Commit fad20834 authored Jul 01, 2017 by Chris Wilson

drm/i915: Fix use-after-free of context during free_contexts



When iterating the list of contexts to free, we need to use a safe
iterator as we are freeing the link as we go. Pass an extra thick brown
paper bag.

Fixes: 5f09a9c8 ("drm/i915: Allow contexts to be unreferenced locklessly")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170630230517.1938-1-chris@chris-wilson.co.uk


Reviewed-by: Matthew Auld <matthew.auld@intel.com>

parent a874b6a3

drivers/gpu/drm/i915/i915_gem_context.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -193,11 +193,11 @@ static void i915_gem_context_free(struct i915_gem_context *ctx)
		static void contexts_free(struct drm_i915_private *i915)
		{
		struct llist_node *freed = llist_del_all(&i915->contexts.free_list);
		struct i915_gem_context *ctx;
		struct i915_gem_context ctx, cn;

		lockdep_assert_held(&i915->drm.struct_mutex);

		llist_for_each_entry(ctx, freed, free_link)
		llist_for_each_entry_safe(ctx, cn, freed, free_link)
		i915_gem_context_free(ctx);
		}