Patch "drm/i915: Fix a race between vma / object destruction and unbinding" has been added to the 5.15-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    drm/i915: Fix a race between vma / object destruction and unbinding

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-i915-fix-a-race-between-vma-object-destruction-a.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 28dde823cbf891cb44f4fc3d6c8b5070226ad53c
Author: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>
Date:   Thu Jan 27 12:56:22 2022 +0100

    drm/i915: Fix a race between vma / object destruction and unbinding
    
    [ Upstream commit bc1922e5d349db4be14c55513102c024c2ae8a50 ]
    
    The vma destruction code was using an unlocked advisory check for
    drm_mm_node_allocated() to avoid racing with eviction code unbinding
    the vma.
    
    This is very fragile and prohibits the dereference of non-refcounted
    pointers of dying vmas after a call to __i915_vma_unbind(). It also
    prohibits the dereference of vma->obj of refcounted pointers of
    dying vmas after a call to __i915_vma_unbind(), since even if a
    refcount is held on the vma, that won't guarantee that its backing
    object doesn't get destroyed.
    
    So introduce an unbind under the vm mutex at object destroy time,
    removing all weak references of the vma and its object from the
    object vma list and from the vm bound list.
    
    Signed-off-by: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>
    Reviewed-by: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220127115622.302970-1-thomas.hellstrom@xxxxxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.c b/drivers/gpu/drm/i915/gem/i915_gem_object.c
index 6fb9afb65034..5f48d5ea5c15 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_object.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_object.c
@@ -224,6 +224,12 @@ void __i915_gem_free_object(struct drm_i915_gem_object *obj)
 			GEM_BUG_ON(vma->obj != obj);
 			spin_unlock(&obj->vma.lock);
 
+			/* Verify that the vma is unbound under the vm mutex. */
+			mutex_lock(&vma->vm->mutex);
+			atomic_and(~I915_VMA_PIN_MASK, &vma->flags);
+			__i915_vma_unbind(vma);
+			mutex_unlock(&vma->vm->mutex);
+
 			__i915_vma_put(vma);
 
 			spin_lock(&obj->vma.lock);