Date: Thu, 27 Jan 2022 12:57:18 +0100
To: Thomas Hellström, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
From: Maarten Lankhorst
In-Reply-To: <20220127115622.302970-1-thomas.hellstrom@linux.intel.com>
Subject: Re: [Intel-gfx] [PATCH] drm/i915: Fix a race between vma / object destruction and unbinding

On 27-01-2022 at 12:56, Thomas Hellström wrote:
> The vma destruction code was using an unlocked advisory check for
> drm_mm_node_allocated() to avoid racing with eviction code unbinding
> the vma.
>
> This is very fragile and prohibits the dereference of non-refcounted
> pointers of dying vmas after a call to __i915_vma_unbind(). It also
> prohibits the dereference of vma->obj of refcounted pointers of
> dying vmas after a call to __i915_vma_unbind(), since even if a
> refcount is held on the vma, that won't guarantee that its backing
> object doesn't get destroyed.
>
> So introduce an unbind under the vm mutex at object destroy time,
> removing all weak references of the vma and its object from the
> object vma list and from the vm bound list.
>
> Signed-off-by: Thomas Hellström
> --- > drivers/gpu/drm/i915/gem/i915_gem_object.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.c b/drivers/gpu/drm/i915/gem/i915_gem_object.c > index 1a9e1f940a7d..e03e362d320b 100644 > --- a/drivers/gpu/drm/i915/gem/i915_gem_object.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.c > @@ -280,6 +280,12 @@ void __i915_gem_object_pages_fini(struct drm_i915_gem_object *obj) > GEM_BUG_ON(vma->obj != obj); > spin_unlock(&obj->vma.lock); > > + /* Verify that the vma is unbound under the vm mutex. */ > + mutex_lock(&vma->vm->mutex); > + atomic_and(~I915_VMA_PIN_MASK, &vma->flags); > + __i915_vma_unbind(vma); > + mutex_unlock(&vma->vm->mutex); > + > __i915_vma_put(vma); > > spin_lock(&obj->vma.lock); Reviewed-by: Maarten Lankhorst
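
Review bot: The comment added in __i915_gem_object_pages_fini() says "Verify that the vma is unbound under the vm mutex", but the lines under it check nothing: they clear the I915_VMA_PIN_MASK bits in vma->flags with atomic_and() and then call __i915_vma_unbind(vma), which is the unbind the commit message describes. Reword the comment to say the vma is unbound here, and add a sentence on why it is acceptable to drop the pin bits at object destroy time, since forcibly clearing pin state is the step a later reader is most likely to question. Nothing in the hunk looks at the outcome of __i915_vma_unbind(vma) either; if the call can fail on this path, a vma that is still bound would go on to __i915_vma_put(vma) unnoticed, so consider asserting on it in the same way the GEM_BUG_ON(vma->obj != obj) above does.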