Commit 0ff501cb authored by Daniel Vetter's avatar Daniel Vetter

drm/i915: Fix list corruption in vma_unbind

The saga around the breadcrumb vmas used by execbuf continues ...

This time around we've managed to unconditionally move the object to
the unbound list on the last vma unbind even though it might never
have been on either the bound or unbound list. Hilarity ensued.

Chris Wilson tracked this one down but compared to his patches I've
simply opted to completely separate the unbound case for not-yet bound
vmas. Otherwise we imo end up with semantically hard to parse checks
around the list_move_tail(global_list, ...).

Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ben Widawsky <ben@bwidawsk.net>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=68462Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
parent b833d685
...@@ -2610,8 +2610,11 @@ int i915_vma_unbind(struct i915_vma *vma) ...@@ -2610,8 +2610,11 @@ int i915_vma_unbind(struct i915_vma *vma)
if (list_empty(&vma->vma_link)) if (list_empty(&vma->vma_link))
return 0; return 0;
if (!drm_mm_node_allocated(&vma->node)) if (!drm_mm_node_allocated(&vma->node)) {
goto destroy; i915_gem_vma_destroy(vma);
return 0;
}
if (obj->pin_count) if (obj->pin_count)
return -EBUSY; return -EBUSY;
...@@ -2651,7 +2654,6 @@ int i915_vma_unbind(struct i915_vma *vma) ...@@ -2651,7 +2654,6 @@ int i915_vma_unbind(struct i915_vma *vma)
drm_mm_remove_node(&vma->node); drm_mm_remove_node(&vma->node);
destroy:
i915_gem_vma_destroy(vma); i915_gem_vma_destroy(vma);
/* Since the unbound list is global, only move to that list if /* Since the unbound list is global, only move to that list if
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment