diff options
| author | Thomas Hellstrom <thellstrom@vmware.com> | 2015-09-14 01:13:11 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2015-11-09 14:33:39 -0800 |
| commit | 435d5d7f3a0dd62dc1465c314e338f159fb7d43a (patch) | |
| tree | f2a632e93670e466cce9e15678e17300194e3b72 /lib/cpu-notifier-error-inject.c | |
| parent | a1638a11d9fb9457a8a5a9cc1a00e59ca56c8fe3 (diff) | |
drm/vmwgfx: Fix up user_dmabuf refcounting
commit 54c12bc374408faddbff75dbf1a6167c19af39c4 upstream.
If user space calls unreference on a user_dmabuf it will typically
kill the struct ttm_base_object member which is responsible for the
user-space visibility. However the dmabuf part may still be alive and
refcounted. In some situations, like for shared guest-backed surface
referencing/opening, the driver may try to reference the
struct ttm_base_object member again, causing an immediate kernel warning
and a later kernel NULL pointer dereference.
Fix this by always maintaining a reference on the struct
ttm_base_object member, in situations where it might subsequently be
referenced.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib/cpu-notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions