drm/i915: Fix a race between vma / object destruction and unbinding
The vma destruction code was using an unlocked advisory check for drm_mm_node_allocated() to avoid racing with eviction code unbinding the vma. This is very fragile and prohibits the dereference of non-refcounted pointers of dying vmas after a call to __i915_vma_unbind(). It also prohibits the dereference of vma->obj of refcounted pointers of dying vmas after a call to __i915_vma_unbind(), since even if a refcount is held on the vma, that won't guarantee that its backing object doesn't get destroyed. So introduce an unbind under the vm mutex at object destroy time, removing all weak references of the vma and its object from the object vma list and from the vm bound list. Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20220127115622.302970-1-thomas.hellstrom@linux.intel.com
This commit is contained in:
Thomas Hellström
parent
512712a824
commit
bc1922e5d3
1 changed files with 6 additions and 0 deletions
|
|
@ -280,6 +280,12 @@ void __i915_gem_object_pages_fini(struct drm_i915_gem_object *obj)
|
||||||
GEM_BUG_ON(vma->obj != obj);
|
GEM_BUG_ON(vma->obj != obj);
|
||||||
spin_unlock(&obj->vma.lock);
|
spin_unlock(&obj->vma.lock);
|
||||||
|
|
||||||
|
/* Verify that the vma is unbound under the vm mutex. */
|
||||||
|
mutex_lock(&vma->vm->mutex);
|
||||||
|
atomic_and(~I915_VMA_PIN_MASK, &vma->flags);
|
||||||
|
__i915_vma_unbind(vma);
|
||||||
|
mutex_unlock(&vma->vm->mutex);
|
||||||
|
|
||||||
__i915_vma_put(vma);
|
__i915_vma_put(vma);
|
||||||
|
|
||||||
spin_lock(&obj->vma.lock);
|
spin_lock(&obj->vma.lock);
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue