From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel Vetter <daniel@ffwll.ch>
Subject: Re: [PATCH] drm/i915: Repeat unbinding during free if
 interrupted (v3)
Date: Fri, 23 Jul 2010 17:25:23 +0200
Message-ID: <20100723152522.GA4295@viiv.ffwll.ch>
References: <1279896490-29222-1-git-send-email-chris@chris-wilson.co.uk>
	<1279896884-29492-1-git-send-email-chris@chris-wilson.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org>
Received: from mail.ffwll.ch (cable-static-49-187.intergga.ch [157.161.49.187])
	by gabe.freedesktop.org (Postfix) with ESMTP id CF1219E8B0
	for <intel-gfx@lists.freedesktop.org>;
	Fri, 23 Jul 2010 08:31:44 -0700 (PDT)
Content-Disposition: inline
In-Reply-To: <1279896884-29492-1-git-send-email-chris@chris-wilson.co.uk>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Sender: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
Errors-To: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: intel-gfx@lists.freedesktop.org, stable@kernel.org
List-Id: intel-gfx@lists.freedesktop.org

On Fri, Jul 23, 2010 at 03:54:44PM +0100, Chris Wilson wrote:
> If during the freeing of an object the unbind is interrupted by a system
> call, which is quite possible if we have outstanding GPU writes that
> must be flushed, the unbind is silently aborted. This still leaves the
> AGP region and backing pages allocated, and perhaps more importantly,
> the object remains upon the various lists exposing us to memory
> corruption.
> 
> I think this is the cause behind the use-after-free, such as
> 
>   Bug 15664 - Graphics hang and kernel backtrace when starting Azureus
>               with Compiz enabled
>   https://bugzilla.kernel.org/show_bug.cgi?id=15664
> 
> v2: Daniel Vetter reminded me that kernel space programming is never easy.
> We cannot simply spin to clear the pending signal and so must deferred
> the freeing of the object until later.
> v3: Run from the top level retire requests.
> 
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: stable@kernel.org

Cleaning up the deferred free list in retire_request looks much saner than
what I've had in mind when discussing this on irc.

Reviewed-By: Daniel Vetter <daniel@ffwll.ch>
-- 
Daniel Vetter
Mail: daniel@ffwll.ch
Mobile: +41 (0)79 365 57 48