summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMaarten Lankhorst <maarten.lankhorst@canonical.com>2012-12-19 18:21:10 +0100
committerDave Airlie <airlied@redhat.com>2012-12-20 07:46:20 +1000
commit0953e76e91f4b6206cef50bd680696dc6bf1ef99 (patch)
treeba93fb6eb4ad4a6588b07be0a5e010e256813fc8
parent55bde6b1442fed8af67b92d21acce67db454c9f9 (diff)
drm/ttm: fix delayed ttm_bo_cleanup_refs_and_unlock delayed handling
Fix regression introduced by 85b144f860176 "drm/ttm: call ttm_bo_cleanup_refs with reservation and lru lock held, v3" Slowpath ttm_bo_cleanup_refs_and_unlock accidentally tried to increase refcount on &bo->sync_obj instead of bo->sync_obj. The compiler didn't complain since sync_obj_ref takes a void pointer, so it was still valid c. This could result in lockups, memory corruptions, and warnings like these when graphics card VRAM usage is high: ------------[ cut here ]------------ WARNING: at include/linux/kref.h:42 radeon_fence_ref+0x2c/0x40() Hardware name: System Product Name Pid: 157, comm: X Not tainted 3.7.0-rc7-00520-g85b144f-dirty #174 Call Trace: [<ffffffff81058c84>] ? warn_slowpath_common+0x74/0xb0 [<ffffffff8129273c>] ? radeon_fence_ref+0x2c/0x40 [<ffffffff8125e95c>] ? ttm_bo_cleanup_refs_and_unlock+0x18c/0x2d0 [<ffffffff8125f17c>] ? ttm_mem_evict_first+0x1dc/0x2a0 [<ffffffff81264452>] ? ttm_bo_man_get_node+0x62/0xb0 [<ffffffff8125f4ce>] ? ttm_bo_mem_space+0x28e/0x340 [<ffffffff8125fb0c>] ? ttm_bo_move_buffer+0xfc/0x170 [<ffffffff810de172>] ? kmem_cache_alloc+0xb2/0xc0 [<ffffffff8125fc15>] ? ttm_bo_validate+0x95/0x110 [<ffffffff8125ff7c>] ? ttm_bo_init+0x2ec/0x3b0 [<ffffffff8129419a>] ? radeon_bo_create+0x18a/0x200 [<ffffffff81293e80>] ? radeon_bo_clear_va+0x40/0x40 [<ffffffff812a5342>] ? radeon_gem_object_create+0x92/0x160 [<ffffffff812a575c>] ? radeon_gem_create_ioctl+0x6c/0x150 [<ffffffff812a529f>] ? radeon_gem_object_free+0x2f/0x40 [<ffffffff81246b60>] ? drm_ioctl+0x420/0x4f0 [<ffffffff812a56f0>] ? radeon_gem_pwrite_ioctl+0x20/0x20 [<ffffffff810f53a4>] ? do_vfs_ioctl+0x2e4/0x4e0 [<ffffffff810e5588>] ? vfs_read+0x118/0x160 [<ffffffff810f55ec>] ? sys_ioctl+0x4c/0xa0 [<ffffffff810e5851>] ? sys_read+0x51/0xa0 [<ffffffff814b0612>] ? system_call_fastpath+0x16/0x1b Signed-off-by: Maarten Lankhorst <maarten.lankhorst@canonical.com> Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de> Acked-by: Paul Menzel <paulepanter@users.sourceforge.net> Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--drivers/gpu/drm/ttm/ttm_bo.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index a9151337d5b..33d20be87db 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -579,7 +579,7 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo,
* at this point the buffer should be dead, so
* no new sync objects can be attached.
*/
- sync_obj = driver->sync_obj_ref(&bo->sync_obj);
+ sync_obj = driver->sync_obj_ref(bo->sync_obj);
spin_unlock(&bdev->fence_lock);
atomic_set(&bo->reserved, 0);