drm/virtio: Fix NULL pointer deref in virtgpu_dma_buf_free_obj()

There is a chance that obj->dma_buf would be NULL by the time
virtgpu_dma_buf_free_obj() is called. This can happen for imported
prime objects, when drm_gem_object_exported_dma_buf_free() gets
called on them before drm_gem_object_free(). This is because
drm_gem_object_exported_dma_buf_free() explicitly sets
obj->dma_buf to NULL.

Therefore, fix this issue by storing the dma_buf pointer in the
virtio_gpu_object instance and using it in virtgpu_dma_buf_free_obj.
This stored pointer is guaranteed to be valid until the object is
freed as we took a reference on it in virtgpu_gem_prime_import().

Fixes: 415cb45895f4 ("drm/virtio: Use dma_buf from GEM object instance")
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://lore.kernel.org/r/20250501232419.180337-1-vivek.kasireddy@intel.com

diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h
index f17660a71a3e7a22b5d4fefa6b754c227a294037..f7def8b42068f246c368a8fcc49b7636f58ba98f 100644 (file)
--- a/drivers/gpu/drm/virtio/virtgpu_drv.h
+++ b/drivers/gpu/drm/virtio/virtgpu_drv.h
@@ -88,6 +88,7 @@ struct virtio_gpu_object_params {
 
 struct virtio_gpu_object {
        struct drm_gem_shmem_object base;
+       struct dma_buf *dma_buf;
        struct sg_table *sgt;
        uint32_t hw_res_handle;
        bool dumb;

diff --git a/drivers/gpu/drm/virtio/virtgpu_prime.c b/drivers/gpu/drm/virtio/virtgpu_prime.c
index 1118a0250279b58b51758f0f7b395545e630cfe4..722cde5e2d86415db0b00894ee779e4ffc8edb80 100644 (file)
--- a/drivers/gpu/drm/virtio/virtgpu_prime.c
+++ b/drivers/gpu/drm/virtio/virtgpu_prime.c
@@ -206,7 +206,7 @@ static void virtgpu_dma_buf_free_obj(struct drm_gem_object *obj)
        struct virtio_gpu_device *vgdev = obj->dev->dev_private;
 
        if (drm_gem_is_imported(obj)) {
-               struct dma_buf *dmabuf = obj->dma_buf;
+               struct dma_buf *dmabuf = bo->dma_buf;
 
                dma_resv_lock(dmabuf->resv, NULL);
                virtgpu_dma_buf_unmap(bo);
@@ -332,6 +332,7 @@ struct drm_gem_object *virtgpu_gem_prime_import(struct drm_device *dev,
 
        obj->import_attach = attach;
        get_dma_buf(buf);
+       bo->dma_buf = buf;
 
        ret = virtgpu_dma_buf_init_obj(dev, bo, attach);
        if (ret < 0)