Commit 2fcacf75 authored Mar 19, 2024 by Christian König Committed by Peng Zhang Mar 19, 2024

drm/amdgpu: fix tear down order in amdgpu_vm_pt_free

stable inclusion
from stable-v6.6.8
commit d50670681d8a14980a54238bad00a07fee122b5f
bugzilla: https://gitee.com/openeuler/kernel/issues/I99K53

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d50670681d8a14980a54238bad00a07fee122b5f



--------------------------------

commit ceb9a321e7639700844aa3bf234a4e0884f13b77 upstream.

When freeing PD/PT with shadows it can happen that the shadow
destruction races with detaching the PD/PT from the VM causing a NULL
pointer dereference in the invalidation code.

Fix this by detaching the the PD/PT from the VM first and then
freeing the shadow instead.

Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: https://gitlab.freedesktop.org/drm/amd/-/issues/2867


Cc: <stable@vger.kernel.org>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>

parent ec380e54

drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -642,13 +642,14 @@ static void amdgpu_vm_pt_free(struct amdgpu_vm_bo_base *entry)

		if (!entry->bo)
		return;

		entry->bo->vm_bo = NULL;
		shadow = amdgpu_bo_shadowed(entry->bo);
		if (shadow) {
		ttm_bo_set_bulk_move(&shadow->tbo, NULL);
		amdgpu_bo_unref(&shadow);
		}
		ttm_bo_set_bulk_move(&entry->bo->tbo, NULL);
		entry->bo->vm_bo = NULL;

		spin_lock(&entry->vm->status_lock);
		list_del(&entry->vm_status);