    drm/i915: Repeat unbinding during free if interrupted (v6) · be72615b
    Committed by Chris Wilson
    If during the freeing of an object the unbind is interrupted by a system
    call, which is quite possible if we have outstanding GPU writes that
    must be flushed, the unbind is silently aborted. This still leaves the
    AGP region and backing pages allocated, and perhaps more importantly,
    the object remains upon the various lists exposing us to memory
    corruption.
    
    I think this is the cause behind the use-after-free, such as
    
      Bug 15664 - Graphics hang and kernel backtrace when starting Azureus
                  with Compiz enabled
      https://bugzilla.kernel.org/show_bug.cgi?id=15664
    
    v2: Daniel Vetter reminded me that kernel space programming is never easy.
    We cannot simply spin to clear the pending signal and so must defer
    the freeing of the object until later.
    v3: Run from the top level retire requests.
    v4: Tested with P(return -ERESTARTSYS)=.5 from i915_gem_do_wait_request()
    v5: Rebase against Eric's for-linus tree.
    v6: Refactor, split and add a comment about avoiding unbounded recursion.
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Cc: Daniel Vetter <daniel@ffwll.ch>
    Signed-off-by: Eric Anholt <eric@anholt.net>
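The failure mode the commit message describes (an interruptible unbind that silently aborts, leaving a live object on the lists after its owner thinks it is gone) and the fix it settles on (park the object on a deferred-free list and retry from a later retire pass, without recursing) can be shown in a small user-space simulation. The following is an added example written for this page; it is not i915 code and does not use any kernel API. The object layout, the `pending_interrupts` budget that stands in for a signal arriving mid-unbind, and the function names are all constructed for the illustration; only the value of `ERESTARTSYS` (512, the kernel's private errno) is real.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* ERESTARTSYS is a kernel-internal errno (512); user-space errno.h lacks it. */
#ifndef ERESTARTSYS
#define ERESTARTSYS 512
#endif

/* Hypothetical object: constructed for this example, not the driver's struct. */
struct obj {
    struct obj *next;       /* link on the deferred-free list */
    int pending_interrupts; /* constructed: how many unbind attempts get "interrupted" */
    bool bound;             /* still holds its (simulated) mapping and pages */
};

static struct obj *deferred_free_list; /* objects whose unbind was interrupted */
static int freed_count;                /* objects actually released so far */

struct obj *obj_new(int interrupts)
{
    struct obj *o = calloc(1, sizeof(*o));
    if (!o)
        abort();
    o->pending_interrupts = interrupts;
    o->bound = true;
    return o;
}

/* Simulated unbind: fails with -ERESTARTSYS while the interrupt budget lasts,
 * the way a wait for outstanding GPU writes fails when a signal is pending. */
static int obj_unbind(struct obj *o)
{
    if (o->pending_interrupts > 0) {
        o->pending_interrupts--;
        return -ERESTARTSYS;
    }
    o->bound = false;
    return 0;
}

/* Free path. The pre-fix bug was to ignore a non-zero unbind result here and
 * leave a half-torn-down object reachable; instead, an interrupted object is
 * queued for a later retry and nothing is released yet. */
void obj_free(struct obj *o)
{
    int ret = obj_unbind(o);
    if (ret == -ERESTARTSYS) {
        o->next = deferred_free_list;
        deferred_free_list = o;
        return;
    }
    assert(ret == 0 && !o->bound);
    free(o);
    freed_count++;
}

/* Called from a periodic "retire" step. The list head is detached first, so an
 * object that is interrupted again simply re-queues itself on the fresh list;
 * the loop walks a fixed snapshot and can never recurse or spin unboundedly.
 * Returns how many objects were actually released in this pass. */
int retire_deferred_frees(void)
{
    struct obj *list = deferred_free_list;
    int retired = 0;

    deferred_free_list = NULL;
    while (list) {
        struct obj *o = list;
        int before = freed_count;

        list = o->next;
        o->next = NULL;
        obj_free(o);
        if (freed_count > before)
            retired++;
    }
    return retired;
}

int deferred_count(void)
{
    int n = 0;
    for (struct obj *o = deferred_free_list; o; o = o->next)
        n++;
    return n;
}

int get_freed_count(void) { return freed_count; }

int main(void)
{
    struct obj *o = obj_new(2); /* constructed: first two unbinds get interrupted */
    obj_free(o);
    printf("after free: deferred=%d freed=%d\n", deferred_count(), freed_count);
    printf("retire #1 released %d\n", retire_deferred_frees());
    printf("retire #2 released %d\n", retire_deferred_frees());
    printf("final: deferred=%d freed=%d\n", deferred_count(), freed_count);
    return 0;
}
```

The point to carry over to real code is structural: every exit from the free path either releases the object completely or leaves it on exactly one list that a later pass is guaranteed to revisit, so a caller that has already dropped its own reference can never be handed back a partially destroyed object.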
i915_gem.c 135.0 KB