[Intel-gfx] [RFC PATCH] drm/i915/guc: Fix premature release of context on reset
Chris Wilson
chris at chris-wilson.co.uk
Wed Jul 24 15:24:37 UTC 2019
Quoting Janusz Krzysztofik (2019-07-24 16:05:25)
> When using GuC submission, some execlists originated helper functions
> are reused. One of them, used inside guc_reset() and
> guc_cancel_requests() callbacks introduced by commit 292ad25c22d9
> ("drm/i915/guc: Implement reset locally"), unfortunately calls
> execlists_schedule_out() helper instead of its GuC specific equivalent.
> As execlists functions maintain context references for themselves, that
> helper releases a context associated with a request being processed as
> soon as the context inflight queue becomes empty. Since GuC submission
> doesn't keep extra context references, possibly still active contexts
> may be released prematurely, resulting in kernel panic.
Fwiw, that rq->context->inflight = NULL in schedule_out() is not
protected against a dangling dereference. Which, if you are not falling
into the execlists trap, you can remove entirely to avoid the potential
use-after-free.
-Chris