[Intel-gfx] [PATCH] drm/i915: Fix erroneous dereference of batch_obj inside reset_status
Mika Kuoppala
mika.kuoppala at linux.intel.com
Thu Dec 5 17:07:27 CET 2013
Chris Wilson <chris at chris-wilson.co.uk> writes:
> As the rings may be processed and their requests deallocated in a
> different order to the natural retirement during a reset,
>
> /* Whilst this request exists, batch_obj will be on the
> * active_list, and so will hold the active reference. Only when this
> * request is retired will the the batch_obj be moved onto the
> * inactive_list and lose its active reference. Hence we do not need
> * to explicitly hold another reference here.
> */
>
> is violated, and the batch_obj may be dereferenced after it had been
> freed on another ring. This can be simply avoided by processing the
> status update prior to deallocating any requests.
>
> Fixes regression (a possible OOPS following a GPU hang) from
> commit aa60c664e6df502578454621c3a9b1f087ff8d25
> Author: Mika Kuoppala <mika.kuoppala at linux.intel.com>
> Date: Wed Jun 12 15:13:20 2013 +0300
>
> drm/i915: find guilty batch buffer on ring resets
>
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Mika Kuoppala <mika.kuoppala at intel.com>
> Cc: stable at vger.kernel.org
Passes the igt/gem_reset_stats/close-pending-fork and
doesn't affect the fast path.
Reviewed-by: Mika Kuoppala <mika.kuoppala at intel.com>
More information about the Intel-gfx
mailing list