From: Boris Brezillon <boris.brezillon@collabora.com>
To: Alice Ryhl <aliceryhl@google.com>
Cc: "Danilo Krummrich" <dakr@kernel.org>,
"Matthew Brost" <matthew.brost@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Maxime Ripard" <mripard@kernel.org>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Steven Price" <steven.price@arm.com>,
"Daniel Almeida" <daniel.almeida@collabora.com>,
"Liviu Dudau" <liviu.dudau@arm.com>,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v2 2/2] panthor: use drm_gpuva_unlink_defer()
Date: Thu, 11 Sep 2025 13:18:17 +0200 [thread overview]
Message-ID: <20250911131817.3e0ab0d0@fedora> (raw)
In-Reply-To: <aMKtuwdk2HsejS-Q@google.com>
On Thu, 11 Sep 2025 11:08:43 +0000
Alice Ryhl <aliceryhl@google.com> wrote:
> On Thu, Sep 11, 2025 at 12:15:37PM +0200, Boris Brezillon wrote:
> > On Tue, 09 Sep 2025 13:36:23 +0000
> > Alice Ryhl <aliceryhl@google.com> wrote:
> >
> > > static void panthor_vma_init(struct panthor_vma *vma, u32 flags)
> > > @@ -2084,12 +2010,12 @@ static int panthor_gpuva_sm_step_map(struct drm_gpuva_op *op, void *priv)
> > > if (ret)
> > > return ret;
> > >
> > > - /* Ref owned by the mapping now, clear the obj field so we don't release the
> > > - * pinning/obj ref behind GPUVA's back.
> > > - */
> > > drm_gpuva_map(&vm->base, &vma->base, &op->map);
> > > panthor_vma_link(vm, vma, op_ctx->map.vm_bo);
> > > +
> > > + drm_gpuvm_bo_put_deferred(op_ctx->map.vm_bo);
> > > op_ctx->map.vm_bo = NULL;
> >
> > Hm, I don't see why we need a drm_gpuvm_bo_put_deferred() here. The
> > original idea was to delegate the vm_bo ownership to the VA being added
> > to the VM tree, so if we put it here, we have a UAF situation, don't we?
>
> The vm_bo refcount goes like this:
>
> incr vm_bo_obtain()
> incr vma_link()
> decr vm_bo_put()
>
> There is no decrement in panthor_vm_cleanup_op_ctx() due to this line:
>
> op_ctx->map.vm_bo = NULL
>
> So when everything is done, it is linked once and the refcount is
> incremented by one, which is correct.
Ah, right, I overlooked the change to panthor_vma_link() where you drop
the _put().
next prev parent reply other threads:[~2025-09-11 11:18 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-09 13:36 [PATCH v2 0/2] Defer vm_bo cleanup in GPUVM with DRM_GPUVM_IMMEDIATE_MODE Alice Ryhl
2025-09-09 13:36 ` [PATCH v2 1/2] drm/gpuvm: add deferred vm_bo cleanup Alice Ryhl
2025-09-09 13:39 ` Alice Ryhl
2025-09-11 11:57 ` Boris Brezillon
2025-09-11 12:00 ` Boris Brezillon
2025-09-09 14:20 ` Thomas Hellström
2025-09-10 6:39 ` Alice Ryhl
2025-09-11 12:18 ` Boris Brezillon
2025-09-09 13:36 ` [PATCH v2 2/2] panthor: use drm_gpuva_unlink_defer() Alice Ryhl
2025-09-11 10:15 ` Boris Brezillon
2025-09-11 11:08 ` Alice Ryhl
2025-09-11 11:18 ` Boris Brezillon [this message]
2025-09-11 12:35 ` Boris Brezillon
2025-09-11 12:38 ` Boris Brezillon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250911131817.3e0ab0d0@fedora \
--to=boris.brezillon@collabora.com \
--cc=airlied@gmail.com \
--cc=aliceryhl@google.com \
--cc=dakr@kernel.org \
--cc=daniel.almeida@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liviu.dudau@arm.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=matthew.brost@intel.com \
--cc=mripard@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=simona@ffwll.ch \
--cc=steven.price@arm.com \
--cc=thomas.hellstrom@linux.intel.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).