Commit 52c8b6e1 authored by Dave Airlie's avatar Dave Airlie

Merge tag 'drm-xe-fixes-2024-04-18' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes

- Fix bo leak on error path during fb init
- Fix use-after-free due to order vm is put and destroyed
Signed-off-by: default avatarDave Airlie <airlied@redhat.com>

From: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/xjguifyantaibyrnymuiotxws6akiexi6r7tqyieqxgquovubc@kkrtbe24hjjr
parents 5493bf2d ca7c52ac
...@@ -31,7 +31,7 @@ int intel_fb_bo_framebuffer_init(struct intel_framebuffer *intel_fb, ...@@ -31,7 +31,7 @@ int intel_fb_bo_framebuffer_init(struct intel_framebuffer *intel_fb,
ret = ttm_bo_reserve(&bo->ttm, true, false, NULL); ret = ttm_bo_reserve(&bo->ttm, true, false, NULL);
if (ret) if (ret)
return ret; goto err;
if (!(bo->flags & XE_BO_SCANOUT_BIT)) { if (!(bo->flags & XE_BO_SCANOUT_BIT)) {
/* /*
...@@ -42,12 +42,16 @@ int intel_fb_bo_framebuffer_init(struct intel_framebuffer *intel_fb, ...@@ -42,12 +42,16 @@ int intel_fb_bo_framebuffer_init(struct intel_framebuffer *intel_fb,
*/ */
if (XE_IOCTL_DBG(i915, !list_empty(&bo->ttm.base.gpuva.list))) { if (XE_IOCTL_DBG(i915, !list_empty(&bo->ttm.base.gpuva.list))) {
ttm_bo_unreserve(&bo->ttm); ttm_bo_unreserve(&bo->ttm);
return -EINVAL; ret = -EINVAL;
goto err;
} }
bo->flags |= XE_BO_SCANOUT_BIT; bo->flags |= XE_BO_SCANOUT_BIT;
} }
ttm_bo_unreserve(&bo->ttm); ttm_bo_unreserve(&bo->ttm);
return 0;
err:
xe_bo_put(bo);
return ret; return ret;
} }
......
...@@ -1577,6 +1577,16 @@ void xe_vm_close_and_put(struct xe_vm *vm) ...@@ -1577,6 +1577,16 @@ void xe_vm_close_and_put(struct xe_vm *vm)
xe->usm.num_vm_in_fault_mode--; xe->usm.num_vm_in_fault_mode--;
else if (!(vm->flags & XE_VM_FLAG_MIGRATION)) else if (!(vm->flags & XE_VM_FLAG_MIGRATION))
xe->usm.num_vm_in_non_fault_mode--; xe->usm.num_vm_in_non_fault_mode--;
if (vm->usm.asid) {
void *lookup;
xe_assert(xe, xe->info.has_asid);
xe_assert(xe, !(vm->flags & XE_VM_FLAG_MIGRATION));
lookup = xa_erase(&xe->usm.asid_to_vm, vm->usm.asid);
xe_assert(xe, lookup == vm);
}
mutex_unlock(&xe->usm.lock); mutex_unlock(&xe->usm.lock);
for_each_tile(tile, xe, id) for_each_tile(tile, xe, id)
...@@ -1592,24 +1602,15 @@ static void vm_destroy_work_func(struct work_struct *w) ...@@ -1592,24 +1602,15 @@ static void vm_destroy_work_func(struct work_struct *w)
struct xe_device *xe = vm->xe; struct xe_device *xe = vm->xe;
struct xe_tile *tile; struct xe_tile *tile;
u8 id; u8 id;
void *lookup;
/* xe_vm_close_and_put was not called? */ /* xe_vm_close_and_put was not called? */
xe_assert(xe, !vm->size); xe_assert(xe, !vm->size);
mutex_destroy(&vm->snap_mutex); mutex_destroy(&vm->snap_mutex);
if (!(vm->flags & XE_VM_FLAG_MIGRATION)) { if (!(vm->flags & XE_VM_FLAG_MIGRATION))
xe_device_mem_access_put(xe); xe_device_mem_access_put(xe);
if (xe->info.has_asid && vm->usm.asid) {
mutex_lock(&xe->usm.lock);
lookup = xa_erase(&xe->usm.asid_to_vm, vm->usm.asid);
xe_assert(xe, lookup == vm);
mutex_unlock(&xe->usm.lock);
}
}
for_each_tile(tile, xe, id) for_each_tile(tile, xe, id)
XE_WARN_ON(vm->pt_root[id]); XE_WARN_ON(vm->pt_root[id]);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment