commit af1a10a260fd26d8d0e0c53288781c0a777e5c8c
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Apr 16 10:17:44 2011 +0100

    drm/i915: Use a slab for object allocation
    
    The primary purpose of this was to debug some use-after-free memory
    corruption that was causing an OOPS inside drm/i915. As it turned out
    the corruption was being caused elsewhere and i915.ko as a major user of
    many objects was being hit hardest.
    
    Indeed as we do frequent the generic kmalloc caches, dedicating one to
    ourselves (or at least naming one for us depending upon the core) aids
    debugging our own slab usage.
    
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
index 8122738..c0b692f 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -2202,6 +2202,9 @@ int i915_driver_unload(struct drm_device *dev)
 
 	destroy_workqueue(dev_priv->wq);
 
+	if (dev_priv->slab)
+		kmem_cache_destroy(dev_priv->slab);
+
 	pci_dev_put(dev_priv->bridge_dev);
 	kfree(dev->dev_private);
 
diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
index f02a5f5..b65e984 100644
--- a/drivers/gpu/drm/i915/i915_drv.h
+++ b/drivers/gpu/drm/i915/i915_drv.h
@@ -285,6 +285,8 @@ typedef struct drm_i915_private {
 
 	const struct intel_device_info *info;
 
+	struct kmem_cache *slab;
+
 	int has_gem;
 	int relative_constants_mode;
 
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 9d518b5..02cebaf 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -211,7 +211,7 @@ i915_gem_create(struct drm_file *file,
 	if (ret) {
 		drm_gem_object_release(&obj->base);
 		i915_gem_info_remove_obj(dev->dev_private, obj->base.size);
-		kfree(obj);
+		kmem_cache_free(dev_priv->slab, obj);
 		return ret;
 	}
 
@@ -3606,12 +3606,12 @@ struct drm_i915_gem_object *i915_gem_alloc_object(struct drm_device *dev,
 	struct drm_i915_gem_object *obj;
 	struct address_space *mapping;
 
-	obj = kzalloc(sizeof(*obj), GFP_KERNEL);
+	obj = kmem_cache_alloc(dev_priv->slab, GFP_KERNEL | __GFP_ZERO);
 	if (obj == NULL)
 		return NULL;
 
 	if (drm_gem_object_init(dev, &obj->base, size) != 0) {
-		kfree(obj);
+		kmem_cache_free(dev_priv->slab, obj);
 		return NULL;
 	}
 
@@ -3684,7 +3684,7 @@ static void i915_gem_free_object_tail(struct drm_i915_gem_object *obj)
 
 	kfree(obj->page_cpu_valid);
 	kfree(obj->bit_17);
-	kfree(obj);
+	kmem_cache_free(dev_priv->slab, obj);
 }
 
 void i915_gem_free_object(struct drm_gem_object *gem_obj)
@@ -3878,6 +3878,13 @@ i915_gem_load(struct drm_device *dev)
 	int i;
 	drm_i915_private_t *dev_priv = dev->dev_private;
 
+	dev_priv->slab = kmem_cache_create("i915_gem_object",
+					   sizeof(struct drm_i915_gem_object),
+					   0,
+					   SLAB_HWCACHE_ALIGN,
+					   NULL);
+	WARN_ON(!dev_priv->slab);
+
 	INIT_LIST_HEAD(&dev_priv->mm.active_list);
 	INIT_LIST_HEAD(&dev_priv->mm.flushing_list);
 	INIT_LIST_HEAD(&dev_priv->mm.inactive_list);