[Intel-gfx] [PATCH 02/13] drm/i915: fix invalid reference handling of the default ctx obj
Daniel Vetter
daniel at ffwll.ch
Sat Jul 14 13:53:10 CEST 2012
On Sat, Jul 14, 2012 at 10:55:19AM +0100, Chris Wilson wrote:
> On Fri, 13 Jul 2012 17:37:14 +0200, Daniel Vetter <daniel at ffwll.ch> wrote:
> > On Fri, Jul 13, 2012 at 02:14:05PM +0100, Chris Wilson wrote:
> > > Otherwise we end up trying to unpin a freed object and BUG.
> > >
> > > Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> > > Cc: Ben Widawsky <ben at bwidawsk.net>
> >
> > Afact this patch contains quite some code refactoring that does not
> > relate directly to the fix (or if it does, I fail to see the direct
> > relevance). So I think this either needs an explanation in the commit
> > message or be put into a separate patch (I agree though for actual code
> > cleanups).
> >
> > For the fix itself I seem to be a bit dense again - the only thing I see
> > is that you move the refcount handling into do_switch. Afacs we do the
> > ref-handling in both cases only when do_switch is successful, and also
> > right at the end of do_switch (or right afterwards). So can you please
> > enlighten your clueless maintainer a bit an explain how things blow up?
>
> The fix is that the reference handling was only done on one path, not
> both. Hence the default_ctx ends up being used-after-free.
>
> The rest of it was just unwinding the code to get to finding the bug...
Yeah, I've figured this out somewhat later yesterday. Still, a bugfix
shouldn't resemble a riddle more than a simple patch ... Afacs we only
need to move the reference count handling from i915_switch_context to
do_switch (and mention in the commit message that it's been missing when
creating the default context).
-Daniel
--
Daniel Vetter
Mail: daniel at ffwll.ch
Mobile: +41 (0)79 365 57 48
More information about the Intel-gfx
mailing list