From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: re: drm/i915: Switch eviction code to use vmas
Date: Mon, 19 Aug 2013 09:59:14 +0300
Message-ID: <20130819065914.GD28591@elgon.mountain>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org>
Content-Disposition: inline
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: ben@bwidawsk.net
Cc: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

Hello Ben Widawsky,

Here is another use after free warning.  It's some new static checker
stuff that I haven't pushed because it has lots of false postives.

The patch f7795b1d0b47: "drm/i915: Switch eviction code to use vmas" 
from Aug 14, 2013, leads to the following warning:
"drivers/gpu/drm/i915/i915_gem_evict.c:145 i915_gem_evict_something()
	 warn: 'vma' was already freed."


drivers/gpu/drm/i915/i915_gem_evict.c
   137          /* Unbinding will emit any required flushes */
   138          while (!list_empty(&eviction_list)) {
   139                  vma = list_first_entry(&eviction_list,
   140                                         struct i915_vma,
   141                                         exec_list);
   142                  if (ret == 0)
   143                          ret = i915_vma_unbind(vma);
                                      ^^^^^^^^^^^^^^^^^^^^
This often frees the "vma".

   144  
   145                  list_del_init(&vma->exec_list);
                                      ^^^^^^^^^^^^^^^
Dereference.

   146                  drm_gem_object_unreference(&vma->obj->base);
   147          }

regards,
dan carpenter