| Summary: |
[BDW] use-after-free in gen8_ppgtt_alloc_page_directories |
| Product: |
DRI
|
Reporter: |
mwa <matthew.auld> |
| Component: |
DRM/Intel | Assignee: |
Intel GFX Bugs mailing list <intel-gfx-bugs> |
| Status: |
CLOSED
DUPLICATE
|
QA Contact: |
Intel GFX Bugs mailing list <intel-gfx-bugs> |
| Severity: |
normal
|
|
|
| Priority: |
medium
|
CC: |
intel-gfx-bugs
|
| Version: |
DRI git | |
|
| Hardware: |
x86-64 (AMD64) | |
|
| OS: |
Linux (All) | |
|
| Whiteboard: |
|
|
i915 platform:
|
BDW
|
i915 features:
|
GEM/PPGTT
|
|---|
| Attachments: |
| Description |
Flags |
|
dmesg
|
none
|
|
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 129346 [details] dmesg It looks like we are hitting a use-after-free in gen8_ppgtt_alloc_page_directories with some pdp state. One possible theory from looking at the log is that the shrinker kicks in and starts swinging its axe, evicting one or more vma's, which results in said pdp being freed, I guess we didn't have anything else inserted in that range, which is why it was freed. But all of this could have happened while we were in the middle of allocating a va range for another vma which just so happens to touch the same pdp, and so with a little bad timing the free could have happened just after we check if we need to allocate a new pdp, resulting in all kinds of brokenness. It looks like something similar could also happen with a pd.