[Mesa-dev] Crash in iris_bufmgr.c

Kenneth Graunke kenneth at whitecape.org
Thu May 30 07:14:32 UTC 2019


On Wednesday, May 29, 2019 10:30:45 PM PDT Mathias Fröhlich wrote:
> Hi Kenneth,
> 
> since your recent changes, I get a zero pointer dereference in
> alloc_bo_from_cache on one workload here:
> 
> What I get is
> 
> Thread 2 "" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fffef776700 (LWP 20924)]
> list_del (item=0x7fffe8ae4020) at ../src/util/list.h:91
> 91          item->prev->next = item->next;
> (gdb) p item->prev
> $1 = (struct list_head *) 0x0
> (gdb) where
> #0  list_del (item=0x7fffe8ae4020) at ../src/util/list.h:91
> #1  0x00007ffff469072f in alloc_bo_from_cache (bufmgr=0x4d8370, bucket=0x4d8418, memzone=IRIS_MEMZONE_OTHER, flags=0, match_zone=true)
>     at ../src/gallium/drivers/iris/iris_bufmgr.c:387
> [...]
> 
> I think the reason is that you use list_for_each_entry_safe in
> alloc_bo_from_cache in the outer loop and store a pointer to
> the next list entry. But when you call into iris_bo_cache_purge_bucket
> from inside that loop the function body there may walk the same list
> node as __next from list_for_each_entry_safe in alloc_bo_from_cache
> points to and may zero the list pointers out.
> 
> You may know best how to fix that.
> 
> best and thanks
> Mathias

Ouch.  Thanks for letting me know.  Fixed by:

commit 53878f7a8989879b0f3ca37df9fd1fb37f2525ca
Author: Kenneth Graunke <kenneth at whitecape.org>
Date:   Wed May 29 23:20:31 2019 -0700

    iris: Be lazy about cleaning up purged BOs in the cache.
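
Added illustration, not Mesa's code and not the diff of the commit above: a small stand-in for the list.h iterator plus a hypothetical cache bucket, showing how a bulk purge called from inside list_for_each_entry_safe leaves the loop's cached __next pointing at a node whose links list_del has already nulled, and one way to walk the bucket that stays valid. The names struct bo, purge_bucket, alloc_eager, alloc_lazy and run are mine; that the real fix resembles alloc_lazy is an assumption drawn only from the commit title. The bucket contents are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Mesa's src/util/list.h, written for this illustration.
 * list_del nulls the unlinked node's links, which is why a cached "next"
 * deleted behind the iterator's back ends in a NULL dereference. */
struct list_head { struct list_head *prev, *next; };

static inline void list_inithead(struct list_head *h) { h->prev = h->next = h; }

static inline void list_addtail(struct list_head *item, struct list_head *head)
{
    item->next = head;
    item->prev = head->prev;
    head->prev->next = item;
    head->prev = item;
}

static inline void list_del(struct list_head *item)
{
    item->prev->next = item->next;   /* the line that faults in the report */
    item->next->prev = item->prev;
    item->prev = item->next = NULL;
}

/* uintptr_t arithmetic keeps list_entry(NULL, ...) defined for the demo. */
#define list_entry(ptr, type, member) \
    ((type *)((uintptr_t)(ptr) - offsetof(type, member)))

#define list_for_each_entry_safe(type, pos, head, member)                  \
    for (type *pos = list_entry((head)->next, type, member),                \
              *__next = list_entry(pos->member.next, type, member);         \
         &pos->member != (head);                                            \
         pos = __next, __next = list_entry(__next->member.next, type, member))

/* Hypothetical cached buffer object; "purged" means the kernel discarded
 * its pages, so it must be dropped rather than handed out. */
struct bo { struct list_head head; int id; bool purged; };

struct alloc_result {
    struct bo *bo;         /* BO handed out, or NULL if none was usable */
    bool stale_iterator;   /* loop landed on a node something else unlinked */
};

/* Unlink every purged BO. Nodes live in a static array and are not freed,
 * so reading a stale node's links afterwards is a defined NULL read. */
static int purge_bucket(struct list_head *bucket)
{
    int n = 0;
    list_for_each_entry_safe(struct bo, bo, bucket, head)
        if (bo->purged) { list_del(&bo->head); n++; }
    return n;
}

/* Buggy pattern from the report: bulk purge from inside the safe loop.
 * __next was captured before purge_bucket ran; if purge_bucket unlinked
 * it, its links are NULL and a real build crashes in list_del one step
 * later. Here the hazard is detected and reported instead of crashing. */
static struct alloc_result alloc_eager(struct list_head *bucket)
{
    struct alloc_result r = { NULL, false };
    list_for_each_entry_safe(struct bo, bo, bucket, head) {
        if (bo->head.prev == NULL) { r.stale_iterator = true; return r; }
        if (bo->purged) { purge_bucket(bucket); continue; }  /* may unlink __next */
        list_del(&bo->head);
        r.bo = bo;
        return r;
    }
    return r;
}

/* One fix in the "be lazy" spirit (assumption, not the commit's diff):
 * never bulk-purge inside the loop; unlink only the node the iterator
 * holds. __next is still linked, so the walk stays valid, and purged BOs
 * further down are simply left for a later walk to clean up. */
static struct alloc_result alloc_lazy(struct list_head *bucket)
{
    struct alloc_result r = { NULL, false };
    list_for_each_entry_safe(struct bo, bo, bucket, head) {
        if (bo->head.prev == NULL) { r.stale_iterator = true; return r; }
        list_del(&bo->head);                 /* current node only */
        if (bo->purged) continue;
        r.bo = bo;
        return r;
    }
    return r;
}

static int list_length(struct list_head *head)
{
    int n = 0;
    for (struct list_head *p = head->next; p != head; p = p->next) n++;
    return n;
}

/* Constructed buckets: ids 1..3, with the given purged pattern. */
static const bool PURGED_FIRST[3] = { true, true, false };
static const bool USABLE_FIRST[3] = { false, true, true };
static struct bo bos[3];

/* Run one strategy; returns the id handed out, 0 if none, -1 if the
 * iterator went stale. *left (if non-NULL) gets the bucket length after. */
int run(bool lazy, const bool purged[3], int *left)
{
    struct list_head bucket;
    list_inithead(&bucket);
    for (int i = 0; i < 3; i++) {
        bos[i].id = i + 1;
        bos[i].purged = purged[i];
        list_addtail(&bos[i].head, &bucket);
    }
    struct alloc_result r = lazy ? alloc_lazy(&bucket) : alloc_eager(&bucket);
    if (left) *left = list_length(&bucket);
    return r.stale_iterator ? -1 : (r.bo ? r.bo->id : 0);
}

int left_after(bool lazy, const bool purged[3]) { int l; run(lazy, purged, &l); return l; }

int main(void)
{
    printf("eager, purged first: %d\n", run(false, PURGED_FIRST, NULL)); /* -1 */
    printf("lazy,  purged first: %d\n", run(true, PURGED_FIRST, NULL));  /* 3 */
    printf("lazy,  usable first: %d, %d left\n", run(true, USABLE_FIRST, NULL),
           left_after(true, USABLE_FIRST));                              /* 1, 2 */
    return 0;
}
```

With two purged BOs at the head of the bucket, alloc_eager purges both on the first iteration and then advances onto the second, now-unlinked node, which is exactly the state in the gdb trace (item->prev == 0x0 inside list_del). alloc_lazy only ever unlinks the node it is standing on, so the __next captured by the macro is still reachable; the cost is that purged BOs past the one handed out stay in the bucket until a later walk, which is the trade the commit title describes.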