[Intel-gfx] [PATCH] drm/i915: fix reference counting in i915_gem_create

Daniel Vetter daniel.vetter at ffwll.ch
Wed Jul 24 14:02:20 CEST 2013


This function is called without the dev->struct_mutex held, hence we
need to use the _unlocked unreference variants.

As soon as the object is registered userspace can sneak in here with a
gem_close ioctl call, so the object can (and with my new evil tests
actually does) get the final unreference in this place. The lack of
locking then results in hilarity and some good leakage.

v2: We need to make the trace call _before_ we drop our ref - the
object might very well be gone by then already.

Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
---
 drivers/gpu/drm/i915/i915_gem.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 49592d6..56abcd1f 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -226,10 +226,11 @@ i915_gem_create(struct drm_file *file,
 		return ret;
 	}
 
-	/* drop reference from allocate - handle holds it now */
-	drm_gem_object_unreference(&obj->base);
 	trace_i915_gem_object_create(obj);
 
+	/* drop reference from allocate - handle holds it now */
+	drm_gem_object_unreference_unlocked(&obj->base);
+
 	*handle_p = handle;
 	return 0;
 }
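Review bot: the reordering is load-bearing, not cosmetic: `trace_i915_gem_object_create(obj)` now runs before the unreference because, once the handle exists, another thread can close it and the unreference here may be the final one that frees `obj`. Consider a short comment above the trace call (e.g. `/* must trace before dropping our ref: object may be freed */`) so a later cleanup does not move the trace back below the `drm_gem_object_unreference_unlocked(&obj->base)` call and reintroduce a read of a freed object.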
-- 
1.8.1.4