* [PATCH] drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list
@ 2017-11-01 16:15 Michel Dänzer
[not found] ` <20171101161529.4844-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: Michel Dänzer @ 2017-11-01 16:15 UTC (permalink / raw)
To: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
From: Michel Dänzer <michel.daenzer@amd.com>
Fixes a use-after-free due to a race condition in
ttm_bo_cleanup_refs_and_unlock, which allows one task to reserve a BO
and destroy its ttm_resv while another task is waiting for it to signal
in reservation_object_wait_timeout_rcu.
Fixes: 0d2bd2ae045d "drm/ttm: fix memory leak while individualizing BOs"
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
---
drivers/gpu/drm/ttm/ttm_bo.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index 379ec41d2c69..a19a0ebf32ac 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -150,8 +150,7 @@ static void ttm_bo_release_list(struct kref *list_kref)
ttm_tt_destroy(bo->ttm);
atomic_dec(&bo->glob->bo_count);
dma_fence_put(bo->moving);
- if (bo->resv == &bo->ttm_resv)
- reservation_object_fini(&bo->ttm_resv);
+ reservation_object_fini(&bo->ttm_resv);
mutex_destroy(&bo->wu_mutex);
if (bo->destroy)
bo->destroy(bo);
@@ -406,10 +405,8 @@ static int ttm_bo_individualize_resv(struct ttm_buffer_object *bo)
BUG_ON(!reservation_object_trylock(&bo->ttm_resv));
r = reservation_object_copy_fences(&bo->ttm_resv, bo->resv);
- if (r) {
+ if (r)
reservation_object_unlock(&bo->ttm_resv);
- reservation_object_fini(&bo->ttm_resv);
- }
return r;
}
@@ -457,10 +454,8 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo)
if (reservation_object_test_signaled_rcu(&bo->ttm_resv, true)) {
ttm_bo_del_from_lru(bo);
spin_unlock(&glob->lru_lock);
- if (bo->resv != &bo->ttm_resv) {
+ if (bo->resv != &bo->ttm_resv)
reservation_object_unlock(&bo->ttm_resv);
- reservation_object_fini(&bo->ttm_resv);
- }
ttm_bo_cleanup_memtype_use(bo);
return;
@@ -560,8 +555,6 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo,
}
ttm_bo_del_from_lru(bo);
- if (!list_empty(&bo->ddestroy) && (bo->resv != &bo->ttm_resv))
- reservation_object_fini(&bo->ttm_resv);
list_del_init(&bo->ddestroy);
kref_put(&bo->list_kref, ttm_bo_ref_bug);
--
2.15.0.rc2
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
^ permalink raw reply related [flat|nested] 7+ messages in thread[parent not found: <20171101161529.4844-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org>]
* Re: [PATCH] drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list [not found] ` <20171101161529.4844-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org> @ 2017-11-02 2:30 ` Chunming Zhou 2017-11-02 10:49 ` Christian König 2017-11-02 17:22 ` [PATCH v2] " Michel Dänzer 2 siblings, 0 replies; 7+ messages in thread From: Chunming Zhou @ 2017-11-02 2:30 UTC (permalink / raw) To: Michel Dänzer, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW I think so, it should be enough we free it in the last place. We also find many issues for bo->resv and bo->ttm_resv when debugging PER-VM-BO feature, after ttm_bo_individualize_resv, we should set bo->resv = &bo->ttm_rev before adding to destroy list, and the root resv is preventing eviction and swapout. Roger will give a summary and send those draft patches. For this patch, Reviewed-by: Chunming Zhou <david1.zhou@amd.com> On 2017年11月02日 00:15, Michel Dänzer wrote: > From: Michel Dänzer <michel.daenzer@amd.com> > > Fixes a use-after-free due to a race condition in > ttm_bo_cleanup_refs_and_unlock, which allows one task to reserve a BO > and destroy its ttm_resv while another task is waiting for it to signal > in reservation_object_wait_timeout_rcu. > > Fixes: 0d2bd2ae045d "drm/ttm: fix memory leak while individualizing BOs" > Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> > --- > drivers/gpu/drm/ttm/ttm_bo.c | 13 +++---------- > 1 file changed, 3 insertions(+), 10 deletions(-) > > diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c > index 379ec41d2c69..a19a0ebf32ac 100644 > --- a/drivers/gpu/drm/ttm/ttm_bo.c > +++ b/drivers/gpu/drm/ttm/ttm_bo.c > @@ -150,8 +150,7 @@ static void ttm_bo_release_list(struct kref *list_kref) > ttm_tt_destroy(bo->ttm); > atomic_dec(&bo->glob->bo_count); > dma_fence_put(bo->moving); > - if (bo->resv == &bo->ttm_resv) > - reservation_object_fini(&bo->ttm_resv); > + reservation_object_fini(&bo->ttm_resv); > mutex_destroy(&bo->wu_mutex); > if (bo->destroy) > bo->destroy(bo); > @@ -406,10 +405,8 @@ static int ttm_bo_individualize_resv(struct ttm_buffer_object *bo) > BUG_ON(!reservation_object_trylock(&bo->ttm_resv)); > > r = reservation_object_copy_fences(&bo->ttm_resv, bo->resv); > - if (r) { > + if (r) > reservation_object_unlock(&bo->ttm_resv); > - reservation_object_fini(&bo->ttm_resv); > - } > > return r; > } > @@ -457,10 +454,8 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo) > if (reservation_object_test_signaled_rcu(&bo->ttm_resv, true)) { > ttm_bo_del_from_lru(bo); > spin_unlock(&glob->lru_lock); > - if (bo->resv != &bo->ttm_resv) { > + if (bo->resv != &bo->ttm_resv) > reservation_object_unlock(&bo->ttm_resv); > - reservation_object_fini(&bo->ttm_resv); > - } > > ttm_bo_cleanup_memtype_use(bo); > return; > @@ -560,8 +555,6 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo, > } > > ttm_bo_del_from_lru(bo); > - if (!list_empty(&bo->ddestroy) && (bo->resv != &bo->ttm_resv)) > - reservation_object_fini(&bo->ttm_resv); > list_del_init(&bo->ddestroy); > kref_put(&bo->list_kref, ttm_bo_ref_bug); > _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list [not found] ` <20171101161529.4844-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org> 2017-11-02 2:30 ` Chunming Zhou @ 2017-11-02 10:49 ` Christian König [not found] ` <da4684ab-2c6d-7543-0c5d-3483ca093bc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> 2017-11-02 17:22 ` [PATCH v2] " Michel Dänzer 2 siblings, 1 reply; 7+ messages in thread From: Christian König @ 2017-11-02 10:49 UTC (permalink / raw) To: Michel Dänzer, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW Am 01.11.2017 um 17:15 schrieb Michel Dänzer: > From: Michel Dänzer <michel.daenzer@amd.com> > > Fixes a use-after-free due to a race condition in > ttm_bo_cleanup_refs_and_unlock, which allows one task to reserve a BO > and destroy its ttm_resv while another task is waiting for it to signal > in reservation_object_wait_timeout_rcu. > > Fixes: 0d2bd2ae045d "drm/ttm: fix memory leak while individualizing BOs" > Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> Good idea, but one thing we should probably change. > --- > drivers/gpu/drm/ttm/ttm_bo.c | 13 +++---------- > 1 file changed, 3 insertions(+), 10 deletions(-) > > diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c > index 379ec41d2c69..a19a0ebf32ac 100644 > --- a/drivers/gpu/drm/ttm/ttm_bo.c > +++ b/drivers/gpu/drm/ttm/ttm_bo.c > @@ -150,8 +150,7 @@ static void ttm_bo_release_list(struct kref *list_kref) > ttm_tt_destroy(bo->ttm); > atomic_dec(&bo->glob->bo_count); > dma_fence_put(bo->moving); > - if (bo->resv == &bo->ttm_resv) > - reservation_object_fini(&bo->ttm_resv); > + reservation_object_fini(&bo->ttm_resv); When we always call reservation_object_fini() here we should probably also always call reservation_object_init() in ttm_bo_init_reserved() to make sure the object is always initialized. This way we can also remove the call to reservation_object_init() in ttm_bo_individualize_resv(). Regards, Christian. > mutex_destroy(&bo->wu_mutex); > if (bo->destroy) > bo->destroy(bo); > @@ -406,10 +405,8 @@ static int ttm_bo_individualize_resv(struct ttm_buffer_object *bo) > BUG_ON(!reservation_object_trylock(&bo->ttm_resv)); > > r = reservation_object_copy_fences(&bo->ttm_resv, bo->resv); > - if (r) { > + if (r) > reservation_object_unlock(&bo->ttm_resv); > - reservation_object_fini(&bo->ttm_resv); > - } > > return r; > } > @@ -457,10 +454,8 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo) > if (reservation_object_test_signaled_rcu(&bo->ttm_resv, true)) { > ttm_bo_del_from_lru(bo); > spin_unlock(&glob->lru_lock); > - if (bo->resv != &bo->ttm_resv) { > + if (bo->resv != &bo->ttm_resv) > reservation_object_unlock(&bo->ttm_resv); > - reservation_object_fini(&bo->ttm_resv); > - } > > ttm_bo_cleanup_memtype_use(bo); > return; > @@ -560,8 +555,6 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo, > } > > ttm_bo_del_from_lru(bo); > - if (!list_empty(&bo->ddestroy) && (bo->resv != &bo->ttm_resv)) > - reservation_object_fini(&bo->ttm_resv); > list_del_init(&bo->ddestroy); > kref_put(&bo->list_kref, ttm_bo_ref_bug); > _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <da4684ab-2c6d-7543-0c5d-3483ca093bc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>]
* Re: [PATCH] drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list [not found] ` <da4684ab-2c6d-7543-0c5d-3483ca093bc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> @ 2017-11-02 17:23 ` Michel Dänzer 0 siblings, 0 replies; 7+ messages in thread From: Michel Dänzer @ 2017-11-02 17:23 UTC (permalink / raw) To: christian.koenig-5C7GfCeVMHo; +Cc: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW On 02/11/17 11:49 AM, Christian König wrote: > Am 01.11.2017 um 17:15 schrieb Michel Dänzer: >> From: Michel Dänzer <michel.daenzer@amd.com> >> >> Fixes a use-after-free due to a race condition in >> ttm_bo_cleanup_refs_and_unlock, which allows one task to reserve a BO >> and destroy its ttm_resv while another task is waiting for it to signal >> in reservation_object_wait_timeout_rcu. >> >> Fixes: 0d2bd2ae045d "drm/ttm: fix memory leak while individualizing BOs" >> Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> > > Good idea, but one thing we should probably change. > >> --- >> drivers/gpu/drm/ttm/ttm_bo.c | 13 +++---------- >> 1 file changed, 3 insertions(+), 10 deletions(-) >> >> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c >> index 379ec41d2c69..a19a0ebf32ac 100644 >> --- a/drivers/gpu/drm/ttm/ttm_bo.c >> +++ b/drivers/gpu/drm/ttm/ttm_bo.c >> @@ -150,8 +150,7 @@ static void ttm_bo_release_list(struct kref >> *list_kref) >> ttm_tt_destroy(bo->ttm); >> atomic_dec(&bo->glob->bo_count); >> dma_fence_put(bo->moving); >> - if (bo->resv == &bo->ttm_resv) >> - reservation_object_fini(&bo->ttm_resv); >> + reservation_object_fini(&bo->ttm_resv); > > When we always call reservation_object_fini() here we should probably > also always call reservation_object_init() in ttm_bo_init_reserved() to > make sure the object is always initialized. Fair enough. > This way we can also remove the call to reservation_object_init() in > ttm_bo_individualize_resv(). Both done in v2, thanks for the review and suggestions. -- Earthling Michel Dänzer | http://www.amd.com Libre software enthusiast | Mesa and X developer _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2] drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list [not found] ` <20171101161529.4844-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org> 2017-11-02 2:30 ` Chunming Zhou 2017-11-02 10:49 ` Christian König @ 2017-11-02 17:22 ` Michel Dänzer [not found] ` <20171102172218.7827-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org> 2 siblings, 1 reply; 7+ messages in thread From: Michel Dänzer @ 2017-11-02 17:22 UTC (permalink / raw) To: dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW Cc: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW From: Michel Dänzer <michel.daenzer@amd.com> Fixes a use-after-free due to a race condition in ttm_bo_cleanup_refs_and_unlock, which allows one task to reserve a BO and destroy its ttm_resv while another task is waiting for it to signal in reservation_object_wait_timeout_rcu. v2: * Always initialize bo->ttm_resv in ttm_bo_init_reserved (Christian König) Fixes: 0d2bd2ae045d "drm/ttm: fix memory leak while individualizing BOs" Reviewed-by: Chunming Zhou <david1.zhou@amd.com> # v1 Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> --- drivers/gpu/drm/ttm/ttm_bo.