From 2dc37ec50d886881e22390c94750fd85cb06e318 Mon Sep 17 00:00:00 2001 From: Mark Yao Date: Thu, 22 Dec 2016 12:44:14 +0800 Subject: [PATCH] drm/rockchip: gem: add mutex lock for drm mm drm_mm_insert_node_generic and drm_mm_remove_node may access same resource with list ops, it's not threads safe, so protect this context with mutex lock. Fix bug: [49451.856244] ================================================================== [49451.856350] BUG: KASAN: wild-memory-access on address dead000000000108 [49451.856379] Write of size 8 by task Binder:218_4/683 [49451.856417] CPU: 2 PID: 683 Comm: Binder:218_4 Not tainted 4.4.36 #62 [49451.856443] Hardware name: Rockchip RK3399 Excavator Board edp (Android) (DT) [49451.856469] Call trace: [49451.856519] [] dump_backtrace+0x0/0x230 [49451.856556] [] show_stack+0x14/0x1c [49451.856592] [] dump_stack+0xa0/0xc8 [49451.856633] [] kasan_report+0x110/0x4dc [49451.856670] [] __asan_store8+0x24/0x7c [49451.856715] [] drm_mm_insert_node_generic+0x2dc/0x464 [49451.856760] [] rockchip_gem_iommu_map+0x60/0x158 [49451.856794] [] rockchip_gem_create_object+0x278/0x488 [49451.856827] [] rockchip_gem_create_with_handle+0x24/0x10c [49451.856862] [] rockchip_gem_create_ioctl+0x3c/0x50 [49451.856896] [] drm_ioctl+0x354/0x52c [49451.856939] [] do_vfs_ioctl+0x670/0x78c [49451.856976] [] SyS_ioctl+0x60/0x88 [49451.857009] [] el0_svc_naked+0x24/0x28 Change-Id: I2ea377aa9ca24f70c59e2d86f2a6ad5ccb9c0891 Signed-off-by: Mark Yao --- drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 1 + drivers/gpu/drm/rockchip/rockchip_drm_drv.h | 2 ++ drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 9 +++++++++ 3 files changed, 12 insertions(+) diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c index 915ca8606ee2..c3969fdc47f2 100644 --- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c +++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c 
@@ -754,6 +754,7 @@ static int rockchip_drm_init_iommu(struct drm_device *drm_dev) DRM_DEBUG("IOMMU context initialized (aperture: %#llx-%#llx)\n", start, end); drm_mm_init(&private->mm, start, end - start + 1); + mutex_init(&private->mm_lock); return 0; } diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_drv.h b/drivers/gpu/drm/rockchip/rockchip_drm_drv.h index f66a814a52dc..172f214d81c9 100644 --- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.h +++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.h @@ -121,6 +121,8 @@ struct rockchip_drm_private { unsigned int cpu_fence_context; atomic_t cpu_fence_seqno; #endif + /* protect drm_mm on multi-threads */ + struct mutex mm_lock; struct drm_mm mm; }; diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c index 2af62e3c6d24..4c44e992b468 100644 --- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c +++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c @@ -35,9 +35,13 @@ static int rockchip_gem_iommu_map(struct rockchip_gem_object *rk_obj) int prot = IOMMU_READ | IOMMU_WRITE; ssize_t ret; + mutex_lock(&private->mm_lock); + ret = drm_mm_insert_node_generic(&private->mm, &rk_obj->mm, rk_obj->base.size, PAGE_SIZE, 0, 0, 0); + + mutex_unlock(&private->mm_lock); if (ret < 0) { DRM_ERROR("out of I/O virtual memory: %zd\n", ret); return ret; @@ -68,8 +72,13 @@ static int rockchip_gem_iommu_unmap(struct rockchip_gem_object *rk_obj) struct rockchip_drm_private *private = drm->dev_private; iommu_unmap(private->domain, rk_obj->dma_addr, rk_obj->size); + + mutex_lock(&private->mm_lock); + drm_mm_remove_node(&rk_obj->mm); + mutex_unlock(&private->mm_lock); + return 0; } -- 2.34.1
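Review bot: `mutex_init(&private->mm_lock);` sits at the tail of rockchip_drm_init_iommu(), right before `return 0;`, so the lock is only initialized when this function reaches its success path. The function starts outside the hunk, so any earlier return is not visible here. If one exists and GEM code can still reach `mm_lock`, the mutex would be used uninitialized. Initializing it where `private` is allocated would tie its lifetime to the structure, and a matching `mutex_destroy(&private->mm_lock);` next to the drm_mm teardown would let lock debugging catch late users.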
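Review bot: The comment added above `mm_lock` in struct rockchip_drm_private says the lock protects drm_mm but not which operations must hold it. A more precise wording would be `/* serializes drm_mm node insertion and removal on @mm */`. Stating the rule at the field makes it more likely that a future caller touching `private->mm` takes the lock too. The struct definition begins outside the hunk.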
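Review bot: In rockchip_gem_iommu_map() only the `drm_mm_insert_node_generic()` call is placed under `mm_lock`, and the function continues past the end of this hunk. If the remainder has a failure path that calls `drm_mm_remove_node(&rk_obj->mm)` after a failed mapping, that call edits the same allocator lists and needs the same `mutex_lock(&private->mm_lock);` / `mutex_unlock(&private->mm_lock);` pair around it. Without it, the unsynchronized list update behind the KASAN report in the commit message would still be possible on that path. The rockchip_gem_iommu_unmap() hunk covers the removal on the unmap side only.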