From 2ed4c3290e731aa4c1316070c44bd7b16c7f3fd7 Mon Sep 17 00:00:00 2001
From: jsg <jsg@openbsd.org>
Date: Tue, 20 Jun 2023 02:30:04 +0000
Subject: [PATCH] drm/amdgpu: fix Null pointer dereference error in
 amdgpu_device_recover_vram

From Horatio Zhang
c5a17f3247bd7f6c2e22678dbfcd73832f487e3f in linux-6.1.y/6.1.34
2a1eb1a343208ce7d6839b73d62aece343e693ff in mainline linux
---
 sys/dev/pci/drm/amd/amdgpu/amdgpu_object.c | 10 ++++------
 sys/dev/pci/drm/amd/amdgpu/amdgpu_vm_pt.c  |  1 -
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_object.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_object.c
index 2c1285b26e3..5c44cb7e1df 100644
--- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_object.c
+++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_object.c
@@ -80,9 +80,10 @@ static void amdgpu_bo_user_destroy(struct ttm_buffer_object *tbo)
 static void amdgpu_bo_vm_destroy(struct ttm_buffer_object *tbo)
 {
 	struct amdgpu_device *adev = amdgpu_ttm_adev(tbo->bdev);
-	struct amdgpu_bo *bo = ttm_to_amdgpu_bo(tbo);
+	struct amdgpu_bo *shadow_bo = ttm_to_amdgpu_bo(tbo), *bo;
 	struct amdgpu_bo_vm *vmbo;
 
+	bo = shadow_bo->parent;
 	vmbo = to_amdgpu_bo_vm(bo);
 	/* in case amdgpu_device_recover_vram got NULL of bo->parent */
 	if (!list_empty(&vmbo->shadow_list)) {
@@ -693,11 +694,6 @@ int amdgpu_bo_create_vm(struct amdgpu_device *adev,
 		return r;
 
 	*vmbo_ptr = to_amdgpu_bo_vm(bo_ptr);
-	INIT_LIST_HEAD(&(*vmbo_ptr)->shadow_list);
-	/* Set destroy callback to amdgpu_bo_vm_destroy after vmbo->shadow_list
-	 * is initialized.
-	 */
-	bo_ptr->tbo.destroy = &amdgpu_bo_vm_destroy;
 	return r;
 }
 
@@ -714,6 +710,8 @@ void amdgpu_bo_add_to_shadow_list(struct amdgpu_bo_vm *vmbo)
 
 	mutex_lock(&adev->shadow_list_lock);
 	list_add_tail(&vmbo->shadow_list, &adev->shadow_list);
+	vmbo->shadow->parent = amdgpu_bo_ref(&vmbo->bo);
+	vmbo->shadow->tbo.destroy = &amdgpu_bo_vm_destroy;
 	mutex_unlock(&adev->shadow_list_lock);
 }
 
diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_vm_pt.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_vm_pt.c
index 432bf2662a9..7faa4182c31 100644
--- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_vm_pt.c
+++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_vm_pt.c
@@ -564,7 +564,6 @@ int amdgpu_vm_pt_create(struct amdgpu_device *adev, struct amdgpu_vm *vm,
 		return r;
 	}
 
-	(*vmbo)->shadow->parent = amdgpu_bo_ref(bo);
 	amdgpu_bo_add_to_shadow_list(*vmbo);
 
 	return 0;
-- 
2.20.1