From: Greg Kroah-Hartman
Date: Thu, 11 May 2017 12:47:35 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.68~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa6a1c3e151cc1d49ee3984f8ff8f524c03bb09d;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch
---
diff --git a/queue-4.9/drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch b/queue-4.9/drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch
new file mode 100644
index 00000000000..cae4ab94d17
--- /dev/null
+++ b/queue-4.9/drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch
@@ -0,0 +1,69 @@
+From 3089c1df10e2931b1d72d2ffa7d86431084c86b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicolai=20H=C3=A4hnle?=
+Date: Sat, 18 Feb 2017 22:59:56 +0100
+Subject: drm/ttm: fix use-after-free races in vm fault handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolai Hähnle
+
+commit 3089c1df10e2931b1d72d2ffa7d86431084c86b3 upstream.
+
+The vm fault handler relies on the fact that the VMA owns a reference
+to the BO. However, once mmap_sem is released, other tasks are free to
+destroy the VMA, which can lead to the BO being freed. Fix two code
+paths where that can happen, both related to vm fault retries.
+
+Found via a lock debugging warning which flagged &bo->wu_mutex as
+locked while being destroyed.
+
+Fixes: cbe12e74ee4e ("drm/ttm: Allow vm fault retries")
+Signed-off-by: Nicolai Hähnle
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/ttm/ttm_bo_vm.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
+@@ -66,8 +66,11 @@ static int ttm_bo_vm_fault_idle(struct t
+ if (vmf->flags & FAULT_FLAG_RETRY_NOWAIT)
+ goto out_unlock;
+
++ ttm_bo_reference(bo);
+ up_read(&vma->vm_mm->mmap_sem);
+ (void) fence_wait(bo->moving, true);
++ ttm_bo_unreserve(bo);
++ ttm_bo_unref(&bo);
+ goto out_unlock;
+ }
+
+@@ -120,8 +123,10 @@ static int ttm_bo_vm_fault(struct vm_are
+
+ if (vmf->flags & FAULT_FLAG_ALLOW_RETRY) {
+ if (!(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
++ ttm_bo_reference(bo);
+ up_read(&vma->vm_mm->mmap_sem);
+ (void) ttm_bo_wait_unreserved(bo);
++ ttm_bo_unref(&bo);
+ }
+
+ return VM_FAULT_RETRY;
+@@ -166,6 +171,13 @@ static int ttm_bo_vm_fault(struct vm_are
+ ret = ttm_bo_vm_fault_idle(bo, vma, vmf);
+ if (unlikely(ret != 0)) {
+ retval = ret;
++
++ if (retval == VM_FAULT_RETRY &&
++ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
++ /* The BO has already been unreserved. */
++ return retval;
++ }
++
+ goto out_unlock;
+ }
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 2900b62b1a2..f15b7aebb04 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -99,3 +99,4 @@ f2fs-sanity-check-segment-count.patch
 xen-revert-commits-da72ff5bfcb0-and-72a9b186292d.patch
 wlcore-pass-win_size-taken-from-ieee80211_sta-to-fw.patch
 wlcore-add-rx_ba_win_size_change_event-event.patch
+drm-ttm-fix-use-after-free-races-in-vm-fault-handling.patch
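Review bot: The early `return retval;` added after the `ttm_bo_vm_fault_idle()` call in the third inner hunk is only safe because that callee's retry path now unreserves the BO and drops the reference it took before returning VM_FAULT_RETRY, and that cross-function contract is carried by the single comment `/* The BO has already been unreserved. */`. Widening it would help the next person who touches either function, e.g. `/* ttm_bo_vm_fault_idle() has already unreserved the BO and dropped its reference; bo may be gone, so skip out_unlock. */`, with a matching sentence in the header of ttm_bo_vm_fault_idle, whose start lies outside the hunk. In the same spirit, the two new `ttm_bo_reference(bo);` lines deserve a why-comment such as `/* hold the BO across up_read(): the VMA, and with it the BO's reference, may be torn down once mmap_sem is released */`, since their placement before `up_read()` is the whole fix. Both enclosing functions, including the `out_unlock` labels the hunks jump to, are outside the hunk, so whether `bo` is dereferenced again after `ttm_bo_unref(&bo)` (which presumably clears the pointer) cannot be confirmed from here.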