drm: prime: fix refcounting on the dmabuf import error path
authorImre Deak <imre.deak@intel.com>
Fri, 19 Apr 2013 01:11:56 +0000 (11:11 +1000)
committerDave Airlie <airlied@redhat.com>
Tue, 30 Apr 2013 23:40:21 +0000 (09:40 +1000)
In commit be8a42ae60 we introduced a refcount problem, where on the
drm_gem_prime_fd_to_handle() error path we'll call dma_buf_put() for
self imported dma buffers.

Fix this by taking a reference on the dma buffer in the .gem_import
hook instead of assuming the caller had taken one. Besides fixing the
bug this is also more logical.

Signed-off-by: Imre Deak <imre.deak@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/drm_prime.c
drivers/gpu/drm/exynos/exynos_drm_dmabuf.c
drivers/gpu/drm/i915/i915_gem_dmabuf.c
drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c
drivers/gpu/drm/udl/udl_gem.c

index 7830d8e..71c7315 100644 (file)
@@ -271,7 +271,6 @@ struct drm_gem_object *drm_gem_prime_import(struct drm_device *dev,
                         * refcount on gem itself instead of f_count of dmabuf.
                         */
                        drm_gem_object_reference(obj);
-                       dma_buf_put(dma_buf);
                        return obj;
                }
        }
@@ -280,6 +279,8 @@ struct drm_gem_object *drm_gem_prime_import(struct drm_device *dev,
        if (IS_ERR(attach))
                return ERR_PTR(PTR_ERR(attach));
 
+       get_dma_buf(dma_buf);
+
        sgt = dma_buf_map_attachment(attach, DMA_BIDIRECTIONAL);
        if (IS_ERR_OR_NULL(sgt)) {
                ret = PTR_ERR(sgt);
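Review bot: In the context lines just below the new `get_dma_buf()`, `IS_ERR_OR_NULL(sgt)` is followed by `ret = PTR_ERR(sgt);`, which yields 0 when `dma_buf_map_attachment()` returns NULL. If that branch jumps to `fail_detach` (the jump is outside this hunk), the function would drop the reference taken here and return `ERR_PTR(0)`, i.e. NULL, which a caller checking only `IS_ERR()` would treat as a successful import. Since this commit is about keeping the error path's refcount balanced, the NULL case should map to a real error, for example `ret = sgt ? PTR_ERR(sgt) : -ENOMEM;`. The exynos import hook uses the same `IS_ERR_OR_NULL(sgt)` test, though its `ret` assignment is not visible in that hunk.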
@@ -300,6 +301,8 @@ fail_unmap:
        dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
 fail_detach:
        dma_buf_detach(dma_buf, attach);
+       dma_buf_put(dma_buf);
+
        return ERR_PTR(ret);
 }
 EXPORT_SYMBOL(drm_gem_prime_import);
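Review bot: The `dma_buf_put()` added under `fail_detach` has no comment tying it to the `get_dma_buf()` added after the attach check, and the two are separated by code outside this hunk. A short comment such as `/* pairs with get_dma_buf() taken after dma_buf_attach() */` would make it clear that only paths reached after that call may jump here; the early `IS_ERR(attach)` return correctly bypasses it. The same pairing appears in the exynos, i915 and udl import hooks. Where the reference is released on the success path is not visible in these hunks and would be worth naming in the function's comment.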
@@ -342,6 +345,9 @@ int drm_gem_prime_fd_to_handle(struct drm_device *dev,
                goto fail;
 
        mutex_unlock(&file_priv->prime.lock);
+
+       dma_buf_put(dma_buf);
+
        return 0;
 
 fail:
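Review bot: The new `dma_buf_put(dma_buf)` on the success path of drm_gem_prime_fd_to_handle() is unexplained in the code, so a reader cannot tell which reference it drops. Going by the commit message, it releases the caller's own reference now that the `.gem_import` hook takes one itself; a comment like `/* the import hook holds its own reference; drop the one taken by this function */` would record that. The acquisition of that reference and the body of the `fail:` label are outside this hunk, so confirm that the failure path also drops it exactly once.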
index ba0a3aa..ff7f2a8 100644 (file)
@@ -235,7 +235,6 @@ struct drm_gem_object *exynos_dmabuf_prime_import(struct drm_device *drm_dev,
                         * refcount on gem itself instead of f_count of dmabuf.
                         */
                        drm_gem_object_reference(obj);
-                       dma_buf_put(dma_buf);
                        return obj;
                }
        }
@@ -244,6 +243,7 @@ struct drm_gem_object *exynos_dmabuf_prime_import(struct drm_device *drm_dev,
        if (IS_ERR(attach))
                return ERR_PTR(-EINVAL);
 
+       get_dma_buf(dma_buf);
 
        sgt = dma_buf_map_attachment(attach, DMA_BIDIRECTIONAL);
        if (IS_ERR_OR_NULL(sgt)) {
@@ -298,6 +298,8 @@ err_unmap_attach:
        dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL);
 err_buf_detach:
        dma_buf_detach(dma_buf, attach);
+       dma_buf_put(dma_buf);
+
        return ERR_PTR(ret);
 }
 
index c6dfc14..30485e9 100644 (file)
@@ -272,7 +272,6 @@ struct drm_gem_object *i915_gem_prime_import(struct drm_device *dev,
                         * refcount on gem itself instead of f_count of dmabuf.
                         */
                        drm_gem_object_reference(&obj->base);
-                       dma_buf_put(dma_buf);
                        return &obj->base;
                }
        }
@@ -282,6 +281,8 @@ struct drm_gem_object *i915_gem_prime_import(struct drm_device *dev,
        if (IS_ERR(attach))
                return ERR_CAST(attach);
 
+       get_dma_buf(dma_buf);
+
        obj = i915_gem_object_alloc(dev);
        if (obj == NULL) {
                ret = -ENOMEM;
@@ -301,5 +302,7 @@ struct drm_gem_object *i915_gem_prime_import(struct drm_device *dev,
 
 fail_detach:
        dma_buf_detach(dma_buf, attach);
+       dma_buf_put(dma_buf);
+
        return ERR_PTR(ret);
 }
index 0682cb5..be7cd97 100644 (file)
@@ -212,7 +212,6 @@ struct drm_gem_object *omap_gem_prime_import(struct drm_device *dev,
                         * refcount on gem itself instead of f_count of dmabuf.
                         */
                        drm_gem_object_reference(obj);
-                       dma_buf_put(buffer);
                        return obj;
                }
        }
index 3816270..ef034fa 100644 (file)
@@ -303,6 +303,8 @@ struct drm_gem_object *udl_gem_prime_import(struct drm_device *dev,
        if (IS_ERR(attach))
                return ERR_CAST(attach);
 
+       get_dma_buf(dma_buf);
+
        sg = dma_buf_map_attachment(attach, DMA_BIDIRECTIONAL);
        if (IS_ERR(sg)) {
                ret = PTR_ERR(sg);
@@ -322,5 +324,7 @@ fail_unmap:
        dma_buf_unmap_attachment(attach, sg, DMA_BIDIRECTIONAL);
 fail_detach:
        dma_buf_detach(dma_buf, attach);
+       dma_buf_put(dma_buf);
+
        return ERR_PTR(ret);
 }