linux/drivers/gpu/drm/ttm
Nicolai Hähnle 3089c1df10 drm/ttm: fix use-after-free races in vm fault handling
The vm fault handler relies on the fact that the VMA owns a reference
to the BO. However, once mmap_sem is released, other tasks are free to
destroy the VMA, which can lead to the BO being freed. Fix two code
paths where that can happen, both related to vm fault retries.

Found via a lock debugging warning which flagged &bo->wu_mutex as
locked while being destroyed.

Fixes: cbe12e74ee ("drm/ttm: Allow vm fault retries")
Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2017-02-21 16:48:45 -05:00
Makefile drm/ttm: Remove TTM_HAS_AGP 2016-03-30 17:20:43 +02:00
ttm_agp_backend.c drm/ttm: Remove TTM_HAS_AGP 2016-03-30 17:20:43 +02:00
ttm_bo_manager.c drm: Improve drm_mm search (and fix topdown allocation) with rbtrees 2017-02-03 11:10:32 +01:00
ttm_bo_util.c dma-buf: Rename struct fence to dma_fence 2016-10-25 14:40:39 +02:00
ttm_bo_vm.c drm/ttm: fix use-after-free races in vm fault handling 2017-02-21 16:48:45 -05:00
ttm_bo.c Merge branch 'drm-next-4.11' of git://people.freedesktop.org/~agd5f/linux into drm-next 2017-02-01 08:39:35 +10:00
ttm_execbuf_util.c dma-buf: Rename struct fence to dma_fence 2016-10-25 14:40:39 +02:00
ttm_lock.c drm/ttm: Fixed a read/write lock imbalance 2015-11-26 15:47:38 +01:00
ttm_memory.c drm/ttm: Add interface to export kernel_zone max memory size in ttm 2016-08-08 11:33:08 -04:00
ttm_module.c drm/ttm: make device_released static 2014-07-22 12:59:32 +10:00
ttm_object.c dma-buf: cleanup dma_buf_export() to make it easily extensible 2015-04-21 14:47:16 +05:30
ttm_page_alloc_dma.c drm/ttm: remove cpu_address member from ttm_tt 2016-09-16 15:53:05 -04:00
ttm_page_alloc.c drm/ttm: Remove TTM_HAS_AGP 2016-03-30 17:20:43 +02:00
ttm_tt.c drm/ttm: remove cpu_address member from ttm_tt 2016-09-16 15:53:05 -04:00