From a8fb1317a5e2edb3840a0883a9d941bba5744a3f Mon Sep 17 00:00:00 2001
From: jsg
Date: Wed, 13 Jul 2022 03:56:21 +0000
Subject: [PATCH] drm/i915: Fix a race between vma / object destruction and unbinding

From Thomas Hellstrom 51a405dea0ae54330b6441c5f7c3bb9ceadedce8 in linux 5.15.y/5.15.54 bc1922e5d349db4be14c55513102c024c2ae8a50 in mainline linux
---
 sys/dev/pci/drm/i915/gem/i915_gem_object.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sys/dev/pci/drm/i915/gem/i915_gem_object.c b/sys/dev/pci/drm/i915/gem/i915_gem_object.c
index 8765dbafbed..3c9a0e1f135 100644
--- a/sys/dev/pci/drm/i915/gem/i915_gem_object.c
+++ b/sys/dev/pci/drm/i915/gem/i915_gem_object.c
@@ -237,6 +237,12 @@ void __i915_gem_free_object(struct drm_i915_gem_object *obj)
 GEM_BUG_ON(vma->obj != obj);
 spin_unlock(&obj->vma.lock);

+ /* Verify that the vma is unbound under the vm mutex. */
+ mutex_lock(&vma->vm->mutex);
+ atomic_and(~I915_VMA_PIN_MASK, &vma->flags);
+ __i915_vma_unbind(vma);
+ mutex_unlock(&vma->vm->mutex);
+
 __i915_vma_put(vma);

 spin_lock(&obj->vma.lock);
-- 
2.20.1
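Review bot: The added comment says "Verify that the vma is unbound", but the lines under it check nothing: `atomic_and(~I915_VMA_PIN_MASK, &vma->flags)` clears the pin bits unconditionally and `__i915_vma_unbind(vma)` then forces the unbind, with its result discarded. Because this is the object-free path and the fix is about teardown racing a concurrent unbind, the comment should state that intent, e.g. `/* Object is going away: drop leftover pin bits and force the unbind under vm->mutex so it cannot race another unbinder. */`. If `__i915_vma_unbind()` can report failure in this tree (its prototype is not visible in the hunk), a warning on a non-zero result would keep a still-bound vma from reaching `__i915_vma_put()` silently. The loop these lines sit in, and the rest of `__i915_gem_free_object`, start and end outside the hunk, so the lifetime of `vma->vm` after `spin_unlock(&obj->vma.lock)` cannot be confirmed from here.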