From: Boris Brezillon <boris.brezillon@collabora.com>
To: "Loïc Molinari" <loic.molinari@collabora.com>
Cc: dri-devel@lists.freedesktop.org, David Airlie <airlied@gmail.com>,
Simona Vetter <simona@ffwll.ch>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
kernel@collabora.com
Subject: Re: [PATCH] drm/gem: Fix a GEM leak in drm_gem_get_unmapped_area()
Date: Thu, 8 Jan 2026 14:43:44 +0100 [thread overview]
Message-ID: <20260108144344.33952ddf@fedora> (raw)
In-Reply-To: <43836c92-d19e-43c9-8480-cb26c37bdfea@collabora.com>
On Thu, 8 Jan 2026 14:25:01 +0100
Loïc Molinari <loic.molinari@collabora.com> wrote:
> On 07/01/2026 12:12, Boris Brezillon wrote:
> > On Tue, 6 Jan 2026 17:49:35 +0100
> > Boris Brezillon <boris.brezillon@collabora.com> wrote:
> >
> >> drm_gem_object_lookup_at_offset() can return a valid object with
> >> filp or filp->f_op->get_unmapped_area set to NULL. Make sure we still
> >> release the ref we acquired on such objects.
> >>
> >> Cc: Loïc Molinari <loic.molinari@collabora.com>
> >> Fixes: 99bda20d6d4c ("drm/gem: Introduce drm_gem_get_unmapped_area() fop")
> >> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
> >> ---
> >> drivers/gpu/drm/drm_gem.c | 10 ++++++----
> >> 1 file changed, 6 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> >> index 36c8af123877..f7cbf6e8d1e0 100644
> >> --- a/drivers/gpu/drm/drm_gem.c
> >> +++ b/drivers/gpu/drm/drm_gem.c
> >> @@ -1298,11 +1298,13 @@ unsigned long drm_gem_get_unmapped_area(struct file *filp, unsigned long uaddr,
> >> unsigned long ret;
> >>
> >> obj = drm_gem_object_lookup_at_offset(filp, pgoff, len >> PAGE_SHIFT);
> >> - if (IS_ERR(obj) || !obj->filp || !obj->filp->f_op->get_unmapped_area)
> >> - return mm_get_unmapped_area(filp, uaddr, len, 0, flags);
> >> + if (IS_ERR(obj))
> >> + obj = NULL;
> >>
> >> - ret = obj->filp->f_op->get_unmapped_area(obj->filp, uaddr, len, 0,
> >> - flags);
> >> + if (!obj || !obj->filp || !obj->filp->f_op->get_unmapped_area)
> >> + ret = mm_get_unmapped_area(filp, uaddr, len, 0, flags);
> >
> > Also, I'm wondering if we shouldn't pass pgoff instead of zero here to
> > have the exact same behavior that existed before
> > drm_gem_get_unmapped_area() was introduced.
> >
>
> For mappings with a file (the DRM file in our case), if
> filp->f_op->get_unmapped_area isn't set then generic_get_unmapped_area()
> is used and it ignores the pgoff argument.
That's true for architectures that rely on the default implementation
(Arm64 for instance), but other architectures might have their own
implementation.
> So it wasn't 0 before but was
> ignored anyway.
Didn't check all of them but the Arm implementation does take this
pgoff into account if I read the code correctly [1]. The fact this
argument is passed around makes me think other architectures might take
this into account too. I know this pgoff is just a fake offset into the
/dev/dri pseudo-file, but if we want to err on the safe side, we'd
rather do exactly what was done before drm_gem_get_unmapped_area() was
introduced for the ->filp==NULL case. That's just my 2 cts, of course.
Regards,
Boris
[1]https://elixir.bootlin.com/linux/v6.18.3/source/arch/arm/mm/mmap.c#L30
next prev parent reply other threads:[~2026-01-08 13:43 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-06 16:49 [PATCH] drm/gem: Fix a GEM leak in drm_gem_get_unmapped_area() Boris Brezillon
2026-01-07 11:12 ` Boris Brezillon
2026-01-08 13:25 ` Loïc Molinari
2026-01-08 13:43 ` Boris Brezillon [this message]
2026-01-08 14:04 ` Loïc Molinari
2026-01-08 14:45 ` Boris Brezillon
2026-01-09 9:42 ` Loïc Molinari
2026-01-09 9:50 ` Boris Brezillon
2026-01-08 13:18 ` Loïc Molinari
2026-01-08 13:31 ` Boris Brezillon
2026-01-08 14:09 ` Loïc Molinari
2026-01-09 12:02 ` Boris Brezillon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260108144344.33952ddf@fedora \
--to=boris.brezillon@collabora.com \
--cc=airlied@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=kernel@collabora.com \
--cc=loic.molinari@collabora.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=simona@ffwll.ch \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.