[PATCH] Revert "drm/tegra: Use dma_buf from GEM object instance"

dri-devel.lists.freedesktop.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] Revert "drm/tegra: Use dma_buf from GEM object instance"
@ 2025-07-15  8:45 Thomas Zimmermann
  2025-07-15 13:16 ` Simona Vetter
  2025-08-12  9:12 ` Thomas Zimmermann
  0 siblings, 2 replies; 4+ messages in thread
From: Thomas Zimmermann @ 2025-07-15  8:45 UTC (permalink / raw)
  To: thierry.reding, mperttunen, airlied, simona, jonathanh
  Cc: linux-tegra, dri-devel, Thomas Zimmermann

This reverts commit 482c7e296edc0f594e8869a789a40be53c49bd6a.

The dma_buf field in struct drm_gem_object is not stable over the
object instance's lifetime. The field becomes NULL when user space
releases the final GEM handle on the buffer object. This resulted
in a NULL-pointer deref.

Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on
GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer:
Acquire internal references on GEM handles") only solved the problem
partially. They especially don't work for buffer objects without a DRM
framebuffer associated.

Hence, this revert to going back to using .import_attach->dmabuf.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
---
 drivers/gpu/drm/tegra/gem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
index 41a285ec889f..8ede07fb7a21 100644
--- a/drivers/gpu/drm/tegra/gem.c
+++ b/drivers/gpu/drm/tegra/gem.c
@@ -526,7 +526,7 @@ void tegra_bo_free_object(struct drm_gem_object *gem)
 		if (drm_gem_is_imported(gem)) {
 			dma_buf_unmap_attachment_unlocked(gem->import_attach, bo->sgt,
 							  DMA_TO_DEVICE);
-			dma_buf_detach(gem->dma_buf, gem->import_attach);
+			dma_buf_detach(gem->import_attach->dmabuf, gem->import_attach);
 		}
 	}

-- 
2.50.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] Revert "drm/tegra: Use dma_buf from GEM object instance"
  2025-07-15  8:45 [PATCH] Revert "drm/tegra: Use dma_buf from GEM object instance" Thomas Zimmermann
@ 2025-07-15 13:16 ` Simona Vetter
  2025-08-12  9:12 ` Thomas Zimmermann
  1 sibling, 0 replies; 4+ messages in thread
From: Simona Vetter @ 2025-07-15 13:16 UTC (permalink / raw)
  To: Thomas Zimmermann
  Cc: thierry.reding, mperttunen, airlied, simona, jonathanh,
	linux-tegra, dri-devel

On Tue, Jul 15, 2025 at 10:45:39AM +0200, Thomas Zimmermann wrote:
> This reverts commit 482c7e296edc0f594e8869a789a40be53c49bd6a.
> 
> The dma_buf field in struct drm_gem_object is not stable over the
> object instance's lifetime. The field becomes NULL when user space
> releases the final GEM handle on the buffer object. This resulted
> in a NULL-pointer deref.
> 
> Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on
> GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer:
> Acquire internal references on GEM handles") only solved the problem
> partially. They especially don't work for buffer objects without a DRM
> framebuffer associated.
> 
> Hence, this revert to going back to using .import_attach->dmabuf.
> 
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>

Reviewed-by: Simona Vetter <simona.vetter@ffwll.ch>

> ---
>  drivers/gpu/drm/tegra/gem.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
> index 41a285ec889f..8ede07fb7a21 100644
> --- a/drivers/gpu/drm/tegra/gem.c
> +++ b/drivers/gpu/drm/tegra/gem.c
> @@ -526,7 +526,7 @@ void tegra_bo_free_object(struct drm_gem_object *gem)
>  		if (drm_gem_is_imported(gem)) {
>  			dma_buf_unmap_attachment_unlocked(gem->import_attach, bo->sgt,
>  							  DMA_TO_DEVICE);
> -			dma_buf_detach(gem->dma_buf, gem->import_attach);
> +			dma_buf_detach(gem->import_attach->dmabuf, gem->import_attach);
>  		}
>  	}
>  
> -- 
> 2.50.0
> 

-- 
Simona Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] Revert "drm/tegra: Use dma_buf from GEM object instance"
  2025-07-15  8:45 [PATCH] Revert "drm/tegra: Use dma_buf from GEM object instance" Thomas Zimmermann
  2025-07-15 13:16 ` Simona Vetter
@ 2025-08-12  9:12 ` Thomas Zimmermann
  2025-08-26  8:40   ` Thomas Zimmermann
  1 sibling, 1 reply; 4+ messages in thread
From: Thomas Zimmermann @ 2025-08-12  9:12 UTC (permalink / raw)
  To: thierry.reding, mperttunen, airlied, simona, jonathanh
  Cc: linux-tegra, dri-devel

Hi Thierry,

can I take this patch into drm-misc-fixes?

