From patchwork Mon Jul 29 09:55:02 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maarten Lankhorst X-Patchwork-Id: 2834873 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id E3103C0319 for ; Mon, 29 Jul 2013 09:55:49 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id DC01220277 for ; Mon, 29 Jul 2013 09:55:48 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id B12AC20274 for ; Mon, 29 Jul 2013 09:55:47 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 82C6EE61D0 for ; Mon, 29 Jul 2013 02:55:47 -0700 (PDT) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) by gabe.freedesktop.org (Postfix) with ESMTP id 58B53E619F; Mon, 29 Jul 2013 02:55:05 -0700 (PDT) Received: from 5ed49945.cm-7-5c.dynamic.ziggo.nl ([94.212.153.69] helo=[192.168.1.128]) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1V3kAR-0001yj-7z; Mon, 29 Jul 2013 09:55:03 +0000 Message-ID: <51F63BF6.5090903@canonical.com> Date: Mon, 29 Jul 2013 11:55:02 +0200 From: Maarten Lankhorst User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7 MIME-Version: 1.0 To: "nouveau@lists.freedesktop.org" Subject: [PATCH] drm/nouveau: protect vm refcount with mutex Cc: "dri-devel@lists.freedesktop.org" X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org X-Spam-Status: No, score=-5.7 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The refcount was not protected by the vm lock, fix this.. ------------[ cut here ]------------ WARNING: CPU: 2 PID: 2008 at drivers/gpu/drm/nouveau/core/core/mm.c:242 nouveau_mm_fini+0x4f/0x56 [nouveau]() Modules linked in: adt7475 ebtable_nat ebtables nouveau ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_CHECKSUM iptable_mangle bridge stp llc snd_hda_codec_hdmi kvm_intel ttm kvm drm_kms_helper drm mxm_wmi snd_hda_codec_realtek snd_hda_intel e1000e snd_hda_codec snd_hwdep snd_pcm ptp pps_core snd_page_alloc video parport_pc ppdev nfsd parport lockd nfs_acl auth_rpcgss sunrpc oid_registry CPU: 2 PID: 2008 Comm: Xorg Tainted: G W 3.11.0-rc1-patser+ #119 Hardware name: Acer Aspire M3985/Aspire M3985, BIOS P01-A1 03/12/2012 00000000000000f2 ffff8803f59b1b68 ffffffff81637988 000000000000b0b0 0000000000000000 ffff8803f59b1ba8 ffffffff81059e1d 0000000000000000 0000000000000000 ffff8803f9dd6c48 ffff8803f9dd6c00 ffff8803f688d898 Call Trace: [] dump_stack+0x55/0x86 [] warn_slowpath_common+0x87/0xaf [] warn_slowpath_null+0x15/0x17 [] nouveau_mm_fini+0x4f/0x56 [nouveau] [] nouveau_vm_ref+0x154/0x180 [nouveau] [] ? nouveau_mm_free+0x85/0x116 [nouveau] [] nouveau_vm_put+0x9a/0xb0 [nouveau] [] ? nouveau_gem_info+0x9d/0x9d [nouveau] [] nouveau_gem_object_delete+0x19/0x28 [nouveau] [] nouveau_fence_work+0xc9/0x102 [nouveau] [] nouveau_gem_object_close+0x103/0x182 [nouveau] [] drm_gem_handle_delete+0xcc/0x153 [drm] [] drm_gem_close_ioctl+0x23/0x25 [drm] [] drm_ioctl+0x4cc/0x612 [drm] [] ? __slab_free.isra.66+0x24d/0x2aa [] ? drm_gem_destroy+0x4c/0x4c [drm] [] ? avc_has_perm_flags+0xb1/0x179 [] do_vfs_ioctl+0x8b/0x4f8 [] ? inode_has_perm.isra.43.constprop.75+0x25/0x2b [] ? file_has_perm+0x8c/0x9a [] ? rcu_user_exit+0xe/0x10 [] SyS_ioctl+0x8a/0x9b [] tracesys+0xdd/0xe2 ---[ end trace f99ff0179509b495 ]--- Signed-off-by: Maarten Lankhorst diff --git a/drivers/gpu/drm/nouveau/core/subdev/vm/base.c b/drivers/gpu/drm/nouveau/core/subdev/vm/base.c index 3b90b42..afc5106 100644 --- a/drivers/gpu/drm/nouveau/core/subdev/vm/base.c +++ b/drivers/gpu/drm/nouveau/core/subdev/vm/base.c @@ -28,6 +28,8 @@ #include #include +static void nouveau_vm_del(struct nouveau_vm *vm); + void nouveau_vm_map_at(struct nouveau_vma *vma, u64 delta, struct nouveau_mem *node) { @@ -335,10 +337,10 @@ nouveau_vm_get(struct nouveau_vm *vm, u64 size, u32 page_shift, return ret; } } + ++vm->refcount; + vma->vm = vm; mutex_unlock(&nv_subdev(vmm)->mutex); - vma->vm = NULL; - nouveau_vm_ref(vm, &vma->vm, NULL); vma->offset = (u64)vma->node->offset << 12; #ifdef NOUVEAU_VM_POISON if (vm->poison) @@ -353,7 +355,7 @@ nouveau_vm_put(struct nouveau_vma *vma) { struct nouveau_vm *vm = vma->vm; struct nouveau_vmmgr *vmm = vm->vmm; - u32 fpde, lpde; + u32 fpde, lpde, ref; if (unlikely(vma->node == NULL)) return; @@ -363,9 +365,12 @@ nouveau_vm_put(struct nouveau_vma *vma) mutex_lock(&nv_subdev(vmm)->mutex); nouveau_vm_unmap_pgt(vm, vma->node->type != vmm->spg_shift, fpde, lpde); nouveau_mm_free(&vm->mm, &vma->node); - mutex_unlock(&nv_subdev(vmm)->mutex); - nouveau_vm_ref(NULL, &vma->vm, NULL); + vma->vm = NULL; + ref = --vm->refcount; + mutex_unlock(&nv_subdev(vmm)->mutex); + if (!ref) + nouveau_vm_del(vm); } int @@ -429,25 +434,21 @@ nouveau_vm_link(struct nouveau_vm *vm, struct nouveau_gpuobj *pgd) nouveau_gpuobj_ref(pgd, &vpgd->obj); - mutex_lock(&nv_subdev(vmm)->mutex); for (i = vm->fpde; i <= vm->lpde; i++) vmm->map_pgt(pgd, i, vm->pgt[i - vm->fpde].obj); list_add(&vpgd->head, &vm->pgd_list); - mutex_unlock(&nv_subdev(vmm)->mutex); return 0; } static void nouveau_vm_unlink(struct nouveau_vm *vm, struct nouveau_gpuobj *mpgd) { - struct nouveau_vmmgr *vmm = vm->vmm; struct nouveau_vm_pgd *vpgd, *tmp; struct nouveau_gpuobj *pgd = NULL; if (!mpgd) return; - mutex_lock(&nv_subdev(vmm)->mutex); list_for_each_entry_safe(vpgd, tmp, &vm->pgd_list, head) { if (vpgd->obj == mpgd) { pgd = vpgd->obj; @@ -456,7 +457,6 @@ nouveau_vm_unlink(struct nouveau_vm *vm, struct nouveau_gpuobj *mpgd) break; } } - mutex_unlock(&nv_subdev(vmm)->mutex); nouveau_gpuobj_ref(NULL, &pgd); } @@ -489,20 +489,31 @@ nouveau_vm_ref(struct nouveau_vm *ref, struct nouveau_vm **ptr, vm = ref; if (vm) { + struct nouveau_vmmgr *vmm = vm->vmm; + + mutex_lock(&nv_subdev(vmm)->mutex); ret = nouveau_vm_link(vm, pgd); - if (ret) + if (ret) { + mutex_unlock(&nv_subdev(vmm)->mutex); return ret; + } vm->refcount++; + mutex_unlock(&nv_subdev(vmm)->mutex); } vm = *ptr; *ptr = ref; if (vm) { + struct nouveau_vmmgr *vmm = vm->vmm; + + mutex_lock(&nv_subdev(vmm)->mutex); nouveau_vm_unlink(vm, pgd); - if (--vm->refcount == 0) + ret = --vm->refcount; + mutex_unlock(&nv_subdev(vmm)->mutex); + if (!ret) nouveau_vm_del(vm); }