Bug 99684 - [BDW] use-after-free in gen8_ppgtt_alloc_page_directories
Summary: [BDW] use-after-free in gen8_ppgtt_alloc_page_directories
Status: CLOSED DUPLICATE of bug 99295
Alias: None
Product: DRI
Classification: Unclassified
Component: DRM/Intel
Version: DRI git
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Intel GFX Bugs mailing list
QA Contact: Intel GFX Bugs mailing list
Depends on:
Reported: 2017-02-05 13:23 UTC by mwa
Modified: 2017-07-24 22:39 UTC
CC: 1 user

See Also:
i915 platform: BDW
i915 features: GEM/PPGTT

Attachment: dmesg (158.01 KB, text/plain), 2017-02-05 13:23 UTC, mwa

Description mwa 2017-02-05 13:23:30 UTC
Created attachment 129346

It looks like we are hitting a use-after-free in gen8_ppgtt_alloc_page_directories with some pdp state. One possible theory from looking at the log is that the shrinker kicks in and starts swinging its axe, evicting one or more vmas, which results in said pdp being freed; I guess we didn't have anything else inserted in that range, which is why it was freed. But all of this could have happened while we were in the middle of allocating a va range for another vma which just so happens to touch the same pdp, and so with a little bad timing the free could have happened just after we check if we need to allocate a new pdp, resulting in all kinds of brokenness. It looks like something similar could also happen with a pd.
Comment 1 Chris Wilson 2017-02-05 13:42:08 UTC
Shrinker doing unbind + clear_range vs bind + va_allocate is protected by struct_mutex. But what if the shrinker is triggered by va_allocate or insert-entries? Insert-entries should not be an issue, it should never allocate. But there is a window of opportunity for the shrinker to run as we do allocate and reap a level after we have already checked its presence.

Please see the patches on the list as to how we could fix this by moving the accounting into the allocation phase - that will prevent us from reaping levels we have already processed.
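The window described in the comment above (a level is checked as present, the next allocation triggers the shrinker, the still-empty level is reaped, and the walk then writes into it) and the accounting-first fix it points to can be modelled outside the driver. The C below is an added illustration, not i915 code: `struct level`, `shrink`, `alloc_level`, `map_racy`, `map_accounted` and `is_live` are hypothetical names, memory pressure is a flag passed in rather than real reclaim, and the simulated shrinker only unlinks and flags a level instead of freeing it, so the stale write stays observable without undefined behaviour.

```c
/* Constructed model of a two-level page-table walk with a shrinker that
 * reaps empty levels. Hypothetical names; not i915 code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define SLOTS 4

struct level {
    struct level *child[SLOTS];
    int used;      /* populated child slots; zero means reapable */
    bool reaped;   /* stands in for the memory having been freed */
};

/* Simulated shrinker: unlink every empty child of parent. Memory is kept
 * and flagged instead of freed so a later stale write can be observed. */
static int shrink(struct level *parent)
{
    int n = 0;
    for (int i = 0; i < SLOTS; i++) {
        struct level *c = parent->child[i];
        if (c && c->used == 0) {
            parent->child[i] = NULL;
            c->reaped = true;
            n++;
        }
    }
    return n;
}

/* Allocation that may run the shrinker first, as a kernel allocator under
 * memory pressure can. */
static struct level *alloc_level(struct level *root, bool pressure)
{
    if (pressure)
        shrink(root);
    return calloc(1, sizeof(struct level));
}

/* Ensure root->child[i] exists and return it (no pressure on this path). */
static struct level *get_or_alloc_child(struct level *root, int i)
{
    if (!root->child[i]) {
        root->child[i] = alloc_level(root, false);
        root->used++;
    }
    return root->child[i];
}

/* Racy walk: obtain the directory, then allocate the table beneath it.
 * The directory's used count is still zero during that allocation, so the
 * shrinker may reap it; the write afterwards lands on a reaped level. */
static struct level *map_racy(struct level *root, int i, int j, bool pressure)
{
    struct level *dir = get_or_alloc_child(root, i);
    struct level *tab = alloc_level(root, pressure);  /* window: dir->used == 0 */
    dir->child[j] = tab;   /* stale if dir was reaped in the window */
    dir->used++;
    return dir;
}

/* Fixed walk: account for the slot before the allocation that can reclaim,
 * so the level is never reapable while it is being processed. A real
 * implementation would undo the claim if the allocation failed. */
static struct level *map_accounted(struct level *root, int i, int j, bool pressure)
{
    struct level *dir = get_or_alloc_child(root, i);
    dir->used++;                                      /* claim slot first */
    struct level *tab = alloc_level(root, pressure);
    dir->child[j] = tab;
    return dir;
}

/* True if dir is still the live directory reachable from root at slot i. */
static bool is_live(struct level *root, int i, struct level *dir)
{
    return dir && !dir->reaped && root->child[i] == dir;
}

int main(void)
{
    struct level r1 = {0}, r2 = {0};
    struct level *a = map_racy(&r1, 0, 1, true);
    struct level *b = map_accounted(&r2, 0, 1, true);
    printf("racy walk under pressure: directory live = %d\n", is_live(&r1, 0, a));
    printf("accounted walk under pressure: directory live = %d\n", is_live(&r2, 0, b));
    return 0;
}
```

Run as is, the racy walk reports its directory as no longer live (the tree has a NULL slot and the table was hung off a reaped level), while the accounted walk keeps the directory because its used count was already one when the shrinker ran. That claim-before-allocate ordering is the same idea as moving the accounting into the allocation phase.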
Comment 2 Tomeu Vizoso 2017-02-06 14:17:19 UTC

*** This bug has been marked as a duplicate of bug 99295 ***
