From: Thomas Hellström
Date: Tue, 7 Mar 2023 18:46:54 +0100
To: Christian König, dri-devel@lists.freedesktop.org
Cc: Philip Yang, Daniel Vetter, Felix Kuehling, Arunpravin Paneer Selvam, Qiang Yu, Huang Rui, Matthew Auld, Alex Deucher, intel-gfx@lists.freedesktop.org, Nirmoy Das
Subject: Re: [Intel-gfx] [PATCH v2 1/7] drm/ttm: Fix a NULL pointer dereference

On 3/7/23 17:55, Christian König wrote:
> On 07.03.23 at 15:46, Thomas Hellström wrote:
>> The LRU mechanism may look up a resource in the process of being removed
>> from an object. The locking rules here are a bit unclear but it looks
>> currently like res->bo assignment is protected by the LRU lock, whereas
>> bo->resource is protected by the object lock, while *clearing* of
>> bo->resource is also protected by the LRU lock. This means that if
>> we check that bo->resource points to the LRU resource under the LRU
>> lock we should be safe.
>> So perform that check before deciding to swap out a bo. That avoids
>> dereferencing a NULL bo->resource in ttm_bo_swapout().
>
> Please make sure that this is pushed to drm-misc-fixes ASAP.
>
> I'm getting complaints about this from different sides.
>
> Thanks,
> Christian.

Done.

/Thomas

>
>>
>> Fixes: 6a9b02899402 ("drm/ttm: move the LRU into resource handling v4")
>> Cc: Christian König
>> Cc: Daniel Vetter
>> Cc: Christian Koenig
>> Cc: Huang Rui
>> Cc: Alex Deucher
>> Cc: Felix Kuehling
>> Cc: Philip Yang
>> Cc: Qiang Yu
>> Cc: Matthew Auld
>> Cc: Nirmoy Das
>> Cc: Tvrtko Ursulin
>> Cc: "Thomas Hellström"
>> Cc: Anshuman Gupta
>> Cc: Arunpravin Paneer Selvam
>> Cc: dri-devel@lists.freedesktop.org
>> Signed-off-by: Thomas Hellström >> Reviewed-by: Christian König >> --- >>   drivers/gpu/drm/ttm/ttm_device.c | 2 +- >>   1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/ttm/ttm_device.c >> b/drivers/gpu/drm/ttm/ttm_device.c >> index c7a1862f322a..ae2f19dc9f81 100644 >> --- a/drivers/gpu/drm/ttm/ttm_device.c >> +++ b/drivers/gpu/drm/ttm/ttm_device.c >> @@ -158,7 +158,7 @@ int ttm_device_swapout(struct ttm_device *bdev, >> struct ttm_operation_ctx *ctx, >>               struct ttm_buffer_object *bo = res->bo; >>               uint32_t num_pages; >>   -            if (!bo) >> +            if (!bo || bo->resource != res) >>                   continue; >>                 num_pages = PFN_UP(bo->base.size); >
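
Review bot: The new `bo->resource != res` test in ttm_device_swapout() is only meaningful while the LRU lock is held, yet the hunk carries no comment saying so, and the commit message itself calls the locking rules "a bit unclear". A short comment directly above `if (!bo || bo->resource != res)` would help. It should state that res->bo assignment and the clearing of bo->resource are both serialized by the LRU lock, and that the comparison must stay inside that locked region. That would keep a later refactor from moving the check, or the code that consumes `bo`, outside the lock and reopening the NULL bo->resource dereference in ttm_bo_swapout(). Since bo->resource is otherwise protected by the object lock, it is also worth recording why reading it here without that lock is acceptable.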