On Thu, Sep 11, 2025 at 12:15:37PM +0200, Boris Brezillon wrote:
> On Tue, 09 Sep 2025 13:36:23 +0000
> Alice Ryhl <[email protected]> wrote:
> 
> >  static void panthor_vma_init(struct panthor_vma *vma, u32 flags)
> > @@ -2084,12 +2010,12 @@ static int panthor_gpuva_sm_step_map(struct 
> > drm_gpuva_op *op, void *priv)
> >     if (ret)
> >             return ret;
> >  
> > -   /* Ref owned by the mapping now, clear the obj field so we don't 
> > release the
> > -    * pinning/obj ref behind GPUVA's back.
> > -    */
> >     drm_gpuva_map(&vm->base, &vma->base, &op->map);
> >     panthor_vma_link(vm, vma, op_ctx->map.vm_bo);
> > +
> > +   drm_gpuvm_bo_put_deferred(op_ctx->map.vm_bo);
> >     op_ctx->map.vm_bo = NULL;
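Review bot: the comment removed at the top of this hunk was the only explanation of why op_ctx->map.vm_bo is cleared, and with drm_gpuvm_bo_put_deferred() now placed right before the clearing the ownership model it described no longer applies (the reference from obtain is dropped here while the VMA keeps the one taken in panthor_vma_link()). A replacement comment stating that balance, for example "vma_link() took its own ref; drop the obtain ref and clear the field so cleanup_op_ctx() does not drop it a second time", would make the put + NULL pair self-explanatory and avoid the double-put/UAF question a reader otherwise has to resolve from the refcount bookkeeping.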
> 
> Hm, I don't see why we need a drm_gpuvm_bo_put_deferred() here. The
> original idea was to delegate the vm_bo ownership to the VA being added
> to the VM tree, so if we put it here, we have a UAF situation, don't we?

The vm_bo refcount goes like this:

incr vm_bo_obtain()
incr vma_link()
decr vm_bo_put()

There is no decrement in panthor_vm_cleanup_op_ctx() due to this line:

        op_ctx->map.vm_bo = NULL

So when everything is done, it is linked once and the refcount is
incremented by one, which is correct.

Alice
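A small C model of the refcount sequence described in the reply above, added here as an illustration (it is not code from the panthor driver or from this thread). The structs and helpers are hypothetical stand-ins for drm_gpuvm_bo_obtain()/put(), panthor_vma_link() and panthor_vm_cleanup_op_ctx(), assuming, as the reply does, that vma_link() takes its own reference and that cleanup_op_ctx() puts whatever is still stored in op_ctx->map.vm_bo.

```c
#include <stdio.h>

/* Hypothetical stand-in for the vm_bo: a refcount plus a freed flag to detect use-after-free. */
struct vm_bo { int refcount; int freed; };
/* Hypothetical stand-in for op_ctx, holding the op_ctx->map.vm_bo field. */
struct op_ctx { struct vm_bo *vm_bo; };

static void vm_bo_get(struct vm_bo *bo) { bo->refcount++; }
/* Model of drm_gpuvm_bo_put(): the object is released when the last ref drops. */
static void vm_bo_put(struct vm_bo *bo) { if (--bo->refcount == 0) bo->freed = 1; }
/* Model of drm_gpuvm_bo_obtain(): the caller (the op_ctx) receives a reference. */
static struct vm_bo *vm_bo_obtain(struct vm_bo *bo) { vm_bo_get(bo); return bo; }
/* Model of panthor_vma_link(): the VMA takes its own reference. */
static void vma_link(struct vm_bo *bo) { vm_bo_get(bo); }

/* Model of panthor_vm_cleanup_op_ctx(): drops the op_ctx ref only if the field is still set. */
static void cleanup_op_ctx(struct op_ctx *ctx)
{
	if (ctx->vm_bo)
		vm_bo_put(ctx->vm_bo);
	ctx->vm_bo = NULL;
}

/* Runs the map step with or without the put and with or without clearing the field.
 * Returns the refcount left for the linked VMA, or -1 if the vm_bo was freed while
 * the VMA still points at it (the UAF case). */
static int run_map_step(int put_in_step, int clear_field)
{
	struct vm_bo bo = { 0, 0 };
	struct op_ctx ctx = { vm_bo_obtain(&bo) };	/* incr: op_ctx owns a ref */

	vma_link(ctx.vm_bo);				/* incr: VMA owns a ref */
	if (put_in_step)
		vm_bo_put(ctx.vm_bo);			/* decr: drop the op_ctx ref (the patch's put_deferred) */
	if (clear_field)
		ctx.vm_bo = NULL;			/* nothing left for cleanup to drop */
	cleanup_op_ctx(&ctx);
	return bo.freed ? -1 : bo.refcount;
}

int main(void)
{
	printf("patch (put + clear): %d\n", run_map_step(1, 1));	/* 1: held by the VMA */
	printf("put without clear:   %d\n", run_map_step(1, 0));	/* -1: freed behind the VMA */
	printf("clear without put:   %d\n", run_map_step(0, 1));	/* 2: op_ctx ref leaked */
	return 0;
}
```

Under this model only the put-without-clear variant reaches zero while the VMA is still linked; the patched sequence leaves exactly the one reference the VMA owns.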
