From patchwork Fri Aug 16 20:29:33 2013
X-Patchwork-Submitter: Ben Widawsky
X-Patchwork-Id: 2845764
From: Ben Widawsky
To: Intel GFX
Cc: Ben Widawsky, Ben Widawsky
Date: Fri, 16 Aug 2013 13:29:33 -0700
Message-Id: <1376684973-14743-1-git-send-email-benjamin.widawsky@intel.com>
In-Reply-To: <1376675024-779-1-git-send-email-benjamin.widawsky@intel.com>
References: <1376675024-779-1-git-send-email-benjamin.widawsky@intel.com>
Subject: [Intel-gfx] [PATCH] [v2] drm/i915/vma: Correct use after free in eviction

The vma will [possibly] be destroyed during unbind in eviction.
Immediately after this, we try to delete the list entry.

Chris and Ville did the debug on this before I woke up, I just get to
take credit for the fix :p

v2: Missed the drm_object_unreference use after free (Ville)

Reported-by: Mika Kuoppala
Cc: Ville Syrjälä
Cc: Chris Wilson
Signed-off-by: Ben Widawsky
Reviewed-by: Chris Wilson
---
 drivers/gpu/drm/i915/i915_gem_evict.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem_evict.c b/drivers/gpu/drm/i915/i915_gem_evict.c
index 0cbaad4..3b7b74e 100644
--- a/drivers/gpu/drm/i915/i915_gem_evict.c
+++ b/drivers/gpu/drm/i915/i915_gem_evict.c
@@ -136,14 +136,17 @@ found: /* Unbinding will emit any required flushes */ while (!list_empty(&eviction_list)) { + struct drm_gem_object *obj; vma = list_first_entry(&eviction_list, struct i915_vma, exec_list); + + obj = &vma->obj->base; + list_del_init(&vma->exec_list); if (ret == 0) ret = i915_vma_unbind(vma); - list_del_init(&vma->exec_list); - drm_gem_object_unreference(&vma->obj->base); + drm_gem_object_unreference(obj); } return ret;
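Review bot: the new ordering inside the while loop (save obj, list_del_init(&vma->exec_list), then i915_vma_unbind(vma)) is required for correctness, but nothing in the code says so; the only statement that unbind may destroy the vma is in the commit message. Please add a short comment above "obj = &vma->obj->base;" saying that vma must not be dereferenced once i915_vma_unbind() has been called, so that a later cleanup does not move the list removal or the &vma->obj->base lookup back below the unbind and reintroduce the use after free. Minor style point: the added "struct drm_gem_object *obj;" declaration runs straight into "vma = list_first_entry(...)"; kernel style wants a blank line after the declaration.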