From 5ab1aebd51889f1959b43344db0a3c740536e5b3 Mon Sep 17 00:00:00 2001
From: Yiwei Zhang
Date: Wed, 24 Jul 2024 22:17:00 -0700
Subject: [PATCH] venus: fix a race condition between gem close and gem handle tracking

After using sparse array to manager virtgpu bo, we set gem_handle to 0 to indicate that the bo is invalid. However, the gem handle gets closed before that and can be reused by another newly created bo, leading to the tracked gem handle being unexpectedly zero'ed out.

Fixes: 88f481dd742 ("venus: make sure gem_handle and vn_renderer_bo are 1:1")
Signed-off-by: Yiwei Zhang
Part-of:
(cherry picked from commit f788c87d02b3814964afc17db5dca086d2a84071)
---
 .pick_status.json | 2 +-
 src/virtio/vulkan/vn_renderer_virtgpu.c | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index 666cec8d53c..97bed1932be 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -1284,7 +1284,7 @@
     "description": "venus: fix a race condition between gem close and gem handle tracking",
     "nominated": true,
     "nomination_type": 1,
-    "resolution": 0,
+    "resolution": 1,
     "main_sha": null,
     "because_sha": "88f481dd7422f09ac28de50667fd36ad2ab5f891",
     "notes": null
diff --git a/src/virtio/vulkan/vn_renderer_virtgpu.c b/src/virtio/vulkan/vn_renderer_virtgpu.c
index df231a1aaef..5aaae2a8911 100644
--- a/src/virtio/vulkan/vn_renderer_virtgpu.c
+++ b/src/virtio/vulkan/vn_renderer_virtgpu.c
@@ -1111,10 +1111,15 @@ virtgpu_bo_destroy(struct vn_renderer *renderer, struct vn_renderer_bo *_bo)
    if (bo->base.mmap_ptr)
       munmap(bo->base.mmap_ptr, bo->base.mmap_size);
 
-   virtgpu_ioctl_gem_close(gpu, bo->gem_handle);
-   /* set gem_handle to 0 to indicate that the bo is invalid */
+   /* Set gem_handle to 0 to indicate that the bo is invalid. Must be set
+    * before closing gem handle. Otherwise the same gem handle can be reused
+    * by another newly created bo and unexpectedly gotten zero'ed out the
+    * tracked gem handle.
+    */
+   const uint32_t gem_handle = bo->gem_handle;
    bo->gem_handle = 0;
+   virtgpu_ioctl_gem_close(gpu, gem_handle);
 
    mtx_unlock(&gpu->dma_buf_import_mutex);