From mboxrd@z Thu Jan  1 00:00:00 1970
From: =?ISO-8859-1?Q?Christian_K=F6nig?= <deathsimple@vodafone.de>
Subject: Re: [PATCH] drm/radeon: fix rare segfault
Date: Tue, 03 Jul 2012 11:29:26 +0200
Message-ID: <4FF2BB76.6000902@vodafone.de>
References: <1341247254-10516-1-git-send-email-j.glisse@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Content-Transfer-Encoding: quoted-printable
Return-path: <dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org>
Received: from outgoing.email.vodafone.de (outgoing.email.vodafone.de
	[139.7.28.128])
	by gabe.freedesktop.org (Postfix) with ESMTP id E7C699E804
	for <dri-devel@lists.freedesktop.org>;
	Tue,  3 Jul 2012 02:29:29 -0700 (PDT)
In-Reply-To: <1341247254-10516-1-git-send-email-j.glisse@gmail.com>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: j.glisse@gmail.com
Cc: Jerome Glisse <jglisse@redhat.com>, dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

On 02.07.2012 18:40, j.glisse@gmail.com wrote:
> From: Jerome Glisse <jglisse@redhat.com>
>
> In gem idle/busy ioctl the radeon object was derefenced after
> drm_gem_object_unreference_unlocked which in case the object
> have been destroyed lead to use of a possibly free pointer with
> possibly wrong data.
>
> Signed-off-by: Jerome Glisse <jglisse@redhat.com>

Reviewed-by: Christian K=F6nig <christian.koenig@amd.com>

> ---
>   drivers/gpu/drm/radeon/radeon_gem.c |   10 ++++++----
>   1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon=
/radeon_gem.c
> index 74176c5..c8838fc 100644
> --- a/drivers/gpu/drm/radeon/radeon_gem.c
> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> @@ -325,6 +325,7 @@ int radeon_gem_mmap_ioctl(struct drm_device *dev, voi=
d *data,
>   int radeon_gem_busy_ioctl(struct drm_device *dev, void *data,
>   			  struct drm_file *filp)
>   {
> +	struct radeon_device *rdev =3D dev->dev_private;
>   	struct drm_radeon_gem_busy *args =3D data;
>   	struct drm_gem_object *gobj;
>   	struct radeon_bo *robj;
> @@ -350,13 +351,14 @@ int radeon_gem_busy_ioctl(struct drm_device *dev, v=
oid *data,
>   		break;
>   	}
>   	drm_gem_object_unreference_unlocked(gobj);
> -	r =3D radeon_gem_handle_lockup(robj->rdev, r);
> +	r =3D radeon_gem_handle_lockup(rdev, r);
>   	return r;
>   }
>   =

>   int radeon_gem_wait_idle_ioctl(struct drm_device *dev, void *data,
>   			      struct drm_file *filp)
>   {
> +	struct radeon_device *rdev =3D dev->dev_private;
>   	struct drm_radeon_gem_wait_idle *args =3D data;
>   	struct drm_gem_object *gobj;
>   	struct radeon_bo *robj;
> @@ -369,10 +371,10 @@ int radeon_gem_wait_idle_ioctl(struct drm_device *d=
ev, void *data,
>   	robj =3D gem_to_radeon_bo(gobj);
>   	r =3D radeon_bo_wait(robj, NULL, false);
>   	/* callback hw specific functions if any */
> -	if (robj->rdev->asic->ioctl_wait_idle)
> -		robj->rdev->asic->ioctl_wait_idle(robj->rdev, robj);
> +	if (rdev->asic->ioctl_wait_idle)
> +		robj->rdev->asic->ioctl_wait_idle(rdev, robj);
>   	drm_gem_object_unreference_unlocked(gobj);
> -	r =3D radeon_gem_handle_lockup(robj->rdev, r);
> +	r =3D radeon_gem_handle_lockup(rdev, r);
>   	return r;
>   }
>   =