Date: Thu, 6 Jun 2024 20:42:56 GMT From: Vladimir Kondratyev <wulf@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 613723bac219 - main - linuxkpi: Allow ida_destroy and idr_destroy to be called multiple times Message-ID: <202406062042.456Kgus0046120@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by wulf: URL: https://cgit.FreeBSD.org/src/commit/?id=613723bac219cb08ac1ad0afd3e07850d7fccc10 commit 613723bac219cb08ac1ad0afd3e07850d7fccc10 Author: Austin Shafer <ashafer@badland.io> AuthorDate: 2024-06-06 20:42:06 +0000 Commit: Vladimir Kondratyev <wulf@FreeBSD.org> CommitDate: 2024-06-06 20:42:06 +0000 linuxkpi: Allow ida_destroy and idr_destroy to be called multiple times This fixes some weird behavior triggered by nvidia-drm.ko: some DRM cleanup functions will be called multiple times, leading to a double free. drm_mode_config_cleanup will be called twice, causing ida_destroy to be called twice. Although calling the cleanup twice doesn't seem very clean, on Linux this seems to be permissable as it handles it just fine. Not doing these checks causes mutex panics and double frees. In order to preserve this behavior this change checks if the objects have already been destroyed and bails if so. This fixes the panic seen when unloading the nvidia-drm driver. MFC after: 1 week Reviewed by: bz, manu Differential revision: https://reviews.freebsd.org/D44865 --- sys/compat/linuxkpi/common/src/linux_idr.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sys/compat/linuxkpi/common/src/linux_idr.c b/sys/compat/linuxkpi/common/src/linux_idr.c index 583e2c237198..59c375194689 100644 --- a/sys/compat/linuxkpi/common/src/linux_idr.c +++ b/sys/compat/linuxkpi/common/src/linux_idr.c @@ -178,6 +178,14 @@ idr_destroy(struct idr *idr) { struct idr_layer *il, *iln; + /* + * This idr can be reused, and this function might be called multiple times + * without a idr_init(). Check if this is the case. If we do not do this + * then the mutex will panic while asserting that it is valid. + */ + if (mtx_initialized(&idr->lock) == 0) + return; + idr_remove_all(idr); mtx_lock(&idr->lock); for (il = idr->free; il != NULL; il = iln) { @@ -802,4 +810,5 @@ ida_destroy(struct ida *ida) { idr_destroy(&ida->idr); free(ida->free_bitmap, M_IDR); + ida->free_bitmap = NULL; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202406062042.456Kgus0046120>