On Fri, Jul 23, 2010 at 03:54:44PM +0100, Chris Wilson wrote:
> If during the freeing of an object the unbind is interrupted by a system
> call, which is quite possible if we have outstanding GPU writes that
> must be flushed, the unbind is silently aborted. This still leaves the
> AGP region and backing pages allocated, and perhaps more importantly,
> the object remains upon the various lists, exposing us to memory
> corruption.
>
> I think this is the cause behind the use-after-free, such as
>
> Bug 15664 - Graphics hang and kernel backtrace when starting Azureus
> with Compiz enabled
> https://bugzilla.kernel.org/show_bug.cgi?id=15664
>
> v2: Daniel Vetter reminded me that kernel space programming is never easy.
> We cannot simply spin to clear the pending signal and so must defer
> the freeing of the object until later.
> v3: Run from the top level retire requests.
>
> Signed-off-by: Chris Wilson <ch...@chris-wilson.co.uk>
> Cc: sta...@kernel.org
Cleaning up the deferred free list in retire_request looks much saner than
what I had in mind when discussing this on irc.

Reviewed-By: Daniel Vetter <dan...@ffwll.ch>
--
Daniel Vetter
Mail: dan...@ffwll.ch
Mobile: +41 (0)79 365 57 48