Skip to content

L
linux
Commit cf303626 authored by Michel Thierry's avatar Michel Thierry Committed by Daniel Vetter
Browse files
Options

drm/i915: fix another use-after-free in i915_gem_evict_everything 

Also here, i915_gem_evict_vm causes an unbind, which can end up dropping
the last ref to the ppgtt.

Triggered by igt gem_evict_everything test.

Testcase: igt/gem_evict_everything
Signed-off-by: default avatarMichel Thierry <michel.thierry@intel.com>
Reviewed-by: default avatarChris Wilson <chris@cris-wilsonc.co.uk>
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
parent a1e470d4
Hide whitespace changes
Inline Side-by-side
Showing with 2 additions and 2 deletions
drivers/gpu/drm/i915/i915_gem_evict.c
View file @ cf303626
......@@ -243,7 +243,7 @@ int
i915_gem_evict_everything(struct drm_device *dev)
{
struct drm_i915_private *dev_priv = dev->dev_private;
struct i915_address_space *vm;
struct i915_address_space *vm, *v;
bool lists_empty = true;
int ret;
......@@ -270,7 +270,7 @@ i915_gem_evict_everything(struct drm_device *dev)
i915_gem_retire_requests(dev);
/* Having flushed everything, unbind() should never raise an error */
list_for_each_entry(vm, &dev_priv->vm_list, global_link)
list_for_each_entry_safe(vm, v, &dev_priv->vm_list, global_link)
WARN_ON(i915_gem_evict_vm(vm, false));
return 0;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7