[SRU][F][PATCH v2 2/7] drm/gem: fold drm_gem_object_put_unlocked and __drm_gem_object_put()

Stefan Bader stefan.bader at canonical.com
Tue Mar 12 09:30:43 UTC 2024


On 08.03.24 21:11, Bethany Jamison wrote:
> From: Emil Velikov <emil.velikov at collabora.com>
> 
> With earlier patch we removed the overhead so now we can lift the helper
> into the header effectively folding it with __drm_object_put.
> 
> v2: drop struct_mutex references (Daniel)
> 
> Signed-off-by: Emil Velikov <emil.velikov at collabora.com>
> Acked-by: Sam Ravnborg <sam at ravnborg.org> (v1)
> Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> Acked-by: Thomas Zimmermann <tzimmermann at suse.de>
> Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-11-emil.l.velikov@gmail.com
> (backported from commit b5d250744cccfb40024de663ea1f4da04e6d959c)
> [bjamison: context conflict in a function b5d deletes, Bionic/upstream
> were functionally the same with Bionic having an additional validation
> check, accepted incoming change to delete the function]
> CVE-2023-39198
> Signed-off-by: Bethany Jamison <bethany.jamison at canonical.com>
> ---
>   drivers/gpu/drm/drm_gem.c                  | 30 ----------------------
>   drivers/gpu/drm/i915/gem/i915_gem_object.h |  2 +-
>   include/drm/drm_drv.h                      |  2 --
>   include/drm/drm_gem.h                      | 16 +++---------
>   4 files changed, 4 insertions(+), 46 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index d801598299b6..663dc2130b91 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -972,36 +972,6 @@ drm_gem_object_free(struct kref *kref)
>   }
>   EXPORT_SYMBOL(drm_gem_object_free);
>   
> -/**
> - * drm_gem_object_put_unlocked - drop a GEM buffer object reference
> - * @obj: GEM buffer object
> - *
> - * This releases a reference to @obj. Callers must not hold the
> - * &drm_device.struct_mutex lock when calling this function.
> - *
> - * See also __drm_gem_object_put().
> - */
> -void
> -drm_gem_object_put_unlocked(struct drm_gem_object *obj)
> -{
> -	struct drm_device *dev;
> -
> -	if (!obj)
> -		return;
> -
> -	dev = obj->dev;
> -
> -	if (dev->driver->gem_free_object) {
> -		might_lock(&dev->struct_mutex);
> -		if (kref_put_mutex(&obj->refcount, drm_gem_object_free,
> -				&dev->struct_mutex))
> -			mutex_unlock(&dev->struct_mutex);
> -	} else {
> -		kref_put(&obj->refcount, drm_gem_object_free);
> -	}
> -}
> -EXPORT_SYMBOL(drm_gem_object_put_unlocked);
> -
>   /**
>    * drm_gem_object_put - release a GEM buffer object reference
>    * @obj: GEM buffer object
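
Review bot: The deleted drm_gem_object_put_unlocked() body takes &dev->struct_mutex through kref_put_mutex() whenever dev->driver->gem_free_object is set, and the inline that takes over the name in include/drm/drm_gem.h calls plain kref_put(). The commit message attributes the removal of that overhead to an earlier patch, yet the branch is still present in the lines removed here. It is worth confirming that no driver in the target tree still sets gem_free_object, since its free callback would otherwise now run without struct_mutex held.
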
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h
> index 53172a4185da..49cdd66d4e73 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_object.h
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h
> @@ -96,7 +96,7 @@ __attribute__((nonnull))
>   static inline void
>   i915_gem_object_put(struct drm_i915_gem_object *obj)
>   {
> -	__drm_gem_object_put(&obj->base);
> +	drm_gem_object_put_unlocked(&obj->base);

This seems to replace a function, but with the one that just got dropped. I 
think this is fixed up in later patches, but it would create issues when one 
tries to bisect.

Generally I think this is the update to the patch where I was worried 
about a potential regression introduced by adding a helper function from 
a different set. Fixing that does not necessarily mean pulling in all the 
code which allows that helper to be used. A different approach would be to 
check what the helper does and how newer code calls it, and then check 
how it was done before. If I remember right, the patch introducing the 
helper also changed a lot of call sites. So you could as well modify the 
one fix patch by replacing the call to the helper with whatever other 
callers did back in Focal.

>   }
>   
>   #define assert_object_held(obj) dma_resv_assert_held((obj)->base.resv)
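
Review bot: i915_gem_object_put() is the only __drm_gem_object_put() caller converted in this patch, while the include/drm/drm_gem.h hunk removes that name entirely. The diffstat touches four files, so a grep of the target tree for any remaining __drm_gem_object_put() users would confirm that this step builds on its own. The backport note could record that check alongside the context conflict it already describes.
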
> diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
> index 8976afe48c1c..4c86a42cbfca 100644
> --- a/include/drm/drm_drv.h
> +++ b/include/drm/drm_drv.h
> @@ -505,8 +505,6 @@ struct drm_driver {
>   	 *
>   	 * This is deprecated and should not be used by new drivers. Use
>   	 * &drm_gem_object_funcs.free instead.
> -	 * Compared to @gem_free_object this is not encumbered with
> -	 * &drm_device.struct_mutex legacy locking schemes.
>   	 */
>   	void (*gem_free_object_unlocked) (struct drm_gem_object *obj);
>   
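
Review bot: The sentence removed from the gem_free_object_unlocked kerneldoc is the only place in this comment that says how the callback differs from @gem_free_object. The drm_gem.c code deleted by this same patch still tests dev->driver->gem_free_object, so if that member remains in struct drm_driver at this point in the series, the comparison is still accurate and should stay until the member itself goes.
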
> diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h
> index 6aaba14f5972..8a40315750e3 100644
> --- a/include/drm/drm_gem.h
> +++ b/include/drm/drm_gem.h
> @@ -350,27 +350,17 @@ static inline void drm_gem_object_get(struct drm_gem_object *obj)
>   }
>   
>   /**
> - * __drm_gem_object_put - raw function to release a GEM buffer object reference
> + * drm_gem_object_put_unlocked - drop a GEM buffer object reference
>    * @obj: GEM buffer object
>    *
> - * This function is meant to be used by drivers which are not encumbered with
> - * &drm_device.struct_mutex legacy locking and which are using the
> - * gem_free_object_unlocked callback. It avoids all the locking checks and
> - * locking overhead of drm_gem_object_put() and drm_gem_object_put_unlocked().
> - *
> - * Drivers should never call this directly in their code. Instead they should
> - * wrap it up into a ``driver_gem_object_put(struct driver_gem_object *obj)``
> - * wrapper function, and use that. Shared code should never call this, to
> - * avoid breaking drivers by accident which still depend upon
> - * &drm_device.struct_mutex locking.
> + * This releases a reference to @obj.
>    */
>   static inline void
> -__drm_gem_object_put(struct drm_gem_object *obj)
> +drm_gem_object_put_unlocked(struct drm_gem_object *obj)
>   {
>   	kref_put(&obj->refcount, drm_gem_object_free);
>   }
>   
> -void drm_gem_object_put_unlocked(struct drm_gem_object *obj);
>   void drm_gem_object_put(struct drm_gem_object *obj);
>   
>   int drm_gem_handle_create(struct drm_file *file_priv,
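
Review bot: The new inline drm_gem_object_put_unlocked() passes &obj->refcount to kref_put() with no NULL test, whereas the out-of-line version removed from drm_gem.c returned early on `if (!obj)`. Any caller in this tree that relied on passing NULL would now dereference it. Either keep the check in the inline (`if (obj) kref_put(...)`) or audit the callers and state the non-NULL requirement in the kerneldoc, which currently reads only "This releases a reference to @obj."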

-- 
- Stefan
