drm/i915: Assert the vma's active tracking is clear before free (7a3bc034) · Commits · e / devices / android_kernel_fairphone_FP5

In looking at a use-after-free on Baytrail, it looks like the VMA's activity tracking is suspect. Add some asserts to catch freeing the VMA before we have decoupled all of its i915_gem_active trackers. References: https://bugs.freedesktop.org/show_bug.cgi?id=101511 Signed-off-by:

Chris Wilson <chris@chris-wilson.co.uk> Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/20170620124321.1108-3-chris@chris-wilson.co.uk Reviewed-by:

Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>

drivers/gpu/drm/i915/i915_vma.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -579,11 +579,17 @@ int __i915_vma_do_pin(struct i915_vma *vma,

		static void i915_vma_destroy(struct i915_vma *vma)
		{
		int i;

		GEM_BUG_ON(vma->node.allocated);
		GEM_BUG_ON(i915_vma_is_active(vma));
		GEM_BUG_ON(!i915_vma_is_closed(vma));
		GEM_BUG_ON(vma->fence);

		for (i = 0; i < ARRAY_SIZE(vma->last_read); i++)
		GEM_BUG_ON(i915_gem_active_isset(&vma->last_read[i]));
		GEM_BUG_ON(i915_gem_active_isset(&vma->last_fence));

		list_del(&vma->vm_link);
		if (!i915_vma_is_ggtt(vma))
		i915_ppgtt_put(i915_vm_to_ppgtt(vma->vm));
		@@ -680,9 +686,8 @@ int i915_vma_unbind(struct i915_vma *vma)
		__i915_vma_unpin(vma);
		if (ret)
		return ret;

		GEM_BUG_ON(i915_vma_is_active(vma));
		}
		GEM_BUG_ON(i915_vma_is_active(vma));

		if (i915_vma_is_pinned(vma))
		return -EBUSY;