This is a note to let you know that I've just added the patch titled

    drm/ttm: Reorder sys manager cleanup step

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-ttm-reorder-sys-manager-cleanup-step.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


commit 47ce6d6686107472d6a36ab1ae35e9468a2e04f9
Author: Karolina Stolarek <karolina.stolarek@xxxxxxxxx>
Date:   Mon Oct 16 14:15:25 2023 +0200

    drm/ttm: Reorder sys manager cleanup step

    [ Upstream commit 3b401e30c249849d803de6c332dad2a595a58658 ]

    With the current cleanup flow, we could trigger a NULL pointer
    dereference if there is a delayed destruction of a BO with a
    system resource that gets executed on drain_workqueue() call,
    as we attempt to free a resource using an already released
    resource manager.

    Remove the device from the device list and drain its workqueue
    before releasing the system domain manager in ttm_device_fini().

    Signed-off-by: Karolina Stolarek <karolina.stolarek@xxxxxxxxx>
    Reviewed-by: Christian König <christian.koenig@xxxxxxx>
    Link: https://patchwork.freedesktop.org/patch/msgid/20231016121525.2237838-1-karolina.stolarek@xxxxxxxxx
    Signed-off-by: Christian König <christian.koenig@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/ttm/ttm_device.c b/drivers/gpu/drm/ttm/ttm_device.c index 7726a72befc54..d48b39132b324 100644 --- a/drivers/gpu/drm/ttm/ttm_device.c +++ b/drivers/gpu/drm/ttm/ttm_device.c 
@@ -232,10 +232,6 @@ void ttm_device_fini(struct ttm_device *bdev) struct ttm_resource_manager *man; unsigned i; - man = ttm_manager_type(bdev, TTM_PL_SYSTEM); - ttm_resource_manager_set_used(man, false); - ttm_set_driver_manager(bdev, TTM_PL_SYSTEM, NULL); - mutex_lock(&ttm_global_mutex); list_del(&bdev->device_list); mutex_unlock(&ttm_global_mutex); @@ -243,6 +239,10 @@ void ttm_device_fini(struct ttm_device *bdev) drain_workqueue(bdev->wq); destroy_workqueue(bdev->wq); + man = ttm_manager_type(bdev, TTM_PL_SYSTEM); + ttm_resource_manager_set_used(man, false); + ttm_set_driver_manager(bdev, TTM_PL_SYSTEM, NULL); + spin_lock(&bdev->lru_lock); for (i = 0; i < TTM_MAX_BO_PRIORITY; ++i) if (list_empty(&man->lru[0]))
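Review bot: the commit message shown here has no Fixes: tag for the three lines removed at the top of ttm_device_fini() in the first hunk, so it is not clear from the patch which change put the system manager release ahead of drain_workqueue() and therefore which stable trees need this backport. Naming the introducing commit would let maintainers of other branches decide whether the same NULL pointer dereference window exists there.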
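Review bot: the block re-added after destroy_workqueue(bdev->wq) in the second hunk carries no comment explaining why it must stay below the drain, so a later tidy-up of ttm_device_fini() could move it back up and reintroduce the dereference of a released manager. A short comment above "man = ttm_manager_type(bdev, TTM_PL_SYSTEM);" saying that delayed BO destruction run from drain_workqueue() may still free system resources would pin the ordering. The assignment also has to remain ahead of the spin_lock(&bdev->lru_lock) section, because man is read there. Separately, the trailing context tests list_empty(&man->lru[0]) inside a loop over i, so every iteration looks at priority 0; that line is unchanged here, but it may be worth checking whether man->lru[i] was intended.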