@@ -745,13 +745,21 @@ static int do_switch_rcs(struct intel_engine_cs *ring,
from->obj->dirty = 1;
BUG_ON(from->obj->ring != ring);
- /* obj is kept alive until the next request by its active ref */
- i915_gem_object_ggtt_unpin(from->obj);
}
uninitialized = !to->is_initialized && from == NULL;
to->is_initialized = true;
do_switch_fini_common(ring, from, to);
+ /* From may have disappeared again after thecontext unref */
+ from = ring->last_context;
+ if (from != NULL) {
+ /* obj is kept alive until the next request by its active ref.
+ * XXX: The context needs to be unpinned last, or else we risk
+ * hitting evict/idle on the ppgtt free, which will call back
+ * into this, and we'll get a double unpin on this context
+ */
+ i915_gem_object_ggtt_unpin(from->obj);
+ }
if (uninitialized) {
ret = i915_gem_render_state_init(ring);
See the following for many more details. commit acc240d41ea1ab9c488a79219fb313b5b46265ae Author: Daniel Vetter <daniel.vetter@ffwll.ch> Date: Thu Dec 5 15:42:34 2013 +0100 drm/i915: Fix use-after-free in do_switch In this case, the issue is only for full PPGTT: do_switch context_unref ppgtt_release i915_gpu_idle switch_to_default from changes to default context This could be backported to the pre do_switch cleanup I did in this series. However, it's much cleaner and more obvious as a patch on top, so I'd really like to do this as a post cleanup patch. Signed-off-by: Ben Widawsky <ben@bwidawsk.net> --- drivers/gpu/drm/i915/i915_gem_context.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)