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c index 379ec41d2c69..c088703777e2 100644 --- a/drivers/gpu/drm/ttm/ttm_bo.c +++ b/drivers/gpu/drm/ttm/ttm_bo.c @@ -150,8 +150,7 @@ static void ttm_bo_release_list(struct kref *list_kref) ttm_tt_destroy(bo->ttm); atomic_dec(&bo->glob->bo_count); dma_fence_put(bo->moving); - if (bo->resv == &bo->ttm_resv) - reservation_object_fini(&bo->ttm_resv); + reservation_object_fini(&bo->ttm_resv); mutex_destroy(&bo->wu_mutex); if (bo->destroy) bo->destroy(bo); @@ -402,14 +401,11 @@ static int ttm_bo_individualize_resv(struct ttm_buffer_object *bo) if (bo->resv == &bo->ttm_resv) return 0; - reservation_object_init(&bo->ttm_resv); BUG_ON(!reservation_object_trylock(&bo->ttm_resv)); r = reservation_object_copy_fences(&bo->ttm_resv, bo->resv); - if (r) { + if (r) reservation_object_unlock(&bo->ttm_resv); - reservation_object_fini(&bo->ttm_resv); - } return r; } @@ -457,10 +453,8 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo) if (reservation_object_test_signaled_rcu(&bo->ttm_resv, true)) { ttm_bo_del_from_lru(bo); spin_unlock(&glob->lru_lock); - if (bo->resv != &bo->ttm_resv) { + if (bo->resv != &bo->ttm_resv) reservation_object_unlock(&bo->ttm_resv); - reservation_object_fini(&bo->ttm_resv); - } ttm_bo_cleanup_memtype_use(bo); return; @@ -560,8 +554,6 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo, } ttm_bo_del_from_lru(bo); - if (!list_empty(&bo->ddestroy) && (bo->resv != &bo->ttm_resv)) - reservation_object_fini(&bo->ttm_resv); list_del_init(&bo->ddestroy); kref_put(&bo->list_kref, ttm_bo_ref_bug); @@ -1210,8 +1202,8 @@ int ttm_bo_init_reserved(struct ttm_bo_device *bdev, lockdep_assert_held(&bo->resv->lock.base); } else { bo->resv = &bo->ttm_resv; - reservation_object_init(&bo->ttm_resv); } + reservation_object_init(&bo->ttm_resv); atomic_inc(&bo->glob->bo_count); drm_vma_node_reset(&bo->vma_node); bo->priority = 0; -- 2.15.0.rc2 _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx ^ permalink raw reply related [flat|nested] 7+ messages in thread
[parent not found: <20171102172218.7827-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org>]
* Re: [PATCH v2] drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list [not found] ` <20171102172218.7827-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org> @ 2017-11-02 17:34 ` Christian König 0 siblings, 0 replies; 7+ messages in thread From: Christian König @ 2017-11-02 17:34 UTC (permalink / raw) To: Michel Dänzer, dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW Cc: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW Am 02.11.2017 um 18:22 schrieb Michel Dänzer: > From: Michel Dänzer <michel.daenzer@amd.com> > > Fixes a use-after-free due to a race condition in > ttm_bo_cleanup_refs_and_unlock, which allows one task to reserve a BO > and destroy its ttm_resv while another task is waiting for it to signal > in reservation_object_wait_timeout_rcu. > > v2: > * Always initialize bo->ttm_resv in ttm_bo_init_reserved > (Christian König) > > Fixes: 0d2bd2ae045d "drm/ttm: fix memory leak while individualizing BOs" > Reviewed-by: Chunming Zhou <david1.zhou@amd.com> # v1 > Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> > --- > drivers/gpu/drm/ttm/ttm_bo.c | 16 ++++------------ > 1 file changed, 4 insertions(+), 12 deletions(-) > > diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c > index 379ec41d2c69..c088703777e2 100644 > --- a/drivers/gpu/drm/ttm/ttm_bo.c > +++ b/drivers/gpu/drm/ttm/ttm_bo.c > @@ -150,8 +150,7 @@ static void ttm_bo_release_list(struct kref *list_kref) > ttm_tt_destroy(bo->ttm); > atomic_dec(&bo->glob->bo_count); > dma_fence_put(bo->moving); > - if (bo->resv == &bo->ttm_resv) > - reservation_object_fini(&bo->ttm_resv); > + reservation_object_fini(&bo->ttm_resv); > mutex_destroy(&bo->wu_mutex); > if (bo->destroy) > bo->destroy(bo); > @@ -402,14 +401,11 @@ static int ttm_bo_individualize_resv(struct ttm_buffer_object *bo) > if (bo->resv == &bo->ttm_resv) > return 0; > > - reservation_object_init(&bo->ttm_resv); > BUG_ON(!reservation_object_trylock(&bo->ttm_resv)); > > r = reservation_object_copy_fences(&bo->ttm_resv, bo->resv); > - if (r) { > + if (r) > reservation_object_unlock(&bo->ttm_resv); > - reservation_object_fini(&bo->ttm_resv); > - } > > return