From: Chris Wilson <chris@chris-wilson.co.uk>
To: Daniel Vetter <daniel@ffwll.ch>
Cc: intel-gfx@lists.freedesktop.org, Ben Widawsky <ben@bwidawsk.net>
Subject: Re: [PATCH 02/13] drm/i915: fix invalid reference handling of the default ctx obj
Date: Sat, 14 Jul 2012 10:55:19 +0100 [thread overview]
Message-ID: <1342259731_7151@CP5-2952> (raw)
In-Reply-To: <20120713153714.GE5721@phenom.ffwll.local>
On Fri, 13 Jul 2012 17:37:14 +0200, Daniel Vetter <daniel@ffwll.ch> wrote:
> On Fri, Jul 13, 2012 at 02:14:05PM +0100, Chris Wilson wrote:
> > Otherwise we end up trying to unpin a freed object and BUG.
> >
> > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > Cc: Ben Widawsky <ben@bwidawsk.net>
>
> Afact this patch contains quite some code refactoring that does not
> relate directly to the fix (or if it does, I fail to see the direct
> relevance). So I think this either needs an explanation in the commit
> message or be put into a separate patch (I agree though for actual code
> cleanups).
>
> For the fix itself I seem to be a bit dense again - the only thing I see
> is that you move the refcount handling into do_switch. Afacs we do the
> ref-handling in both cases only when do_switch is successful, and also
> right at the end of do_switch (or right afterwards). So can you please
> enlighten your clueless maintainer a bit an explain how things blow up?
The fix is that the reference handling was only done on one path, not
both. Hence the default_ctx ends up being used-after-free.
The rest of it was just unwinding the code to get to finding the bug...
-Chris
--
Chris Wilson, Intel Open Source Technology Centre
next prev parent reply other threads:[~2012-07-14 9:55 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-13 13:14 Remove defunct flushing list (v2) Chris Wilson
2012-07-13 13:14 ` [PATCH 01/13] drm/i915: Flush the context object from the CPU caches upon creation Chris Wilson
2012-07-13 15:28 ` Ben Widawsky
2012-07-13 15:54 ` Daniel Vetter
2012-07-14 9:38 ` Chris Wilson
2012-07-14 11:58 ` Daniel Vetter
2012-07-14 12:48 ` Chris Wilson
2012-07-14 12:59 ` Daniel Vetter
2012-07-13 13:14 ` [PATCH 02/13] drm/i915: fix invalid reference handling of the default ctx obj Chris Wilson
2012-07-13 15:25 ` Ben Widawsky
2012-07-13 15:37 ` Daniel Vetter
2012-07-14 9:55 ` Chris Wilson [this message]
2012-07-14 11:53 ` Daniel Vetter
2012-07-13 13:14 ` [PATCH 03/13] drm/i915: Allow late allocation of request for i915_add_request() Chris Wilson
2012-07-13 13:14 ` [PATCH 04/13] drm/i915: Replace the pending_gpu_write flag with an explicit seqno Chris Wilson
2012-07-13 15:41 ` Daniel Vetter
2012-07-14 9:53 ` Chris Wilson
2012-07-13 13:14 ` [PATCH 05/13] drm/i915: Insert a flush between batches if the breadcrumb was dropped Chris Wilson
2012-07-13 15:46 ` Daniel Vetter
2012-07-14 10:24 ` Chris Wilson
2012-07-14 13:39 ` Daniel Vetter
2012-07-13 13:14 ` [PATCH 06/13] drm/i915: Remove the defunct flushing list Chris Wilson
2012-07-13 13:14 ` [PATCH 07/13] drm/i915: Remove the per-ring write list Chris Wilson
2012-07-13 13:14 ` [PATCH 08/13] drm/i915: Remove explicit flush from i915_gem_object_flush_fence() Chris Wilson
2012-07-13 13:14 ` [PATCH 09/13] drm/i915: Remove the explicit flush of the GPU write domain Chris Wilson
2012-07-13 13:14 ` [PATCH 10/13] drm/i915: Replace the complex flushing logic with simple invalidate/flush all Chris Wilson
2012-07-13 13:14 ` [PATCH 11/13] drm/i915: Clear the pending_gpu_fenced_access flag at the start of execbuffer Chris Wilson
2012-07-13 13:14 ` [PATCH 12/13] drm/i915: Split i915_gem_flush_ring() into seperate invalidate/flush funcs Chris Wilson
2012-07-13 13:14 ` [PATCH 13/13] drm/i915: Move the write seqno handling to move_to_active Chris Wilson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1342259731_7151@CP5-2952 \
--to=chris@chris-wilson.co.uk \
--cc=ben@bwidawsk.net \
--cc=daniel@ffwll.ch \
--cc=intel-gfx@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.