1. 13 9月, 2017 1 次提交
  2. 30 8月, 2017 1 次提交
  3. 19 8月, 2017 1 次提交
  4. 18 8月, 2017 3 次提交
  5. 04 7月, 2017 1 次提交
    • J
      drm/ttm: Fix use-after-free in ttm_bo_clean_mm · 8046e195
      John Brooks 提交于
      We unref the man->move fence in ttm_bo_clean_mm() and then call
      ttm_bo_force_list_clean() which waits on it, except the refcount is now
      zero so a warning is generated (or worse):
      
      [149492.279301] refcount_t: increment on 0; use-after-free.
      [149492.279309] ------------[ cut here ]------------
      [149492.279315] WARNING: CPU: 3 PID: 18726 at lib/refcount.c:150 refcount_inc+0x2b/0x30
      [149492.279315] Modules linked in: vhost_net vhost tun x86_pkg_temp_thermal crc32_pclmul ghash_clmulni_intel efivarfs amdgpu(
      -) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
      [149492.279326] CPU: 3 PID: 18726 Comm: rmmod Not tainted 4.12.0-rc5-drm-next-4.13-ttmpatch+ #1
      [149492.279326] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD3H-BK/Z97X-UD3H-BK-CF, BIOS F6 06/17/2014
      [149492.279327] task: ffff8804ddfedcc0 task.stack: ffffc90008d20000
      [149492.279329] RIP: 0010:refcount_inc+0x2b/0x30
      [149492.279330] RSP: 0018:ffffc90008d23c30 EFLAGS: 00010286
      [149492.279331] RAX: 000000000000002b RBX: 0000000000000170 RCX: 0000000000000000
      [149492.279331] RDX: 0000000000000000 RSI: ffff88051ecccbe8 RDI: ffff88051ecccbe8
      [149492.279332] RBP: ffffc90008d23c30 R08: 0000000000000001 R09: 00000000000003ee
      [149492.279333] R10: ffffc90008d23bb0 R11: 00000000000003ee R12: ffff88043aaac960
      [149492.279333] R13: ffff8805005e28a8 R14: 0000000000000002 R15: ffff88050115e178
      [149492.279334] FS:  00007fc540168700(0000) GS:ffff88051ecc0000(0000) knlGS:0000000000000000
      [149492.279335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [149492.279336] CR2: 00007fc3e8654140 CR3: 000000027ba77000 CR4: 00000000001426e0
      [149492.279337] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [149492.279337] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [149492.279338] Call Trace:
      [149492.279345]  ttm_bo_force_list_clean+0xb9/0x110 [ttm]
      [149492.279348]  ttm_bo_clean_mm+0x7a/0xe0 [ttm]
      [149492.279375]  amdgpu_ttm_fini+0xc9/0x1f0 [amdgpu]
      [149492.279392]  amdgpu_bo_fini+0x12/0x40 [amdgpu]
      [149492.279415]  gmc_v7_0_sw_fini+0x32/0x40 [amdgpu]
      [149492.279430]  amdgpu_fini+0x2c9/0x490 [amdgpu]
      [149492.279445]  amdgpu_device_fini+0x58/0x1b0 [amdgpu]
      [149492.279461]  amdgpu_driver_unload_kms+0x4f/0xa0 [amdgpu]
      [149492.279470]  drm_dev_unregister+0x3c/0xe0 [drm]
      [149492.279485]  amdgpu_pci_remove+0x19/0x30 [amdgpu]
      [149492.279487]  pci_device_remove+0x39/0xc0
      [149492.279490]  device_release_driver_internal+0x155/0x210
      [149492.279491]  driver_detach+0x38/0x70
      [149492.279493]  bus_remove_driver+0x4c/0xa0
      [149492.279494]  driver_unregister+0x2c/0x40
      [149492.279496]  pci_unregister_driver+0x21/0x90
      [149492.279520]  amdgpu_exit+0x15/0x406 [amdgpu]
      [149492.279523]  SyS_delete_module+0x1a8/0x270
      [149492.279525]  ? exit_to_usermode_loop+0x92/0xa0
      [149492.279528]  entry_SYSCALL_64_fastpath+0x13/0x94
      [149492.279529] RIP: 0033:0x7fc53fcb68e7
      [149492.279529] RSP: 002b:00007ffcfbfaabb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [149492.279531] RAX: ffffffffffffffda RBX: 0000563117adb200 RCX: 00007fc53fcb68e7
      [149492.279531] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000563117adb268
      [149492.279532] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
      [149492.279533] R10: 0000000000000883 R11: 0000000000000206 R12: 00007ffcfbfa9ba0
      [149492.279533] R13: 0000000000000000 R14: 0000000000000000 R15: 0000563117adb200
      [149492.279534] Code: 55 48 89 e5 e8 77 fe ff ff 84 c0 74 02 5d c3 80 3d 40 f2 a4 00 00 75 f5 48 c7 c7 20 3c ca 81 c6 05 30 f2 a4 00 01 e8 91 f0 d7 ff <0f> ff 5d c3 90 55 48 89 fe bf 01 00 00 00 48 89 e5 e8 9f fe ff
      [149492.279557] ---[ end trace 2d4e0ffcb66a1016 ]---
      