r; > } > @@ -457,10 +453,8 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo) > if (reservation_object_test_signaled_rcu(&bo->ttm_resv, true)) { > ttm_bo_del_from_lru(bo); > spin_unlock(&glob->lru_lock); > - if (bo->resv != &bo->ttm_resv) { > + if (bo->resv != &bo->ttm_resv) > reservation_object_unlock(&bo->ttm_resv); > - reservation_object_fini(&bo->ttm_resv); > - } > > ttm_bo_cleanup_memtype_use(bo); > return; > @@ -560,8 +554,6 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo, > } > > ttm_bo_del_from_lru(bo); > - if (!list_empty(&bo->ddestroy) && (bo->resv != &bo->ttm_resv)) > - reservation_object_fini(&bo->ttm_resv); > list_del_init(&bo->ddestroy); > kref_put(&bo->list_kref, ttm_bo_ref_bug); > > @@ -1210,8 +1202,8 @@ int ttm_bo_init_reserved(struct ttm_bo_device *bdev, > lockdep_assert_held(&bo->resv->lock.base); > } else { > bo->resv = &bo->ttm_resv; > - reservation_object_init(&bo->ttm_resv); > } > + reservation_object_init(&bo->ttm_resv); > atomic_inc(&bo->glob->bo_count); > drm_vma_node_reset(&bo->vma_node); > bo->priority = 0; _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list @ 2017-11-01 16:15 Michel Dänzer 0 siblings, 0 replies; 7+ messages in thread From: Michel Dänzer @ 2017-11-01 16:15 UTC (permalink / raw) To: amd-gfx From: Michel Dänzer <michel.daenzer@amd.com> Fixes a use-after-free due to a race condition in ttm_bo_cleanup_refs_and_unlock, which allows one task to reserve a BO and destroy its ttm_resv while another task is waiting for it to signal in reservation_object_wait_timeout_rcu. Fixes: 0d2bd2ae045d "drm/ttm: fix memory leak while individualizing BOs" Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> --- drivers/gpu/drm/ttm/ttm_bo.c | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c index 379ec41d2c69..a19a0ebf32ac 100644 --- a/drivers/gpu/drm/ttm/ttm_bo.c +++ b/drivers/gpu/drm/ttm/ttm_bo.c @@ -150,8 +150,7 @@ static void ttm_bo_release_list(struct kref *list_kref) ttm_tt_destroy(bo->ttm); atomic_dec(&bo->glob->bo_count); dma_fence_put(bo->moving); - if (bo->resv == &bo->ttm_resv) - reservation_object_fini(&bo->ttm_resv); + reservation_object_fini(&bo->ttm_resv); mutex_destroy(&bo->wu_mutex); if (bo->destroy) bo->destroy(bo); @@ -406,10 +405,8 @@ static int ttm_bo_individualize_resv(struct ttm_buffer_object *bo) BUG_ON(!reservation_object_trylock(&bo->ttm_resv)); r = reservation_object_copy_fences(&bo->ttm_resv, bo->resv); - if (r) { + if (r) reservation_object_unlock(&bo->ttm_resv); - reservation_object_fini(&bo->ttm_resv); - } return r; } @@ -457,10 +454,8 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo) if (reservation_object_test_signaled_rcu(&bo->ttm_resv, true)) { ttm_bo_del_from_lru(bo); spin_unlock(&glob->lru_lock); - if (bo->resv != &bo->ttm_resv) { + if (bo->resv != &bo->ttm_resv) reservation_object_unlock(&bo->ttm_resv); - reservation_object_fini(&bo->ttm_resv); - } ttm_bo_cleanup_memtype_use(bo); return; @@ -560,8 +555,6 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo, } ttm_bo_del_from_lru(bo); - if (!list_empty(&bo->ddestroy) && (bo->resv != &bo->ttm_resv)) - reservation_object_fini(&bo->ttm_resv); list_del_init(&bo->ddestroy); kref_put(&bo->list_kref, ttm_bo_ref_bug); -- 2.15.0.rc2 _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-11-02 17:34 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-01 16:15 [PATCH] drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list Michel Dänzer
[not found] ` <20171101161529.4844-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org>
2017-11-02 2:30 ` Chunming Zhou
2017-11-02 10:49 ` Christian König
[not found] ` <da4684ab-2c6d-7543-0c5d-3483ca093bc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-11-02 17:23 ` Michel Dänzer
2017-11-02 17:22 ` [PATCH v2] " Michel Dänzer
[not found] ` <20171102172218.7827-1-michel-otUistvHUpPR7s880joybQ@public.gmane.org>
2017-11-02 17:34 ` Christian König
-- strict thread matches above, loose matches on Subject: below --
2017-11-01 16:15 [PATCH] " Michel Dänzer
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.