > > @@ -2084,12 +2010,12 @@ static int panthor_gpuva_sm_step_map(struct drm_gpuva_op *op, void *priv)
> > > if (ret)
> > > return ret;
> > >
> > > - /* Ref owned by the mapping now, clear the obj field so we don't release the
> > > - * pinning/obj ref behind GPUVA's back.
> > > - */
> > > drm_gpuva_map(&vm->base, &vma->base, &op->map);
> > > panthor_vma_link(vm, vma, op_ctx->map.vm_bo);
> > > +
> > > + drm_gpuvm_bo_put_deferred(op_ctx->map.vm_bo);
> > > op_ctx->map.vm_bo = NULL;
> >
> > Hm, I don't see why we need a drm_gpuvm_bo_put_deferred() here. The
> > original idea was to delegate the vm_bo ownership to the VA being added
> > to the VM tree, so if we put it here, we have a UAF situation, don't we?
>
> The vm_bo refcount goes like this:
>
> incr vm_bo_obtain()
> incr vma_link()
> decr vm_bo_put()
>
> There is no decrement in panthor_vm_cleanup_op_ctx() due to this line:
>
> op_ctx->map.vm_bo = NULL
>
> So when everything is done, it is linked once and the refcount is
> incremented by one, which is correct.
Ah, right, I overlooked the change to panthor_vma_link() where you drop
the _put().
next prev parent reply other threads:[~2025-09-11 11:18 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-09 13:36 [PATCH v2 0/2] Defer vm_bo cleanup in GPUVM with DRM_GPUVM_IMMEDIATE_MODE Alice Ryhl
2025-09-09 13:36 ` [PATCH v2 1/2] drm/gpuvm: add deferred vm_bo cleanup Alice Ryhl
2025-09-09 13:39 ` Alice Ryhl
2025-09-11 11:57 ` Boris Brezillon
2025-09-11 12:00 ` Boris Brezillon
2025-09-09 14:20 ` Thomas Hellström
2025-09-10 6:39 ` Alice Ryhl
2025-09-11 12:18 ` Boris Brezillon
2025-09-09 13:36 ` [PATCH v2 2/2] panthor: use drm_gpuva_unlink_defer() Alice Ryhl
2025-09-11 10:15 ` Boris Brezillon
2025-09-11 11:08 ` Alice Ryhl
2025-09-11 11:18 ` Boris Brezillon [this message]
2025-09-11 12:35 ` Boris Brezillon
2025-09-11 12:38 ` Boris Brezillon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250911131817.3e0ab0d0@fedora \
--to=boris.brezillon@collabora.com \
--cc=airlied@gmail.com \
--cc=aliceryhl@google.com \
--cc=dakr@kernel.org \
--cc=daniel.almeida@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liviu.dudau@arm.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=matthew.brost@intel.com \
--cc=mripard@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=simona@ffwll.ch \
--cc=steven.price@arm.com \
--cc=thomas.hellstrom@linux.intel.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.