diff mbox

drm/ttm: fix kref count mess in ttm_bo_move_to_lru_tail

Message ID 1461174769-31886-1-git-send-email-alexander.deucher@amd.com (mailing list archive)
State New, archived
Headers show

Commit Message

Alex Deucher April 20, 2016, 5:52 p.m. UTC 
From: Flora Cui <Flora.Cui@amd.com>

Fixes the following scenario:

1. Page table bo allocated in vram and linked to man->lru.
   tbo->list_kref.refcount=2
2. Page table bo is swapped out and removed from man->lru.
   tbo->list_kref.refcount=1
3. Command submission from userspace.  Page table bo is moved
   to vram.  ttm_bo_move_to_lru_tail() link it to man->lru and
   don't increase the kref count.

Signed-off-by: Flora Cui <Flora.Cui@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/ttm/ttm_bo.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

Comments

Alex Deucher April 26, 2016, 4:50 a.m. UTC | #1 
Ping.  Any objections?


On Wed, Apr 20, 2016 at 1:52 PM, Alex Deucher <alexdeucher@gmail.com> wrote:
> From: Flora Cui <Flora.Cui@amd.com>
>
> Fixes the following scenario:
>
> 1. Page table bo allocated in vram and linked to man->lru.
>    tbo->list_kref.refcount=2
> 2. Page table bo is swapped out and removed from man->lru.
>    tbo->list_kref.refcount=1
> 3. Command submission from userspace.  Page table bo is moved
>    to vram.  ttm_bo_move_to_lru_tail() link it to man->lru and
>    don't increase the kref count.
>
> Signed-off-by: Flora Cui <Flora.Cui@amd.com>
> Reviewed-by: Christian König <christian.koenig@amd.com>
> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> Cc: stable@vger.kernel.org
> ---
>  drivers/gpu/drm/ttm/ttm_bo.c | 17 ++++-------------
>  1 file changed, 4 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
> index 4cbf265..e3daafa 100644
> --- a/drivers/gpu/drm/ttm/ttm_bo.c
> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
> @@ -230,22 +230,13 @@ EXPORT_SYMBOL(ttm_bo_del_sub_from_lru);
>
>  void ttm_bo_move_to_lru_tail(struct ttm_buffer_object *bo)
>  {
> -       struct ttm_bo_device *bdev = bo->bdev;
> -       struct ttm_mem_type_manager *man;
> +       int put_count = 0;
>
>         lockdep_assert_held(&bo->resv->lock.base);
>
> -       if (bo->mem.placement & TTM_PL_FLAG_NO_EVICT) {
> -               list_del_init(&bo->swap);
> -               list_del_init(&bo->lru);
> -
> -       } else {
> -               if (bo->ttm && !(bo->ttm->page_flags & TTM_PAGE_FLAG_SG))
> -                       list_move_tail(&bo->swap, &bo->glob->swap_lru);
> -
> -               man = &bdev->man[bo->mem.mem_type];
> -               list_move_tail(&bo->lru, &man->lru);
> -       }
> +       put_count = ttm_bo_del_from_lru(bo);
> +       ttm_bo_list_ref_sub(bo, put_count, true);
> +       ttm_bo_add_to_lru(bo);
>  }
>  EXPORT_SYMBOL(ttm_bo_move_to_lru_tail);
>
> --
> 2.5.5
>
Thomas Hellstrom April 27, 2016, 3:34 p.m. UTC | #2 
LGTM

Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>


On 04/26/2016 06:50 AM, Alex Deucher wrote:
> Ping.  Any objections?
>
>
> On Wed, Apr 20, 2016 at 1:52 PM, Alex Deucher <alexdeucher@gmail.com> wrote:
>> From: Flora Cui <Flora.Cui@amd.com>
>>
>> Fixes the following scenario:
>>
>> 1. Page table bo allocated in vram and linked to man->lru.
>>    tbo->list_kref.refcount=2
>> 2. Page table bo is swapped out and removed from man->lru.
>>    tbo->list_kref.refcount=1
>> 3. Command submission from userspace.  Page table bo is moved
>>    to vram.  ttm_bo_move_to_lru_tail() link it to man->lru and
>>    don't increase the kref count.
>>
>> Signed-off-by: Flora Cui <Flora.Cui@amd.com>
>> Reviewed-by: Christian König <christian.koenig@amd.com>
>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
>> Cc: stable@vger.kernel.org
>> ---
>>  drivers/gpu/drm/ttm/ttm_bo.c | 17 ++++-------------
>>  1 file changed, 4 insertions(+), 13 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
>> index 4cbf265..e3daafa 100644
>> --- a/drivers/gpu/drm/ttm/ttm_bo.c
>> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
>> @@ -230,22 +230,13 @@ EXPORT_SYMBOL(ttm_bo_del_sub_from_lru);
>>
>>  void ttm_bo_move_to_lru_tail(struct ttm_buffer_object *bo)
>>  {
>> -       struct ttm_bo_device *bdev = bo->bdev;
>> -       struct ttm_mem_type_manager *man;
>> +       int put_count = 0;
>>
>>         lockdep_assert_held(&bo->resv->lock.base);
>>
>> -       if (bo->mem.placement & TTM_PL_FLAG_NO_EVICT) {
>> -               list_del_init(&bo->swap);
>> -               list_del_init(&bo->lru);
>> -
>> -       } else {
>> -               if (bo->ttm && !(bo->ttm->page_flags & TTM_PAGE_FLAG_SG))
>> -                       list_move_tail(&bo->swap, &bo->glob->swap_lru);
>> -
>> -               man = &bdev->man[bo->mem.mem_type];
>> -               list_move_tail(&bo->lru, &man->lru);
>> -       }
>> +       put_count = ttm_bo_del_from_lru(bo);
>> +       ttm_bo_list_ref_sub(bo, put_count, true);
>> +       ttm_bo_add_to_lru(bo);
>>  }
>>  EXPORT_SYMBOL(ttm_bo_move_to_lru_tail);
>>
>> --
>> 2.5.5
>>
diff mbox

Patch

diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index 4cbf265..e3daafa 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -230,22 +230,13 @@  EXPORT_SYMBOL(ttm_bo_del_sub_from_lru);
 
 void ttm_bo_move_to_lru_tail(struct ttm_buffer_object *bo)
 {
-	struct ttm_bo_device *bdev = bo->bdev;
-	struct ttm_mem_type_manager *man;
+	int put_count = 0;
 
 	lockdep_assert_held(&bo->resv->lock.base);
 
-	if (bo->mem.placement & TTM_PL_FLAG_NO_EVICT) {
-		list_del_init(&bo->swap);
-		list_del_init(&bo->lru);
-
-	} else {
-		if (bo->ttm && !(bo->ttm->page_flags & TTM_PAGE_FLAG_SG))
-			list_move_tail(&bo->swap, &bo->glob->swap_lru);
-
-		man = &bdev->man[bo->mem.mem_type];
-		list_move_tail(&bo->lru, &man->lru);
-	}
+	put_count = ttm_bo_del_from_lru(bo);
+	ttm_bo_list_ref_sub(bo, put_count, true);
+	ttm_bo_add_to_lru(bo);
 }
 EXPORT_SYMBOL(ttm_bo_move_to_lru_tail);