Nouveau - Sep 2016 - [PATCH] fifo/nv04: avoid ramht race against cookie insertion

Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
Cc: stable at vger.kernel.org
---

Ian Romanick reported a kernel crash that implicated this path in a null
pointer jump, which means that one of the function pointers had been nulled
out. Not sure if a race there would explain it, but maybe.

There is also questionable ramht usage in channv50 and various disp code. If
you think this is a good idea, those should probably be fixed up as well.

 drm/nouveau/nvkm/engine/fifo/dmanv04.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drm/nouveau/nvkm/engine/fifo/dmanv04.c
b/drm/nouveau/nvkm/engine/fifo/dmanv04.c
index edec30f..0a7b6ed 100644
--- a/drm/nouveau/nvkm/engine/fifo/dmanv04.c
+++ b/drm/nouveau/nvkm/engine/fifo/dmanv04.c
@@ -37,7 +37,10 @@ nv04_fifo_dma_object_dtor(struct nvkm_fifo_chan *base, int
cookie)
 {
 	struct nv04_fifo_chan *chan = nv04_fifo_chan(base);
 	struct nvkm_instmem *imem =
chan->fifo->base.engine.subdev.device->imem;
+
+	mutex_lock(&chan->fifo->base.engine.subdev.mutex);
 	nvkm_ramht_remove(imem->ramht, cookie);
+	mutex_unlock(&chan->fifo->base.engine.subdev.mutex);
 }
 
 static int
-- 
2.7.3

On Fri, Sep 9, 2016 at 10:34 PM, Ilia Mirkin <imirkin at alum.mit.edu>
wrote:
> Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
> Cc: stable at vger.kernel.org
Ian mentioned that he tested this out on IRC:

#dri-devel: <idr> imirkin: Your patch to the nouveau kernel module
fixes the oops that I encountered.  Consider that a Tested-by.

So you can probably throw in a

Tested-by: Ian Romanick <idr at freedesktop.org>
> ---
>
> Ian Romanick reported a kernel crash that implicated this path in a null
> pointer jump, which means that one of the function pointers had been nulled
> out. Not sure if a race there would explain it, but maybe.
>
> There is also questionable ramht usage in channv50 and various disp code.
If
> you think this is a good idea, those should probably be fixed up as well.
>
>  drm/nouveau/nvkm/engine/fifo/dmanv04.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drm/nouveau/nvkm/engine/fifo/dmanv04.c
b/drm/nouveau/nvkm/engine/fifo/dmanv04.c
> index edec30f..0a7b6ed 100644
> --- a/drm/nouveau/nvkm/engine/fifo/dmanv04.c
> +++ b/drm/nouveau/nvkm/engine/fifo/dmanv04.c
> @@ -37,7 +37,10 @@ nv04_fifo_dma_object_dtor(struct nvkm_fifo_chan *base,
int cookie)
>  {
>         struct nv04_fifo_chan *chan = nv04_fifo_chan(base);
>         struct nvkm_instmem *imem =
chan->fifo->base.engine.subdev.device->imem;
> +
> +       mutex_lock(&chan->fifo->base.engine.subdev.mutex);
>         nvkm_ramht_remove(imem->ramht, cookie);
> +       mutex_unlock(&chan->fifo->base.engine.subdev.mutex);
>  }
>
>  static int
> --
> 2.7.3
>