drm/i915: fix another use-after-free in i915_gem_evict_everything

Also here, i915_gem_evict_vm causes an unbind, which can end up dropping the last ref to the ppgtt. Triggered by igt gem_evict_everything test. Testcase: igt/gem_evict_everything Signed-off-by: Michel Thierry <michel.thierry@intel.com> Reviewed-by: Chris Wilson <chris@cris-wilsonc.co.uk> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
author: Michel Thierry <michel.thierry@intel.com> 2014-09-09 08:04:43 -0400
committer: Daniel Vetter <daniel.vetter@ffwll.ch> 2014-09-19 08:41:16 -0400
commit: cf303626748e0a5c059e453d025539583d870116 (patch)
tree: 377e1c45d9ba381b44d70bb3b81adea0686b9447
parent: a1e470d421f68d69bf35c1ed316a861625010eab (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem_evict.c b/drivers/gpu/drm/i915/i915_gem_evict.c
index bbf4b12d842e..886ff2ee7a28 100644
--- a/drivers/gpu/drm/i915/i915_gem_evict.c
+++ b/drivers/gpu/drm/i915/i915_gem_evict.c
@@ -243,7 +243,7 @@ int
 i915_gem_evict_everything(struct drm_device *dev)
 {
        struct drm_i915_private *dev_priv = dev->dev_private;
-        struct i915_address_space *vm;
+        struct i915_address_space *vm, *v;
        bool lists_empty = true;
        int ret;
@@ -270,7 +270,7 @@ i915_gem_evict_everything(struct drm_device *dev)
        i915_gem_retire_requests(dev);
        /* Having flushed everything, unbind() should never raise an error */
-        list_for_each_entry(vm, &dev_priv->vm_list, global_link)
+        list_for_each_entry_safe(vm, v, &dev_priv->vm_list, global_link)
                WARN_ON(i915_gem_evict_vm(vm, false));
        return 0;
author	Michel Thierry <michel.thierry@intel.com>	2014-09-09 08:04:43 -0400
committer	Daniel Vetter <daniel.vetter@ffwll.ch>	2014-09-19 08:41:16 -0400
commit	cf303626748e0a5c059e453d025539583d870116 (patch)
tree	377e1c45d9ba381b44d70bb3b81adea0686b9447
parent	a1e470d421f68d69bf35c1ed316a861625010eab (diff)

diff --git a/drivers/gpu/drm/i915/i915_gem_evict.c b/drivers/gpu/drm/i915/i915_gem_evict.c index bbf4b12d842e..886ff2ee7a28 100644 --- a/drivers/gpu/drm/i915/i915_gem_evict.c +++ b/drivers/gpu/drm/i915/i915_gem_evict.c
@@ -243,7 +243,7 @@ int
243	i915_gem_evict_everything(struct drm_device *dev)	243	i915_gem_evict_everything(struct drm_device *dev)
244	{	244	{
245	struct drm_i915_private *dev_priv = dev->dev_private;	245	struct drm_i915_private *dev_priv = dev->dev_private;
246	struct i915_address_space *vm;	246	struct i915_address_space vm, v;
247	bool lists_empty = true;	247	bool lists_empty = true;
248	int ret;	248	int ret;
249		249
@@ -270,7 +270,7 @@ i915_gem_evict_everything(struct drm_device *dev)
270	i915_gem_retire_requests(dev);	270	i915_gem_retire_requests(dev);
271		271
272	/* Having flushed everything, unbind() should never raise an error */	272	/* Having flushed everything, unbind() should never raise an error */
273	list_for_each_entry(vm, &dev_priv->vm_list, global_link)	273	list_for_each_entry_safe(vm, v, &dev_priv->vm_list, global_link)
274	WARN_ON(i915_gem_evict_vm(vm, false));	274	WARN_ON(i915_gem_evict_vm(vm, false));
275		275
276	return 0;	276	return 0;