[PATCH] drm/ttm: fix ttm client driver (e.g. amdgpu) reload issue

[Monk Liu <Monk.Liu-5C7GfCeVMHo@public.gmane.org>]

need to clear bo glob and mem glob during their release
otherwise their member value would be wrongly used in the
next glob init stage and lead to wild pointer access problems:

1) kobj.state_initialized is 1
2) ttm_bo_glob.bo_count isn't cleared and referenced via it
   on member "swap_lru" would hit out of bound array accessing
   bug

Signed-off-by: Monk Liu <Monk.Liu@amd.com>
---
 drivers/gpu/drm/ttm/ttm_bo.c     | 2 ++
 drivers/gpu/drm/ttm/ttm_memory.c | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index c7de667..6434eac 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -1604,6 +1604,8 @@ static void ttm_bo_global_kobj_release(struct kobject *kobj)
 		container_of(kobj, struct ttm_bo_global, kobj);
 
 	__free_page(glob->dummy_read_page);
+
+	memset(glob, 0, sizeof(*glob));
 }
 
 static void ttm_bo_global_release(void)
diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
index 8617958..7128bbf 100644
--- a/drivers/gpu/drm/ttm/ttm_memory.c
+++ b/drivers/gpu/drm/ttm/ttm_memory.c
@@ -229,9 +229,17 @@ static const struct sysfs_ops ttm_mem_global_ops = {
 	.store = &ttm_mem_global_store,
 };
 
+void ttm_mem_glob_kobj_release(struct kobject *kobj)
+{
+	struct ttm_mem_global *glob = container_of(kobj, struct ttm_mem_global, kobj);
+
+	memset(glob, 0, sizeof(*glob));
+}
+
 static struct kobj_type ttm_mem_glob_kobj_type = {
 	.sysfs_ops = &ttm_mem_global_ops,
 	.default_attrs = ttm_mem_global_attrs,
+	.release = ttm_mem_glob_kobj_release,
 };
 
 static bool ttm_zones_above_swap_target(struct ttm_mem_global *glob,
-- 
2.7.4

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx