drm/ttm: Fix use-after-free in ttm_bo_clean_mm

We unref the man->move fence in ttm_bo_clean_mm() and then call
ttm_bo_force_list_clean() which waits on it, except the refcount is now
zero so a warning is generated (or worse):
[149492.279301] refcount_t: increment on 0; use-after-free.
[149492.279309] ------------[ cut here ]------------
[149492.279315] WARNING: CPU: 3 PID: 18726 at lib/refcount.c:150 refcount_inc+0x2b/0x30
[149492.279315] Modules linked in: vhost_net vhost tun x86_pkg_temp_thermal crc32_pclmul ghash_clmulni_intel efivarfs amdgpu(-) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
[149492.279326] CPU: 3 PID: 18726 Comm: rmmod Not tainted 4.12.0-rc5-drm-next-4.13-ttmpatch+ #1
[149492.279326] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD3H-BK/Z97X-UD3H-BK-CF, BIOS F6 06/17/2014
[149492.279327] task: ffff8804ddfedcc0 task.stack: ffffc90008d20000
[149492.279329] RIP: 0010:refcount_inc+0x2b/0x30
[149492.279330] RSP: 0018:ffffc90008d23c30 EFLAGS: 00010286
[149492.279331] RAX: 000000000000002b RBX: 0000000000000170 RCX: 0000000000000000
[149492.279331] RDX: 0000000000000000 RSI: ffff88051ecccbe8 RDI: ffff88051ecccbe8
[149492.279332] RBP: ffffc90008d23c30 R08: 0000000000000001 R09: 00000000000003ee
[149492.279333] R10: ffffc90008d23bb0 R11: 00000000000003ee R12: ffff88043aaac960
[149492.279333] R13: ffff8805005e28a8 R14: 0000000000000002 R15: ffff88050115e178
[149492.279334] FS:  00007fc540168700(0000) GS:ffff88051ecc0000(0000) knlGS:0000000000000000
[149492.279335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[149492.279336] CR2: 00007fc3e8654140 CR3: 000000027ba77000 CR4: 00000000001426e0
[149492.279337] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[149492.279337] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[149492.279338] Call Trace:
[149492.279345] ttm_bo_force_list_clean+0xb9/0x110 [ttm]
[149492.279348] ttm_bo_clean_mm+0x7a/0xe0 [ttm]
[149492.279375] amdgpu_ttm_fini+0xc9/0x1f0 [amdgpu]
[149492.279392] amdgpu_bo_fini+0x12/0x40 [amdgpu]
[149492.279415] gmc_v7_0_sw_fini+0x32/0x40 [amdgpu]
[149492.279430] amdgpu_fini+0x2c9/0x490 [amdgpu]
[149492.279445] amdgpu_device_fini+0x58/0x1b0 [amdgpu]
[149492.279461] amdgpu_driver_unload_kms+0x4f/0xa0 [amdgpu]
[149492.279470] drm_dev_unregister+0x3c/0xe0 [drm]
[149492.279485] amdgpu_pci_remove+0x19/0x30 [amdgpu]
[149492.279487] pci_device_remove+0x39/0xc0
[149492.279490] device_release_driver_internal+0x155/0x210
[149492.279491] driver_detach+0x38/0x70
[149492.279493] bus_remove_driver+0x4c/0xa0
[149492.279494] driver_unregister+0x2c/0x40
[149492.279496] pci_unregister_driver+0x21/0x90
[149492.279520] amdgpu_exit+0x15/0x406 [amdgpu]
[149492.279523] SyS_delete_module+0x1a8/0x270
[149492.279525] ? exit_to_usermode_loop+0x92/0xa0
[149492.279528] entry_SYSCALL_64_fastpath+0x13/0x94
[149492.279529] RIP: 0033:0x7fc53fcb68e7
[149492.279529] RSP: 002b:00007ffcfbfaabb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[149492.279531] RAX: ffffffffffffffda RBX: 0000563117adb200 RCX: 00007fc53fcb68e7
[149492.279531] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000563117adb268
[149492.279532] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
[149492.279533] R10: 0000000000000883 R11: 0000000000000206 R12: 00007ffcfbfa9ba0
[149492.279533] R13: 0000000000000000 R14: 0000000000000000 R15: 0000563117adb200
[149492.279534] Code: 55 48 89 e5 e8 77 fe ff ff 84 c0 74 02 5d c3 80 3d 40 f2 a4 00 00 75 f5 48 c7 c7 20 3c ca 81 c6 05 30 f2 a4 00 01 e8 91 f0 d7 ff <0f> ff 5d c3 90 55 48 89 fe bf 01 00 00 00 48 89 e5 e8 9f fe ff
[149492.279557] ---[ end trace 2d4e0ffcb66a1016 ]---

Unref the fence *after* waiting for it.

v2: Set man->move to NULL after dropping the last ref (Christian König)

Fixes: aff98ba1fdb8 (drm/ttm: wait for eviction in ttm_bo_force_list_clean)
Signed-off-by: John Brooks <john@fastquake.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
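
The ordering problem described in the commit message, as an added userspace model that is not the kernel's code or part of the patch. Every type and function name below is hypothetical; the fence is never actually freed, only flagged as released, so the buggy order can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userspace model only; every name here is hypothetical, not a TTM symbol. */
struct model_fence { int refcount; bool released; };
struct model_manager { struct model_fence *move; }; /* stands in for man->move */

/* Like refcount_inc(): taking a reference on a zero count is refused. */
static bool fence_get(struct model_fence *f)
{
    if (f->refcount == 0)
        return false;            /* "increment on 0; use-after-free" */
    f->refcount++;
    return true;
}

static void fence_put(struct model_fence *f)
{
    if (--f->refcount == 0)
        f->released = true;      /* real code would free the fence here */
}

/* Waiter: holds its own reference for the duration of the wait. */
static int wait_on_move(struct model_manager *man)
{
    struct model_fence *f = man->move;
    if (!f)
        return 0;                /* pointer cleared: nothing to wait for */
    if (!fence_get(f))
        return -1;               /* touched an already released fence */
    fence_put(f);                /* the wait itself would sit before this put */
    return 0;
}

/* Order the message describes as the bug: unref, then wait. */
int clean_buggy(struct model_manager *man)
{
    fence_put(man->move);
    return wait_on_move(man);
}

/* Order after the fix: wait, unref, then set the pointer to NULL (v2). */
int clean_fixed(struct model_manager *man)
{
    int ret = wait_on_move(man);
    if (man->move)
        fence_put(man->move);
    man->move = NULL;
    return ret;
}
```

Clearing the pointer after the last put is what makes a repeated cleanup call harmless in this model: the waiter sees NULL and returns instead of touching the released fence.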