[Bug 88433] [all Bisected]igt/drv_module_reload causes major memory corruption and system hang

Fri Jan 16 07:08:39 PST 2015

https://bugs.freedesktop.org/show_bug.cgi?id=88433

--- Comment #7 from Matt Roper <matthew.d.roper at intel.com> ---
(In reply to Ander Conselvan de Oliveira from comment #6)
> (In reply to Ander Conselvan de Oliveira from comment #5)
> > (In reply to Jani Nikula from comment #4)
> > > Please always assign to bisected bad commit author! I'm also CC'ing Ander
> > > for being the reviewer.
> > > 
> > > At a very quick glance, only intel_plane_duplicate_state looks suspicious.
> > > Is plane->state always valid when non-NULL?
> > > 
> > > Matt, Ander?
> > 
> > It should, but maybe I missed something in the review. But the error
> > checking in intel_plane_duplicate_state() and callers seems to be correct.
> > Perhaps the bug is in the plane helpers.
> 
> Actually the problem is somewhere with intel_plane_destroy.
> intel_plane_state_destroy doesn't set the plane to NULL and then something
> bad happens when drm_plane_cleanup tries to destroy it again.

Yep, Ander's analysis looks correct.  When I first wrote the patchset, the DRM
core wasn't cleaning up plane state, so I had to call the state destruction in
intel_plane_destroy() so that we wouldn't leak it on driver unload.  But the
core got updated to do the destruction before my patches actually landed and I
didn't notice before this series got merged, so we're now doing a double
kfree() (and possibly a double framebuffer unreference as well).

The fix is to just not cleanup the plane state in the driver anymore since the
core will handle it for us.  I'll send a patch for that shortly.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/intel-gfx-bugs/attachments/20150116/826e4f9a/attachment.html>