The refcount was not protected by the vm lock, fix this.. ------------[ cut here ]------------ WARNING: CPU: 2 PID: 2008 at drivers/gpu/drm/nouveau/core/core/mm.c:242 nouveau_mm_fini+0x4f/0x56 [nouveau]() Modules linked in: adt7475 ebtable_nat ebtables nouveau ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_CHECKSUM iptable_mangle bridge stp llc snd_hda_codec_hdmi kvm_intel ttm kvm drm_kms_helper drm mxm_wmi snd_hda_codec_realtek snd_hda_intel e1000e snd_hda_codec snd_hwdep snd_pcm ptp pps_core snd_page_alloc video parport_pc ppdev nfsd parport lockd nfs_acl auth_rpcgss sunrpc oid_registry CPU: 2 PID: 2008 Comm: Xorg Tainted: G W 3.11.0-rc1-patser+ #119 Hardware name: Acer Aspire M3985/Aspire M3985, BIOS P01-A1 03/12/2012 00000000000000f2 ffff8803f59b1b68 ffffffff81637988 000000000000b0b0 0000000000000000 ffff8803f59b1ba8 ffffffff81059e1d 0000000000000000 0000000000000000 ffff8803f9dd6c48 ffff8803f9dd6c00 ffff8803f688d898 Call Trace: [<ffffffff81637988>] dump_stack+0x55/0x86 [<ffffffff81059e1d>] warn_slowpath_common+0x87/0xaf [<ffffffff81059e5a>] warn_slowpath_null+0x15/0x17 [<ffffffffa02d6109>] nouveau_mm_fini+0x4f/0x56 [nouveau] [<ffffffffa02f5703>] nouveau_vm_ref+0x154/0x180 [nouveau] [<ffffffffa02d5cdb>] ? nouveau_mm_free+0x85/0x116 [nouveau] [<ffffffffa02f57c9>] nouveau_vm_put+0x9a/0xb0 [nouveau] [<ffffffffa033462d>] ? nouveau_gem_info+0x9d/0x9d [nouveau] [<ffffffffa0334646>] nouveau_gem_object_delete+0x19/0x28 [nouveau] [<ffffffffa032fc90>] nouveau_fence_work+0xc9/0x102 [nouveau] [<ffffffffa0334d59>] nouveau_gem_object_close+0x103/0x182 [nouveau] [<ffffffffa01d8bcd>] drm_gem_handle_delete+0xcc/0x153 [drm] [<ffffffffa01d8fc5>] drm_gem_close_ioctl+0x23/0x25 [drm] [<ffffffffa01d6f75>] drm_ioctl+0x4cc/0x612 [drm] [<ffffffff816341c0>] ? __slab_free.isra.66+0x24d/0x2aa [<ffffffffa01d8fa2>] ? drm_gem_destroy+0x4c/0x4c [drm] [<ffffffff812dbef8>] ? avc_has_perm_flags+0xb1/0x179 [<ffffffff8115e988>] do_vfs_ioctl+0x8b/0x4f8 [<ffffffff812dccb4>] ? inode_has_perm.isra.43.constprop.75+0x25/0x2b [<ffffffff812debef>] ? file_has_perm+0x8c/0x9a [<ffffffff810d3267>] ? rcu_user_exit+0xe/0x10 [<ffffffff8115ee7f>] SyS_ioctl+0x8a/0x9b [<ffffffff8164240b>] tracesys+0xdd/0xe2 ---[ end trace f99ff0179509b495 ]--- Signed-off-by: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxx> --- diff --git a/drivers/gpu/drm/nouveau/core/subdev/vm/base.c b/drivers/gpu/drm/nouveau/core/subdev/vm/base.c index 3b90b42..afc5106 100644 --- a/drivers/gpu/drm/nouveau/core/subdev/vm/base.c +++ b/drivers/gpu/drm/nouveau/core/subdev/vm/base.c @@ -28,6 +28,8 @@ #include <subdev/fb.h> #include <subdev/vm.h> +static