4.9-stable patches

added patches:
	drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch

diff --git a/queue-4.9/drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch b/queue-4.9/drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch
new file mode 100644 (file)
index 0000000..cae4ab9
--- /dev/null
+++ b/queue-4.9/drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch
@@ -0,0 +1,69 @@
+From 3089c1df10e2931b1d72d2ffa7d86431084c86b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicolai=20H=C3=A4hnle?= <nicolai.haehnle@amd.com>
+Date: Sat, 18 Feb 2017 22:59:56 +0100
+Subject: drm/ttm: fix use-after-free races in vm fault handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolai Hähnle <nicolai.haehnle@amd.com>
+
+commit 3089c1df10e2931b1d72d2ffa7d86431084c86b3 upstream.
+
+The vm fault handler relies on the fact that the VMA owns a reference
+to the BO. However, once mmap_sem is released, other tasks are free to
+destroy the VMA, which can lead to the BO being freed. Fix two code
+paths where that can happen, both related to vm fault retries.
+
+Found via a lock debugging warning which flagged &bo->wu_mutex as
+locked while being destroyed.
+
+Fixes: cbe12e74ee4e ("drm/ttm: Allow vm fault retries")
+Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_bo_vm.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
+@@ -66,8 +66,11 @@ static int ttm_bo_vm_fault_idle(struct t
+               if (vmf->flags & FAULT_FLAG_RETRY_NOWAIT)
+                       goto out_unlock;
+ 
++              ttm_bo_reference(bo);
+               up_read(&vma->vm_mm->mmap_sem);
+               (void) fence_wait(bo->moving, true);
++              ttm_bo_unreserve(bo);
++              ttm_bo_unref(&bo);
+               goto out_unlock;
+       }
+ 
+@@ -120,8 +123,10 @@ static int ttm_bo_vm_fault(struct vm_are
+ 
+               if (vmf->flags & FAULT_FLAG_ALLOW_RETRY) {
+                       if (!(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
++                              ttm_bo_reference(bo);
+                               up_read(&vma->vm_mm->mmap_sem);
+                               (void) ttm_bo_wait_unreserved(bo);
++                              ttm_bo_unref(&bo);
+                       }
+ 
+                       return VM_FAULT_RETRY;
+@@ -166,6 +171,13 @@ static int ttm_bo_vm_fault(struct vm_are
+       ret = ttm_bo_vm_fault_idle(bo, vma, vmf);
+       if (unlikely(ret != 0)) {
+               retval = ret;
++
++              if (retval == VM_FAULT_RETRY &&
++                  !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
++                      /* The BO has already been unreserved. */
++                      return retval;
++              }
++
+               goto out_unlock;
+       }
+ 

diff --git a/queue-4.9/series b/queue-4.9/series
index 2900b62b1a2fd7f33924c761d0224dc9692222d6..f15b7aebb045ce75967ffc2feb63ca9d7ab73a2c 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -99,3 +99,4 @@ f2fs-sanity-check-segment-count.patch
 xen-revert-commits-da72ff5bfcb0-and-72a9b186292d.patch
 wlcore-pass-win_size-taken-from-ieee80211_sta-to-fw.patch
 wlcore-add-rx_ba_win_size_change_event-event.patch
+drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch