From: Chris Wilson Date: Tue, 20 Jun 2017 12:43:21 +0000 (+0100) Subject: drm/i915: Assert the vma's active tracking is clear before free X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=7a3bc034ed5c4b57c145a025070739ec41434e94;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git drm/i915: Assert the vma's active tracking is clear before free In looking at a use-after-free on Baytrail, it looks like the VMA's activity tracking is suspect. Add some asserts to catch freeing the VMA before we have decoupled all of its i915_gem_active trackers. References: https://bugs.freedesktop.org/show_bug.cgi?id=101511 Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: Joonas Lahtinen Link: http://patchwork.freedesktop.org/patch/msgid/20170620124321.1108-3-chris@chris-wilson.co.uk Reviewed-by: Tvrtko Ursulin --- diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers/gpu/drm/i915/i915_vma.c index 1cfe137cdc32..958be0a95960 100644 --- a/drivers/gpu/drm/i915/i915_vma.c +++ b/drivers/gpu/drm/i915/i915_vma.c @@ -579,11 +579,17 @@ err_unpin: static void i915_vma_destroy(struct i915_vma *vma) { + int i; + GEM_BUG_ON(vma->node.allocated); GEM_BUG_ON(i915_vma_is_active(vma)); GEM_BUG_ON(!i915_vma_is_closed(vma)); GEM_BUG_ON(vma->fence); + for (i = 0; i < ARRAY_SIZE(vma->last_read); i++) + GEM_BUG_ON(i915_gem_active_isset(&vma->last_read[i])); + GEM_BUG_ON(i915_gem_active_isset(&vma->last_fence)); + list_del(&vma->vm_link); if (!i915_vma_is_ggtt(vma)) i915_ppgtt_put(i915_vm_to_ppgtt(vma->vm)); @@ -680,9 +686,8 @@ int i915_vma_unbind(struct i915_vma *vma) __i915_vma_unpin(vma); if (ret) return ret; - - GEM_BUG_ON(i915_vma_is_active(vma)); } + GEM_BUG_ON(i915_vma_is_active(vma)); if (i915_vma_is_pinned(vma)) return -EBUSY;