git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Mikko Perttunen <mperttunen@nvidia.com>
	Fri, 15 May 2026 02:34:51 +0000 (11:34 +0900)
committer	Thierry Reding <treding@nvidia.com>
	Thu, 28 May 2026 15:19:28 +0000 (17:19 +0200)
commit	3cbf5e3c46e66d9b3b6b91099bb720c6cb1be3bc
tree	19c326421f743da2cf77ad858f579cf6a90708ea	tree \| snapshot
parent	ace01e2af3871343d700fb60c6f64d8f8e3180e1	commit \| diff

gpu: host1x: Allow entries in BO caches to be freed

When a buffer object is pinned via host1x_bo_pin() with a cache, the
resulting mapping is kept in the cache so it can be reused on subsequent
pins. Each mapping held a reference to the underlying host1x_bo (taken
in tegra_bo_pin / gather_bo_pin), so as long as a mapping was cached,
the bo itself could not be freed.

However, the only way to remove the cached mapping was through the free
path of the buffer object. This meant that if a bo got cached, it could
never get freed again.

Resolve the circularity by holding a weak reference to the bo from the
cache side. This is done by having the .pin callbacks not bump the bo's
refcount -- instead the common Host1x bo code does so, except for the
cache reference.

Also move the remove-cache-mapping-on-free code into a common function
inside Host1x code. This is only called from the TegraDRM GEM buffers
since those are the only ones that can be cached at the moment.

Reported-by: Aaron Kling <webgeek1234@gmail.com>
Fixes: 1f39b1dfa53c ("drm/tegra: Implement buffer object cache")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Tested-by: Aaron Kling <webgeek1234@gmail.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260515-host1x-bocache-leak-v1-1-a0375f68aeab@nvidia.com

drivers/gpu/drm/tegra/gem.c		diff \| blob \| blame \| history
drivers/gpu/drm/tegra/submit.c		diff \| blob \| blame \| history
drivers/gpu/host1x/bus.c		diff \| blob \| blame \| history
include/linux/host1x.h		diff \| blob \| blame \| history