Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

drm/virtio: Fix NULL pointer deref in virtgpu_dma_buf_free_obj()

There is a chance that obj->dma_buf would be NULL by the time
virtgpu_dma_buf_free_obj() is called. This can happen for imported
prime objects, when drm_gem_object_exported_dma_buf_free() gets
called on them before drm_gem_object_free(). This is because
drm_gem_object_exported_dma_buf_free() explicitly sets
obj->dma_buf to NULL.

Therefore, fix this issue by storing the dma_buf pointer in the
virtio_gpu_object instance and using it in virtgpu_dma_buf_free_obj().
This stored pointer is guaranteed to be valid until the object is
freed as we took a reference on it in virtgpu_gem_prime_import().

Fixes: 415cb45895f4 ("drm/virtio: Use dma_buf from GEM object instance")
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://lore.kernel.org/r/20250501232419.180337-1-vivek.kasireddy@intel.com

Authored by Vivek Kasireddy and committed by Dmitry Osipenko
44b6535d 9b8f3200

+3 -1
+1
drivers/gpu/drm/virtio/virtgpu_drv.h
··· 88 88 89 89 struct virtio_gpu_object { 90 90 struct drm_gem_shmem_object base; 91 + struct dma_buf *dma_buf; 91 92 struct sg_table *sgt; 92 93 uint32_t hw_res_handle; 93 94 bool dumb;
+2 -1
drivers/gpu/drm/virtio/virtgpu_prime.c
··· 206 206 struct virtio_gpu_device *vgdev = obj->dev->dev_private; 207 207 208 208 if (drm_gem_is_imported(obj)) { 209 - struct dma_buf *dmabuf = obj->dma_buf; 209 + struct dma_buf *dmabuf = bo->dma_buf; 210 210 211 211 dma_resv_lock(dmabuf->resv, NULL); 212 212 virtgpu_dma_buf_unmap(bo); ··· 332 332 333 333 obj->import_attach = attach; 334 334 get_dma_buf(buf); 335 + bo->dma_buf = buf; 335 336 336 337 ret = virtgpu_dma_buf_init_obj(dev, bo, attach); 337 338 if (ret < 0)
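Review bot: the new `struct dma_buf *dma_buf;` member added to struct virtio_gpu_object in virtgpu_drv.h carries no comment on its ownership, even though the commit message says it holds a reference taken in virtgpu_gem_prime_import() and is only meaningful for imported objects. A one-line comment above the field, e.g. `/* imported dma_buf; we hold a ref until the object is freed */`, would stop later readers from confusing it with the core-owned base.base.dma_buf that drm_gem_object_exported_dma_buf_free() clears.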
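Review bot: in the virtgpu_dma_buf_free_obj() hunk the `dma_resv_lock(dmabuf->resv, NULL)` call on the stored `bo->dma_buf` is still reached only through the `drm_gem_is_imported(obj)` guard, and the shown lines do not reveal what that helper tests. If it keys off obj->dma_buf, the same pointer the commit message says can already be NULL, the branch would be silently skipped rather than fixed, leaving the unmap undone; please confirm the helper tests import_attach (or switch the guard to `bo->dma_buf`). The dma_buf_put() that balances get_dma_buf() is also outside the visible context, so check it still runs after virtgpu_dma_buf_unmap(bo).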
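Review bot: in the virtgpu_gem_prime_import() hunk `bo->dma_buf = buf;` is set immediately after `get_dma_buf(buf);` but before `virtgpu_dma_buf_init_obj()` can fail, and the `if (ret < 0)` error path is cut off in the shown context. Make sure that path either releases the reference and clears bo->dma_buf, or routes through the same free path that now relies on the stored pointer; otherwise an init failure leaks the dma_buf reference.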