This is a note to let you know that I've just added the patch titled
drm/vmwgfx: Prevent unmapping active read buffers
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-vmwgfx-prevent-unmapping-active-read-buffers.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <sta...@vger.kernel.org> know about it.
>From aba07b9a0587f50e5d3346eaa19019cf3f86c0ea Mon Sep 17 00:00:00 2001
From: Zack Rusin <zack.ru...@broadcom.com>
Date: Fri, 16 Aug 2024 14:32:05 -0400
Subject: drm/vmwgfx: Prevent unmapping active read buffers
From: Zack Rusin <zack.ru...@broadcom.com>
commit aba07b9a0587f50e5d3346eaa19019cf3f86c0ea upstream.
The kms paths keep a persistent map active to read and compare the cursor
buffer. These maps can race with each other in simple scenario where:
a) buffer "a" mapped for update
b) buffer "a" mapped for compare
c) do the compare
d) unmap "a" for compare
e) update the cursor
f) unmap "a" for update
At step "e" the buffer has been unmapped and the read contents is bogus.
Prevent unmapping of active read buffers by simply keeping a count of
how many paths have currently active maps and unmap only when the count
reaches 0.
Fixes: 485d98d472d5 ("drm/vmwgfx: Add support for CursorMob and CursorBypass 4")
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-l...@broadcom.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <sta...@vger.kernel.org> # v5.19+
Signed-off-by: Zack Rusin <zack.ru...@broadcom.com>
Link:
https://patchwork.freedesktop.org/patch/msgid/20240816183332.31961-2-zack.ru...@broadcom.com
Reviewed-by: Martin Krastev <martin.kras...@broadcom.com>
Reviewed-by: Maaz Mombasawala <maaz.mombasaw...@broadcom.com>
[Shivani: Modified to apply on v6.1.y]
Signed-off-by: Shivani Agarwal <shivani.agar...@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 12 +++++++++++-
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 3 +++
2 files changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
@@ -348,6 +348,8 @@ void *vmw_bo_map_and_cache(struct vmw_bu
void *virtual;
int ret;
+ atomic_inc(&vbo->map_count);
+
virtual = ttm_kmap_obj_virtual(&vbo->map, ¬_used);
if (virtual)
return virtual;
@@ -370,10 +372,17 @@ void *vmw_bo_map_and_cache(struct vmw_bu
*/
void vmw_bo_unmap(struct vmw_buffer_object *vbo)
{
+ int map_count;
+
if (vbo->map.bo == NULL)
return;
- ttm_bo_kunmap(&vbo->map);
+ map_count = atomic_dec_return(&vbo->map_count);
+
+ if (!map_count) {
+ ttm_bo_kunmap(&vbo->map);
+ vbo->map.bo = NULL;
+ }
}
@@ -510,6 +519,7 @@ int vmw_bo_init(struct vmw_private *dev_
BUILD_BUG_ON(TTM_MAX_BO_PRIORITY <= 3);
vmw_bo->base.priority = 3;
vmw_bo->res_tree = RB_ROOT;
+ atomic_set(&vmw_bo->map_count, 0);
size = ALIGN(size, PAGE_SIZE);
drm_gem_private_object_init(vdev, &vmw_bo->base.base, size);
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
@@ -116,6 +116,8 @@ struct vmwgfx_hash_item {
* @base: The TTM buffer object
* @res_tree: RB tree of resources using this buffer object as a backing MOB
* @base_mapped_count: ttm BO mapping count; used by KMS atomic helpers.
+ * @map_count: The number of currently active maps. Will differ from the
+ * cpu_writers because it includes kernel maps.
* @cpu_writers: Number of synccpu write grabs. Protected by reservation when
* increased. May be decreased without reservation.
* @dx_query_ctx: DX context if this buffer object is used as a DX query MOB
@@ -129,6 +131,7 @@ struct vmw_buffer_object {
/* For KMS atomic helpers: ttm bo mapping count */
atomic_t base_mapped_count;
+ atomic_t map_count;
atomic_t cpu_writers;
/* Not ref-counted. Protected by binding_mutex */
struct vmw_resource *dx_query_ctx;
Patches currently in stable-queue which might be from zack.ru...@broadcom.com
are
queue-6.1/drm-vmwgfx-prevent-unmapping-active-read-buffers.patch
