[Intel-gfx] [PATCH] drm/i915: Fix use-after-free in do_switch
Barbalho, Rafael
rafael.barbalho at intel.com
Thu Dec 5 17:28:23 CET 2013
> -----Original Message-----
> From: intel-gfx-bounces at lists.freedesktop.org [mailto:intel-gfx-
> bounces at lists.freedesktop.org] On Behalf Of Daniel Vetter
> Sent: Thursday, December 05, 2013 2:43 PM
> To: Intel Graphics Development
> Cc: Lister, Ian; Daniel Vetter; stable at vger.kernel.org; Widawsky, Benjamin
> Subject: [Intel-gfx] [PATCH] drm/i915: Fix use-after-free in do_switch
>
> So apparently under ridiculous amounts of memory pressure we can get into
> trouble in do_switch when we try to move the old hw context backing
> storage object onto the active lists.
>
[SNIP]
>
> Aside: There's currently no means to get a badly-fragmenting hw context
> object away from a bad spot in the upstream code. We should fix this by at
> least adding some code to evict_something to handle hw contexts.
>
> References: https://code.google.com/p/chromium/issues/detail?id=248191
> Reported-by: Ian Lister <ian.lister at intel.com>
> Cc: Ian Lister <ian.lister at intel.com>
> Cc: stable at vger.kernel.org
> Cc: Ben Widawsky <benjamin.widawsky at intel.com>
> Cc: Stéphane Marchesin <marcheu at chromium.org>
> Cc: Bloomfield, Jon <jon.bloomfield at intel.com>
> Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
Tested-by: Rafael Barbalho <rafael.barbalho at intel.com>
> ---
> drivers/gpu/drm/i915/i915_gem_context.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_gem_context.c
> b/drivers/gpu/drm/i915/i915_gem_context.c
> index 41877045a1a0..2d2877493f61 100644
> --- a/drivers/gpu/drm/i915/i915_gem_context.c
> +++ b/drivers/gpu/drm/i915/i915_gem_context.c
> @@ -421,11 +421,21 @@ static int do_switch(struct i915_hw_context *to)
> if (ret)
> return ret;
>
> - /* Clear this page out of any CPU caches for coherent swap-in/out.
> Note
> + /*
> + * Pin can switch back to the default context if we end up calling into
> + * evict_everything - as a last ditch gtt defrag effort that also
> + * switches to the default context. Hence we need to reload from
> here.
> + */
> + from = ring->last_context;
> +
> + /*
> + * Clear this page out of any CPU caches for coherent swap-in/out.
> +Note
> * that thanks to write = false in this call and us not setting any gpu
> * write domains when putting a context object onto the active list
> * (when switching away from it), this won't block.
> - * XXX: We need a real interface to do this instead of trickery. */
> + *
> + * XXX: We need a real interface to do this instead of trickery.
> + */
> ret = i915_gem_object_set_to_gtt_domain(to->obj, false);
> if (ret) {
> i915_gem_object_unpin(to->obj);
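Review bot: the reload `from = ring->last_context;` only fixes the stale pointer if nothing between the original `from = ring->last_context` at the top of do_switch and this point still uses the value captured before the pin; the hunk shows just the tail of that window (`if (ret) return ret;`), so a reviewer cannot confirm it from the diff alone. Either move the initial load down to this spot so there is a single assignment, or add one line to the new comment stating that `from` must not be dereferenced before the pin returns. Separately, the quoted copy has `Note` split onto its own `+Note` line, so apply the patch from the original mail rather than from this reply.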
> --
> 1.8.4.3
>
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/intel-gfx
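The hazard the commit message describes, as an added example that is not code from the i915 driver or from this patch: a caller caches `from = ring->last_context`, then calls into a pin path that can recurse into eviction, which itself switches the ring to the default context and drops the ring's reference on the cached object. The types `ctx_t` and `ring_t`, the functions `pin_ctx()`, `evict_everything()` and `run_scenario()`, the `pressure` flag and the `freed` marker (used instead of `kfree()` so a stale access can be observed rather than crash) are all assumptions of this toy model.

```c
/* Toy model of the do_switch() use-after-free (added example, not i915 code).
 * Names, the `pressure` flag and the `freed` marker are assumptions. */
#include <stdio.h>
#include <string.h>

typedef struct ctx {
    int refcount;
    int freed;   /* set when the last reference drops; stands in for kfree() */
} ctx_t;

typedef struct ring {
    ctx_t *last_context;   /* context currently loaded on the hardware */
    ctx_t *default_ctx;
} ring_t;

static void ctx_ref(ctx_t *c) { c->refcount++; }

static void ctx_unref(ctx_t *c)
{
    if (--c->refcount == 0)
        c->freed = 1;   /* memory is kept so the stale use can be detected */
}

/* Load `to` on the ring and drop the ring's reference on the previous context. */
static void ring_set_last(ring_t *ring, ctx_t *to)
{
    ctx_t *old = ring->last_context;
    ctx_ref(to);
    ring->last_context = to;
    if (old)
        ctx_unref(old);
}

/* Last-ditch defrag: also switches back to the default context, the side
 * effect the patch comment warns about. */
static void evict_everything(ring_t *ring)
{
    ring_set_last(ring, ring->default_ctx);
}

/* Pinning can recurse into eviction when the GTT is badly fragmented. */
static int pin_ctx(ring_t *ring, ctx_t *to, int pressure)
{
    (void)to;
    if (pressure)
        evict_everything(ring);
    return 0;
}

/* Buggy shape: `from` is captured before pin and dereferenced after it.
 * Returns 1 if a freed context was touched, 0 otherwise. */
static int do_switch_buggy(ring_t *ring, ctx_t *to, int pressure)
{
    ctx_t *from = ring->last_context;
    if (pin_ctx(ring, to, pressure))
        return -1;
    int stale = from->freed;       /* "move from->obj onto the active list" */
    ring_set_last(ring, to);
    return stale;
}

/* Fixed shape, as in the patch: reload `from` after the pin returns. */
static int do_switch_fixed(ring_t *ring, ctx_t *to, int pressure)
{
    if (pin_ctx(ring, to, pressure))
        return -1;
    ctx_t *from = ring->last_context;   /* pin may have switched contexts */
    int stale = from->freed;
    ring_set_last(ring, to);
    return stale;
}

/* Fresh ring whose current context is referenced by the ring alone, so an
 * eviction-triggered switch drops its last reference. Returns the stale flag. */
int run_scenario(int fixed, int pressure)
{
    ring_t ring;
    ctx_t def = { 1, 0 };   /* held by the driver */
    ctx_t cur = { 0, 0 };
    ctx_t next = { 1, 0 };  /* held by the caller */
    ring.default_ctx = &def;
    ring.last_context = NULL;
    ring_set_last(&ring, &cur);       /* cur->refcount == 1, ring only */
    return fixed ? do_switch_fixed(&ring, &next, pressure)
                 : do_switch_buggy(&ring, &next, pressure);
}

int main(void)
{
    printf("buggy, no pressure:  used freed context = %d\n", run_scenario(0, 0));
    printf("buggy, pressure:     used freed context = %d\n", run_scenario(0, 1));
    printf("fixed, pressure:     used freed context = %d\n", run_scenario(1, 1));
    return 0;
}
```

Without memory pressure both versions behave identically, which is why the bug only shows up under the "ridiculous amounts of memory pressure" the commit message mentions; the fixed version's reload is the whole difference.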