[Intel-gfx] [PATCH 3/3] drm/i915: Assert the vma's active tracking is clear before free

Tvrtko Ursulin tvrtko.ursulin at linux.intel.com
Tue Jun 20 15:48:31 UTC 2017


On 20/06/2017 13:43, Chris Wilson wrote:
> In looking at a use-after-free on Baytrail, it looks like the VMA's
> activity tracking is suspect. Add some asserts to catch freeing the VMA
> before we have decoupled all of its i915_gem_active trackers.
> 
> References: https://bugs.freedesktop.org/show_bug.cgi?id=101511
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Tvrtko Ursulin <tvrtko.ursulin at linux.intel.com>
> Cc: Joonas Lahtinen <joonas.lahtinen at linux.intel.com>
> ---
>   drivers/gpu/drm/i915/i915_vma.c | 9 +++++++--
>   1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers/gpu/drm/i915/i915_vma.c
> index 1cfe137cdc32..958be0a95960 100644
> --- a/drivers/gpu/drm/i915/i915_vma.c
> +++ b/drivers/gpu/drm/i915/i915_vma.c
> @@ -579,11 +579,17 @@ int __i915_vma_do_pin(struct i915_vma *vma,
>   
>   static void i915_vma_destroy(struct i915_vma *vma)
>   {
> +	int i;
> +
>   	GEM_BUG_ON(vma->node.allocated);
>   	GEM_BUG_ON(i915_vma_is_active(vma));
>   	GEM_BUG_ON(!i915_vma_is_closed(vma));
>   	GEM_BUG_ON(vma->fence);
>   
> +	for (i = 0; i < ARRAY_SIZE(vma->last_read); i++)
> +		GEM_BUG_ON(i915_gem_active_isset(&vma->last_read[i]));
> +	GEM_BUG_ON(i915_gem_active_isset(&vma->last_fence));
> +
>   	list_del(&vma->vm_link);
>   	if (!i915_vma_is_ggtt(vma))
>   		i915_ppgtt_put(i915_vm_to_ppgtt(vma->vm));
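Review bot: In i915_vma_destroy(), the new checks on vma->last_read[] and vma->last_fence follow GEM_BUG_ON(i915_vma_is_active(vma)) with no comment on why both are needed. A one-line comment saying they catch an i915_gem_active tracker that is still set while the vma reports itself inactive (the case the commit message describes) would help whoever trips the assert. Minor style point on the same lines: the counter is declared as int but compared against ARRAY_SIZE(), which is unsigned, so unsigned int would avoid the mixed-sign comparison.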
> @@ -680,9 +686,8 @@ int i915_vma_unbind(struct i915_vma *vma)
>   		__i915_vma_unpin(vma);
>   		if (ret)
>   			return ret;
> -
> -		GEM_BUG_ON(i915_vma_is_active(vma));
>   	}
> +	GEM_BUG_ON(i915_vma_is_active(vma));
>   
>   	if (i915_vma_is_pinned(vma))
>   		return -EBUSY;
> 
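Review bot: The commit message only talks about asserting before free, but in i915_vma_unbind() the GEM_BUG_ON(i915_vma_is_active(vma)) is moved from inside the block to after its closing brace, so it now runs on every call that reaches this point, including callers that skipped the block, and it runs before the i915_vma_is_pinned() -EBUSY return. Please add a sentence to the changelog explaining why the assert is hoisted, and confirm that every path which bypasses the block really does arrive with the vma inactive, otherwise this turns a previously tolerated path into a BUG on debug builds.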

Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin at intel.com>

Regards,

Tvrtko

