Hello Ben Widawsky,
Here is another use after free warning. It's some new static checker stuff that I haven't pushed because it has lots of false postives.
The patch f7795b1d0b47: "drm/i915: Switch eviction code to use vmas" from Aug 14, 2013, leads to the following warning: "drivers/gpu/drm/i915/i915_gem_evict.c:145 i915_gem_evict_something() warn: 'vma' was already freed."
drivers/gpu/drm/i915/i915_gem_evict.c 137 /* Unbinding will emit any required flushes */ 138 while (!list_empty(&eviction_list)) { 139 vma = list_first_entry(&eviction_list, 140 struct i915_vma, 141 exec_list); 142 if (ret == 0) 143 ret = i915_vma_unbind(vma); ^^^^^^^^^^^^^^^^^^^^ This often frees the "vma".
144 145 list_del_init(&vma->exec_list); ^^^^^^^^^^^^^^^ Dereference.
146 drm_gem_object_unreference(&vma->obj->base); 147 }
regards, dan carpenter
On Mon, Aug 19, 2013 at 09:59:14AM +0300, Dan Carpenter wrote:
Hello Ben Widawsky,
Here is another use after free warning. It's some new static checker stuff that I haven't pushed because it has lots of false postives.
The patch f7795b1d0b47: "drm/i915: Switch eviction code to use vmas" from Aug 14, 2013, leads to the following warning: "drivers/gpu/drm/i915/i915_gem_evict.c:145 i915_gem_evict_something() warn: 'vma' was already freed."
drivers/gpu/drm/i915/i915_gem_evict.c 137 /* Unbinding will emit any required flushes */ 138 while (!list_empty(&eviction_list)) { 139 vma = list_first_entry(&eviction_list, 140 struct i915_vma, 141 exec_list); 142 if (ret == 0) 143 ret = i915_vma_unbind(vma); ^^^^^^^^^^^^^^^^^^^^ This often frees the "vma".
144 145 list_del_init(&vma->exec_list); ^^^^^^^^^^^^^^^ Dereference.
146 drm_gem_object_unreference(&vma->obj->base); 147 }
Correct. Patch is en route already, thanks. -Chris
On Mon, Aug 19, 2013 at 09:59:14AM +0300, Dan Carpenter wrote:
Hello Ben Widawsky,
Here is another use after free warning. It's some new static checker stuff that I haven't pushed because it has lots of false postives.
The patch f7795b1d0b47: "drm/i915: Switch eviction code to use vmas" from Aug 14, 2013, leads to the following warning: "drivers/gpu/drm/i915/i915_gem_evict.c:145 i915_gem_evict_something() warn: 'vma' was already freed."
drivers/gpu/drm/i915/i915_gem_evict.c 137 /* Unbinding will emit any required flushes */ 138 while (!list_empty(&eviction_list)) { 139 vma = list_first_entry(&eviction_list, 140 struct i915_vma, 141 exec_list); 142 if (ret == 0) 143 ret = i915_vma_unbind(vma); ^^^^^^^^^^^^^^^^^^^^ This often frees the "vma".
144 145 list_del_init(&vma->exec_list); ^^^^^^^^^^^^^^^ Dereference.
146 drm_gem_object_unreference(&vma->obj->base); 147 }
regards, dan carpenter
Hi Dan. This should already be fixed. Do we need to cc:stable this? http://cgit.freedesktop.org/~danvet/drm-intel/commit/?h=drm-intel-next-queue...
dri-devel@lists.freedesktop.org
-
Ben Widawsky -
Chris Wilson -
Dan Carpenter