review.tizen.org Git - platform/kernel/linux-exynos.git/commit

drm/vmwgfx: Fix up user_dmabuf refcounting

commit 54c12bc374408faddbff75dbf1a6167c19af39c4 upstream.

If user space calls unreference on a user_dmabuf it will typically
kill the struct ttm_base_object member which is responsible for the
user-space visibility. However the dmabuf part may still be alive and
refcounted. In some situations, like for shared guest-backed surface
referencing/opening, the driver may try to reference the
struct ttm_base_object member again, causing an immediate kernel warning
and a later kernel NULL pointer dereference.

Fix this by always maintaining a reference on the struct
ttm_base_object member, in situations where it might subsequently be
referenced.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Thomas Hellstrom <thellstrom@vmware.com>
	Mon, 14 Sep 2015 08:13:11 +0000 (01:13 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 9 Nov 2015 22:33:39 +0000 (14:33 -0800)
commit	435d5d7f3a0dd62dc1465c314e338f159fb7d43a
tree	f2a632e93670e466cce9e15678e17300194e3b72	tree \| snapshot
parent	a1638a11d9fb9457a8a5a9cc1a00e59ca56c8fe3	commit \| diff

drivers/gpu/drm/vmwgfx/vmwgfx_drv.c		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_resource.c		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_shader.c		diff \| blob \| history
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c		diff \| blob \| history