Best regards
Thomas

Am 15.07.25 um 10:45 schrieb Thomas Zimmermann:
> This reverts commit 482c7e296edc0f594e8869a789a40be53c49bd6a.
>
> The dma_buf field in struct drm_gem_object is not stable over the
> object instance's lifetime. The field becomes NULL when user space
> releases the final GEM handle on the buffer object. This resulted
> in a NULL-pointer deref.
>
> Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on
> GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer:
> Acquire internal references on GEM handles") only solved the problem
> partially. They especially don't work for buffer objects without a DRM
> framebuffer associated.
>
> Hence, this revert to going back to using .import_attach->dmabuf.
>
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> ---
>   drivers/gpu/drm/tegra/gem.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
> index 41a285ec889f..8ede07fb7a21 100644
> --- a/drivers/gpu/drm/tegra/gem.c
> +++ b/drivers/gpu/drm/tegra/gem.c
> @@ -526,7 +526,7 @@ void tegra_bo_free_object(struct drm_gem_object *gem)
>   		if (drm_gem_is_imported(gem)) {
>   			dma_buf_unmap_attachment_unlocked(gem->import_attach, bo->sgt,
>   							  DMA_TO_DEVICE);
> -			dma_buf_detach(gem->dma_buf, gem->import_attach);
> +			dma_buf_detach(gem->import_attach->dmabuf, gem->import_attach);
>   		}
>   	}
>   

-- 
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] Revert "drm/tegra: Use dma_buf from GEM object instance"
  2025-08-12  9:12 ` Thomas Zimmermann
@ 2025-08-26  8:40   ` Thomas Zimmermann
  0 siblings, 0 replies; 4+ messages in thread
From: Thomas Zimmermann @ 2025-08-26  8:40 UTC (permalink / raw)
  To: thierry.reding, mperttunen, airlied, simona, jonathanh
  Cc: linux-tegra, dri-devel

Hi

Am 12.08.25 um 11:12 schrieb Thomas Zimmermann:
> Hi Thierry,
>
> can I take this patch into drm-misc-fixes?

I'm merging this patch into drm-misc-fixes to get the upstream bug fixed.

Best regards
Thomas

>
> Best regards
> Thomas
>
> Am 15.07.25 um 10:45 schrieb Thomas Zimmermann:
>> This reverts commit 482c7e296edc0f594e8869a789a40be53c49bd6a.
>>
>> The dma_buf field in struct drm_gem_object is not stable over the
>> object instance's lifetime. The field becomes NULL when user space
>> releases the final GEM handle on the buffer object. This resulted
>> in a NULL-pointer deref.
>>
>> Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on
>> GEM handles for framebuffers") and commit f6bfc9afc751 
>> ("drm/framebuffer:
>> Acquire internal references on GEM handles") only solved the problem
>> partially. They especially don't work for buffer objects without a DRM
>> framebuffer associated.
>>
>> Hence, this revert to going back to using .import_attach->dmabuf.
>>
>> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
>> ---
>>   drivers/gpu/drm/tegra/gem.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
>> index 41a285ec889f..8ede07fb7a21 100644
>> --- a/drivers/gpu/drm/tegra/gem.c
>> +++ b/drivers/gpu/drm/tegra/gem.c
>> @@ -526,7 +526,7 @@ void tegra_bo_free_object(struct drm_gem_object 
>> *gem)
>>           if (drm_gem_is_imported(gem)) {
>> dma_buf_unmap_attachment_unlocked(gem->import_attach, bo->sgt,
>>                                 DMA_TO_DEVICE);
>> -            dma_buf_detach(gem->dma_buf, gem->import_attach);
>> +            dma_buf_detach(gem->import_attach->dmabuf, 
>> gem->import_attach);
>>           }
>>       }
>

-- 
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-08-26  8:40 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-15  8:45 [PATCH] Revert "drm/tegra: Use dma_buf from GEM object instance" Thomas Zimmermann
2025-07-15 13:16 ` Simona Vetter
2025-08-12  9:12 ` Thomas Zimmermann
2025-08-26  8:40   ` Thomas Zimmermann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).