<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - [BDW] use-after-free in gen8_ppgtt_alloc_page_directories" href="https://bugs.freedesktop.org/show_bug.cgi?id=99684">99684</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[BDW] use-after-free in gen8_ppgtt_alloc_page_directories
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>DRI
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>DRI git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>DRM/Intel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>matthew.auld@intel.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span><a href="attachment.cgi?id=129346" name="attach_129346" title="dmesg">attachment 129346</a> <a href="attachment.cgi?id=129346&action=edit" title="dmesg">[details]</a></span>
dmesg

It looks like we are hitting a use-after-free in
gen8_ppgtt_alloc_page_directories with some pdp state. One possible theory from
looking at the log is that the shrinker kicks in and starts swinging its axe,
evicting one or more vmas, which results in said pdp being freed; I guess we
didn't have anything else inserted in that range, which is why it was freed.
But all of this could have happened while we were in the middle of allocating a
va range for another vma which just so happens to touch the same pdp, and so
with a little bad timing the free could have happened just after we checked if we
needed to allocate a new pdp, resulting in all kinds of brokenness. It looks like
something similar could also happen with a pd.</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
          <li>You are on the CC list for the bug.</li>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>