diff options
author | John Harrison <John.C.Harrison@Intel.com> | 2016-04-01 15:22:57 +0100 |
---|---|---|
committer | John Harrison <John.C.Harrison@Intel.com> | 2016-05-06 14:12:43 +0100 |
commit | aedfea71d24ad95ea120871045263a080f69c65b (patch) | |
tree | 0c1d00a7e90bdf47dfcba8bde3741c1f383a10f8 /virt | |
parent | e80d58939935d29ed029933a527bda41b8a3d5d6 (diff) |
drm/i915: Fix clean up of file client list on execbuff failure
If an execbuff IOCTL call fails for some reason, it would leave the
request in the client list. The request clean up code would remove
this but only later on and only after the reference count has dropped
to zero. The entire sequence is contained within the driver mutex
lock. However, there is still a hole such that any code which does not
require the mutex lock could still find the request on the client list
and start using it. That would lead to broken reference counts, use of
dangling pointers and all sorts of other nastiness.
The throttle IOCTL in particular does not acquire the mutex and does
process the client list. And the likely situation of the execbuff
IOCTL failing is when the system is busy with lots of work
outstanding. That is exactly the situation where the throttle IOCTL
would try to wait on a request.
Currently, this hole is tiny - the gap between the reference count
dropping to zero and the free function being called in response.
However the next patch in this series enlarges that gap considerably
by deferring the free function (to remove the need for the mutex lock
when unreferencing requests).
v7: New patch in series.
Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
Diffstat (limited to 'virt')
0 files changed, 0 insertions, 0 deletions