From c30215de7ecf4df5d7115154f390aaf7976c4789 Mon Sep 17 00:00:00 2001
From: Nanley Chery
Date: Mon, 22 Feb 2021 10:54:30 -0800
Subject: [PATCH] iris: Set BO maps to NULL in bo_free
bo_free is called on external BOs when there are no objects left which reference them. The function unmaps the address range associated with any maps which occured. However, if the BO is busy (not idle), it doesn't mark the pointer to the start address as invalid. This can lead to a segfault later on. At the end of bo_free, these BOs are still present in the handle hash table. If such a BO is reused (i.e., when a DMABUF with the same handle is reimported) and the driver attempts to get another mapping, the bufmgr will incorrectly assume that the map pointer is still valid and reuse it. This leads to a segfault. Set the pointer to NULL to mark it as invalid. Enables iris to run and pass the piglit test, ext_image_dma_buf_import-reimport-bug.
Cc: mesa-stable
Reviewed-by: Jordan Justen
Reviewed-by: Kenneth Graunke
Part-of:
(cherry picked from commit 0092219cfe2c46843b8feff76d0f4df87a8b3c81)
---
 .pick_status.json | 2 +-
 src/gallium/drivers/iris/iris_bufmgr.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/.pick_status.json b/.pick_status.json
index 95fcdf5538e..424e606009b 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -949,7 +949,7 @@
 "description": "iris: Set BO maps to NULL in bo_free",
 "nominated": true,
 "nomination_type": 0,
- "resolution": 0,
+ "resolution": 1,
 "master_sha": null,
 "because_sha": null
 },
diff --git a/src/gallium/drivers/iris/iris_bufmgr.c b/src/gallium/drivers/iris/iris_bufmgr.c
index 9a67602ac02..a29cef0dd4d 100644
--- a/src/gallium/drivers/iris/iris_bufmgr.c
+++ b/src/gallium/drivers/iris/iris_bufmgr.c
@@ -798,14 +798,17 @@ bo_free(struct iris_bo *bo)
 if (bo->map_cpu && !bo->userptr) {
 VG_NOACCESS(bo->map_cpu, bo->size);
 os_munmap(bo->map_cpu, bo->size);
+ bo->map_cpu = NULL;
 }
 if (bo->map_wc) {
 VG_NOACCESS(bo->map_wc, bo->size);
 os_munmap(bo->map_wc, bo->size);
+ bo->map_wc = NULL;
 }
 if (bo->map_gtt) {
 VG_NOACCESS(bo->map_gtt, bo->size);
 os_munmap(bo->map_gtt, bo->size);
+ bo->map_gtt = NULL;
 }

 if (bo->idle) {
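Review bot: Nothing in the new code says why the three `= NULL` stores are needed, and inside a function named bo_free they read like dead stores that a later cleanup could remove, bringing back the reuse of an unmapped address. A comment above the first block would pin the invariant, for example `/* A busy BO stays in the handle table and can be re-imported; clear the map pointers so a later map does not reuse an unmapped address. */`. The `bo->map_cpu = NULL;` store sits inside the `!bo->userptr` guard, so for a userptr BO the pointer is left set; that may be fine if such a BO can never be looked up again after bo_free, but that is not visible from this hunk and is worth confirming. bo_free's body starts before and continues after the hunk.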