panvk: Keep a ref to a pan_kmod_bo in panvk_image

We don't need the panfrost_bo object which contains both the BO and
its CPU/GPU mappings. We store the GPU address at bind time and store
it in the pimage object.

While at it, keep a ref to the buffer object so we don't end up with
a invalid deref (UAF) if the vulkan user does something silly like
freeing the VkDeviceMemory object while the VkImage is still active.
Flag this with a TODO to make sure we don't forget about it.

Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Constantine Shablya <constantine.shablya@collabora.com>
Reviewed-by: Erik Faye-Lund <erik.faye-lund@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/26698>

src/panfrost/vulkan/panvk_device.c

@@ -1322,14 +1322,15 @@ panvk_BindImageMemory2(VkDevice device, uint32_t bindInfoCount,
    for (uint32_t i = 0; i < bindInfoCount; ++i) {
       VK_FROM_HANDLE(panvk_image, image, pBindInfos[i].image);
       VK_FROM_HANDLE(panvk_device_memory, mem, pBindInfos[i].memory);
+      struct pan_kmod_bo *old_bo = image->bo;
 
       if (mem) {
-         image->bo = mem->bo;
+         image->bo = pan_kmod_bo_get(mem->bo->kmod_bo);
          image->pimage.data.base = mem->bo->ptr.gpu;
          image->pimage.data.offset = pBindInfos[i].memoryOffset;
          /* Reset the AFBC headers */
          if (drm_is_afbc(image->pimage.layout.modifier)) {
-            void *base = image->bo->ptr.cpu + image->pimage.data.offset;
+            void *base = mem->bo->ptr.cpu + image->pimage.data.offset;
 
             for (unsigned layer = 0; layer < image->pimage.layout.array_size;
                  layer++) {
@@ -1347,6 +1348,8 @@ panvk_BindImageMemory2(VkDevice device, uint32_t bindInfoCount,
          image->bo = NULL;
          image->pimage.data.offset = pBindInfos[i].memoryOffset;
       }
+
+      pan_kmod_bo_put(old_bo);
    }
 
    return VK_SUCCESS;

src/panfrost/vulkan/panvk_image.c

@@ -215,6 +215,9 @@ panvk_DestroyImage(VkDevice _device, VkImage _image,
    if (!image)
       return;
 
+   if (image->bo)
+      pan_kmod_bo_put(image->bo);
+
    vk_image_destroy(&device->vk, pAllocator, &image->vk);
 }
 

src/panfrost/vulkan/panvk_private.h

@@ -949,7 +949,11 @@ struct panvk_pipeline {
 
 struct panvk_image {
    struct vk_image vk;
-   struct panfrost_bo *bo;
+
+   /* TODO: See if we can rework the synchronization logic so we don't need to
+    * pass BOs around.
+    */
+   struct pan_kmod_bo *bo;
 
    struct pan_image pimage;
 };

src/panfrost/vulkan/panvk_vX_device.c

@@ -250,7 +250,7 @@ panvk_per_arch(queue_submit)(struct vk_queue *vk_queue,
                struct panvk_image *img =
                   container_of(iview->vk.image, struct panvk_image, vk);
 
-               bos[bo_idx++] = panfrost_bo_handle(img->bo);
+               bos[bo_idx++] = pan_kmod_bo_handle(img->bo);
             }
          }
 

src/panfrost/vulkan/panvk_vX_image.c

@@ -147,7 +147,7 @@ panvk_per_arch(CreateImageView)(VkDevice _device,
                        : MALI_ATTRIBUTE_TYPE_3D_INTERLEAVED;
          cfg.pointer = image->pimage.data.base + offset;
          cfg.stride = util_format_get_blocksize(view->pview.format);
-         cfg.size = panfrost_bo_size(image->bo) - offset;
+         cfg.size = pan_kmod_bo_size(image->bo) - offset;
       }
 
       attrib_buf += pan_size(ATTRIBUTE_BUFFER);

src/panfrost/vulkan/panvk_vX_meta_blit.c

@@ -127,8 +127,8 @@ panvk_meta_blit(struct panvk_cmd_buffer *cmdbuf,
 
       views[0].first_layer = views[0].last_layer = ctx.dst.cur_layer;
       views[1].first_layer = views[1].last_layer = views[0].first_layer;
-      batch->blit.src = src_img->bo->kmod_bo;
-      batch->blit.dst = dst_img->bo->kmod_bo;
+      batch->blit.src = src_img->bo;
+      batch->blit.dst = dst_img->bo;
       panvk_per_arch(cmd_alloc_tls_desc)(cmdbuf, true);
       panvk_per_arch(cmd_alloc_fb_desc)(cmdbuf);
       panvk_per_arch(cmd_prepare_tiler_context)(cmdbuf);

src/panfrost/vulkan/panvk_vX_meta_copy.c

@@ -669,8 +669,8 @@ panvk_meta_copy_img2img(struct panvk_cmd_buffer *cmdbuf,
       struct panvk_batch *batch = panvk_cmd_open_batch(cmdbuf);
 
       dstview.first_layer = dstview.last_layer = l + first_dst_layer;
-      batch->blit.src = src->bo->kmod_bo;
-      batch->blit.dst = dst->bo->kmod_bo;
+      batch->blit.src = src->bo;
+      batch->blit.dst = dst->bo;
       panvk_per_arch(cmd_alloc_tls_desc)(cmdbuf, true);
       panvk_per_arch(cmd_alloc_fb_desc)(cmdbuf);
       panvk_per_arch(cmd_prepare_tiler_context)(cmdbuf);
@@ -1107,7 +1107,7 @@ panvk_meta_copy_buf2img(struct panvk_cmd_buffer *cmdbuf,
 
       view.first_layer = view.last_layer = l + first_layer;
       batch->blit.src = buf->bo->kmod_bo;
-      batch->blit.dst = img->bo->kmod_bo;
+      batch->blit.dst = img->bo;
       panvk_per_arch(cmd_alloc_tls_desc)(cmdbuf, true);
       panvk_per_arch(cmd_alloc_fb_desc)(cmdbuf);
       panvk_per_arch(cmd_prepare_tiler_context)(cmdbuf);
@@ -1522,7 +1522,7 @@ panvk_meta_copy_img2buf(struct panvk_cmd_buffer *cmdbuf,
 
    struct pan_tls_info tlsinfo = {0};
 
-   batch->blit.src = img->bo->kmod_bo;
+   batch->blit.src = img->bo;
    batch->blit.dst = buf->bo->kmod_bo;
    batch->tls = pan_pool_alloc_desc(&cmdbuf->desc_pool.base, LOCAL_STORAGE);
    GENX(pan_emit_tls)(&tlsinfo, batch->tls.cpu);