From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel Vetter <daniel@ffwll.ch>
Subject: Re: [PATCH 02/13] drm/i915: fix invalid reference
 handling of the default ctx obj
Date: Sat, 14 Jul 2012 13:53:10 +0200
Message-ID: <20120714115238.GA5498@phenom.ffwll.local>
References: <1342185256-16024-1-git-send-email-chris@chris-wilson.co.uk>
	<1342185256-16024-3-git-send-email-chris@chris-wilson.co.uk>
	<20120713153714.GE5721@phenom.ffwll.local>
	<1342259731_7151@CP5-2952>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org>
Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43])
	by gabe.freedesktop.org (Postfix) with ESMTP id BF5499F077
	for <intel-gfx@lists.freedesktop.org>;
	Sat, 14 Jul 2012 04:53:11 -0700 (PDT)
Received: by wgbdr1 with SMTP id dr1so431615wgb.12
	for <intel-gfx@lists.freedesktop.org>;
	Sat, 14 Jul 2012 04:53:10 -0700 (PDT)
Content-Disposition: inline
In-Reply-To: <1342259731_7151@CP5-2952>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Sender: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
Errors-To: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: intel-gfx@lists.freedesktop.org, Ben Widawsky <ben@bwidawsk.net>
List-Id: intel-gfx@lists.freedesktop.org

On Sat, Jul 14, 2012 at 10:55:19AM +0100, Chris Wilson wrote:
> On Fri, 13 Jul 2012 17:37:14 +0200, Daniel Vetter <daniel@ffwll.ch> wrote:
> > On Fri, Jul 13, 2012 at 02:14:05PM +0100, Chris Wilson wrote:
> > > Otherwise we end up trying to unpin a freed object and BUG.
> > > 
> > > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > > Cc: Ben Widawsky <ben@bwidawsk.net>
> > 
> > Afact this patch contains quite some code refactoring that does not
> > relate directly to the fix (or if it does, I fail to see the direct
> > relevance). So I think this either needs an explanation in the commit
> > message or be put into a separate patch (I agree though for actual code
> > cleanups).
> > 
> > For the fix itself I seem to be a bit dense again - the only thing I see
> > is that you move the refcount handling into do_switch. Afacs we do the
> > ref-handling in both cases only when do_switch is successful, and also
> > right at the end of do_switch (or right afterwards). So can you please
> > enlighten your clueless maintainer a bit an explain how things blow up?
> 
> The fix is that the reference handling was only done on one path, not
> both. Hence the default_ctx ends up being used-after-free.
> 
> The rest of it was just unwinding the code to get to finding the bug...

Yeah, I've figured this out somewhat later yesterday. Still, a bugfix
shouldn't resemble a riddle more than a simple patch ... Afacs we only
need to move the reference count handling from i915_switch_context to
do_switch (and mention in the commit message that it's been missing when
creating the default context).
-Daniel
-- 
Daniel Vetter
Mail: daniel@ffwll.ch
Mobile: +41 (0)79 365 57 48