On Thu, Sep 12, 2013 at 6:44 PM, Thomas Hellstrom <thellstrom@xxxxxxxxxx> wrote:
>
> I think a possible fix would be if fault() were allowed to return an error
> and drop the mmap_sem() before returning.
>
> Otherwise we need to track down all copy_to_user / copy_from_user which
> happen with bo::reserve held.

For maximal evilness submit the relocation list (or whatever data execbuf
slurps in with copy_from_user while holding bo::reserve) of a bo in the
execbuf list. At least that's the testcase we have for drm/i915. Then make
sure that the execbuf wants the bo somewhere it can't be mmaped from
userspace, so needs to be moved both in the fault handler and then back for
the execbuf to continue ;-)

-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
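Added example, not part of the thread and not DRM code: a small C model of the dependency Daniel describes (execbuf holding bo::reserve while copy_from_user faults on a bo that needs the same reserve) next to the usual kernel answer to it, an inatomic copy under the lock that drops the lock and faults the pages in on -EFAULT. The fixed path is my assumption of how such a fix looks, not something this thread settles on; struct bo, bo_fault, copy_user and the execbuf_* functions are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed model, not DRM code: execbuf holds bo::reserve while
 * copy_from_user reads the relocation list; if that list lives in a bo
 * execbuf just moved out of user reach, the fault needs the same reserve. */
struct bo { bool reserved; bool mapped; };

/* Fault handler: needs reserve to move the bo back. A real one blocks on
 * the lock; the model returns -EDEADLK for that self-deadlock. */
static int bo_fault(struct bo *bo)
{
    if (bo->reserved)
        return -EDEADLK;
    bo->reserved = true;
    bo->mapped = true;
    bo->reserved = false;
    return 0;
}

/* copy_from_user stand-in: faults if the source is unmapped; with faults
 * disabled (inatomic copy) it returns -EFAULT instead of faulting. */
static int copy_user(struct bo *src, bool faults_ok)
{
    return src->mapped ? 0 : (faults_ok ? bo_fault(src) : -EFAULT);
}
/* Buggy path: copy with faults enabled while holding reserve. */
int execbuf_buggy(bool reloc_bo_must_move)
{
    struct bo reloc = { true, !reloc_bo_must_move };   /* reserved, maybe moved */
    int ret = copy_user(&reloc, true);
    reloc.reserved = false;
    return ret;                 /* -EDEADLK in the evil testcase */
}
/* Fixed pattern: inatomic copy under reserve; on -EFAULT drop reserve, copy
 * with faults allowed into kernel memory, then reserve again from that copy. */
int execbuf_fixed(bool reloc_bo_must_move)
{
    struct bo reloc = { true, !reloc_bo_must_move };
    int ret = copy_user(&reloc, false);
    reloc.reserved = false;     /* always drop before faulting */
    if (ret == -EFAULT)
        ret = copy_user(&reloc, true);   /* safe: reserve not held */
    if (ret)
        return ret;
    reloc.reserved = true;      /* proceed with the kernel-side copy */
    reloc.reserved = false;
    return 0;
}
```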