On Fri, Dec 16, 2016 at 01:18:42PM +0000, Tvrtko Ursulin wrote:
> From: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxx>
>
> Commit 3b3f1650b1ca ("drm/i915: Allocate intel_engine_cs
> structure only for the enabled engines") introduced the
> dynamically allocated engine instances and created a
> potential use after free scenario in logical_render_ring_init
> where lrc_destroy_wa_ctx_obj could be called after the engine
> instance has been freed.
>
> This can only happen during engine setup/init error handling
> which luckily does not happen ever in practice.
>
> Fix is to not call lrc_destroy_wa_ctx_obj since it would have
> already been executed from the preceding engine cleanup.
>
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxx>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Fixes: 3b3f1650b1ca ("drm/i915: Allocate intel_engine_cs structure only for the enabled engines")
> Cc: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> Cc: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxx>
> Cc: Daniel Vetter <daniel.vetter@xxxxxxxxx>
> Cc: Jani Nikula <jani.nikula@xxxxxxxxxxxxxxx>

Reviewed-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
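The error-path pattern described in the commit message, as an added example that is not i915 code and not part of the thread: a constructed model in which the engine lives in a static pool with a liveness flag, so the stale access is counted instead of being undefined behaviour. All names (`engine_cleanup`, `destroy_wa_ctx`, `render_init_buggy`, `render_init_fixed`, `count_stale`) are hypothetical, and the cleanup ordering is an assumption taken from the commit message's wording.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: 'live' stands in for "allocation still valid". */
struct engine {
    bool live;    /* false once the instance has been freed */
    bool wa_ctx;  /* workaround context object still allocated */
};

static struct engine pool[1];
static int stale_accesses;  /* touches of an engine after it was freed */

static struct engine *engine_alloc(void)
{
    pool[0].live = true;
    pool[0].wa_ctx = true;
    return &pool[0];
}

/* Stands in for the wa_ctx destructor: it dereferences the engine. */
static void destroy_wa_ctx(struct engine *e)
{
    if (!e->live) {  /* with a real allocator: a read of freed memory */
        stale_accesses++;
        return;
    }
    e->wa_ctx = false;
}

/* Stands in for engine cleanup: releases wa_ctx, then frees the engine. */
static void engine_cleanup(struct engine *e)
{
    destroy_wa_ctx(e);
    e->live = false;
}

/* Simulated init failure, error path before the fix. */
static int render_init_buggy(void)
{
    struct engine *e = engine_alloc();
    engine_cleanup(e);  /* failure already cleaned up and freed the engine */
    destroy_wa_ctx(e);  /* redundant call on the freed instance */
    return -1;
}

/* Same failure, error path after the fix: rely on the cleanup alone. */
static int render_init_fixed(void)
{
    struct engine *e = engine_alloc();
    engine_cleanup(e);
    return -1;
}

/* Runs one init variant and reports how many stale accesses it made. */
static int count_stale(int (*init)(void))
{
    stale_accesses = 0;
    init();
    return stale_accesses;
}

int main(void)
{
    printf("buggy: %d stale access(es)\n", count_stale(render_init_buggy));
    printf("fixed: %d stale access(es)\n", count_stale(render_init_fixed));
    return 0;
}
```

In a real kernel build the same class of bug is what KASAN reports as a use-after-free when the error path is exercised, for example with fault injection.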