[0289/1094] drm/i915: Reset vma->mm_list after unbinding

Message ID	1413889294-31328-290-git-send-email-dheerajx.s.jamwal@intel.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <ltsi-dev-bounces@lists.linuxfoundation.org> From: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com> To: ltsi-dev@lists.linuxfoundation.org Date: Tue, 21 Oct 2014 18:48:09 +0800 Message-Id: <1413889294-31328-290-git-send-email-dheerajx.s.jamwal@intel.com> In-Reply-To: <1413889294-31328-1-git-send-email-dheerajx.s.jamwal@intel.com> References: <dheerajx.s.jamwal@intel.com> <1413889294-31328-1-git-send-email-dheerajx.s.jamwal@intel.com> Subject: [LTSI-dev] [PATCH 0289/1094] drm/i915: Reset vma->mm_list after unbinding Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ltsi-dev-bounces@lists.linuxfoundation.org Errors-To: ltsi-dev-bounces@lists.linuxfoundation.org

Message ID

1413889294-31328-290-git-send-email-dheerajx.s.jamwal@intel.com (mailing list archive)

State

New, archived

Headers

From: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com>
To: ltsi-dev@lists.linuxfoundation.org
Date: Tue, 21 Oct 2014 18:48:09 +0800
Message-Id: <1413889294-31328-290-git-send-email-dheerajx.s.jamwal@intel.com>
In-Reply-To: <1413889294-31328-1-git-send-email-dheerajx.s.jamwal@intel.com>
References: <dheerajx.s.jamwal@intel.com>
	<1413889294-31328-1-git-send-email-dheerajx.s.jamwal@intel.com>
Subject: [LTSI-dev] [PATCH 0289/1094] drm/i915: Reset vma->mm_list after
	unbinding
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ltsi-dev-bounces@lists.linuxfoundation.org
Errors-To: ltsi-dev-bounces@lists.linuxfoundation.org

Commit Message

Dheeraj Jamwal Oct. 21, 2014, 10:48 a.m. UTC

From: Chris Wilson <chris@chris-wilson.co.uk>

In place of true activity counting, we walk the list of vma associated
with an object managing each on the vm's active/inactive list everytime
we call move-to-inactive. This depends upon the vma->mm_list being
cleared after unbinding, or else we run into difficulty when tracking
the object in multiple vm's - we see a use-after free and corruption of
the mm_list.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ben Widawsky <ben@bwidawsk.net>
Reviewed-by: Ben Widawsky <ben@bwidawsk.net>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
(cherry picked from commit 64bf930379ac8097705db7d40602c2aa9ec0d2f4)

Signed-off-by: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com>
---
 drivers/gpu/drm/i915/i915_gem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 0ec1080..b41ead6 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -2739,7 +2739,7 @@  int i915_vma_unbind(struct i915_vma *vma)
 
 	i915_gem_gtt_finish_object(obj);
 
-	list_del(&vma->mm_list);
+	list_del_init(&vma->mm_list);
 	/* Avoid an unnecessary call to unbind on rebind. */
 	if (i915_is_ggtt(vma->vm))
 		obj->map_and_fenceable = true;

[0289/1094] drm/i915: Reset vma->mm_list after unbinding

Commit Message

Patch