git.baikalelectronics.ru Git - kernel.git/commit

author	Mikel Rychliski <mikel@mikelr.com>
	Thu, 24 Jun 2021 04:51:20 +0000 (00:51 -0400)
committer	Christian König <christian.koenig@amd.com>
	Wed, 30 Jun 2021 09:56:21 +0000 (11:56 +0200)
commit	ce49f37d79073f256d1a2f25e443d0a2e3ecc213
tree	d85cbbe0a48d1a9b814ef95b633889417b83db78	tree \| snapshot
parent	6e09669b2b291d10cbcedd2dc28efac0b8d8be46	commit \| diff

drm/radeon: Fix NULL dereference when updating memory stats

radeon_ttm_bo_destroy() is attempting to access the resource object to
update memory counters. However, the resource object is already freed when
ttm calls this function via the destroy callback. This causes an oops when
a bo is freed:

BUG: kernel NULL pointer dereference, address: 0000000000000010
RIP: 0010:radeon_ttm_bo_destroy+0x2c/0x100 [radeon]
Call Trace:
radeon_bo_unref+0x1a/0x30 [radeon]
radeon_gem_object_free+0x33/0x50 [radeon]
drm_gem_object_release_handle+0x69/0x70 [drm]
drm_gem_handle_delete+0x62/0xa0 [drm]
? drm_mode_destroy_dumb+0x40/0x40 [drm]
drm_ioctl_kernel+0xb2/0xf0 [drm]
drm_ioctl+0x30a/0x3c0 [drm]
? drm_mode_destroy_dumb+0x40/0x40 [drm]
radeon_drm_ioctl+0x49/0x80 [radeon]
__x64_sys_ioctl+0x8e/0xd0

Avoid the issue by updating the counters in the delete_mem_notify callback
instead. Also, fix memory statistic updating in radeon_bo_move() to
identify the source type correctly. The source type needs to be saved
before the move, because the moved from object may be altered by the move.

Fixes: 0abecef40ccc ("drm/ttm: allocate resource object instead of embedding it v2")
Signed-off-by: Mikel Rychliski <mikel@mikelr.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210624045121.15643-1-mikel@mikelr.com

drivers/gpu/drm/radeon/radeon_object.c		diff \| blob \| history
drivers/gpu/drm/radeon/radeon_object.h		diff \| blob \| history
drivers/gpu/drm/radeon/radeon_ttm.c		diff \| blob \| history