[Intel-gfx] [PATCH] drm/i915: Reset vma->mm_list after unbinding

Chris Wilson chris at chris-wilson.co.uk
Wed Mar 5 14:05:29 CET 2014


On Tue, Feb 25, 2014 at 03:38:18PM -0800, Ben Widawsky wrote:
> On Tue, Feb 25, 2014 at 02:23:28PM +0000, Chris Wilson wrote:
> > In place of true activity counting, we walk the list of vma associated
> > with an object managing each on the vm's active/inactive list every time
> > we call move-to-inactive. This depends upon the vma->mm_list being
> > cleared after unbinding, or else we run into difficulty when tracking
> > the object in multiple vm's - we see a use-after-free and corruption of
> > the mm_list.
> 
> I feel bad because someone in PRC told me about this bug, and I could
> have sworn you had previously fixed it. So if you're reading this
> whomever you were, my apologies.
> > 
> > Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> > Cc: Ben Widawsky <ben at bwidawsk.net>
> 
> I think Cc: stable too
> 
> Reviewed-by: Ben Widawsky <ben at bwidawsk.net>

Daniel?
-Chris

> > ---
> >  drivers/gpu/drm/i915/i915_gem.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
> > index 633a8d56e401..4de984e176f5 100644
> > --- a/drivers/gpu/drm/i915/i915_gem.c
> > +++ b/drivers/gpu/drm/i915/i915_gem.c
> > @@ -2874,7 +2874,7 @@ int i915_vma_unbind(struct i915_vma *vma)
> >  
> >  	i915_gem_gtt_finish_object(obj);
> >  
> > -	list_del(&vma->mm_list);
> > +	list_del_init(&vma->mm_list);
> >  	if (i915_is_ggtt(vma->vm))
> >  		obj->map_and_fenceable = false;
> >  
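
Review bot: the replacement line list_del_init(&vma->mm_list) in i915_vma_unbind() now carries an invariant that is stated only in the commit message, namely that move-to-inactive depends on mm_list being cleared after unbinding. A one-line comment above the call saying that the node must be left re-initialised for that walk would keep a later cleanup from turning it back into list_del(). The commit message also reports a use-after-free and list corruption but has no stable tag, which the review reply asks for; adding it before merging would cover the affected released kernels.
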
> > -- 
> > 1.9.0

-- 
Chris Wilson, Intel Open Source Technology Centre
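
Added example, not part of the original thread or the i915 source: a userspace C model of the list semantics the commit message relies on, showing why a node that is unlinked without being re-initialised still looks tracked to a later walk. The list helpers are re-implemented here, `move_if_tracked` and `unbound_node_relinked` are hypothetical names, and the emptiness check in the walk is an assumption about how move-to-inactive uses the cleared node.

```c
#include <stdbool.h>

/* Userspace model of the kernel's struct list_head (constructed for this example). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

/* Unlink only: the node keeps pointing at its old neighbours. The kernel's
 * list_del() poisons these pointers instead; neither leaves an "empty" node. */
static void list_del_stale(struct list_head *n)
{
	n->next->prev = n->prev;
	n->prev->next = n->next;
}

/* Unlink and reset the node so list_empty(node) is true afterwards. */
static void list_del_init(struct list_head *n) { list_del_stale(n); init_list_head(n); }

/* Hypothetical walker: re-file a node only if it still looks tracked. */
static bool move_if_tracked(struct list_head *node, struct list_head *inactive)
{
	if (list_empty(node))
		return false;
	list_del_stale(node);		/* writes through node->prev and node->next */
	list_add_tail(node, inactive);
	return true;
}

/* Unbind a node, then run the walker; true means the unbound node was
 * written through and put back on a list its owner no longer tracks. */
static bool unbound_node_relinked(bool use_del_init)
{
	struct list_head active, inactive, node;
	init_list_head(&active);
	init_list_head(&inactive);
	list_add_tail(&node, &active);
	(use_del_init ? list_del_init : list_del_stale)(&node);
	return move_if_tracked(&node, &inactive);
}

int main(void) { return unbound_node_relinked(true) ? 1 : 0; }
```

In the model the stale pointers still reference live stack objects, so the write is harmless; in the driver the neighbours or the vma itself may already have been freed, which is the use-after-free the commit message describes.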