[Intel-gfx] [PATCH] drm/i915: Reset vma->mm_list after unbinding
Ville Syrjälä
ville.syrjala at linux.intel.com
Thu Feb 27 15:11:39 CET 2014
On Tue, Feb 25, 2014 at 02:23:28PM +0000, Chris Wilson wrote:
> In place of true activity counting, we walk the list of vma associated
> with an object managing each on the vm's active/inactive list every time
> we call move-to-inactive. This depends upon the vma->mm_list being
> cleared after unbinding, or else we run into difficulty when tracking
> the object in multiple vm's - we see a use-after-free and corruption of
> the mm_list.
>
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Ben Widawsky <ben at bwidawsk.net>
> ---
> drivers/gpu/drm/i915/i915_gem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
> index 633a8d56e401..4de984e176f5 100644
> --- a/drivers/gpu/drm/i915/i915_gem.c
> +++ b/drivers/gpu/drm/i915/i915_gem.c
> @@ -2874,7 +2874,7 @@ int i915_vma_unbind(struct i915_vma *vma)
>
> i915_gem_gtt_finish_object(obj);
>
> - list_del(&vma->mm_list);
> + list_del_init(&vma->mm_list);
Isn't this just another symptom of the vma unbind recursion bug? I mean
how can someone else be accessing vma->mm_list while we're in the process
of freeing the vma itself (happens just a few lines down from here).
> if (i915_is_ggtt(vma->vm))
> obj->map_and_fenceable = false;
>
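Review bot: switching to list_del_init() only turns the poisoned prev/next pointers left by list_del() into an empty, self-pointing head; it does not remove the use-after-free the commit message cites, so if the vma is freed later in i915_vma_unbind (as the reply above points out), a subsequent move-to-inactive walk that reaches this vma still touches freed memory, it just no longer trips over poison. The commit message should state why the vma is guaranteed to outlive that walk (for instance, that it remains on the object's vma list and is only freed after the walk), or the walker should be changed to skip or unlink the vma before it is freed; at minimum a comment above `list_del_init(&vma->mm_list);` noting that later list_move_tail() calls rely on the head being re-initialised would make the intent clear.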
> --
> 1.9.0
>
--
Ville Syrjälä
Intel OTC