- Fix bo leak on error path during fb init
- Fix use-after-free due to order vm is put and destroyed -----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEE6rM8lpABPHM5FqyDm6KlpjDL6lMFAmYhP4gZHGx1Y2FzLmRl bWFyY2hpQGludGVsLmNvbQAKCRCboqWmMMvqU72FD/9fdK0UOtlKJc93YatiMAoz JFre/RQlqLpblP3/HJliDc6rfbPK3dynZwOpItM9hYgjnOs7ZZygz20iTAGwk1mI 10s0E1MiDPRt0NTDijsWMmvnyU38vsQtrK29A9Lhb6eVJ8ruO+qUbPYYxkTZzwTz WouJtZDa7JnCRC/dGDSFuVP+SlZVUIuVSSStgyIbZfFizr0T93IFCqeo1lY7L1oa ZblqWt2tF/Z6A3r1xJDfddTYEqsKq2G1/w5bVh269ePZ1YKdtuB4cEXwngyTNWeM cp+ZKde1y/zsj7AkPyWQ/TRo1bJXG2SY5DLtUgjyQRBG3s7Q2QyKswLPS4dOYqIO yKW9OWQE9XhEcZzvXEKhaNV9kTSUhX5K1jRnYtnX7qwIPf6lhJZYfXqFHM+3A0Ur GocgJ/pz2yBQWOoj8tLRmh/9YQVF72s5tmRtTpla7TkTXZiWX/9JMgZ+UVx0Gm+A VQquefEsgYfvno3k8AJxQUN2BisAlXBZ9CjLYCnYa3yoLlejyqcLBJeRC7JNl5c6 1WA4GmkC2RNB+rd5aOUqOzmdJzNh8+/qNlwnNdK7Pu1SpfbqEcdv21U7xV4hdtri GTB42BvSY/fwy4ujMHR0qlOiOMAWsuwEh81J/i6ZPhMiX3wJiyW52qbJT8KoAq9z HHdU77zxhv0T0mS7LG+Y1A== =x39h -----END PGP SIGNATURE----- Merge tag 'drm-xe-fixes-2024-04-18' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes - Fix bo leak on error path during fb init - Fix use-after-free due to order vm is put and destroyed Signed-off-by: Dave Airlie <airlied@redhat.com> From: Lucas De Marchi <lucas.demarchi@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/xjguifyantaibyrnymuiotxws6akiexi6r7tqyieqxgquovubc@kkrtbe24hjjr
This commit is contained in:
Dave Airlie
commit
52c8b6e1c0
|
|
@ -31,7 +31,7 @@ int intel_fb_bo_framebuffer_init(struct intel_framebuffer *intel_fb,
|
|||
|
||||
ret = ttm_bo_reserve(&bo->ttm, true, false, NULL);
|
||||
if (ret)
|
||||
return ret;
|
||||
goto err;
|
||||
|
||||
if (!(bo->flags & XE_BO_SCANOUT_BIT)) {
|
||||
/*
|
||||
|
|
@ -42,12 +42,16 @@ int intel_fb_bo_framebuffer_init(struct intel_framebuffer *intel_fb,
|
|||
*/
|
||||
if (XE_IOCTL_DBG(i915, !list_empty(&bo->ttm.base.gpuva.list))) {
|
||||
ttm_bo_unreserve(&bo->ttm);
|
||||
return -EINVAL;
|
||||
ret = -EINVAL;
|
||||
goto err;
|
||||
}
|
||||
bo->flags |= XE_BO_SCANOUT_BIT;
|
||||
}
|
||||
ttm_bo_unreserve(&bo->ttm);
|
||||
return 0;
|
||||
|
||||
err:
|
||||
xe_bo_put(bo);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1577,6 +1577,16 @@ void xe_vm_close_and_put(struct xe_vm *vm)
|
|||
xe->usm.num_vm_in_fault_mode--;
|
||||
else if (!(vm->flags & XE_VM_FLAG_MIGRATION))
|
||||
xe->usm.num_vm_in_non_fault_mode--;
|
||||
|
||||
if (vm->usm.asid) {
|
||||
void *lookup;
|
||||
|
||||
xe_assert(xe, xe->info.has_asid);
|
||||
xe_assert(xe, !(vm->flags & XE_VM_FLAG_MIGRATION));
|
||||
|
||||
lookup = xa_erase(&xe->usm.asid_to_vm, vm->usm.asid);
|
||||
xe_assert(xe, lookup == vm);
|
||||
}
|
||||
mutex_unlock(&xe->usm.lock);
|
||||
|
||||
for_each_tile(tile, xe, id)
|
||||
|
|
@ -1592,24 +1602,15 @@ static void vm_destroy_work_func(struct work_struct *w)
|
|||
struct xe_device *xe = vm->xe;
|
||||
struct xe_tile *tile;
|
||||
u8 id;
|
||||
void *lookup;
|
||||
|
||||
/* xe_vm_close_and_put was not called? */
|
||||
xe_assert(xe, !vm->size);
|
||||
|
||||
mutex_destroy(&vm->snap_mutex);
|
||||
|
||||
if (!(vm->flags & XE_VM_FLAG_MIGRATION)) {
|
||||
if (!(vm->flags & XE_VM_FLAG_MIGRATION))
|
||||
xe_device_mem_access_put(xe);
|
||||
|
||||
if (xe->info.has_asid && vm->usm.asid) {
|
||||
mutex_lock(&xe->usm.lock);
|
||||
lookup = xa_erase(&xe->usm.asid_to_vm, vm->usm.asid);
|
||||
xe_assert(xe, lookup == vm);
|
||||
mutex_unlock(&xe->usm.lock);
|
||||
}
|
||||
}
|
||||
|
||||
for_each_tile(tile, xe, id)
|
||||
XE_WARN_ON(vm->pt_root[id]);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue