diff options
| author | Daniel Vetter | 2013-07-24 23:25:03 +0200 |
|---|---|---|
| committer | Daniel Vetter | 2013-07-24 23:25:03 +0200 |
| commit | d861e3387650296f1fca2a4dd0dcd380c8fdddad (patch) | |
| tree | 9d5658171f779271e0530ddafc95e5533168bd5f /drivers/gpu/drm/i915/i915_gem.c | |
| parent | drm/i915: Use Graphics Base of Stolen Memory on all gen3+ (diff) | |
| download | kernel-qcow2-linux-d861e3387650296f1fca2a4dd0dcd380c8fdddad.tar.gz kernel-qcow2-linux-d861e3387650296f1fca2a4dd0dcd380c8fdddad.tar.xz kernel-qcow2-linux-d861e3387650296f1fca2a4dd0dcd380c8fdddad.zip | |
drm/i915: fix reference counting in i915_gem_create
This function is called without the dev->struct_mutex held, hence we
need to use the _unlocked unreference variants.
As soon as the object is registered userspace can sneak in here with a
gem_close ioctl call, so the object can (and with my new evil tests
actually does) get the final unreference in this place. The lack of
locking then results in hilarity and some good leakage.
To fix this we simply need to revert
Chris Wilson <chris@chris-wilson.co.uk>
v2: We need to make the trace call _before_ we drop our ref - the
object might very well be gone by then already.
v3: Just revert the original patch as suggested by Chris Wilson.
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
[danvet: Remove the added white line again to tighten the return
block, requested by Chris.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Diffstat (limited to 'drivers/gpu/drm/i915/i915_gem.c')
| -rw-r--r-- | drivers/gpu/drm/i915/i915_gem.c | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index c4653df5799b..0a1ddb8a28a7 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -219,16 +219,10 @@ i915_gem_create(struct drm_file *file, return -ENOMEM; ret = drm_gem_handle_create(file, &obj->base, &handle); - if (ret) { - drm_gem_object_release(&obj->base); - i915_gem_info_remove_obj(dev->dev_private, obj->base.size); - i915_gem_object_free(obj); - return ret; - } - /* drop reference from allocate - handle holds it now */ - drm_gem_object_unreference(&obj->base); - trace_i915_gem_object_create(obj); + drm_gem_object_unreference_unlocked(&obj->base); + if (ret) + return ret; *handle_p = handle; return 0; @@ -3956,6 +3950,8 @@ struct drm_i915_gem_object *i915_gem_alloc_object(struct drm_device *dev, } else obj->cache_level = I915_CACHE_NONE; + trace_i915_gem_object_create(obj); + return obj; } |