void nouveau_vm_del(struct nouveau_vm *vm); + void nouveau_vm_map_at(struct nouveau_vma *vma, u64 delta, struct nouveau_mem *node) { @@ -335,10 +337,10 @@ nouveau_vm_get(struct nouveau_vm *vm, u64 size, u32 page_shift, return ret; } } + ++vm->refcount; + vma->vm = vm; mutex_unlock(&nv_subdev(vmm)->mutex); - vma->vm = NULL; - nouveau_vm_ref(vm, &vma->vm, NULL); vma->offset = (u64)vma->node->offset << 12; #ifdef NOUVEAU_VM_POISON if (vm->poison) @@ -353,7 +355,7 @@ nouveau_vm_put(struct nouveau_vma *vma) { struct nouveau_vm *vm = vma->vm; struct nouveau_vmmgr *vmm = vm->vmm; - u32 fpde, lpde; + u32 fpde, lpde, ref; if (unlikely(vma->node == NULL)) return; @@ -363,9 +365,12 @@ nouveau_vm_put(struct nouveau_vma *vma) mutex_lock(&nv_subdev(vmm)->mutex); nouveau_vm_unmap_pgt(vm, vma->node->type != vmm->spg_shift, fpde, lpde); nouveau_mm_free(&vm->mm, &vma->node); - mutex_unlock(&nv_subdev(vmm)->mutex); - nouveau_vm_ref(NULL, &vma->vm, NULL); + vma->vm = NULL; + ref = --vm->refcount; + mutex_unlock(&nv_subdev(vmm)->mutex); + if (!ref) + nouveau_vm_del(vm); } int @@ -429,25 +434,21 @@ nouveau_vm_link(struct nouveau_vm *vm, struct nouveau_gpuobj *pgd) nouveau_gpuobj_ref(pgd, &vpgd->obj); - mutex_lock(&nv_subdev(vmm)->mutex); for (i = vm->fpde; i <= vm->lpde; i++) vmm->map_pgt(pgd, i, vm->pgt[i - vm->fpde].obj); list_add(&vpgd->head, &vm->pgd_list); - mutex_unlock(&nv_subdev(vmm)->mutex); return 0; } static void nouveau_vm_unlink(struct nouveau_vm *vm, struct nouveau_gpuobj *mpgd) { - struct nouveau_vmmgr *vmm = vm->vmm; struct nouveau_vm_pgd *vpgd, *tmp; struct nouveau_gpuobj *pgd = NULL; if (!mpgd) return; - mutex_lock(&nv_subdev(vmm)->mutex); list_for_each_entry_safe(vpgd, tmp, &vm->pgd_list, head) { if (vpgd->obj == mpgd) { pgd = vpgd->obj; @@ -456,7 +457,6 @@ nouveau_vm_unlink(struct nouveau_vm *vm, struct nouveau_gpuobj *mpgd) break; } } - mutex_unlock(&nv_subdev(vmm)->mutex); nouveau_gpuobj_ref(NULL, &pgd); } @@ -489,20 +489,31 @@ nouveau_vm_ref(struct nouveau_vm *ref, struct nouveau_vm **ptr, vm = ref; if (vm) { + struct nouveau_vmmgr *vmm = vm->vmm; + + mutex_lock(&nv_subdev(vmm)->mutex); ret = nouveau_vm_link(vm, pgd); - if (ret) + if (ret) { + mutex_unlock(&nv_subdev(vmm)->mutex); return ret; + } vm->refcount++; + mutex_unlock(&nv_subdev(vmm)->mutex); } vm = *ptr; *ptr = ref; if (vm) { + struct nouveau_vmmgr *vmm = vm->vmm; + + mutex_lock(&nv_subdev(vmm)->mutex); nouveau_vm_unlink(vm, pgd); - if (--vm->refcount == 0) + ret = --vm->refcount; + mutex_unlock(&nv_subdev(vmm)->mutex); + if (!ret) nouveau_vm_del(vm); } _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel