Skip to content

Commit 1e0f0ff

Browse files
jexpositjexposit
committed
Revert "drm/gem-shmem: Use dma_buf from GEM object instance"
JIRA: https://issues.redhat.com/browse/RHEL-106712 Conflicts: The following hunk didn't apply: ``` --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -351,7 +351,7 @@ int drm_gem_shmem_vmap_locked(struct drm_gem_shmem_object *shmem, dma_resv_assert_held(obj->resv); if (drm_gem_is_imported(obj)) { - ret = dma_buf_vmap(obj->dma_buf, map); + ret = dma_buf_vmap(obj->import_attach->dmabuf, map); } else { pgprot_t prot = PAGE_KERNEL; ``` Because the function drm_gem_shmem_vmap() was refactored to drm_gem_shmem_vmap_locked() upstream, but we don't have the changes. I apply only the relevant changes to both dma_buf_vmap() calls present in drm_gem_shmem_vmap(). commit 6d496e9 Author: Thomas Zimmermann <tzimmermann@suse.de> Date: Tue Jul 15 17:58:16 2025 +0200 Revert "drm/gem-shmem: Use dma_buf from GEM object instance" This reverts commit 1a148af. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9a ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Reviewed-by: Simona Vetter <simona.vetter@ffwll.ch> Acked-by: Christian König <christian.koenig@amd.com> Acked-by: Zack Rusin <zack.rusin@broadcom.com> Cc: <stable@vger.kernel.org> # v6.15+ Link: https://lore.kernel.org/r/20250715155934.150656-7-tzimmermann@suse.de Signed-off-by: José Expósito <jexposit@redhat.com>
1 parent 956c221 commit 1e0f0ff

File tree

1 file changed

+3
-3
lines changed

1 file changed

+3
-3
lines changed

drivers/gpu/drm/drm_gem_shmem_helper.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -339,10 +339,10 @@ int drm_gem_shmem_vmap(struct drm_gem_shmem_object *shmem,
339339
int ret = 0;
340340

341341
if (drm_gem_is_imported(obj)) {
342-
ret = dma_buf_vmap(obj->dma_buf, map);
342+
ret = dma_buf_vmap(obj->import_attach->dmabuf, map);
343343
if (!ret) {
344344
if (drm_WARN_ON(obj->dev, map->is_iomem)) {
345-
dma_buf_vunmap(obj->dma_buf, map);
345+
dma_buf_vunmap(obj->import_attach->dmabuf, map);
346346
return -EIO;
347347
}
348348
}
@@ -405,7 +405,7 @@ void drm_gem_shmem_vunmap(struct drm_gem_shmem_object *shmem,
405405
struct drm_gem_object *obj = &shmem->base;
406406

407407
if (drm_gem_is_imported(obj)) {
408-
dma_buf_vunmap(obj->dma_buf, map);
408+
dma_buf_vunmap(obj->import_attach->dmabuf, map);
409409
} else {
410410
dma_resv_assert_held(shmem->base.resv);
411411

0 commit comments

Comments
 (0)