4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 25 Jul 2017 03:44:18 +0000 (20:44 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 25 Jul 2017 03:44:18 +0000 (20:44 -0700)
added patches:
drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch

queue-4.9/drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch b/queue-4.9/drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch
new file mode 100644 (file)
index 0000000..e8ee3a6
--- /dev/null
@@ -0,0 +1,103 @@
+From 8046e1955465e3f24e9154d0f2a2e0a8e3f8dccf Mon Sep 17 00:00:00 2001
+From: John Brooks <john@fastquake.com>
+Date: Mon, 3 Jul 2017 14:05:34 -0400
+Subject: drm/ttm: Fix use-after-free in ttm_bo_clean_mm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Brooks <john@fastquake.com>
+
+commit 8046e1955465e3f24e9154d0f2a2e0a8e3f8dccf upstream.
+
+We unref the man->move fence in ttm_bo_clean_mm() and then call
+ttm_bo_force_list_clean() which waits on it, except the refcount is now
+zero so a warning is generated (or worse):
+
+[149492.279301] refcount_t: increment on 0; use-after-free.
+[149492.279309] ------------[ cut here ]------------
+[149492.279315] WARNING: CPU: 3 PID: 18726 at lib/refcount.c:150 refcount_inc+0x2b/0x30
+[149492.279315] Modules linked in: vhost_net vhost tun x86_pkg_temp_thermal crc32_pclmul ghash_clmulni_intel efivarfs amdgpu(
+-) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
+[149492.279326] CPU: 3 PID: 18726 Comm: rmmod Not tainted 4.12.0-rc5-drm-next-4.13-ttmpatch+ #1
+[149492.279326] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD3H-BK/Z97X-UD3H-BK-CF, BIOS F6 06/17/2014
+[149492.279327] task: ffff8804ddfedcc0 task.stack: ffffc90008d20000
+[149492.279329] RIP: 0010:refcount_inc+0x2b/0x30
+[149492.279330] RSP: 0018:ffffc90008d23c30 EFLAGS: 00010286
+[149492.279331] RAX: 000000000000002b RBX: 0000000000000170 RCX: 0000000000000000
+[149492.279331] RDX: 0000000000000000 RSI: ffff88051ecccbe8 RDI: ffff88051ecccbe8
+[149492.279332] RBP: ffffc90008d23c30 R08: 0000000000000001 R09: 00000000000003ee
+[149492.279333] R10: ffffc90008d23bb0 R11: 00000000000003ee R12: ffff88043aaac960
+[149492.279333] R13: ffff8805005e28a8 R14: 0000000000000002 R15: ffff88050115e178
+[149492.279334] FS:  00007fc540168700(0000) GS:ffff88051ecc0000(0000) knlGS:0000000000000000
+[149492.279335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[149492.279336] CR2: 00007fc3e8654140 CR3: 000000027ba77000 CR4: 00000000001426e0
+[149492.279337] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[149492.279337] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[149492.279338] Call Trace:
+[149492.279345]  ttm_bo_force_list_clean+0xb9/0x110 [ttm]
+[149492.279348]  ttm_bo_clean_mm+0x7a/0xe0 [ttm]
+[149492.279375]  amdgpu_ttm_fini+0xc9/0x1f0 [amdgpu]
+[149492.279392]  amdgpu_bo_fini+0x12/0x40 [amdgpu]
+[149492.279415]  gmc_v7_0_sw_fini+0x32/0x40 [amdgpu]
+[149492.279430]  amdgpu_fini+0x2c9/0x490 [amdgpu]
+[149492.279445]  amdgpu_device_fini+0x58/0x1b0 [amdgpu]
+[149492.279461]  amdgpu_driver_unload_kms+0x4f/0xa0 [amdgpu]
+[149492.279470]  drm_dev_unregister+0x3c/0xe0 [drm]
+[149492.279485]  amdgpu_pci_remove+0x19/0x30 [amdgpu]
+[149492.279487]  pci_device_remove+0x39/0xc0
+[149492.279490]  device_release_driver_internal+0x155/0x210
+[149492.279491]  driver_detach+0x38/0x70
+[149492.279493]  bus_remove_driver+0x4c/0xa0
+[149492.279494]  driver_unregister+0x2c/0x40
+[149492.279496]  pci_unregister_driver+0x21/0x90
+[149492.279520]  amdgpu_exit+0x15/0x406 [amdgpu]
+[149492.279523]  SyS_delete_module+0x1a8/0x270
+[149492.279525]  ? exit_to_usermode_loop+0x92/0xa0
+[149492.279528]  entry_SYSCALL_64_fastpath+0x13/0x94
+[149492.279529] RIP: 0033:0x7fc53fcb68e7
+[149492.279529] RSP: 002b:00007ffcfbfaabb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[149492.279531] RAX: ffffffffffffffda RBX: 0000563117adb200 RCX: 00007fc53fcb68e7
+[149492.279531] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000563117adb268
+[149492.279532] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
+[149492.279533] R10: 0000000000000883 R11: 0000000000000206 R12: 00007ffcfbfa9ba0
+[149492.279533] R13: 0000000000000000 R14: 0000000000000000 R15: 0000563117adb200
+[149492.279534] Code: 55 48 89 e5 e8 77 fe ff ff 84 c0 74 02 5d c3 80 3d 40 f2 a4 00 00 75 f5 48 c7 c7 20 3c ca 81 c6 05 30 f2 a4 00 01 e8 91 f0 d7 ff <0f> ff 5d c3 90 55 48 89 fe bf 01 00 00 00 48 89 e5 e8 9f fe ff
+[149492.279557] ---[ end trace 2d4e0ffcb66a1016 ]---
+
+Unref the fence *after* waiting for it.
+
+v2: Set man->move to NULL after dropping the last ref (Christian König)
+
+Fixes: aff98ba1fdb8 (drm/ttm: wait for eviction in ttm_bo_force_list_clean)
+Signed-off-by: John Brooks <john@fastquake.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/gpu/drm/ttm/ttm_bo.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -1343,7 +1343,6 @@ int ttm_bo_clean_mm(struct ttm_bo_device
+                      mem_type);
+               return ret;
+       }
+-      fence_put(man->move);
+       man->use_type = false;
+       man->has_type = false;
+@@ -1355,6 +1354,9 @@ int ttm_bo_clean_mm(struct ttm_bo_device
+               ret = (*man->func->takedown)(man);
+       }
++      fence_put(man->move);
++      man->move = NULL;
++
+       return ret;
+ }
+ EXPORT_SYMBOL(ttm_bo_clean_mm);
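Review bot: Moving `fence_put(man->move)` from the first inner hunk (`@@ -1343`) to after the `takedown` call in the second (`@@ -1355`) means the reference is now dropped only on the path that reaches the end of the function; the lines between the two inner hunks are not shown, and if they contain an early `return ret` when the forced list clean fails, that path now keeps the `man->move` reference it used to release, which is a leak rather than the use-after-free this patch fixes. On that error path `has_type` and `use_type` have already been cleared, so this is probably acceptable for a stable backport, but a comment next to the added put would stop a later cleanup from reintroducing the early release: `/* dropped only after the wait in ttm_bo_force_list_clean; an early error return above keeps the ref */`. Setting `man->move = NULL` after the put is the right defensive step, since a stale pointer here would be the same class of bug the warning in the description reports. The body of `ttm_bo_clean_mm` starts before the first inner hunk.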
index 09c33b8d6ada9882a8a737e25e37440eb4257061..9512b5009a22ef6140e4b0a7b9898ddfe307cb5a 100644 (file)
@@ -70,3 +70,4 @@ ipmi-ssif-add-missing-unlock-in-error-branch.patch
 xfs-don-t-clear-sgid-when-inheriting-acls.patch
 f2fs-sanity-check-size-of-nat-and-sit-cache.patch
 f2fs-don-t-clear-sgid-when-inheriting-acls.patch
+drm-ttm-fix-use-after-free-in-ttm_bo_clean_mm.patch