drm/i915: Fix a race between vma / object destruction and unbinding

From Thomas Hellstrom
51a405dea0ae54330b6441c5f7c3bb9ceadedce8 in linux 5.15.y/5.15.54
bc1922e5d349db4be14c55513102c024c2ae8a50 in mainline linux

diff --git a/sys/dev/pci/drm/i915/gem/i915_gem_object.c b/sys/dev/pci/drm/i915/gem/i915_gem_object.c
index 8765dba..3c9a0e1 100644 (file)
--- a/sys/dev/pci/drm/i915/gem/i915_gem_object.c
+++ b/sys/dev/pci/drm/i915/gem/i915_gem_object.c
@@ -237,6 +237,12 @@ void __i915_gem_free_object(struct drm_i915_gem_object *obj)
                        GEM_BUG_ON(vma->obj != obj);
                        spin_unlock(&obj->vma.lock);
 
+                       /* Verify that the vma is unbound under the vm mutex. */
+                       mutex_lock(&vma->vm->mutex);
+                       atomic_and(~I915_VMA_PIN_MASK, &vma->flags);
+                       __i915_vma_unbind(vma);
+                       mutex_unlock(&vma->vm->mutex);
+
                        __i915_vma_put(vma);
 
                        spin_lock(&obj->vma.lock);