On 02/11/17 11:49 AM, Christian König wrote:
> On 01.11.2017 at 17:15, Michel Dänzer wrote:
>> From: Michel Dänzer <michel.daenzer at amd.com>
>>
>> Fixes a use-after-free due to a race condition in
>> ttm_bo_cleanup_refs_and_unlock, which allows one task to reserve a BO
>> and destroy its ttm_resv while another task is waiting for it to signal
>> in reservation_object_wait_timeout_rcu.
>>
>> Fixes: 0d2bd2ae045d "drm/ttm: fix memory leak while individualizing BOs"
>> Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
>
> Good idea, but one thing we should probably change.
>
>> ---
>>  drivers/gpu/drm/ttm/ttm_bo.c | 13 +++----------
>>  1 file changed, 3 insertions(+), 10 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
>> index 379ec41d2c69..a19a0ebf32ac 100644
>> --- a/drivers/gpu/drm/ttm/ttm_bo.c
>> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
>> @@ -150,8 +150,7 @@ static void ttm_bo_release_list(struct kref
>> *list_kref)
>>      ttm_tt_destroy(bo->ttm);
>>      atomic_dec(&bo->glob->bo_count);
>>      dma_fence_put(bo->moving);
>> -   if (bo->resv == &bo->ttm_resv)
>> -       reservation_object_fini(&bo->ttm_resv);
>> +   reservation_object_fini(&bo->ttm_resv);
>
> When we always call reservation_object_fini() here we should probably
> also always call reservation_object_init() in ttm_bo_init_reserved() to
> make sure the object is always initialized.

Fair enough.

> This way we can also remove the call to reservation_object_init() in
> ttm_bo_individualize_resv().

Both done in v2, thanks for the review and suggestions.

--
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer
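Review bot: In the ttm_bo_release_list hunk, dropping the `if (bo->resv == &bo->ttm_resv)` guard makes `reservation_object_fini(&bo->ttm_resv)` run for every BO, which is only safe if `bo->ttm_resv` has been initialized on every path; the guard was what kept fini off an object that reservation_object_init() never touched. The quoted hunk shows no matching unconditional init, and the diffstat (3 insertions, 10 deletions) indicates further hunks not included in this reply, so the change should be paired with an unconditional `reservation_object_init(&bo->ttm_resv)` in ttm_bo_init_reserved(), as the reply suggests, and that pairing should be visible in the same patch rather than assumed. The `@@` header is also wrapped across two lines (`static void ttm_bo_release_list(struct kref` / `*list_kref)`), which will not apply as quoted; that is mail wrapping, but it should be checked before the v2 is applied from the list.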