      Unref the fence *after* waiting for it.
      
      v2: Set man->move to NULL after dropping the last ref (Christian König)
      
      Fixes: aff98ba1 (drm/ttm: wait for eviction in ttm_bo_force_list_clean)
      Signed-off-by: NJohn Brooks <john@fastquake.com>
      Reviewed-by: NChristian König <christian.koenig@amd.com>
      Reviewed-by: NAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      8046e195
  6. 29 4月, 2017 1 次提交
  7. 05 4月, 2017 2 次提交
  8. 30 3月, 2017 2 次提交
  9. 01 3月, 2017 1 次提交
  10. 28 1月, 2017 5 次提交
  11. 27 1月, 2017 1 次提交
  12. 14 1月, 2017 2 次提交
    • P
      locking/atomic, kref: Kill kref_sub() · bdfafc4f
      Peter Zijlstra 提交于
      By general sentiment kref_sub() is a bad interface, make it go away.
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      bdfafc4f
    • P
      locking/atomic, kref: Add kref_read() · 2c935bc5
      Peter Zijlstra 提交于
      Since we need to change the implementation, stop exposing internals.
      
      Provide kref_read() to read the current reference count; typically
      used for debug messages.
      
      Kills two anti-patterns:
      
      	atomic_read(&kref->refcount)
      	kref->refcount.counter
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      2c935bc5
  13. 09 11月, 2016 1 次提交
  14. 26 10月, 2016 1 次提交
  15. 25 10月, 2016 1 次提交
    • C
      dma-buf: Rename struct fence to dma_fence · f54d1867
      Chris Wilson 提交于
      I plan to usurp the short name of struct fence for a core kernel struct,
      and so I need to rename the specialised fence/timeline for DMA
      operations to make room.
      
      A consensus was reached in
      https://lists.freedesktop.org/archives/dri-devel/2016-July/113083.html
      that making clear this fence applies to DMA operations was a good thing.
      Since then the patch has grown a bit as usage increases, so hopefully it
      remains a good thing!
      
      (v2...: rebase, rerun spatch)
      v3: Compile on msm, spotted a manual fixup that I broke.
      v4: Try again for msm, sorry Daniel
      
      coccinelle script:
      @@
      
      @@
      - struct fence
      + struct dma_fence
      @@
      
      @@
      - struct fence_ops
      + struct dma_fence_ops
      @@
      
      @@
      - struct fence_cb
      + struct dma_fence_cb
      @@
      
      @@
      - struct fence_array
      + struct dma_fence_array
      @@
      
      @@
      - enum fence_flag_bits
      + enum dma_fence_flag_bits
      @@
      
      @@
      (
      - fence_init
      + dma_fence_init
      |
      - fence_release
      + dma_fence_release
      |
      - fence_free
      + dma_fence_free
      |
      - fence_get
      + dma_fence_get
      |
      - fence_get_rcu
      + dma_fence_get_rcu
      |
      - fence_put
      + dma_fence_put
      |
      - fence_signal
      + dma_fence_signal
      |
      - fence_signal_locked
      + dma_fence_signal_locked
      |
      - fence_default_wait
      + dma_fence_default_wait
      |
      - fence_add_callback
      + dma_fence_add_callback
      |
      - fence_remove_callback
      + dma_fence_remove_callback
      |
      - fence_enable_sw_signaling
      + dma_fence_enable_sw_signaling
      |
      - fence_is_signaled_locked
      + dma_fence_is_signaled_locked
      |
      - fence_is_signaled
      + dma_fence_is_signaled
      |
      - fence_is_later
      + dma_fence_is_later
      |
      - fence_later
      + dma_fence_later
      |
      - fence_wait_timeout
      + dma_fence_wait_timeout
      |
      - fence_wait_any_timeout
      + dma_fence_wait_any_timeout
      |
      - fence_wait
      + dma_fence_wait
      |
      - fence_context_alloc
      + dma_fence_context_alloc
      |
      - fence_array_create
      + dma_fence_array_create
      |
      - to_fence_array
      + to_dma_fence_array
      |
      - fence_is_array
      + dma_fence_is_array
      |
      - trace_fence_emit
      + trace_dma_fence_emit
      |
      - FENCE_TRACE
      + DMA_FENCE_TRACE
      |
      - FENCE_WARN
      + DMA_FENCE_WARN
      |
      - FENCE_ERR
      + DMA_FENCE_ERR
      )
       (
       ...
       )
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      Acked-by: NSumit Semwal <sumit.semwal@linaro.org>
      Acked-by: NChristian König <christian.koenig@amd.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/20161025120045.28839-1-chris@chris-wilson.co.uk
      f54d1867
  16. 15 9月, 2016 1 次提交
  17. 08 8月, 2016 3 次提交
  18. 06 8月, 2016 1 次提交
  19. 19 7月, 2016 1 次提交
  20. 08 7月, 2016 10 次提交