Op 27-01-2022 om 12:56 schreef Thomas Hellström: > The vma destruction code was using an unlocked advisory check for > drm_mm_node_allocated() to avoid racing with eviction code unbinding > the vma. > > This is very fragile and prohibits the dereference of non-refcounted > pointers of dying vmas after a call to __i915_vma_unbind(). It also > prohibits the dereference of vma->obj of refcounted pointers of > dying vmas after a call to __i915_vma_unbind(), since even if a > refcount is held on the vma, that won't guarantee that its backing > object doesn't get destroyed. > > So introduce an unbind under the vm mutex at object destroy time, > removing all weak references of the vma and its object from the > object vma list and from the vm bound list. > > Signed-off-by: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx> > --- > drivers/gpu/drm/i915/gem/i915_gem_object.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.c b/drivers/gpu/drm/i915/gem/i915_gem_object.c > index 1a9e1f940a7d..e03e362d320b 100644 > --- a/drivers/gpu/drm/i915/gem/i915_gem_object.c > +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.c > @@ -280,6 +280,12 @@ void __i915_gem_object_pages_fini(struct drm_i915_gem_object *obj) > GEM_BUG_ON(vma->obj != obj); > spin_unlock(&obj->vma.lock); > > + /* Verify that the vma is unbound under the vm mutex. */ > + mutex_lock(&vma->vm->mutex); > + atomic_and(~I915_VMA_PIN_MASK, &vma->flags); > + __i915_vma_unbind(vma); > + mutex_unlock(&vma->vm->mutex); > + > __i915_vma_put(vma); > > spin_lock(&obj->vma.lock); Reviewed-by: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
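Review bot: the comment in the new block ("Verify that the vma is unbound under the vm mutex.") describes a check, but the code does not verify anything: it unconditionally clears the pin bits with `atomic_and(~I915_VMA_PIN_MASK, &vma->flags)` and then forces an unbind with `__i915_vma_unbind(vma)`. Reword the comment to say what actually happens and why it is safe here, for example "/* Force-unbind the vma under the vm mutex at object destroy time, dropping any remaining pin state, so no weak references to it survive. */", since a reader of this loop will otherwise assume the pin count is expected to be zero already. Two smaller points: the return value of `__i915_vma_unbind()` is discarded, so if that call can fail in this path a `GEM_WARN_ON()` or a short comment stating that failure is impossible at destroy time would make the intent explicit; and the vm mutex is taken only after `spin_unlock(&obj->vma.lock)`, so the commit message's claim that this removes the weak references from the object vma list relies on the caller already holding the last reference to obj, which is worth stating next to the lock ordering.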