[SRU][F][PATCH v2 2/7] drm/gem: fold drm_gem_object_put_unlocked and __drm_gem_object_put()

Andrei Gherzan andrei.gherzan at canonical.com
Mon Mar 11 11:15:04 UTC 2024 

On 24/03/08 02:11PM, Bethany Jamison wrote:
> From: Emil Velikov <emil.velikov at collabora.com>
> 
> With earlier patch we removed the overhead so now we can lift the helper
> into the header effectively folding it with __drm_object_put.
> 
> v2: drop struct_mutex references (Daniel)
> 
> Signed-off-by: Emil Velikov <emil.velikov at collabora.com>
> Acked-by: Sam Ravnborg <sam at ravnborg.org> (v1)
> Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> Acked-by: Thomas Zimmermann <tzimmermann at suse.de>
> Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-11-emil.l.velikov@gmail.com
> (backported from commit b5d250744cccfb40024de663ea1f4da04e6d959c)


There seemse to be a fix for this one in
https://lore.kernel.org/all/20200520142347.29060-1-chris@chris-wilson.co.uk/
This fix landed in 5.9.

See 0e799e840a07e9cd843149be6811fd895d20a5a0

> [bjamison: context conflict in a function b5d deletes, Bionic/upstream
> were functionally the same with Bionic having an additional validation
> check, accepted incoming change to delete the function]
> CVE-2023-39198
> Signed-off-by: Bethany Jamison <bethany.jamison at canonical.com>
> ---
>  drivers/gpu/drm/drm_gem.c                  | 30 ----------------------
>  drivers/gpu/drm/i915/gem/i915_gem_object.h |  2 +-
>  include/drm/drm_drv.h                      |  2 --
>  include/drm/drm_gem.h                      | 16 +++---------
>  4 files changed, 4 insertions(+), 46 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index d801598299b6..663dc2130b91 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -972,36 +972,6 @@ drm_gem_object_free(struct kref *kref)
>  }
>  EXPORT_SYMBOL(drm_gem_object_free);
>  
> -/**
> - * drm_gem_object_put_unlocked - drop a GEM buffer object reference
> - * @obj: GEM buffer object
> - *
> - * This releases a reference to @obj. Callers must not hold the
> - * &drm_device.struct_mutex lock when calling this function.
> - *
> - * See also __drm_gem_object_put().
> - */
> -void
> -drm_gem_object_put_unlocked(struct drm_gem_object *obj)
> -{
> -	struct drm_device *dev;
> -
> -	if (!obj)
> -		return;
> -
> -	dev = obj->dev;
> -
> -	if (dev->driver->gem_free_object) {
> -		might_lock(&dev->struct_mutex);
> -		if (kref_put_mutex(&obj->refcount, drm_gem_object_free,
> -				&dev->struct_mutex))
> -			mutex_unlock(&dev->struct_mutex);
> -	} else {
> -		kref_put(&obj->refcount, drm_gem_object_free);
> -	}
> -}
> -EXPORT_SYMBOL(drm_gem_object_put_unlocked);
> -
>  /**
>   * drm_gem_object_put - release a GEM buffer object reference
>   * @obj: GEM buffer object
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h
> index 53172a4185da..49cdd66d4e73 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_object.h
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h
> @@ -96,7 +96,7 @@ __attribute__((nonnull))
>  static inline void
>  i915_gem_object_put(struct drm_i915_gem_object *obj)
>  {
> -	__drm_gem_object_put(&obj->base);
> +	drm_gem_object_put_unlocked(&obj->base);
>  }
>  
>  #define assert_object_held(obj) dma_resv_assert_held((obj)->base.resv)
> diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
> index 8976afe48c1c..4c86a42cbfca 100644
> --- a/include/drm/drm_drv.h
> +++ b/include/drm/drm_drv.h
> @@ -505,8 +505,6 @@ struct drm_driver {
>  	 *
>  	 * This is deprecated and should not be used by new drivers. Use
>  	 * &drm_gem_object_funcs.free instead.
> -	 * Compared to @gem_free_object this is not encumbered with
> -	 * &drm_device.struct_mutex legacy locking schemes.
>  	 */
>  	void (*gem_free_object_unlocked) (struct drm_gem_object *obj);
>  
> diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h
> index 6aaba14f5972..8a40315750e3 100644
> --- a/include/drm/drm_gem.h
> +++ b/include/drm/drm_gem.h
> @@ -350,27 +350,17 @@ static inline void drm_gem_object_get(struct drm_gem_object *obj)
>  }
>  
>  /**
> - * __drm_gem_object_put - raw function to release a GEM buffer object reference
> + * drm_gem_object_put_unlocked - drop a GEM buffer object reference
>   * @obj: GEM buffer object
>   *
> - * This function is meant to be used by drivers which are not encumbered with
> - * &drm_device.struct_mutex legacy locking and which are using the
> - * gem_free_object_unlocked callback. It avoids all the locking checks and
> - * locking overhead of drm_gem_object_put() and drm_gem_object_put_unlocked().
> - *
> - * Drivers should never call this directly in their code. Instead they should
> - * wrap it up into a ``driver_gem_object_put(struct driver_gem_object *obj)``
> - * wrapper function, and use that. Shared code should never call this, to
> - * avoid breaking drivers by accident which still depend upon
> - * &drm_device.struct_mutex locking.
> + * This releases a reference to @obj.
>   */
>  static inline void
> -__drm_gem_object_put(struct drm_gem_object *obj)
> +drm_gem_object_put_unlocked(struct drm_gem_object *obj)
>  {
>  	kref_put(&obj->refcount, drm_gem_object_free);
>  }
>  
> -void drm_gem_object_put_unlocked(struct drm_gem_object *obj);
>  void drm_gem_object_put(struct drm_gem_object *obj);
>  
>  int drm_gem_handle_create(struct drm_file *file_priv,

-- 
Andrei Gherzan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240311/ce68e3f2/attachment-0001.sig>

More information about the kernel-team mailing list