summaryrefslogtreecommitdiff
path: root/drivers/gpu
diff options
context:
space:
mode:
authorBrad Spengler <brad.spengler@opensrcsec.com>2026-01-07 20:12:36 +0300
committerSasha Levin <sashal@kernel.org>2026-03-12 14:09:07 +0300
commit2633a30eb45bcf22af46cd272dcb4bfe7a6396bb (patch)
tree75776cf1879cb5f8f72d3487518573223b351904 /drivers/gpu
parentc27dea9f50ed525facb62ef647dddc4722456e07 (diff)
downloadlinux-2633a30eb45bcf22af46cd272dcb4bfe7a6396bb.tar.xz
drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
[ Upstream commit 211ecfaaef186ee5230a77d054cdec7fbfc6724a ] The kref_put() call uses (void *)kvfree as the release callback, which is incorrect. kref_put() expects a function with signature void (*release)(struct kref *), but kvfree has signature void (*)(const void *). Calling through an incompatible function pointer is undefined behavior. The code only worked by accident because ref_count is the first member of vmw_bo_dirty, making the kref pointer equal to the struct pointer. Fix this by adding a proper release callback that uses container_of() to retrieve the containing structure before freeing. Fixes: c1962742ffff ("drm/vmwgfx: Use kref in vmw_bo_dirty") Signed-off-by: Brad Spengler <brad.spengler@opensrcsec.com> Signed-off-by: Zack Rusin <zack.rusin@broadcom.com> Cc: Ian Forbes <ian.forbes@broadcom.com> Link: https://patch.msgid.link/20260107171236.3573118-1-zack.rusin@broadcom.com Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/gpu')
-rw-r--r--drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
index fd4e76486f2d..45561bc1c9ef 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
@@ -260,6 +260,13 @@ out_no_dirty:
return ret;
}
+static void vmw_bo_dirty_free(struct kref *kref)
+{
+ struct vmw_bo_dirty *dirty = container_of(kref, struct vmw_bo_dirty, ref_count);
+
+ kvfree(dirty);
+}
+
/**
* vmw_bo_dirty_release - Release a dirty-tracking user from a buffer object
* @vbo: The buffer object
@@ -274,7 +281,7 @@ void vmw_bo_dirty_release(struct vmw_bo *vbo)
{
struct vmw_bo_dirty *dirty = vbo->dirty;
- if (dirty && kref_put(&dirty->ref_count, (void *)kvfree))
+ if (dirty && kref_put(&dirty->ref_count, vmw_bo_dirty_free))
vbo->dirty = NULL;
}
generated by cgit v1.2.3 (git 2.39.0) at 2026-05-03 06:19:38 +0300