[Intel-gfx] [PATCH] drm/i915: Repeat unbinding during free if interrupted (v3)
Daniel Vetter
daniel at ffwll.ch
Fri Jul 23 17:25:23 CEST 2010
On Fri, Jul 23, 2010 at 03:54:44PM +0100, Chris Wilson wrote:
> If during the freeing of an object the unbind is interrupted by a system
> call, which is quite possible if we have outstanding GPU writes that
> must be flushed, the unbind is silently aborted. This still leaves the
> AGP region and backing pages allocated, and perhaps more importantly,
> the object remains upon the various lists exposing us to memory
> corruption.
>
> I think this is the cause behind the use-after-free, such as
>
> Bug 15664 - Graphics hang and kernel backtrace when starting Azureus
> with Compiz enabled
> https://bugzilla.kernel.org/show_bug.cgi?id=15664
>
> v2: Daniel Vetter reminded me that kernel space programming is never easy.
> We cannot simply spin to clear the pending signal and so must defer
> the freeing of the object until later.
> v3: Run from the top level retire requests.
>
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: stable at kernel.org
Cleaning up the deferred free list in retire_request looks much saner than
what I had in mind when discussing this on IRC.
Reviewed-By: Daniel Vetter <daniel at ffwll.ch>
--
Daniel Vetter
Mail: daniel at ffwll.ch
Mobile: +41 (0)79 365 57 48
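The failure mode in the patch description (an unbind cut short by -ERESTARTSYS leaving the object bound and on the driver's lists after its owner has let go) and the v2/v3 remedy (park the object on a deferred-free list and retry from the retire-requests path) can be modelled in user space. The block below is an added illustration written for this page, not code from i915 or from Chris Wilson's patch: the structures, the `free_object` flag, the list helpers and the value of ERESTARTSYS are simplifications chosen for the model, and the real driver's functions, locking and lists are not reproduced. `run_scenario(false)` plays the pre-patch behaviour, `run_scenario(true)` the deferred variant.

```c
#include <stdbool.h>
#include <stddef.h>
#define ERESTARTSYS 512	/* kernel-internal errno, defined here for this model */

struct obj {
	struct obj *next;	/* link on the active or deferred-free list */
	bool bound;		/* holds an AGP region and backing pages */
	int pending_writes;	/* GPU writes that must flush before unbind */
	bool freed;		/* set once the driver really releases it */
};

struct gem {
	struct obj *active;		/* objects the driver still tracks */
	struct obj *deferred_free;	/* hypothetical: frees cut short by a signal */
	bool signal_pending;		/* simulated signal during the flush wait */
};
struct outcome { int listed, bound, freed; };	/* what run_scenario reports */
static void list_del(struct obj **head, struct obj *o)
{
	for (; *head; head = &(*head)->next)
		if (*head == o) {
			*head = o->next;
			return;
		}
}

static void list_add(struct obj **head, struct obj *o) { o->next = *head; *head = o; }
/* Interruptible wait: writes outstanding and a signal pending gives -ERESTARTSYS. */
static int wait_for_flush(struct gem *g, struct obj *o)
{
	if (o->pending_writes && g->signal_pending)
		return -ERESTARTSYS;
	o->pending_writes = 0;
	return 0;
}

static int unbind(struct gem *g, struct obj *o)
{
	int ret = wait_for_flush(g, o);
	if (ret)
		return ret;	/* still bound, still on the active list */
	o->bound = false;
	list_del(&g->active, o);
	return 0;
}

/* defer=false is the pre-patch path: the interrupted unbind is silently dropped
 * and the object its owner just released stays bound and listed.  defer=true
 * models the patch: park it on deferred_free, off the owner's lists, for later. */
static void free_object(struct gem *g, struct obj *o, bool defer)
{
	if (unbind(g, o) == -ERESTARTSYS) {
		if (defer) {
			list_del(&g->active, o);
			list_add(&g->deferred_free, o);
		}
		return;
	}
	o->freed = true;
}

/* v3: retry from the top-level retire path; detach the list first so an object
 * interrupted again is re-parked rather than looping forever. */
static void retire_requests(struct gem *g)
{
	struct obj *list = g->deferred_free;
	g->deferred_free = NULL;
	while (list) {
		struct obj *o = list;
		list = o->next;
		free_object(g, o, true);
	}
}

/* Constructed scenario: a has GPU writes outstanding and its free is interrupted
 * by a signal, b is clean; both owners drop their objects, then retire runs. */
static struct outcome run_scenario(bool use_fix)
{
	struct obj a = { .bound = true, .pending_writes = 1 };
	struct obj b = { .bound = true };
	struct gem g = { 0 };
	const struct obj *o;
	int listed = 0;

	list_add(&g.active, &a);
	list_add(&g.active, &b);
	g.signal_pending = true;
	free_object(&g, &a, use_fix);
	free_object(&g, &b, use_fix);
	g.signal_pending = false;	/* the signal has been handled by now */
	if (use_fix)
		retire_requests(&g);
	for (o = g.active; o; o = o->next)
		listed++;
	for (o = g.deferred_free; o; o = o->next)
		listed++;
	return (struct outcome){ listed, a.bound + b.bound, a.freed + b.freed };
}
```

In the pre-patch run, object a is still on the active list and still bound after its owner has dropped it, which is exactly the state from which a later list walk turns into a use-after-free; in the deferred run, both objects end up released and no list holds a stale entry. The detach-before-walk in `retire_requests` is the detail worth keeping: if a deferred free is interrupted a second time the object is re-parked on the fresh list instead of being revisited in the same pass.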