1. Patchew
  2. linux
  3. View series

[PATCH] drm/nouveau: prime: drm_prime_gem_destroy comment

Chris Bainbridge posted 1 patch 8 months, 3 weeks ago 
drivers/gpu/drm/drm_prime.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
[PATCH] drm/nouveau: prime: drm_prime_gem_destroy comment
Posted by Chris Bainbridge 8 months, 3 weeks ago 
Edit the comments on correct usage of drm_prime_gem_destroy to note
that, if using TTM, drm_prime_gem_destroy must be called in the
ttm_buffer_object.destroy hook, to avoid the dma_buf being freed leaving
a dangling pointer which will be later dereferenced by
ttm_bo_delayed_delete.

Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Suggested-by: Christian König <christian.koenig@amd.com>
---
 drivers/gpu/drm/drm_prime.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
index 32a8781cfd67..452d5c7cd292 100644
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -929,7 +929,9 @@ EXPORT_SYMBOL(drm_gem_prime_export);
  * &drm_driver.gem_prime_import_sg_table internally.
  *
  * Drivers must arrange to call drm_prime_gem_destroy() from their
- * &drm_gem_object_funcs.free hook when using this function.
+ * &drm_gem_object_funcs.free hook or &ttm_buffer_object.destroy
+ * hook when using this function, to avoid the dma_buf being freed while the
+ * ttm_buffer_object can still dereference it.
  */
 struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
 					    struct dma_buf *dma_buf,
@@ -999,7 +1001,9 @@ EXPORT_SYMBOL(drm_gem_prime_import_dev);
  * implementation in drm_gem_prime_fd_to_handle().
  *
  * Drivers must arrange to call drm_prime_gem_destroy() from their
- * &drm_gem_object_funcs.free hook when using this function.
+ * &drm_gem_object_funcs.free hook or &ttm_buffer_object.destroy
+ * hook when using this function, to avoid the dma_buf being freed while the
+ * ttm_buffer_object can still dereference it.
  */
 struct drm_gem_object *drm_gem_prime_import(struct drm_device *dev,
 					    struct dma_buf *dma_buf)
-- 
2.47.2
Re: [PATCH] drm/nouveau: prime: drm_prime_gem_destroy comment
Posted by Christian König 8 months, 3 weeks ago 

Am 26.03.25 um 13:53 schrieb Chris Bainbridge:
> Edit the comments on correct usage of drm_prime_gem_destroy to note
> that, if using TTM, drm_prime_gem_destroy must be called in the
> ttm_buffer_object.destroy hook, to avoid the dma_buf being freed leaving
> a dangling pointer which will be later dereferenced by
> ttm_bo_delayed_delete.
>
> Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
> Suggested-by: Christian König <christian.koenig@amd.com>

The subject line of the patch should probably read "drm/prime: fix drm_prime_gem_destroy comment" since this isn't nouveau specific at all.

It's just that all other TTM drivers except for nouveau got that right.

Regards,
Christian.

> ---
>  drivers/gpu/drm/drm_prime.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
> index 32a8781cfd67..452d5c7cd292 100644
> --- a/drivers/gpu/drm/drm_prime.c
> +++ b/drivers/gpu/drm/drm_prime.c
> @@ -929,7 +929,9 @@ EXPORT_SYMBOL(drm_gem_prime_export);
>   * &drm_driver.gem_prime_import_sg_table internally.
>   *
>   * Drivers must arrange to call drm_prime_gem_destroy() from their
> - * &drm_gem_object_funcs.free hook when using this function.
> + * &drm_gem_object_funcs.free hook or &ttm_buffer_object.destroy
> + * hook when using this function, to avoid the dma_buf being freed while the
> + * ttm_buffer_object can still dereference it.
>   */
>  struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
>  					    struct dma_buf *dma_buf,
> @@ -999,7 +1001,9 @@ EXPORT_SYMBOL(drm_gem_prime_import_dev);
>   * implementation in drm_gem_prime_fd_to_handle().
>   *
>   * Drivers must arrange to call drm_prime_gem_destroy() from their
> - * &drm_gem_object_funcs.free hook when using this function.
> + * &drm_gem_object_funcs.free hook or &ttm_buffer_object.destroy
> + * hook when using this function, to avoid the dma_buf being freed while the
> + * ttm_buffer_object can still dereference it.
>   */
>  struct drm_gem_object *drm_gem_prime_import(struct drm_device *dev,
>  					    struct dma_buf *dma_buf)
[PATCH v2] drm/prime: fix drm_prime_gem_destroy comment
Posted by Chris Bainbridge 8 months, 3 weeks ago 
Edit the comments on correct usage of drm_prime_gem_destroy to note
that, if using TTM, drm_prime_gem_destroy must be called in the
ttm_buffer_object.destroy hook, to avoid the dma_buf being freed leaving
a dangling pointer which will be later dereferenced by
ttm_bo_delayed_delete.

Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Suggested-by: Christian König <christian.koenig@amd.com>
---
 drivers/gpu/drm/drm_prime.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
index 32a8781cfd67..452d5c7cd292 100644
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -929,7 +929,9 @@ EXPORT_SYMBOL(drm_gem_prime_export);
  * &drm_driver.gem_prime_import_sg_table internally.
  *
  * Drivers must arrange to call drm_prime_gem_destroy() from their
- * &drm_gem_object_funcs.free hook when using this function.
+ * &drm_gem_object_funcs.free hook or &ttm_buffer_object.destroy
+ * hook when using this function, to avoid the dma_buf being freed while the
+ * ttm_buffer_object can still dereference it.
  */
 struct drm_gem_object *drm_gem_prime_import_dev(struct drm_device *dev,
 					    struct dma_buf *dma_buf,
@@ -999,7 +1001,9 @@ EXPORT_SYMBOL(drm_gem_prime_import_dev);
  * implementation in drm_gem_prime_fd_to_handle().
  *
  * Drivers must arrange to call drm_prime_gem_destroy() from their
- * &drm_gem_object_funcs.free hook when using this function.
+ * &drm_gem_object_funcs.free hook or &ttm_buffer_object.destroy
+ * hook when using this function, to avoid the dma_buf being freed while the
+ * ttm_buffer_object can still dereference it.
  */
 struct drm_gem_object *drm_gem_prime_import(struct drm_device *dev,
 					    struct dma_buf *dma_buf)
-- 
2.47.2
Re: [PATCH v2] drm/prime: fix drm_prime_gem_destroy comment
Posted by Danilo Krummrich 8 months, 3 weeks ago 
On Wed, Mar 26, 2025 at 01:10:58PM +0000, Chris Bainbridge wrote:
> Edit the comments on correct usage of drm_prime_gem_destroy to note
> that, if using TTM, drm_prime_gem_destroy must be called in the
> ttm_buffer_object.destroy hook, to avoid the dma_buf being freed leaving
> a dangling pointer which will be later dereferenced by
> ttm_bo_delayed_delete.
> 
> Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
> Suggested-by: Christian König <christian.koenig@amd.com>

Can you please send new version of patches as a new mail thread (not in reply to
previous versions) please?

Otherwise,

	Reviewed-by: Danilo Krummrich <dakr@kernel.org>

@Christian, I assume you will pick this one up?
Re: [PATCH v2] drm/prime: fix drm_prime_gem_destroy comment
Posted by Christian König 8 months, 3 weeks ago 
Am 28.03.25 um 12:01 schrieb Danilo Krummrich:
> On Wed, Mar 26, 2025 at 01:10:58PM +0000, Chris Bainbridge wrote:
>> Edit the comments on correct usage of drm_prime_gem_destroy to note
>> that, if using TTM, drm_prime_gem_destroy must be called in the
>> ttm_buffer_object.destroy hook, to avoid the dma_buf being freed leaving
>> a dangling pointer which will be later dereferenced by
>> ttm_bo_delayed_delete.
>>
>> Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
>> Suggested-by: Christian König <christian.koenig@amd.com>
> Can you please send new version of patches as a new mail thread (not in reply to
> previous versions) please?
>
> Otherwise,
>
> 	Reviewed-by: Danilo Krummrich <dakr@kernel.org>
>
> @Christian, I assume you will pick this one up?

Sure, I can take care of that.

Regards,
Christian.

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.