iris: Set BO maps to NULL in bo_free

bo_free is called on external BOs when there are no objects left which
reference them. The function unmaps the address range associated with
any maps which occured. However, if the BO is busy (not idle), it
doesn't mark the pointer to the start address as invalid. This can lead
to a segfault later on.

At the end of bo_free, these BOs are still present in the handle hash
table. If such a BO is reused (i.e., when a DMABUF with the same handle
is reimported) and the driver attempts to get another mapping, the
bufmgr will incorrectly assume that the map pointer is still valid and
reuse it. This leads to a segfault. Set the pointer to NULL to mark it
as invalid.

Enables iris to run and pass the piglit test,
ext_image_dma_buf_import-reimport-bug.

Cc: mesa-stable
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/9230>

diff --git a/src/gallium/drivers/iris/iris_bufmgr.c b/src/gallium/drivers/iris/iris_bufmgr.c
index 541465f..be50e5b 100644 (file)
--- a/src/gallium/drivers/iris/iris_bufmgr.c
+++ b/src/gallium/drivers/iris/iris_bufmgr.c
@@ -798,14 +798,17 @@ bo_free(struct iris_bo *bo)
    if (bo->map_cpu && !bo->userptr) {
       VG_NOACCESS(bo->map_cpu, bo->size);
       os_munmap(bo->map_cpu, bo->size);
+      bo->map_cpu = NULL;
    }
    if (bo->map_wc) {
       VG_NOACCESS(bo->map_wc, bo->size);
       os_munmap(bo->map_wc, bo->size);
+      bo->map_wc = NULL;
    }
    if (bo->map_gtt) {
       VG_NOACCESS(bo->map_gtt, bo->size);
       os_munmap(bo->map_gtt, bo->size);
+      bo->map_gtt = NULL;
    }
 
    if (bo->idle) {