Hello Murray,
thanks for looking into this!
On Thu, 2023-09-28 at 00:13 -0400, Zack Rusin wrote:
From: Zack Rusin zackr@vmware.com
Surfaces can be backed (i.e. stored in) memory objects (mob's) which are created and managed by the userspace as GEM buffers. Surfaces grab only a ttm reference which means that the gem object can be deleted underneath us, especially in cases where prime buffer export is used.
Make sure that all userspace surfaces which are backed by gem objects hold a gem reference to make sure they're not deleted before vmw surfaces are done with them, which fixes:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 2632 at lib/refcount.c:28 refcount_warn_saturate+0xfb/0x150
[]
---[ end trace 0000000000000000 ]---
A lot of the analysis on the bug was done by Murray McAllister and Ian Forbes.
Reported-by: Murray McAllister murray.mcallister@gmail.com
Cc: Ian Forbes iforbes@vmware.com
Signed-off-by: Zack Rusin zackr@vmware.com
Fixes: a950b989ea29 ("drm/vmwgfx: Do not drop the reference to the handle too soon")
Cc: stable@vger.kernel.org # v6.2+
Do you remember the particular reason this was marked 6.2+?
That's because that's the kernel release where the commit this one is fixing first landed.
We see this on Debian 6.1.67 (which at least has the mentioned "drm/vmwgfx: Do not drop the reference to the handle too soon"):
The original had to be backported there. I'll ask someone on my team to check the branches the original was backported to, to see if this change even applies on those, and then we'll see what we can do. In the meantime, if you know anyone on the Debian kernel team, suggesting this as a cherry-pick might also be a good idea.
z
Hi Alexander,
I think the backport might already be on Debian's radar for your version:
Sorry, my reference to Debian was irrelevant, the patch-to-be-fixed is actually in the upstream kernel:
$ git log --grep "drm/vmwgfx: Do not drop the reference to the handle too soon" v6.1.67
commit 0a127ac972404600c99eb141c8d5b5348e53ee4f
Author: Zack Rusin zackr@vmware.com
Date: Sat Feb 11 00:05:14 2023 -0500
drm/vmwgfx: Do not drop the reference to the handle too soon
commit a950b989ea29ab3b38ea7f6e3d2540700a3c54e8 upstream.
So it was merely a hint for the Stable Team to pick the Subject patch into v6.1.x.
linux-stable-mirror@lists.linaro.org