From f788c87d02b3814964afc17db5dca086d2a84071 Mon Sep 17 00:00:00 2001
From: Yiwei Zhang
Date: Wed, 24 Jul 2024 22:17:00 -0700
Subject: [PATCH] venus: fix a race condition between gem close and gem handle tracking

After using sparse array to manager virtgpu bo, we set gem_handle to 0 to indicate that the bo is invalid. However, the gem handle gets closed before that and can be reused by another newly created bo, leading to the tracked gem handle being unexpectedly zero'ed out.

Fixes: 88f481dd742 ("venus: make sure gem_handle and vn_renderer_bo are 1:1")
Signed-off-by: Yiwei Zhang
Part-of:
---
 src/virtio/vulkan/vn_renderer_virtgpu.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/virtio/vulkan/vn_renderer_virtgpu.c b/src/virtio/vulkan/vn_renderer_virtgpu.c
index df231a1aaef..5aaae2a8911 100644
--- a/src/virtio/vulkan/vn_renderer_virtgpu.c
+++ b/src/virtio/vulkan/vn_renderer_virtgpu.c
@@ -1111,10 +1111,15 @@ virtgpu_bo_destroy(struct vn_renderer *renderer, struct vn_renderer_bo *_bo)
    if (bo->base.mmap_ptr)
       munmap(bo->base.mmap_ptr, bo->base.mmap_size);
 
-   virtgpu_ioctl_gem_close(gpu, bo->gem_handle);
-   /* set gem_handle to 0 to indicate that the bo is invalid */
+   /* Set gem_handle to 0 to indicate that the bo is invalid. Must be set
+    * before closing gem handle. Otherwise the same gem handle can be reused
+    * by another newly created bo and unexpectedly gotten zero'ed out the
+    * tracked gem handle.
+    */
+   const uint32_t gem_handle = bo->gem_handle;
    bo->gem_handle = 0;
+   virtgpu_ioctl_gem_close(gpu, gem_handle);
 
    mtx_unlock(&gpu->dma_buf_import_mutex);