Skip to content

Commit bc1a413

Browse files
gurchetansinghkraxel
authored andcommitted
drm/virtio: add case for shmem objects in virtio_gpu_cleanup_object(..)
This function can be reused for hostmem objects. v2: move virtio_gpu_is_shmem() check to virtio_gpu_cleanup_object() v3: use-after free fix Signed-off-by: Gurchetan Singh <[email protected]> Link: http://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Gerd Hoffmann <[email protected]>
1 parent f651c8b commit bc1a413

File tree

2 files changed

+20
-15
lines changed

2 files changed

+20
-15
lines changed

drivers/gpu/drm/virtio/virtgpu_drv.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -371,7 +371,7 @@ int virtio_gpu_object_create(struct virtio_gpu_device *vgdev,
371371
struct virtio_gpu_object **bo_ptr,
372372
struct virtio_gpu_fence *fence);
373373

374-
bool virtio_gpu_is_shmem(struct drm_gem_object *obj);
374+
bool virtio_gpu_is_shmem(struct virtio_gpu_object *bo);
375375

376376
/* virtgpu_prime.c */
377377
struct drm_gem_object *virtgpu_gem_prime_import_sg_table(

drivers/gpu/drm/virtio/virtgpu_object.c

Lines changed: 19 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -65,21 +65,26 @@ static void virtio_gpu_resource_id_put(struct virtio_gpu_device *vgdev, uint32_t
6565
void virtio_gpu_cleanup_object(struct virtio_gpu_object *bo)
6666
{
6767
struct virtio_gpu_device *vgdev = bo->base.base.dev->dev_private;
68-
struct virtio_gpu_object_shmem *shmem = to_virtio_gpu_shmem(bo);
6968

70-
if (shmem->pages) {
71-
if (shmem->mapped) {
72-
dma_unmap_sg(vgdev->vdev->dev.parent,
73-
shmem->pages->sgl, shmem->mapped,
74-
DMA_TO_DEVICE);
75-
shmem->mapped = 0;
69+
virtio_gpu_resource_id_put(vgdev, bo->hw_res_handle);
70+
if (virtio_gpu_is_shmem(bo)) {
71+
struct virtio_gpu_object_shmem *shmem = to_virtio_gpu_shmem(bo);
72+
73+
if (shmem->pages) {
74+
if (shmem->mapped) {
75+
dma_unmap_sg(vgdev->vdev->dev.parent,
76+
shmem->pages->sgl, shmem->mapped,
77+
DMA_TO_DEVICE);
78+
shmem->mapped = 0;
79+
}
80+
81+
sg_free_table(shmem->pages);
82+
shmem->pages = NULL;
83+
drm_gem_shmem_unpin(&bo->base.base);
7684
}
77-
sg_free_table(shmem->pages);
78-
shmem->pages = NULL;
79-
drm_gem_shmem_unpin(&bo->base.base);
85+
86+
drm_gem_shmem_free_object(&bo->base.base);
8087
}
81-
virtio_gpu_resource_id_put(vgdev, bo->hw_res_handle);
82-
drm_gem_shmem_free_object(&bo->base.base);
8388
}
8489

8590
static void virtio_gpu_free_object(struct drm_gem_object *obj)
@@ -110,9 +115,9 @@ static const struct drm_gem_object_funcs virtio_gpu_shmem_funcs = {
110115
.mmap = drm_gem_shmem_mmap,
111116
};
112117

113-
bool virtio_gpu_is_shmem(struct drm_gem_object *obj)
118+
bool virtio_gpu_is_shmem(struct virtio_gpu_object *bo)
114119
{
115-
return obj->funcs == &virtio_gpu_shmem_funcs;
120+
return bo->base.base.funcs == &virtio_gpu_shmem_funcs;
116121
}
117122

118123
struct drm_gem_object *virtio_gpu_create_object(struct drm_device *dev,

0 commit comments

Comments
 (0)